Consider removing the user.profile.avatar.maxSize permission

[TimWolla]

The permission is not really reliable to ensure an upper bound for the file size of the avatar, because larger images will be implicitly scaled down to 128×128. If the rescaled image exceeds the file size (e.g. because libgd did not compress as well as it could, thus enlarging the file size) then either a confusing error message will need to be emitted to the user or the resulting image will exceed the configured maximum size. Both outcomes are questionable.

Furthermore the generated WebP file size is entirely out of the uploader's and the administrator's control.

Instead a reasonable hardcoded upper limit on the file size should be implemented. It should be large enough to allow everything a user might legitimately upload and small enough to prevent abuse (e.g. by uploading a JPG with a huge multi-megabyte EXIF section).

The following random noise image should be a worst case for compression algorithms and is 32kB as a PNG and 50kB as a JPEG:

A reasonable limit for the uploaded file size would be 1 Megabyte.

see also: 8291b3fa27c6d6f4bed19a0da0a5d87cbfd781b1