Gravatars not updating with all image file types disallowed


I’m using the latest version of Discourse and have Gravatars enabled, avatar uploads enabled, but file uploads turned off (no extensions are whitelisted). We also have SSO enabled but avatars via SSO disabled.

When a user asks the site to manually refresh his gravatar, Discourse does not pull in a new gravatar. How can I fix this?

well this sounds like a very odd combo, indeed a bug

I seriously doubt we ever tested no image extensions allowed. Why do you have this odd combo of settings? What exactly is the point of disabling gif and jpg uploads for users?


I disabled file uploads after this exchange, as it appears more security testing work should be done to see if file uploads are not vulnerable to exploits. There was actually a pretty good presentation about picture upload vulns that just went up the other day.

To be clear, I’m not saying file upload is vulnerable, I’m just saying we want to test it more and we haven’t had the time to do that in the past couple of weeks. So far now, we’re choosing the “better safe than sorry” route.

Question related to OP:
What kind of lag time is there between updating my image on Gravatar’s end and then that image pulling in to Discourse (upon manual refresh)? I’ve been testing this today, and it seems like it is not instantaneous…but it might work after some undefined period of time (30-90mins?)?

Well technically I would call that the “inconvenience our users” route, but opinions vary :wink:

I believe this was more than covered in the previous topic, but if you really feel this is vulnerable, despite all the data and answers provided there, why don’t you put a bounty on it and find out what works?

@zogstrip just added an alert dialog that tells people to wait an hour after changing their avatar because of caching.

Haha, thanks for your time on this Jeff.

We’ll consider putting a bounty on it :smile:

And thanks for the “wait an hour” bit. I’ll mess around with that later today to see if I can get gravatars to work without file uploads enabled.

1 Like