Channel: Issues for Drupal core

How insecure is image_allow_insecure_derivatives?


I have a custom module which changes the image URL via JS in certain cases to load a new image style of the same image. With the update to 7.20 this no longer works because of the new security token. This can be fixed by setting $conf['image_allow_insecure_derivatives'] = TRUE in hook_init().

My question is, what exactly is the vulnerability? Is it possible to create an unlimited amount of pictures remotely, or only one for each image and style? What if all pictures for all image styles already exist on the server; is the vulnerability resolved by this?

I also thought about getting the security token via an AJAX call. Would this bypass the security fix, or would it be better/more secure than setting the image_allow_insecure_derivatives variable?

If someone with a little insight into this issue could clarify that for me I would really appreciate it. Thank you!
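The alternative the poster weighs (obtaining the token through an AJAX call instead of disabling the check) can be done without handing out raw tokens at all: let the server mint the complete derivative URL with image_style_url(), which is the core function that appends the itok parameter as of 7.20. Below is an added example, not code from the original post or from Drupal core: a hypothetical Drupal 7 module named styleswap that exposes a small JSON endpoint for the client-side URL swap. The module name, the endpoint path styleswap/url, the whitelist of style names and the query parameters are all assumptions; image_style_url(), image_style_load(), file_load(), file_uri_scheme(), drupal_json_output() and drupal_add_http_header() are real Drupal 7 core functions used with their documented signatures.

```php
<?php
/**
 * @file
 * Added example (not from the original post or Drupal core): a hypothetical
 * Drupal 7 module "styleswap" that returns a tokenized image-style URL to the
 * client instead of setting $conf['image_allow_insecure_derivatives'] = TRUE.
 *
 * In 7.20 image_style_url() appends ?itok=<token>, where the token is an HMAC
 * over "<style>:<uri>" keyed with the site's private key and hash salt
 * (see image_style_path_token()). Only URLs minted by the server validate,
 * so a remote client can trigger derivative generation only for the
 * style/file pairs this endpoint chooses to hand out.
 */

/**
 * Implements hook_menu().
 */
function styleswap_menu() {
  // Assumed path; the JS requests /styleswap/url?style=<name>&fid=<id>.
  $items['styleswap/url'] = array(
    'page callback' => 'styleswap_url_callback',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: responds with {"url": "..."} for a whitelisted style.
 *
 * The client identifies the image by file ID rather than by path, so it
 * cannot point the endpoint at arbitrary URIs, and only styles listed here
 * can be minted. Both restrictions bound the set of derivatives a remote
 * user can cause the server to generate.
 */
function styleswap_url_callback() {
  // Assumed whitelist; these are the style names core ships by default.
  $allowed_styles = array('thumbnail', 'medium', 'large');

  $style = isset($_GET['style']) ? $_GET['style'] : '';
  $fid = isset($_GET['fid']) ? (int) $_GET['fid'] : 0;

  if (!in_array($style, $allowed_styles, TRUE) || !image_style_load($style)) {
    styleswap_json_error('400 Bad Request', 'unknown or disallowed style');
  }

  $file = file_load($fid);
  // Refuse anything that is not a public image: private files are subject to
  // hook_file_download() access checks that this endpoint does not replicate.
  if (!$file
      || strpos($file->filemime, 'image/') !== 0
      || file_uri_scheme($file->uri) !== 'public') {
    styleswap_json_error('404 Not Found', 'no such public image');
  }

  // image_style_url() computes the itok token server-side; the client never
  // sees the key material and cannot forge a URL for another style or file.
  drupal_json_output(array('url' => image_style_url($style, $file->uri)));
  drupal_exit();
}

/**
 * Sends a JSON error with the given HTTP status line and ends the request.
 */
function styleswap_json_error($status, $message) {
  drupal_add_http_header('Status', $status);
  drupal_json_output(array('error' => $message));
  drupal_exit();
}
```

The client-side swap then requests /styleswap/url?style=medium&fid=123 (assumed values) and assigns the returned url to the image's src attribute verbatim, instead of rebuilding the /styles/<style>/... path itself. Compared with image_allow_insecure_derivatives = TRUE, which lets any visitor request any style of any file and so removes the bound on how many derivatives a remote party can make the server generate, this keeps the 7.20 guarantee intact: every derivative that gets generated corresponds to a URL the site deliberately minted.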

