Drupal version 7.20 has a security fix to the core Image module that is incompatible with the CDN module:


In rare cases, this change may alter the way HTTP caches or CDNs handle the images. Sites using HTTP caches or CDNs should examine their configuration and test this release carefully before deploying it to a production site.

The final image URLs now look like:

I believe the issue is happening in _cdn_html_alter_file_url.
I haven't fully examined the regex used in there, but I think the query parameter is match position 5 and not 6, but the module is specifying position 6 for the query parameters. The 'itok' query parameter is removed by the CDN module and then the core Image module refused to make new image style variations for images.

#8 drupal_7.20_7.21_compatibility-1926884-8.patch4.35 KBWim Leers
PASSED: [[SimpleTest]]: [MySQL] 57 pass(es).
[ View ]


noooooo! please fix this! :(

Assigned:Unassigned» Wim Leers
Category:bug» task

We probably need to do something similar to #1923336-21: Insert module doesn't work with Drupal 7.20.

Title:Not compatible with security fix in Drupal core update 7.20CDN module is not compatible with security fix in Drupal core update 7.20

Slight retitling because I'm linking to this from http://drupal.org/drupal-7.20-release-notes.

(@danmantyla, thanks for sending me the heads-up about it.)

Just deployed 7.20 on a site also using the CDN module when I happened to stumble into this issue. Nearly have a panic attack.

Just reporting that this issue does not affect all image URL re-writing done by the module (for instance, the thumbnail generated after uploading an image via image field works fine, and relatedly, all image URL re-writes done when rendering image fields works as expected).

Related to what was originally reported, it seems this is isolated to re-writes performed within actual field text/html content (which I didn't even realize was a feature until I looked into the code).

Category:task» bug

Is there a plan to fix this bug?

Yes: I'll work on it ASAP.

Last week I committed a bunch of other bugfixes, this is one of the last two bugs to be fixed: #1915662: [meta] 2.6 release (bugfixes only).

Status:Active» Needs review
new4.35 KB
PASSED: [[SimpleTest]]: [MySQL] 57 pass(es).
[ View ]

To make this work, I am FORCED to allow query strings. Hence I'm forced to contradict myself over at #1864536-10: Support dynamically generated images (via query strings).

The attached patch makes the CDN module compatible with Drupal 7.20/7.21. Please test and report back.

Comes with updated tests.

Status:Needs review» Needs work

The last submitted patch, drupal_7.20_7.21_compatibility-1926884-8.patch, failed testing.

Also note that until #1936176: image.module uses file_create_url() incorrectly is committed to Drupal core and you're running a release of Drupal on top of that release, CDN module's Far Future expiration functionality is unable to generate the file; hence preventing Far Future expiration for the first appearance of image style URLs. Only once the derivative is generated, it's possible to use CDN module's Far Future expiration; so only the *second* appearance will use the Far Future expiration.

Status:Needs work» Needs review

Status:Needs review» Needs work

The last submitted patch, drupal_7.20_7.21_compatibility-1926884-8.patch, failed testing.

git clone of CDN's 7.x-2.x branch, wget the patch, git apply: it all works. `git apply --check` also works. I'm clueless why testbot fails to apply it.

@all: please test!

Version:7.x-2.5» 7.x-2.x-dev
Status:Needs work» Needs review

Moving version to 7.x-2.x-dev. Believe that should do it?

#14: HAHAHAHA I'm such a n00b! Thanks :)

I applied the patch to cdn.fallback.inc and it didn't work for me. I didn't apply the patch to cdn.test thinking that for my purpose I wouldn't need to. Do I need to do both? Images are on Amazon S3.

In edit I see that core has a 7.21 now, and maybe I need to get that.

Updated Drupal to 7.21 and applied the entire patch. All the images from Amazon cloudfront work fine. It's a video and thumbnail that's on Amazon S3 that fail to display. Looking at Firefox Page Info it shows the thumbnail downloaded with dimensions 0 x 0, but checking on S3 the image is fine. Disable the CDN module and all works fine.

#18: so this patch is breaking your thumbnails on S3, ie the CDN module without this patch works correctly?

#18: so this patch is breaking your thumbnails on S3, ie the CDN module without this patch works correctly?

Prior to Drupal 7.20 it worked fine. I tried it with Drupal 7.21 and then applied the patch. No luck either way.

Hrm. Can you contct me via my d.o contact form, and give me access to a staging server or relay details that could aid me in debugging? (Unless you can post publicly, then just post here.)

I'll use your contact form.

@mermentau: After looking at your site, I'm 98% certain that this is because you're using an Amazon S3 file stream wrapper. The CDN module has a known compatibility problem with custom stream wrappers, and a patch that should solve it is over at #1863310: CDN module should know how to deal with custom stream wrappers. Please apply that patch and let me know if that fixed the problem for you! :)

If you can review that patch and confirm it works, it'll be in the imminent 2.6 release, otherwise it won't!

Installed the patch at http://drupal.org/node/1863310 and it works great. That is with Drupal 7.21 and also the patch at #8 here.

Status:Needs review» Fixed

Committed #8.


2.6 release is imminent now, this was the last issue that needed to be fixed.

Thanks! It's working well (7.21)

Yay :)

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Awesome! Thanks!

Issue summary:View changes

Don't know if its the same problem
but I have a specific style that does not generate derivative images
meanwhile all other image derivates work
and when I disable CDN this particular style DOES work

what would be the problem here ?
what should I look for ?
What is it so closely related to CDN ?