Problem/Motivation

CDNs like CloudFlare will sort query parameters to improve cache hit rates. Further reading:

#3038241: "Implement a tamper-proof hash for the media library state" implemented a check to make sure query parameters are not tampered with. However, it does not sort the parameters before doing the hash. Thus, when Drupal is behind a CDN with query param sorting, it will return HTTP 403 Forbidden:

Request looks like:

POST https://example.com/media-library?media_library_opener_id=media_library.opener.field_widget&media_library_allowed_types%5Bimage%5D=image&....redacted....&media_library_content=1

Response looks like:

403 Forbidden

{"message":"Invalid media library parameters specified."}

Proposed resolution

TBD

Remaining tasks

TBD

User interface changes

TBD

API changes

TBD

Data model changes

TBD

Release notes snippet

TBD

Comments

josephdpurcell created an issue. See original summary.

josephdpurcell’s picture

Issue summary: View changes

Updated formatting in desc.

I followed the tags and meta info of https://www.drupal.org/project/drupal/issues/3038241 so sorry if I tagged something wrong.

Is there a suggestion for how this should be resolved? The solution we used was to use a page rule to disable query sort, see https://www.cloudflare.com/features-page-rules/, similar to what is done for /*batch?* URLs.

josephdpurcell’s picture

phenaproxima clarified that this was fixed recently and backported to 8.7.x, so it should be fixed in the next release of core.

See https://www.drupal.org/project/drupal/issues/3076259.

Closing this as duplicate.

josephdpurcell’s picture

Status: Active » Closed (duplicate)
Related issues: +#3076259: Media library does not enforce order which can lead to different hashes.
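
The failure reported in this issue, as an added example that is not Drupal core code and not the fix from #3076259: an HMAC computed over query parameters in arrival order stops verifying once a CDN sorts the query string, while an HMAC over recursively key-sorted parameters survives reordering and still rejects a changed value. The key, the function names and the parameter values are constructed for illustration; only the parameter names come from the request shown above.

```php
<?php
// Added example (not Drupal code). SECRET and all helper names are hypothetical.
const SECRET = 'constructed-demo-key';

// Order-sensitive: hashes the parameters in whatever order they arrive.
function hash_as_received(array $params): string {
  return hash_hmac('sha256', http_build_query($params), SECRET);
}

// Recursively sort by key so any ordering of the same parameters serializes identically.
function canonicalize(array $params): array {
  ksort($params, SORT_STRING);
  foreach ($params as $key => $value) {
    if (is_array($value)) {
      $params[$key] = canonicalize($value);
    }
  }
  return $params;
}

// Order-insensitive: hashes the canonical (sorted) form.
function hash_canonical(array $params): string {
  return hash_hmac('sha256', http_build_query(canonicalize($params)), SECRET);
}

// Constant-time comparison of the expected hash with one recomputed from the request.
function verify(array $params, string $expected, callable $hasher): bool {
  return hash_equals($expected, $hasher($params));
}

// Parameters in the order the application used when it built the link (constructed values).
$sent = [
  'media_library_opener_id' => 'media_library.opener.field_widget',
  'media_library_allowed_types' => ['image' => 'image'],
  'media_library_content' => '1',
];
$unsorted_hash = hash_as_received($sent);
$canonical_hash = hash_canonical($sent);

// The same parameters after a CDN sorted the query string by name (constructed).
parse_str('media_library_allowed_types%5Bimage%5D=image&media_library_content=1'
  . '&media_library_opener_id=media_library.opener.field_widget', $received);

// Untampered but reordered request, checked with each scheme.
var_dump(verify($received, $unsorted_hash, 'hash_as_received'));
var_dump(verify($received, $canonical_hash, 'hash_canonical'));

// A genuinely modified request, checked with the canonical scheme.
$received['media_library_allowed_types']['video'] = 'video';
var_dump(verify($received, $canonical_hash, 'hash_canonical'));
```

Sorting must be applied identically when the hash is generated and when it is checked; canonicalizing on only one side reproduces the 403 for every request.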