Make sure all request parameters are used by the script, otherwise tr…

…igger the error 404 page (see #4277)

index.php

@@ -253,10 +253,14 @@ public function run()
 				break;
 
 			default:
-				$objHandler->generate($objPage);
+				$objHandler->generate($objPage, true);
 				break;
 		}
 
+		// If we get here, something went wrong (see #4277)
+		$objHandler = new $GLOBALS['TL_PTY']['error_404']();
+		$objHandler->generate($pageId);
+
 		// Stop the script (see #4565)
 		exit;
 	}

system/modules/core/classes/FrontendTemplate.php

@@ -52,8 +52,9 @@ public function parse()
 
 	/**
 	 * Parse the template file, replace insert tags and print it to the screen
+	 * @param boolean
 	 */
-	public function output()
+	public function output($blnCheckRequest=false)
 	{
 		global $objPage;
 
@@ -85,11 +86,11 @@ public function output()
 
 				if ($GLOBALS['TL_CONFIG']['useAutoItem'] && in_array($key, $GLOBALS['TL_AUTO_ITEM']))
 				{
-					$strParams .= '/' . \Input::get($key);
+					$strParams .= '/' . \Input::get($key, false, true);
 				}
 				else
 				{
-					$strParams .= '/' . $key . '/' . \Input::get($key);
+					$strParams .= '/' . $key . '/' . \Input::get($key, false, true);
 				}
 			}
 		}
@@ -216,6 +217,12 @@ public function output()
 		$this->strBuffer = str_replace(array('{{request_token}}', '[{]', '[}]'), array(REQUEST_TOKEN, '{{', '}}'), $this->strBuffer);
 		$this->strBuffer = $this->replaceDynamicScriptTags($this->strBuffer); // see #4203
 
+		// Not all $_GET parameters have been used (see #4277)
+		if ($blnCheckRequest && \Input::hasUnusedGet())
+		{
+			return;
+		}
+
 		// Index page if searching is allowed and there is no back end user
 		if ($GLOBALS['TL_CONFIG']['enableSearch'] && $objPage->type == 'regular' && !BE_USER_LOGGED_IN && !$objPage->noSearch)
 		{

system/modules/core/library/Contao/Input.php

@@ -47,6 +47,12 @@ class Input
 	 */
 	protected static $arrCache = array();
 
+	/**
+	 * Unused $_GET parameters
+	 * @var array
+	 */
+	protected static $arrUnusedGet = array();
+
 	/**
 	 * Magic quotes setting
 	 * @var boolean
@@ -65,6 +71,9 @@ public static function initialize()
 
 		// Only check magic quotes once (see #3438)
 		static::$blnMagicQuotes = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
+
+		// Initialize the unused parameters (see #4277)
+		static::$arrUnusedGet = $_GET;
 	}
 
 
@@ -73,10 +82,11 @@ public static function initialize()
 	 * 
 	 * @param string  $strKey            The variable name
 	 * @param boolean $blnDecodeEntities If true, all entities will be decoded
+	 * @param boolean $blnKeepUnused     If true, the parameter will not be marked as used (see #4277)
 	 * 
 	 * @return mixed The cleaned variable value
 	 */
-	public static function get($strKey, $blnDecodeEntities=false)
+	public static function get($strKey, $blnDecodeEntities=false, $blnKeepUnused=false)
 	{
 		if (!isset($_GET[$strKey]))
 		{
@@ -100,6 +110,12 @@ public static function get($strKey, $blnDecodeEntities=false)
 			}
 
 			static::$arrCache[$strCacheKey][$strKey] = $varValue;
+
+			// Mark the parameter as used (see #4277)
+			if (!$blnKeepUnused)
+			{
+				unset(static::$arrUnusedGet[$strKey]);
+			}
 		}
 
 		return static::$arrCache[$strCacheKey][$strKey];
@@ -271,6 +287,7 @@ public static function setGet($strKey, $varValue)
 		else
 		{
 			$_GET[$strKey] = $varValue;
+			static::$arrUnusedGet[$strKey] = $varValue; // see #4277
 		}
 	}
 
@@ -335,6 +352,17 @@ public static function resetCache()
 	}
 
 
+	/**
+	 * Return whether there are unused GET parameters
+	 * 
+	 * @return boolean True if there are unused GET parameters
+	 */
+	public static function hasUnusedGet()
+	{
+		return count(static::$arrUnusedGet) > 0;
+	}
+
+
 	/**
 	 * Sanitize the variable names (thanks to Andreas Schempp)
 	 * 

system/modules/core/modules/ModuleSearch.php

@@ -63,8 +63,15 @@ public function generate()
 	 */
 	protected function compile()
 	{
+		// Mark the x and y parameter as used (see #4277)
+		if (isset($_GET['x']))
+		{
+			\Input::get('x');
+			\Input::get('y');
+		}
+
 		// Trigger the search module from a custom form
-		if (!$_GET['keywords'] && \Input::post('FORM_SUBMIT') == 'tl_search')
+		if (!isset($_GET['keywords']) && \Input::post('FORM_SUBMIT') == 'tl_search')
 		{
 			$_GET['keywords'] = \Input::post('keywords');
 			$_GET['query_type'] = \Input::post('query_type');

system/modules/core/pages/PageRegular.php

@@ -31,8 +31,9 @@ class PageRegular extends \Frontend
 	/**
 	 * Generate a regular page
 	 * @param object
+	 * @param boolean
 	 */
-	public function generate($objPage)
+	public function generate($objPage, $blnCheckRequest=false)
 	{
 		$GLOBALS['TL_KEYWORDS'] = '';
 		$GLOBALS['TL_LANGUAGE'] = $objPage->language;
@@ -160,7 +161,7 @@ public function generate($objPage)
 		$this->createHeaderScripts($objPage, $objLayout);
 
 		// Print the template to the screen
-		$this->Template->output();
+		$this->Template->output($blnCheckRequest);
 	}