- Issue created by @claudiu.cristea
- 🇷🇴Romania claudiu.cristea Arad 🇷🇴
At least we might do a getimagesize() which knows how to detect non-images?
- Status changed to Fixed over 1 year ago (12:04pm 27 December 2023)
- 🇧🇪Belgium swentel
Well, in about 99% of our use cases, the external images are saved in a field which is populated by an API call. Users never enter this value themselves. And in addition, with the whitelist, I think we're fine, to be honest. Larowlan has maintained this module for a couple of years as well, so I kind of imagine that he and his team have definitely thought about security things in this module.
- 🇦🇺Australia larowlan 🇦🇺 .au GMT+10
Just to clarify. I wrote this module in D6 era for a European Government tourism site.
I no longer use it but still help out with reviews/maintenance.

In terms of safety, if you don't trust the domains in the allow-list there is a risk of defacement.
E.g. someone could craft a URL that fetched a file from an untrusted domain and it would appear as though that image is from your site.
I think the itok param that was added in D7 would make it harder to do this than it was in D6 where you could effectively use the site as a proxy if the allow-list was wide-open.
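The three controls discussed in this thread (an exact-host allow-list, an itok-style signed token so that only URLs the site generated can trigger a fetch, and the getimagesize() sanity check claudiu.cristea suggested) fit together as one fetch routine. The block below is an added illustration written for this thread, not code from the module or from Drupal core; ALLOWED_HOSTS, SIGNING_SECRET, fetchExternalImage() and the other names are hypothetical, and the HMAC token is modelled on the idea behind itok rather than being Drupal's implementation.

```php
<?php
// Added illustration, not imagecache_external's code. All names are hypothetical.
declare(strict_types=1);

// Exact hostnames that may be fetched. Exact matching is deliberate: a suffix or
// substring match would let "images.example.com.evil.tld" pass for "images.example.com".
// As larowlan notes, every host listed here must itself be trusted, because anything
// it serves will appear to come from this site (defacement risk).
const ALLOWED_HOSTS = ['images.example.com', 'cdn.example.org'];

// Stand-in for the site's private key that backs the token. Keep it out of the repo.
const SIGNING_SECRET = 'replace-with-site-private-key';

function hostIsAllowed(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
}

// itok-style token: an HMAC over the URL under a site secret. Only URLs the site
// generated carry a valid token, so a crafted URL cannot drive the site as a proxy
// even if the allow-list is wide open.
function signedToken(string $url): string {
    return substr(hash_hmac('sha256', $url, SIGNING_SECRET), 0, 16);
}

function tokenIsValid(string $url, string $token): bool {
    // Constant-time comparison; a plain === would leak timing about the token.
    return hash_equals(signedToken($url), $token);
}

// claudiu.cristea's suggestion. getimagesize() only parses the header, so this
// rejects obvious non-images; it is a sanity check, not proof the file is harmless.
function looksLikeImage(string $path): bool {
    $info = @getimagesize($path);
    if ($info === false) {
        return false;
    }
    return in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_WEBP], true);
}

function fetchExternalImage(string $url, string $token, string $destination): bool {
    if (!hostIsAllowed($url) || !tokenIsValid($url, $token)) {
        return false;
    }
    // Do not follow redirects: an allowed host could otherwise bounce the request
    // to a host that is not on the allow-list. Cap the wait too.
    $context = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 10]]);
    $data = @file_get_contents($url, false, $context);
    if ($data === false) {
        return false;
    }
    $tmp = tempnam(sys_get_temp_dir(), 'ext');
    file_put_contents($tmp, $data);
    if (!looksLikeImage($tmp)) {
        unlink($tmp);
        return false;
    }
    return rename($tmp, $destination);
}

// Constructed usage: the site mints the token when it builds the URL, and the
// fetch path re-derives and checks it.
$url = 'https://images.example.com/photo.jpg';
$ok = fetchExternalImage($url, signedToken($url), '/tmp/photo.jpg');
```

A real implementation would use the site's HTTP client with a response size limit rather than file_get_contents(), and would serve the saved file from a path that cannot be executed by the web server; the point of the block is the order of checks, with the host and token rejected before any network request is made.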
Automatically closed - issue fixed for 2 weeks with no activity.