author | David Rothstein <drothstein@gmail.com> | 2015-03-30 18:20:30 -0400 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2015-03-30 18:20:30 -0400 |
commit | eaa79a12af2f739213e05c95edd4a0686bdc391b (patch) | |
tree | bb0c5732b5d8ebc746fe5ba70606111b815a33e8 /modules/image | |
parent | bcb8761d36eb0297d8675f6af17957f9accc5b7b (diff) | |
Issue #1934498 by attiks, David_Rothstein, KhaledBlah, tstoeckler, julien_acti, helmo, effulgentsia, Jelle_S, jcisio: Allow the image style 'itok' token to be suppressed in image derivative URLs
Diffstat (limited to 'modules/image')
-rw-r--r-- | modules/image/image.module | 18 | ||||
-rw-r--r-- | modules/image/image.test | 9 |
2 files changed, 24 insertions, 3 deletions
diff --git a/modules/image/image.module b/modules/image/image.module
index a2a0f416a..fac8de955 100644
--- a/modules/image/image.module
+++ b/modules/image/image.module
@@ -1027,7 +1027,15 @@ function image_style_url($style_name, $path) {
 // The token query is added even if the 'image_allow_insecure_derivatives'
 // variable is TRUE, so that the emitted links remain valid if it is changed
 // back to the default FALSE.
- $token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, $original_uri));
+ // However, sites which need to prevent the token query from being emitted at
+ // all can additionally set the 'image_suppress_itok_output' variable to TRUE
+ // to achieve that (if both are set, the security token will neither be
+ // emitted in the image derivative URL nor checked for in
+ // image_style_deliver()).
+ $token_query = array();
+ if (!variable_get('image_suppress_itok_output', FALSE)) {
+ $token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, $original_uri));
+ }
 
 // If not using clean URLs, the image derivative callback is only available
 // with the query string. If the file does not exist, use url() to ensure
@@ -1039,8 +1047,12 @@ function image_style_url($style_name, $path) {
 }
 
 $file_url = file_create_url($uri);
- // Append the query string with the token.
- return $file_url . (strpos($file_url, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($token_query);
+ // Append the query string with the token, if necessary.
+ if ($token_query) {
+ $file_url .= (strpos($file_url, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($token_query);
+ }
+
+ return $file_url;
 }
 
 /**
diff --git a/modules/image/image.test b/modules/image/image.test
index 2387314c5..359197948 100644
--- a/modules/image/image.test
+++ b/modules/image/image.test
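Review bot: The new `if (!variable_get('image_suppress_itok_output', FALSE))` branch in the first hunk drops the token from the emitted URL regardless of whether 'image_allow_insecure_derivatives' is also TRUE, so a site that sets only the suppression variable will, going by the added comment, produce derivative URLs that image_style_deliver() still refuses; the comment describes the two-variable coupling but the code does not enforce it. If the suppression flag is only meaningful alongside the insecure-derivatives flag, a safer condition keeps the token unless both are set: `if (!variable_get('image_suppress_itok_output', FALSE) || !variable_get('image_allow_insecure_derivatives', FALSE)) {`; otherwise the comment should say plainly that enabling only 'image_suppress_itok_output' makes every derivative URL fail the token check. In the second hunk, `if ($token_query)` depends on the empty array being falsy, which is correct PHP but reads better with a short note such as `// Empty when the token was suppressed above.`. image_style_url() begins before the first hunk, and the code between the two hunks is not in view.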
@@ -330,6 +330,15 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
 $this->drupalGet($nested_url);
 $this->assertResponse(200, 'Image was accessible when a correct token was provided in the URL.');
 
+ // Suppress the security token in the URL, then get the URL of a file. Check
+ // that the security token is not present in the URL but that the image is
+ // still accessible.
+ variable_set('image_suppress_itok_output', TRUE);
+ $generate_url = image_style_url($this->style_name, $original_uri);
+ $this->assertIdentical(strpos($generate_url, IMAGE_DERIVATIVE_TOKEN . '='), FALSE, 'The security token does not appear in the image style URL.');
+ $this->drupalGet($generate_url);
+ $this->assertResponse(200, 'Image was accessible at the URL with a missing token.');
+
 // Check that requesting a nonexistent image does not create any new
 // directories in the file system.
 $directory = $scheme . '://styles/' . $this->style_name . '/' . $scheme . '/' . $this->randomName(); |
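Review bot: The added assertions only cover the case where a token-less URL is accepted; nothing checks that suppressing the token in the output does not also disable its enforcement when 'image_allow_insecure_derivatives' is at its default FALSE, so a regression that quietly stops checking the token whenever output is suppressed would pass this test. After the new `assertResponse(200, ...)` line, a negative case would pin that down: `variable_set('image_allow_insecure_derivatives', FALSE);` / `$this->drupalGet($generate_url);` / `$this->assertResponse(403, 'Image was inaccessible at the URL with a missing token.');`, assuming 403 is the status the derivative callback returns for a rejected request, as the earlier tokenless-URL assertions in this test presumably expect. The 200 asserted here presumably relies on 'image_allow_insecure_derivatives' having been set TRUE earlier in the method, which starts and ends outside the hunk, and 'image_suppress_itok_output' is never reset afterwards, which the remaining assertions in the method may not anticipate.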