fix: "except empty" means "except all"

kenjis · kenjis · commit e7297f1a9a55 · 2023-08-16T10:46:01.000+09:00
This behavior is unexpected and not good for security.
If a dev removes all items in `except` key, the filter is disabled.

Now "except empty" means "except nothing".
diff --git a/system/Filters/Filters.php b/system/Filters/Filters.php
@@ -416,7 +416,7 @@ protected function processGlobals(?string $uri = null)
                         if (isset($rules['except'])) {
                             // grab the exclusion rules
                             $check = $rules['except'];
-                            if ($this->pathApplies($uri, $check)) {
+                            if ($this->checkExcept($uri, $check)) {
                                 $keep = false;
                             }
                         }
@@ -550,4 +550,39 @@ private function pathApplies(string $uri, $paths)
 
         return false;
     }
+
+    /**
+     * Check except paths
+     *
+     * @param string       $uri   URI to check
+     * @param array|string $paths The except path patterns
+     *
+     * @return bool True if the URI matches except paths.
+     */
+    private function checkExcept(string $uri, $paths): bool
+    {
+        // empty path does not match anything
+        if (empty($paths)) {
+            return false;
+        }
+
+        // make sure the paths are iterable
+        if (is_string($paths)) {
+            $paths = [$paths];
+        }
+
+        // treat each paths as pseudo-regex
+        foreach ($paths as $path) {
+            // need to escape path separators
+            $path = str_replace('/', '\/', trim($path, '/ '));
+            // need to make pseudo wildcard real
+            $path = strtolower(str_replace('*', '.*', $path));
+            // Does this rule apply here?
+            if (preg_match('#^' . $path . '$#', $uri, $match) === 1) {
+                return true;
+            }
+        }
+
+        return false;
+    }
 }
