Change record status: 
Project: 
Introduced in branch: 
8.6.x
Introduced in version: 
8.6.0
Description: 

Background

Image tokens were introduced in Drupal 7.20 to mitigate SA-CORE-2013-002. The goal was to change all on-demand image derivative URLs generated by Drupal to append a token as a query-string parameter, so that on-demand derivative generation cannot be abused by requesting a large number of new derivatives, which can fill up the server's disk space and cause very high CPU load.

Current behavior

Drupal returns a 403 (Access Denied) when an image derivative is requested with an invalid token, whether or not the source image exists. During an attack, or when query parameters are stripped from image requests, the large number of 403 responses hitting the web server may make the site unavailable or unresponsive.

New behavior

Drupal now returns a 404 (Page Not Found) when an image derivative is requested with an invalid token, whether or not the source image exists. Web hosts that cache 404 responses for a period of time at their caching reverse proxy can therefore mitigate DoS or DDoS attacks much more easily.
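As an added illustration, not Drupal's own code, the following Python mock shows the behaviour described above: an HMAC-style derivative token bound to the style and source path, the origin's old (403) versus new (404) response to an invalid token, and a toy caching reverse proxy that counts how many requests of a repeated invalid-token URL still reach the origin. The token derivation, URL layout, proxy policy and TTL are assumptions constructed for this example.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlparse

# Constructed secret. Drupal derives its key from the site's private key and
# hash salt; this stand-in only needs to be unguessable by clients.
SITE_SECRET = b"constructed-secret-replace-me"

def derivative_token(style: str, source: str) -> str:
    """Hypothetical itok: HMAC-SHA256 over 'style:source', URL-safe base64, no padding."""
    mac = hmac.new(SITE_SECRET, f"{style}:{source}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def derivative_url(style: str, source: str) -> str:
    """Assumed URL layout: /styles/<style>/public/<source>?itok=<token>."""
    return f"/styles/{style}/public/{source}?itok={derivative_token(style, source)}"

def origin_status(url: str, source_exists: bool, legacy: bool = False) -> int:
    """Status the origin returns for a derivative request.
    legacy=True reproduces the pre-8.6 behaviour (403 for an invalid token);
    otherwise an invalid token yields 404, as does a missing source image."""
    parsed = urlparse(url)
    if "/styles/" not in parsed.path or "/public/" not in parsed.path:
        return 404
    style, source = parsed.path.split("/styles/", 1)[1].split("/public/", 1)
    supplied = parse_qs(parsed.query).get("itok", [""])[0]
    if not hmac.compare_digest(supplied, derivative_token(style, source)):
        return 403 if legacy else 404
    return 200 if source_exists else 404

class Proxy:
    """Constructed caching reverse proxy: caches 404 responses per URL for a
    short TTL, never caches 403 (a common default), and counts origin hits."""
    def __init__(self, ttl: int = 60):
        self.ttl, self.cache, self.origin_hits = ttl, {}, 0

    def get(self, url: str, now: int, source_exists: bool, legacy: bool = False) -> int:
        cached = self.cache.get(url)
        if cached and now < cached[1]:
            return cached[0]
        self.origin_hits += 1
        status = origin_status(url, source_exists, legacy)
        if status == 404:
            self.cache[url] = (status, now + self.ttl)
        return status

def origin_hits_for_burst(legacy: bool, requests: int = 1000) -> int:
    """Replay one invalid-token URL `requests` times within a single TTL window."""
    proxy = Proxy(ttl=60)
    bad = "/styles/thumbnail/public/photo.jpg?itok=not-a-valid-token"
    for _ in range(requests):
        proxy.get(bad, now=0, source_exists=True, legacy=legacy)
    return proxy.origin_hits
```

With the legacy 403 every request in the burst reaches the origin, while with the 404 only the first does; a token minted for one style is rejected for another because the HMAC covers the style name.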

Impacts: 
Site builders, administrators, editors
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done