Patch #31022
closed
Always use HTTPS when accessing gravatar.com
Added by Go MAEDA almost 6 years ago.
Updated over 5 years ago.
Description
Today it is recommended to use HTTPS when accessing websites, but Redmine accesses gravatar.com with HTTP if the Redmine instance is accessed with HTTP. This is because Redmine generates protocol-relative URLs for Gravatar images (#21855#note-2).
I think we don't have to switch the protocol to access gravatar.com depending on the protocol of the Redmine instance. It will be secure, and moreover, it may improve performance when there are a lot of icons on a single page because of HTTP/2 used in gravatar.com. With HTTP/2, clients can download images in parallel with a single TCP connection.
Index: lib/plugins/gravatar/lib/gravatar.rb
===================================================================
--- lib/plugins/gravatar/lib/gravatar.rb (リビジョン 17938)
+++ lib/plugins/gravatar/lib/gravatar.rb (作業コピー)
@@ -61,7 +61,7 @@
# Returns the base Gravatar URL for the given email hash
def gravatar_api_url(hash)
- "//www.gravatar.com/avatar/#{hash}"
+ "https://www.gravatar.com/avatar/#{hash}"
end
# Return the gravatar URL for the given email address.
- Target version set to 4.1.0
This updated patch is frozen string literals ready.
Index: lib/plugins/gravatar/lib/gravatar.rb
===================================================================
--- lib/plugins/gravatar/lib/gravatar.rb (revision 17946)
+++ lib/plugins/gravatar/lib/gravatar.rb (working copy)
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
require 'digest/md5'
require 'cgi'
@@ -61,7 +63,7 @@
# Returns the base Gravatar URL for the given email hash
def gravatar_api_url(hash)
- "//www.gravatar.com/avatar/#{hash}"
+ 'https://www.gravatar.com/avatar/' + hash.to_s
end
# Return the gravatar URL for the given email address.
- Status changed from New to Closed
- Assignee set to Go MAEDA
- Related to Feature #9112: Libravatar and Gravatar-compatible servers support added
- Status changed from Closed to Reopened
We should remove the :ssl option because it is not used anymore:
vagrant@jessie:/vagrant/project/redmine$ git diff lib/plugins/gravatar/
diff --git a/lib/plugins/gravatar/lib/gravatar.rb b/lib/plugins/gravatar/lib/gravatar.rb
index aa8500b..f368b99 100644
--- a/lib/plugins/gravatar/lib/gravatar.rb
+++ b/lib/plugins/gravatar/lib/gravatar.rb
@@ -34,9 +34,6 @@ module GravatarHelper
# The class to assign to the img tag for the gravatar.
:class => 'gravatar',
-
- # Whether or not to display the gravatars using HTTPS instead of HTTP
- :ssl => false,
}
- Status changed from Reopened to Closed
Marius BALTEANU wrote:
We should remove the :ssl option because it is not used anymore:
[...]
Committed the fix. Thank you for pointing it out.
Also available in: Atom
PDF
Updated by 
Updated by