Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.When I switch the schema of an existing file from public to private, or vice versa, a new download token is generated, breaking any existing links to the file that use the previous token. This removes a major benefit of using the download link in content instead of a direct link to the file. I am not sure if this was intentional, but I could definitely see how it could also be unintentional. Is there any reason NOT to preserve this token? Would doing so allow users to download files that they should no longer be able to once a previously public file becomes private?
| Comment | File | Size | Author |
|---|---|---|---|
| #4 | file_token_alter-2667278-4.patch | 1.25 KB | frodri |
Comments
Comment #2
mstrelan CreditAttribution: mstrelan commentedThis is not limited to file schema. If you replace the file attached to a file entity, and the new file has a different name, it will also have a new URI. The token generation uses the file URI to generate a hash.
substr(drupal_hmac_base64("file/$file->fid/download:" . $file->uri, drupal_get_private_key() . drupal_get_hash_salt()), 0, 8)Would it be secure enough to remove the file uri from this key?
Comment #3
mstrelan CreditAttribution: mstrelan commentedFWIW if uuid module was a dependency you could use that instead of the file uri. Or perhaps file_entity_get_download_token() should have an alter hook. Then a contrib module could exist to solve this by relying on uuid.
But my vote would still be to remove the file uri from the hash data. The token exists to prevent people from iterating through every integer and downloading each file by fid. AFAIK a valid token can't be generated without knowing the sites private key and hash salt.
Comment #4
frodri CreditAttribution: frodri commentedThis patch adds an alter hook to file_entity_get_download_token(), as suggested by mstrelan.