Thread:Project:Support desk/Vector Skin Not Loading After Update to 1.22/reply (7)

This seems to be a bug.

https://git.wikimedia.org/blob/mediawiki%2Fcore.git/REL1_22/includes%2Flibs%2FCSSMin.php#L76

It's looking for file_exists based on the match of URL_REGEX, which only takes into account all url values in CSS, but it doesn't filter for data: URL, which is unnecessarily feeding file_exists for data: URLs that aren't going to be found on the server.

In fact, I don't see any further validation on those paths, so I don't know if a malicious CSS file can expose any file accessible from PHP.

Can you please file a bug report about this?