diff options
author | webchick <webchick@24967.no-reply.drupal.org> | 2012-08-22 21:46:57 +0200 |
---|---|---|
committer | webchick <webchick@24967.no-reply.drupal.org> | 2012-08-22 21:46:57 +0200 |
commit | c7225f0e622ed0c4a87cc981f0647b944aa4c784 (patch) | |
tree | 95da8fa6a1d0bc7a348f20b941e61befd5e90de1 /modules/image | |
parent | 669b2682f307e2af1c8d33c365e2a0e486e389ee (diff) | |
download | brdo-c7225f0e622ed0c4a87cc981f0647b944aa4c784.tar.gz brdo-c7225f0e622ed0c4a87cc981f0647b944aa4c784.tar.bz2 |
Issue #1507988 follow-up by Berdir, chx, webchick, Xenza: Fixed tests for SA-CORE-2012-002.
Diffstat (limited to 'modules/image')
-rw-r--r-- | modules/image/image.test | 22 | ||||
-rw-r--r-- | modules/image/tests/image_module_test.module | 1 |
2 files changed, 17 insertions, 6 deletions
diff --git a/modules/image/image.test b/modules/image/image.test index e4b6d373a..75e96074c 100644 --- a/modules/image/image.test +++ b/modules/image/image.test @@ -183,7 +183,7 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase { // Create a working copy of the file. $files = $this->drupalGetTestFiles('image'); - $file = reset($files); + $file = array_shift($files); $image_info = image_get_info($file->uri); $original_uri = file_unmanaged_copy($file->uri, $scheme . '://', FILE_EXISTS_RENAME); // Let the image_module_test module know about this file, so it can claim @@ -212,18 +212,30 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase { $this->assertEqual($this->drupalGetHeader('Expires'), 'Sun, 19 Nov 1978 05:00:00 GMT', t('Expires header was sent.')); $this->assertEqual($this->drupalGetHeader('Cache-Control'), 'no-cache, must-revalidate, post-check=0, pre-check=0', t('Cache-Control header was set to prevent caching.')); $this->assertEqual($this->drupalGetHeader('X-Image-Owned-By'), 'image_module_test', t('Expected custom header has been added.')); - // Verify access is denied to private image styles. - $this->drupalLogout(); + + // Make sure that a second request to the already existing derivate works + // too. $this->drupalGet($generate_url); + $this->assertResponse(200, t('Image was generated at the URL.')); + + // Repeat this with a different file that we do not have access to and + // make sure that access is denied. + $file_noaccess = array_shift($files); + $original_uri_noaccess = file_unmanaged_copy($file_noaccess->uri, $scheme . '://', FILE_EXISTS_RENAME); + $generated_uri_noaccess = $scheme . '://styles/' . $this->style_name . '/' . $scheme . '/'. drupal_basename($original_uri_noaccess); + $this->assertFalse(file_exists($generated_uri_noaccess), t('Generated file does not exist.')); + $generate_url_noaccess = image_style_url($this->style_name, $original_uri_noaccess); + + $this->drupalGet($generate_url_noaccess); $this->assertResponse(403, t('Confirmed that access is denied for the private image style.') ); // Verify that images are not appended to the response. Currently this test only uses PNG images. if (strpos($generate_url, '.png') === FALSE ) { - $this->fail( t('Confirming that private image styles are not appended require PNG file.') ); + $this->fail('Confirming that private image styles are not appended require PNG file.'); } else { // Check for PNG-Signature (cf. http://www.libpng.org/pub/png/book/chapter08.html#png.ch08.div.2) in the // response body. - $this->assertNoRaw( chr(137) . chr(80) . chr(78) . chr(71) . chr(13) . chr(10) . chr(26) . chr(10), t('No PNG signature found in the response body.') ); + $this->assertNoRaw( chr(137) . chr(80) . chr(78) . chr(71) . chr(13) . chr(10) . chr(26) . chr(10), 'No PNG signature found in the response body.'); } } } diff --git a/modules/image/tests/image_module_test.module b/modules/image/tests/image_module_test.module index 766a9d957..0d398ab30 100644 --- a/modules/image/tests/image_module_test.module +++ b/modules/image/tests/image_module_test.module @@ -9,7 +9,6 @@ function image_module_test_file_download($uri) { if (variable_get('image_module_test_file_download', FALSE) == $uri) { return array('X-Image-Owned-By' => 'image_module_test'); } - return -1; } /** |