SECURITY: Don't allow loading unprotected JS files

[lhc/web/wiklou.git] / includes / libs / CSSMin.php

diff --git a/includes/libs/CSSMin.php b/includes/libs/CSSMin.php
index 73825e8..1ee7a3b 100644 (file)
--- a/includes/libs/CSSMin.php
+++ b/includes/libs/CSSMin.php
@@ -402,6 +402,7 @@ class CSSMin {
                        // Match these three variants separately to avoid broken urls when
                        // e.g. a double quoted url contains a parenthesis, or when a
                        // single quoted url contains a double quote, etc.
+                       // FIXME: Simplify now we only support PHP 7.0.0+
                        // Note: PCRE doesn't support multiple capture groups with the same name by default.
                        // - PCRE 6.7 introduced the "J" modifier (PCRE_INFO_JCHANGED for PCRE_DUPNAMES).
                        //   https://secure.php.net/manual/en/reference.pcre.pattern.modifiers.php
@@ -420,7 +421,7 @@ class CSSMin {
                        //   is only supported in PHP 5.6. Use a getter method for now.
                        $urlRegex = '(' .
                                // Unquoted url
-                               'url\(\s*(?P<file0>[^\'"][^\?\)]+?)(?P<query0>\?[^\)]*?|)\s*\)' .
+                               'url\(\s*(?P<file0>[^\s\'"][^\?\)]+?)(?P<query0>\?[^\)]*?|)\s*\)' .
                                // Single quoted url
                                '|url\(\s*\'(?P<file1>[^\?\']+?)(?P<query1>\?[^\']*?|)\'\s*\)' .
                                // Double quoted url