authorAlex Pott2015-09-19 16:57:15 (GMT)
committerAlex Pott2015-09-19 16:57:15 (GMT)
commitb37e84f08b2a5e998f075d021dec225d7997ffde (patch)
tree88c9fd3970ea6e164d90c9dda312c8de57ef732d /core/modules/image/src/Tests/ImageStylesPathAndUrlTest.php
parent0f8b5b1b4fe9f044f46da747a5f46c5835efc20c (diff)
Issue #1934568 by David_Rothstein, StryKaizer, borisson_, martin107, pwolanin, ofry, amitgoyal: Allow sites using the 'image_allow_insecure_derivatives' variable to have partial protection from the Drupal 7.20 security issue
Diffstat (limited to 'core/modules/image/src/Tests/ImageStylesPathAndUrlTest.php')
-rw-r--r--core/modules/image/src/Tests/ImageStylesPathAndUrlTest.php28
1 files changed, 28 insertions, 0 deletions
diff --git a/core/modules/image/src/Tests/ImageStylesPathAndUrlTest.php b/core/modules/image/src/Tests/ImageStylesPathAndUrlTest.php
index eb09e07..fa0c2d4 100644
--- a/core/modules/image/src/Tests/ImageStylesPathAndUrlTest.php
+++ b/core/modules/image/src/Tests/ImageStylesPathAndUrlTest.php
@@ -224,6 +224,34 @@ class ImageStylesPathAndUrlTest extends WebTestBase {
$this->assertIdentical(strpos($generate_url, IMAGE_DERIVATIVE_TOKEN . '='), FALSE, 'The security token does not appear in the image style URL.');
$this->drupalGet($generate_url);
$this->assertResponse(200, 'Image was accessible at the URL with a missing token.');
+
+ // Stop supressing the security token in the URL.
+ $this->config('image.settings')->set('suppress_itok_output', FALSE)->save();
+ // Ensure allow_insecure_derivatives is enabled.
+ $this->assertEqual($this->config('image.settings')->get('allow_insecure_derivatives'), TRUE);
+ // Check that a security token is still required when generating a second
+ // image derivative using the first one as a source.
+ $nested_url = $this->style->buildUrl($generated_uri, $clean_url);
+ $matches_expected_url_format = (boolean) preg_match('/styles\/' . $this->style->id() . '\/' . $scheme . '\/styles\/' . $this->style->id() . '\/' . $scheme . '/', $nested_url);
+ $this->assertTrue($matches_expected_url_format, "Url for a derivative of an image style matches expected format.");
+ $nested_url_with_wrong_token = str_replace(IMAGE_DERIVATIVE_TOKEN . '=', 'wrongparam=', $nested_url);
+ $this->drupalGet($nested_url_with_wrong_token);
+ $this->assertResponse(403, 'Image generated from an earlier derivative was inaccessible at the URL with a missing token.');
+ // Check that this restriction cannot be bypassed by adding extra slashes
+ // to the URL.
+ $this->drupalGet(substr_replace($nested_url_with_wrong_token, '//styles/', strrpos($nested_url_with_wrong_token, '/styles/'), strlen('/styles/')));
+ $this->assertResponse(403, 'Image generated from an earlier derivative was inaccessible at the URL with a missing token, even with an extra forward slash in the URL.');
+ $this->drupalGet(substr_replace($nested_url_with_wrong_token, '////styles/', strrpos($nested_url_with_wrong_token, '/styles/'), strlen('/styles/')));
+ $this->assertResponse(403, 'Image generated from an earlier derivative was inaccessible at the URL with a missing token, even with multiple forward slashes in the URL.');
+ // Make sure the image can still be generated if a correct token is used.
+ $this->drupalGet($nested_url);
+ $this->assertResponse(200, 'Image was accessible when a correct token was provided in the URL.');
+
+ // Check that requesting a nonexistent image does not create any new
+ // directories in the file system.
+ $directory = $scheme . '://styles/' . $this->style->id() . '/' . $scheme . '/' . $this->randomMachineName();
+ $this->drupalGet(file_create_url($directory . '/' . $this->randomString()));
+ $this->assertFalse(file_exists($directory), 'New directory was not created in the filesystem when requesting an unauthorized image.');
}
}
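Review bot: The pattern built on the `$matches_expected_url_format` line interpolates `$this->style->id()` and `$scheme` straight into the regex without `preg_quote()`, so a value containing a regex metacharacter, or a `/` that collides with the pattern delimiter, would change what is matched or trigger a PCRE warning instead of a clean assertion failure; wrap both with `preg_quote($this->style->id(), '/')` and `preg_quote($scheme, '/')`. On the `allow_insecure_derivatives` line, `assertEqual(..., TRUE)` accepts any truthy value while the surrounding test uses `assertIdentical`; `$this->assertIdentical($this->config('image.settings')->get('allow_insecure_derivatives'), TRUE);` would pin the configured boolean. The comment above it misspells "suppressing" as "supressing". The enclosing test method starts before this hunk.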