Commit 3041676f authored by Dries's avatar Dries

Issue #1934498 by attiks, Jelle_S, David_Rothstein: Allow the image style...

Issue #1934498 by attiks, Jelle_S, David_Rothstein: Allow the image style 'itok' token to be suppressed in image derivative URLs.
parent db2df2d8
......@@ -730,7 +730,15 @@ function image_style_url($style_name, $path) {
// The token query is added even if the
// 'image.settings:allow_insecure_derivatives' configuration is TRUE, so that
// the emitted links remain valid if it is changed back to the default FALSE.
$token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, file_stream_wrapper_uri_normalize($path)));
// However, sites which need to prevent the token query from being emitted at
// all can additionally set the 'image.settings:suppress_itok_output'
// configuration to TRUE to achieve that (if both are set, the security token
// will neither be emitted in the image derivative URL nor checked for in
// image_style_deliver()).
$token_query = array();
if (!config('image.settings')->get('suppress_itok_output')) {
$token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, file_stream_wrapper_uri_normalize($path)));
}
// If not using clean URLs, the image derivative callback is only available
// with the script path. If the file does not exist, use url() to ensure
......@@ -742,8 +750,12 @@ function image_style_url($style_name, $path) {
}
$file_url = file_create_url($uri);
// Append the query string with the token.
return $file_url . (strpos($file_url, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($token_query);
// Append the query string with the token, if necessary.
if ($token_query) {
$file_url .= (strpos($file_url, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($token_query);
}
return $file_url;
}
/**
......
......@@ -200,6 +200,30 @@ function _testImageStyleUrlAndPath($scheme, $clean_url = TRUE, $extra_slash = FA
$this->assertResponse(200, 'Existing image was accessible at the URL wih an invalid token.');
}
// Allow insecure image derivatives to be created for the remainder of this
// test.
config('image.settings')->set('allow_insecure_derivatives', TRUE)->save();
// Create another working copy of the file.
$files = $this->drupalGetTestFiles('image');
$file = array_shift($files);
$image_info = image_get_info($file->uri);
$original_uri = file_unmanaged_copy($file->uri, $scheme . '://', FILE_EXISTS_RENAME);
// Let the image_module_test module know about this file, so it can claim
// ownership in hook_file_download().
state()->set('image.test_file_download', $original_uri);
// Suppress the security token in the URL, then get the URL of a file that
// has not been created and try to create it. Check that the security token
// is not present in the URL but that the image is still accessible.
config('image.settings')->set('suppress_itok_output', TRUE)->save();
$generated_uri = image_style_path($this->style_name, $original_uri);
$this->assertFalse(file_exists($generated_uri), 'Generated file does not exist.');
$generate_url = image_style_url($this->style_name, $original_uri);
$this->assertIdentical(strpos($generate_url, IMAGE_DERIVATIVE_TOKEN . '='), FALSE, 'The security token does not appear in the image style URL.');
$this->drupalGet($generate_url);
$this->assertResponse(200, 'Image was accessible at the URL with a missing token.');
$GLOBALS['script_path'] = $script_path_original;
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment