Privilege bypass due to relative paths in URL after initial page filename
N.B.: I have not yet managed to reproduce this, adding it based on a user report.
Due to the way the privilege system matches pages with wildcards, if the user can feed a relative URL to the server they may be able to bypass a check to reach a page they otherwise couldn't access.
For example, if the user has access to status_interfaces.php, but they want to reach diag_backup.php, they can send a request for "status_interfaces.php/../diag_backup.php".
However, few if any clients allow this type of syntax. Most automatically correct the relative path request, and even CLI clients such as cURL and wget remove the relative reference. There may be some proxies such as Burp Suite which may be leveraged to send the path in that way (unconfirmed, but suggested by the reporter).
The attached patch should correct the problem, but without being able to reproduce it, we can't confirm the fix, so I have not yet committed it.
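
The mismatch described above, as an added sketch that is not the attached patch or the project's own code: a wildcard check run against the raw request path accepts the relative form, while the same check run after collapsing "." and ".." segments does not. The pattern list, function names and request strings are constructed for illustration, and the sketch assumes the server resolves the path before choosing which page to serve.

```python
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Constructed privilege list: wildcard patterns for a hypothetical user.
ALLOWED = ["status_interfaces.php*"]


def naive_is_allowed(request_path, patterns):
    """Flawed check: match the raw request path against the wildcards."""
    page = request_path.lstrip("/")
    return any(fnmatchcase(page, p) for p in patterns)


def canonical_page(request_path):
    """Return the page the path resolves to, or None if it climbs above the root."""
    path = unquote(request_path.partition("?")[0])  # drop query, decode %2e etc.
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None  # would escape the web root: reject outright
            stack.pop()
        else:
            stack.append(seg)
    return "/".join(stack)


def strict_is_allowed(request_path, patterns):
    """Match the wildcards against the resolved page, not the raw string."""
    page = canonical_page(request_path)
    if page is None:
        return False
    return any(fnmatchcase(page, p) for p in patterns)


if __name__ == "__main__":
    # Constructed sample requests, including the form quoted in the report.
    for req in ("/status_interfaces.php",
                "/status_interfaces.php?if=wan",
                "/status_interfaces.php/../diag_backup.php",
                "/status_interfaces.php/%2e%2e/diag_backup.php"):
        print(f"{req!r}: naive={naive_is_allowed(req, ALLOWED)} "
              f"strict={strict_is_allowed(req, ALLOWED)}")
```
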