WordPress.org

BulletProof Security
[resolved] Default user avatar not loading anymore (23 posts)

  1. BeautyPirate
    Member
    Posted 1 year ago #

    Hello,

    I have activated the secure mode of your plugin and everything works well, apart from my default user avatar not loading anymore.

    I am using the plugin Default Gravatar Sans to block all calls to Gravatar
    http://wordpress.org/extend/plugins/default-gravatar-sans/

    And then Simple Local Avatars to provide a new default avatar and an upload function for the registered users.
    http://wordpress.org/extend/plugins/simple-local-avatars/

    I am not sure where to start now, what could cause the issue?

    http://wordpress.org/extend/plugins/bulletproof-security/

    Edit: I've already deleted the hotlinking part from your htaccess file (because my images are being served from several subdomains...) but that did not help either.

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Check your BPS Security Log for errors and post ONLY any errors that are directly related to the Gravatar/Avatar plugin(s).

  3. BeautyPirate
    Member
    Posted 1 year ago #

    Hello there, the error log has no entries whatsoever.

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok next do these steps.

    1. Make a backup of your .htaccess files using BulletProof Security built-in Backup.
    2. Activate Default Mode on the Security Modes page.
    3. Use the Delete wp-admin .htaccess feature on the Security Modes page.
    4. Test your plugin or theme. If the problem is still occurring then the problem is not related to BPS.
    5. Restore your .htaccess files using BulletProof Security built-in Restore.

    If the problem goes away after doing step 4 then BPS is blocking something that the plugin or theme is doing. Once you have confirmed this then these 2 plugins will be tested and a solution will be posted here.

  5. BeautyPirate
    Member
    Posted 1 year ago #

    I've done every step and the avatar was still gone. Then I deactivated the BPS plugin and all of a sudden the avatar was back.

  6. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Deactivating the BPS plugin only deactivates the BPS plugin itself and does not do anything else that would affect anything else. BPS is designed with the built-in troubleshooting tools instead as mentioned above to take BPS out of the equation for testing and troubleshooting. There may be some other issue/factor occurring that we are not aware of so these plugins will be tested to see if this is the case. The test results will be posted back here.

  7. BeautyPirate
    Member
    Posted 1 year ago #

    I think I know what happens.

    The Simple Local Avatar Plugin adds a question mark in the rendered HTML and BPS gives an error when hitting it like this. Try it yourself:

    http://static.stevemakeup.com/avatar.png?

    (Not working, also there was another server error...)

    http://static.stevemakeup.com/avatar.png Working fine.

    I'll try and find a way to hack that question mark out of the other plugin now.

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    hmm yep that Query string is missing something. Where is the rest of the Query string? Query strings should look like this: default-user-avatar-not-loading-anymore?replies=7#post-4170710

    The question mark in URLs means a Query string starts here and then the parameters of the Query string follow the question mark.

    Will be testing this plugin shortly.

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I assume the security rule or rules that is blocking this is one of these below. In any case, the Question mark alone without any parameters after the question mark is most likely a coding boo boo.

    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]

    Probably not this RFI security filter

    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
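
An added check, not part of the original thread or of BPS: it evaluates the three conditions quoted in the post above against the request line and query string Apache derives for a URL, which shows that a bare `?` leaves QUERY_STRING empty and is only visible in THE_REQUEST. `server_vars` and `matching_conditions` are hypothetical helper names, the sample requests are constructed, and the code assumes each condition feeds a forbidding RewriteRule.

```python
import re

# The three conditions quoted in the post, as (variable, pattern, flags).
# Assumption: each one leads to a RewriteRule ending in [F] (403 Forbidden).
CONDITIONS = [
    ("QUERY_STRING", r"[a-zA-Z0-9_]=(\.\.//?)+", 0),
    ("QUERY_STRING", r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", re.IGNORECASE),  # [NC]
    ("THE_REQUEST", r"\?\ HTTP/", re.IGNORECASE),                        # [NC]
]


def server_vars(method, target, version="HTTP/1.1"):
    """Build the two mod_rewrite variables these conditions test."""
    # QUERY_STRING is everything after the first '?', without the '?' itself,
    # so "/avatar.png?" yields an empty string.
    _path, _sep, query = target.partition("?")
    return {
        "THE_REQUEST": f"{method} {target} {version}",
        "QUERY_STRING": query,
    }


def matching_conditions(method, target):
    """Return the patterns that match; RewriteCond regexes are unanchored, so use search()."""
    env = server_vars(method, target)
    return [pat for var, pat, flags in CONDITIONS if re.search(pat, env[var], flags)]


if __name__ == "__main__":
    # Constructed sample requests, not taken from any log.
    samples = [
        "/avatar.png",
        "/avatar.png?",
        "/avatar.png?s=32",
        "/index.php?file=../../x",
    ]
    for target in samples:
        hits = matching_conditions("GET", target)
        print(f"{target:28} -> {hits if hits else 'no condition matches'}")
```

When a request is blocked and the Security Log is empty, running the request line through each condition this way narrows down which rule to adjust.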

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    You could probably whitelist the avatar.png file by adding it as shown below.

    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Only Allow Internal File Requests From Your Website
    # To Allow Additional Websites Access to a File Use [OR] as shown below.
    # RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.* [OR]
    # RewriteCond %{HTTP_REFERER} ^.*AnotherWebsite.com.*
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (avatar\.png|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*example.com.*
    RewriteRule . - [S=1]

  11. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Code correction: I fat fingered it so recheck the correction above. ;)

  12. BeautyPirate
    Member
    Posted 1 year ago #

    What would I put in anotherwebsite.com and example.com?

    What of those should I use now? I'm a bit confused :-)

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    You would ONLY be adding avatar\.png| and nothing else. Be sure to include the pipe operator | after avatar\.png|.

    RewriteCond %{REQUEST_URI} (avatar\.png|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]

  14. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    For the Default Gravatar Sans plugin I do not understand what this plugin author is trying to do with the question mark. It does not make any logical sense for it to be there. Just delete them. My hunch is that this was never completed and forgotten about.

    function local_default_avatar( $url )
    	{
    		if( $option = get_option( 'raoh_CustomDefaultAvatar') )
    			$url = $option['url'];
    
    		return $url . '?';
    	}

    or here

    if ( 'blank' == $default )
    			$default = includes_url('images/blank.gif') . '?';

  15. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    FYI - if you just want to create a custom avatar you can do this fairly easily by doing this.

    http://www.christine.biz/blogging/custom-wordpress-avatar/

  16. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ah never mind I see what you are trying to do with both plugins. Allow users to upload their own avatar. Ok well by just making the code changes to the Default Gravatar Sans plugin then everything works fine.

  17. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    These plugins were tested and a solution was found above. Resolving.

  18. BeautyPirate
    Member
    Posted 1 year ago #

    Thank you so much for all the work. I just removed the ? between the backticks in the plugin and it works on all front end pages now. Dashboard still shows broken image urls though.

    http://0.gravatar.com/avatar/c1a0da7178a718bfefa231f4bc0ec27c?s=32&d=local_default&r=G&forcedefault=1

    This is the url of the broken image and it is not supposed to be anything from gravatar. Your plugin interferes with the code somehow. Checked again, when I deactivate BPS (with or without htaccess files removed before) the avatar immediately reappears.

  19. BeautyPirate
    Member
    Posted 1 year ago #

    Just to return the favor, do you have a German language translation already? I could make one for you.

  20. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok I'll check it out and see if this is another coding mistake in that plugin or if this is something legitimate that is being blocked. Thanks.

    If you use the Google Chrome Browser you can right mouse click in plugin pages and then click on Translate to... To translate plugin text into your Language.

    If you still feel like doing a German translation be my guest, but there is a lot of help information in BPS so the translations are very time consuming so do not feel that you need to do this. ;)

  21. BeautyPirate
    Member
    Posted 1 year ago #

    I didn't say I was gonna do it in 24hrs, did I? :-)
    I'll have a look at the files by the weekend. Can't be so much :-)

  22. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Uh it's quite a lot of help text. ;) I believe in putting all help information at someone's fingertips right where they can find it instead of having them go to another website to find the answer.

    Personal Note: About 80% of folks click on the Read Me help buttons when they have questions and typically 95% of them find the answer they were looking for. Some issues/problems are specific/isolated to a particular website for any one of various reasons so general help would not do the trick anyway.

    Thanks for the offer, but once you see how much time will be involved I will not think less of you for retracting the offer. ;)

  23. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep, just as I thought. With BPS .htaccess files deactivated the gravatar link in the backend still displays the link to the gravatar site. The issue is not being caused by BPS and in this case what needs to happen based on this plugin's code is...

    The plugin is assuming this condition in a couple of places:

    $default = apply_filters( 'local_default_avatar', get_template_directory_uri() . '/images/default_avatar.png' );

    If this condition is not true then nothing will work correctly because it does not allow for any variance and is not doing anything dynamic and instead is doing a static assumption based on whether you have created this folder and this image - /images/ default_avatar and also modified your theme files to match this condition.

    Possible ways to work with this would be to do what the plugin code is assuming and create this condition or maybe just do something different, but similar based on this link below.
    http://wordpress.stackexchange.com/questions/17413/removing-gravatar-com-support-for-wordpress-and-simple-local-avatars

    This plugin requires additional coding that I do not have the spare time to fiddle with or create that additional code.

Topic Closed

This topic has been closed to new replies.
