In versions of Sitecore prior to 7.5, many of us have used parameters in Sitecore’s controls (i.e. sc:image) to alter the size of an image. All works well if you use this strategy for image resizing. However, in some cases, we request the URL to a media item directly, using parameters like “mh” and “mw” in the query string to modify the image size. If you’re moving from a Sitecore version earlier than 7.5 to 8, you’ll quickly notice that these images appear full size. What happened?

According to the release notes for Sitecore 7.5, it turns out that this URL-based image sizing feature in Sitecore actually exposed a vulnerability that was fixed with a new feature called Media Request Protection:

The new media request protection feature restricts media URLs that contain dynamic image-scaling parameters so that only server-generated requests are processed. This ensures that the server only spends resources and disk space on valid image scaling requests.

This new feature essentially hashes the URL, so that the server can better recognize a scaled image request as valid (or invalid, of course).

So what do you have to do now that your images are showing up full-size after upgrading? Well, you have two options essentially. The first is to turn off Media Request Protection, a setting found in “App_Config/Include/Sitecore.Media.RequestProtection.config”. This is easy, but still exposes the vulnerability, so do that at your own risk. The second, recommended approach is to go through your code and make some changes. It’s actually not too daunting:

  • For URLs being used directly in the code, you can use a new utility page in Sitecore: “/sitecore/admin/MediaHash.aspx”. This page will help you generate a hashed URL. This is especially useful if you have hardcoded image URLs in your CSS files.
  • For ASP.NET MVC Views (.cshtml) or User Controls (.ascx), you can use the “Sitecore.Resources.Media.HashingUtils.ProtectAssetUrl()” method.
  • In XSLT renderings, you can use the “sc:SignMediaUrl()” method.

And that does it!