Drupal version 7.20 has a security fix to the core Image module that is incompatible with the CDN module:

http://drupal.org/drupal-7.20-release-notes

In rare cases, this change may alter the way HTTP caches or CDNs handle the images. Sites using HTTP caches or CDNs should examine their configuration and test this release carefully before deploying it to a production site.

The final image URLs now look like:
http://example.com/sites/default/files/styles/style_name/public/example-image.png?itok=YcnYp23B

I believe the issue is happening in _cdn_html_alter_file_url.
I haven't fully examined the regex used in there, but I think the query parameter is match position 5 and not 6, but the module is specifying position 6 for the query parameters. The 'itok' query parameter is removed by the CDN module and then the core Image module refuses to make new image style variations for images.
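
The failure mode described in this report, as an added example (not the CDN module's code and not part of the original post): an HTML URL rewriter that reads the query string from the wrong match group silently drops `itok`, and a check flags image style URLs that lack it. The pattern, the function names and `cdn.example.com` are assumptions; the sample HTML is constructed from the URL above.

```php
<?php
// Added illustration; not the CDN module's code. The pattern, function names
// and CDN host are hypothetical; the sample HTML is constructed.

const CDN_BASE = 'http://cdn.example.com';

// Groups: 1 = "<img ... src=" plus opening quote, 2 = origin scheme and host,
// 3 = file path, 4 = optional query string (with "?"), 5 = closing quote.
const IMG_SRC_PATTERN =
  '~(<img\b[^>]*?\bsrc=["\'])(https?://example\.com)(/sites/[^"\'?#]+)(\?[^"\'#]*)?(["\'])~i';

// Rewrites <img src> URLs to the CDN host. $query_group selects which match
// group is treated as the query string.
function rewrite_img_urls($html, $query_group) {
  return preg_replace_callback(IMG_SRC_PATTERN, function ($m) use ($query_group) {
    $query = isset($m[$query_group]) ? $m[$query_group] : '';
    // Anything that is not a real query string is discarded.
    if ($query === '' || $query[0] !== '?') {
      $query = '';
    }
    return $m[1] . CDN_BASE . $m[3] . $query . $m[5];
  }, $html);
}

// Returns the image style URLs in $html that carry no itok parameter.
function style_urls_missing_itok($html) {
  preg_match_all('~src=["\']([^"\']*/styles/[^"\']*)["\']~i', $html, $m);
  return array_values(array_filter($m[1], function ($url) {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    return !isset($q['itok']);
  }));
}

// Constructed sample markup using the URL format quoted in the report.
$html = '<p><img alt="x" src="http://example.com/sites/default/files/styles/'
  . 'style_name/public/example-image.png?itok=YcnYp23B" /></p>';

$dropped = rewrite_img_urls($html, 6); // wrong group index: query string lost
$kept    = rewrite_img_urls($html, 4); // correct group index: itok preserved

echo "Wrong group, URLs missing itok:\n";
print_r(style_urls_missing_itok($dropped));
echo "Correct group, URLs missing itok:\n";
print_r(style_urls_missing_itok($kept));
```

Running `style_urls_missing_itok()` over rendered page output after a core or CDN module update is a quick way to confirm the token still reaches the browser.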


Comments

dan.mantyla’s picture

noooooo! please fix this! :(

Wim Leers’s picture

Assigned: Unassigned » Wim Leers
Category: bug » task

We probably need to do something similar to #1923336-21: Insert module doesn't work with Drupal 7.20.

David_Rothstein’s picture

Title: Not compatible with security fix in Drupal core update 7.20 » CDN module is not compatible with security fix in Drupal core update 7.20

Slight retitling because I'm linking to this from http://drupal.org/drupal-7.20-release-notes.

(@danmantyla, thanks for sending me the heads-up about it.)

iamEAP’s picture

Just deployed 7.20 on a site also using the CDN module when I happened to stumble into this issue. Nearly had a panic attack.

Just reporting that this issue does not affect all image URL re-writing done by the module (for instance, the thumbnail generated after uploading an image via image field works fine, and relatedly, all image URL re-writes done when rendering image fields works as expected).

Related to what was originally reported, it seems this is isolated to re-writes performed within actual field text/html content (which I didn't even realize was a feature until I looked into the code).

Wim Leers’s picture

Category: task » bug

agatlin’s picture

Is there a plan to fix this bug?

Wim Leers’s picture

Yes: I'll work on it ASAP.

Last week I committed a bunch of other bugfixes, this is one of the last two bugs to be fixed: #1915662: [meta] 2.6 release (bugfixes only).

Wim Leers’s picture

Status: Active » Needs review

To make this work, I am FORCED to allow query strings. Hence I'm forced to contradict myself over at #1864536-10: Support dynamically generated images (via query strings).

The attached patch makes the CDN module compatible with Drupal 7.20/7.21. Please test and report back.

Comes with updated tests.

Status: Needs review » Needs work

The last submitted patch, drupal_7.20_7.21_compatibility-1926884-8.patch, failed testing.

Wim Leers’s picture

Also note that until #1936176: image.module uses file_create_url() incorrectly is committed to Drupal core and you're running a release of Drupal on top of that release, CDN module's Far Future expiration functionality is unable to generate the file; hence preventing Far Future expiration for the first appearance of image style URLs. Only once the derivative is generated, it's possible to use CDN module's Far Future expiration; so only the *second* appearance will use the Far Future expiration.

Wim Leers’s picture

Status: Needs work » Needs review

Status: Needs review » Needs work

The last submitted patch, drupal_7.20_7.21_compatibility-1926884-8.patch, failed testing.

Wim Leers’s picture

git clone of CDN's 7.x-2.x branch, wget the patch, git apply: it all works. `git apply --check` also works. I'm clueless why testbot fails to apply it.

@all: please test!

iamEAP’s picture

Version: 7.x-2.5 » 7.x-2.x-dev
Status: Needs work » Needs review

Moving version to 7.x-2.x-dev. Believe that should do it?

iamEAP’s picture

Wim Leers’s picture

#14: HAHAHAHA I'm such a n00b! Thanks :)

mermentau’s picture

I applied the patch to cdn.fallback.inc and it didn't work for me. I didn't apply the patch to cdn.test thinking that for my purpose I wouldn't need to. Do I need to do both? Images are on Amazon S3.

In edit I see that core has a 7.21 now, and maybe I need to get that.

mermentau’s picture

Updated Drupal to 7.21 and applied the entire patch. All the images from Amazon cloudfront work fine. It's a video and thumbnail that's on Amazon S3 that fail to display. Looking at Firefox Page Info it shows the thumbnail downloaded with dimensions 0 x 0, but checking on S3 the image is fine. Disable the CDN module and all works fine.

Wim Leers’s picture

#18: so this patch is breaking your thumbnails on S3, ie the CDN module without this patch works correctly?

mermentau’s picture

"#18: so this patch is breaking your thumbnails on S3, ie the CDN module without this patch works correctly?"

Prior to Drupal 7.20 it worked fine. I tried it with Drupal 7.21 and then applied the patch. No luck either way.

Wim Leers’s picture

Hrm. Can you contact me via my d.o contact form, and give me access to a staging server or relay details that could aid me in debugging? (Unless you can post publicly, then just post here.)

mermentau’s picture

I'll use your contact form.

Wim Leers’s picture

@mermentau: After looking at your site, I'm 98% certain that this is because you're using an Amazon S3 file stream wrapper. The CDN module has a known compatibility problem with custom stream wrappers, and a patch that should solve it is over at #1863310: CDN module should know how to deal with custom stream wrappers. Please apply that patch and let me know if that fixed the problem for you! :)

If you can review that patch and confirm it works, it'll be in the imminent 2.6 release, otherwise it won't!

mermentau’s picture

Installed the patch at http://drupal.org/node/1863310 and it works great. That is with Drupal 7.21 and also the patch at #8 here.

Wim Leers’s picture

Status: Needs review » Fixed

Committed #8.

http://drupalcode.org/project/cdn.git/commit/c9b98bf

2.6 release is imminent now, this was the last issue that needed to be fixed.

JonMcL’s picture

Thanks! It's working well (7.21)

Wim Leers’s picture

Yay :)

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

dan.mantyla’s picture

Awesome! Thanks!

GiorgosK’s picture


Don't know if it's the same problem,
but I have a specific style that does not generate derivative images;
meanwhile all other image derivatives work,
and when I disable CDN this particular style DOES work.

What would be the problem here?
What should I look for?
What is it so closely related to CDN?

kevinquillen’s picture

I still have this issue with latest Drupal and CDN over Cloudfront.

I got this going by enabling 'Forward Query Strings' to YES in Amazon. I came back to Drupal, cleared cache, and waited. The new images that were not showing previously (with Access Denied) are now showing as they should, with the token string on the end.

mikeytown2’s picture

web226’s picture

Thank you kevinquillen. Your fix #31 worked for me too.

markl17’s picture

Asking a very noob question: where in cdn module does it ask for secure id for s3 to verify your writes to happen?