Image styles setting extension cause access denied

Open on Drupal.org →

Created on 19 July 2019, over 5 years ago

Updated 1 June 2023, over 1 year ago

Problem/Motivation

When generating an Image style derivative of a remote_stream_wrapper wrapped file with a ".jpeg" extension, and an image style that sets the extension to ".jpg", both extensions end up in the requested path (".jpeg.jpg"). This ends up producing an access denied error by RemoteImageStyleDownloadController::deliver because the file path in the request is not what it is locally where it ends in ".jpeg" and not ".jpeg.jpg". Where I think this goes wrong is in ImageStyle::buildUri (not the core class but the module's own class). The extension that the image style expects is added here. Removing that call and just using the path directly does not cause the issue to appear as the filename is left as-is.

Steps to reproduce:
1. Create a managed file with a URI scheme supported by this module. We create image files linking to other Drupal sites manually for reasons, so a row in file_managed ends up looking like this:
"1", "90150000-6b00-4700-a700-c2fb1ce2c000", "en", "pexels-photo.jpeg", "http://some.url/sites/default/files/2019-07/pexels-photo.jpeg", "image/jpeg", "4000", "1", "1563500000", "1563500000"
2. Render the file as an image with an image style that changes the extension. We use Imagick module's Convert filter to force writing JPEG files, which sets the extension to ".jpg".

Proposed resolution

Omitting the call to addExtension in ImageStyle::buildUri seems to resolve the issue. It would be a very simple patch, but it is so simple that something tells me that I'm missing something...

🐛 Bug report

Status

Needs review

Version

1.0

Component

Code

Created by

🇳🇱Netherlands dennis_meuwissen

Live updates comments and jobs are added and updated live.

image styles

file extension

Access denied

Incomplete comments

Sign in to follow issues

Merge Requests

!15Image styles setting extension cause access denied
Open
🇸🇦Saudi Arabia martins.bruvelis
updated 5 months ago

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 1 year ago →
🇦🇹Austria agoradesign
#5 works for me in combination with the mentioned core patch
Comment over 1 year ago →
🇮🇳India gurbakshish
#5 works fine for me, Thanks
Status changed to RTBC 5 months ago2:17pm 24 July 2024
Comment 5 months ago →
🇺🇸United States dpagini
Patch form #5 is also working for me... I'm going to set this to RTBC.

I see a lot of talk here and in the linked issues about supporting multiple WEBP modules. Isn't that functionality in core now? I know I'm using the core webp "image_convert" plugin, and this patch is fixing it for me, and is relatively straight forward as well, that's why I chose to use this patch over some of the other open issues.
Comment 5 months ago →
🇸🇦Saudi Arabia martins.bruvelis Thuwal
martins.bruvelis → made their first commit to this issue’s fork.
Merge request !15Add patch #5 for latest module versions 2.1.0. → (Open) created by martins.bruvelis
Pipeline finished with Failed
5 months ago
Total: 151s
#234380
Comment 17 days ago →
🇧🇪Belgium aimevp Belgium
Re-rolled the patch for 2.x version of the module where it is working as well once applied.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024