// Also validate the derivative token. Sites which require image
// derivatives to be generated without a token can set the
// 'image.settings:allow_insecure_derivatives' configuration to TRUE to
// bypass this check, but this will increase the site's vulnerability
// to denial-of-service attacks. To prevent this variable from leaving the
// site vulnerable to the most serious attacks, a token is always required
// when a derivative of a style is requested.
// The $target variable for a derivative of a style has
// styles/<style_name>/... as structure, so we check if the $target variable
// starts with styles/.
$token =
$request->query->
get(IMAGE_DERIVATIVE_TOKEN, ''
);
$token_is_valid =
hash_equals($image_style->
getPathToken($image_uri),
$token) ||
hash_equals($image_style->
getPathToken($scheme . '://' .
$target),
$token);
if (!
$this->
config('image.settings'
)->
get('allow_insecure_derivatives'
) ||
str_starts_with(ltrim($target, '\/'
), 'styles/'
)) { $valid =
$valid &&
$token_is_valid;
} if (!
$valid) { // Return a 404 (Page Not Found) rather than a 403 (Access Denied) as the
// image token is for DDoS protection rather than access checking. 404s
// are more likely to be cached (e.g. at a proxy) which enhances
// protection from DDoS.
throw new NotFoundHttpException();
}