FIX: add 'Content-Length' header for avatars

app/controllers/static_controller.rb

@@ -77,13 +77,12 @@ class StaticController < ApplicationController
   end
 
   skip_before_filter :verify_authenticity_token, only: [:cdn_asset]
+
   def cdn_asset
     path = File.expand_path(Rails.root + "public/assets/" + params[:path])
 
     # SECURITY what if path has /../
-    unless path.start_with?(Rails.root.to_s + "/public/assets")
+    raise Discourse::NotFound unless path.start_with?(Rails.root.to_s + "/public/assets")
-      raise Discourse::NotFound
-    end
 
     expires_in 1.year, public: true
 
@@ -96,10 +95,8 @@ class StaticController < ApplicationController
     rescue Errno::ENOENT
       raise Discourse::NotFound
     end
-    opts = {
-      disposition: nil
-    }
 
+    opts = { disposition: nil }
     opts[:type] = "application/javascript" if path =~ /\.js$/
 
     # we must disable acceleration otherwise NGINX strips
@@ -107,4 +104,5 @@ class StaticController < ApplicationController
     request.env['sendfile.type'] = ''
     send_file(path, opts)
   end
+
 end

app/controllers/user_avatars_controller.rb

@@ -24,12 +24,12 @@ class UserAvatarsController < ApplicationController
     params.require(:version)
     params.require(:size)
 
-    if params[:version].to_i > LetterAvatar::VERSION
+    return render_dot if params[:version].to_i > LetterAvatar::VERSION
-      return render_dot
-    end
 
     image = LetterAvatar.generate(params[:username].to_s, params[:size].to_i)
+
     response.headers["Last-Modified"] = File.ctime(image).httpdate
+    response.headers["Content-Length"] = File.size(image).to_s
     expires_in 1.year, public: true
     send_file image, disposition: nil
   end
@@ -77,6 +77,7 @@ class UserAvatarsController < ApplicationController
 
     if image
       response.headers["Last-Modified"] = File.ctime(image).httpdate
+      response.headers["Content-Length"] = File.size(image).to_s
       expires_in 1.year, public: true
       send_file image, disposition: nil
     else

config/routes.rb

@@ -253,10 +253,8 @@ Discourse::Application.routes.draw do
   get "users/:username/badges_json" => "user_badges#username"
 
   post "user_avatar/:username/refresh_gravatar" => "user_avatars#refresh_gravatar"
-  get "letter_avatar/:username/:size/:version.png" => "user_avatars#show_letter",
+  get "letter_avatar/:username/:size/:version.png" => "user_avatars#show_letter", format: false, constraints: { hostname: /[\w\.-]+/ }
-      format: false, constraints: {hostname: /[\w\.-]+/}
+  get "user_avatar/:hostname/:username/:size/:version.png" => "user_avatars#show", format: false, constraints: { hostname: /[\w\.-]+/ }
-  get "user_avatar/:hostname/:username/:size/:version.png" => "user_avatars#show",
-      format: false, constraints: {hostname: /[\w\.-]+/}
 
   get "uploads/:site/:id/:sha.:extension" => "uploads#show", constraints: {site: /\w+/, id: /\d+/, sha: /[a-z0-9]{15,16}/i, extension: /\w{2,}/}
   get "uploads/:site/:sha" => "uploads#show", constraints: { site: /\w+/, sha: /[a-z0-9]{40}/}