Edit: Sitecore Support has confirmed this behaviour as a bug and provided a patch that so far seems to work fine. The patch overrides the method for rendering media links from RTE fields to also include the hash value thus not firing a media request protection error anymore.
The patch number is 438674 for those who need to request this from Sitecore Support.
In the release notes of Sitecore 7.5 rev 141003 you can read about a new security feature called Media Request Protection:
The new media request protection feature restricts media URLs that contain dynamic image-scaling parameters so that only server-generated requests are processed. This ensures that the server only spends resources and disk space on valid image scaling requests.
In short it works like this: To use these querystrings the media request also must append a hash value that can only be generated by the Sitecore server, otherwise the querystrings are ignored and you get an error in your Sitecore log file.
However, when enabling this feature (and it is enabled by default) something happens that can be described like this:
To cut a long story short: The Media Request Protection feature is way too agressive. Not only does it strike down on querystrings regarding image scaling, but also on querystrings such as “la” (for specifying language). Furthermore it doesn’t just apply to images. PDF files are also passed through the feature.
And now we reach the point where this feature turns into a bug.
If you create an internal link to a media item such as a PDF using the Rich Text editor, this link won’t include the necessary hash value and thus generates errors in your log file.
This happens on a clean install of Sitecore 7.5 like this:
Save and publish. Now when clicking the link to the PDF file on the published page, this lands in your log file:
14:36:45 ERROR MediaRequestProtection: An invalid/missing hash value was encountered. The expected hash value: 810CD0685B09545533E20038F16018B95DE7BD84. Media URL: /~/media/Files/cms_tuning_guide_sc70-a4.ashx?la=en, Referring URL: http://sc75rev141003_clean/
The cause of this particular behavior is the “la=en” querystring which is generated by Sitecore’s own editing tool.
I’ve reported this to Sitecore Support and await their solution. Meanwhile I’m considering deactivating the Media Request Protection feature, but possible workarounds also include overriding the media request protection feature code itself or overriding the link provider to include the hash value for the media item. I’ll write another post about this if I decide to venture in that direction.