Update img_auth.php and WebRequest code to handle non index.php scripts like img_auth.php better.

Also update img_auth.php so it's abuse of $wg variables is done in a way that doesn't let "/*" action paths clobber it's handling.
This should theoretically fix bug 32486.

img_auth.php

@@ -36,7 +36,8 @@ wfProfileIn( 'img_auth.php' );
 
 # Set action base paths so that WebRequest::getPathInfo()
 # recognizes the "X" as the 'title' in ../image_auth/X urls.
-$wgActionPaths[] = $_SERVER['SCRIPT_NAME'];
+$wgArticlePath = false; # Don't let a "/*" article path clober our action path
+$wgActionPaths = array( "$wgUploadPath/" );
 
 wfImageAuthMain();
 wfLogProfilingData();
@@ -55,7 +56,11 @@ function wfImageAuthMain() {
 
 	// Get the requested file path (source file or thumbnail)
 	$matches = WebRequest::getPathInfo();
-	$path = $matches['title']; // path with leading '/'
+	$path = $matches['title'];
+	if ( $path && $path[0] !== '/' ) {
+		// Make sure $path has a leading /
+		$path = "/" . $path;
+	}
 
 	// Check for bug 28235: QUERY_STRING overriding the correct extension
 	$whitelist = array();

includes/WebRequest.php

@@ -96,6 +96,16 @@ class WebRequest {
 				// Raw PATH_INFO style
 				$matches = self::extractTitle( $path, "$wgScript/$1" );
 
+				if( !$matches
+					&& isset( $_SERVER['SCRIPT_NAME'] )
+					&& preg_match( '/\.php5?/', $_SERVER['SCRIPT_NAME'] ) )
+				{
+					# Check for SCRIPT_NAME, we handle index.php explicitly
+					# But we do have some other .php files such as img_auth.php
+					# Don't let root article paths clober the parsing for them
+					$matches = self::extractTitle( $path, $_SERVER['SCRIPT_NAME'] . "/$1" );
+				}
+
 				global $wgArticlePath;
 				if( !$matches && $wgArticlePath ) {
 					$matches = self::extractTitle( $path, $wgArticlePath );