Commit 40d178b0 authored by David_Rothstein's avatar David_Rothstein

Issue #1923554 by David_Rothstein, pwolanin, mitron | alfaguru: Fixed New...

Issue #1923554 by David_Rothstein, pwolanin, mitron | alfaguru: Fixed New anti-DoS measure breaks for some file URIs.
parent bfaa7b4f
Drupal 7.21, xxxx-xx-xx (development version)
- Fixed a bug which caused the denial-of-service protection added in Drupal
7.20 to break certain valid image URLs that had an extra slash in them.
- Fixed a bug with update queries in the SQLite database driver that prevented
Drupal from being installed with SQLite on PHP 5.4.
- Fixed enforced dependencies errors updating to recent versions of Drupal 7 on
......@@ -993,7 +993,7 @@ function image_style_url($style_name, $path) {
// The token query is added even if the 'image_allow_insecure_derivatives'
// variable is TRUE, so that the emitted links remain valid if it is changed
// back to the default FALSE.
$token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, $path));
$token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, file_stream_wrapper_uri_normalize($path)));
// If not using clean URLs, the image derivative callback is only available
// with the query string. If the file does not exist, use url() to ensure
......@@ -167,10 +167,17 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
$this->_testImageStyleUrlAndPath('private', FALSE);
* Test image_style_url() with a file URL that has an extra slash in it.
function testImageStyleUrlExtraSlash() {
$this->_testImageStyleUrlAndPath('public', TRUE, TRUE);
* Test image_style_url().
function _testImageStyleUrlAndPath($scheme, $clean_url = TRUE) {
function _testImageStyleUrlAndPath($scheme, $clean_url = TRUE, $extra_slash = FALSE) {
// Make the default scheme neither "public" nor "private" to verify the
// functions work for other than the default scheme.
variable_set('file_default_scheme', 'temporary');
......@@ -196,6 +203,15 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
$this->assertFalse(file_exists($generated_uri), t('Generated file does not exist.'));
$generate_url = image_style_url($this->style_name, $original_uri);
// Ensure that the tests still pass when the file is generated by accessing
// a poorly constructed (but still valid) file URL that has an extra slash
// in it.
if ($extra_slash) {
$modified_uri = str_replace('://', ':///', $original_uri);
$this->assertNotEqual($original_uri, $modified_uri, 'An extra slash was added to the generated file URI.');
$generate_url = image_style_url($this->style_name, $modified_uri);
if (!$clean_url) {
$this->assertTrue(strpos($generate_url, '?q=') !== FALSE, 'When using non-clean URLS, the system path contains the query string.');
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment