Install
Works with Drupal: ^10.3 || ^11Using Composer to manage Drupal site dependencies
Alternative installation files
Release notes
New Submodule: Remote Media (community contribution by guillaumeg, #3577187)
New mcp_tools_remote_media submodule that fetches images from remote URLs and creates managed Drupal media entities.
- mcp_fetch_remote_image tool — download an image from any public URL, save it as a managed file, and optionally create a media entity
- Supports JPEG, PNG, GIF, and WebP formats up to 10 MiB
- Configurable target directory (public:// or private://) and media bundle
- create_media parameter allows saving files without creating media entities
Security hardening applied post-merge:
- SSRF protection — blocks requests to private/reserved IP ranges (127.x, 10.x, 172.16.x, 192.168.x, 169.254.x) preventing cloud metadata and internal
service attacks
- SVG excluded — removed SVG support to prevent stored XSS (no sanitisation layer); may be re-enabled in a future release with proper sanitisation
- Extension blocklist — blocks 18 dangerous file extensions (.php, .phar, .exe, .bat, etc.) matching the existing MediaService pattern
- Defence-in-depth MIME validation — checks both the HTTP Content-Type header and finfo content sniffing
Architecture:
- AbstractRemoteFileService base class with fetchAndCreate() template method — future media types (documents, audio, video) only need to implement three
abstract methods
- Delegates media entity creation to existing MediaService — no duplicated logic
- 24 unit tests covering validation, SSRF blocking, extension blocklist, filename building, and SVG rejection
Stats: 223 tools across 35 submodules.
