From 03cbe6517b64b7b22fb1bbcf3e753634d178cb0d Mon Sep 17 00:00:00 2001
From: David Rothstein <drothstein@gmail.com>
Date: Mon, 1 Feb 2016 11:10:22 -0500
Subject: Issue #1891228 by eiriksm, logaritmisk, joelpittet, stefan.r,
 StefanPr, mariancalinro: image_style_deliver can create invalid headers

---
 modules/image/image.module                   |  4 ++--
 modules/image/image.test                     | 16 ++++++++++++++++
 modules/image/tests/image_module_test.module |  3 +++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/modules/image/image.module b/modules/image/image.module
index 526330c67..dab88361a 100644
--- a/modules/image/image.module
+++ b/modules/image/image.module
@@ -835,8 +835,8 @@ function image_style_deliver($style, $scheme) {
       file_download($scheme, file_uri_target($derivative_uri));
     }
     else {
-      $headers = module_invoke_all('file_download', $image_uri);
-      if (in_array(-1, $headers) || empty($headers)) {
+      $headers = file_download_headers($image_uri);
+      if (empty($headers)) {
         return MENU_ACCESS_DENIED;
       }
       if (count($headers)) {
diff --git a/modules/image/image.test b/modules/image/image.test
index 87d803a53..42f8d8bca 100644
--- a/modules/image/image.test
+++ b/modules/image/image.test
@@ -201,6 +201,22 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
     $this->assertResponse(404, 'Accessing an image style URL with a source image that does not exist provides a 404 error response.');
   }
 
+  /**
+   * Test that we do not pass an array to drupal_add_http_header.
+   */
+  function testImageContentTypeHeaders() {
+    $files = $this->drupalGetTestFiles('image');
+    $file = array_shift($files);
+    // Copy the test file to private folder.
+    $private_file = file_copy($file, 'private://', FILE_EXISTS_RENAME);
+    // Tell image_module_test module to return the headers we want to test.
+    variable_set('image_module_test_invalid_headers', $private_file->uri);
+    // Invoke image_style_deliver so it will try to set headers.
+    $generated_url = image_style_url($this->style_name, $private_file->uri);
+    $this->drupalGet($generated_url);
+    variable_del('image_module_test_invalid_headers');
+  }
+
   /**
    * Test image_style_url().
    */
diff --git a/modules/image/tests/image_module_test.module b/modules/image/tests/image_module_test.module
index 8a322fb97..fc66d9b8b 100644
--- a/modules/image/tests/image_module_test.module
+++ b/modules/image/tests/image_module_test.module
@@ -9,6 +9,9 @@ function image_module_test_file_download($uri) {
   if (variable_get('image_module_test_file_download', FALSE) == $uri) {
     return array('X-Image-Owned-By' => 'image_module_test');
   }
+  if (variable_get('image_module_test_invalid_headers', FALSE) == $uri) {
+    return array('Content-Type' => 'image/png');
+  }
 }
 
 /**
-- 
cgit v1.2.3