From d753e330a20786b8410156adfaeb0812ea85c560 Mon Sep 17 00:00:00 2001
From: Timo Tijhof
Date: Wed, 18 Jan 2017 06:07:05 +0000
Subject: [PATCH] OutputPage: Ignore protocol-relative urls in transformResourcePath() transformResourcePath is only supposed to be called with something that starts with a '/' (absolute path from document root). While the primary caller (CSSMin) only calls this method if the path makes sense as a local file path, ResourceLoaderSkinModule did not, and wgLogo may be set to a full url that includes a domain. While chance made it so that protocol-including urls were already discarded, protocol-relative urls were mistaken for being a path inside the file system root with a duplicate slash (e.g. '//tmp/foo.txt', as 'foo.txt' in /fmp, instead of '/foo.txt' at http://tmp). This should be fixed upstream in the wikimedia/relpath library, but workaround it for now since it really shouldn't be called with urls in the first place. Bug: T155310 Change-Id: I9b063f1219ddeca5cc2c8a48832cdf8c9eaffe58
---
 includes/OutputPage.php | 5 +++--
 tests/phpunit/includes/OutputPageTest.php | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 211f44bf5c..8fe128507a 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -3703,8 +3703,9 @@ class OutputPage extends ContextSource {
 } else {
 $remotePath = $remotePathPrefix;
 }
- if ( strpos( $path, $remotePath ) !== 0 ) {
- // Path is outside wgResourceBasePath, ignore.
+ if ( strpos( $path, $remotePath ) !== 0 || substr( $path, 0, 2 ) === '//' ) {
+ // - Path is outside wgResourceBasePath, ignore.
+ // - Path is protocol-relative. Fixes T155310. Not supported by RelPath lib.
 return $path;
 }
 $path = RelPath\getRelativePath( $path, $remotePath );
diff --git a/tests/phpunit/includes/OutputPageTest.php b/tests/phpunit/includes/OutputPageTest.php
index f0c8f7abc8..0e83006221 100644
--- a/tests/phpunit/includes/OutputPageTest.php
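Review bot: The two-bullet comment under the new condition does not say when the added `substr( $path, 0, 2 ) === '//'` clause actually matters: with a prefix such as `/w` the `strpos` test already rejects `//host/...`, so it appears to take effect only when the base path is empty, which is what the new test rows exercise. Per the commit message, a misclassified URL is treated as a path under the file system root, so this guard is what keeps a configured URL (e.g. wgLogo) from being resolved to a local file, and the comment should state that contract, e.g. `// Only root-relative local paths ('/foo') are transformed; '//host/...' is a URL even when the base path is empty. Workaround for T155310 until RelPath handles it.` The check names one URL shape rather than positively validating a local path; whether `..` segments in an otherwise matching path are normalised before the file lookup cannot be seen from this hunk and is worth confirming. The enclosing function starts and ends outside the hunk.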
+++ b/tests/phpunit/includes/OutputPageTest.php
@@ -152,6 +152,9 @@ class OutputPageTest extends MediaWikiTestCase {
 // Unrelated path with domain component. Ignored.
 [ 'baseDir' => $baseDir, 'basePath' => '/w', 'https://example.org/files/test.jpg' ],
 [ 'baseDir' => $baseDir, 'basePath' => '/w', '//example.org/files/test.jpg' ],
+ // Unrelated path with domain, and empty base path (root mw install). Ignored.
+ [ 'baseDir' => $baseDir, 'basePath' => '', 'https://example.org/files/test.jpg' ],
+ [ 'baseDir' => $baseDir, 'basePath' => '', '//example.org/files/test.jpg' ], // T155310
 ];
 }
--
2.20.1