Webp module allows image styles to be created with false IMAGE_DERIVATIVE_TOKEN.

Open on Drupal.org →

Created on 5 July 2024, 5 months ago

My apologies for doing this in wrong order by first creating a public question and only now sending it as security issue.
https://www.drupal.org/project/webp/issues/3437573 🐛 IMAGE_DERIVATIVE_TOKEN ignored? Closed: duplicate

Problem/Motivation

Webp module allows image styles to be created with false IMAGE_DERIVATIVE_TOKEN.

Steps to reproduce

1. Create default Drupal website with the default 4 images styles: Large, Medium, Thumbnail, Wide
2. Install and activate webp module.
3. (Important) remove "Convert WEBP" from image style "medium".
3. Upload an image when creating node of the default article content type. (Example name: penguin_test.jpg )
4. When visiting article the image is shown in style "Wide".
5. Open the image and change the style and IMAGE_DERIVATIVE_TOKEN. For example: /sites/default/files/styles/medium/public/2024-07/penguin_test.jpg?itok=aaaaaaaaaaaaaaaaaaaaaaaaa (this will now generate the image)

Proposed resolution

If statement in https://git.drupalcode.org/project/webp/-/blob/8.x-1.x/src/Controller/Im... needs an update.

🐛 Bug report

Status

Active

Component

Code

Created by

🇳🇱Netherlands willempje2

Live updates comments and jobs are added and updated live.

Security
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Merge Requests

!42Webp module allows image styles to be created with false IMAGE_DERIVATIVE_TOKEN.
Open
dharmeshbarot89
updated 5 months ago

Comments & Activities

Issue created by @willempje2
Comment 5 months ago →
🇳🇱Netherlands willempje2
First commit to issue fork.
Merge request !42Issue #3459262: Webp module allows image styles to be created with false IMAGE_DERIVATIVE_TOKEN updated if condition → (Open) created by dharmeshbarot89
Status changed to Needs review 5 months ago1:02pm 5 July 2024
Comment 5 months ago →
dharmeshbarot89
Status changed to Needs work 4 months ago4:04pm 13 July 2024
Comment 4 months ago →
🇨🇦Canada mandclu
@dharmeshbarot89 I don't see how the changes in your MR change the logic of checking whether or not the token is actually valid. Also, there are code standards issues.
Comment 19 days ago →
🇨🇦Canada bgilhome Victoria
Like the OP in https://www.drupal.org/project/webp/issues/3437573 🐛 IMAGE_DERIVATIVE_TOKEN ignored? Closed: duplicate I can't understand what the reason for the ImageAPI Optimize block is either. It means that if a non-webp image is requested, image tokens in the query are ignored - as long as the requested image style requires a token, the derivative will be allowed to be generated, regardless of what token value (or none) is passed in the query. This is insecure and seems like a bandaid to some issue that requires a proper fix. Here's a patch to remove that block, should anyone want to use it until such fix is made.

Can anyone provide context on what the issue was that prompted this block?

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024