This project is not covered by Drupal’s security advisory policy.
Provides a user interface to allow Drupal to bypass the token security check when generating image derivatives.
Details
Drupal 7.20 comes with a security fix that changes all image derivative URLs generated by Drupal to append a token as a query string. ("Image derivatives" are copies of images which the Drupal Image module automatically creates based on configured image styles; for example, thumbnail, medium, large, etc.)
As an example, links that previously pointed to a URL like: /sites/default/files/styles/thumbnail/public/field/image/example.png
will now point to a URL like: /sites/default/files/styles/thumbnail/public/field/image/example.png?itok=zD_VaCaD
For more information on the security improvement, visit the release notes.
This is a fantastic security improvement, but in certain cases it causes image display issues. This module provides a configuration setting that toggles whether Drupal bypasses the token check.
Warning
Only use this if you are experiencing image display issues, and understand the security risks.
Installation
- Install the module as usual at sites/all/modules/image_allow_insecure_derivatives
- Enable the module in admin/modules
- The module defaults to allowing insecure derivatives, but that can be toggled at admin/config/media/image-toolkit
- Troubleshoot by making sure the variable isn't already set in settings.php:
$conf['image_allow_insecure_derivatives'] = TRUE;
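The settings.php check from the last step can be run across every site in a docroot with a script like the one below, which is an added example and not part of the module. In Drupal 7 a $conf value in settings.php takes precedence over the stored variable, so a hard-coded line there makes the admin toggle ineffective. The function names are hypothetical, the sample file is constructed, and the sites/*/settings.php layout is assumed to be the standard Drupal 7 one.

```sh
#!/bin/sh
# Added example, not part of the module. Reports whether settings.php
# hard-codes image_allow_insecure_derivatives.

# Print "enabled", "disabled" or "unset" for a settings.php given as a
# file argument or on stdin. Commented-out lines are ignored and the last
# live assignment wins, as it does when PHP executes the file.
insecure_derivatives_state() {
  awk '
    in_block { if ($0 ~ /\*\//) in_block = 0; next }
    /^[ \t]*\/\*/ { if ($0 !~ /\*\//) in_block = 1; next }
    /^[ \t]*(\/\/|#)/ { next }
    /\$conf\[[ \t]*.image_allow_insecure_derivatives.[ \t]*\][ \t]*=/ {
      value = $0
      sub(/^[^=]*=[ \t]*/, "", value)
      sub(/[ \t]*;.*$/, "", value)
      value = toupper(value)
      state = (value == "TRUE" || value == "1") ? "enabled" : "disabled"
    }
    END { print (state == "" ? "unset" : state) }
  ' "$@"
}

# Audit every site under a Drupal 7 docroot (multisite aware).
audit_docroot() {
  for f in "$1"/sites/*/settings.php; do
    [ -f "$f" ] || continue
    printf '%s\t%s\n' "$(insecure_derivatives_state "$f")" "$f"
  done
}

# Constructed sample: two commented-out examples, then a live override.
sample_settings() {
  cat <<'EOF'
<?php
/**
 * $conf['image_allow_insecure_derivatives'] = TRUE;
 */
# $conf['image_allow_insecure_derivatives'] = TRUE;
$conf['image_allow_insecure_derivatives'] = TRUE;
EOF
}

if [ "$#" -gt 0 ]; then
  audit_docroot "$1"
else
  sample_settings | insecure_derivatives_state
fi
```

Run it with the docroot path as the only argument; any site reported as "enabled" has the token check bypassed regardless of what the admin page shows.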
Project information
- Minimally maintained
Maintainers monitor issues, but fast responses are not guaranteed.
- Module categories: Developer Tools, Security
- 688 sites report using this module
- Created by RobLoach on , updated
- This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.
Releases
Development version: 7.x-1.x-dev updated 13 Mar 2013 at 17:13 UTC