From 3f76cf0481d7535689b5f1355c52141592ae7429 Mon Sep 17 00:00:00 2001
From: BlankEclair <blankeclair@disroot.org>
Date: Fri, 23 Aug 2024 17:04:20 +1000
Subject: [PATCH] SECURITY: Workaround path traversal abusing backslashes

Bug: T369486
---
 CSS.class.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/CSS.class.php b/CSS.class.php
index ad7bc3c..332812d 100644
--- a/CSS.class.php
+++ b/CSS.class.php
@@ -41,7 +41,15 @@ class CSS {
 		} elseif ( $css[0] == '/' ) {
 			# Regular file
 			$base = $wgCSSPath === false ? $wgStylePath : $wgCSSPath;
-			$url = wfAppendQuery( $base . $css, $rawProtection );
+			// The replacement for \ to / is to workaround a path traversal,
+			// per T369486.
+			// TODO: Implement a proper URL parser. There may be more niche URL
+			// shenanigans one could get up to that MediaWiki's parser does not
+			// handle, but which the browser does. The most surefire way to
+			// guarantee that no tomfoolery happens is to 100% replicate what
+			// the browser does and not only like 90% of it.
+			$path = str_replace( '\\', '/', $css );
+			$url = wfAppendQuery( $base . $path, $rawProtection );
 
 			# Verify the expanded URL is still using the base URL
 			if ( strpos( wfExpandUrl( $url ), wfExpandUrl( $base ) ) === 0 ) {
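Review bot: The containment check on the last line of this hunk is a plain string-prefix comparison with no path-segment boundary, and after the backslash rewrite it is still the only guard on the final URL. Assuming `wfExpandUrl()` resolves dot segments, an expanded URL that merely begins with the same characters as the base (for example a sibling directory sharing the base's last segment as a name prefix) would still pass. Anchoring the comparison on a trailing slash would close that: `$expandedBase = rtrim( wfExpandUrl( $base ), '/' ) . '/';` followed by `if ( strpos( wfExpandUrl( $url ), $expandedBase ) === 0 ) {`. Since the TODO concedes the parser and the browser can disagree, a regression test for T369486 covering the backslash form would keep this workaround from silently regressing; the patch touches only CSS.class.php. The enclosing method starts and ends outside the hunk, so how a failed check is handled cannot be confirmed from here.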
-- 
2.46.0

