CodeExplorer
You are a developer and looking for Shopware projects?
Apply Now!
getPathToken example
// 'image.settings:suppress_itok_output' configuration to TRUE to achieve
// that (if both are set, the security token will neither be emitted in the
// image derivative URL nor checked for in
// \Drupal\image\ImageStyleInterface::deliver()).
$token_query = [];
if (!\Drupal::config('image.settings')->get('suppress_itok_output')) {
// The passed $path variable can be either a relative path or a full URI. if (!$stream_wrapper_manager::getScheme($path)) {
$path = \Drupal::config('system.file')->get('default_scheme') . '://' . $path;
}
$original_uri = $stream_wrapper_manager->normalizeUri($path);
$token_query = [IMAGE_DERIVATIVE_TOKEN => $this->getPathToken($original_uri)];
}
if ($clean_urls === NULL) {
// Assume clean URLs unless the request tells us otherwise. $clean_urls = TRUE;
try {
$request = \Drupal::request();
$clean_urls = RequestHelper::isCleanUrl($request);
}
catch (ServiceNotFoundException $e) {
}
}
if (!\Drupal::config('image.settings')->get('suppress_itok_output')) {
// The passed $path variable can be either a relative path or a full URI. if (!$stream_wrapper_manager::getScheme($path)) {
$path = \Drupal::config('system.file')->get('default_scheme') . '://' . $path;
}
$original_uri = $stream_wrapper_manager->normalizeUri($path);
$token_query = [IMAGE_DERIVATIVE_TOKEN => $this->getPathToken($original_uri)];
}
if ($clean_urls === NULL) {
// Assume clean URLs unless the request tells us otherwise. $clean_urls = TRUE;
try {
$request = \Drupal::request();
$clean_urls = RequestHelper::isCleanUrl($request);
}
catch (ServiceNotFoundException $e) {
}
}
->willReturn('png');
$image_style = $this->getImageStyleMock($image_effect_id, $image_effect, ['getPrivateKey', 'getHashSalt']);
$image_style->expects($this->any())
->method('getPrivateKey')
->willReturn($private_key);
$image_style->expects($this->any())
->method('getHashSalt')
->willReturn($hash_salt);
// Assert the extension has been added to the URI before creating the token. $this->assertEquals($image_style->getPathToken('public://test.jpeg.png'), $image_style->getPathToken('public://test.jpeg'));
$this->assertEquals(substr(Crypt::hmacBase64($image_style->id() . ':' . 'public://test.jpeg.png', $private_key . $hash_salt), 0, 8), $image_style->getPathToken('public://test.jpeg'));
$this->assertNotEquals(substr(Crypt::hmacBase64($image_style->id() . ':' . 'public://test.jpeg', $private_key . $hash_salt), 0, 8), $image_style->getPathToken('public://test.jpeg'));
// Image style that doesn't change the extension. $image_effect_id = $this->randomMachineName();
$image_effect = $this->getMockBuilder('\Drupal\image\ImageEffectBase')
->setConstructorArgs([[], $image_effect_id, [], $logger])
->getMock();
$image_effect->expects($this->any())
->method('getDerivativeExtension')
->will($this->returnArgument(0));
$image_style = $this->getImageStyleMock($image_effect_id, $image_effect, ['getPrivateKey', 'getHashSalt']);
$image_style->expects($this->any())
->method('getPrivateKey')
->willReturn($private_key);
$image_style->expects($this->any())
->method('getHashSalt')
->willReturn($hash_salt);
// Assert the extension has been added to the URI before creating the token. $this->assertEquals($image_style->getPathToken('public://test.jpeg.png'), $image_style->getPathToken('public://test.jpeg'));
$this->assertEquals(substr(Crypt::hmacBase64($image_style->id() . ':' . 'public://test.jpeg.png', $private_key . $hash_salt), 0, 8), $image_style->getPathToken('public://test.jpeg'));
$this->assertNotEquals(substr(Crypt::hmacBase64($image_style->id() . ':' . 'public://test.jpeg', $private_key . $hash_salt), 0, 8), $image_style->getPathToken('public://test.jpeg'));
// Image style that doesn't change the extension. $image_effect_id = $this->randomMachineName();
$image_effect = $this->getMockBuilder('\Drupal\image\ImageEffectBase')
->setConstructorArgs([[], $image_effect_id, [], $logger])
->getMock();
$image_effect->expects($this->any())
->method('getDerivativeExtension')
->will($this->returnArgument(0));
// Also validate the derivative token. Sites which require image
// derivatives to be generated without a token can set the
// 'image.settings:allow_insecure_derivatives' configuration to TRUE to
// bypass this check, but this will increase the site's vulnerability
// to denial-of-service attacks. To prevent this variable from leaving the
// site vulnerable to the most serious attacks, a token is always required
// when a derivative of a style is requested.
// The $target variable for a derivative of a style has
// styles/<style_name>/... as structure, so we check if the $target variable
// starts with styles/.
$token = $request->query->get(IMAGE_DERIVATIVE_TOKEN, '');
$token_is_valid = hash_equals($image_style->getPathToken($image_uri), $token)
|| hash_equals($image_style->getPathToken($scheme . '://' . $target), $token);
if (!$this->config('image.settings')->get('allow_insecure_derivatives') || str_starts_with(ltrim($target, '\/'), 'styles/')) {
$valid = $valid && $token_is_valid;
}
if (!$valid) {
// Return a 404 (Page Not Found) rather than a 403 (Access Denied) as the // image token is for DDoS protection rather than access checking. 404s // are more likely to be cached (e.g. at a proxy) which enhances // protection from DDoS. throw new NotFoundHttpException();
}
$token_is_valid = hash_equals($image_style->getPathToken($image_uri), $token)
|| hash_equals($image_style->getPathToken($scheme . '://' . $target), $token);
if (!$this->config('image.settings')->get('allow_insecure_derivatives') || str_starts_with(ltrim($target, '\/'), 'styles/')) {
$valid = $valid && $token_is_valid;
}
if (!$valid) {
// Return a 404 (Page Not Found) rather than a 403 (Access Denied) as the // image token is for DDoS protection rather than access checking. 404s // are more likely to be cached (e.g. at a proxy) which enhances // protection from DDoS. throw new NotFoundHttpException();
}