Scott

Reputation: 1021

Sitecore.Pipelines.HttpRequest.ResizePicture is commented out in Sitecore 7.5

In a default install of Sitecore 7.5 rev 141003, the httpRequestEnd processor Sitecore.Pipelines.HttpRequest.ResizePicture is commented out in web.config.

We have a build of 7.5 rev 141003 for a client where it is not commented out.

Does anyone know what this is for, and why it would be commented out by default or why you would uncomment it?

Upvotes: 0

Views: 516

Answers (2)

Steven Zhao

Reputation: 101

If we decompile the Sitecore.Pipelines.HttpRequest.ResizePicture processor, we see that it does something very simple. The Process method simply calls:

Assert.ArgumentNotNull((object) args, "args");
int num = WebUtil.GetQueryString("sc_thumbnail") == string.Empty ? (false ? 1 : 0) : (true ? 1 : 0);

This means it is sensing image size manipulation via the query string. Starting with Sitecore 7.5, manipulating the image via query string parameters is not possible without an added hash. This is for security purposes, in case an attack were to max out resources by performing many image resizes.

The recommended approach is now to resize the image in the Media Library and call just the image without the query string, but if you have to do it via query string, make sure to add the hash. All links generated by Sitecore using image controls will be fine, but for hardcoded image URLs there will be problems since the hashes won't be there.

In 7.5 if you inspect your log files, you will probably see tons of entries like this:

ERROR MediaRequestProtection: An invalid/missing hash value was encountered. The expected hash value: 681CB48737DFF780679D0FA51542B987DA3C591F. Media URL: ...

This is related to the query strings of media items without hashes. You can turn these log entries off in:

/app_config/includes/Sitecore.MediaRequestProtection.config

In here you can turn off logging altogether so these issues don’t trigger log entries each and every time.

<setting name="Media.RequestProtection.Logging.Enabled" value="false" />

Of course you can turn off the protection entirely as well:

<setting name="Media.RequestProtection.Enabled" value="false" />

Although this is a way to get around the issue quickly, it is not recommended since you will be bypassing a security feature.

You can also designate which parameters are protected via this list:

<protectedMediaQueryParameters>
      <parameter description="width" name="w"/>
      <parameter description="height" name="h"/>
      <parameter description="max width" name="mw"/>
      <parameter description="max height" name="mh"/>
      <parameter description="scale" name="sc"/>
      <parameter description="allow stretch" name="as"/>
      <parameter description="background color" name="bc"/>
      <parameter description="database name" name="db"/>
      <parameter description="ignore aspect ratio" name="iar"/>
      <parameter description="language code" name="la"/>
      <parameter description="thumbnail" name="thn"/>
      <parameter description="version number" name="vs"/>
      <parameter description="content database" name="sc_content"/>
      <parameter description="content language name" name="sc_lang"/>
      <parameter description="context site" name="sc_site"/>
      <parameter description="grayscale filter" name="gray"/>
</protectedMediaQueryParameters>

This is another effort by Sitecore to enhance performance but executed in a poor way. If you migrated from any version prior to 7.5 you will be seeing many of these errors in the logs. Otherwise you will never notice.

Upvotes: 0
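An added example (not part of the answer above and not Sitecore's own code) that scans markup for hardcoded media URLs using any of the protected parameters listed above without a hash, which are the URLs that produce the MediaRequestProtection log entries. It assumes media links contain `/~/media/` or `/-/media/` and that the hash travels in a query parameter named `hash`; the sample markup is constructed, and the hash value itself is only checked for presence, not validity.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names copied from the <protectedMediaQueryParameters> list above.
PROTECTED = {"w", "h", "mw", "mh", "sc", "as", "bc", "db", "iar", "la",
             "thn", "vs", "sc_content", "sc_lang", "sc_site", "gray"}

# Assumptions: media link prefixes and the name of the hash parameter.
MEDIA_URL = re.compile(r"""["'(]([^"'()\s]*/[~-]/media/[^"'()\s]+)""", re.I)
HASH_PARAM = "hash"

# Constructed sample markup, as it might appear in a view or rich-text field.
SAMPLE = '''
<img src="/~/media/Images/banner.ashx?w=300&amp;h=200" />
<img src="/~/media/Images/logo.ashx?mw=120&amp;hash=0123456789ABCDEF0123456789ABCDEF01234567" />
<img src="/~/media/Images/plain.ashx" />
<div style="background:url(/-/media/Images/hero.jpg?thn=1&amp;hash=)"></div>
<a href="/products?w=5">not a media link</a>
'''


def unsigned_media_urls(markup):
    """Return (url, protected_params_used) for media URLs lacking a hash."""
    findings = []
    for match in MEDIA_URL.finditer(markup):
        url = match.group(1).replace("&amp;", "&")  # undo HTML escaping
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        # Compare names case-insensitively so "W=10" is not missed.
        keys = {name.lower(): values for name, values in query.items()}
        used = sorted(PROTECTED & keys.keys())
        # An empty hash= value counts as missing.
        signed = any(v.strip() for v in keys.get(HASH_PARAM, []))
        if used and not signed:
            findings.append((url, used))
    return findings


if __name__ == "__main__":
    for url, params in unsigned_media_urls(SAMPLE):
        print(f"missing hash ({', '.join(params)}): {url}")
```

URLs without any protected parameter are not reported, since only the listed parameters require a hash.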

jammykam

Reputation: 16990

The processor doesn't do anything; it simply checks the query string for a parameter, but since it does not set the value to anything, it can be safely reverted to the default Sitecore config. This processor has not been used since Sitecore 6.2 at least, possibly earlier, so it may be legacy from a very old version.

Decompiling Sitecore.Pipelines.HttpRequest.ResizePicture reveals the following:

public override void Process(HttpRequestArgs args)
{
  Assert.ArgumentNotNull((object) args, "args");
  int num = WebUtil.GetQueryString("sc_thumbnail") == string.Empty ? (false ? 1 : 0) : (true ? 1 : 0);
}

Upvotes: 1
