diff --git a/.gitignore b/.gitignore
index baff153..371615d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ sites/*/settings*.php
 # Ignore paths that contain user-generated content.
 sites/*/files
 sites/*/private
+/nbproject/private/
\ No newline at end of file
diff --git a/modules/image/image.module b/modules/image/image.module
index 78f5eff..9868e95 100644
--- a/modules/image/image.module
+++ b/modules/image/image.module
@@ -798,16 +798,16 @@ function image_style_deliver($style, $scheme) {
 // variable to TRUE to bypass the latter check, but this will increase the
 // site's vulnerability to denial-of-service attacks.)
 $valid = !empty($style) && file_stream_wrapper_valid_scheme($scheme);
- if (!variable_get('image_allow_insecure_derivatives', FALSE)) {
- $valid = $valid && isset($_GET[IMAGE_DERIVATIVE_TOKEN]) && $_GET[IMAGE_DERIVATIVE_TOKEN] === image_style_path_token($style['name'], $scheme . '://' . $target);
- }
- if (!$valid) {
- return MENU_ACCESS_DENIED;
- }
 $image_uri = $scheme . '://' . $target;
 $derivative_uri = image_style_path($style['name'], $image_uri);
+ // Don't allow nested image styles.
+ $testdirectory = image_style_path($style['name'], '');
+ if (strpos($image_uri, $testdirectory) === 0) {
+ return MENU_ACCESS_DENIED;
+ }
+
 // If using the private scheme, let other modules provide headers and
 // control access to the file.
 if ($scheme == 'private') {