The bug #1922812: Protection against DOS SA-CORE-2013-002 - Drupal core - Denial of service is a critical vulnerability for DoS attack because imagecache can be recursively generated. For example, with one image files/image.png you can create (it has been publicly disclosed).

files/imagecache/full/image.png
files/imagecache/full/imagecache/full/image.png
files/imagecache/full/imagecache/full/imagecache/full/image.png
...

etc. and 'full' could be replaced by any preset that make a very big combination. If an url can be up to 4000 bytes (Apache limit), a preset is in average 16 bytes, you can put up to 100 presets per url. Suppose that there are only 5 presets on your website, with only one image, an attacker can make up up to 5^100 different urls and ask your server to generate 5^100 (it is a number with 70 digits!) derivated images

To fix this problem prevent 99% from the original bug (the other 1% is "by design"). So let's introduce an option which is enabled by default because I don't think there is any reason for recursive imagecache generation.

Comments

jcisio’s picture

Category: feature » task
Priority: Normal » Critical
Status: Active » Needs review
FileSize
517 bytes
David_Rothstein’s picture

I haven't looked at this in detail, but be careful that no one is able to bypass this via a clever URL, e.g. one which uses something like ////imagecache/ or \\\imagecache/.

See also: #1934568-2: Allow sites using the 'image_allow_insecure_derivatives' variable to have partial protection from the Drupal 7.20 security issue and subsequent comments.

jcisio’s picture

New patch based on core's one.

David_Rothstein’s picture

Probably should use '\/' for the ltrim() (same as the core patch), rather than '/'? I'm pretty sure there is a way to get around this with backslashes.

jcisio’s picture

Indeed.

cancerian7’s picture

cancerian7’s picture

Issue summary: View changes

add link