Diffstat (limited to 'modules/image/image.module')
-rw-r--r--modules/image/image.module15
1 files changed, 9 insertions, 6 deletions
diff --git a/modules/image/image.module b/modules/image/image.module
index d7178ad7d..a9cc1a545 100644
--- a/modules/image/image.module
+++ b/modules/image/image.module
@@ -780,9 +780,11 @@ function image_style_deliver($style, $scheme) {
// derivative token is valid. (Sites which require image derivatives to be
// generated without a token can set the 'image_allow_insecure_derivatives'
// variable to TRUE to bypass the latter check, but this will increase the
- // site's vulnerability to denial-of-service attacks.)
+ // site's vulnerability to denial-of-service attacks. To prevent this
+ // variable from leaving the site vulnerable to the most serious attacks, a
+ // token is always required when a derivative of a derivative is requested.)
$valid = !empty($style) && file_stream_wrapper_valid_scheme($scheme);
- if (!variable_get('image_allow_insecure_derivatives', FALSE)) {
+ if (!variable_get('image_allow_insecure_derivatives', FALSE) || strpos(ltrim($target, '\/'), 'styles/') === 0) {
$valid = $valid && isset($_GET[IMAGE_DERIVATIVE_TOKEN]) && $_GET[IMAGE_DERIVATIVE_TOKEN] === image_style_path_token($style['name'], $scheme . '://' . $target);
}
if (!$valid) {
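Review bot: The new derivative-of-derivative test on the `if` line is a case-sensitive prefix match on the raw request path, so whether a request is forced through the token check depends on the exact spelling of `$target` rather than on what the stream wrapper will eventually resolve; on a case-insensitive file system the comparison and the file system can disagree. Consider comparing a normalized form, e.g. `strncasecmp(ltrim($target, '\/'), 'styles/', 7) === 0`, or reusing whatever path normalization the file API applies before the derivative is generated, and add a comment such as `// Derivatives of derivatives always require a token, regardless of image_allow_insecure_derivatives.` so the intent of the extra clause is visible next to the code. `$target` is not a parameter of image_style_deliver($style, $scheme), so its construction is outside this hunk and the note assumes it comes from the request path.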
@@ -867,6 +869,11 @@ function image_style_deliver($style, $scheme) {
* @see image_style_load()
*/
function image_style_create_derivative($style, $source, $destination) {
+ // If the source file doesn't exist, return FALSE without creating folders.
+ if (!$image = image_load($source)) {
+ return FALSE;
+ }
+
// Get the folder for the final location of this style.
$directory = drupal_dirname($destination);
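Review bot: The added comment says "If the source file doesn't exist", but image_load() is the only thing consulted, and it presumably also returns FALSE when the file exists and cannot be loaded as an image (toolkit failure, unsupported format), so the comment is narrower than the behavior it describes; suggest `// Load the source first so no directories are created when it is missing or cannot be read as an image.`. The assignment inside the condition, `if (!$image = image_load($source))`, is carried over from the removed block; splitting it into `$image = image_load($source); if (!$image) { return FALSE; }` reads more clearly. The docblock with the @return description is above this hunk, so it should be checked to say that FALSE is also returned before any directory is created.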
@@ -876,10 +883,6 @@ function image_style_create_derivative($style, $source, $destination) {
return FALSE;
}
- if (!$image = image_load($source)) {
- return FALSE;
- }
-
foreach ($style['effects'] as $effect) {
image_effect_apply($image, $effect);
}