author | David Rothstein <drothstein@gmail.com> | 2013-02-28 23:41:58 -0500 |
committer | David Rothstein <drothstein@gmail.com> | 2013-02-28 23:41:58 -0500 |
commit | 40d178b0097040017f2fe17607b0b2c1ad17c181 (patch) | |
tree | 109443a7c57f11b0232bc5c0492e4576a46a7a2d /modules/image | |
parent | bfaa7b4fd0c0b16e38ba3475d0be24b1d5f9a5d1 (diff) | |
download | brdo-40d178b0097040017f2fe17607b0b2c1ad17c181.tar.gz brdo-40d178b0097040017f2fe17607b0b2c1ad17c181.tar.bz2 |
Issue #1923554 by David_Rothstein, pwolanin, mitron | alfaguru: Fixed New anti-DoS measure breaks for some file URIs.
Diffstat (limited to 'modules/image')
-rw-r--r-- | modules/image/image.module | 2 | ||||
-rw-r--r-- | modules/image/image.test | 18 |
2 files changed, 18 insertions, 2 deletions
diff --git a/modules/image/image.module b/modules/image/image.module
index 258f12f82..78f5effcf 100644
--- a/modules/image/image.module
+++ b/modules/image/image.module
@@ -993,7 +993,7 @@ function image_style_url($style_name, $path) {
 // The token query is added even if the 'image_allow_insecure_derivatives'
 // variable is TRUE, so that the emitted links remain valid if it is changed
 // back to the default FALSE.
- $token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, $path));
+ $token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, file_stream_wrapper_uri_normalize($path)));
 // If not using clean URLs, the image derivative callback is only available
 // with the query string. If the file does not exist, use url() to ensure
diff --git a/modules/image/image.test b/modules/image/image.test
index d4db2130b..cb4ce4848 100644
--- a/modules/image/image.test
+++ b/modules/image/image.test
@@ -168,9 +168,16 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
 }
 /**
+ * Test image_style_url() with a file URL that has an extra slash in it.
+ */
+ function testImageStyleUrlExtraSlash() {
+ $this->_testImageStyleUrlAndPath('public', TRUE, TRUE);
+ }
+
+ /**
 * Test image_style_url().
 */
- function _testImageStyleUrlAndPath($scheme, $clean_url = TRUE) {
+ function _testImageStyleUrlAndPath($scheme, $clean_url = TRUE, $extra_slash = FALSE) {
 // Make the default scheme neither "public" nor "private" to verify the
 // functions work for other than the default scheme.
 variable_set('file_default_scheme', 'temporary'); 
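Review bot: The added `file_stream_wrapper_uri_normalize($path)` call silently couples token generation to whatever normalization the derivative request goes through on the way to the token check, and the comment directly above the changed line does not mention that coupling, so a later change on either side would break the anti-DoS token with no visible hint. I would extend the comment: `// Normalize the URI before signing so that a URI with extra slashes after the scheme yields the same token as the normalized form the derivative callback validates against.` Note that `$path` itself is still passed unnormalized to the rest of image_style_url(), whose body continues outside the hunk, so the emitted path and the token are presumably derived from different forms of the same URI; that looks intentional here but is worth stating next to the call.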
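Review bot: `_testImageStyleUrlAndPath()` gains a third parameter but its docblock still reads only `Test image_style_url().`, so the meaning of `$extra_slash` is discoverable only by reading the second hunk. I would document all three parameters in that docblock, e.g. `@param bool $extra_slash Whether to request the derivative through a URI with an extra slash after the scheme (public:///... instead of public://...).` testImageStyleUrlExtraSlash() covers only the public scheme with clean URLs; if the private-scheme and non-clean-URL cases elsewhere in this class (outside the hunk) also go through the token path, a parallel extra-slash call for them would be cheap to add.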
@@ -196,6 +203,15 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
 $this->assertFalse(file_exists($generated_uri), t('Generated file does not exist.'));
 $generate_url = image_style_url($this->style_name, $original_uri);
+ // Ensure that the tests still pass when the file is generated by accessing
+ // a poorly constructed (but still valid) file URL that has an extra slash
+ // in it.
+ if ($extra_slash) {
+ $modified_uri = str_replace('://', ':///', $original_uri);
+ $this->assertNotEqual($original_uri, $modified_uri, 'An extra slash was added to the generated file URI.');
+ $generate_url = image_style_url($this->style_name, $modified_uri);
+ }
+
 if (!$clean_url) {
 $this->assertTrue(strpos($generate_url, '?q=') !== FALSE, 'When using non-clean URLS, the system path contains the query string.');
 } |
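Review bot: When `$extra_slash` is TRUE the new branch only swaps `$generate_url` for the extra-slash variant and never asserts the property the image.module change actually establishes — that the token emitted for `$modified_uri` equals the one emitted for `$original_uri` — so a regression would surface only later through the derivative fetch, which lies outside this hunk. A direct check makes the failure readable: `$this->assertEqual(parse_url(image_style_url($this->style_name, $original_uri), PHP_URL_QUERY), parse_url($generate_url, PHP_URL_QUERY), 'An extra slash in the URI does not change the derivative token.');` Comparing only the query string sidesteps the path portion, which presumably still carries the extra slash; in the clean-URL case this test uses, the query should hold just the token, which is worth confirming against the rest of image_style_url(). The `image_style_url()` result computed just before the branch is discarded on the extra-slash path, so computing it once after the branch with the chosen URI would also avoid the redundant call.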