• Welcome to Simple Machines Community Forum. Please login or sign up.
October 27, 2021, 10:43:21 PM

News:

SMF 2.0.18 has been released! Please update. Read more.


custom_avatar_url potential issue

Started by shawnb61, October 20, 2017, 01:53:58 PM

Previous topic - Next topic

shawnb61

October 20, 2017, 01:53:58 PM Last Edit: July 30, 2018, 11:23:54 AM by Gwenwyfar
All -

I noticed this in 2.1, and double-checked, and I believe this is an issue in 2.0 as well.  I will be testing a PR for 2.1 for some SSL items over the next few weeks. 

In loadTheme(), there is some logic that deals with alternate URLs.  These can include anything from detected https/http differences, to using an IP address to load the board, to using alias URLs. 

When a valid 'alternate' is detected, it updates all of the board URLs in $modSettings in memory prior to loading the theme.   It does not update custom_avatar_url. 

I believe that there will be instances, for example, when somebody invokes a page via http on an https forum or vice-versa, where this may cause avatar issues.   This code is ~L1579:

// And just a few mod settings :).
$modSettings['smileys_url'] = strtr($modSettings['smileys_url'], array($oldurl => $boardurl));
$modSettings['avatar_url'] = strtr($modSettings['avatar_url'], array($oldurl => $boardurl));

Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Advertisement: