Drupal 7.20+ and the Image javascript crop module

Created by: thewilkybarkid

Drupal 7.20 introduced a security fix for potential DOS attacks on image deriatives.

The Image javascript crop module doesn't yet cope with the change, so when uploading an image and trying to crop it before it has been viewed on the page the image URL is broken (the derivative hasn't yet been generated and it doesn't properly include the 'itok' query string part to allow its generation).

There is a patch for the dev version which resolves the issue, but the dev version itself doesn't work properly (and doesn't look like being updated).

While the module isn't great, it seems to be the only real choice for what should be an important part of a CMS. Alternative modules either don't work or are missing key features (such as integration with the media module).

Currently the only way to not have broken images is to add in the $conf['image_allow_insecure_derivatives'] = TRUE; setting, which is potentially a security risk (Drupal 7.21 reduces the risk when enabling it).

A patch will need to be written for the 7.x-1.0-rc3 module version.

Created by: thewilkybarkid

Patch candidate now at https://gist.github.com/thewilkybarkid/6241365