Add patch #5 for latest module versions 2.1.0.

src/Controller/RemoteImageStyleDownloadController.php

@@ -38,11 +38,33 @@ class RemoteImageStyleDownloadController extends ImageStyleDownloadController {
     // allowing any remote file to be processed.
     $target = $request->query->get('file');
     $image_uri = $scheme . '://' . $target;
-    if (!$this->fileStorage->loadByProperties(['uri' => $image_uri])) {
-      throw new AccessDeniedHttpException();
+    if (!$this->isManagedFile($image_uri)) {
+      // If the image style converted the extension, it has been added to the
+      // original file, resulting in filenames like image.png.jpeg. So to see if
+      // the source image is a managed file, we remove the extension and check
+      // again.
+      $path_info = pathinfo($this->streamWrapperManager->getTarget($image_uri));
+      $converted_image_uri = sprintf('%s://%s%s%s', $this->streamWrapperManager->getScheme($image_uri), $path_info['dirname'], DIRECTORY_SEPARATOR, $path_info['filename']);
+
+      if (!$this->isManagedFile($converted_image_uri)) {
+        throw new AccessDeniedHttpException();
+      }
     }
 
     return parent::deliver($request, $scheme, $image_style, $required_derivative_scheme);
   }
 
+  /**
+   * Checks to see if an image URI exists as a managed file.
+   *
+   * @param $uri
+   *   The image URI to check.
+   *
+   * @return bool
+   *   TRUE is the image exists as a managed file. Otherwise FALSE.
+   */
+  protected function isManagedFile($uri) {
+    return !empty($this->fileStorage->loadByProperties(['uri' => $uri]));
+  }
+
 }