When requesting an image through an image style with incorrect URL (e.g. .../files/styles/my-style/public/my-image.jpg), the original image file (.../files/my-image.jpg) exists but the correct image style URL should be .(./files/styles/my-style/public/my-image.jpg.webp).
It would make more sense for Drupal to return a Page Not Found (404), instead of an Access Denied error (403) when file is accessed with incorrect URL without (.webp) or source file is missing.
Reasons:
1. In certain server configurations, 404's are cached for some time, but 403's aren't. In this case, a DDoS attack could be made to the server by simply requesting many images with incorrect image style URLs
Similar issue has been fixed in Drupal core (Image system component) - https://www.drupal.org/project/drupal/issues/2211429 →
Drupal will now return a 404 (Page Not Found) instead of a 403 (Access Denied) when an itok is invalid or an itok is invalid and the source image doesn't exist.
Needs work
1.0
Code
Hello @manish-31,
I reproduced this issue and MR-47 applied successfully for me and fixed this issue.
Before:
After:
The changes looks good to me thus moving it to RTBC+!.