3 namespace Drupal\image\Tests;
5 use Drupal\image\Entity\ImageStyle;
6 use Drupal\simpletest\WebTestBase;
9 * Tests the functions for generating paths and URLs for image styles.
13 class ImageStylesPathAndUrlTest extends WebTestBase {
20 public static $modules = ['image', 'image_module_test'];
23 * @var \Drupal\image\ImageStyleInterface
27 protected function setUp() {
30 $this->style = ImageStyle::create(['name' => 'style_foo', 'label' => $this->randomString()]);
35 * Tests \Drupal\image\ImageStyleInterface::buildUri().
37 public function testImageStylePath() {
39 $actual = $this->style->buildUri("$scheme://foo/bar.gif");
40 $expected = "$scheme://styles/" . $this->style->id() . "/$scheme/foo/bar.gif";
41 $this->assertEqual($actual, $expected, 'Got the path for a file URI.');
43 $actual = $this->style->buildUri('foo/bar.gif');
44 $expected = "$scheme://styles/" . $this->style->id() . "/$scheme/foo/bar.gif";
45 $this->assertEqual($actual, $expected, 'Got the path for a relative file path.');
49 * Tests an image style URL using the "public://" scheme.
51 public function testImageStyleUrlAndPathPublic() {
52 $this->doImageStyleUrlAndPathTests('public');
56 * Tests an image style URL using the "private://" scheme.
58 public function testImageStyleUrlAndPathPrivate() {
59 $this->doImageStyleUrlAndPathTests('private');
63 * Tests an image style URL with the "public://" scheme and unclean URLs.
65 public function testImageStyleUrlAndPathPublicUnclean() {
66 $this->doImageStyleUrlAndPathTests('public', FALSE);
70 * Tests an image style URL with the "private://" schema and unclean URLs.
72 public function testImageStyleUrlAndPathPrivateUnclean() {
73 $this->doImageStyleUrlAndPathTests('private', FALSE);
77 * Tests an image style URL with a file URL that has an extra slash in it.
79 public function testImageStyleUrlExtraSlash() {
80 $this->doImageStyleUrlAndPathTests('public', TRUE, TRUE);
84 * Tests that an invalid source image returns a 404.
86 public function testImageStyleUrlForMissingSourceImage() {
87 $non_existent_uri = 'public://foo.png';
88 $generated_url = $this->style->buildUrl($non_existent_uri);
89 $this->drupalGet($generated_url);
90 $this->assertResponse(404, 'Accessing an image style URL with a source image that does not exist provides a 404 error response.');
94 * Tests building an image style URL.
96 public function doImageStyleUrlAndPathTests($scheme, $clean_url = TRUE, $extra_slash = FALSE) {
97 $this->prepareRequestForGenerator($clean_url);
99 // Make the default scheme neither "public" nor "private" to verify the
100 // functions work for other than the default scheme.
101 $this->config('system.file')->set('default_scheme', 'temporary')->save();
103 // Create the directories for the styles.
104 $directory = $scheme . '://styles/' . $this->style->id();
105 $status = file_prepare_directory($directory, FILE_CREATE_DIRECTORY);
106 $this->assertNotIdentical(FALSE, $status, 'Created the directory for the generated images for the test style.');
108 // Create a working copy of the file.
109 $files = $this->drupalGetTestFiles('image');
110 $file = array_shift($files);
111 $original_uri = file_unmanaged_copy($file->uri, $scheme . '://', FILE_EXISTS_RENAME);
112 // Let the image_module_test module know about this file, so it can claim
113 // ownership in hook_file_download().
114 \Drupal::state()->set('image.test_file_download', $original_uri);
115 $this->assertNotIdentical(FALSE, $original_uri, 'Created the generated image file.');
117 // Get the URL of a file that has not been generated and try to create it.
118 $generated_uri = $this->style->buildUri($original_uri);
119 $this->assertFalse(file_exists($generated_uri), 'Generated file does not exist.');
120 $generate_url = $this->style->buildUrl($original_uri, $clean_url);
122 // Ensure that the tests still pass when the file is generated by accessing
123 // a poorly constructed (but still valid) file URL that has an extra slash
126 $modified_uri = str_replace('://', ':///', $original_uri);
127 $this->assertNotEqual($original_uri, $modified_uri, 'An extra slash was added to the generated file URI.');
128 $generate_url = $this->style->buildUrl($modified_uri, $clean_url);
131 $this->assertTrue(strpos($generate_url, 'index.php/') !== FALSE, 'When using non-clean URLS, the system path contains the script name.');
133 // Add some extra chars to the token.
