The itok token introduced in 7.20 prevents working with CDNs, third party integrations that generate image presets on the fly. To understand the Image style token, itok, read Drupal 7.20 release notes at http://drupal.org/drupal-7.20-release-notes.
Allow the drupal user/administrative user of the site an option to decide if they need itok or not. The patch provided at #51 adds a new setting 'suppress_itok_output' The argument for making itok optional is that DDoS or DoS should be better solved at the infrastructure or server level. More over this attack is also possible views with a pager or exposed filters.
Needs review by Senior Core contributor
User interface changes
Original report by [jcisio]
Linked issuebecause even the fix was published two weeks ago, I can't see any discussion on that issue.
The itok token introduced in 7.20 prevents many sites from upgrading and causes many problem. Why not eliminate it and replace with two things:
- A no recursive option: I think it is much better than the 'image_allow_insecure_derivatives' variable because 1/ we care security 2/ no reason to have urls like example.com/sites/default/files/styles/thumbnail/public/styles/thumbnail/public/image.jpg
- A threshold to limit the concurrent image derivate generation request.
The drawback is you can have image derivates generated by hacker that you'll never use. But given that they are limited, who cares?
|FAILED: [[SimpleTest]]: [MySQL] 40,820 pass(es), 5 fail(s), and 0 exception(s).|
|FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch 1934498-101-d7-suppress-itok.patch. Unable to apply patch. See the log in the details link for more information.|
|PASSED: [[SimpleTest]]: [MySQL] 56,012 pass(es).|
|PASSED: [[SimpleTest]]: [MySQL] 55,895 pass(es).|