Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
http://drupal.org/SA-CORE-2013-002
The imagecache d6 maintainers were aware of this issue. Creating a public tracking issue.
Comment | File | Size | Author |
---|---|---|---|
#34 | 1922812-29-imagecache_d6.patch | 4.86 KB | fizk |
#33 | 1922812-29-imagecache_d6.patch | 4.86 KB | fizk |
#31 | 1922812-29-imagecache_d6.patch | 4.86 KB | fizk |
#29 | 1922812-29-imagecache_d6.patch | 4.86 KB | pwolanin |
#27 | hmac.php_.txt | 1.45 KB | pwolanin |
Comments
Comment #1
pwolanin CreditAttribution: pwolanin commentedHere's an initial backport.
For some reason i'm not getting image derivates generated, but that's true without the patch too, so I think it's an image toolkit issue.
Comment #2
jcisio CreditAttribution: jcisio commentedCould we have a link to the issue that led to that change in Drupal core? I think the next step could be remove the token with some limited threshold in the number of concurrent image derivates generation. For example, flush an image preset (this function exists in Imagecache, but not in the D7 version of Drupal core) cause a similar DoS attack if there is no reverse proxy in front of Drupal.
Comment #3
scor CreditAttribution: scor commentedsame patch, only corrected a typo in the comment of the last hunk. This patch works on my localhost, views can generate thumbnail images.
Comment #4
scor CreditAttribution: scor commentedany reason why not doing
here?
Comment #5
pwolanin CreditAttribution: pwolanin commentedThat does a much more expensive operation, including potentially writing to the DB via watchdog and theming a nice 403 page.
http://api.drupal.org/api/drupal/includes%21common.inc/function/drupal_a...
Given that the original module had this simple shortcut, I didn't see a reason to change.
Comment #6
FiNeX CreditAttribution: FiNeX commentedDid someone analyzed the proposed solution from a SEO perspective? Thanks
Comment #7
gregglesRe #6 - I'm not aware of any potential SEO penalties from this. However, even if there are penalties, that should be pushed to a followup issue.
Comment #8
FiNeX CreditAttribution: FiNeX commented@greggles: I'm thinking about a duplication/crawling problem of the image URL by Google.
Google would crawl two times the same URL and this is a waste of resources. Even if the crawler should be smart and group the content I don't like the idea. Anyway to it should be enough to exclude "itok" from the URL parameters on Webmaster Tools to be safe and let the crawler to get only the base URL.
What do you think about?
Comment #9
scor CreditAttribution: scor commentedI don't think image SEO is as important as regular web pages URLs SEO. This might have an impact when searching for images on Google but I doubt it will affect SEO of regular web pages. these urls won't change. I'm pretty sure Google is smart enough to adjust if your images' urls change, especially if the change is a query parameter. I think having the same image in multiple derivative is possibly a larger concern, which is what imagecache does by design.
Comment #10
Dave ReidWhat is the version of the URL with itok did it's generation, and then redirected to the version of the image URL without the itok?
Comment #11
gregglesFolks interested in this issue may also want to see #1925014: make pwolanin temporary co-maintainer to make new release with security patch.
Comment #12
scor CreditAttribution: scor commented@Dave Reid wouldn't that lead to a redirect everytime you generate imagecache URLs via e.g. views. even when the image is already available?
Either way, this is good feedback, and the type of follow up that could be done in a separate issue.
Comment #13
Dave ReidIgnore #10.
A bigger problem may be this code assumes the hash PHP extension is enabled and available, but it's not a requirement for Drupal 6. This will cause fatal errors for any sites that do not have the extension enabled. It's only enabled by default as of PHP 5.1.2, which is not the minimum requirement for ImageCache nor core. The minimum PHP requirement for imageapi is 5.1.
Comment #14
jcisio CreditAttribution: jcisio commented5.1.6 was released more than 6 years ago and has not been updated since then. According to http://w3techs.com/technologies/details/pl-php/5.1/all PHP < 5.1.6 has less than 0.15% market share of PHP. I don't think there are maintained D6 websites with PHP 5.1.
That said, simply replace hash/hash_hmac with md5 works if hash is not available.
Comment #15
scor CreditAttribution: scor commentedHeine and Peter suggested to use sha1 to address #13. This patch also uses
$db_url
which is the D6 equivalent to$databases
.Comment #16
scor CreditAttribution: scor commentedoops, forgot to remove an hmac comment.
Comment #17
pwolanin CreditAttribution: pwolanin commentedchange to sha1:
This port is wrong I think - you need to implement the HMAC using sha1 for imagecache_style_path_token(). Just calling sha1() is not enough.
