Patch #31022
closedAlways use HTTPS when accessing gravatar.com
Description
Today it is recommended to use HTTPS when accessing websites, but Redmine accesses gravatar.com with HTTP if the Redmine instance is accessed with HTTP. This is because Redmine generates protocol-relative URLs for Gravatar images (#21855#note-2).
I think we don't have to switch the protocol to access gravatar.com depending on the protocol of the Redmine instance. It will be secure, and moreover, it may improve performance when there are a lot of icons on a single page because of HTTP/2 used in gravatar.com. With HTTP/2, clients can download images in parallel with a single TCP connection.
Index: lib/plugins/gravatar/lib/gravatar.rb
===================================================================
--- lib/plugins/gravatar/lib/gravatar.rb (リビジョン 17938)
+++ lib/plugins/gravatar/lib/gravatar.rb (作業コピー)
@@ -61,7 +61,7 @@
# Returns the base Gravatar URL for the given email hash
def gravatar_api_url(hash)
- "//www.gravatar.com/avatar/#{hash}"
+ "https://www.gravatar.com/avatar/#{hash}"
end
# Return the gravatar URL for the given email address.
Related issues
Updated by Go MAEDA over 5 years ago
This updated patch is frozen string literals ready.
Index: lib/plugins/gravatar/lib/gravatar.rb
===================================================================
--- lib/plugins/gravatar/lib/gravatar.rb (revision 17946)
+++ lib/plugins/gravatar/lib/gravatar.rb (working copy)
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'digest/md5'
require 'cgi'
@@ -61,7 +63,7 @@
# Returns the base Gravatar URL for the given email hash
def gravatar_api_url(hash)
- "//www.gravatar.com/avatar/#{hash}"
+ 'https://www.gravatar.com/avatar/' + hash.to_s
end
# Return the gravatar URL for the given email address.
Updated by Go MAEDA over 5 years ago
- Status changed from New to Closed
- Assignee set to Go MAEDA
Committed.
Updated by Go MAEDA over 5 years ago
- Related to Feature #9112: Libravatar and Gravatar-compatible servers support added
Updated by Marius BĂLTEANU over 5 years ago
- Status changed from Closed to Reopened
We should remove the :ssl
option because it is not used anymore:
vagrant@jessie:/vagrant/project/redmine$ git diff lib/plugins/gravatar/
diff --git a/lib/plugins/gravatar/lib/gravatar.rb b/lib/plugins/gravatar/lib/gravatar.rb
index aa8500b..f368b99 100644
--- a/lib/plugins/gravatar/lib/gravatar.rb
+++ b/lib/plugins/gravatar/lib/gravatar.rb
@@ -34,9 +34,6 @@ module GravatarHelper
# The class to assign to the img tag for the gravatar.
:class => 'gravatar',
-
- # Whether or not to display the gravatars using HTTPS instead of HTTP
- :ssl => false,
}
Updated by Go MAEDA over 5 years ago
- Status changed from Reopened to Closed
Marius BALTEANU wrote:
We should remove the
:ssl
option because it is not used anymore:[...]
Committed the fix. Thank you for pointing it out.