The Drupal 7.20 security release introduced this change:

-  return file_create_url($uri);
+  $file_url = file_create_url($uri);
+  // Append the query string with the token.
+  return $file_url . (strpos($file_url, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($token_query);

This means the query string is effectively not available for hook_file_url_alter() to be modified, i.e. it breaks file URL altering.


This breaks CDN module's Far Future expiration functionality.

Files: 
CommentFileSizeAuthor
7.21_correct_file_create_url_usage.patch776 bytesWim Leers
FAILED: [[SimpleTest]]: [MySQL] 40,405 pass(es), 30 fail(s), and 4 exception(s).
[ View ]

Comments

Status:Needs review» Needs work

The last submitted patch, 7.21_correct_file_create_url_usage.patch, failed testing.

Version:7.21» 7.x-dev
Status:Needs work» Needs review

Status:Needs review» Needs work

The last submitted patch, 7.21_correct_file_create_url_usage.patch, failed testing.

Status:Needs work» Closed (won't fix)

By passing file_create_url() after having added the token, the symbol ? or & is encoded with drupal_encode_path():

<?php
     
// If this is not a properly formatted stream, then it is a shipped file.
      // Therefore, return the urlencoded URI with the base URL prepended.
     
return $GLOBALS['base_url'] . '/' . drupal_encode_path($uri);
?>

Unless we were to change this logic, this issue is won't fix for D7. The ability to remove the itok querystring comes then at the template level :(

I don't know about CDN FF functionality and how it breaks or could not be fixed.

Yes, this looks hard. Maybe you could do something super hackish like:

<?php
// Add the query string before calling file_create_url(), so that it is available in
// hook_file_url_alter().
$query_string = drupal_http_build_query($token_query);
$uri .= (strpos($uri, '?') !== FALSE ? '&' : '?') . $query_string;
$uri = file_create_url($uri);
// If file_create_url() has simply URL-encoded the token query, and if that was the
// entire query string, restore it here.
return str_replace(drupal_encode_path('?' . $query_string), '?' . $query_string, $uri);
?>

It is even not hackish enough. Think about user with Clean URLs off ;)

Issue summary:View changes

Updated issue summary.