There is an issue with image token generation in the image module. The function image_style_url() accepts either a path or a URI; for example, either logo_1.gif or public://logo_1.gif. However, if we use logo_1.gif, the token is generated for the path, but the validation always uses the URI. This causes itok validation to fail and you get an "Access denied" page.

The latest patch converts path to URI in image_style_url().
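The mismatch described above, as an added, self-contained illustration (this is not code from the Drupal image module, nor from any patch attached to this issue). The normalisation step mirrors what file_uri_scheme() and file_build_uri() do in Drupal 7 but is reimplemented so the script runs without Drupal; the token construction (a keyed hash over "style:uri", truncated) and the secret are assumed stand-ins for image_style_path_token() and the site's private key and salt, not the module's actual scheme. The function and constant names are all hypothetical.

```php
<?php
// Added illustration: why a derivative token computed over a bare path
// ('logo_1.gif') never matches the token the delivery check computes over
// the normalised URI ('public://logo_1.gif'), and how normalising the
// caller's input first makes both sides agree.

// Assumed default stream wrapper scheme (file_default_scheme() in Drupal 7).
const DEFAULT_SCHEME = 'public';

/**
 * Return the scheme of $uri, or FALSE when $uri is a bare path.
 * Plays the role of file_uri_scheme() (hypothetical reimplementation).
 */
function uri_scheme(string $uri) {
    $pos = strpos($uri, '://');
    return $pos === false ? false : substr($uri, 0, $pos);
}

/**
 * Turn a path relative to the default scheme into a URI, or return a URI
 * unchanged. Plays the role of file_build_uri() for bare paths
 * (hypothetical reimplementation).
 */
function normalize_to_uri(string $path): string {
    if (uri_scheme($path) !== false) {
        return $path;
    }
    return DEFAULT_SCHEME . '://' . ltrim($path, '/');
}

/**
 * Derivative token: keyed hash over the style name and original URI,
 * truncated. Stand-in for image_style_path_token(); the real construction
 * is not copied here.
 */
function derivative_token(string $style, string $uri, string $secret): string {
    return substr(hash_hmac('sha256', $style . ':' . $uri, $secret), 0, 8);
}

/**
 * Token as the generating side (the image_style_url() caller) computes it.
 * $fixed = false models the bug: the bare path is hashed as given.
 * $fixed = true models the patch: the path is normalised to a URI first.
 */
function token_from_caller(string $style, string $path, string $secret, bool $fixed): string {
    $subject = $fixed ? normalize_to_uri($path) : $path;
    return derivative_token($style, $subject, $secret);
}

/**
 * Token as the validating side (derivative delivery) computes it. It always
 * works on the URI it reconstructs from the request, never on a bare path.
 */
function token_expected_by_validator(string $style, string $path, string $secret): string {
    return derivative_token($style, normalize_to_uri($path), $secret);
}

/**
 * The access decision: constant-time comparison of the itok query value
 * against the expected token.
 */
function derivative_access(string $style, string $path, string $itok, string $secret): bool {
    return hash_equals(token_expected_by_validator($style, $path, $secret), $itok);
}

// Constructed inputs: a bare path and the equivalent URI, with and without
// the normalisation fix applied on the generating side.
$secret = 'constructed-private-key-and-salt';
foreach (['logo_1.gif', 'public://logo_1.gif'] as $path) {
    foreach ([false, true] as $fixed) {
        $itok = token_from_caller('thumbnail', $path, $secret, $fixed);
        $ok = derivative_access('thumbnail', $path, $itok, $secret);
        printf("%-22s fixed=%d itok=%s -> %s\n", $path, $fixed, $itok, $ok ? 'served' : 'access denied');
    }
}
```

Run with `php` 7 or later. Only the bare-path, unfixed row ends in "access denied": the caller hashed "thumbnail:logo_1.gif" while the validator hashed "thumbnail:public://logo_1.gif". Once the caller normalises first, both inputs yield the same itok, which is exactly the behaviour the manual verification later in this issue checks for.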

Files:
Comment | File | Size | Author
#31 | image-itok-relative-path-1955378-31-test-only.patch | 1.28 KB | claudiu.cristea
FAILED: [[SimpleTest]]: [MySQL] 40,250 pass(es), 5 fail(s), and 0 exception(s).
#31 | image-itok-relative-path-1955378-31.patch | 2.36 KB | claudiu.cristea
PASSED: [[SimpleTest]]: [MySQL] 40,402 pass(es).
#29 | image-itok-relative-path-1955378-29.patch | 2.39 KB | David_Rothstein
PASSED: [[SimpleTest]]: [MySQL] 58,800 pass(es).
#27 | image-itok-relative-path-1955378-27-fail.patch | 1.44 KB | claudiu.cristea
FAILED: [[SimpleTest]]: [MySQL] 58,835 pass(es), 5 fail(s), and 0 exception(s).
#27 | image-itok-relative-path-1955378-27.patch | 2.89 KB | claudiu.cristea
PASSED: [[SimpleTest]]: [MySQL] 58,771 pass(es).
#19 | image-itok-relative-path-D7-1955378-17-do-not-test.patch | 2.73 KB | Darren Oh
#18 | image-itok-relative-path-1955378-17.patch | 2.88 KB | Darren Oh
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch image-itok-relative-path-1955378-17.patch. Unable to apply patch. See the log in the details link for more information.
#16 | image-itok-relative-path-1955378-14.patch | 2.8 KB | Darren Oh
FAILED: [[SimpleTest]]: [MySQL] 59,024 pass(es), 1 fail(s), and 0 exception(s).
#9 | image-itok-relative-path-1955378-9-D7-do-not-test.patch | 2.36 KB | David_Rothstein
#9 | image-itok-relative-path-1955378-9-TESTS-ONLY.patch | 1.52 KB | David_Rothstein
FAILED: [[SimpleTest]]: [MySQL] 54,056 pass(es), 5 fail(s), and 0 exception(s).
#9 | image-itok-relative-path-1955378-9.patch | 2.62 KB | David_Rothstein
FAILED: [[SimpleTest]]: [MySQL] 55,702 pass(es), 1 fail(s), and 0 exception(s).
#8 | image-itok_generation_issue-1955378-8.patch | 1.44 KB | skek
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch image-itok_generation_issue-1955378-8.patch. Unable to apply patch. See the log in the details link for more information.
#3 | image-itok_generation_issue-1955378.patch | 1019 bytes | skek
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch image-itok_generation_issue-1955378_0.patch. Unable to apply patch. See the log in the details link for more information.
#1 | image-itok_generation_issue-1955378.patch | 979 bytes | skek
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch image-itok_generation_issue-1955378.patch. Unable to apply patch. See the log in the details link for more information.
(none) | patch.txt | 711 bytes | skek

Comments

File: new, 979 bytes
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch image-itok_generation_issue-1955378.patch. Unable to apply patch. See the log in the details link for more information.

The above patch was not correct. The needed functionality here is: if we receive a path, e.g. 'logo_1.gif', we should normalize it to the default schema, e.g. 'public://logo_1.gif'.
Here is a working solution patch for the previously described problem.

Status: Needs review » Needs work

The last submitted patch, image-itok_generation_issue-1955378.patch, failed testing.

Status: Needs work » Needs review
File: new, 1019 bytes
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch image-itok_generation_issue-1955378_0.patch. Unable to apply patch. See the log in the details link for more information.

Adding a new patch with the path to the module and file.

Status: Needs review » Needs work

The last submitted patch, image-itok_generation_issue-1955378.patch, failed testing.

Status: Needs work » Closed (fixed)

This is actually fixed in 7.22 in a better way.
Closing this one.

Title: Image derivative token generation issue » Image derivative tokens don't work when image_style_url() is called on a path (rather than a URI)
Version: 7.21 » 8.x-dev
Status: Closed (fixed) » Needs work
Issue tags: +needs backport to D7

I can reproduce this in the latest 7.x code, actually (and presumably 8.x too). Although most people don't call image_style_url() this way, it seems pretty bad.

Is the fix you're referring to the one in #1923554: New anti-DoS measure breaks for some file URIs? It doesn't look to me like that helped here...

Version: 8.x-dev » 7.x-dev

@David_Rothstein,

Actually, the issue you are referring to is different from the one I've reported, so closing this bug was actually not a good idea :).
$token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, file_stream_wrapper_uri_normalize($path)));
The above code fixes the issue you are referring to, and it caused me to close this one, but actually it doesn't fix the problem I'm referring to.
The problem here is when you add an image using a path like "logo.jpg", not a URI. I agree that calling image_style_url() this way is not a good idea, but the function allows you to do that, so I think the code should handle both ways, because an inexperienced developer can easily fall into the bad practice.

File: new, 1.44 KB
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch image-itok_generation_issue-1955378-8.patch. Unable to apply patch. See the log in the details link for more information.

Adding a non-git patch, sorry about this, but I don't have the time to do it.
Could somebody please rework it and make a correct patch? Sorry about that.

File: new, 2.62 KB
FAILED: [[SimpleTest]]: [MySQL] 55,702 pass(es), 1 fail(s), and 0 exception(s).
File: new, 1.52 KB
FAILED: [[SimpleTest]]: [MySQL] 54,056 pass(es), 5 fail(s), and 0 exception(s).
File: new, 2.36 KB

Thanks!

Here is a version for Drupal 8 (also backported to Drupal 7), with tests. I think we can use file_build_uri() here, so I went ahead and tried that.

Version: 7.x-dev » 8.x-dev
Status: Needs work » Needs review

I will also mention this issue in the Drupal 7.20 release notes (http://drupal.org/drupal-7.20-release-notes).

Thanks!

http://drupal.org/node/1427826 contains instructions for updating the issue summary with the summary template.

The summary may need to be updated with information from comments.

Status: Needs review » Needs work

The last submitted patch, image-itok-relative-path-1955378-9.patch, failed testing.

I was going to try to reroll the patch, but realized the patch is already re-rolled.

Status: Needs work » Needs review
File: new, 2.8 KB
FAILED: [[SimpleTest]]: [MySQL] 59,024 pass(es), 1 fail(s), and 0 exception(s).

Updated patch.

Status: Needs review » Needs work

The last submitted patch, image-itok-relative-path-1955378-14.patch, failed testing.

Status: Needs work » Needs review
File: new, 2.88 KB
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch image-itok-relative-path-1955378-17.patch. Unable to apply patch. See the log in the details link for more information.

Fixed patch.

Drupal 7 version.

Status: Needs review » Needs work

This patch assumes that the path is within the default files directory. The purpose of passing in a path instead of a URL with a schema is to be able to generate derivatives of images which are not in the files directory. That still doesn’t work, and this patch doesn’t fix that.

Status: Needs work » Needs review

Making image_style_url() work for files shipped with modules or themes would require a major redesign, so my last comment is wrong.

Issue tags: +Needs tests

We need to prove this bug with an automated test first.

Issue tags: -Needs tests

The patch already has tests.

But I'm wondering if they still pass...

Status: Needs review » Needs work

The last submitted patch, image-itok-relative-path-1955378-17.patch, failed testing.

Title: Image derivative tokens don't work when image_style_url() is called on a path (rather than a URI) » Return same derivative token with path or URI
Assigned: Unassigned » claudiu.cristea
Status: Needs work » Needs review
Issue tags: -Needs issue summary update
File: new, 2.89 KB
PASSED: [[SimpleTest]]: [MySQL] 58,771 pass(es).
File: new, 1.44 KB
FAILED: [[SimpleTest]]: [MySQL] 58,835 pass(es), 5 fail(s), and 0 exception(s).

Reworked and rerolled against image style D8 conversion. Attached, a failure and a full patch.

Any takers for review? :)

Status: Needs review » Reviewed & tested by the community
File: new, 2.39 KB
PASSED: [[SimpleTest]]: [MySQL] 58,800 pass(es).

Not sure if I should RTBC this since I wrote most of the patch, but the recent changes are all pretty simple so I'm going to go ahead and do that.

Just rerolling it to remove the extra whitespace that the previous patch added to the test file.

Version: 8.x-dev » 7.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

Committed/pushed to 8.x, thanks!

Moving to 7.x for backport.

Status: Patch (to be ported) » Needs review
File: new, 2.36 KB
PASSED: [[SimpleTest]]: [MySQL] 40,402 pass(es).
File: new, 1.28 KB
FAILED: [[SimpleTest]]: [MySQL] 40,250 pass(es), 5 fail(s), and 0 exception(s).

Retested patch from #9 and provided a patch-only test.

Status: Needs review » Reviewed & tested by the community

Tested and verified patch in comment 31 - http://drupal.org/files/image-itok-relative-path-1955378-31.patch

Set up latest drupal 7 dev

Created URLs with

image_style_url('thumbnail', 'field/image/test.JPG')
image_style_url('thumbnail', 'public://field/image/test.JPG')

Tested both URLs one by one after deleting the cached file created at sites/default/files/styles/thumbnail/public/field/image/test.JPG

Replicated access denied error with URL generated from the file system path. The token generated was different for the two URLs.

Applied patch

Tested both URLs one by one after deleting the cached file created at sites/default/files/styles/thumbnail/public/field/image/test.JPG

Was able to access both URLs without an access denied error. Verified that the token generated was the same for both URLs.

Issue summary: View changes

Updated summary.

Issue summary: View changes
Status: Reviewed & tested by the community » Fixed
Issue tags: +7.25 release notes

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.