I disabled file uploads after this exchange, as it appears more security testing work should be done to see if file uploads are not vulnerable to exploits. There was actually a pretty good presentation about picture upload vulns that just went up the other day.
To be clear, I’m not saying file upload is vulnerable, I’m just saying we want to test it more and we haven’t had the time to do that in the past couple of weeks. So for now, we’re choosing the “better safe than sorry” route.
Question related to OP:
What kind of lag time is there between updating my image on Gravatar’s end and then that image pulling in to Discourse (upon manual refresh)? I’ve been testing this today, and it seems like it is not instantaneous… but it might work after some undefined period of time (30-90 mins?)?