If you have an ecommerce site, and use imagecache widely for anything else you could be exposing your product.

Ecommerce content type: thumbs, watermarked, original, all setup for rolls. No problem.

Site Design content type: Company logos, clipart, user photos, free galleries for borders, etc.

Someone can audit your site for imagecache presets, and begin harvesting.
If you can have allowed content types per preset, you should be set.

A nominal fix, would be to always use a scale action whether its applicable or not.

Comments

spgd01’s picture

I second this request. Not only for security issues but also to save on server space and processing time. I have multiple imagecache presets that I only need for one content type. I do not need to create every image cache preset for each and every image. Can we get this in? It only seems natural to have.

sgriffin’s picture

images are not created until they are called.. So if you don't need an preset for an image and you never use it, it will never be created.

spgd01’s picture

Oh I didn't know that. I was wondering why some where missing. Ok that is good to know. Thank you. Does that answer the security issue?

sgriffin’s picture

No, that is still a good idea.

sandrewj’s picture

Status: Active » Closed (duplicate)

This is only an issue if the original file is not accessible. If the original file is accessible and the "attacker" can guess the preset path, then they could guess the original file path and access it directly.

For the security issue see #796384: ImageCache makes private filesystem straightforward accesible (security issue #1172)
For the issue of using presets see #1068046: Apply ImageCache presets to certaint Content Types for per content type control and #1147896: specify imagecache preset per image for per image control

sgriffin’s picture

True, its easy enough to prevent access to the files directory with a .htaccess But when you combine private/public files and want to use imagecache, you've pretty much exposed yourself.
I think the content type feature allows some method for structuring a secure layer between what you would like to have public and what you would like you keep private.
For instance it's plausible to want a largish imagecache setting of publicities but not want your fine art or third party images to be accessible under this preset.

.htaccess
<Files ~ "\.(jpg|JPG|BMP)$">
  order allow,deny
  deny from all
</Files>