Increase the length of the itok token for image derivatives

Created on 5 January 2023
Updated 24 June 2025

Problem/Motivation

As computing power improves, the ability to brute-force the token and bypass access control on image derivatives increases.

This issue was reported privately to the Drupal security team, which decided it could be addressed in public as a hardening improvement.

Proposed resolution

Increase the length of the itok token

Type: Task

Status: Active

Version: 11.0

Component: image.module

Created by: larowlan (Australia, GMT+10)

Tags

  • Security improvements: It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability, e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.


Comments & Activities


  • prudloff (Lille, France)

    Is there any reason to truncate the hash in ImageStyle::getPathToken()?
    Would using the whole hash cause problems?
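Added example, not Drupal's code: a small Python model of an itok-style token (an HMAC over the image style id and file URI, URL-safe base64, truncated to a chosen length) with a constant-time check and the brute-force search space each truncation leaves. The secret key, style id, URI and message layout are assumptions for illustration, not the values or layout Drupal uses.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed secret for illustration only; Drupal derives its key from the
# site's private key and hash salt, which this example does not reproduce.
SECRET_KEY = b"example-private-key-and-hash-salt"


def make_token(style_id: str, uri: str, length: Optional[int] = None) -> str:
    """Derive an itok-style token for one (image style, file URI) pair.

    Hypothetical model of the scheme: HMAC-SHA256 over "style:uri", encoded
    as URL-safe base64 without padding, truncated to `length` characters.
    `length=None` keeps the whole digest (43 characters).
    """
    message = f"{style_id}:{uri}".encode()
    digest = hmac.new(SECRET_KEY, message, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return token if length is None else token[:length]


def verify_token(style_id: str, uri: str, presented: str,
                 length: Optional[int] = None) -> bool:
    """Check a token from a derivative request in constant time."""
    expected = make_token(style_id, uri, length)
    return hmac.compare_digest(expected, presented)


def search_space_bits(length: Optional[int]) -> int:
    """Brute-force search space, in bits, for a token of `length` base64 chars.

    Each base64 character carries 6 bits; the space is capped by the
    256-bit digest, so truncation is what sets the work factor.
    """
    if length is None:
        return 256
    return min(6 * length, 256)


def expected_guesses(length: Optional[int]) -> int:
    """Average guesses needed to hit a valid token (half the search space)."""
    return 2 ** (search_space_bits(length) - 1)


if __name__ == "__main__":
    style, uri = "thumbnail", "public://photo.jpg"  # constructed sample input
    for n in (8, 16, None):
        print(f"length={n!s:>4}  token={make_token(style, uri, n)}  "
              f"bits={search_space_bits(n)}")
```

Lengthening the truncation raises the work factor linearly in bits (6 bits per character) until the full digest is used; the constant-time comparison keeps the check itself from leaking which prefix matched.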
