2010-05-13
AlexJ
Any operation (add, edit, delete) on the ACL from the admin GUI replaces the mask %USER% in the second field (user/group) of the ACL in the file conf/acl.auth.php with %25USER%25.
In this case the %USER% rules become broken.
A quick hack to avoid this is to add:
$lines = preg_replace('/%25/','%',$lines); // before line 138 in the lib/plugins/acl/admin.php
$new_config = preg_replace('/%25/','%',$new_config); // before line 662 in the lib/plugins/acl/admin.php
$new_config = preg_replace('/%25/','%',$new_config); // before line 679 in the lib/plugins/acl/admin.php
The escaping happens in inc/auth.php, in the function 'auth_nameencode'.
Not sure if replacing the regex there with preg_replace('/([\x00-\x24\x26-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/e',...
would be safe, since 'auth_nameencode' is referenced from many different places.
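
The following is an added example, not part of the original report and not DokuWiki's code. It compares the reported escaping, the character-class change the report is unsure about, and a narrower exact-match guard. The encoder is a simplified stand-in for the escaping in auth_nameencode; all function names and the sample user names are hypothetical.

```php
<?php
// Added illustration, not DokuWiki's code. Assumption: the escaping
// percent-encodes every ASCII byte outside [0-9A-Za-z].
function encode_with_class(string $class, string $name): string {
    return preg_replace_callback(
        '/[' . $class . ']/',
        function ($m) { return sprintf('%%%02x', ord($m[0])); },
        $name
    );
}

// Encoder that also escapes '%' (the behaviour the report describes).
function encode_all(string $name): string {
    return encode_with_class('\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f', $name);
}

// Character class from the report: identical, but \x25 ('%') is exempt.
function encode_skip_percent(string $name): string {
    return encode_with_class('\x00-\x24\x26-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f', $name);
}

// Hypothetical narrower guard: exempt only the exact wildcard token.
function encode_keep_wildcard(string $name): string {
    return $name === '%USER%' ? $name : encode_all($name);
}

function check(bool $ok, string $what): void {
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

// Reported breakage: the wildcard is escaped when the ACL is saved.
check(encode_all('%USER%') === '%25USER%25', 'wildcard gets escaped');

// Exempting '%' keeps the wildcard, but the encoding stops being
// one-to-one: the constructed names 'a@b' and 'a%40b' share one ACL key.
check(encode_skip_percent('%USER%') === '%USER%', 'class fix keeps wildcard');
check(encode_skip_percent('a@b') === encode_skip_percent('a%40b'),
      'class fix: two distinct names collide');

// The exact-match guard keeps the wildcard and keeps names distinct.
check(encode_keep_wildcard('%USER%') === '%USER%', 'guard keeps wildcard');
check(encode_keep_wildcard('a@b') !== encode_keep_wildcard('a%40b'),
      'guard: names stay distinct');

// The quick hack rewrites every %25 in the saved config, so a stored name
// containing a literal '%' no longer equals its encoded form (assumption:
// lookups compare against the encoded name).
$stored = preg_replace('/%25/', '%', encode_all('a%b'));
check($stored !== encode_all('a%b'), 'hack: entry for a%b no longer matches');
```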