Drupal 7.20 introduces a new concept of an image derivative query string to deal with this security issue:
http://drupal.org/SA-CORE-2013-002

The security fixes in this release change all image derivative URLs generated by Drupal to append a token as a query string. ("Image derivatives" are copies of images which the Drupal Image module automatically creates based on configured image styles; for example, thumbnail, medium, large, etc.)

http://drupal.org/drupal-7.20-release-notes

We need to make this compatible with stage file proxy :)

Scenario:

Drupal 7.20+

Request a nonexistent image on local server: /sites/default/files/styles/custom_style/public/images/myimage.jpg?itok=GgsLCDrQ

Stage file proxy handles it; on a 200 response code it downloads the original image from the origin and moves it to the local folder.

Refresh the request and let the web server work out the mime type, etc.

In the last step the module does not send the itok query parameter and the request gets a 403 response.

Until this issue is solved you can set this in your settings.php:

$conf['image_allow_insecure_derivatives'] = TRUE;


Comments

GeduR

Status: Active » Needs review

Attached patch for review,
thanks!

greggles

Can you outline the scenario where the derivative doesn't exist on the server already?

GeduR

I've just completed a little more information in the description above for better understanding.

GeduR

Here is another approach to make this compatible with other possible query parameters and not only "itok".
I think this will be a better solution than previous patch.
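The flow from the issue summary and the generalisation in #4 (forward every query parameter, not just itok), modelled as an added stand-alone example; this is not the stage_file_proxy or Drupal code, and the token scheme and the secret are simplified assumptions:

```python
import hmac, hashlib, base64
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed secret standing in for the site's private key + hash salt (assumption).
SECRET = b"constructed-private-key-and-salt"

def derivative_token(style: str, image_path: str) -> str:
    """Model of Drupal 7.20's per-derivative token: first 8 chars of a
    base64url HMAC over 'style:path'. Simplified assumption, not Drupal's code."""
    mac = hmac.new(SECRET, f"{style}:{image_path}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")[:8]

def serve_derivative(request_uri: str) -> int:
    """Model of the derivative handler: 403 unless the itok query parameter
    matches the token for this style and source image, otherwise 200."""
    parts = urlsplit(request_uri)
    # /sites/default/files/styles/<style>/<scheme>/<image path>
    style, _scheme, image_path = parts.path.split("/styles/", 1)[1].split("/", 2)
    itok = parse_qs(parts.query).get("itok", [None])[0]
    return 200 if itok == derivative_token(style, image_path) else 403

def proxy_redirect(request_uri: str, keep_query: bool) -> str:
    """After fetching the original from the origin, the proxy sends the browser
    back to the same path. Before the fix the query string was dropped
    (keep_query=False); the fix forwards the whole query string unchanged."""
    parts = urlsplit(request_uri)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       parts.query if keep_query else "", ""))

def simulate(request_uri: str, keep_query: bool) -> int:
    """Status the browser ends up with on the refreshed request."""
    return serve_derivative(proxy_redirect(request_uri, keep_query))

def example_request_uri() -> str:
    # Constructed request matching the scenario path, with a valid itok.
    path = "/sites/default/files/styles/custom_style/public/images/myimage.jpg"
    itok = derivative_token("custom_style", "images/myimage.jpg")
    return f"http://local.example{path}?itok={itok}"

if __name__ == "__main__":
    uri = example_request_uri()
    print("query dropped:", simulate(uri, keep_query=False))   # 403
    print("query kept:   ", simulate(uri, keep_query=True))    # 200
```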

navarrete

Status: Needs review » Reviewed & tested by the community

The #4 patch works fine for me :)

TuWebO

Hi,
Patch #4 is working fine for me.
Thanks GeduR.

GeduR

Priority: Normal » Major

Thanks. Changing the priority to major according to the priority level post (http://drupal.org/node/45111).

Can any of the maintainers take a look at patch #4?

Thanks!

greggles

Status: Reviewed & tested by the community » Fixed

Fixed - http://drupalcode.org/project/stage_file_proxy.git/commit/b81f21e

Thanks for the patch and reviews, everyone!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous

Issue summary: View changes

Adding scenario info