Patch #31022

Always use HTTPS when accessing gravatar.com

Added by Go MAEDA 7 months ago. Updated 5 months ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Go MAEDA
% Done: 0%
Category: UI
Target version: 4.1.0

Description

Today it is recommended to use HTTPS when accessing websites, but Redmine accesses gravatar.com with HTTP if the Redmine instance is accessed with HTTP. This is because Redmine generates protocol-relative URLs for Gravatar images (#21855#note-2).

I think we don't have to switch the protocol to access gravatar.com depending on the protocol of the Redmine instance. It will be secure, and moreover, it may improve performance when there are a lot of icons on a single page because of HTTP/2 used in gravatar.com. With HTTP/2, clients can download images in parallel with a single TCP connection.

Index: lib/plugins/gravatar/lib/gravatar.rb
===================================================================
--- lib/plugins/gravatar/lib/gravatar.rb    (リビジョン 17938)
+++ lib/plugins/gravatar/lib/gravatar.rb    (作業コピー)
@@ -61,7 +61,7 @@

     # Returns the base Gravatar URL for the given email hash
     def gravatar_api_url(hash)
-      "//www.gravatar.com/avatar/#{hash}" 
+      "https://www.gravatar.com/avatar/#{hash}" 
     end

     # Return the gravatar URL for the given email address.
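
Review bot: The doc comment above `gravatar_api_url` still reads "Returns the base Gravatar URL for the given email hash" and does not say that the scheme is now fixed to HTTPS regardless of how the Redmine page is served; a short addition there would keep a later change from reintroducing the protocol-relative form. The patch touches only lib/plugins/gravatar/lib/gravatar.rb, so consider adding a test that asserts the generated URL starts with `https://`, and check whether anything else in the helper still chooses between HTTP and HTTPS.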

Related issues

Related to Redmine - Feature #9112: Libravatar and Gravatar-compatible servers support Closed 2011-08-24

Associated revisions

Revision 17948
Added by Go MAEDA 7 months ago

Always use HTTPS when accessing gravatar.com (#31022).

Patch by Go MAEDA.

Revision 18139
Added by Go MAEDA 5 months ago

Remove the :ssl option which is not used anymore (#31022).

Patch by Marius BALTEANU.

History

#1 Updated by Go MAEDA 7 months ago

  • Target version set to 4.1.0

#2 Updated by Go MAEDA 7 months ago

This updated patch is frozen string literals ready.

Index: lib/plugins/gravatar/lib/gravatar.rb
===================================================================
--- lib/plugins/gravatar/lib/gravatar.rb    (revision 17946)
+++ lib/plugins/gravatar/lib/gravatar.rb    (working copy)
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'digest/md5'
 require 'cgi'

@@ -61,7 +63,7 @@

     # Returns the base Gravatar URL for the given email hash
     def gravatar_api_url(hash)
-      "//www.gravatar.com/avatar/#{hash}" 
+      'https://www.gravatar.com/avatar/' + hash.to_s
     end

     # Return the gravatar URL for the given email address.
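
Review bot: In `gravatar_api_url`, the switch from interpolation to `'https://www.gravatar.com/avatar/' + hash.to_s` is not explained next to the code. If the reason is that callers need a mutable return value under the new `# frozen_string_literal: true` comment, say so in a comment on the method, otherwise a later cleanup may turn it back into a single literal. The magic comment applies to every string literal in the file, so the parts of gravatar.rb not shown in this diff should be checked for in-place mutation such as `<<` on a literal.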

#3 Updated by Go MAEDA 7 months ago

  • Status changed from New to Closed
  • Assignee set to Go MAEDA

Committed.

#4 Updated by Go MAEDA 6 months ago

  • Related to Feature #9112: Libravatar and Gravatar-compatible servers support added

#5 Updated by Marius BALTEANU 5 months ago

  • Status changed from Closed to Reopened

We should remove the :ssl option because it is not used anymore:

vagrant@jessie:/vagrant/project/redmine$ git diff lib/plugins/gravatar/
diff --git a/lib/plugins/gravatar/lib/gravatar.rb b/lib/plugins/gravatar/lib/gravatar.rb
index aa8500b..f368b99 100644
--- a/lib/plugins/gravatar/lib/gravatar.rb
+++ b/lib/plugins/gravatar/lib/gravatar.rb
@@ -34,9 +34,6 @@ module GravatarHelper

     # The class to assign to the img tag for the gravatar.
     :class => 'gravatar',
-
-    # Whether or not to display the gravatars using HTTPS instead of HTTP
-    :ssl => false,
   }
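
Review bot: Dropping the `:ssl => false` entry removes the option from the defaults hash only; this diff does not show whether any caller, test or documentation still passes or mentions `:ssl`. Search for remaining uses before closing, and decide what happens to a `:ssl` key supplied by existing code, for example making sure it is discarded rather than carried along with the other options.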

#6 Updated by Go MAEDA 5 months ago

  • Status changed from Reopened to Closed

Marius BALTEANU wrote:

We should remove the :ssl option because it is not used anymore:

[...]

Committed the fix. Thank you for pointing it out.
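
The scheme inheritance that the description attributes to protocol-relative URLs, as an added example (not Redmine code): a small Ruby check that lists the external resources a browser would fetch over plain HTTP for a given page URL. The method names, the host redmine.example, the all-zero hash and the sample markup are constructed for illustration.

```ruby
require 'uri'

# Resolve only what matters here: a network-path reference ("//host/path")
# inherits the scheme of the page that embeds it (RFC 3986, section 4.2).
def effective_url(page_url, ref)
  ref = "#{URI.parse(page_url).scheme}:#{ref}" if ref.start_with?('//')
  URI.parse(ref)
end

# Return the external resources in +html+ that a browser would request in
# cleartext when the page itself is served from +page_url+.
def cleartext_external_refs(html, page_url)
  page_host = URI.parse(page_url).host
  refs = html.scan(/\b(?:src|href)\s*=\s*["']([^"']+)["']/i).flatten
  refs.filter_map do |ref|
    url = effective_url(page_url, ref)
    next if url.host.nil? || url.host == page_host # relative or same host
    url.to_s if url.scheme == 'http'
  rescue URI::InvalidURIError
    nil # unparsable attribute value: nothing to report
  end
end

# Constructed sample markup; the hash is a placeholder, not a real avatar.
HASH   = '0' * 32
BEFORE = %(<img class="gravatar" src="//www.gravatar.com/avatar/#{HASH}">)
AFTER  = %(<img class="gravatar" src="https://www.gravatar.com/avatar/#{HASH}">)

if $PROGRAM_NAME == __FILE__
  %w[http://redmine.example/issues/1 https://redmine.example/issues/1].each do |page|
    puts "#{page} before: #{cleartext_external_refs(BEFORE, page).inspect}"
    puts "#{page} after:  #{cleartext_external_refs(AFTER, page).inspect}"
  end
end
```

Only the protocol-relative markup viewed from the HTTP page produces a finding; the patched absolute URL produces none from either page.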
