diff --git a/core/includes/file.inc b/core/includes/file.inc index 133d64f..6fad13a 100644 --- a/core/includes/file.inc +++ b/core/includes/file.inc @@ -1966,7 +1966,9 @@ function file_download() { $function = $module . '_file_download'; $result = $function($uri); if ($result == -1) { - throw new AccessDeniedHttpException(); + // Throw away the headers received so far. + $headers = array(); + break; } if (isset($result) && is_array($result)) { $headers = array_merge($headers, $result); @@ -1975,7 +1977,10 @@ function file_download() { if (count($headers)) { return file_transfer($uri, $headers); } - throw new AccessDeniedHttpException(); + else { + throw new AccessDeniedHttpException(); + } + drupal_exit(); } throw new NotFoundHttpException(); } diff --git a/core/modules/image/image.module b/core/modules/image/image.module index fef8c93..88facbf 100644 --- a/core/modules/image/image.module +++ b/core/modules/image/image.module @@ -286,12 +286,9 @@ function image_file_download($uri) { // Send headers describing the image's size, and MIME-type... 'Content-Type' => $info['mime_type'], 'Content-Length' => $info['file_size'], - // ...and allow the file to be cached for two weeks (matching the - // value we/ use for the mod_expires settings in .htaccess) and - // ensure that caching proxies do not share the image with other - // users. - 'Expires' => gmdate(DATE_RFC1123, REQUEST_TIME + 1209600), - 'Cache-Control' => 'max-age=1209600, private, must-revalidate', + // By not explicitly setting them here, this uses normal Drupal + // Expires, Cache-Control and ETag headers to prevent proxy or + // browser caching of private images. ); } } diff --git a/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php b/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php index 574cc1b..263c471 100644 --- a/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php +++ b/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php @@ -126,7 +126,20 @@ class ImageStylesPathAndUrlTest extends WebTestBase { $this->assertEqual($this->drupalGetHeader('Content-Type'), $generated_image_info['mime_type'], t('Expected Content-Type was reported.')); $this->assertEqual($this->drupalGetHeader('Content-Length'), $generated_image_info['file_size'], t('Expected Content-Length was reported.')); if ($scheme == 'private') { + $this->assertEqual($this->drupalGetHeader('Expires'), 'Sun, 19 Nov 1978 05:00:00 GMT', t('Expires header was sent.')); + $this->assertEqual($this->drupalGetHeader('Cache-Control'), 'no-cache, private', t('Cache-Control header was set to prevent caching.')); $this->assertEqual($this->drupalGetHeader('X-Image-Owned-By'), 'image_module_test', t('Expected custom header has been added.')); + $this->drupalGet($generate_url); + $this->assertResponse(403, t('Confirmed that access is denied for the private image style.') ); + // Verify that images are not appended to the response. Currently this test only uses PNG images. + if (strpos($generate_url, '.png') === FALSE ) { + $this->fail('Confirming that private image styles are not appended require PNG file.'); + } + else { + // Check for PNG-Signature (cf. http://www.libpng.org/pub/png/book/chapter08.html#png.ch08.div.2) in the + // response body. + $this->assertNoRaw( chr(137) . chr(80) . chr(78) . chr(71) . chr(13) . chr(10) . chr(26) . chr(10), 'No PNG signature found in the response body.'); + } } $GLOBALS['script_path'] = $script_path_original;