Fix issues #388 & #705

(thanks to @sourcejedi, PR #1326 for pointing inconsistencies with RFC2616

1 files changed, 5 insertions, 4 deletions

diff --git a/system/core/URI.php b/system/core/URI.php
index 407a6ce88..4a8d33e88 100644
--- a/system/core/URI.php
+++ b/system/core/URI.php
@@ -188,7 +188,7 @@ class CI_URI {
 
 		$uri = parse_url($_SERVER['REQUEST_URI']);
 		$query = isset($uri['query']) ? $uri['query'] : '';
-		$uri = isset($uri['path']) ? $uri['path'] : '';
+		$uri = isset($uri['path']) ? rawurldecode($uri['path']) : '';
 
 		if (strpos($uri, $_SERVER['SCRIPT_NAME']) === 0)
 		{
@@ -204,7 +204,7 @@ class CI_URI {
 		if (trim($uri, '/') === '' && strncmp($query, '/', 1) === 0)
 		{
 			$query = explode('?', $query, 2);
-			$uri = $query[0];
+			$uri = rawurldecode($query[0]);
 			$_SERVER['QUERY_STRING'] = isset($query[1]) ? $query[1] : '';
 		}
 		else
@@ -245,8 +245,9 @@ class CI_URI {
 		{
 			$uri = explode('?', $uri, 2);
 			$_SERVER['QUERY_STRING'] = isset($uri[1]) ? $uri[1] : '';
-			$uri = $uri[0];
+			$uri = rawurldecode($uri[0]);
 		}
+
 		$this->_reset_query_string();
 
 		return str_replace(array('//', '../'), '/', trim($uri, '/'));
@@ -325,7 +326,7 @@ class CI_URI {
 		{
 			// preg_quote() in PHP 5.3 escapes -, so the str_replace() and addition of - to preg_quote() is to maintain backwards
 			// compatibility as many are unaware of how characters in the permitted_uri_chars will be parsed as a regex pattern
-			if ( ! preg_match('|^['.str_replace(array('\\-', '\-'), '-', preg_quote($this->config->item('permitted_uri_chars'), '-')).']+$|i', urldecode($str)))
+			if ( ! preg_match('|^['.str_replace(array('\\-', '\-'), '-', preg_quote($this->config->item('permitted_uri_chars'), '|')).']+$|i', $str))
 			{
 				show_error('The URI you submitted has disallowed characters.', 400);
 			}