Friday, February 22, 2013

Intro to Drupal image token system (Drupal 7.20 onwards)

Drupal 7.20 introduced a token on image derivative URLs to mitigate a denial-of-service issue (SA-CORE-2013-002): without it, anyone could request arbitrary derivatives and make the site generate and store new image files without limit.

Each image derivative has exactly one token. Different derivatives of the same source image (one per image style) each carry a different token.

The token is computed in image_style_path_token(): an HMAC-SHA256 over the image style name and the source file URI, keyed with the site's private key and hash salt, base64-encoded with a URL-safe alphabet and truncated to 8 characters. It is therefore stable for a given derivative, but changes whenever the style name or the source URI changes.

The call stack for generating image style links is:

The check itself is made in image_style_deliver(), which treats the request as valid if and only if:

$_GET[IMAGE_DERIVATIVE_TOKEN] === image_style_path_token($style['name'], $scheme . '://' . $target);

NB: IMAGE_DERIVATIVE_TOKEN is the constant 'itok', the name of the query parameter that image_style_url() appends to every derivative URL (e.g. .../styles/thumbnail/public/photo.jpg?itok=...). Note that the token is bound to the original file URI ($scheme . '://' . $target), not to the derivative path, and that the strict === comparison also rejects a missing or non-string itok value.
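To make the derivation and the check concrete, here is an added, stand-alone re-implementation that runs under the php CLI without a Drupal bootstrap. It is example code, not Drupal core: example_hmac_base64() and example_style_path_token() mirror what drupal_hmac_base64() and image_style_path_token() do in 7.20, while the hash salt, private key, style names and file URI are constructed values (a real site reads the first two from settings.php and the variable table). The helper names prefixed example_ are assumptions for this demo.

```php
<?php
// Added example, not Drupal core code: a stand-alone re-implementation of the
// itok derivation and the check in image_style_deliver(), runnable with the
// php CLI. Salt, private key, style names and URI below are constructed.
const IMAGE_DERIVATIVE_TOKEN = 'itok';

// Stand-ins (assumption) for drupal_get_hash_salt() and drupal_get_private_key().
function example_hash_salt() { return 'constructed-hash-salt-do-not-reuse'; }
function example_private_key() { return 'constructed-private-key-do-not-reuse'; }

// Mirrors drupal_hmac_base64(): HMAC-SHA256, base64, URL-safe alphabet, no padding.
function example_hmac_base64($data, $key) {
  $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}

// Mirrors image_style_path_token(): the first 8 characters of the HMAC over
// "<style name>:<source uri>", keyed with private key . hash salt.
function example_style_path_token($style_name, $uri) {
  $key = example_private_key() . example_hash_salt();
  return substr(example_hmac_base64($style_name . ':' . $uri, $key), 0, 8);
}

// The derivative URL image_style_url() hands out for a public:// file:
// styles/<style>/<scheme>/<target>?itok=<token>. The files directory is assumed.
function example_style_url($style_name, $uri) {
  list($scheme, $target) = explode('://', $uri, 2);
  $token = example_style_path_token($style_name, $uri);
  return "/sites/default/files/styles/$style_name/$scheme/$target?"
    . IMAGE_DERIVATIVE_TOKEN . '=' . $token;
}

// The check image_style_deliver() performs on the incoming request. $query
// stands in for $_GET; $scheme and $target are what the menu router passes in.
function example_deliver_allowed(array $query, $style_name, $scheme, $target) {
  if (!isset($query[IMAGE_DERIVATIVE_TOKEN]) || !is_string($query[IMAGE_DERIVATIVE_TOKEN])) {
    return FALSE;
  }
  return $query[IMAGE_DERIVATIVE_TOKEN] === example_style_path_token($style_name, $scheme . '://' . $target);
}

$uri = 'public://field/image/photo.jpg';
$url = example_style_url('thumbnail', $uri);
echo "thumbnail URL: $url\n";
echo "large URL:     " . example_style_url('large', $uri) . "\n";

// Parse the query string back out of the URL, as the request would arrive.
parse_str(parse_url($url, PHP_URL_QUERY), $query);

// Correct token for the style and file it was issued for: delivered (bool(true)).
var_dump(example_deliver_allowed($query, 'thumbnail', 'public', 'field/image/photo.jpg'));
// Same token replayed against another style, or another file: refused (bool(false)).
var_dump(example_deliver_allowed($query, 'large', 'public', 'field/image/photo.jpg'));
var_dump(example_deliver_allowed($query, 'thumbnail', 'public', 'field/image/other.jpg'));
// No token at all: refused (bool(false)).
var_dump(example_deliver_allowed(array(), 'thumbnail', 'public', 'field/image/photo.jpg'));
```

Two caveats worth keeping in mind when reasoning about this check. First, the token has no expiry and is not tied to a user or session; it only proves that the (style, source URI) pair was minted by the site, which is all the DoS fix needs, so it is not an access control on the underlying file. Second, 7.20 also added the image_allow_insecure_derivatives setting, which switches the comparison off entirely; leave it at its default unless you have a specific compatibility reason, since enabling it reopens the original issue.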