Image style token, itok and Drupal

Drupal 7.20 brought a security fix that prevents DDoS attacks on servers. Prior to Drupal 7.20 any user could generate image presets on the fly, opening up a potential opportunity for DDoS attacks.

What is a DDoS attack?

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to exhaust a machine's or network's resources, making it unavailable to its intended users.

Drupal 7.20 addresses this by adding a token, passed as the query string parameter "itok", to all image derivative URLs generated by Drupal.

“Image derivatives are image cache or presets or copies of images which the Drupal Image module automatically generated based on configured image styles; for example, thumbnail, medium, large, etc.

As an example, links that previously pointed to a URL like http://example.com/sites/default/files/styles/thumbnail/public/field/image/example.png will now point to a URL like http://example.com/sites/default/files/styles/thumbnail/public/field/image/example.png?itok=zD_VaCaD

In addition, any code which programmatically generates a link to an image derivative without using the standard image_style_url() API function will no longer work correctly if the image does not already exist in the file system, since the necessary token will not be present in the URL.”

For more details on this fix refer to the Drupal 7.20 release notes at http://drupal.org/drupal-7.20-release-notes. The release notes also detail the issues associated with this fix and how it affects upgrades and contributed modules.
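As an added illustration (not code from this post or from Drupal core), here is a Python reimplementation of the token scheme behind the URLs quoted above: the itok is the first eight characters of a URL-safe base64 HMAC-SHA256 over "style:uri", keyed with the site's private key and hash salt. The base URL, private key and hash salt are constructed placeholders, and the constant-time comparison in the validation step is this example's own choice.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed placeholders; a real site takes these from settings.php via
# drupal_get_private_key() and drupal_get_hash_salt().
PRIVATE_KEY = "example-private-key"
HASH_SALT = "example-hash-salt"
TOKEN_LEN = 8  # Drupal 7 keeps the first 8 characters of the encoded HMAC
FILES_BASE = "http://example.com/sites/default/files/styles"


def drupal_hmac_base64(data: str, key: str) -> str:
    """URL-safe base64 of HMAC-SHA256 with padding stripped (mirrors drupal_hmac_base64())."""
    mac = hmac.new(key.encode(), data.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def image_style_path_token(style_name: str, uri: str) -> str:
    """Token binding one image style to one stream URI (e.g. public://field/image/a.png)."""
    return drupal_hmac_base64(f"{style_name}:{uri}", PRIVATE_KEY + HASH_SALT)[:TOKEN_LEN]


def image_style_url(style_name: str, uri: str) -> str:
    """Build the derivative URL the way image_style_url() does, with the itok appended."""
    scheme, _, target = uri.partition("://")
    token = image_style_path_token(style_name, uri)
    return f"{FILES_BASE}/{style_name}/{scheme}/{target}?itok={token}"


def derivative_request_is_valid(url: str) -> bool:
    """Server-side check: only generate a missing derivative when the itok matches.

    Without this check any client could request arbitrary style/image pairs and
    force the server to do the image processing, which is the DoS the fix closes.
    """
    parts = urlsplit(url)
    segments = parts.path.split("/styles/", 1)
    if len(segments) != 2:
        return False
    pieces = segments[1].split("/", 2)
    if len(pieces) != 3:
        return False
    style_name, scheme, target = pieces
    expected = image_style_path_token(style_name, f"{scheme}://{target}")
    supplied = parse_qs(parts.query).get("itok", [""])[0]
    return hmac.compare_digest(expected, supplied)
```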

These tokens cause problems when working with CDNs or any third-party integration that generates image presets on the fly. There is an ongoing debate about making this configurable in the issue "Replace image style 'itok' token with non-intrusive options", which has a ready patch by @attiks that needs review by a senior core contributor.

The debate suggests giving the site administrator an option to decide whether they need itok or not. The patch adds a new setting, 'suppress_itok_output'. The argument for making itok optional is that DDoS or DoS should be better solved at the infrastructure or server level. Moreover, this attack is also possible against views with a pager or exposed filters.