Channel: Issues for Drupal core

Allow the image style 'itok' token to be suppressed in image derivative URLs


Problem/Motivation

The itok token introduced in Drupal 7.20 breaks sites that rely on CDNs or on third-party integrations that generate image presets on the fly. For background on the image style token (itok), read the Drupal 7.20 release notes at http://drupal.org/drupal-7.20-release-notes.

Proposed resolution

Give the site's administrative user an option to decide whether itok is needed. The patch provided in #51 adds a new setting, 'suppress_itok_output'. The argument for making itok optional is that DDoS or DoS is better solved at the infrastructure or server level. Moreover, the same attack is also possible against views with a pager or exposed filters.

Remaining tasks

Needs review by a senior core contributor

User interface changes

Not applicable

API changes

#1934482: Add an option to disable recursive imagecache preset path

Original report by [jcisio]

Linked issue #1934482: Add an option to disable recursive imagecache preset path, because even though the fix was published two weeks ago, I can't see any discussion on that issue.

The itok token introduced in 7.20 prevents many sites from upgrading and causes many problems. Why not eliminate it and replace it with two things:
- A no-recursive option: I think it is much better than the 'image_allow_insecure_derivatives' variable because 1/ we care about security 2/ there is no reason to have URLs like example.com/sites/default/files/styles/thumbnail/public/styles/thumbnail/public/image.jpg
- A threshold to limit concurrent image derivative generation requests.

The drawback is that you can have image derivatives generated by a hacker that you'll never use. But given that they are limited, who cares?
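The derivative-request check that the proposed resolution and the original report argue about, modelled as an added PHP example (it is not Drupal's own code and not the #51 patch): an HMAC-derived itok keyed on a site secret, the no-recursive guard jcisio proposes, and the 'suppress_itok_output' / 'image_allow_insecure_derivatives' switches named on this page. The `$settings` array, `$secret`, the `allow_recursive` key and the helper names are assumptions.

```php
<?php
// Stand-alone model of the checks applied to an image-derivative request
// (style name, target path, itok query value). Setting names come from the
// issue text; $settings, $secret and the helper names are assumptions.

const IMAGE_DERIVATIVE_TOKEN = 'itok';

// Drupal 7.20 derives itok from an HMAC over "style:uri" keyed with the
// site's private key and hash salt; this model uses the same shape with a
// constructed secret.
function derivative_token(string $style, string $uri, string $secret): string {
    $mac = hash_hmac('sha256', $style . ':' . $uri, $secret, true);
    return substr(strtr(base64_encode($mac), '+/', '-_'), 0, 8);
}

// A target that starts with styles/ routes one derivative through another
// style directory (styles/thumbnail/public/styles/thumbnail/public/image.jpg).
function is_recursive_target(string $target): bool {
    return strpos(ltrim($target, '/'), 'styles/') === 0;
}

function derivative_request_allowed(array $settings, string $style, string $scheme,
                                    string $target, ?string $itok, string $secret): bool {
    // The no-recursive option: refuse nested style paths outright.
    if (is_recursive_target($target) && !$settings['allow_recursive']) {
        return false;
    }
    // itok is required unless the site suppresses it; with
    // image_allow_insecure_derivatives, only recursive targets still need it.
    $needs_token = !$settings['suppress_itok_output']
        && (!$settings['image_allow_insecure_derivatives'] || is_recursive_target($target));
    if (!$needs_token) {
        return true;
    }
    $expected = derivative_token($style, $scheme . '://' . $target, $secret);
    // Constant-time comparison so a wrong token leaks no timing information.
    return $itok !== null && hash_equals($expected, $itok);
}

// Constructed sample request.
$settings = [
    'suppress_itok_output' => false,
    'image_allow_insecure_derivatives' => false,
    'allow_recursive' => false,
];
$secret = 'constructed-private-key-plus-hash-salt';
$itok = derivative_token('thumbnail', 'public://image.jpg', $secret);
var_dump(derivative_request_allowed($settings, 'thumbnail', 'public', 'image.jpg', $itok, $secret));
var_dump(derivative_request_allowed($settings, 'thumbnail', 'public', 'styles/thumbnail/public/image.jpg', $itok, $secret));
```

Flip 'suppress_itok_output' to true to see the token check skipped entirely, which is exactly the trade-off the proposed resolution asks administrators to make.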

