Skip to content

Media firewall 3: Introduce media subhashes #7195

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: develop-minor
Choose a base branch
from
Draft

Media firewall 3: Introduce media subhashes #7195

wants to merge 3 commits into from

Conversation

@lukasbestle
Copy link
Member

Description

Summary of changes

  • Inside the media hash directory (/media/site/abcdefghij-1234567890), there is now another directory layer (e.g. /media/site/abcdefghij-1234567890/bcdefghija) to separate all individual files (the original and each thumb)
  • Transitional code is added so that all old media URLs stay valid until v6 (these are automatically redirected to the new URLs)
  • Existing media files and thumbs are automatically migrated to their new locations to avoid having to regenerate them

Reasoning

  • Prevent access to file versions (especially originals but also different thumb variants) by guessing the media URL (so far if you e.g. had /media/site/abcdefghij-1234567890/file-120x.jpg you could change the filename to file.jpg to access the original, which may not be intended by devs).
  • Using another directory layer makes sure that the filenames stay clean and don't need to include generated hashes.

Additional context

With the transitional and migration code, there shouldn't be a breaking impact to sites. But since there is already a lot going on in v5, I suggest we include this PR in 5.1 or 5.x. This ensures that users upgrading to v5 with a lot of media files and thumbs don't immediately run into performance problems when all those files are migrated.

Changelog

Enhancements

  • It is no longer possible to guess other URLs to file versions (uploaded file originals and their thumbnails) from a thumbnail URL.

Deprecated

  • The URL structure of media files (file URLs and thumb URLs) has changed. The old URL structure is still supported for now, but will be dropped in Kirby 6.

Breaking changes

None

Docs

None

Ready?

  • In-code documentation (wherever needed)
  • More robust migration code (currently not safe against race conditions when multiple requests migrate the same files at the same time)
  • Unit tests for fixed bug/feature
  • Tests and CI checks all pass

For review team

  • Add changes & docs to release notes draft in Notion

@lukasbestle lukasbestle added this to the 5.1.0 milestone May 10, 2025
@lukasbestle lukasbestle self-assigned this May 10, 2025
@lukasbestle lukasbestle added needs: delay ⏳️ Requires more time, on hold needs: tests 🧪 Requires missing tests labels May 10, 2025
@lukasbestle lukasbestle mentioned this pull request May 10, 2025
Merged
4 tasks
@lukasbestle lukasbestle force-pushed the v5/feature/media-firewall-2 branch from 8ca8ef4 to 0791516 Compare May 10, 2025 17:23
@lukasbestle
Introduce media subhashes
c59e26d 
Ensures that media URLs of different file versions or the original file cannot be guessed
@lukasbestle
Transitional code for 5.x
1f5ed8b
@lukasbestle lukasbestle force-pushed the feature/media-firewall-3 branch from 0a8c96e to 1f5ed8b Compare May 10, 2025 17:25
@bastianallgeier bastianallgeier force-pushed the v5/feature/media-firewall-2 branch from 0791516 to 5221bfc Compare May 13, 2025 13:02
Base automatically changed from v5/feature/media-firewall-2 to v5/develop May 14, 2025 10:34
@distantnative distantnative changed the base branch from v5/develop to develop-minor June 24, 2025 21:13
@distantnative
Copy link
Member

@lukasbestle Can I help getting this ready for 5.1?

@lukasbestle
Copy link
Member Author

I think we should move it to 5.2 to be honest. I need to take another look at it.

@distantnative distantnative modified the milestones: 5.1.0, 5.2.0 Aug 7, 2025
@ovenum
Copy link
Contributor

ovenum commented Aug 13, 2025

It’s a bit offtopic here, but when you change the generated media url paths in an upcoming release, would you also consider to allow UUID based media root paths instead of the current slug based paths?

If it’s considered, this looks to be the right moment to avoid two media url path migrations in the future.

Can create an Issue for this. Did share this idea on Discord and briefly talked about this with @distantnative at the Berlin Kirby meetup

@lukasbestle
Copy link
Member Author

@ovenum Not off-topic at all. In fact I agree it's a great idea and I have already added it to the internal project todo list for further research.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@lukasbestle lukasbestle

Labels

needs: delay ⏳️ Requires more time, on hold needs: tests 🧪 Requires missing tests

Milestone

5.2.0

Development

Successfully merging this pull request may close these issues.

4 participants

@lukasbestle @distantnative @ovenum