authorwebchick <webchick@24967.no-reply.drupal.org>2012-08-22 21:46:57 +0200
committerwebchick <webchick@24967.no-reply.drupal.org>2012-08-22 21:46:57 +0200
commitc7225f0e622ed0c4a87cc981f0647b944aa4c784 (patch)
tree95da8fa6a1d0bc7a348f20b941e61befd5e90de1 /modules/image
parent669b2682f307e2af1c8d33c365e2a0e486e389ee (diff)
Issue #1507988 follow-up by Berdir, chx, webchick, Xenza: Fixed tests for SA-CORE-2012-002.
Diffstat (limited to 'modules/image')
-rw-r--r--modules/image/image.test22
-rw-r--r--modules/image/tests/image_module_test.module1
2 files changed, 17 insertions, 6 deletions
diff --git a/modules/image/image.test b/modules/image/image.test
index e4b6d373a..75e96074c 100644
--- a/modules/image/image.test
+++ b/modules/image/image.test
@@ -183,7 +183,7 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
// Create a working copy of the file.
$files = $this->drupalGetTestFiles('image');
- $file = reset($files);
+ $file = array_shift($files);
$image_info = image_get_info($file->uri);
$original_uri = file_unmanaged_copy($file->uri, $scheme . '://', FILE_EXISTS_RENAME);
// Let the image_module_test module know about this file, so it can claim
@@ -212,18 +212,30 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
$this->assertEqual($this->drupalGetHeader('Expires'), 'Sun, 19 Nov 1978 05:00:00 GMT', t('Expires header was sent.'));
$this->assertEqual($this->drupalGetHeader('Cache-Control'), 'no-cache, must-revalidate, post-check=0, pre-check=0', t('Cache-Control header was set to prevent caching.'));
$this->assertEqual($this->drupalGetHeader('X-Image-Owned-By'), 'image_module_test', t('Expected custom header has been added.'));
- // Verify access is denied to private image styles.
- $this->drupalLogout();
+
+ // Make sure that a second request to the already existing derivate works
+ // too.
$this->drupalGet($generate_url);
+ $this->assertResponse(200, t('Image was generated at the URL.'));
+
+ // Repeat this with a different file that we do not have access to and
+ // make sure that access is denied.
+ $file_noaccess = array_shift($files);
+ $original_uri_noaccess = file_unmanaged_copy($file_noaccess->uri, $scheme . '://', FILE_EXISTS_RENAME);
+ $generated_uri_noaccess = $scheme . '://styles/' . $this->style_name . '/' . $scheme . '/'. drupal_basename($original_uri_noaccess);
+ $this->assertFalse(file_exists($generated_uri_noaccess), t('Generated file does not exist.'));
+ $generate_url_noaccess = image_style_url($this->style_name, $original_uri_noaccess);
+
+ $this->drupalGet($generate_url_noaccess);
$this->assertResponse(403, t('Confirmed that access is denied for the private image style.') );
// Verify that images are not appended to the response. Currently this test only uses PNG images.
if (strpos($generate_url, '.png') === FALSE ) {
- $this->fail( t('Confirming that private image styles are not appended require PNG file.') );
+ $this->fail('Confirming that private image styles are not appended require PNG file.');
}
else {
// Check for PNG-Signature (cf. http://www.libpng.org/pub/png/book/chapter08.html#png.ch08.div.2) in the
// response body.
- $this->assertNoRaw( chr(137) . chr(80) . chr(78) . chr(71) . chr(13) . chr(10) . chr(26) . chr(10), t('No PNG signature found in the response body.') );
+ $this->assertNoRaw( chr(137) . chr(80) . chr(78) . chr(71) . chr(13) . chr(10) . chr(26) . chr(10), 'No PNG signature found in the response body.');
}
}
}
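Review bot: The PNG guard near the end of this hunk still tests `$generate_url`, but the 403 response being inspected now belongs to `$generate_url_noaccess`, so the signature check is tied to the wrong file. If the second entry returned by `drupalGetTestFiles('image')` is not a PNG (not visible here), `assertNoRaw()` on the PNG signature passes even when image bytes are leaked in the denied response. The guard should read `if (strpos($generate_url_noaccess, '.png') === FALSE) {`, with `$file_noaccess` selected so that it is a PNG. `$file_noaccess` is also dereferenced without checking that `array_shift()` actually returned a file. The enclosing test method starts outside the hunk.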
diff --git a/modules/image/tests/image_module_test.module b/modules/image/tests/image_module_test.module
index 766a9d957..0d398ab30 100644
--- a/modules/image/tests/image_module_test.module
+++ b/modules/image/tests/image_module_test.module
@@ -9,7 +9,6 @@ function image_module_test_file_download($uri) {
if (variable_get('image_module_test_file_download', FALSE) == $uri) {
return array('X-Image-Owned-By' => 'image_module_test');
}
- return -1;
}
/**
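Review bot: With `return -1;` removed, `image_module_test_file_download()` falls off the end and returns NULL for every URI it does not own, and nothing in the function says this is intended. In hook_file_download() the two values mean different things: -1 is an explicit denial and NULL means the module has no opinion, so the 403 asserted in image.test presumably now comes from the caller treating an empty header set as a denial. I would add a comment before the closing brace such as `// No opinion on other files; access is refused only when no module returns headers.` and keep a separate case that covers an explicit -1, so both deny paths stay tested. Only the tail of the function is visible in this hunk.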