authorDries2013-05-29 19:09:59 (GMT)
committerDries2013-05-29 19:09:59 (GMT)
commit3041676f3f13eae43a14eca78f27670aa7d07ac0 (patch)
tree7caf11552fc879186847d0020ac001d2221f70b2
parentdb2df2d80889263cdb7deffbd25c5ea2291aab72 (diff)
Issue #1934498 by attiks, Jelle_S, David_Rothstein: Allow the image style 'itok' token to be suppressed in image derivative URLs.
-rw-r--r--core/modules/image/image.module18
-rw-r--r--core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php24
2 files changed, 39 insertions, 3 deletions
diff --git a/core/modules/image/image.module b/core/modules/image/image.module
index 2cc6f6b..051912a 100644
--- a/core/modules/image/image.module
+++ b/core/modules/image/image.module
@@ -730,7 +730,15 @@ function image_style_url($style_name, $path) {
// The token query is added even if the
// 'image.settings:allow_insecure_derivatives' configuration is TRUE, so that
// the emitted links remain valid if it is changed back to the default FALSE.
- $token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, file_stream_wrapper_uri_normalize($path)));
+ // However, sites which need to prevent the token query from being emitted at
+ // all can additionally set the 'image.settings:suppress_itok_output'
+ // configuration to TRUE to achieve that (if both are set, the security token
+ // will neither be emitted in the image derivative URL nor checked for in
+ // image_style_deliver()).
+ $token_query = array();
+ if (!config('image.settings')->get('suppress_itok_output')) {
+ $token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, file_stream_wrapper_uri_normalize($path)));
+ }
// If not using clean URLs, the image derivative callback is only available
// with the script path. If the file does not exist, use url() to ensure
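Review bot: The new `if (!config('image.settings')->get('suppress_itok_output'))` check drops the token on `suppress_itok_output` alone, although the comment above it describes that setting as one used in addition to `allow_insecure_derivatives`. If only the suppress flag is set, the emitted URLs carry no token while image_style_deliver() (not visible in this hunk) presumably still requires one, so derivatives that have not been generated yet would stop loading with no hint as to why. Consider failing safe by reading the config once with `$settings = config('image.settings');` and suppressing only when both flags are set: `if (!$settings->get('suppress_itok_output') || !$settings->get('allow_insecure_derivatives')) {`. The comment should also state that with both flags set the derivative callback accepts untokenized requests, so the site needs some other limit on what can trigger derivative generation. image_style_url() starts before and continues past this hunk.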
@@ -742,8 +750,12 @@ function image_style_url($style_name, $path) {
}
$file_url = file_create_url($uri);
- // Append the query string with the token.
- return $file_url . (strpos($file_url, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($token_query);
+ // Append the query string with the token, if necessary.
+ if ($token_query) {
+ $file_url .= (strpos($file_url, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($token_query);
+ }
+
+ return $file_url;
}
/**
diff --git a/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php b/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php
index ae550ae..7b1b2ed 100644
--- a/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php
+++ b/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php
@@ -200,6 +200,30 @@ class ImageStylesPathAndUrlTest extends WebTestBase {
$this->assertResponse(200, 'Existing image was accessible at the URL wih an invalid token.');
}
+ // Allow insecure image derivatives to be created for the remainder of this
+ // test.
+ config('image.settings')->set('allow_insecure_derivatives', TRUE)->save();
+
+ // Create another working copy of the file.
+ $files = $this->drupalGetTestFiles('image');
+ $file = array_shift($files);
+ $image_info = image_get_info($file->uri);
+ $original_uri = file_unmanaged_copy($file->uri, $scheme . '://', FILE_EXISTS_RENAME);
+ // Let the image_module_test module know about this file, so it can claim
+ // ownership in hook_file_download().
+ state()->set('image.test_file_download', $original_uri);
+
+ // Suppress the security token in the URL, then get the URL of a file that
+ // has not been created and try to create it. Check that the security token
+ // is not present in the URL but that the image is still accessible.
+ config('image.settings')->set('suppress_itok_output', TRUE)->save();
+ $generated_uri = image_style_path($this->style_name, $original_uri);
+ $this->assertFalse(file_exists($generated_uri), 'Generated file does not exist.');
+ $generate_url = image_style_url($this->style_name, $original_uri);
+ $this->assertIdentical(strpos($generate_url, IMAGE_DERIVATIVE_TOKEN . '='), FALSE, 'The security token does not appear in the image style URL.');
+ $this->drupalGet($generate_url);
+ $this->assertResponse(200, 'Image was accessible at the URL with a missing token.');
+
$GLOBALS['script_path'] = $script_path_original;
}
}
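Review bot: The added test covers only the combination where both `allow_insecure_derivatives` and `suppress_itok_output` are TRUE, so nothing pins what happens when the token is suppressed while the token check is still enforced. A second case that sets `allow_insecure_derivatives` back to FALSE, requests a fresh tokenless URL for a derivative that does not exist yet, and asserts that the request is refused (presumably a 403, in line with the invalid-token assertions outside this hunk) would guard against the suppress flag ever bypassing the check by itself. `$image_info = image_get_info($file->uri);` is assigned but not used in the added lines and could be dropped. The test method starts outside the hunk.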