Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
The menu callback for 'media/%file/format-form' is linked to view file_entity_access. This access is typically granted to anonymous users. However, the format-form generates multiple derived images. Which opens the door to things like: https://www.drupal.org/SA-CORE-2013-002.
Proposed resolution
Secure using 'access media browser' permission. Why, might you ask use that permission and not create a new one? Because the media wysiwyg is linked to the browser already. If this where a separate permission, it wouldn't make sense.
Remaining tasks
Review patch.
User interface changes
n/a
API changes
n/a
Comment | File | Size | Author |
---|---|---|---|
#11 | interdiff_10-11.txt | 548 bytes | azinck |
#11 | media_wysiwyg-DoS_image_derivatives-2349977_11.patch | 3.44 KB | azinck |
#10 | interdiff_8-10.txt | 872 bytes | azinck |
#10 | media_wysiwyg-DoS_image_derivatives-2349977_10.patch | 3.44 KB | azinck |
#8 | media_wysiwyg-DoS_image_derivatives-2349977_8.patch | 3.63 KB | heddn |
Comments
Comment #1
heddnPatch attached.
Comment #2
heddnComment #4
heddnTry this.
Comment #5
heddnAfter a lengthy chat with @azinck off-line, I've moved this to a separate permission tied to Media WYSIWYG module, rather than use media browser. This is so we can add the restricted flag on the permission. Media browser doesn't let anyone generate a list of derivative URLs. But Media WYSIWYG does.
Not sure if this really should be a restricted permission or not, but it does provide a mechanism to harvest a large number of valid image derivative URLs.
I've also written a hook_update to move things over to the new permission from the existing 'view file' permissiion. I pondered for a moment not granting the anonymous RID access. Instead I simply print the updates access from hook_update and leave it to the reader as an exercise to update permissions. It doesn't give any more access to people than previously, so this seems acceptable.
Comment #6
svenryen CreditAttribution: svenryen commentedI tested the patch and it works as expected. I did a security review which resulted in Access denied for people who had no access.
When the patch was applied, I could no longer load pages like /media/1/format-form unless the permission was set to allow that. Loading the url for a user that did not have the permission resulted in an Access denied message.
Further, running dbupdate resulted in an update DB patch being applied, and it did give access to the format-form to everybody that had access to view files before the update was run.
I also did not see any side-effects after applying the patch to the current dev.
Comment #7
Dave ReidNeeds a one-line summary first.
Let's leave out the second sentence of this string. Just notifying which roles have new permissions added is the best benefit.
I wonder if we need a custom access callback that also checks file_entity_access()? Is this a regression if we're not checking that in addition to the new permission?
Comment #8
heddn#7.1, #7.2, 7.3 are all addressed.
I've opened a follow-up to update the description in media module as well, from which this was simply a copy. https://www.drupal.org/node/2351377#comment-9221005
Comment #9
izmeez CreditAttribution: izmeez commentedThe patch in #8 applies cleanly to the current media-7.x-2.x-dev release and works as expected. It adds a new permission to deny users access to media/%file/format-form
However, when the patch is applied and creates this new permission it grants access to anonymous users despite the warning. Access should not be granted to anonymous users.
Comment #10
azinck CreditAttribution: azinck commentedTrue @izmeez.
I've updated the patch to only grant the permission to roles that have the "access media browser" permission, but there's still a very good chance that that will include anonymous users on many sites, in light of media_update_7226().
I'm torn with this one. If we don't grant it to anons, then we may break some sites, but if we do, then many sites will go needlessly unprotected. And my understanding here of the security concern is not so much strictly a DoS problem as it is a diskspace issue: it makes easy for an attacker to fill your disk with image derivatives. We have to weigh that against the possible damage done by "breaking" sites.
Comment #11
azinck CreditAttribution: azinck commentedAnd here's a more conservative version of the patch that won't grant the perm to anons.
Comment #12
izmeez CreditAttribution: izmeez commentedThis approach seems like a good way to go.
And the change in #11 is less code than that in #10 which is usually a good thing.
Comment #13
azinck CreditAttribution: azinck commentedActually #11 has almost exactly the same amount of code as #10 (less code by just 1 character!) :). Thanks for testing, izmeez.
Comment #14
izmeez CreditAttribution: izmeez commentedJust a note, similar to what I posted in #1792738-182: Allow custom file view modes for WYSIWYG display, the patch in this thread has some lines overlapping with the patch in the other thread and depending on which is committed first the other will need a re-roll.
Comment #15
izmeez CreditAttribution: izmeez commentedSorry, I misunderstood, I thought the interdiff in both #10 and #11 was from the patch in #8 rather than incremental.
Comment #16
izmeez CreditAttribution: izmeez commentedThe patch in #11 applies to the current media-7.x-2.x-dev and works as expected. It preserves and uses the access media browser permission and does not allow anonymous users the use media wysiwyg permission.
Thanks. The status is changed to RTBC.
If this patch is committed the patch in #1792738: Allow custom file view modes for WYSIWYG display will need to be re-rolled.
Comment #17
izmeez CreditAttribution: izmeez commentedThere appears to be a duplicate of this issue at #2337305: Media wysiwyg exposes fields attached to a file entity via media_wysiwyg_format_form callback which maybe could be closed.
Comment #19
aaron CreditAttribution: aaron commentedCommitted to http://drupalcode.org/project/media.git/commit/02b3142.
Comment #21
izmeez CreditAttribution: izmeez commentedI have an issue that may be related to this and I will have to open a separate issue. Not sure if it belongs in media or file_entity queue.
Surprised to see on new install anonymous users see content with youtube video as expected but also see above the video a menu with two items, Edit and Delete. These are links to the paths file/%/edit and file/%/delete which since the commit of the patch in this thread returns access denied.
Still it's a surprise to see this menu showing to anonymous users and not showing to admin roles when logged in.
Firebug shows them to be contextual links.
Just looking into this now. Any suggestions are welcome. Thanks.
Comment #22
izmeez CreditAttribution: izmeez commentedFollow-up to #21 started a new issue #2455117: Anonymous users see menu to Edit and Delete files