[Bug 1372199] [NEW] in emails, unsubscribe links should not react to HTTP HEAD requests

Stephane Martin stephane.martin at vesperal.eu
Mon Sep 22 01:02:20 CEST 2014


Public bug reported:

Welcome emails from mailman include a URL to perform unsubscribing.

ex: https://lists.schneier.com/cgi-bin/mailman/options/crypto-gram/XXX%40XXX?login-unsub=Unsubscribe

If you perform an HTTP HEAD request on that URL, it triggers the
unsubscribe process, and an unsubscribe confirmation email is sent to
the user.

This shouldn't happen: the HTTP HEAD method is not HTTP GET. It's supposed
to only return headers, not to trigger an action on the web server.

I have anti-malware software that checks every HTTP link in received
emails. When such a link is found by the anti-malware, it does an HTTP HEAD
request on the URL to check the MIME type (if the MIME type shows a Windows
executable, an alert is sent). But this HEAD request is understood by
mailman as a *real* unsubscribe request, so mailman sends a confirmation
to the actual user (who is lost).

(Strictly speaking, the behaviour is wrong even with an HTTP GET request:
GET should not trigger a web server action either...)

** Affects: mailman
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1372199
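The distinction the report draws, safe methods (GET, HEAD) that must not change server state versus a state-changing action that should require a POST, as an added example in Python. This is illustrative code written for this page, not Mailman's CGI code: the URL, the member-store class and the handler functions are all constructed for the example. The first handler reproduces the reported behaviour (any request whose query string carries `login-unsub` sends the confirmation mail); the second answers HEAD with headers only, answers GET with a form holding a one-time token, and sends the mail only on a POST that presents an unused token, so a link scanner's HEAD or GET is harmless.

```python
"""Safe vs. state-changing HTTP methods on an unsubscribe link (added example,
not Mailman code).  Names, URL and the in-memory store are constructed here."""
import html
import secrets
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed URL shaped like the one in the report; the address is a placeholder.
UNSUB_URL = ("https://lists.example.org/cgi-bin/mailman/options/"
             "crypto-gram/user%40example.org?login-unsub=Unsubscribe")


class MemberStore:
    """Stand-in for the list's member database (constructed for the example)."""

    def __init__(self):
        self.confirmation_mails = []   # addresses that were sent an unsubscribe confirmation
        self.pending_tokens = {}       # one-time token -> address it was issued for

    def send_unsub_confirmation(self, address):
        self.confirmation_mails.append(address)


def member_address(url):
    """The member address is the last path segment of the options URL, percent-decoded."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def handle_vulnerable(store, method, url):
    """Behaviour the report describes: the presence of login-unsub in the query
    string is enough, whatever the method, so a HEAD from a link scanner makes
    the server mail the member a confirmation.  Returns (status, headers, body)."""
    params = parse_qs(urlsplit(url).query)
    if "login-unsub" in params:
        store.send_unsub_confirmation(member_address(url))
        return 200, {}, "confirmation mail sent"
    return 200, {}, "options page"


def handle_hardened(store, method, url, form=None):
    """GET and HEAD never change state.  HEAD returns the page headers with an
    empty body and issues no token; GET renders a form carrying a one-time
    token; only a POST presenting a valid, unused token sends the mail."""
    address = member_address(url)
    params = parse_qs(urlsplit(url).query)

    if method == "HEAD":
        return 200, {"Content-Type": "text/html"}, ""

    if method == "GET":
        if "login-unsub" not in params:
            return 200, {"Content-Type": "text/html"}, "options page"
        token = secrets.token_urlsafe(16)
        store.pending_tokens[token] = address
        body = (f'<form method="POST" action="{html.escape(urlsplit(url).path)}">'
                f'<input type="hidden" name="token" value="{token}">'
                f'<button name="login-unsub">Unsubscribe {html.escape(address)}</button>'
                '</form>')
        return 200, {"Content-Type": "text/html"}, body

    if method == "POST":
        token = (form or {}).get("token", "")
        # pop() makes the token single-use, so a replayed POST is refused; the
        # token must also have been issued for the address in the URL.
        if store.pending_tokens.pop(token, None) != address:
            return 403, {}, "missing, unknown or already-used token"
        store.send_unsub_confirmation(address)
        return 200, {}, "confirmation mail sent"

    return 405, {"Allow": "GET, HEAD, POST"}, "method not allowed"


if __name__ == "__main__":
    scanned = MemberStore()
    handle_vulnerable(scanned, "HEAD", UNSUB_URL)
    print("vulnerable handler after a scanner's HEAD:", scanned.confirmation_mails)
    safe = MemberStore()
    handle_hardened(safe, "HEAD", UNSUB_URL)
    handle_hardened(safe, "GET", UNSUB_URL)
    print("hardened handler after HEAD and GET:", safe.confirmation_mails)
```

The token is what ties the side effect to a deliberate click on the rendered page rather than to the mere dereferencing of the link; in a real deployment it would additionally be bound to the user's session so that a page fetched by one client cannot be submitted by another.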