From a37b2d42fbc6d837857bb9a33cea8310737477a6 Mon Sep 17 00:00:00 2001
From: Benjamin Carleski
Date: Tue, 20 Nov 2018 15:08:50 -0800
Subject: [PATCH] Disable Gravatar images when FIPS is enabled

Gravatar image URLs require an MD5 hash of the email be generated. On a FIPS-enabled server, the MD5 algorithm is not available. As Gravatar doesn't offer any other method for getting user images, enabling FIPS means that no user images will be available.
---
 src/Umbraco.Core/Models/UserExtensions.cs | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/Umbraco.Core/Models/UserExtensions.cs b/src/Umbraco.Core/Models/UserExtensions.cs
index 5db36d16ed..d989876607 100644
--- a/src/Umbraco.Core/Models/UserExtensions.cs
+++ b/src/Umbraco.Core/Models/UserExtensions.cs
@@ -3,6 +3,7 @@ using System.Collections.Generic;
 using System.Globalization;
 using System.Linq;
 using System.Net;
+using System.Security.Cryptography;
 using Umbraco.Core.Cache;
 using Umbraco.Core.Configuration;
 using Umbraco.Core.IO;
@@ -35,9 +36,12 @@ namespace Umbraco.Core.Models
 /// A list of 5 different sized avatar URLs
 ///
 internal static string[] GetUserAvatarUrls(this IUser user, ICacheProvider staticCache)
- {
- //check if the user has explicitly removed all avatars including a gravatar, this will be possible and the value will be "none"
- if (user.Avatar == "none")
+ {
+ // If FIPS is required, never check the Gravatar service as it only supports MD5 hashing.
+ // Unfortunately, if the FIPS setting is enabled on Windows, using MD5 will throw an exception
+ // and the website will not run.
+ // Also, check if the user has explicitly removed all avatars including a gravatar, this will be possible and the value will be "none"
+ if (user.Avatar == "none" || CryptoConfig.AllowOnlyFipsAlgorithms)
 {
 return new string[0];
 }
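Review bot: The combined guard `if (user.Avatar == "none" || CryptoConfig.AllowOnlyFipsAlgorithms)` in the second hunk returns an empty array for every user as soon as FIPS mode is on, which is broader than the added comment's "never check the Gravatar service". The rest of GetUserAvatarUrls lies outside the hunk; if it also builds URLs for avatars stored on the site itself, those presumably need no MD5 and would be hidden too. Consider leaving the `"none"` test as it was and placing a separate `if (CryptoConfig.AllowOnlyFipsAlgorithms) return new string[0];` immediately before the email hash is computed, so only the Gravatar lookup is skipped. The XML doc still promises "A list of 5 different sized avatar URLs", so it would also help to state there that the result is empty when FIPS-only algorithms are enforced.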