Bug 200974

Summary: Insecure mailing list unsubscription with mailman
Product: Documentation
Reporter: Johannes Jost Meixner <xmj>
Component: Website
Assignee: postmaster
Status: Closed FIXED
Severity: Affects Only Me
CC: peter, wiml
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Description Johannes Jost Meixner freebsd_committer freebsd_triage 2015-06-19 16:11:03 UTC
When unsubscribing from a mailing list, then clicking the link to 

https://lists.freebsd.org/mailman/confirm/freebsd-wireless/<hash> in the confirmation mail,

and on that link hitting the "Unsubscribe" button, the form is sent insecurely, which throws a security warning.

Please change the form action to use HTTPS, in consistency with mailman's confirm URL.
Comment 1 wiml 2015-08-13 01:28:49 UTC
This is true of subscription-confirmation requests as well; probably just an error in mailman configuration (possibly DEFAULT_URL_PATTERN?).

The confirmation link in email is http://lists.freebsd.org/mailman/confirm/blahblah, which redirects to HTTPS. But the confirmation form explicitly specifies HTTP again:

> <FORM action="http://lists.freebsd.org/mailman/confirm/freebsd-fs" method="POST" >

which causes another insecure request.
Comment 2 Peter Wemm freebsd_committer freebsd_triage 2015-08-13 05:59:53 UTC
I don't think we are passing the correct tokens through from the front end proxy for this to work right without a redirect loop.

I'll look at this after some sleep.
Comment 3 Peter Wemm freebsd_committer freebsd_triage 2015-08-13 06:29:27 UTC
Postmaster: I have run:
mailman% ../bin/withlist -l -a -r fix_url

This has changed the per-list config.pck settings from 
    'web_page_url': 'http://lists.freebsd.org/mailman/',
to
    'web_page_url': 'https://lists.freebsd.org/mailman/',
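The two checks an operator would want after a fix like the one in comment 3, as an added example that is not part of this bug report and not Mailman's own fix_url code: first, the mixed-content condition described in comment 1 (a confirmation page served over HTTPS whose form action submits over plain HTTP), detected by parsing form actions and resolving them against the page URL; second, an audit of per-list settings for a web_page_url that still uses http. The sample HTML and the list settings below are constructed to mirror what the comments quote; the function names and the dict shape standing in for config.pck are assumptions of this example.

```python
"""Added example (not from the FreeBSD bug report or from Mailman itself):
detect HTTPS-to-HTTP downgrades in mailman confirmation pages and in
per-list web_page_url settings."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collects the action attribute of every <form> element on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <FORM action=...>
        # from the report is matched here as well.
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def downgraded_form_actions(page_url, html):
    """Return the form actions that would submit over plain HTTP from a page
    that was itself served over HTTPS (the condition reported in comment 1).
    Relative actions are resolved against page_url, so they inherit its scheme
    and are not flagged."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = FormActionCollector()
    parser.feed(html)
    downgraded = []
    for action in parser.actions:
        resolved = urljoin(page_url, action)
        if urlsplit(resolved).scheme == "http":
            downgraded.append(resolved)
    return downgraded


def lists_with_http_web_page_url(list_configs):
    """Given {listname: settings-dict} carrying the 'web_page_url' key (the
    setting comment 3 changed), return the lists whose URL still uses http.
    The dict shape is an assumption of this example, not Mailman's pickle format."""
    return sorted(
        name for name, cfg in list_configs.items()
        if urlsplit(cfg.get("web_page_url", "")).scheme == "http"
    )


# Constructed sample page: the confirm form quoted in comment 1, served over HTTPS.
SAMPLE_PAGE_URL = "https://lists.freebsd.org/mailman/confirm/freebsd-fs"
SAMPLE_HTML = """
<html><body>
<FORM action="http://lists.freebsd.org/mailman/confirm/freebsd-fs" method="POST" >
<input type="submit" value="Unsubscribe">
</FORM>
<form action="/mailman/options/freebsd-fs" method="post"></form>
</body></html>
"""

# Constructed per-list settings: one list before the fix_url run, one after.
SAMPLE_CONFIGS = {
    "freebsd-fs": {"web_page_url": "http://lists.freebsd.org/mailman/"},
    "freebsd-wireless": {"web_page_url": "https://lists.freebsd.org/mailman/"},
}

if __name__ == "__main__":
    for url in downgraded_form_actions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form submits over plain HTTP:", url)
    for name in lists_with_http_web_page_url(SAMPLE_CONFIGS):
        print("list still configured with http web_page_url:", name)
```

Run against a live page, the first check is what would have caught the form in comment 1 even after the email link itself started redirecting to HTTPS; the second is the post-change verification for a run of fix_url like the one in comment 3.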
Comment 4 Johannes Jost Meixner freebsd_committer freebsd_triage 2016-02-02 13:44:36 UTC
Thanks for fixing this!