Core ImageStyleDownloadController allows DoS for s3fs.

Created on 20 July 2022, over 2 years ago
Updated 14 January 2025, about 1 month ago

S3fs Followup for Drupal CORE SA 2022-012

This issue was previously raised with the Drupal Security Team in SDO 1715391. NOTE: This is a private security tracker; only members of the Security Team and individuals who have been added will be able to access this link. Do not report Access Denied errors.

Problem/Motivation

Drupal Core SA 2022-012 did not secure all vulnerabilities that impact contrib. Explicitly, when an ITOK is present a user will ALWAYS be granted access through the Core-provided ImageStyleDownloadController.

In the case of s3fs we are open to a possible minor DoS vulnerability due to how the ImageStyleDownloadController is constructed.

It is inefficient, fragile, and ultimately insecure to attempt to block this from contrib, as it relies on detecting which routes trace their heritage to ImageStyleDownloadController and registering additional and unnecessary 'null' routes into the Drupal routing system to deny access.

Steps to reproduce

Upload an image to content (such as an Article) that will generate an ImageStyle derivative using the s3:// scheme.
Assume the file is named s3://2021-09/2020-11-20 18.09.12-1.jpg

Obtain the link to the ImageDerivative. Assuming this is for a 'large' derivative the link may be "https://s3fsbucket/styles/large/public/2021-09/2020-11-20 18.09.12-1.jpg?itok=JzmJlrXt"

Attempt to access the file via the image.style_private route controller (assuming the example above): "system/files/styles/large/s3/2021-09/2020-11-20 18.09.12-1.jpg?itok=JzmJlrXt"

Expected result: The content is not served.
Current result: Drupal streams the content to the requestor.

Proposed resolution

This issue should be solved by Core.
The attached patch is intended as a stop-gap while we await the Drupal Core team to secure core.

Remaining tasks

Fix Core: see 🐛 ImageStyleDownloadController routes do not limit schemes served (Fixed)

User interface changes

None

API changes

None in this issue.

Data model changes

None
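A defender-side check for the behaviour described above, added here as an example and not code from this issue, from s3fs or from Drupal core: it scans web-server log lines for requests matching the image.style_private route shape (/system/files/styles/{style}/{scheme}/{path}) whose scheme is not the site's private scheme, and counts hits per client, since a burst of such requests across many styles is the derivative-generation load the issue is concerned with. It assumes the combined log format, that only `private` should be served through that route, and the sample lines are constructed (placeholder addresses, paths and tokens).

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# image.style_private path shape: /system/files/styles/{style}/{scheme}/{path}
STYLE_PRIVATE_RE = re.compile(
    r"^/system/files/styles/(?P<style>[^/]+)/(?P<scheme>[^/]+)/(?P<path>.+)$"
)
# Combined log format: only the client IP, request target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line, allowed_schemes=("private",)):
    """Finding for a hit on image.style_private with a non-allowed scheme, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    r = STYLE_PRIVATE_RE.match(url.path)
    if not r or r.group("scheme") in allowed_schemes:
        return None
    return {
        "ip": m.group("ip"),
        "style": r.group("style"),
        "scheme": r.group("scheme"),
        "path": r.group("path"),
        "has_itok": "itok" in parse_qs(url.query),  # with a valid itok core serves it
        "status": int(m.group("status")),
    }

def scan(lines, allowed_schemes=("private",)):
    """All findings plus a per-client count (many styles from one client = load)."""
    findings = [f for f in (classify(l, allowed_schemes) for l in lines) if f]
    return findings, Counter(f["ip"] for f in findings)

# Constructed sample lines (not real traffic); addresses, paths and tokens are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jul/2022:10:00:01 +0000] "GET /system/files/styles/large/s3/2021-09/photo.jpg?itok=AbCdEf12 HTTP/1.1" 200 48211
203.0.113.5 - - [20/Jul/2022:10:00:02 +0000] "GET /system/files/styles/thumbnail/s3/2021-09/photo.jpg?itok=GhIjKl34 HTTP/1.1" 200 4011
203.0.113.5 - - [20/Jul/2022:10:00:03 +0000] "GET /system/files/styles/medium/s3/2021-09/photo.jpg?itok=MnOpQr56 HTTP/1.1" 200 12011
198.51.100.7 - - [20/Jul/2022:10:00:04 +0000] "GET /system/files/styles/large/private/docs/chart.png?itok=StUvWx78 HTTP/1.1" 200 9000
198.51.100.7 - - [20/Jul/2022:10:00:05 +0000] "GET /node/1 HTTP/1.1" 200 15000
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines())[1])  # Counter({'203.0.113.5': 3})
```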

🐛 Bug report
Status: Closed: outdated
Version: 3.0
Component: Code
Created by: 🇺🇸United States cmlara

Issue tags: Security

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸United States cmlara

    Drupal 7 end-of-life triage:
    Drupal 7 reached end of life on January 5th.

    The 7.x branches of S3FS do not have any additional planned releases.

    The requests in this issue do not appear to exist in the 8.x-3.x and newer branches.
