Defect #21855

closed

Gravatar get images over http instead https

Added by Alexander Kupchenko over 8 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Category: UI
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Hello!

Our redmine works via https, in preferences https is set up. But gravatars still use http-image links.

Details in attached picture.

Your prompt reply will be highly appreciated!


Files

gravatar.jpg (204 KB), Alexander Kupchenko, 2016-01-26 23:01
gravatar-protocol-relative-url.diff (1.92 KB), patch (protocol relative URL), Go MAEDA, 2016-01-28 16:55

Related issues

Related to Redmine - Patch #18911: check Setting.protocol when determining gravatar protocol (Closed)
Related to Redmine - Defect #9365: Gravatar don't utilize HTTPS (Closed, Jean-Baptiste Barth, 2011-10-03)

Actions #1

Updated by Jérôme BATAILLE over 8 years ago

It's because the detection of https is made with request.ssl? which does not work with https managed by front proxies.

A fix in app/helpers/application_helper.rb :

  def avatar(user, options = { })
    if Setting.gravatar_enabled?
      # The fix : checking if https is enabled in configuration
      options.merge!({:ssl => (Setting.protocol == 'https'), :default => Setting.gravatar_default})
      # options.merge!({:ssl => (request && request.ssl?), :default => Setting.gravatar_default})
      email = nil
      if user.respond_to?(:mail)
        email = user.mail
      elsif user.to_s =~ %r{<(.+?)>}
        email = $1
      end
      return gravatar(email.to_s.downcase, options) unless email.blank? rescue nil
    else
      ''
    end
  end

Actions #2

Updated by Go MAEDA over 8 years ago

Using a protocol-relative URL (one that begins with two slash characters, e.g. //www.gravatar.com/avatar/... ) will resolve this issue. Please take a look at this patch: gravatar-protocol-relative-url.diff

Redmine doesn't have to know whether it is accessed via HTTPS or HTTP because web browsers choose the appropriate protocol to access Gravatar.

Actions #3

Updated by Go MAEDA over 8 years ago

  • Related to Patch #18911: check Setting.protocol when determining gravatar protocol added

Actions #4

Updated by Go MAEDA over 8 years ago

  • Related to Defect #9365: Gravatar don't utilize HTTPS added

Actions #5

Updated by Go MAEDA over 8 years ago

  • Target version set to 3.3.0

Actions #6

Updated by Ken Zalewski about 8 years ago

I am confirming this issue when running Redmine 3.2.0 with Passenger 5.0.22.

The protocol setting (Settings->General->Protocol) is ignored, because the logic in application_helper.rb is flawed.

The suggested patch in Note 1 above seems to work fine.

Actions #7

Updated by Jean-Philippe Lang about 8 years ago

  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Jérôme BATAILLE wrote:

It's because the detection of https is made with request.ssl? which does not work with https managed by front proxies.

A fix in app/helpers/application_helper.rb :
[...]

The same "fix" was applied in r10184 and reverted soon after, see #9365 for more details.

I've committed the solution proposed by Go Maeda in r15245. Thanks.

Actions #8

Updated by Ken Zalewski about 8 years ago

I see that this issue has been closed, but I want to mention that this problem persists into version 3.2.1. Apparently, the patch did not make it in to 3.2.1, which is unfortunate.

I will hand-edit the files for now, and anticipate the 3.2.2 release.

Actions #9

Updated by Ken Zalewski about 8 years ago

I am confirming that the Go Maeda patch in r15245 resolves the issue.

Actions #10

Updated by Ken Zalewski about 8 years ago

I need to take that back. I am now getting a full SSL connection, which is great. However, after applying that patch, Gravatars are no longer being displayed at all.

Is there something else I need to do?

Actions #11

Updated by Ken Zalewski about 8 years ago

After clearing my browser's cache, all is fine! Gravatars are being properly displayed within a full SSL environment. There are no non-SSL components, so the site is considered fully secured.

Thank you.

Actions #12

Updated by Jean-Philippe Lang about 8 years ago

Ken Zalewski wrote:

I see that this issue has been closed, but I want to mention that this problem persists into version 3.2.1. Apparently, the patch did not make it in to 3.2.1, which is unfortunate.

I will hand-edit the files for now, and anticipate the 3.2.2 release.

As you can see, this issue is assigned to 3.3.0, and the fix was not included in 3.2.1.

Actions #13

Updated by Ken Zalewski about 8 years ago

Yes, I do see that now. I missed that when I was testing the 3.2.1 release.

I will anticipate the 3.3.0 release then. :-)

Actions #14

Updated by Helge Sychla over 7 years ago

We are on version 3.3.0.stable.15633 and the avatars are still pulled using HTTP.

I checked the code and the changes from r15245 are in there.

We are using a couple of plugins from redminecrm.com, could they be doing something that reverts this patch?

Actions #15

Updated by Helge Sychla over 7 years ago

Just in case somebody else is having this problem and gets here via Google:

We were missing

proxy_set_header X-Forwarded-Proto $scheme;

in our nginx config so redmine was not aware that the original request was HTTPS.

Added that and now the whole page is HTTPS again.
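
Added example, not part of the thread and not Redmine's code: a Ruby sketch comparing the three scheme choices discussed in this issue (request-based detection and `Setting.protocol` from note 1, the protocol-relative URL from note 2) behind a TLS-terminating proxy, with and without the `X-Forwarded-Proto` header from note 15. `request_ssl?` is a simplified model of header-based detection; the helper names, request envs and email address are constructed assumptions.

```ruby
require 'digest/md5'

# Simplified model of scheme detection (assumption: the app trusts the
# X-Forwarded-Proto header set by its own front proxy, as in note 15).
def request_ssl?(env)
  return true if env['rack.url_scheme'] == 'https'
  env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip == 'https'
end

# Build the avatar URL with one of the three strategies from the thread.
def gravatar_url(email, strategy, env: {}, setting_protocol: 'http')
  hash = Digest::MD5.hexdigest(email.strip.downcase) # Gravatar's address hash
  prefix =
    case strategy
    when :request  then request_ssl?(env) ? 'https:' : 'http:'
    when :setting  then setting_protocol == 'https' ? 'https:' : 'http:'
    when :relative then '' # the browser reuses the page's own scheme
    else raise ArgumentError, "unknown strategy #{strategy}"
    end
  "#{prefix}//www.gravatar.com/avatar/#{hash}"
end

# Scheme the browser actually uses for a resource embedded in a page.
def effective_scheme(url, page_scheme)
  url.start_with?('//') ? page_scheme : url[/\A(\w+):/, 1]
end

# True when an HTTPS page would fetch the image over plain HTTP.
def mixed_content?(url, page_scheme)
  page_scheme == 'https' && effective_scheme(url, page_scheme) == 'http'
end

# Constructed envs: TLS ends at the proxy, the hop to the app is plain HTTP.
ENV_NO_HEADER   = { 'rack.url_scheme' => 'http' }.freeze
ENV_WITH_HEADER = ENV_NO_HEADER.merge('HTTP_X_FORWARDED_PROTO' => 'https').freeze
EMAIL = 'User@Example.com ' # constructed sample address

# Which strategies produce mixed content on a page the user loaded over HTTPS?
def audit(page_scheme = 'https')
  cases = {
    request_no_header:   [:request,  { env: ENV_NO_HEADER }],
    request_with_header: [:request,  { env: ENV_WITH_HEADER }],
    setting_https:       [:setting,  { setting_protocol: 'https' }],
    relative:            [:relative, {}]
  }
  cases.transform_values do |(strategy, opts)|
    mixed_content?(gravatar_url(EMAIL, strategy, **opts), page_scheme)
  end
end

p audit
```

Only the request-based strategy without the forwarded header yields an `http:` avatar on an HTTPS page; the protocol-relative form never does, because it carries no scheme of its own.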
