getPathToken example

    // 'image.settings:suppress_itok_output' configuration to TRUE to achieve     // that (if both are set, the security token will neither be emitted in the     // image derivative URL nor checked for in     // \Drupal\image\ImageStyleInterface::deliver()).     $token_query = [];
    if (!\Drupal::config('image.settings')->get('suppress_itok_output')) {
      // The passed $path variable can be either a relative path or a full URI.       if (!$stream_wrapper_manager::getScheme($path)) {
        $path = \Drupal::config('system.file')->get('default_scheme') . '://' . $path;
      }
      $original_uri = $stream_wrapper_manager->normalizeUri($path);
      $token_query = [IMAGE_DERIVATIVE_TOKEN => $this->getPathToken($original_uri)];
    }

    if ($clean_urls === NULL) {
      // Assume clean URLs unless the request tells us otherwise.       $clean_urls = TRUE;
      try {
        $request = \Drupal::request();
        $clean_urls = RequestHelper::isCleanUrl($request);
      }
      catch (ServiceNotFoundException $e) {
      }
    }
->willReturn('png');

    $image_style = $this->getImageStyleMock($image_effect_id$image_effect['getPrivateKey', 'getHashSalt']);
    $image_style->expects($this->any())
      ->method('getPrivateKey')
      ->willReturn($private_key);
    $image_style->expects($this->any())
      ->method('getHashSalt')
      ->willReturn($hash_salt);

    // Assert the extension has been added to the URI before creating the token.     $this->assertEquals($image_style->getPathToken('public://test.jpeg.png')$image_style->getPathToken('public://test.jpeg'));
    $this->assertEquals(substr(Crypt::hmacBase64($image_style->id() . ':' . 'public://test.jpeg.png', $private_key . $hash_salt), 0, 8)$image_style->getPathToken('public://test.jpeg'));
    $this->assertNotEquals(substr(Crypt::hmacBase64($image_style->id() . ':' . 'public://test.jpeg', $private_key . $hash_salt), 0, 8)$image_style->getPathToken('public://test.jpeg'));

    // Image style that doesn't change the extension.     $image_effect_id = $this->randomMachineName();
    $image_effect = $this->getMockBuilder('\Drupal\image\ImageEffectBase')
      ->setConstructorArgs([[]$image_effect_id[]$logger])
      ->getMock();
    $image_effect->expects($this->any())
      ->method('getDerivativeExtension')
      ->will($this->returnArgument(0));

    
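// Also validate the derivative token. Sites which require image
// derivatives to be generated without a token can set the
// 'image.settings:allow_insecure_derivatives' configuration to TRUE to
// bypass this check, but this will increase the site's vulnerability
// to denial-of-service attacks. To prevent this variable from leaving the
// site vulnerable to the most serious attacks, a token is always required
// when a derivative of a style is requested.
// The $target variable for a derivative of a style has
// styles/<style_name>/... as structure, so we check if the $target variable
// starts with styles/.
$token = $request->query->get(IMAGE_DERIVATIVE_TOKEN, '');
// hash_equals() compares in constant time, so response timing does not leak
// how many leading characters of a guessed token were correct. The token is
// accepted when it matches either the token for $image_uri or the token for
// the URI rebuilt from $scheme and $target.
// NOTE(review): hash_equals() requires string arguments; confirm that an
// array-valued token parameter is rejected before this point.
$token_is_valid = hash_equals($image_style->getPathToken($image_uri), $token)
  || hash_equals($image_style->getPathToken($scheme . '://' . $target), $token);
// The token is enforced unless allow_insecure_derivatives is enabled AND the
// target is not itself a derivative path (leading slashes and backslashes are
// stripped before the 'styles/' prefix test).
if (!$this->config('image.settings')->get('allow_insecure_derivatives') || str_starts_with(ltrim($target, '\/'), 'styles/')) {
  $valid = $valid && $token_is_valid;
}

if (!$valid) {
  // Return a 404 (Page Not Found) rather than a 403 (Access Denied) as the
  // image token is for DDoS protection rather than access checking. 404s
  // are more likely to be cached (e.g. at a proxy) which enhances
  // protection from DDoS.
  throw new NotFoundHttpException();
}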