diff options
author | webchick <webchick@24967.no-reply.drupal.org> | 2012-05-02 15:04:41 -0700 |
---|---|---|
committer | webchick <webchick@24967.no-reply.drupal.org> | 2012-05-02 15:04:41 -0700 |
commit | cdb0df93be92c8cb68e1a5d3badbdc4e1be148da (patch) | |
tree | 4639d784e81cb085c8e107b1377c9674e296e125 /modules/image | |
parent | ef788926008f96942eaeac0faa4d7b4776b0f25a (diff) | |
parent | 9879d29f731570a34b24c4eae4cc8cb30c7a5082 (diff) | |
download | brdo-cdb0df93be92c8cb68e1a5d3badbdc4e1be148da.tar.gz brdo-cdb0df93be92c8cb68e1a5d3badbdc4e1be148da.tar.bz2 |
Merge branch '7.12-security' into 7.x
Diffstat (limited to 'modules/image')
-rw-r--r-- | modules/image/image.module | 9 | ||||
-rw-r--r-- | modules/image/image.test | 15 |
2 files changed, 18 insertions, 6 deletions
diff --git a/modules/image/image.module b/modules/image/image.module index dda4d9df9..a9c4d027c 100644 --- a/modules/image/image.module +++ b/modules/image/image.module @@ -297,12 +297,9 @@ function image_file_download($uri) { // Send headers describing the image's size, and MIME-type... 'Content-Type' => $info['mime_type'], 'Content-Length' => $info['file_size'], - // ...and allow the file to be cached for two weeks (matching the - // value we/ use for the mod_expires settings in .htaccess) and - // ensure that caching proxies do not share the image with other - // users. - 'Expires' => gmdate(DATE_RFC1123, REQUEST_TIME + 1209600), - 'Cache-Control' => 'max-age=1209600, private, must-revalidate', + // By not explicitly setting them here, this uses normal Drupal + // Expires, Cache-Control and ETag headers to prevent proxy or + // browser caching of private images. ); } } diff --git a/modules/image/image.test b/modules/image/image.test index de3c1b2e1..e4b6d373a 100644 --- a/modules/image/image.test +++ b/modules/image/image.test @@ -209,7 +209,22 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase { $this->assertEqual($this->drupalGetHeader('Content-Type'), $generated_image_info['mime_type'], t('Expected Content-Type was reported.')); $this->assertEqual($this->drupalGetHeader('Content-Length'), $generated_image_info['file_size'], t('Expected Content-Length was reported.')); if ($scheme == 'private') { + $this->assertEqual($this->drupalGetHeader('Expires'), 'Sun, 19 Nov 1978 05:00:00 GMT', t('Expires header was sent.')); + $this->assertEqual($this->drupalGetHeader('Cache-Control'), 'no-cache, must-revalidate, post-check=0, pre-check=0', t('Cache-Control header was set to prevent caching.')); $this->assertEqual($this->drupalGetHeader('X-Image-Owned-By'), 'image_module_test', t('Expected custom header has been added.')); + // Verify access is denied to private image styles. + $this->drupalLogout(); + $this->drupalGet($generate_url); + $this->assertResponse(403, t('Confirmed that access is denied for the private image style.') ); + // Verify that images are not appended to the response. Currently this test only uses PNG images. + if (strpos($generate_url, '.png') === FALSE ) { + $this->fail( t('Confirming that private image styles are not appended require PNG file.') ); + } + else { + // Check for PNG-Signature (cf. http://www.libpng.org/pub/png/book/chapter08.html#png.ch08.div.2) in the + // response body. + $this->assertNoRaw( chr(137) . chr(80) . chr(78) . chr(71) . chr(13) . chr(10) . chr(26) . chr(10), t('No PNG signature found in the response body.') ); + } } } } |