sympa-community / sympa

Sympa, Mailing List Management Software
https://www.sympa.community/sympa
GNU General Public License v2.0

Misleading unsubscribe message #1730

Open Cwpute opened 9 months ago

Cwpute commented 9 months ago

Version

Version used on Framalistes.org as of now... I'm not sure how to know the Sympa version used there as I'm only a user.

Installation method

Should ask people maintaining Framalistes.org

Expected behavior

After having entered your email address for unsubscribing, Sympa should tell you that further instructions will arrive by mail, for example: "You should promptly receive an email with further instructions.".

Actual behavior

Sympa currently tells you "Your email address has been unsubscribed" which is not true: Sympa just sends you an email with further instructions. Also, if the email address you entered was incorrect, you will not receive the expected email to actually unsubscribe, and will only find out about it next time you receive a new email from that mailing-list. Or if you entered a correct email address that you have access to, but which was not subscribed to this list, you will receive an email contradicting what Sympa just told you, saying that email was not subscribed to this list. This situation can effectively be highly misleading.

Steps to reproduce

  1. In a mail received from a mailing list, click on the unsubscribe link provided at the bottom of said mail
  2. On the page it sends you to, provide an incorrect address, either one you know isn't subscribed or one that does not exist.
  3. Confirm your choice on the next page
  4. See message

Additional information

Maybe this should've been reported as a feature request, because the whole process might need some rework.

ikedas commented 9 months ago

This unkindness is intentional.

Normally, the operation of unsubscription can be initiated without authentication so that the user can unsubscribe themselves even if they forget the password of their own.

However, if Sympa were to change its behavior based on whether or not the user is actually subscribed, an attacker could know whether or not the user is currently on the list by entering the email address of any user.

To prevent this, the same message is always displayed to the user who initiated the unsubscription, while when the user is not subscribed, the following message is sent to the user to be requested for unsubscribing:

Someone (probably you) requested for unsubscribing from list [listname], but you have not subscribed to this list.

racke commented 9 months ago

It would be good though to add the actual email in Sympa to this message, as the actual email might be redirected to another email. That may result in confusion about the real email in use.

ldidry commented 9 months ago

NB: version of Framalistes: 6.2.72

Cwpute commented 9 months ago

[…] an attacker could know whether or not the user is currently on the list by entering the email address of any user. To prevent this, the same message is always displayed to the user who initiated the unsubscription,

As I suggested, changing that message to always display: "You will soon receive further instructions at this email address." should work then, as it doesn't give away whether this address was subscribed or not to the mailing-list. It would still serve to confirm the requested action, while giving additional information about what's going to happen next. If anything, it's going to deter attackers sooner as they will understand quickly that without access to this address, they won't know more.
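The two comments above (ikedas on why the web page must not vary with membership state, and Cwpute's proposed uniform wording) describe a membership-oracle defence that is easy to see in code. The following is an added illustration, not Sympa's own code: a leaky handler whose page text reveals whether an address is subscribed, beside a uniform handler that keeps the same page text on both branches and moves the distinguishing information into the email. The subscriber table, list name and `Outbox` class are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data for the example (not real list data).
SUBSCRIBERS = {"announce": {"alice@example.org", "bob@example.org"}}


@dataclass
class Outbox:
    """Stand-in for the mail transport: records what would be sent."""
    sent: list = field(default_factory=list)

    def send(self, to, subject, body):
        self.sent.append({"to": to, "subject": subject, "body": body})


def unsubscribe_leaky(list_name, address, outbox):
    """Behaviour the thread warns against: the page text depends on membership,
    so anyone can test whether an arbitrary address is on the list."""
    if address not in SUBSCRIBERS.get(list_name, set()):
        return "This address is not subscribed to this list."
    outbox.send(address, f"Confirm unsubscription from {list_name}",
                "Follow the instructions in this message to confirm.")
    return "Your email address has been unsubscribed."


def unsubscribe_uniform(list_name, address, outbox):
    """Sympa-style behaviour as described by ikedas: identical page text on both
    branches; only the mailbox owner learns the real state."""
    if address in SUBSCRIBERS.get(list_name, set()):
        outbox.send(address, f"Confirm unsubscription from {list_name}",
                    "Follow the instructions in this message to confirm.")
    else:
        outbox.send(address, f"Unsubscription request for {list_name}",
                    "Someone (probably you) requested for unsubscribing from list "
                    f"{list_name}, but you have not subscribed to this list.")
    # Wording proposed by Cwpute in the thread; the same string on both paths.
    return "You will soon receive further instructions at this email address."


def page_leaks_membership(handler, list_name, subscribed, unsubscribed):
    """Check: True if the page response differs between a subscribed and an
    unsubscribed address, i.e. the form can be used as a membership oracle."""
    return handler(list_name, subscribed, Outbox()) != handler(list_name, unsubscribed, Outbox())
```

The same check is worth repeating on response status codes, redirects and response timing, since any of those can leak what the page text no longer does.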

ikedas commented 8 months ago

What is the setting of the unsubscribe scenario of your list? We need to be able to respond to all situations.

Cwpute commented 8 months ago

What do you mean by "what is the setting"? I am not an administrator of that mailing-list.

ikedas commented 8 months ago

By default, these options are possible.