Drupal 7.20 introduces a new concept of an image derivative query string token to deal with this security issue:
http://drupal.org/SA-CORE-2013-002
The security fixes in this release change all image derivative URLs generated by Drupal to append a token as a query string. ("Image derivatives" are copies of images which the Drupal Image module automatically creates based on configured image styles; for example, thumbnail, medium, large, etc.)
http://drupal.org/drupal-7.20-release-notes
We need to make this compatible with stage file proxy :)
Scenario:
Drupal 7.20+
Request a nonexistent image on the local server: /sites/default/files/styles/custom_style/public/images/myimage.jpg?itok=GgsLCDrQ
Stage file proxy handles it: on a 200 response code it downloads the original image from the origin and moves it to the local folder.
Refresh the request and let the web server work out the MIME type, etc.
In the last step the module does not send the itok query parameter and the request gets a 403 response.
Until this issue is solved you can set this in your settings.php:
$conf['image_allow_insecure_derivatives'] = TRUE;
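The following is an added example, not code from stage_file_proxy or Drupal core, that reproduces the scenario above as a standalone PHP script. It reimplements the Drupal 7.20 token the way image_style_path_token() and drupal_hmac_base64() build it (first 8 characters of a URL-safe base64 HMAC-SHA256 over "style:uri"), so it runs without a Drupal bootstrap; the constants PRIVATE_KEY and HASH_SALT stand in for drupal_get_private_key() and drupal_get_hash_salt(), and the function names, the sample request and the two redirect builders are assumptions made for the illustration. The two redirect builders contrast the behaviour the issue describes (the redirect drops the query string, so the second request fails the itok check with a 403) with a redirect that carries every query parameter along, which is what a fix along the lines of patch #4 has to do; the real patch is not reproduced here.

```php
<?php
// Added example: standalone reimplementation of the Drupal 7.20 itok check and of a
// stage-file-proxy style redirect, with and without the query string preserved.
// Not stage_file_proxy or Drupal core code; names and constants are assumptions.

const PRIVATE_KEY = 'example-private-key'; // stands in for drupal_get_private_key()
const HASH_SALT   = 'example-hash-salt';   // stands in for drupal_get_hash_salt()

// Same construction as drupal_hmac_base64(): HMAC-SHA256, base64, URL-safe, no padding.
function hmac_base64($data, $key) {
  $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}

// Same construction as image_style_path_token(): first 8 chars of the HMAC over "style:uri".
function derivative_token($style_name, $uri) {
  return substr(hmac_base64($style_name . ':' . $uri, PRIVATE_KEY . HASH_SALT), 0, 8);
}

// Mirrors the decision in image_style_deliver(): no itok, or a wrong itok, means 403,
// unless image_allow_insecure_derivatives is set. (Core uses a plain != comparison;
// hash_equals() is used here to avoid a timing side channel.)
function derivative_allowed($style_name, $uri, array $query, $allow_insecure = FALSE) {
  if ($allow_insecure) {
    return TRUE;
  }
  if (empty($query['itok']) || !is_string($query['itok'])) {
    return FALSE;
  }
  return hash_equals(derivative_token($style_name, $uri), $query['itok']);
}

// Split a derivative request into style name, original file URI and query parameters:
// /sites/default/files/styles/<style>/<scheme>/<path>?itok=...  ->  <scheme>://<path>
function parse_derivative_request($request_uri) {
  $parts = parse_url($request_uri);
  $query = array();
  if (!empty($parts['query'])) {
    parse_str($parts['query'], $query);
  }
  if (!preg_match('#^/sites/default/files/styles/([^/]+)/([^/]+)/(.+)$#', $parts['path'], $m)) {
    return NULL;
  }
  return array(
    'path'  => $parts['path'],
    'style' => $m[1],
    'uri'   => $m[2] . '://' . $m[3],
    'query' => $query,
  );
}

// The behaviour the issue describes: after fetching the original from the origin,
// redirect to the bare path, losing itok (and any other query parameter).
function redirect_location_dropping_query(array $req) {
  return $req['path'];
}

// The behaviour a fix needs: carry the whole original query string on the redirect,
// so itok and any other parameters survive the second request.
function redirect_location_keeping_query(array $req) {
  return $req['path'] . ($req['query'] ? '?' . http_build_query($req['query']) : '');
}

// Walk the scenario for both redirect styles and return the status of the second request.
function simulate($allow_insecure = FALSE) {
  $style = 'custom_style';
  $uri   = 'public://images/myimage.jpg';
  // Constructed sample request: a valid itok for this key/salt, as Drupal would emit it.
  $first = '/sites/default/files/styles/custom_style/public/images/myimage.jpg?itok='
         . derivative_token($style, $uri);
  $req = parse_derivative_request($first);

  $results = array();
  foreach (array('dropping' => redirect_location_dropping_query($req),
                 'keeping'  => redirect_location_keeping_query($req)) as $label => $location) {
    $second = parse_derivative_request($location);
    $ok = derivative_allowed($second['style'], $second['uri'], $second['query'], $allow_insecure);
    $results[$label] = $ok ? 200 : 403;
  }
  return $results;
}

foreach (simulate() as $label => $status) {
  printf("redirect %s query string -> %d\n", $label, $status);
}
// With $conf['image_allow_insecure_derivatives'] = TRUE both redirects succeed:
foreach (simulate(TRUE) as $label => $status) {
  printf("insecure derivatives allowed, redirect %s query string -> %d\n", $label, $status);
}
```

Run with `php` on the command line: the redirect that drops the query string yields 403 and the one that keeps it yields 200, which is the difference between the current module behaviour and the workaround of allowing insecure derivatives. Note that preserving only itok is not enough in general, which is why the redirect builder above re-emits every query parameter it received rather than a single named one.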
Comment | File | Size | Author |
---|---|---|---|
#4 | stage_file_proxy-image_derivate_token_protection-1965742-4.patch | 954 bytes | GeduR |
#1 | stage_file_proxy-image_derivate_token_protection-1965742-1.patch | 981 bytes | GeduR |
Comments
Comment #1
GeduR commented: Attached patch for review,
thanks!
Comment #2
greggles commented: Can you outline the scenario where the derivative doesn't exist on the server already?
Comment #3
GeduR commented: I've just added a little more information to the description above for better understanding.
Comment #4
GeduR commented: Here is another approach to make this compatible with other possible query parameters and not only "itok".
I think this will be a better solution than previous patch.
Comment #5
navarrete commented: The #4 patch works fine for me :)
Comment #6
TuWebO commented: Hi,
Patch #4 is working fine for me.
Thanks GeduR.
Comment #7
GeduR commented: Thanks. Changing the priority to major according to the priority level post (http://drupal.org/node/45111).
Can any of the maintainers take a look at patch #4?
Thanks!
Comment #8
greggles commented: Fixed - http://drupalcode.org/project/stage_file_proxy.git/commit/b81f21e
Thanks for the patch and reviews, everyone!
Comment #9
(not verified) commented: Adding scenario info