Media has released a security update to the 7.x-2.0-beta branch. Marking this issue Major because of this.

2016-12-07: 7.x-2.0-beta12 addresses the security issue
2016-12-09: 7.x-2.0-beta14 out already

Wetkit should update media to 7.x-2.0-beta12 at least.



nerdcore created an issue.

nerdcore’s picture

Issue summary: View changes
joseph.olstad’s picture

Actually, the security vulnerability only affected beta8 through beta11, and wetkit is using beta7, which does not have the security vulnerability.

That said, it's up to beta14 now, slowly but surely closer to getting to 2.0 stable.

There was one commit in beta8 marked as a 2.0 release blocker, though, that was far reaching and introduced a few regressions that have been dealt with.

Still more work to be done on the media module in general; however, the recipe that is used by wetkit has been tested for wetkit, so no rush in upgrading just yet.

joseph.olstad’s picture

So, to clarify: no, wetkit does not have to upgrade; there is no known security vulnerability in beta7 used by wetkit.

sylus’s picture

Ah thanks Joseph, I will still be updating shortly but just want to do due diligence in testing each subsequent version. I'd expect by end of the week to have the update in dev version of distro.

joseph.olstad’s picture

While you're looking into media, sort of related is multilingual image style formatter support for file entity images.
Just pushed a D7 core patch for this.

#2835135: image formatter needs to handle alt/title from file entities on images for multi language support

sylus’s picture

Thanks for the heads up :) appreciated!

nerdcore’s picture

Priority: Major » Normal

Thanks for the clarification joseph.olstad! I'm changing status of this issue to Normal.

joseph.olstad’s picture

Another FYI: @brockfanning has been doing a lot of work on the media and media_ckeditor modules. He has created a recipe (yml make file) for media and media_ckeditor. Soon (hopefully very soon if @sylus can help run a few tests for us, please?) we'll be making a media release and a corresponding media_ckeditor release and update the installation documentation for this.

See his latest recipe here:

here's the actual recipe:

He's using the latest 7.x-2.x dev build of media and media_ckeditor. For media he has two patches, and two related patches for media_ckeditor, and the other dependencies and their versions are contained, including the libraries.

@sylus, if you can create a build for this in your dev and run it against your behat tests, this would be very helpful, and chime in. @brockfanning is desperately seeking some assistance in QA/testing his recipe, and if his recipe works for your build, or if you can get it working with wetkit, it'd be a real help for us to increase our confidence for the next release. media, as you know, is still in beta and it'd be nice to get a 2.0 release soon. With your help, I think because it'd be easiest for you because your test environment and CI is already configured and set up, if you could run it against your travis CI and behat tests, it'd be a real help. @brockfanning has created a behat test for media_wysiwyg, which is where most of the challenges are with token encoding and decoding. I've not yet run it but hopefully soon. If you can run this additional behat test too, it'd be very helpful to the media module, which has over 200000 installs.

Here's a link to the behat test.

If this gets done, then hopefully wetkit will be able to use a stable release of media and media_ckeditor without any patches. It'd really help the community as well.


joseph.olstad’s picture

UPDATE: 7.x-2.0-rc1 of media was released. Passes all of the simpletests and also the @brockfanning behat tests (except one long standing issue that has not changed).

So, if you are to look at it, things should be optimal now. You'll want to have a look at the yml recipe for this.

joseph.olstad’s picture

Status: Active » Needs review
joseph.olstad’s picture

UPDATE: 'media' 7.x-2.0-rc3 released today. I've shoe-horned this version on to an old wetkit 1.x distro rc1 release from 2013 and it's working as designed. Going to spend some more time Monday on it; however, I replaced a tinyMCE setup with ckeditor with this, following the instructions on the updated recipe 8.

Note, now that 7.x-2.0-rc3 was released, a recipe 9 should contain this but hasn't yet been created.

There is one patch that you may need for wetkit distro if you're using fieldable panel panes.

Otherwise, follow recipe 8, swap out 7.x-2.0-rc2 with 7.x-2.0-rc3.

@sylus, if you do get around to this, please let me know which travis tests or behat tests fail, if they do, so that I can look at them asap.

media is getting pretty close to a 7.x-2.0 stable release. There are a couple blockers left, but not sure yet if they're important enough to be holding up a stable release.


joseph.olstad’s picture

Media 7.x-2.0-rc3 with ckeditor 4.6.2 kicks butt

A new wiki page containing an up-to-date recipe and various troubleshooting tips makes it much easier to set up the 'media' stack now.

Also, a must have feature, bulk uploading using the plupload module and library in combination with media_bulk_upload is working without any additional patches and requires very little configuration aside from enabling the media_bulk_upload module and its dependencies (multiform latest version and plupload with the plupload library)

imce is harmoniously working with media_ckeditor (a separate module that works with 'media' and ckeditor) but requires one patch and one subsequent setting adjustment (when using it with bootstrap or other themes that have a higher version of jQuery than most admin themes).

imce is a file picker with a GUI; it complements the media browser. It integrates nicely with the ckeditor image plugin.

linkit also works nicely with this stack.

A recipe wiki page for media with media_ckeditor has been created.

It contains helpful troubleshooting tips, and it also mentions recommended versions and patches and some configuration steps.

The only one feature left for media_ckeditor on my wishlist that hasn't come out is out of the box support for align right and align left of media inserted using the media browser. There is a workaround way that involves putting a field onto the image file entity that would specify the alignment; a custom hook alter is required to make it work. Otherwise, out of the box functionality is very good and supports the latest version of ckeditor (library), version 4.6.2; this I have tested myself. ckeditor (module) requires one patch for skin support, which is also mentioned in the recipe.

joseph.olstad’s picture

In my setup, I had to disable the wetkit_wysiwyg module; however, for the distro, this module would just need updating (feature create after new settings).

This new recipe does not use the wysiwyg module; media_ckeditor takes its place.

nerdcore’s picture

Title: Security Update to media-7.x-2.0-beta12 » Update to media module
Version: 7.x-4.14 » 7.x-4.x-dev

Just updating the issue title and version. I hope this is appropriate.

sylus’s picture

Thanks a bunch for this everyone!

I have currently tested locally up to 7.x-2.0-rc1 and everything seems to be working great! Really happy to have all of our patches inside media itself now, makes this whole process much easier.

I just need to do testing for the next set of releases. Hoping to have a new release out by the end of the week / weekend :)

joseph.olstad’s picture

@brockfanning just completed a float left and right functionality for media in wysiwyg #2842391: better support for float media left and float media right

joseph.olstad’s picture

7.x-2.0-rc5 was released, it keeps getting better.

  • sylus committed 16f85b6 on 7.x-4.x
    Fixed WetKit Widgets for Issue #2834397: Update to media module
  • sylus authored e0c7188 on 7.x-4.x
    Merge pull request #1899 from sylus/7.x-4.x
    Fixed WetKit Widgets for...
sylus’s picture

Status: Needs review » Fixed

Thanks for all the hard work, am now using 2.0-rc5 with no patches and working great :)

This is very awesome ^_^

joseph.olstad’s picture


Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.