Merge "ResourceLoader: Limit injection of valid skins to names only"

includes/ResourceLoader/Context.php

@@ -102,12 +102,11 @@ class Context implements MessageLocalizer {
 	/**
 	 * @param ResourceLoader $resourceLoader
 	 * @param WebRequest $request
-	 * @param array|null $installedSkins If a list of skins are supplied, perform
-	 *   validation with them. But if we don't have a list of skins to validate on
-	 *   and a skin is not supplied, also fallback to the default skin.
+	 * @param string[]|null $validSkins List of valid skin names. If not passed,
+	 *   any skin name is considered valid. Invalid skins are replaced by the default.
 	 */
 	public function __construct(
-		ResourceLoader $resourceLoader, WebRequest $request, $installedSkins = null
+		ResourceLoader $resourceLoader, WebRequest $request, $validSkins = null
 	) {
 		$this->resourceLoader = $resourceLoader;
 		$this->request = $request;
@@ -135,14 +134,12 @@ class Context implements MessageLocalizer {
 
 		$this->skin = $request->getRawVal( 'skin' );
 
-		if ( is_array( $installedSkins ) ) {
-			if ( !$this->skin || !isset( $installedSkins[$this->skin] ) ) {
-				// The 'skin' parameter is required. (Not yet enforced.)
-				// For requests without a known skin specified,
-				// use MediaWiki's 'fallback' skin for skin-specific decisions.
-				$this->skin = self::DEFAULT_SKIN;
-			}
-		} elseif ( !$this->skin ) {
+		if (
+			!$this->skin
+			|| ( is_array( $validSkins ) && !in_array( $this->skin, $validSkins ) )
+		) {
+			// For requests without a known skin specified,
+			// use MediaWiki's 'fallback' skin for any skin-specific decisions.
 			$this->skin = self::DEFAULT_SKIN;
 		}
 	}

includes/ResourceLoader/ResourceLoaderEntryPoint.php

@@ -47,7 +47,7 @@ class ResourceLoaderEntryPoint extends MediaWikiEntryPoint {
 		$context = new Context(
 			$resourceLoader,
 			$this->getRequest(),
-			$services->getSkinFactory()->getInstalledSkins()
+			array_keys( $services->getSkinFactory()->getInstalledSkins() )
 		);
 
 		// Respond to ResourceLoader request

tests/phpunit/includes/ResourceLoader/ContextTest.php

@@ -205,17 +205,20 @@ class ContextTest extends TestCase {
 	public static function skinsProvider(): Generator {
 		// expected skin, supplied skin, installed skins
 		yield 'keep validated' => [
-			'example', [ 'skin' => 'example' ],
-			[ 'example' => 'ExampleSkin', 'foo' => 'FooSkin', 'bar' => 'BarSkin' ]
+			'example',
+			[ 'skin' => 'example' ],
+			[ 'example', 'foo', 'bar' ]
 		];
 
 		yield 'fallback invalid' => [
-			'fallback', [ 'skin' => 'not-example' ],
-			[ 'example' => 'ExampleSkin', 'foo' => 'FooSkin', 'bar' => 'BarSkin' ]
+			'fallback',
+			[ 'skin' => 'not-example' ],
+			[ 'example', 'foo', 'bar' ]
 		];
 
 		yield 'keep anything without validation' => [
-			'not-example', [ 'skin' => 'not-example' ],
+			'not-example',
+			[ 'skin' => 'not-example' ],
 			null
 		];
 	}