diff --git a/core/includes/file.inc b/core/includes/file.inc
index b476bc7..47b028e 100644
--- a/core/includes/file.inc
+++ b/core/includes/file.inc
@@ -2046,7 +2046,9 @@ function file_download() {
       $function = $module . '_file_download';
       $result = $function($uri);
       if ($result == -1) {
-        return drupal_access_denied();
+        // Throw away the headers received so far.
+        $headers = array();
+        break;
       }
       if (isset($result) && is_array($result)) {
         $headers = array_merge($headers, $result);
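Review bot: The new comment in the `$result == -1` branch says what is discarded but not why, and the access decision depends on it: one denying module has to override headers already collected from modules that granted access. I would word it as `// A denial from any module vetoes access; discard headers collected so far so the count($headers) check below falls through to the 403.` The `break` is only correct if this branch sits directly inside the loop over implementing modules, which starts outside the hunk.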
@@ -2055,9 +2057,12 @@ function file_download() {
     if (count($headers)) {
       file_transfer($uri, $headers);
     }
-    return drupal_access_denied();
+    drupal_access_denied();
   }
-  return drupal_not_found();
+  else {
+    drupal_not_found();
+  }
+  drupal_exit();
 }
 
 
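Review bot: The bare `drupal_access_denied();` after the `if (count($headers))` block is only correct if `file_transfer()` never returns, and its body is not visible here. If it did return, the 403 page would be rendered after the file had already been sent. Either add `// file_transfer() ends the request; reaching this line means no module granted access.` above the call, or move the call into an `else` branch so the two outcomes are visibly exclusive. Callers of file_download() are also worth checking, because the function no longer returns a value where it previously returned the result of `drupal_access_denied()` or `drupal_not_found()`.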
diff --git a/core/modules/image/image.module b/core/modules/image/image.module
index 8fd8cee..d19b01e 100644
--- a/core/modules/image/image.module
+++ b/core/modules/image/image.module
@@ -281,12 +281,9 @@ function image_file_download($uri) {
           // Send headers describing the image's size, and MIME-type...
           'Content-Type' => $info['mime_type'],
           'Content-Length' => $info['file_size'],
-          // ...and allow the file to be cached for two weeks (matching the
-          // value we/ use for the mod_expires settings in .htaccess) and
-          // ensure that caching proxies do not share the image with other
-          // users.
-          'Expires' => gmdate(DATE_RFC1123, REQUEST_TIME + 1209600),
-          'Cache-Control' => 'max-age=1209600, private, must-revalidate',
+          // By not explicitly setting them here, this uses normal Drupal
+          // Expires, Cache-Control and ETag headers to prevent proxy or
+          // browser caching of private images.
         );
       }
     }
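Review bot: The replacement comment describes protection by omission: the array no longer sets `Expires` or `Cache-Control`, and the non-cacheable values are expected to come from defaults set elsewhere. Because file_download() combines every module's result with `array_merge($headers, $result)`, a header array from another module could still carry caching headers for the same private image, and the comment should say that this module deliberately contributes none. It also names ETag, which the accompanying test in image.test does not assert. Suggested wording: `// Deliberately no Expires/Cache-Control here: private images must fall back to Drupal's default non-cacheable headers.` The array belongs to image_file_download(), whose body starts outside the hunk.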
diff --git a/core/modules/image/image.test b/core/modules/image/image.test
index ff783be..aa8b9ce 100644
--- a/core/modules/image/image.test
+++ b/core/modules/image/image.test
@@ -224,7 +224,22 @@ class ImageStylesPathAndUrlUnitTest extends DrupalWebTestCase {
     $this->assertEqual($this->drupalGetHeader('Content-Type'), $generated_image_info['mime_type'], t('Expected Content-Type was reported.'));
     $this->assertEqual($this->drupalGetHeader('Content-Length'), $generated_image_info['file_size'], t('Expected Content-Length was reported.'));
     if ($scheme == 'private') {
+      $this->assertEqual($this->drupalGetHeader('Expires'), 'Sun, 19 Nov 1978 05:00:00 GMT', t('Expires header was sent.'));
+      $this->assertEqual($this->drupalGetHeader('Cache-Control'), 'no-cache, must-revalidate, post-check=0, pre-check=0', t('Cache-Control header was set to prevent caching.'));
       $this->assertEqual($this->drupalGetHeader('X-Image-Owned-By'), 'image_module_test', t('Expected custom header has been added.'));
+      // Verify access is denied to private image styles.
+      $this->drupalLogout();
+      $this->drupalGet($generate_url);
+      $this->assertResponse(403, t('Confirmed that access is denied for the private image style.') );
+      // Verify that images are not appended to the response. Currently this test only uses PNG images.
+      if (strpos($generate_url, '.png') === FALSE ) {
+        $this->fail( t('Confirming that private image styles are not appended require PNG file.') );
+      }
+      else {
+        // Check for PNG-Signature (cf. http://www.libpng.org/pub/png/book/chapter08.html#png.ch08.div.2) in the
+        // response body.
+        $this->assertNoRaw( chr(137) . chr(80) . chr(78) . chr(71) . chr(13) . chr(10) . chr(26) . chr(10), t('No PNG signature found in the response body.') );
+      }
     }
 
     $GLOBALS['script_path'] = $script_path_original;
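Review bot: The leak check after the 403 assertion is tied to one file format. `strpos($generate_url, '.png') === FALSE` matches `.png` anywhere in the URL, not just the extension, and with any other image type the test fails for a reason unrelated to access control. Asserting that the denied response body does not contain the bytes of the generated derivative would cover every format and drop the `fail()` branch. The `drupalLogout()` call also leaves the session anonymous for whatever the test method does after this block, which continues outside the hunk, so it is worth confirming nothing later expects the logged-in user. Minor style: the spaces inside `FALSE )`, `fail( t(` and `assertNoRaw( chr(` do not match the surrounding calls.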
