View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008882 | mantisbt | other | public | 2008-02-12 10:43 | 2008-10-18 18:32 |
Reporter | pardini | Assigned To | jreese | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.1.1 | ||||
Target Version | 1.1.3 | Fixed in Version | 1.1.3 | ||
Summary | 0008882: Gravatar causes annoying security popups on IE when using Mantis over HTTPS/SSL | ||||
Description | When using Mantis over HTTPS/SSL, the Gravatar image URL is a common HTTP URL which causes boring Internet Explorer popups on almost every page. This is a very common problem when using HTTPS, unfortunately Gravatar does not offer an HTTPS endpoint (that I know of). One solution would be to 'proxy' all gravatar requests through a Mantis PHP file, like 'user_show_avatar.php'. This PHP file would be called just like every other Mantis page, over HTTPS, and would then proxy the request to gravatar, handling HTTP caching headers correctly to reduce the load. This maybe could be also interesting for abstracting the avatar storage method (like the local avatars in 0008257). | ||||
Steps To Reproduce | 1) Use a Mantis install over HTTPS | ||||
Tags | avatar, https | ||||
Attached Files | user_api_gravatar_proxy.patch (1,632 bytes)
Index: user_api.php =================================================================== RCS file: /var/lib/cvs/mantis/core/user_api.php,v retrieving revision 1.5 diff -u -r1.5 user_api.php --- user_api.php 10 Feb 2008 00:49:03 -0000 1.5 +++ user_api.php 12 Feb 2008 17:22:48 -0000 @@ -649,18 +649,22 @@ * in this first implementation, only gravatar.com avatars are supported * @return array|bool an array( URL, width, height ) or false when the given user has no avatar */ - function user_get_avatar( $p_user_id ) { + function user_get_avatar( $p_user_id, $p_use_proxy_page = true) { $t_email = strtolower( user_get_email( $p_user_id ) ); if ( is_blank( $t_email ) ) { $t_result = false; } else { - $t_default_image = config_get( 'default_avatar' ); $t_size = 80; - $t_avatar_url = "http://www.gravatar.com/avatar.php?gravatar_id=" . md5( $t_email ) . - "&default=" . urlencode( $t_default_image ) . - "&size=" . $t_size . - "&rating=G"; - $t_result = array( $t_avatar_url, $t_size, $t_size ); + if ($p_use_proxy_page) { + $t_result = array( 'user_avatar_image.php?id='.$p_user_id, $t_size, $t_size ); + } else { + $t_default_image = config_get( 'default_avatar' ); + $t_avatar_url = "http://www.gravatar.com/avatar.php?gravatar_id=" . md5( $t_email ) . + "&default=" . urlencode( $t_default_image ) . + "&size=" . $t_size . + "&rating=G"; + $t_result = array( $t_avatar_url, $t_size, $t_size ); + } } return $t_result; --- user_avatar_image.php +++ user_avatar_image.php @@ -0,0 +1,0 @@ user_avatar_image.php (3,481 bytes)
<?php # Mantis - a php based bugtracking system # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org # Copyright (C) 2002 - 2007 Mantis Team - mantisbt-dev@lists.sourceforge.net # Mantis is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 2 of the License, or # (at your option) any later version. # # Mantis is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Mantis. If not, see <http://www.gnu.org/licenses/>. # -------------------------------------------------------- # $Id: user_avatar_image.php,v 1.1 2008-02-12 22:06:45 ricardop Exp $ # -------------------------------------------------------- require_once( 'core.php' ); $t_core_path = config_get( 'core_path' ); require_once( $t_core_path . 'user_api.php' ); $user_id = gpc_get_int( 'id' ); $avatarDef = user_get_avatar( $user_id, false); $avatarURL = $avatarDef[0]; if ($avatarURL) { ob_end_clean(); ob_start(); // Request headers. We take these from the request we received, and relay it back to gravatar.com $header = array(); if ($_SERVER['HTTP_PRAGMA']) $header[] = 'Pragma: no-cache'; if ($_SERVER['HTTP_CACHE_CONTROL']) $header[] = 'Cache-Control: no-cache'; if ($_SERVER['HTTP_IF_MODIFIED_SINCE']) $header[] = 'If-Modified-Since: '.$_SERVER['HTTP_IF_MODIFIED_SINCE'].''; if ($_SERVER['HTTP_IF_NONE_MATCH']) $header[] = 'If-None-Match: '.