Contrib.social

Webp module allows image styles to be created with false IMAGE_DERIVATIVE_TOKEN.

Open on Drupal.org →
Created on 5 July 2024, 3 months ago
Updated 13 July 2024, 3 months ago

My apologies for doing this in wrong order by first creating a help request and only now sending it as security issue.
https://www.drupal.org/project/webp/issues/3437573 🐛 IMAGE_DERIVATIVE_TOKEN ignored? Closed: duplicate

Problem/Motivation

Webp module allows image styles to be created with false IMAGE_DERIVATIVE_TOKEN.

Steps to reproduce

1. Create default Drupal website with the default 4 images styles: Large, Medium, Thumbnail, Wide
2. Install and activate webp module.
3. (Important) remove "Convert WEBP" from image style "medium".
3. Upload an image when creating node of the default article content type. (Example name: penguin_test.jpg )
4. When visiting article the image is shown in style "Wide".
5. Open the image and change the style and IMAGE_DERIVATIVE_TOKEN. For example: /sites/default/files/styles/medium/public/2024-07/penguin_test.jpg?itok=aaaaaaaaaaaaaaaaaaaaaaaaa (this will now generate the image)

Proposed resolution

If statement in https://git.drupalcode.org/project/webp/-/blob/8.x-1.x/src/Controller/Im... needs an update.

🐛 Bug report
Status

Needs work

Component

Code

Created by

🇳🇱Netherlands Willempje2

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Merge Requests

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024