Problem/Motivation
Because Drupal 7.20 fixed a security issue that was related to fundamental functionality in the Drupal core Image module, it broke a fair number of contributed modules and custom code/workflows.
This patch is designed to provide some level of protection even to sites that use 'image_allow_insecure_derivatives'. They will still be vulnerable to some kinds of denial-of-service attacks using image styles. However, the most damaging and easiest-to-inflict attacks (involving the generation of derivatives-of-derivatives, as well as the unauthorized creation of empty image style directories) will be protected against. Thus, although the variable is still considered insecure and is not recommended, it will allow sites using it to upgrade to Drupal 7.21 and at least have some security protection, while they wait for the other fixes they need to be able to stop using it altogether.
Drupal 8 should not need to support allow_insecure_derivatives
and suppress_itok_output
. We don't have the Drupal 7 legacy to support, Drupal 7 contrib or custom code/workflows.
To quote @David_Rothstein from #1934568-16: Allow sites using the 'image_allow_insecure_derivatives' variable to have partial protection from the Drupal 7.20 security issue
Moving to Drupal 8 to forward-port the patch. (To be honest, there's a question to be asked about whether Drupal 8 should even continue supporting this variable at all going forward. However, the tests need to be ported either way.)
Proposed resolution
Remove it. Less code. Profit.
Remaining tasks
Review.
Commit.
User interface changes
None
API changes
Remove the settings and their effects.
Data model changes
Remove the config keys.
Beta phase evaluation
Issue category | Task because the 'image_allow_insecure_derivatives' feature works. |
---|---|
Issue priority | Major because it was a BC shiv put into Drupal 7 that Drupal 8 does not need and having it makes D8 more vulnerable to DOS attacks |
Prioritized changes | The main goal of this issue is security hardening |
Disruption | Close to zero as Drupal 8 modules should not be relying on this functionality and the default behaviour is not changed. If an existing D8 site relies on this functionality they will be disrupted - however they are currently vulnerable to DDOS too - which would be disruptive for them as well. |
Comment | File | Size | Author |
---|---|---|---|
#51 | 2568517-nr-bot.txt | 144 bytes | needs-review-queue-bot |
#43 | interdiff-2568517-41-43.txt | 943 bytes | yogeshmpawar |
#43 | 2568517-43.patch | 11.26 KB | yogeshmpawar |
#41 | 2568517-41.patch | 11.14 KB | karishmaamin |
#40 | diff_reroll_2568517_34-40.txt | 8.88 KB | ankithashetty |
Comments
Comment #2
alexpottComment #3
alexpottComment #4
effulgentsia CreditAttribution: effulgentsia at Acquia commented+1 to removing them. Do we need a hook_update_N() to remove them from active config as well?
Comment #5
webchickhttps://security.drupal.org/node/70884#comment-45713 (needs sec. team access) seems to be the first place this variable was talked about, as a way to help with the intrusiveness of the hardening. But if that's the only driving reason, stricter image derivatives is probably the least intrusive thing about moving from D7 to D8. ;)
Comment #7
alexpott@effulgentsia well our lovely upgrade path tests tell us we do - which is kind of awesome.
Comment #9
alexpottAdding upgrade path.
Comment #10
alexpottComment #11
alexpottDavid_Rothstein, StryKaizer, borisson_, martin107, pwolanin, ofry, amitgoyal
should also be credited if this issue lands.Comment #12
alexpottComment #14
tstoecklerThe issue summary does not mention the disruption of this to D8 sites that already utilize these settings. I have 1 live client site already that does this.
Comment #15
alexpott@tstoeckler that's awesome to know. Do you know why?
Comment #16
alexpottComment #18
phenaproximaFixed the MD5 hash in the Variable.php dump file, at @alexpott's request.
Comment #19
alexpottUploading the interdiff between #9 and #18
Comment #20
alexpottThis security improvement should be an rc target.
Comment #21
tstoecklerRe #15:
So one argument that I have heard repeatedly from clients is that the added query parameter is bad for SEO. I can't say that I understand why.
