- Issue created by @richardbporter
- 🇺🇸United States jrglasgow Idaho
This will cause a breakage beginning when Drupal 10.3 is released and people start upgrading to it.
- Merge request !13Resolve #3437974 "Drupal 10.3 imagestyledownloadcontrollerdeliver" → (Merged) created by jrglasgow
- Status changed to Needs review
8 months ago 7:43pm 29 May 2024 - 🇺🇸United States jrglasgow Idaho
I have a merge request with the changes to update the signature and the Drupal core version to ^10.3
- 🇺🇸United States richardbporter
That fixed the error on install but images were not rendering for me. I added the
required_derivative_schemeroute config based on https://www.drupal.org/node/3346038 → and its working now. - Status changed to Needs work
8 months ago 2:23pm 10 June 2024 - 🇺🇸United States richardbporter
It looks like there are a couple test failures compared with the 2.x branch that need to be fixed: https://git.drupalcode.org/issue/remote_stream_wrapper-3437974/-/jobs/18...
- 🇺🇸United States richardbporter
I updated the test as I think this is an expected change since its using a core-provided image style (thumbnail): https://www.drupal.org/node/3421405 →
- Status changed to Needs review
8 months ago 7:05pm 10 June 2024 - Status changed to RTBC
8 months ago 7:30pm 10 June 2024 - 🇺🇸United States adam-delaney
RTBC, any chance we can get this reviewed by a maintainer since this could cause issues once 10.3 is released
- Status changed to Needs work
7 months ago 6:17am 14 June 2024 - 🇺🇸United States cmlara
There appears to be an incorrect assumption made that the derivative scheme will always be public://.
The new checks in 10.3 enforces that the $required_derivative_scheme to match the scheme of buildUri to assert that the route is responsible for the scheme and that a route for a different scheme isn’t being abused.
https://git.drupalcode.org/issue/remote_stream_wrapper-3437974/-/blob/34...
This is related to #3302994: Bypass of RSW file_managed access protection and arbitrary HTTP HEAD reqeusts → which was part of SA-CORE-2022-012.
What likely needs to happen is:
- RSW obtains the default configured scheme
- Locates the route for that scheme
- Adds the RSW mappings atop those routes.
Alternatively some of these protections might actually be better as part of a Route Subscriber.
- Assigned to richardbporter
- 🇺🇸United States matthand Riverdale Park, Maryland
Hi @cmlara,
The assumption that the scheme will always be public is based on the routes defined in the Image module. See https://api.drupal.org/api/drupal/core%21modules%21image%21src%21Routing... where the directory path is set by using the method `->getViaScheme('public')`.
It looks to me like this MR fixes the bug introduced by the update to Drupal 10.3. If we need to make other improvements isn't that better to do in the issue you linked?
- 🇺🇸United States cmlara
If we need to make other improvements isn't that better to do in the issue you linked?
That is a possibility as well.
I will note that the Entity itself does not assume that public is used https://git.drupalcode.org/project/remote_stream_wrapper/-/blob/2.x/src/...
I will leave it up to the modules maintainer how they want to split the fix.
It is just important to know the fix as is (even with the update to use the config) does not truly resolve the reasons why the core signature change occurred.
- Issue was unassigned.
- Status changed to Needs review
7 months ago 6:46pm 14 June 2024 - 🇬🇷Greece vensires
Adding a patch targeting 2.0.0. Not to be used but for anyone required to use only stable versions.
- 🇪🇸Spain aaron gil martinez Zaragoza
Aaron Gil Martinez → made their first commit to this issue’s fork.
- Merge request !14Resolve #3437974 "Drupal 10.x imagestyledownloadcontrollerdeliver" → (Closed) created by aaron gil martinez
- 🇺🇸United States apotek
I reviewed and approved, though I did, like others, also feel that fixing the default scheme is a bit out of scope here.
Noting also that it's been a year since any maintainer closed or merged an issue on this project, so while this is good work here, we might be out of luck getting this into the project, so thank you to everyone who put up patches. I did write a long time ago asking about co-maintaining, but understandably did not hear back. Perhaps there is someone on this thread who would have the stature in the community to be able to make the same offer so we can address some of the issues that are beginning to stretch this module now with 10.3 out.
- 🇬🇷Greece vensires
Count me in @apotek. I don’t know how much help I will be able to offer but I will definitely try.
- 🇺🇸United States cmlara
https://www.drupal.org/docs/develop/managing-a-drupalorg-theme-module-or... → Is the process for taking over an “abandoned” module on Drupal.org.
@vensires and @jrglasgow are users on this thread that have the necessary permission to proceed through the process if they desire to do so.
- 🇬🇷Greece vensires
I just opened 💬 Offering to co-maintain Remote Stream Wrapper Active in case anyone is interested...
(@apotek, I mentioned you too)Thank you @cmlara for your hint!
- 🇺🇸United States dave reid Nebraska USA
Hey sorry all, life has been super hectic the last couple of months.
- Assigned to richardbporter
- Status changed to Active
7 months ago 6:12pm 2 July 2024 - Issue was unassigned.
- Status changed to Needs review
7 months ago 1:37pm 3 July 2024 - Status changed to RTBC
7 months ago 3:54pm 12 July 2024 -
Dave Reid →
committed 17517380 on 2.x authored by
jrglasgow →
Issue #3437974 by Aaron Gil Martinez, richardbporter, jrglasgow, Dave...
-
Dave Reid →
committed 17517380 on 2.x authored by
jrglasgow →
- Status changed to Fixed
6 months ago 8:17pm 14 July 2024 Automatically closed - issue fixed for 2 weeks with no activity.