In light of http://drupal.org/drupal-7.21-release-notes and Drupal 7.20 before that, I think this would be a good idea. We expect some sites to be using this variable for a little while longer, but it's still not fully secure and they shouldn't forget about it and leave it on forever.

Could maybe go in the Image Allow Insecure Derivatives module instead, but I think it makes sense in core.

CommentFileSizeAuthor
#6 image-hook_requirements_insecure_derivatives-1935850-6.patch902 bytesrootwork
#4 image-hook_requirements_insecure_derivatives-1935850-4.patch906 bytesbkonetzny
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

RobLoach’s picture

RobLoach
he/him
CreditAttribution: RobLoach commented

Not sure this check belongs in Drupal core. If anything, Drupal should be telling you to keep it on, since it's a security fix. Drupal core should not babysit broken code. The Image Allow Insecure Derivatives module is a good workaround in the mean time, at least until the broken code in contrib catches up.

Having a hook_requirements() check in the module itself is a great idea though. Put together an issue for that: #1936552: Add a hook_requirements().

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented

If anything, Drupal should be telling you to keep it on, since it's a security fix.

What I meant specifically is that if the variable is TRUE, there should be an error message on the requirements page telling you that your site is in an insecure state.

RobLoach’s picture

RobLoach
he/him
CreditAttribution: RobLoach commented

Ah, thanks for the clarification! Not sure we should be warning about this in Drupal core. The only way to enable it is by editing settings.php, or by enabling the module. If they did either one of those, they already know it's enabled and what they're getting themselves into. So having a warning just feels like needless spam at that point. Your call!

At the very least, the module definitely seems like an appropriate place for this. I'll stick that in right now. Thanks David!

bkonetzny’s picture

bkonetzny CreditAttribution: bkonetzny commented
Status: Active » Needs review
Issue tags: +SprintWeekend2013
FileSize
image-hook_requirements_insecure_derivatives-1935850-4.patch906 bytes

As this is an security issue (DoS), we should warn about this in the status report. We have less important information we show up there (upload progress extension), so this one should be included.

Attached patch for D8. Not sure about the link to d.o, as this setting is only mentioned in the release notes of D7.20. Any other suggestions?

Status: Needs review » Needs work

The last submitted patch, image-hook_requirements_insecure_derivatives-1935850-4.patch, failed testing.

rootwork’s picture

rootwork
he/him
Primary language English
Location 🇺🇸 US-Pacific 🌎 Chinook (Multnomah, Clackamas) & Cowlitz lands 🌹 Portland, OR
CreditAttribution: rootwork commented
Status: Needs work » Needs review
FileSize
image-hook_requirements_insecure_derivatives-1935850-6.patch902 bytes

Removed whitespace and added newline so that it would apply.

bkonetzny’s picture

bkonetzny CreditAttribution: bkonetzny commented

6: image-hook_requirements_insecure_derivatives-1935850-6.patch queued for re-testing.

Status: Needs review » Needs work

The last submitted patch, 6: image-hook_requirements_insecure_derivatives-1935850-6.patch, failed testing.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.