134 $this->drupalGet(str_replace(IMAGE_DERIVATIVE_TOKEN . '=', IMAGE_DERIVATIVE_TOKEN . '=Zo', $generate_url));
135 $this->assertResponse(403, 'Image was inaccessible at the URL with an invalid token.');
136 // Change the parameter name so the token is missing.
137 $this->drupalGet(str_replace(IMAGE_DERIVATIVE_TOKEN . '=', 'wrongparam=', $generate_url));
138 $this->assertResponse(403, 'Image was inaccessible at the URL with a missing token.');
140 // Check that the generated URL is the same when we pass in a relative path
141 // rather than a URI. We need to temporarily switch the default scheme to
142 // match the desired scheme before testing this, then switch it back to the
143 // "temporary" scheme used throughout this test afterwards.
144 $this->config('system.file')->set('default_scheme', $scheme)->save();
145 $relative_path = file_uri_target($original_uri);
146 $generate_url_from_relative_path = $this->style->buildUrl($relative_path, $clean_url);
147 $this->assertEqual($generate_url, $generate_url_from_relative_path);
148 $this->config('system.file')->set('default_scheme', 'temporary')->save();
150 // Fetch the URL that generates the file.
151 $this->drupalGet($generate_url);
152 $this->assertResponse(200, 'Image was generated at the URL.');
153 $this->assertTrue(file_exists($generated_uri), 'Generated file does exist after we accessed it.');
154 $this->assertRaw(file_get_contents($generated_uri), 'URL returns expected file.');
155 $image = $this->container->get('image.factory')->get($generated_uri);
156 $this->assertEqual($this->drupalGetHeader('Content-Type'), $image->getMimeType(), 'Expected Content-Type was reported.');
157 $this->assertEqual($this->drupalGetHeader('Content-Length'), $image->getFileSize(), 'Expected Content-Length was reported.');
159 // Check that we did not download the original file.
160 $original_image = $this->container->get('image.factory')->get($original_uri);
161 $this->assertNotEqual($this->drupalGetHeader('Content-Length'), $original_image->getFileSize());
163 if ($scheme == 'private') {
164 $this->assertEqual($this->drupalGetHeader('Expires'), 'Sun, 19 Nov 1978 05:00:00 GMT', 'Expires header was sent.');
165 $this->assertNotEqual(strpos($this->drupalGetHeader('Cache-Control'), 'no-cache'), FALSE, 'Cache-Control header contains \'no-cache\' to prevent caching.');
166 $this->assertEqual($this->drupalGetHeader('X-Image-Owned-By'), 'image_module_test', 'Expected custom header has been added.');
168 // Make sure that a second request to the already existing derivative
170 $this->drupalGet($generate_url);
171 $this->assertResponse(200, 'Image was generated at the URL.');
173 // Check that the second request also returned the generated image.
174 $this->assertEqual($this->drupalGetHeader('Content-Length'), $image->getFileSize());
176 // Check that we did not download the original file.
177 $this->assertNotEqual($this->drupalGetHeader('Content-Length'), $original_image->getFileSize());
179 // Make sure that access is denied for existing style files if we do not
181 \Drupal::state()->delete('image.test_file_download');
182 $this->drupalGet($generate_url);
183 $this->assertResponse(403, 'Confirmed that access is denied for the private image style.');
185 // Repeat this with a different file that we do not have access to and
186 // make sure that access is denied.
187 $file_noaccess = array_shift($files);
188 $original_uri_noaccess = file_unmanaged_copy($file_noaccess->uri, $scheme . '://', FILE_EXISTS_RENAME);
189 $generated_uri_noaccess = $scheme . '://styles/' . $this->style->id() . '/' . $scheme . '/' . drupal_basename($original_uri_noaccess);
190 $this->assertFalse(file_exists($generated_uri_noaccess), 'Generated file does not exist.');
191 $generate_url_noaccess = $this->style->buildUrl($original_uri_noaccess);
193 $this->drupalGet($generate_url_noaccess);
194 $this->assertResponse(403, 'Confirmed that access is denied for the private image style.');
195 // Verify that images are not appended to the response. Currently this test only uses PNG images.
