diff options
author | David Rothstein <drothstein@gmail.com> | 2013-03-06 19:09:31 -0500 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2013-03-06 19:09:31 -0500 |
commit | 63fc6b8f75663588327cec1f645a1826c75f4400 (patch) | |
tree | ebddcb2fbfdef700ebf15a5cadfac24ec6cb0800 /modules/image | |
parent | 0a9cd357b43bdb0c0c7e574a15975e662f855d8d (diff) | |
parent | ec59e1197a2aa37557f9a87f13ba4d90e6aabf4c (diff) | |
download | brdo-63fc6b8f75663588327cec1f645a1826c75f4400.tar.gz brdo-63fc6b8f75663588327cec1f645a1826c75f4400.tar.bz2 |
Merge branch '7.20-hotfix' into 7.x
Conflicts:
CHANGELOG.txt
includes/bootstrap.inc
Diffstat (limited to 'modules/image')
-rw-r--r-- | modules/image/image.module | 15 | ||||
-rw-r--r-- | modules/image/image.test | 45 |
2 files changed, 54 insertions, 6 deletions
diff --git a/modules/image/image.module b/modules/image/image.module index 78f5effcf..b7d6cdda3 100644 --- a/modules/image/image.module +++ b/modules/image/image.module @@ -796,9 +796,11 @@ function image_style_deliver($style, $scheme) { // derivative token is valid. (Sites which require image derivatives to be // generated without a token can set the 'image_allow_insecure_derivatives' // variable to TRUE to bypass the latter check, but this will increase the - // site's vulnerability to denial-of-service attacks.) + // site's vulnerability to denial-of-service attacks. To prevent this + // variable from leaving the site vulnerable to the most serious attacks, a + // token is always required when a derivative of a derivative is requested.) $valid = !empty($style) && file_stream_wrapper_valid_scheme($scheme); - if (!variable_get('image_allow_insecure_derivatives', FALSE)) { + if (!variable_get('image_allow_insecure_derivatives', FALSE) || strpos(ltrim($target, '\/'), 'styles/') === 0) { $valid = $valid && isset($_GET[IMAGE_DERIVATIVE_TOKEN]) && $_GET[IMAGE_DERIVATIVE_TOKEN] === image_style_path_token($style['name'], $scheme . '://' . $target); } if (!$valid) { @@ -883,6 +885,11 @@ function image_style_deliver($style, $scheme) { * @see image_style_load() */ function image_style_create_derivative($style, $source, $destination) { + // If the source file doesn't exist, return FALSE without creating folders. + if (!$image = image_load($source)) { + return FALSE; + } + // Get the folder for the final location of this style. $directory = drupal_dirname($destination); @@ -892,10 +899,6 @@ function image_style_create_derivative($style, $source, $destination) { return FALSE; } - if (!$image = image_load($source)) { - return FALSE; - } - foreach ($style['effects'] as $effect) { image_effect_apply($image, $effect); } diff --git a/modules/image/image.test b/modules/image/image.test index 3d34fc4f8..917677046 100644 --- a/modules/image/image.test +++ b/modules/image/image.test @@ -271,6 +271,51 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase { $this->drupalGet(str_replace(IMAGE_DERIVATIVE_TOKEN . '=', IMAGE_DERIVATIVE_TOKEN . '=Zo', $generate_url)); $this->assertResponse(200, 'Existing image was accessible at the URL wih an invalid token.'); } + + // Allow insecure image derivatives to be created for the remainder of this + // test. + variable_set('image_allow_insecure_derivatives', TRUE); + + // Create another working copy of the file. + $files = $this->drupalGetTestFiles('image'); + $file = array_shift($files); + $image_info = image_get_info($file->uri); + $original_uri = file_unmanaged_copy($file->uri, $scheme . '://', FILE_EXISTS_RENAME); + // Let the image_module_test module know about this file, so it can claim + // ownership in hook_file_download(). + variable_set('image_module_test_file_download', $original_uri); + + // Get the URL of a file that has not been generated and try to create it. + $generated_uri = image_style_path($this->style_name, $original_uri); + $this->assertFalse(file_exists($generated_uri), 'Generated file does not exist.'); + $generate_url = image_style_url($this->style_name, $original_uri); + + // Check that the image is accessible even without the security token. + $this->drupalGet(str_replace(IMAGE_DERIVATIVE_TOKEN . '=', 'wrongparam=', $generate_url)); + $this->assertResponse(200, 'Image was accessible at the URL with a missing token.'); + + // Check that a security token is still required when generating a second + // image derivative using the first one as a source. + $nested_uri = image_style_path($this->style_name, $generated_uri); + $nested_url = image_style_url($this->style_name, $generated_uri); + $nested_url_with_wrong_token = str_replace(IMAGE_DERIVATIVE_TOKEN . '=', 'wrongparam=', $nested_url); + $this->drupalGet($nested_url_with_wrong_token); + $this->assertResponse(403, 'Image generated from an earlier derivative was inaccessible at the URL with a missing token.'); + // Check that this restriction cannot be bypassed by adding extra slashes + // to the URL. + $this->drupalGet(substr_replace($nested_url_with_wrong_token, '//styles/', strrpos($nested_url_with_wrong_token, '/styles/'), strlen('/styles/'))); + $this->assertResponse(403, 'Image generated from an earlier derivative was inaccessible at the URL with a missing token, even with an extra forward slash in the URL.'); + $this->drupalGet(substr_replace($nested_url_with_wrong_token, '/\styles/', strrpos($nested_url_with_wrong_token, '/styles/'), strlen('/styles/'))); + $this->assertResponse(403, 'Image generated from an earlier derivative was inaccessible at the URL with a missing token, even with an extra backslash in the URL.'); + // Make sure the image can still be generated if a correct token is used. + $this->drupalGet($nested_url); + $this->assertResponse(200, 'Image was accessible when a correct token was provided in the URL.'); + + // Check that requesting a nonexistent image does not create any new + // directories in the file system. + $directory = $scheme . '://styles/' . $this->style_name . '/' . $scheme . '/' . $this->randomName(); + $this->drupalGet(file_create_url($directory . '/' . $this->randomName())); + $this->assertFalse(file_exists($directory), 'New directory was not created in the filesystem when requesting an unauthorized image.'); } } |