$_SERVER['HTTP_IF_NONE_MATCH'].''; if ($_SERVER['HTTP_USER_AGENT']) $header[] = 'User-Agent: '.$_SERVER['HTTP_USER_AGENT'].''; if ($_SERVER['HTTP_ACCEPT']) $header[] = 'Accept: '.$_SERVER['HTTP_ACCEPT'].''; if ($_SERVER['HTTP_ACCEPT_LANGUAGE']) $header[] = 'Accept-Language: '.$_SERVER['HTTP_ACCEPT_LANGUAGE'].''; if ($_SERVER['HTTP_ACCEPT_ENCODING']) $header[] = 'Accept-Encoding: '.$_SERVER['HTTP_ACCEPT_ENCODING'].''; if ($_SERVER['HTTP_ACCEPT_CHARSET']) $header[] = 'Accept-Charset: '.$_SERVER['HTTP_ACCEPT_CHARSET'].''; $ch = curl_init(); // set URL and other appropriate options curl_setopt($ch, CURLOPT_URL, $avatarURL); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER , 1 ); curl_setopt($ch, CURLOPT_HTTPHEADER, $header); // grab URL and pass it to the browser $response = curl_exec($ch); $info = curl_getinfo($ch); $code = $info['http_code']; $type = $info['content_type']; $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE); curl_close($ch); $headers = substr($response, 0, $header_size); $body = substr($response, $header_size); // PHP insists in sending some unwanted headers, clean those ob_end_clean(); header("Cache-Control: "); header("Pragma: "); header("Expires: "); header("Date: "); header("ETag: "); header("Last-Modified: "); header("Age: "); header("Via: "); // Proxy the headers, directly to the client. This includes the status code. Clean the response first. $headers_array = explode("\n", $headers); foreach ($headers_array as $oneHeader) { header(trim($oneHeader)); } echo $body; die(0); } user_api-tuxsoul.diff (844 bytes)
--- ../temp/mantis-1.1.2/core/user_api.php 2007-10-14 17:35:35.000000000 -0500 +++ /var/www/bts-update/core/user_api.php 2008-08-04 13:15:41.000000000 -0500 @@ -655,7 +655,18 @@ } else { $t_default_image = config_get( 'default_avatar' ); $t_size = 80; - $t_avatar_url = "http://www.gravatar.com/avatar.php?gravatar_id=" . md5( $t_email ) . + + $t_use_ssl = false; + if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) { + $t_use_ssl = true; + } + + if ( !$t_use_ssl ) + $t_gravatar_domain = "http://www.gravatar.com/"; + else + $t_gravatar_domain = "https://secure.gravatar.com/"; + + $t_avatar_url = $t_gravatar_domain . "avatar.php?gravatar_id=" . md5( $t_email ) . "&default=" . urlencode( $t_default_image ) . "&size=" . $t_size . "&rating=G"; | ||||
<rant> This is one of the dumbest IE-isms around. The use of normal HTTP content in HTTPS pages is a Good Thing for images and such, because it's faster and reduces the load on the server for things that don't need to be sent securely. And giving a user a popup in this case does nothing for security, because it doesn't tell you what is insecure, and so people just learn to ignore it anyways. </rant> Anyways, I agree that we shouldn't be annoying the users, and I do think it might be a good solution to use a proxy page, but I will leave this for Giallu, as he implemented the avatar system. |
|
Attached is the proposed proxy page. |
|
Gravatar also support ssl protocol, maybe can check: I'm a newbie, but append a small patch, if possible have this in stable version ? :-D, sorry my english is bad, greeting's ;-). |
|
Nice and easy solution. I would appreciate it, if it becomes part of the official mantis too ;-) |
|
Agreed. tuxsoul's solution is much better since Gravatar has an SSL site. |
|
Fix to use Gravatar over SSL has been committed to SVN 1.1.x branch, r5529, and trunk, r5530. |
|
MantisBT: master-1.1.x cd3f6374 2008-08-28 09:45 Details Diff |
Fix 0008882: Serve secure Gravatar images when using HTTPS. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5529 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0008882 |
|
mod - core/user_api.php | Diff File | ||
MantisBT: master 241f91d5 2008-08-28 09:48 Details Diff |
Fix 0008882: Serve secure Gravatar images when using HTTPS. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5530 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0008882 |
|
mod - core/user_api.php | Diff File |