diff --git a/core/modules/image/image.admin.inc b/core/modules/image/image.admin.inc
index 17c8eac..67cf89c 100644
--- a/core/modules/image/image.admin.inc
+++ b/core/modules/image/image.admin.inc
@@ -312,11 +312,10 @@
 $form['data']['#tree'] = TRUE;
 
 // Check the URL for a weight, then the image effect, otherwise use default.
- $default_weight = isset($effect['weight']) ? $effect['weight'] : count($style->effects);
- $weight = Drupal::request()->query->get('weight', $default_weight);
+ $weight = Drupal::request()->query->get('weight');
 $form['weight'] = array(
 '#type' => 'hidden',
- '#value' => intval($weight),
+ '#value' => isset($weight) ? intval($weight) : (isset($effect['weight']) ? $effect['weight'] : count($style->effects)),
 );
 
 $form['actions'] = array('#type' => 'actions');
diff --git a/core/modules/image/image.module b/core/modules/image/image.module
index b46c62e..6e1691d 100644
--- a/core/modules/image/image.module
+++ b/core/modules/image/image.module
@@ -537,8 +537,8 @@
 // denial-of-service attacks.)
 $valid = !empty($style) && file_stream_wrapper_valid_scheme($scheme);
 if (!config('image.settings')->get('allow_insecure_derivatives')) {
- $token = Drupal::request()->query->get(IMAGE_DERIVATIVE_TOKEN);
- $valid = $valid && $token === image_style_path_token($style->name, $scheme . '://' . $target);
+ $image_derivative_token = Drupal::request()->query->get(IMAGE_DERIVATIVE_TOKEN);
+ $valid = $valid && isset($image_derivative_token) && $image_derivative_token === image_style_path_token($style->name, $scheme . '://' . $target);
 }
 if (!$valid) {
 throw new AccessDeniedHttpException();
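Review bot: In image.admin.inc the fallback values no longer pass through `intval()`: the old code cast whatever ended up in `$weight`, but the new `'#value'` expression casts only the query-string value and returns `$effect['weight']` as stored. Wrapping the whole expression keeps the hidden field an integer on every path, `'#value' => intval(isset($weight) ? $weight : (isset($effect['weight']) ? $effect['weight'] : count($style->effects))),`. The nested ternary is also long for one line; a short `if`/`elseif` that assigns `$weight` before the array would read more easily under the existing comment. The enclosing function starts and ends outside the hunk.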
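Review bot: In image.module the derivative token from the query string is still compared with `===`, which is not a constant-time comparison; because this token gates derivative generation when `allow_insecure_derivatives` is off, a timing-safe compare is the safer habit. If the supported PHP version provides `hash_equals()`, the line could read `$valid = $valid && is_string($image_derivative_token) && hash_equals(image_style_path_token($style->name, $scheme . '://' . $target), $image_derivative_token);`, where `is_string()` also rejects an array-valued query parameter before the comparison. The added `isset()` appears only to skip computing the expected token when the parameter is missing, since `===` already rejects NULL; a one-line comment saying so would help. The enclosing function starts and ends outside the hunk.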