Comment #18
scor CreditAttribution: scor commentedok, patch using HMAC-SHA1 now, inspired from http://drupalcode.org/project/acquia_search.git/blob/refs/heads/6.x-1.x:...
Comment #19
pwolanin CreditAttribution: pwolanin commentedStill has this call to hash():
and this is wrong:
it is missing a call to pack('H*'). Correct is:
Comment #20
scor CreditAttribution: scor commentedThanks Peter.
Comment #21
scor CreditAttribution: scor commentedused the wrong global.
Comment #22
pwolanin CreditAttribution: pwolanin commenteddo we need to serialize?
Comment #23
scor CreditAttribution: scor commentedwe technically don't but I left it like that to remain closer to the D7 code logic.
Comment #24
gregglesIn pressflow6 the db_url can be an array - https://pressflow.atlassian.net/wiki/display/PF/Using+database+replicati...
So, I think the serialize is worth keeping.
Comment #25
Dave ReidIt can be an array just with using Drupal 6 core, so agreed, serialize should stay.
Comment #26
pwolanin CreditAttribution: pwolanin commentedthis needs to return the binary value:
should be:
Comment #27
pwolanin CreditAttribution: pwolanin commentedHere's a quick test file for the corrected function
Comment #28
pwolanin CreditAttribution: pwolanin commentedAlso I'd rename these vars:
like $ikey and $okey?
Comment #29
pwolanin CreditAttribution: pwolanin commentedupdated plus added code comments.
Comment #30
pwolanin CreditAttribution: pwolanin commentedSeems tests are not enabled for this project?
We probably need to update those too.
Comment #31
fizk CreditAttribution: fizk commentedShould be enabled now.
Comment #32
pwolanin CreditAttribution: pwolanin commentedOn the testing tab looking at the results it says:
Comment #33
fizk CreditAttribution: fizk commentedI renamed
get_info()
togetInfo()
due to #237667: get_info to getInfo. Let's try this again.Comment #34
fizk CreditAttribution: fizk commentedTurns out there were a lot more things that needed updating. Should work now.
Comment #35
chellman CreditAttribution: chellman commentedJust chiming in to say that #34 is working for me.
Comment #36
fizk CreditAttribution: fizk commentedNow that the automated testing is working, some tests should be written. Could the D7/D8 tests be backported?
Comment #37
a_c_m CreditAttribution: a_c_m commentedGiven exploit code is now live : http://berk.es/2013/03/04/drupal-imagecache-security-vulnarability-with-...
Is there any further movement on this or advice for D6 users. Is 34 RTBC (minus tests) ?
Comment #38
fizk CreditAttribution: fizk commented@a_c_m Does the patch work for you?
Comment #39
nickfitz CreditAttribution: nickfitz commentedHey @Fizk:
I have tested and implemented this patch in a production environment on a large scale Drupal site. The patch works as intended and provides the additional security measures we needed to close the potential attack vector. Thank you for all of your work.
We ran into some hiccups with our own implementation of of the patch in instances where we were re-sizing already re-sized images that were made available to a node via node_embed and displayed within a view. These images were returning as invalid and displaying the 403 error. For others applying the patch in a similar environment, here are the issues we ran into and our solution:
Problem:
The original source image has been re-sized and is made available to a node via node_embed. The re-sized image will need to be re-sized again prior to being displayed within a view. After applying the patch, the source image path, which has already been re-sized, contains a token key. Because the source URL already contains a token key, Drupal's URL encode would return "?" and "=" as "%3F" and "%3D" respectively, causing the patch's validation to fail. This resulted in the image request returning a 403 error.
Original Source Path: http://www.example.com/sites/default/files/imagecache/imagepresetA/image...
Original Re-sized Path: http://www.example.com/sites/default/files/imagecache/imagepresetB/sites...
Solution:
We resolved this issue by removing the original key from the source image URL. Below is some example code:
Adjusted Source Path: http://www.example.com/sites/default/files/imagecache/imagepresetA/image...
Adjusted Re-sized Path: http://www.example.com/sites/default/files/imagecache/imagepresetB/sites...
Comment #40
fizk CreditAttribution: fizk commented@nickfitz, thanks for following up!
@pwolanin, can you please look into nickfitz's report.
Comment #41
jcisio CreditAttribution: jcisio commentedWith what that is being discussed at #1934498: Allow the image style 'itok' token to be suppressed in image derivative URLs, why don't we try an easier solution? This issue is here for more than a month.
A 4-line patch #1934482: Add an option to disable recursive imagecache preset path.