This project is not covered by Drupal’s security advisory policy.
Provides a user interface to allow Drupal to bypass the token security check when generating image derivatives.
Drupal 7.20 comes with a security fix that changes all image derivative URLs generated by Drupal to append a token as a query string. ("Image derivatives" are copies of images which the Drupal Image module automatically creates based on configured image styles; for example, thumbnail, medium, large, etc.)
As an example, links that previously pointed to a URL like: /sites/default/files/styles/thumbnail/public/field/image/example.png
will now point to a URL like: /sites/default/files/styles/thumbnail/public/field/image/example.png?itok=zD_VaCaD
For more information on the security improvement, visit the release notes.
This is a fantastic security improvement, but in certain cases it has some ramifications. This module provides a configuration setting to toggle whether Drupal bypasses that token check.
Only use this if you are experiencing image display issues, and understand the security risks.
- Install the module as usual at sites/all/modules/image_allow_insecure_derivatives
- Enable the module in admin/modules
- The module defaults to allowing insecure derivatives, but that can be toggled at admin/config/media/image-toolkit
- Troubleshoot by making sure the variable isn't already set in settings.php:
    $conf['image_allow_insecure_derivatives'] = TRUE;
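Before turning the bypass off, it helps to know which pages still link to derivatives without an `itok` token, since those are the links behind the image display issues. The script below is an added example, not part of this module: it scans an access log for style URLs that lack a token and groups them by referring page. The "combined" log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in "combined" log format (assumed); not real traffic.
SAMPLE_LOG = '''\
203.0.113.5 - - [02/Dec/2014:10:00:01 +0000] "GET /sites/default/files/styles/thumbnail/public/field/image/example.png?itok=zD_VaCaD HTTP/1.1" 200 5120 "http://example.com/node/1" "Mozilla/5.0"
203.0.113.5 - - [02/Dec/2014:10:00:02 +0000] "GET /sites/default/files/styles/thumbnail/public/field/image/example.png HTTP/1.1" 200 5120 "http://example.com/node/2" "Mozilla/5.0"
198.51.100.7 - - [02/Dec/2014:10:00:03 +0000] "GET /sites/default/files/styles/large/public/field/image/example.png?itok= HTTP/1.1" 403 310 "http://example.com/node/2" "Mozilla/5.0"
198.51.100.7 - - [02/Dec/2014:10:00:04 +0000] "GET /sites/default/files/field/image/example.png HTTP/1.1" 200 90210 "http://example.com/node/3" "Mozilla/5.0"
'''

# Request line, status, size and referer of one combined-format entry.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# Derivative URLs have the shape .../styles/<style>/<scheme>/<file>.
DERIVATIVE = re.compile(r'/styles/(?P<style>[^/]+)/(?P<scheme>[^/]+)/(?P<file>.+)$')


def tokenless_derivatives(log_text):
    """Map each referring page to the token-less derivative requests it caused."""
    by_page = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m['target'])
        d = DERIVATIVE.search(url.path)
        if not d:
            continue  # original file or unrelated URL, not a derivative
        if parse_qs(url.query).get('itok'):
            continue  # token present; whether it is valid is Drupal's check, not ours
        by_page[m['referer']].append((d['style'], d['file'], int(m['status'])))
    return dict(by_page)


if __name__ == '__main__':
    for page, hits in tokenless_derivatives(SAMPLE_LOG).items():
        for style, file, status in hits:
            print(f'{page}: style={style} file={file} status={status}')
```

A 200 response on a token-less URL does not by itself show that the bypass is on: for public files, a derivative that already exists on disk is typically served directly by the web server without reaching Drupal.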
- Maintenance status: Minimally maintained
- Development status: Under active development
- Module categories: Developer, Security
- Reported installs: 1,723 sites currently report using this module.
- Downloads: 8,213
- Automated tests: Enabled
- Last modified: December 2, 2014
- This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.