in case of invalid ID, only pageread and pageadd route redirect to corected ID. close #529

Author: vincent-peugnet

app/class/Model.php

@@ -53,12 +53,22 @@ abstract class Model
         'version' => 'version',
     ];
 
-    public const ID_REGEX                   = "%[^a-z0-9-_]%";
-    public const MAX_ID_LENGTH              = 64;
-    public const PASSWORD_MIN_LENGTH        = 4;
-    public const PASSWORD_MAX_LENGTH        = 128;
-    public const MAX_COOKIE_CONSERVATION    = 365;
-    public const MAX_QUERY_LENGH            = 512;
+    /** Characters that are authorized in item ID */
+    public const ID_AUTHORIZED_CHARS         = 'a-z0-9-_';
+
+    /** Maximum database item ID length */
+    public const MAX_ID_LENGTH               = 64;
+
+    /** Regex for unauthorized characters in item IDs */
+    public const ID_UNAUTHORIZED_CHARS_REGEX = '[^' . self::ID_AUTHORIZED_CHARS . ']';
+
+    /** Regex for database items IDs*/
+    public const ID_REGEX                    = '[' . self::ID_AUTHORIZED_CHARS . ']{1,' . self::MAX_ID_LENGTH . '}';
+
+    public const PASSWORD_MIN_LENGTH         = 4;
+    public const PASSWORD_MAX_LENGTH         = 128;
+    public const MAX_COOKIE_CONSERVATION     = 365;
+    public const MAX_QUERY_LENGH             = 512;
 
 
     public static function dirtopath(string $dir): string
@@ -139,7 +149,8 @@ public static function idclean(string $input, int $max = self::MAX_ID_LENGTH): s
             $replace = ['e', 'a', 'e', 'c', 'u', 'u', 'i', 'i', '-'];
             $input = str_replace($search, $replace, $input);
 
-            $input = preg_replace(static::ID_REGEX, '', strtolower(trim($input)));
+            $regex = '%' . self::ID_UNAUTHORIZED_CHARS_REGEX . '%';
+            $input = preg_replace($regex, '', strtolower(trim($input)));
             $input = mb_substr($input, 0, $max);
         }
         return $input;
@@ -153,7 +164,7 @@ public static function idclean(string $input, int $max = self::MAX_ID_LENGTH): s
     public static function idcheck(string $id, int $max = self::MAX_ID_LENGTH): bool
     {
         return (
-            !((bool) preg_match(static::ID_REGEX, $id))
+            !((bool) preg_match('%' . self::ID_UNAUTHORIZED_CHARS_REGEX . '%', $id))
             && strlen($id) <= $max
             && strlen($id) > 0
         );

app/class/Modelmedia.php

@@ -23,7 +23,8 @@ class Modelmedia extends Model
         'extension' => 'extension'
     ];
 
-    public const ID_REGEX                   = "%[^a-z0-9-_.]%";
+    /** Characters that are authorized for cleaned media filename */
+    public const ID_AUTHORIZED_CHARS                   = 'a-z0-9-_.';
 
     public const OPTIMIZE_IMG_MAX_WIDTH     = 1920;
     public const OPTIMIZE_IMG_MAX_HEIGHT    = 1920;

app/class/Routes.php

@@ -18,7 +18,8 @@ public function match(): void
         if (!empty(Config::basepath())) {
             $router->setBasePath('/' . Config::basepath());
         }
-        $router->addMatchTypes(array('cid' => '[^/]+'));
+        $router->addMatchTypes(array('noslash' => '[^/]+'));
+        $router->addMatchTypes(array('cid' => Model::ID_REGEX));
         $router->addRoutes([
             ['GET', '/api/v0/page/[cid:page]', 'Controllerapipage#get', 'apipageget'],
             ['GET', '/api/v0/pages/list', 'Controllerapipage#list', 'apipagelist'],
@@ -69,13 +70,13 @@ public function match(): void
             ['POST', '/!profile', 'Controllerprofile#update', 'profileupdate'],
             ['POST', '/!profile/password', 'Controllerprofile#password', 'profilepassword'],
             ['GET', '/!info', 'Controllerinfo#desktop', 'info'],
-            ['GET', '/[cid:page]/', 'Controllerpage#pagepermanentredirect', 'pageread/'],
+            ['GET', '/[noslash:page]/', 'Controllerpage#pagepermanentredirect', 'pageread/'],
             ['HEAD', '/[cid:page]/', 'Controllerpage#pagepermanentredirect', 'pageread/head'],
             ['POST', '/[cid:page]', 'Controllerpage#read', 'pagereadpost'], /** Used for password protected pages */
-            ['GET', '/[cid:page]', 'Controllerpage#read', 'pageread'],
+            ['GET', '/[noslash:page]', 'Controllerpage#read', 'pageread'],
             ['HEAD', '/[cid:page]', 'Controllerpage#readhead', 'pagereadhead'],
-            ['GET', '/[cid:page]/add', 'Controllerpage#add', 'pageadd'],
-            ['GET', '/[cid:page]/add:[cid:copy]', 'Controllerpage#addascopy', 'pageaddascopy'],
+            ['GET', '/[noslash:page]/add', 'Controllerpage#add', 'pageadd'],
+            ['GET', '/[noslash:page]/add:[cid:copy]', 'Controllerpage#addascopy', 'pageaddascopy'],
             ['GET', '/[cid:page]/edit', 'Controllerpage#edit', 'pageedit'],
             ['GET', '/[cid:page]/render', 'Controllerpage#render', 'pagerender'],
             ['GET', '/[cid:page]/log', 'Controllerpage#log', 'pagelog'],
@@ -86,7 +87,7 @@ public function match(): void
             ['POST', '/workspace/update', 'Controllerworkspace#update', 'workspaceupdate'],
             ['GET', '/[cid:page]/delete', 'Controllerpage#delete', 'pagedelete'],
             ['POST', '/[cid:page]/delete', 'Controllerpage#confirmdelete', 'pageconfirmdelete'],
-            ['GET', '/[cid:page]/duplicate:[cid:duplicate]', 'Controllerpage#duplicate', 'pageduplicate'],
+            ['GET', '/[cid:page]/duplicate:[noslash:duplicate]', 'Controllerpage#duplicate', 'pageduplicate'],
             ['GET', '/[cid:page]/[*:command]', 'Controllerpage#commandnotfound', 'pageread/etoile'],
         ]);