196 if (strpos($generate_url, '.png') === FALSE ) {
197 $this->fail('Confirming that private image styles are not appended require PNG file.');
200 // Check for PNG-Signature (cf. http://www.libpng.org/pub/png/book/chapter08.html#png.ch08.div.2) in the
202 $this->assertNoRaw( chr(137) . chr(80) . chr(78) . chr(71) . chr(13) . chr(10) . chr(26) . chr(10), 'No PNG signature found in the response body.');
206 $this->assertEqual($this->drupalGetHeader('Expires'), 'Sun, 19 Nov 1978 05:00:00 GMT', 'Expires header was sent.');
207 $this->assertEqual(strpos($this->drupalGetHeader('Cache-Control'), 'no-cache'), FALSE, 'Cache-Control header contains \'no-cache\' to prevent caching.');
210 // Add some extra chars to the token.
211 $this->drupalGet(str_replace(IMAGE_DERIVATIVE_TOKEN . '=', IMAGE_DERIVATIVE_TOKEN . '=Zo', $generate_url));
212 $this->assertResponse(200, 'Existing image was accessible at the URL with an invalid token.');
216 // Allow insecure image derivatives to be created for the remainder of this
218 $this->config('image.settings')->set('allow_insecure_derivatives', TRUE)->save();
220 // Create another working copy of the file.
221 $files = $this->drupalGetTestFiles('image');
222 $file = array_shift($files);
223 $original_uri = file_unmanaged_copy($file->uri, $scheme . '://', FILE_EXISTS_RENAME);
224 // Let the image_module_test module know about this file, so it can claim
225 // ownership in hook_file_download().
226 \Drupal::state()->set('image.test_file_download', $original_uri);
228 // Suppress the security token in the URL, then get the URL of a file that
229 // has not been created and try to create it. Check that the security token
230 // is not present in the URL but that the image is still accessible.
231 $this->config('image.settings')->set('suppress_itok_output', TRUE)->save();
232 $generated_uri = $this->style->buildUri($original_uri);
233 $this->assertFalse(file_exists($generated_uri), 'Generated file does not exist.');
234 $generate_url = $this->style->buildUrl($original_uri, $clean_url);
235 $this->assertIdentical(strpos($generate_url, IMAGE_DERIVATIVE_TOKEN . '='), FALSE, 'The security token does not appear in the image style URL.');
236 $this->drupalGet($generate_url);
237 $this->assertResponse(200, 'Image was accessible at the URL with a missing token.');
239 // Stop supressing the security token in the URL.
240 $this->config('image.settings')->set('suppress_itok_output', FALSE)->save();
241 // Ensure allow_insecure_derivatives is enabled.
242 $this->assertEqual($this->config('image.settings')->get('allow_insecure_derivatives'), TRUE);
243 // Check that a security token is still required when generating a second
244 // image derivative using the first one as a source.
245 $nested_url = $this->style->buildUrl($generated_uri, $clean_url);
246 $matches_expected_url_format = (boolean) preg_match('/styles\/' . $this->style->id() . '\/' . $scheme . '\/styles\/' . $this->style->id() . '\/' . $scheme . '/', $nested_url);
247 $this->assertTrue($matches_expected_url_format, "URL for a derivative of an image style matches expected format.");
248 $nested_url_with_wrong_token = str_replace(IMAGE_DERIVATIVE_TOKEN . '=', 'wrongparam=', $nested_url);
249 $this->drupalGet($nested_url_with_wrong_token);
250 $this->assertResponse(403, 'Image generated from an earlier derivative was inaccessible at the URL with a missing token.');
251 // Check that this restriction cannot be bypassed by adding extra slashes
253 $this->drupalGet(substr_replace($nested_url_with_wrong_token, '//styles/', strrpos($nested_url_with_wrong_token, '/styles/'), strlen('/styles/')));
254 $this->assertResponse(403, 'Image generated from an earlier derivative was inaccessible at the URL with a missing token, even with an extra forward slash in the URL.');
255 $this->drupalGet(substr_replace($nested_url_with_wrong_token, '////styles/', strrpos($nested_url_with_wrong_token, '/styles/'), strlen('/styles/')));
256 $this->assertResponse(403, 'Image generated from an earlier derivative was inaccessible at the URL with a missing token, even with multiple forward slashes in the URL.');
257 // Make sure the image can still be generated if a correct token is used.
258 $this->drupalGet($nested_url);
259 $this->assertResponse(200, 'Image was accessible when a correct token was provided in the URL.');
261 // Check that requesting a nonexistent image does not create any new
262 // directories in the file system.
263 $directory = $scheme . '://styles/' . $this->style->id() . '/' . $scheme . '/' . $this->randomMachineName();
264 $this->drupalGet(file_create_url($directory . '/' . $this->randomString()));
265 $this->assertFalse(file_exists($directory), 'New directory was not created in the filesystem when requesting an unauthorized image.');