| Summary: | Insecure mailing list unsubscription with mailman | | |
|---|---|---|---|
| Product: | Documentation | Reporter: | Johannes Jost Meixner <xmj> |
| Component: | Website | Assignee: | postmaster |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | CC: | peter, wiml |
| Priority: | --- | | |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |

Description
Johannes Jost Meixner
2015-06-19 16:11:03 UTC
This is true of subscription-confirmation requests as well, probably just an error in mailman configuration (possibly DEFAULT_URL_PATTERN ?)

The confirmation link in email is http://lists.freebsd.org/mailman/confirm/blahblah, which redirects to HTTPS. But the confirmation form explicitly specifies HTTP again:

> <FORM action="http://lists.freebsd.org/mailman/confirm/freebsd-fs" method="POST" >

which causes another insecure request.

I don't think we are passing the correct tokens through from the front end proxy for this to work right without a redirect loop. I'll look at this after some sleep.

Postmaster: I have run:

mailman% ../bin/withlist -l -a -r fix_url

This has changed the per-list config.pck settings from
'web_page_url': 'http://lists.freebsd.org/mailman/',
to
'web_page_url': 'https://lists.freebsd.org/mailman/',

Thanks for fixing this!
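
An added example, not part of the bug thread or of Mailman: a check that flags the downgrade reported above, where a page served over HTTPS contains a form whose action resolves to plain HTTP. The function and class names are hypothetical, and the sample pages are constructed; the "after" form assumes the action follows the corrected `web_page_url`.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <FORM ...> matches.
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def insecure_form_targets(page_url, html):
    """Return resolved form targets that use http although the page is https."""
    if urlsplit(page_url).scheme != "https":
        return []  # the page itself is not on HTTPS, so there is no downgrade
    collector = FormActionCollector()
    collector.feed(html)
    # Resolve relative actions against the page URL before checking the scheme.
    targets = [urljoin(page_url, action) for action in collector.actions]
    return [t for t in targets if urlsplit(t).scheme == "http"]


# Constructed samples. BEFORE reuses the form tag quoted in the report;
# AFTER and RELATIVE are assumed forms of the same tag that stay on HTTPS.
PAGE_URL = "https://lists.freebsd.org/mailman/confirm/freebsd-fs"
BEFORE = '<FORM action="http://lists.freebsd.org/mailman/confirm/freebsd-fs" method="POST" >'
AFTER = '<FORM action="https://lists.freebsd.org/mailman/confirm/freebsd-fs" method="POST" >'
RELATIVE = '<form action="../confirm/freebsd-fs" method="POST">'

if __name__ == "__main__":
    for name, html in (("before", BEFORE), ("after", AFTER), ("relative", RELATIVE)):
        print(name, insecure_form_targets(PAGE_URL, html))
```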