Incorrect image URL using an image style should return a 404 instead of a 403

Created on 9 January 2025, 3 months ago

Problem/Motivation

When requesting an image through an image style with an incorrect URL (e.g. .../files/styles/my-style/public/my-image.jpg), the original image file (.../files/my-image.jpg) exists, but the correct image style URL should be (.../files/styles/my-style/public/my-image.jpg.webp).

It would make more sense for Drupal to return a Page Not Found (404) instead of an Access Denied error (403) when the file is accessed with an incorrect URL without (.webp) or the source file is missing.

Reasons:

1. In certain server configurations, 404s are cached for some time, but 403s aren't. In this case, a DDoS attack could be made against the server by simply requesting many images with incorrect image style URLs.

A similar issue has been fixed in Drupal core (Image system component): https://www.drupal.org/project/drupal/issues/2211429

User interface changes

Drupal will now return a 404 (Page Not Found) instead of a 403 (Access Denied) when an itok is invalid or an itok is invalid and the source image doesn't exist.

🐛 Bug report
Status

Needs work

Version

1.0

Component

Code

Created by

🇮🇳India manish-31
