There are a few issues here. First, the unsubscribe URL in your example is not sent in the standard welcome message. The standard message contains only something like

    If you ever want to unsubscribe or change your options (eg, switch to
    or from digest mode, change your password, etc.), visit your
    subscription page at:

      http://example.com/mailman/options/user%40example.net

without the login-unsub fragment. Your installation has modified the subscribeack.txt template on a per-list, per-domain or sitewide basis to add the login-unsub fragment.

That notwithstanding, your point about a HEAD request on the URL is valid and I will fix this, but I will still allow GET. In theory this really should be only a POST from the options login page, but it is well known and widely used to put such URLs in list message headers or footers as unsubscribe links, so disallowing GET would be too disruptive.

** Changed in: mailman
   Importance: Undecided => Medium

** Changed in: mailman
       Status: New => In Progress

** Changed in: mailman
    Milestone: None => 2.1.19

** Changed in: mailman
     Assignee: (unassigned) => Mark Sapiro (msapiro)

--
https://bugs.launchpad.net/bugs/1372199

Title:
  in emails, unsubscribe links should not react to HTTP HEAD requests
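The method policy described in this message (HEAD changes nothing, GET stays allowed for links in list mail, POST is the intended path), sketched as an added example that is not part of the original message and is not Mailman's code. The function names, the `on_unsubscribe` callback and the `?login-unsub=1` query form are assumptions made for illustration; the sample requests are constructed.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# GET stays allowed: such links are widely used in list message headers and footers.
ACTION_METHODS = {"GET", "POST"}


def handle_options_request(method, url, on_unsubscribe, post_body=""):
    """Decide what an options-page request may do (hypothetical handler).

    Returns (status, action). on_unsubscribe(address) is called only for a
    GET or POST request that carries the login-unsub parameter.
    """
    method = method.upper()
    parts = urlsplit(url)
    # The last path segment is the URL-quoted subscriber address.
    address = unquote(parts.path.rstrip("/").rsplit("/", 1)[-1])
    if "@" not in address:
        return "404 Not Found", "none"

    if method == "HEAD":
        # HEAD asks for headers only, so it must never change subscription state.
        return "200 OK", "none"
    if method not in ACTION_METHODS:
        return "405 Method Not Allowed", "none"

    # Assumed parameter location: query string for GET, form body for POST.
    raw = post_body if method == "POST" else parts.query
    params = parse_qs(raw, keep_blank_values=True)
    if "login-unsub" in params:
        on_unsubscribe(address)
        return "200 OK", "unsubscribe"
    return "200 OK", "show-login-page"


def demo():
    """Run constructed requests through the handler and return the outcome."""
    url = "http://example.com/mailman/options/user%40example.net?login-unsub=1"
    triggered = []  # addresses for which the unsubscribe action fired
    results = {}
    for method in ("HEAD", "GET", "POST", "PUT"):
        body = "login-unsub=1" if method == "POST" else ""
        results[method] = handle_options_request(method, url, triggered.append, body)
    return results, triggered


if __name__ == "__main__":
    print(demo())
```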
