-
Notifications
You must be signed in to change notification settings - Fork 0
3.0.0 release changes
DON'T PANIC: THIS RELEASE DOES NOT INTRODUCE BREAKING CHANGES.
You can find this release at http://pypi.python.org/pypi/thumbor/3.0.0.
This release introduces a change in the way URLs are generated. This change is meant to improve thumbor's security and performance.
This change was proposed by Diogo Mónica from Square. Credit for finding the problem with the old style URLs and for the change to the new style goes to him.
URLs were generated like this:
/encrypted-portion/path/to/original/image
The encrypted portion of the URL was a base64 encoded, AES-128 encrypted version of the specified options(width, height, fit-in, smart, etc).
thumbor would then decrypt that encrypted portion to get the options for your image.
There's one fundamental flaw with this approach. The reason for encrypting was that we wanted URLs to be tamper-proof for people that didn't know the security key. This process (as pointed out by the proposer of this change) is actually signing, and not encryption.
Signing has three main advantages for thumbor:
- It's faster;
- It yields a fixed number of characters in the URL;
- It's safer.
Now thumbor has URLs that feature a hash-based message authentication code that signs them. This makes it very hard for someone that's not aware of the security key to generate new URLs.
A sample URL in the new format:
/hash-with-28-chars/300x200/smart/path/to/original/image
Not at all. As of now, thumbor will try the HMAC based urls first, and if it can't match the hash it will try the old format URLs.
There's a new configuration key (ALLOW_OLD_URLS) that specifies whether old URLs are supported. For now this configuration defaults to True. In the next major version it will default to False. In the major version after that one, we'll completely remove support for old-style URLs.