In our install we have content created with CKEditor (7.x-1.12) containing images uploaded by Media module (7.x-2.0-unstable7) inside the WYSIWYG editor.
This leads to the full URL to the image getting embedded into the HTML generated by the WYSIWYG editor (which is an unrelated problem in itself, see #1352182: Media assets should have relative paths for wysiwyg editors).

As such, the URL (saved in the HTML in field_data_fieldname.fieldname_value) is not getting updated when upgrading to Drupal 7.20.
As such, it does not contain the now required "itok=token".
As such, the image is not displayed any more.

Is there any way to solve this problem apart from
a) editing all the links in the database tables
b) disabling the new anti-DOS feature in settings.php
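
Before choosing between the two options, it helps to know how many stored URLs are affected. The following is an added example, not part of the original post or of Drupal: a Python sketch that scans field HTML for image-style URLs with no itok parameter. The function name, the row format and the sample rows are assumptions; the rows stand in for values exported from field_data_fieldname.fieldname_value.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Derivative paths: public ".../files/styles/<style>/<scheme>/<file>" and
# private "/system/files/styles/<style>/<scheme>/<file>".
STYLE_PATH = re.compile(r"/files/styles/(?P<style>[^/]+)/(?P<scheme>[^/]+)/.+$")


class ImgSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources.extend(v for k, v in attrs if k == "src" and v)


def find_tokenless_derivatives(rows):
    """rows: iterable of (entity_id, html). Returns image-style URLs lacking itok."""
    findings = []
    for entity_id, html in rows:
        collector = ImgSrcCollector()
        collector.feed(html)
        collector.close()
        for src in collector.sources:
            parts = urlsplit(src)
            match = STYLE_PATH.search(parts.path)
            if not match:
                continue  # ordinary file, not an image-style derivative
            if parse_qs(parts.query).get("itok"):
                continue  # token already present
            findings.append({"entity_id": entity_id, "src": src,
                             "style": match["style"], "scheme": match["scheme"],
                             "absolute": bool(parts.netloc)})
    return findings


# Constructed sample rows standing in for (entity_id, fieldname_value).
SAMPLE_ROWS = [
    (11, '<p><img src="http://example.com/system/files/styles/full_wysiwyg_size/private/image.png" /></p>'),
    (12, '<p><img src="/sites/default/files/styles/large/public/a.jpg?itok=AbCd1234" /></p>'),
    (13, '<p><img src="/sites/default/files/logo.png" /><img src="/sites/default/files/styles/thumb/public/b.jpg?x=1&amp;y=2" /></p>'),
]

if __name__ == "__main__":
    for finding in find_tokenless_derivatives(SAMPLE_ROWS):
        print(finding)
```

The "absolute" flag marks URLs stored with a host name, which is the embedding behaviour described in #1352182.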


swentel’s picture

See the release notes here at the end

David_Rothstein’s picture

I wasn't able to reproduce this. It is true that the URL is stored without the token, but it shouldn't matter because the image has already been generated at that point. The token is only needed the first time it's viewed (in order to generate it in the filesystem). After that it's just a regular image file.

Do you have a more specific set of steps to reproduce this problem? It seems like somehow you'd have to have inserted a URL to an image in the WYSIWYG without that image ever being displayed anywhere first... which in theory is possible, but seems like it would be hard to achieve in practice, and I haven't figured out how to reproduce it yet.

David_Rothstein’s picture

Status: Active » Postponed (maintainer needs more info)

j4h8’s picture

Thanks for following up on this and sorry for my late answer.

The image is indeed in the filesystem, but we use the "private files" configuration.
(The URL is e.g. $DOMAIN/system/files/styles/full_wysiwyg_size/private/image.png)

Could our problem be related to this fact?

David_Rothstein’s picture

There are some automated tests for private files that should have caught any issues here, but I went ahead and tried it manually and private files worked for me on a local setup after upgrading to Drupal 7.20.

Just to make sure, you are saying that within your private files directory, there is a file at styles/full_wysiwyg_size/private/image.png? But visiting $DOMAIN/system/files/styles/full_wysiwyg_size/private/image.png still gives access denied?

If so, I don't see how it could be directly related to the Drupal 7.20 upgrade... However, two questions:

  1. What modules do you have installed that do either node access or field access and might be blocking access to that URL? For example, are you using Field Permissions?
  2. Have you tried the patch at #1923554: New anti-DoS measure breaks for some file URIs (or other patches linked to in the release notes, depending on what modules you're using)? I don't think it's related, but it wouldn't hurt to try.

David_Rothstein’s picture

Issue summary: View changes

Updated linked issue with correct format

dddave’s picture

Issue summary: View changes
Status: Postponed (maintainer needs more info) » Closed (won't fix)

No follow-up, Drupal moved on.