
Ticket #1059 (fixed bug)

No csrf_token in unsubscribe link of subscription email

  • Created: 2015-11-18 00:51:38
  • Reported by: quy
  • Assigned to: quy
  • Milestone: 1.5.10
  • Component: security
  • Priority: normal

Since there is no csrf_token in the URL of the subscription email, it is no longer possible to unsubscribe directly from the email:

$mail_message = str_replace('<unsubscribe_url>', get_base_url().'/misc.php?action=unsubscribe&tid='.$tid, $mail_message);
$mail_message_full = str_replace('<unsubscribe_url>', get_base_url().'/misc.php?action=unsubscribe&tid='.$tid, $mail_message_full);

From the error log:

PHP message: PHP Notice:  Undefined index: csrf_token in misc.php on line 376

On a related note, we should check that $_GET['csrf_token'] is isset before making this call to avoid `Undefined index: csrf_token`:

check_csrf($_GET['csrf_token']);

History

Visman 2015-11-18 09:20:41

And

$mail_message = str_replace('<unsubscribe_url>', get_base_url().'/misc.php?action=unsubscribe&fid='.$cur_posting['id'], $mail_message);
$mail_message_full = str_replace('<unsubscribe_url>', get_base_url().'/misc.php?action=unsubscribe&fid='.$cur_posting['id'], $mail_message_full);

Franz 2016-01-10 12:30:44

I'd vote for just removing the link.

Visman 2016-01-10 13:26:12

Remove the link for cancelling a subscription?

Franz 2016-01-10 14:17:38

Yep, to avoid the additional complexity.

It's easy enough to unsubscribe after following the link to the topic.

Visman 2016-01-10 14:59:52

https://support.google.com/mail/answer/8151?hl=en
See "I'm on the mailing list for a shopping site, social network, or similar site" wink

quy 2016-01-12 16:42:12

I know this is sort of "hackish", but would you be ok with this to keep the changes minimal/simple? The message is hardcoded for now, but will be in $lang_misc. Also, are you ok with the wordings of the message?

	if ($topic_id)
	{
		if ($pun_config['o_topic_subscriptions'] != '1')
			message($lang_common['No permission'], false, '403 Forbidden');

		if (!isset($_GET['csrf_token']))
		{
			$token_url = '&amp;csrf_token='.pun_csrf_token();

			message('Click <a href="misc.php?action=unsubscribe&amp;tid='.$topic_id.$token_url.'">here</a> to confirm unsubscribing.', true);
		}

		check_csrf($_GET['csrf_token']);

		$result = $db->query('SELECT 1 FROM '.$db->prefix.'topic_subscriptions WHERE user_id='.$pun_user['id'].' AND topic_id='.$topic_id) or error('Unable to fetch subscription info', __FILE__, __LINE__, $db->error());
		if (!$db->num_rows($result))
			message($lang_misc['Not subscribed topic']);

		$db->query('DELETE FROM '.$db->prefix.'topic_subscriptions WHERE user_id='.$pun_user['id'].' AND topic_id='.$topic_id) or error('Unable to remove subscription', __FILE__, __LINE__, $db->error());

		redirect('viewtopic.php?id='.$topic_id, $lang_misc['Unsubscribe redirect']);
	}
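The confirmation-step pattern quy proposes above, modelled as an added example in Python (it is not FluxBB code and not part of this ticket; the Session class, the SUBSCRIPTIONS set and the return-tuple convention are constructed stand-ins for FluxBB's session, topic_subscriptions table and message()/redirect() calls). The point it shows: a link mailed to a user cannot carry the session-bound csrf_token, so a request without a token must render a confirmation link that does carry it instead of either deleting the subscription (a CSRF hole) or raising the "Undefined index" notice, and only the tokened request changes state:

```python
import hmac
import secrets
from urllib.parse import urlencode


class Session:
    """Constructed stand-in for the logged-in user's session (assumption, not FluxBB's)."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.csrf_token = secrets.token_hex(16)


# Constructed sample data: (user_id, topic_id) pairs the user is subscribed to.
SUBSCRIPTIONS = {(2, 17)}


def check_csrf(session, supplied):
    """True only when the query-string token matches the session token.

    The compare is constant-time and a missing/non-string token is simply a failure,
    so there is no notice and no timing side channel."""
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(session.csrf_token.encode(), supplied.encode())


def handle_unsubscribe(session, query, subscriptions=SUBSCRIPTIONS):
    """Model of misc.php?action=unsubscribe&tid=N[&csrf_token=T].

    Returns ('confirm', url) when the token is absent (the mailed link),
    ('error', message) on a bad token or no subscription,
    ('redirect', url) after the subscription was actually removed."""
    tid = query.get("tid")
    if not isinstance(tid, str) or not tid.isdigit():
        return ("error", "Bad request")
    topic_id = int(tid)

    token = query.get("csrf_token")
    if token is None:
        # The link in the e-mail has no token: show a confirmation link that carries
        # the session token. Nothing changes state on this path, so a forged GET
        # from a third-party page achieves nothing.
        confirm_url = "misc.php?" + urlencode(
            {"action": "unsubscribe", "tid": topic_id, "csrf_token": session.csrf_token}
        )
        return ("confirm", confirm_url)

    if not check_csrf(session, token):
        return ("error", "Bad CSRF token")

    if (session.user_id, topic_id) not in subscriptions:
        return ("error", "Not subscribed topic")

    # Only here, with a valid session-bound token, is the subscription removed.
    subscriptions.discard((session.user_id, topic_id))
    return ("redirect", "viewtopic.php?id=%d" % topic_id)


if __name__ == "__main__":
    s = Session(user_id=2)
    subs = {(2, 17)}
    print(handle_unsubscribe(s, {"tid": "17"}, subs))  # confirm page with tokened link
    print(handle_unsubscribe(s, {"tid": "17", "csrf_token": s.csrf_token}, subs))  # redirect
```

The first call is what the e-mailed link produces: a page whose only effect is to present a link the user has to click, which is the same amount of extra effort as the "link to the topic" alternative agreed later in the thread, but with the unsubscribe action itself still guarded by check_csrf.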

Franz 2016-01-15 08:19:45

@Visman: I'd argue that notification mails are not mailing lists. We can have a link to the topic, saying that's where they can unsubscribe.

quy 2016-01-15 15:11:12

  • Owner set to quy.

@Franz: Very valid point.

OK to proceed with the following:

You can unsubscribe by going to <unsubscribe_url> and clicking the Unsubscribe link at the bottom of the page.

For the unsubscribe_url, I will add an anchor #unsubscribe to the Unsubscribe link and link to it.

Franz 2016-01-15 19:09:19

Great idea!

quy 2016-01-15 21:07:58

Commit a5441e8 to fluxbb 1.5-next

#1059 Replace unsubscribe url with link to topic/forum to unsubscribe in email notification

Franz 2016-01-16 17:34:06

Commit 2e7ef22 to fluxbb 1.5-next

Merge pull request #190 from Quy/1059-unsubscribe

#1059 Replace unsubscribe url with link to topic/forum to unsubscribe in email notification

quy 2016-01-16 18:01:08

  • Status changed from open to fixed.

Visman 2016-01-17 11:11:01

https://support.google.com/mail/answer/ … l=en#unsub

Because Gmail can help users automatically unsubscribe from your email, we strongly recommend the following:

    Provide a 'List-Unsubscribe' header which points to an email address or a URL where the user can unsubscribe easily from future mailings. (Note: This is not a substitute method for unsubscribing.)

quy 2016-06-16 07:53:10

Commit ee2523a to fluxbb master

#1059 Replace unsubscribe url with link to topic/forum to unsubscribe in email notification