Open Cwpute opened 9 months ago
This unkindness is intentional.
Normally, the operation of unsubscription can be initiated without authentication so that users can unsubscribe themselves even if they have forgotten their own password.
However, if Sympa were to change its behavior based on whether or not the user is actually subscribed, an attacker could know whether or not the user is currently on the list by entering the email address of any user.
To prevent this, the same message is always displayed to the user who initiated the unsubscription, while, when the user is not subscribed, the following message is sent to the address for which unsubscription was requested:
Someone (probably you) requested for unsubscribing from list [listname], but you have not subscribed to this list.
It would be good though to add the actual email in Sympa to this message, as the actual email might be redirected to another email. That may result in confusion about the real email in use.
NB: version of Framalistes: 6.2.72
[…] an attacker could know whether or not the user is currently on the list by entering the email address of any user. To prevent this, the same message is always displayed to the user who initiated the unsubscription,
As I suggested, changing that message to always display "You will soon receive further instructions at this email address." should work then, as it doesn't give away whether this address was subscribed to the mailing-list or not. It would still serve to confirm the requested action, while giving additional information about what's going to happen next.
If anything, it's going to deter attackers sooner, as they will understand quickly that without access to this address they won't know more.
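The design the two comments above converge on (one fixed browser reply for every address, with the subscribed/not-subscribed wording delivered only to the mailbox and echoing the address it went to) can be modelled in a few lines. The following is an added example written for this thread, not Sympa's own code: the list name, addresses, secret and token scheme are all made up, and the "leaky" handler is included only as the contrasting behaviour the thread describes, alongside a check that a defender can run to confirm the browser-facing text does not vary with membership.

```python
"""Constant-response unsubscribe request handling.

Added example (not Sympa's code): models the design discussed in this
thread. The browser always sees the same text whether or not the address
is subscribed, so the form cannot be used as a membership oracle; the
state-dependent wording goes only to the mailbox and names the address it
was sent to. List name, addresses and secret are constructed placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass

LIST_NAME = "example-list"                              # hypothetical list
SUBSCRIBERS = {"alice@example.org", "bob@example.org"}  # constructed members
SECRET = b"server-side confirmation key"                # placeholder secret

# Neutral text proposed in the thread: true for subscribed and unsubscribed addresses alike.
WEB_RESPONSE = "You should promptly receive an email with further instructions."


@dataclass
class OutboundMail:
    to: str
    subject: str
    body: str


def confirm_token(secret: bytes, email: str) -> str:
    """Unguessable confirmation token bound to the address (hypothetical scheme)."""
    return hmac.new(secret, email.encode(), hashlib.sha256).hexdigest()[:32]


def handle_unsubscribe(email: str, subscribers: set, secret: bytes = SECRET):
    """Return (text shown in the browser, mail queued to the requested address)."""
    addr = email.strip().lower()
    if addr in subscribers:
        mail = OutboundMail(
            to=addr,
            subject=f"Confirm unsubscription of {addr} from {LIST_NAME}",
            body=(f"Someone (probably you) requested unsubscription of {addr} "
                  f"from list {LIST_NAME}. Confirmation token: {confirm_token(secret, addr)}"),
        )
    else:
        mail = OutboundMail(
            to=addr,
            subject=f"Unsubscription request for {addr} on {LIST_NAME}",
            body=(f"Someone (probably you) requested unsubscription of {addr} "
                  f"from list {LIST_NAME}, but this address is not subscribed."),
        )
    # Whichever branch ran, the requester sees exactly the same text.
    return WEB_RESPONSE, mail


def leaky_handle_unsubscribe(email: str, subscribers: set):
    """The behaviour the thread warns against: the web reply itself reveals membership."""
    addr = email.strip().lower()
    if addr in subscribers:
        return "Your email address has been unsubscribed.", None
    return "This address is not subscribed to the list.", None


def web_response_is_uniform(handler, probes, subscribers) -> bool:
    """Defender's check: browser-facing text must be identical for every probed address."""
    responses = {handler(p, subscribers)[0] for p in probes}
    return len(responses) == 1


if __name__ == "__main__":
    probes = ["alice@example.org", "carol@example.org"]  # one member, one non-member
    for p in probes:
        text, mail = handle_unsubscribe(p, SUBSCRIBERS)
        print(f"{p}: browser -> {text!r}")
        print(f"{' ' * len(p)}  mail    -> {mail.body}")
    print("uniform (fixed):", web_response_is_uniform(handle_unsubscribe, probes, SUBSCRIBERS))
    print("uniform (leaky):", web_response_is_uniform(leaky_handle_unsubscribe, probes, SUBSCRIBERS))
```

Running the script prints the identical browser line for both probes while the two mail bodies differ, and the uniformity check returns True for the fixed handler and False for the leaky one. Note that the check only covers the response text; a real deployment would also want the two branches to take comparable time and to rate-limit the form, since a large timing gap or unlimited probing can leak the same bit by other means.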
What is the setting of the unsubscribe scenario of your list? We need to be able to respond to all situations.
What do you mean by "what is the setting"? I am not an administrator of that mailing-list.
By default, these options are possible.
Version
Version used on Framalistes.org as of now... I'm not sure how to know the Sympa version used there as I'm only a user.
Installation method
Should ask people maintaining Framalistes.org
Expected behavior
After having entered your email address for unsubscribing, Sympa should tell you that further instructions will arrive by mail, for example: "You should promptly receive an email with further instructions."
Actual behavior
Sympa currently tells you "Your email address has been unsubscribed", which is not true: Sympa just sends you an email with further instructions. Also, if the email address you entered was incorrect, you will not receive the expected email to actually unsubscribe, and will only find out about it next time you receive a new email from that mailing-list. Or if you entered a correct email address that you have access to, but which was not subscribed to this list, you will receive an email contradicting what Sympa just told you, saying that the email was not subscribed to this list. This situation can effectively be highly misleading.
Steps to reproduce
Additional information
Maybe this should've been reported as a feature request, because the whole process might need some rework.