In this particular case, however, we were not utilizing the on-demand creation of image derivatives anyway. We were importing images from an external system and creating all derivatives during import. So the added security of the query parameter, was irrelevant in that case. I.e. even if it didn't do any harm, it was unnecessary at best.
Comment #22
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedYes, people in #1934498: Allow the image style 'itok' token to be suppressed in image derivative URLs were very adamant about leaving 'allow_insecure_derivatives' and 'suppress_itok_output' on indefinitely (which is how the latter got committed to both Drupal 7 and Drupal 8 in that issue) so as to remove the query strings from image derivatives entirely. I never fully understood the reasons either - maybe the best is #1934498-62: Allow the image style 'itok' token to be suppressed in image derivative URLs which suggests that Google PageSpeed flags query parameters on image URLs as a problem.
There was also an IMCE feature broken by this that has never been restored and doesn't seem like it will be - see #1930698-6: Drupal 7.20 update broke IMCE's feature for generating previews via image styles.
I'm not sure either of those are that compelling, but people are using this for more than backwards compatibility in Drupal 7, and it feels like it might be a little late to remove from Drupal 8 at this point.
Comment #23
alexpottI agree with @David_Rothstein after considering @tstoeckler's evidence. I'm going to punt this to D9.
Comment #24
alexpottRemoving tags because of #23
Comment #25
catchComment #26
catchWe should add proper deprecation notices in 8.x if we're going to remove these in 9.x per #2575081: [policy, no patch] Use E_USER_DEPRECATED in Drupal 8 minor releases.
Comment #32
gnugetIs this still something that is going to be deprecated on Drupal 9?
Comment #33
gnugetComment #34
andypostinitial re-roll to check current state, surely it needs to deprecate config but no idea how to keep BC same time
Comment #39
DuneBL#34 failed in the test file:
Comment #40
ankithashettyRerolled the patch in #34, thanks!
Comment #41
karishmaamin CreditAttribution: karishmaamin at Specbee commentedTried to fix custom command failure
Comment #43
yogeshmpawarThis will resolve test failures.
Comment #44
marcoka CreditAttribution: marcoka commentedWell i have read a lot on that SEO argument and also checked a lot of pages. I don´t see other pages that drupal adding these tokens.
All my pages also have been kind of hurt after upgrading from D7->8->9
Removing that feature i guess will result in a lot of custom hacks again. I will now disable the itok on my sites an check the results.
And yes, i know it is there because of a possible denial of service attack requesting hundreds of derivates using some script. That kind of fast hammering in any way should be banned very fast anayway by like fail2ban on bigger sites.
Comment #46
TLWatsonSince folks are asking for a case study... my current reason for (at least considering) using this parameter is due to an unresolved issue with image style generation:
https://www.drupal.org/project/drupal/issues/3225202
Comment #47
Leon Kessler CreditAttribution: Leon Kessler commentedWe also had a need for
suppress_itok_output
, when using the flysystem_s3 module, with patch from #2772847: Add support for private uploads / presigned URLs. Theitok
param would be put onto s3 urls, and cause the signature to be invalid, resulting in a broken image url.I've since updated the implementation to strip out the itok param (so we are no longer reliant on
suppress_itok_output
). I had to usehook_preprocess_image_style
.The main reason I did this is because
suppress_itok_output
is a global setting, and as a site can run multiple filesystems, which could combine local with S3. So if anything, it would have been useful to have more granular control oversuppress_itok_output
, i.e. only apply it on certain urls.Comment #48
Leon Kessler CreditAttribution: Leon Kessler commentedActually, using
hook_preprocess_image_style
to strip out the itok param is not a great solution. As image style urls don't always run through this function.We're therefore reverting back to using
suppress_itok_output
.If this setting was to go, it would be nice if there was a way to modify the image style url. Currently the only way I could see was to override the ImageStyle entity definition, which is not really ideal. Maybe if something like #2924796: Create a generic way to decorate Entity classes landed, it would be a lot easier.
Comment #51
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.