Image downloads are not being restricted by node permissions when private download method is set in Drupal.
It's possible to download images by linking directly to them, even when the user has no permissions to view node/attached images.
Also, since the image module bypasses upload method on download, all uploaded image files outside the path of image module would also be compromised.
Patch attached addresses these issues. Additional content name and length headers are also being set.
| Comment | File | Size | Author |
|---|---|---|---|
| | image_download.patch | 839 bytes | fibra |
Comments
Comment #1
drewish commented

This version is no longer supported. If this issue is occurring with a more recent version, please open a new issue.