diff --git a/_test/cases/inc/pageutils_getID.test.php b/_test/cases/inc/pageutils_getID.test.php
index 33ff12c79c89afb7f77e7c1ffea82277c08759b5..e6ddb5e3bb138979c3bf8c744363771cd7a4f1d2 100644
--- a/_test/cases/inc/pageutils_getID.test.php
+++ b/_test/cases/inc/pageutils_getID.test.php
@@ -12,16 +12,38 @@ class init_getID_test extends UnitTestCase {
 function test1(){
 global $conf;
 $conf['basedir'] = '//';
- $conf['urlrewrite'] = 2;
+ $conf['userewrite'] = 2;
 $conf['deaccent'] = 0; // the default (1) gives me strange exceptions
 $_SERVER['SCRIPT_FILENAME'] = '/lib/exe/fetch.php';
 $_SERVER['REQUEST_URI'] = '/lib/exe/fetch.php/myhdl-0.5dev1.tar.gz?id=snapshots&cache=cache';
- $this->assertEqual(getID($param='not_id'), 'myhdl-0.5dev1.tar.gz');
+ $this->assertEqual(getID('media'), 'myhdl-0.5dev1.tar.gz');
 }
-}
+ /**
+ * getID with internal mediafile, urlrewrite=2, no basedir set, apache, mod_php
+ */
+ function test2(){
+ global $conf;
+ $conf['basedir'] = '';
+ $conf['userewrite'] = '2';
+ $conf['baseurl'] = '';
+ $conf['useslash'] = '1';
+ $_SERVER['DOCUMENT_ROOT'] = '/var/www/';
+ $_SERVER['HTTP_HOST'] = 'xerxes.my.home';
+ $_SERVER['SCRIPT_FILENAME'] = '/var/www/dokuwiki/lib/exe/detail.php';
+ $_SERVER['PHP_SELF'] = '/dokuwiki/lib/exe/detail.php/wiki/discussion/button-dw.png';
+ $_SERVER['REQUEST_URI'] = '/dokuwiki/lib/exe/detail.php/wiki/discussion/button-dw.png?id=test&debug=1';
+ $_SERVER['SCRIPT_NAME'] = '/dokuwiki/lib/exe/detail.php';
+ $_SERVER['PATH_INFO'] = '/wiki/discussion/button-dw.png';
+ $_SERVER['PATH_TRANSLATED'] = '/var/www/wiki/discussion/button-dw.png';
+
+ $this->assertEqual(getID('media',true), 'wiki:discussion:button-dw.png');
+ $this->assertEqual(getID('media',false), 'wiki/discussion/button-dw.png');
+ }
+}
+//Setup VIM: ex: et ts=4 enc=utf-8 :
diff --git a/inc/auth.php b/inc/auth.php
index 4db852d5ca745e14c778181873cb280b8b3d6576..76ce525cf3cf8f14781d1cdc9f7647b7b5db3327 100644
--- a/inc/auth.php
+++ b/inc/auth.php
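Review bot: In `_test/cases/inc/pageutils_getID.test.php`, neither `test1()` nor the new `test2()` sets or clears `$_REQUEST`, although `getID()` reads `$_REQUEST[$param]` first and only parses the request URI when that value is empty. Both assertions therefore depend on whatever an earlier test or the runner left in `$_REQUEST['media']`, and a stale value would make them pass or fail without ever reaching the URL-rewrite branch under test. Start each test with `$_REQUEST = array();` so the URI path is the one actually exercised. The `$conf` and `$_SERVER` keys set here are also left in place for later tests.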
@@ -310,7 +310,7 @@ function auth_aclcheck($id,$user,$groups){
 }
 //check exact match first
- $matches = preg_grep('/^'.$id.'\s+('.$regexp.')\s+/',$AUTH_ACL);
+ $matches = preg_grep('/^'.preg_quote($id,'/').'\s+('.$regexp.')\s+/',$AUTH_ACL);
 if(count($matches)){
 foreach($matches as $match){
 $match = preg_replace('/#.*$/','',$match); //ignore comments
diff --git a/inc/pageutils.php b/inc/pageutils.php
index bf629c09754f329952c513ac9a15d81228845a59..1dc66981d44fcd81bf6985c0a6cd0a58588d1bb1 100644
--- a/inc/pageutils.php
+++ b/inc/pageutils.php
@@ -13,19 +13,16 @@
 * Uses either standard $_REQUEST variable or extracts it from
 * the full request URI when userewrite is set to 2
 *
- * For $param='id' $conf['start'] is returned if no id was found
- * and the returned ID will be cleaned. For other params the
- * cleaning has to be done outside this function
+ * For $param='id' $conf['start'] is returned if no id was found.
+ * If the second parameter is true (default) the ID is cleaned.
 *
 * @author Andreas Gohr <andi@splitbrain.org>
 */
-function getID($param='id'){
+function getID($param='id',$clean=true){
 global $conf;
 $id = $_REQUEST[$param];
- if($param == 'id') $id = cleanID($id);
-
 //construct page id from request URI
 if(empty($id) && $conf['userewrite'] == 2){
 //get the script URL
@@ -52,10 +49,12 @@ function getID($param='id'){
 $id = preg_replace ('/\?.*/','',$match[1]);
 }
 $id = urldecode($id);
- $id = cleanID($id);
+ //strip leading slashes
+ $id = preg_replace('!^/+!','',$id);
 }
 if(empty($id) && $param=='id') $id = cleanID($conf['start']);
-
+ if(empty($id) && $param=='id') $id = $conf['start'];
+ if($clean) $id = cleanID($id);
+
 return $id;
 }
diff --git a/lib/exe/detail.php b/lib/exe/detail.php
index 21a34d721771fd65ff45ed6bec6d1a4eae5a00c9..5d7de0119f3818e2313cdfdefb8fb851bcf1cc01 100644
--- a/lib/exe/detail.php
+++ b/lib/exe/detail.php
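Review bot: In `inc/auth.php`, `$regexp` is still interpolated unquoted into the pattern on the changed `preg_grep()` line, so the fix covers `$id` only. `$regexp` is built above the hunk; if it is assembled from `$user` and `$groups`, each part needs the same treatment before it is joined, e.g. `preg_quote($user,'/')`, otherwise regex metacharacters in a user or group name can still change which ACL lines match. `auth_aclcheck()` continues below the hunk, so any later pattern built from the namespace path should be checked for the same omission. A regression test with an ID containing a `.` against an ACL line that differs only in that character would lock the fix in.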
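Review bot: The rewritten docblock of `getID()` in `inc/pageutils.php` mentions the second parameter but has no `@param` lines and does not say what a caller receives when `$clean` is false. The value comes straight from `$_REQUEST` or the request URI, so that case returns untrusted text and the comment should say so, for example `@param bool $clean if false the raw request-supplied value is returned; the caller must validate it before using it as a page or media ID`. A matching `@param string $param` line naming the request variable would complete it. The body of `getID()` continues outside this hunk.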
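Review bot: With `$clean` false the two input paths of `getID()` now normalise differently: a value taken from `$_REQUEST[$param]` is returned untouched, while a value parsed from the URI is URL-decoded and has its leading slashes stripped by the added `preg_replace('!^/+!','',$id)`. Nothing else is removed in either case, so relative path segments and any other characters `cleanID()` would drop reach the caller unchanged. Moving the strip out of the rewrite branch, directly above `if($clean) $id = cleanID($id);`, would at least make both paths agree. Everything beyond that has to be enforced by each caller that passes false, before the value is used for an ACL lookup or a file path.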
@@ -14,6 +14,21 @@
 $IMG = getID('media');
 $ID = cleanID($_REQUEST['id']);
+ //FIXME remove me later
+ if($_REQUEST['debug']){
+ print '<pre>';
+ foreach(explode(' ','basedir userewrite baseurl useslash') as $x){
+ print '$'."conf['$x'] = '".$conf[$x]."';\n";
+ }
+ foreach(explode(' ','DOCUMENT_ROOT HTTP_HOST SCRIPT_FILENAME PHP_SELF '.
+ 'REQUEST_URI SCRIPT_NAME PATH_INFO PATH_TRANSLATED') as $x){
+ print '$'."_SERVER['$x'] = '".$_SERVER[$x]."';\n";
+ }
+ print "getID('media'): ".getID('media')."\n";
+ print "getID('media',false): ".getID('media',false)."\n";
+ print '</pre>';
+ }
+
 $ERROR = false;
 // check image permissions
 $AUTH = auth_quickaclcheck($IMG);
diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php
index 902d9248ea60689762f7a1d55cde428780b431ea..89c88090ca631b856051689c088eec0d78c0be17 100644
--- a/lib/exe/fetch.php
+++ b/lib/exe/fetch.php
@@ -18,7 +18,7 @@
 $mimetypes = getMimeTypes();
 //get input
- $MEDIA = getID('media');
+ $MEDIA = getID('media',false); // no cleaning - maybe external
 $CACHE = calc_cache($_REQUEST['cache']);
 $WIDTH = $_REQUEST['w'];
 $HEIGHT = $_REQUEST['h'];
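Review bot: The debug block added to `lib/exe/detail.php` runs for any visitor who sends a `debug` parameter, before `auth_quickaclcheck($IMG)` is reached, and prints configuration values and server paths (`DOCUMENT_ROOT`, `SCRIPT_FILENAME`, `PATH_TRANSLATED`) into the response. It also writes request-controlled values (`REQUEST_URI`, `PATH_INFO`, `PHP_SELF`, `HTTP_HOST` and both `getID()` results) into HTML without escaping, which makes it a reflected-XSS sink. A `//FIXME remove me later` marker is easy to ship by accident. Until the block is removed, gate it on a server-side setting rather than on the request alone and escape every printed value, e.g. `print '$'."_SERVER['$x'] = '".htmlspecialchars($_SERVER[$x])."';\n";`.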
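Review bot: In `lib/exe/fetch.php`, `$MEDIA` is now raw request input, and the code that decides whether it is an external URL or a local media ID is not in this hunk. Unless that is already done further down, the local case must go through `cleanID()` before the ACL check and before the ID is turned into a file path, with both steps using the same cleaned value, e.g. `if(!preg_match('#^(https?|ftp)://#i',$MEDIA)) $MEDIA = cleanID($MEDIA);` directly after this line. The trailing comment should state that requirement instead of only `no cleaning - maybe external`.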