From df65ef30618fb201772f67350ac6f3c46bcf3d98 Mon Sep 17 00:00:00 2001
From: Fomafix <fomafix@googlemail.com>
Date: Tue, 11 Jun 2019 21:54:57 +0200
Subject: [PATCH] resourceloader: Validate
 ResourceLoaderContext::getDirection() input

Only dir=ltr and dir=rtl are now allowed. Ignore other values.

Change-Id: Id39471e8a792c7c48ff7ca9d80be2e6dd4caee6b
---
 .../resourceloader/ResourceLoaderContext.php  |  6 ++--
 .../ResourceLoaderContextTest.php             | 32 +++++++++++++++++++
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/includes/resourceloader/ResourceLoaderContext.php b/includes/resourceloader/ResourceLoaderContext.php
index c596a239ff..f57f13beca 100644
--- a/includes/resourceloader/ResourceLoaderContext.php
+++ b/includes/resourceloader/ResourceLoaderContext.php
@@ -190,8 +190,10 @@ class ResourceLoaderContext implements MessageLocalizer {
 	 */
 	public function getDirection() {
 		if ( $this->direction === null ) {
-			$this->direction = $this->getRequest()->getRawVal( 'dir' );
-			if ( !$this->direction ) {
+			$direction = $this->getRequest()->getRawVal( 'dir' );
+			if ( $direction === 'ltr' || $direction === 'rtl' ) {
+				$this->direction = $direction;
+			} else {
 				// Determine directionality based on user language (T8100)
 				$this->direction = Language::factory( $this->getLanguage() )->getDir();
 			}
diff --git a/tests/phpunit/includes/resourceloader/ResourceLoaderContextTest.php b/tests/phpunit/includes/resourceloader/ResourceLoaderContextTest.php
index 2ec8ea987a..c3d5ec1fed 100644
--- a/tests/phpunit/includes/resourceloader/ResourceLoaderContextTest.php
+++ b/tests/phpunit/includes/resourceloader/ResourceLoaderContextTest.php
@@ -78,6 +78,38 @@ class ResourceLoaderContextTest extends PHPUnit\Framework\TestCase {
 		$this->assertEquals( 'zh|fallback|||styles|||||', $ctx->getHash() );
 	}
 
+	public static function provideDirection() {
+		yield 'LTR language' => [
+			[ 'lang' => 'en' ],
+			'ltr',
+		];
+		yield 'RTL language' => [
+			[ 'lang' => 'he' ],
+			'rtl',
+		];
+		yield 'explicit LTR' => [
+			[ 'lang' => 'he', 'dir' => 'ltr' ],
+			'ltr',
+		];
+		yield 'explicit RTL' => [
+			[ 'lang' => 'en', 'dir' => 'rtl' ],
+			'rtl',
+		];
+		// Not supported, but tested to cover the case and detect change
+		yield 'invalid dir' => [
+			[ 'lang' => 'he', 'dir' => 'xyz' ],
+			'rtl',
+		];
+	}
+
+	/**
+	 * @dataProvider provideDirection
+	 */
+	public function testDirection( array $params, $expected ) {
+		$ctx = new ResourceLoaderContext( $this->getResourceLoader(), new FauxRequest( $params ) );
+		$this->assertEquals( $expected, $ctx->getDirection() );
+	}
+
 	public function testShouldInclude() {
 		$ctx = new ResourceLoaderContext( $this->getResourceLoader(), new FauxRequest( [] ) );
 		$this->assertTrue( $ctx->shouldIncludeScripts(), 'Scripts in combined' );
-- 
2.20.1