diff --git a/includes/file.inc b/includes/file.inc
index f7d3f34..c5e5cf0 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -1967,7 +1967,9 @@ function file_download() {
 $function = $module . '_file_download';
 $result = $function($uri);
 if ($result == -1) {
- return drupal_access_denied();
+ // Throw away the headers received so far.
+ $headers = array();
+ break;
 }
 if (isset($result) && is_array($result)) {
 $headers = array_merge($headers, $result);
@@ -1976,9 +1978,12 @@ function file_download() {
 if (count($headers)) {
 file_transfer($uri, $headers);
 }
- return drupal_access_denied();
+ drupal_access_denied();
 }
- return drupal_not_found();
+ else {
+ drupal_not_found();
+ }
+ drupal_exit();
 }
diff --git a/modules/image/image.test b/modules/image/image.test
index de3c1b2..84de632 100644
--- a/modules/image/image.test
+++ b/modules/image/image.test
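Review bot: In the `$result == -1` branch the denial is now expressed only by emptying `$headers` and leaving the loop, so the access decision rests on the later `count($headers)` test in the next hunk rather than on anything stated here. The added comment says what happens but not why; I would word it as `// One module denying access is final: discard headers granted by earlier modules and stop consulting the rest.` so that nobody later swaps the `break` for a `continue` and lets a following module re-grant access. The loop that the `break` exits starts outside this hunk.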
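Review bot: `drupal_access_denied()` now follows `file_transfer($uri, $headers)` with neither a `return` nor an `else`, so the 403 page stays out of a served file only as long as `file_transfer()` never returns, and that function is not visible in this hunk. Making the branch explicit with `else { drupal_access_denied(); }` removes that dependency. Because the function now ends the request itself, a comment above `drupal_exit();` would record the contract, for example `// Never return to the caller: a caller that carries on after a denial may still send the file.`. The test added in this commit suggests that is the failure being fixed. The docblock of `file_download()` lies outside the hunk and should say the same.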
@@ -210,6 +210,19 @@ class ImageStylesPathAndUrlTestCase extends DrupalWebTestCase {
 $this->assertEqual($this->drupalGetHeader('Content-Length'), $generated_image_info['file_size'], t('Expected Content-Length was reported.'));
 if ($scheme == 'private') {
 $this->assertEqual($this->drupalGetHeader('X-Image-Owned-By'), 'image_module_test', t('Expected custom header has been added.'));
+ // Verify access is denied to private image styles.
+ $this->drupalLogout();
+ $this->drupalGet($generate_url);
+ $this->assertResponse(403, t('Confirmed that access is denied for the private image style.') );
+ // Verify that images are not appended to the response. Currently this test only uses PNG images.
+ if (strpos($generate_url, '.png') === FALSE ) {
+ $this->fail( t('Confirming that private image styles are not appended require PNG file.') );
+ }
+ else {
+ // Check for PNG-Signature (cf. http://www.libpng.org/pub/png/book/chapter08.html#png.ch08.div.2) in the
+ // response body.
+ $this->assertNoRaw( chr(137) . chr(80) . chr(78) . chr(71) . chr(13) . chr(10) . chr(26) . chr(10), t('No PNG signature found in the response body.') );
+ }
 }
 }
 }
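Review bot: The leak check after the 403 assertion only recognises PNG output, so a derivative in any other format appended to a denied response would go unnoticed. `strpos($generate_url, '.png')` also matches the substring anywhere in the URL, and for a non-PNG fixture the test simply fails instead of checking the body. A format-independent assertion would be sturdier, for instance asserting that the response body does not contain the bytes of the generated derivative file. The failure message would read better as `t('The appended-image check requires a PNG test file.')`, and the spacing in `$this->fail( t(` and `t('...') )` departs from the neighbouring `assertEqual` calls.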