@@ -249,6 +249,51 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
$this->drupalGet(str_replace(IMAGE_DERIVATIVE_TOKEN . '=', IMAGE_DERIVATIVE_TOKEN . '=Zo', $generate_url));
$this->assertResponse(200, 'Existing image was accessible at the URL wih an invalid token.');
}
+
+ // Allow insecure image derivatives to be created for the remainder of this
+ // test.
+ variable_set('image_allow_insecure_derivatives', TRUE);
+
+ // Create another working copy of the file.
+ $files = $this->drupalGetTestFiles('image');
+ $file = array_shift($files);
+ $image_info = image_get_info($file->uri);
+ $original_uri = file_unmanaged_copy($file->uri, $scheme . '://', FILE_EXISTS_RENAME);
+ // Let the image_module_test module know about this file, so it can claim
+ // ownership in hook_file_download().
+ variable_set('image_module_test_file_download', $original_uri);
+
+ // Get the URL of a file that has not been generated and try to create it.
+ $generated_uri = image_style_path($this->style_name, $original_uri);
+ $this->assertFalse(file_exists($generated_uri), 'Generated file does not exist.');
+ $generate_url = image_style_url($this->style_name, $original_uri);
+
+ // Check that the image is accessible even without the security token.
+ $this->drupalGet(str_replace(IMAGE_DERIVATIVE_TOKEN . '=', 'wrongparam=', $generate_url));
+ $this->assertResponse(200, 'Image was accessible at the URL with a missing token.');
+
+ // Check that a security token is still required when generating a second
+ // image derivative using the first one as a source.
+ $nested_uri = image_style_path($this->style_name, $generated_uri);
+ $nested_url = image_style_url($this->style_name, $generated_uri);
+ $nested_url_with_wrong_token = str_replace(IMAGE_DERIVATIVE_TOKEN . '=', 'wrongparam=', $nested_url);
+ $this->drupalGet($nested_url_with_wrong_token);
+ $this->assertResponse(403, 'Image generated from an earlier derivative was inaccessible at the URL with a missing token.');
+ // Check that this restriction cannot be bypassed by adding extra slashes
+ // to the URL.
+ $this->drupalGet(substr_replace($nested_url_with_wrong_token, '//styles/', strrpos($nested_url_with_wrong_token, '/styles/'), strlen('/styles/')));
+ $this->assertResponse(403, 'Image generated from an earlier derivative was inaccessible at the URL with a missing token, even with an extra forward slash in the URL.');
+ $this->drupalGet(substr_replace($nested_url_with_wrong_token, '/\styles/', strrpos($nested_url_with_wrong_token, '/styles/'), strlen('/styles/')));
+ $this->assertResponse(403, 'Image generated from an earlier derivative was inaccessible at the URL with a missing token, even with an extra backslash in the URL.');
+ // Make sure the image can still be generated if a correct token is used.
+ $this->drupalGet($nested_url);
+ $this->assertResponse(200, 'Image was accessible when a correct token was provided in the URL.');
+
+ // Check that requesting a nonexistent image does not create any new
+ // directories in the file system.
+ $directory = $scheme . '://styles/' . $this->style_name . '/' . $scheme . '/' . $this->randomName();
+ $this->drupalGet(file_create_url($directory . '/' . $this->randomName()));
+ $this->assertFalse(file_exists($directory), 'New directory was not created in the filesystem when requesting an unauthorized image.');
}
}
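Review bot: `$nested_uri` is computed at `image_style_path($this->style_name, $generated_uri)` but never used, so the three 403 assertions for the nested derivative only check the HTTP status and never confirm that the rejected requests left no file on disk — which is the property the token is meant to protect. After the backslash-variant assertion add `$this->assertFalse(file_exists($nested_uri), 'Nested derivative was not generated by a request without a valid token.');` and after the correct-token 200 add `$this->assertTrue(file_exists($nested_uri), 'Nested derivative was generated when a correct token was provided.');`, and likewise assert `file_exists($generated_uri)` after the missing-token 200 so that the 200 is known to come from a freshly generated derivative. The nested case also only exercises a missing token (`wrongparam=`); a present-but-wrong token, mirroring the `=Zo` request earlier in this method, is not covered and would be a one-line `drupalGet` plus `assertResponse(403, ...)` on `$nested_url`. The enclosing test method begins before this hunk.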