Public bug reported:

Welcome emails from mailman include a URL to perform unsubscribing.
ex: https://lists.schneier.com/cgi-bin/mailman/options/crypto-gram/XXX%40XXX?login-unsub=Unsubscribe

If you perform an HTTP HEAD request on that URL, it triggers the unsubscribe process, and an unsubscribe confirmation email is sent to the user.

This shouldn't happen: HTTP HEAD method is not HTTP GET. It's supposed to only return headers, not to trigger an action on web server.

I have anti-malware software that checks every HTTP link in received emails. When such a link is found by antimalware, it does an HTTP HEAD request on the URL to check the mimetype (if mimetype shows a windows executable, an alert is sent). But this HEAD request is understood by mailman as a *real* unsubscribe request, so mailman sends a confirmation to the actual user (who is lost).

(Strictly speaking, the behaviour is wrong even with an HTTP GET request: GET should not trigger a webserver action either...)

** Affects: mailman
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1372199

Title:
  in emails, unsubscribe links should not react to HTTP HEAD requests
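
The behaviour the report asks for, as an added example that is not part of the bug report and is not Mailman's code: a minimal WSGI handler in which GET and HEAD only render a confirmation form, and only a POST carrying the `login-unsub` field triggers the confirmation mail. The names `unsubscribe_app`, `request` and `confirmations_sent`, and the sample path, are assumptions made for the illustration.

```python
import io
from urllib.parse import parse_qs

# Stand-in for the side effect (mailing the unsubscribe confirmation).
confirmations_sent = []

FORM = (b'<form method="post"><button name="login-unsub" '
        b'value="Unsubscribe">Confirm unsubscribe</button></form>')


def unsubscribe_app(environ, start_response):
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method in ("GET", "HEAD"):
        # Safe methods: no state change, whatever the query string says.
        # Link scanners and prefetchers end up here.
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Content-Length", str(len(FORM)))])
        return [] if method == "HEAD" else [FORM]
    if method != "POST":
        start_response("405 Method Not Allowed", [("Allow", "GET, HEAD, POST")])
        return [b""]
    # Only an explicit form submission reaches the action.
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    if form.get("login-unsub") != ["Unsubscribe"]:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"missing login-unsub\n"]
    confirmations_sent.append(environ.get("PATH_INFO", ""))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"Confirmation e-mail sent.\n"]


def request(method, path, body=b""):
    """Drive the app with a constructed WSGI environ; return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "QUERY_STRING": "login-unsub=Unsubscribe",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    seen = {}
    chunks = unsubscribe_app(environ, lambda s, h: seen.update(status=s))
    return seen["status"], b"".join(chunks)


if __name__ == "__main__":
    path = "/options/example-list/user%40example.org"  # constructed sample
    for m, b in (("HEAD", b""), ("GET", b""), ("POST", b"login-unsub=Unsubscribe")):
        print(m, request(m, path, b)[0], "confirmations:", len(confirmations_sent))
```
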
