Contrib.social

Deprecate allow_insecure_derivatives and suppress_itok_output in image system

Open on Drupal.org β†’
Created on 14 September 2015, over 9 years ago
Updated 30 January 2023, about 2 years ago

Problem/Motivation

In #1934568: Allow sites using the 'image_allow_insecure_derivatives' variable to have partial protection from the Drupal 7.20 security issue β†’

Because Drupal 7.20 fixed a security issue that was related to fundamental functionality in the Drupal core Image module, it broke a fair number of contributed modules and custom code/workflows.

This patch is designed to provide some level of protection even to sites that use 'image_allow_insecure_derivatives'. They will still be vulnerable to some kinds of denial-of-service attacks using image styles. However, the most damaging and easiest-to-inflict attacks (involving the generation of derivatives-of-derivatives, as well as the unauthorized creation of empty image style directories) will be protected against. Thus, although the variable is still considered insecure and is not recommended, it will allow sites using it to upgrade to Drupal 7.21 and at least have some security protection, while they wait for the other fixes they need to be able to stop using it altogether.

Drupal 8 should not need to support allow_insecure_derivatives and suppress_itok_output. We don't have the Drupal 7 legacy to support, Drupal 7 contrib or custom code/workflows.

To quote @David_Rothstein from #1934568-16: Allow sites using the 'image_allow_insecure_derivatives' variable to have partial protection from the Drupal 7.20 security issue β†’

Moving to Drupal 8 to forward-port the patch. (To be honest, there's a question to be asked about whether Drupal 8 should even continue supporting this variable at all going forward. However, the tests need to be ported either way.)

Proposed resolution

Remove it. Less code. Profit.

Remaining tasks

Review.
Commit.

User interface changes

None

API changes

Remove the settings and their effects.

Data model changes

Remove the config keys.

Beta phase evaluation

<!--Uncomment the relevant rows for the issue. -->
πŸ“Œ Task
Status

Needs work

Version

10.1 ✨

Component
Image systemΒ  β†’

Last updated 1 day ago

Created by

πŸ‡¬πŸ‡§United Kingdom alexpott πŸ‡ͺπŸ‡ΊπŸŒ

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 2 years ago β†’
    needs-review-queue-bot

    The Needs Review Queue Bot β†’ tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide β†’ to find step-by-step guides for working with issues.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024