crop_file_url_alter parses a URI to check for a crop style and tries to do a Crop::findCrop(), but findCrop() doesn't work if, for example, the filename has a space in it, because the alter hook receives an encoded URL, which won't match the URI in the database. Ex:
$file_uri = public://images/profile%20copy_0.jpg
vs
database = public://images/profile copy_0.jpg
so findCrop() returns empty and a hash is not applied.
The attached patch does a rawurldecode() on the parsed URI path which is sent to the entity query in findCrop() if there's a crop style. Is there potential for security issues with this approach?
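As an added example (not the crop module's code and not the patch attached to this issue), the following standalone PHP script reproduces the mismatch between the encoded URL the alter hook receives and the URI stored in the database, using a constructed in-memory table in place of the entity query in findCrop(). It applies the rawurldecode() step the patch describes and adds two checks a reviewer would want around it: decode exactly once, and refuse a decoded value that no longer looks like a stored file URI. Those checks, the sample data and the function names (find_crop, decode_stream_uri) are assumptions of this example, not part of the patch.

```php
<?php
// Added example, not the crop module's code or the patch from this issue.
// All data below is constructed.

// Constructed stand-in for the crop entity table, keyed by the file URI
// exactly as Drupal stores it (decoded, with a literal space or percent).
const CROP_TABLE = [
  'public://images/profile copy_0.jpg' => ['x' => 120, 'y' => 80, 'w' => 400, 'h' => 300],
  'public://images/100%off.jpg'        => ['x' => 0,   'y' => 0,  'w' => 200, 'h' => 200],
];

// Stand-in for the entity query inside Crop::findCrop(): the URI is only
// compared as a value, never used to open a file or to build SQL by hand.
function find_crop(string $uri): ?array {
  return CROP_TABLE[$uri] ?? NULL;
}

// Decode a percent-encoded stream URI exactly once. Returns NULL when the
// URI is not on the expected scheme or the decoded path contains something
// a stored file URI never has (assumed extra checks, not in the patch).
function decode_stream_uri(string $encoded, string $scheme = 'public'): ?string {
  $prefix = $scheme . '://';
  if (strncmp($encoded, $prefix, strlen($prefix)) !== 0) {
    return NULL;
  }
  $decoded = rawurldecode(substr($encoded, strlen($prefix)));
  // Reject "..", a nested scheme and control bytes that decoding may have
  // revealed; a legitimately stored URI contains none of these.
  if (preg_match('#(^|/)\.\.(/|$)|://|[\x00-\x1f]#', $decoded)) {
    return NULL;
  }
  return $prefix . $decoded;
}

// What the alter hook sees: the encoded form of the URL.
$cases = [
  'public://images/profile%20copy_0.jpg', // space encoded as %20
  'public://images/100%25off.jpg',        // literal % encoded as %25
  'public://images/..%2F..%2Fx.jpg',      // decoded form would leave the folder
];

foreach ($cases as $file_uri) {
  $raw = find_crop($file_uri) ? 'hit' : 'miss';
  $decoded = decode_stream_uri($file_uri);
  $fixed = $decoded === NULL ? 'rejected' : (find_crop($decoded) ? 'hit' : 'miss');
  printf("%-40s raw lookup: %-4s decoded lookup: %s\n", $file_uri, $raw, $fixed);
}
```

Run it with the php CLI. The first two cases miss on the raw value and hit after one decode; the third is rejected before any lookup. The 100%25off.jpg case is why the decode must happen exactly once: a stored name that itself contains a %xx sequence would be changed by a second rawurldecode() and miss again. Because the decoded value only ever reaches the entity query as a comparison value, the practical risk of decoding is a lookup against an unintended URI, which is what the rejection check guards against.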
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | Capture d’écran 2017-10-25 à 14.44.11.png | 1.26 MB | woprrr |
| #5 | Capture d’écran 2017-10-25 à 14.43.31.png | 37.02 KB | woprrr |
| | crop_file_url_alter-encoded-uri.patch | 568 bytes | blake.thompson |
Comments
Comment #2
blake.thompson CreditAttribution: blake.thompson at Forum One commented
Comment #3
weri CreditAttribution: weri at Previon Plus AG commented
Comment #4
woprrr CreditAttribution: woprrr as a volunteer and at NeoLynk commented
Hello all, sorry for the response delay! Thanks for your suggested patch. I have tested whether Berdir's patch on #2868339: Public folder check in crop_file_url_alter() is incorrect, does not work for responsive images fixes this issue too, and this is our case. Using "UrlHelper::parse()" to retrieve parsed_uri gives good results. Can you confirm whether berdir's patch solves the problem?
Comment #5
woprrr CreditAttribution: woprrr as a volunteer and at NeoLynk commented
I'm marking this issue as fixed because berdir's issue probably solves your problems.
Look at my test: