
gravatar profile images not secure

Started by bynw, June 23, 2022, 10:22:54 PM


bynw

Right now I know of at least 1 of my users is using the Gravatar option for their profile image. However it's coming from http://www.gravatar.com instead of https://www.gravatar.com

Thus making any page that has the gravatar image not fully secure.

Is there a fix available for this?

Diego Andrés

Check Maintenance > Server settings > Forum SSL mode > Force SSL throughout the forum.
That should make it use https... I think.

SMF Tricks - Free & Premium Responsive Themes for SMF.

Arantor

This is a bug really; there is no reason for the Gravatar code not to get this right without resorting to the force SSL option.

Diego Andrés

It's what I found in get_gravatar_url, dunno why http_method is a thing in there.

SMF Tricks - Free & Premium Responsive Themes for SMF.

Arantor

You could make the argument that you're conserving bandwidth if not secure but this shouldn't be predicated on the *force* option, but simply on whether the URL is secure or not. I would class this as a bug.

Especially since the secure option can be handled further up the stack, e.g. terminating the SSL at an ingress controller on a K8s stack. Or by CloudFlare and not encrypting the traffic between CloudFlare and your server. All sorts of ways.

Steve

Sorry Arantor, but I didn't understand a lot of what you said at the end (and no need to explain) but would Diego's suggestion work for the OP until the bug is fixed?
DO NOT pm me for support!

Arantor

Possibly. It might also break the OP's forum if used, with potentially no way in to uncheck it.

A dirty fix might be to replace this line in Subs.php:
$http_method = !empty($modSettings['force_ssl']) ? 'https://secure' : 'http://www';
With:
$http_method = true ? 'https://secure' : 'http://www';
It's a rubbish fix but it should do for the OP until it can be properly fixed in a future version.

The issue is that when you do HTTPS, you can either run it in HTTPS mode or forced HTTPS mode - Gravatar seemingly relies on the latter but all the advice people give around in the current "convert to HTTPS" guides makes that option unnecessary.

In any case, if I were to tick that option on my production forums, they would all break because they're not set up to work the way SMF expects them to be to detect HTTPS in use or not.

Doug Heffernan

I have moved this to the Bug Reports board to bring it to the attention of our developers.

Kindred

Is this a bug in SMF or on the Gravatar site?
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Doug Heffernan

Quote from: Arantor on June 24, 2022, 07:01:50 AM
Possibly. It might also break the OP's forum if used, with potentially no way in to uncheck it.

It can be unchecked/undone with a simple sql query if things went south.

UPDATE smf_settings SET force_ssl = 0;
Quote from: Kindred on June 24, 2022, 08:50:23 AM
Is this a bug in SMF or on the Gravatar site?

It looks like it is a bug with Smf.

Arantor

Quote from: Kindred on June 24, 2022, 08:50:23 AM
Is this a bug in SMF or on the Gravatar site?

SMF. I don't believe force_ssl is the correct basis for using secure Gravatars, and detecting if boardurl begins with HTTPS would be better (since you can quite legitimately have a secure site without using force_ssl)

Also just because it is a "simple query" doesn't change the fact that someone can be in the admin panel and then through the UI lock themselves and everyone else out of the entire platform depending on server configuration.
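An added example, not SMF's own code and not Arantor's, of the two ways of choosing the Gravatar scheme discussed in this thread: the force_ssl-based selection quoted from Subs.php earlier, and the boardurl-based selection suggested here. The function names, the shape of $boardurl and $modSettings, and the sample values are assumptions and constructed data, not taken from SMF.

```php
<?php
// Added example (not SMF's code): pick the Gravatar scheme from the forum's own
// URL rather than from the force_ssl setting. Function names and the
// $boardurl/$modSettings shapes are assumptions modelled on what the thread describes.

function gravatar_url_from_boardurl(string $email, string $boardurl, int $size = 80): string
{
    // Gravatar identifies an account by the MD5 of the trimmed, lower-cased address.
    $hash = md5(strtolower(trim($email)));

    // Decide by what the forum itself is served over. A forum behind a
    // TLS-terminating proxy (ingress controller, CloudFlare) has an https
    // boardurl without force_ssl being enabled, which is the case called out above.
    $scheme = parse_url($boardurl, PHP_URL_SCHEME);
    $http_method = ($scheme === 'https') ? 'https://secure' : 'http://www';

    return $http_method . '.gravatar.com/avatar/' . $hash . '?s=' . $size;
}

// For comparison: the force_ssl-based selection the thread quotes from Subs.php.
function gravatar_url_from_force_ssl(string $email, array $modSettings, int $size = 80): string
{
    $hash = md5(strtolower(trim($email)));
    $http_method = !empty($modSettings['force_ssl']) ? 'https://secure' : 'http://www';

    return $http_method . '.gravatar.com/avatar/' . $hash . '?s=' . $size;
}

// Returns true when an image URL would be loaded as mixed content on an https page,
// i.e. the forum is served over https but the avatar is fetched over plain http.
function is_mixed_content(string $boardurl, string $imageUrl): bool
{
    return parse_url($boardurl, PHP_URL_SCHEME) === 'https'
        && parse_url($imageUrl, PHP_URL_SCHEME) === 'http';
}

// Constructed sample values: a forum served over TLS (terminated upstream) with
// force_ssl left off, as in the OP's setup.
$boardurl    = 'https://forum.example.org/';
$modSettings = ['force_ssl' => 0];
$email       = 'user@example.org';

$old = gravatar_url_from_force_ssl($email, $modSettings);
$new = gravatar_url_from_boardurl($email, $boardurl);

echo "force_ssl basis: $old (mixed content: " . var_export(is_mixed_content($boardurl, $old), true) . ")\n";
echo "boardurl basis:  $new (mixed content: " . var_export(is_mixed_content($boardurl, $new), true) . ")\n";
```

Run with `php example.php`; with the constructed values the force_ssl-based URL starts with http://www and is flagged as mixed content, while the boardurl-based one starts with https://secure and is not. The is_mixed_content check is the kind of test a theme or template reviewer can run over every generated asset URL to catch the same class of problem beyond Gravatar.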
