When receiving an email indicating new posts in a topic one is subscribed to, it also contains a link to unsubscribe.
Today, I tried for the first time to use the link and it failed with the following error message:
Bad CSRF hash. You were referred to this page from an unauthorized source.
The problem is a missing csrf_token GET parameter:
email: https://bbs.archlinux.org/misc.php?action=unsubscribe&tid=<tid>
web: https://bbs.archlinux.org/misc.php?action=unsubscribe&tid=<tid>&csrf_token=<csrf_token>
As far as I understand, the CSRF token cannot be included in the email, since it has to match with a previously set cookie.
So, as I see it, there are two options to fix this:
remove the requirement for a csrf_token
If logged in, there should be a cookie that can be used for identification anyways.
Elsewise a redirection to the login page would be great.
remove the link from the email
Is this feature part of FluxBB? If so, the above issue should probably be rather reported as a bug upstream.
Though, if not, would somebody be willing to fix this?
I could also try to do so on my own, though I would prefer to hear your opinions first.
Last edited by respiranto (2016-01-08 14:42:45)
CSRF tokens are a security measure, so removing it is not an option. An alternative to removing the link from emails might be redirecting to a confirmation page (something like "Do you really want to unsubscribe from this thread?" accompanied by a yes button) or the login page if not logged in already. At least MediaWiki does something similar.
Of course you are right, I somehow misunderstood the purpose of the tokens. Your proposed solution does sound like the only option then.
So the question remains: Is this to be reported upstream or rather an issue of Arch's manual configuration?
The fellow Forum Admins will know that, but my guess is that it's an upstream feature bug.
I've read a little more about CSRF tokens, since I can make use of them on my own, and my initial assumption about the necessity of a cookie seems to have proven wrong.
It should be possible to send a valid CSRF token in the email, which would have to be stored on the server in relation to the respective user, most probably in a database.
Anyways, if I won't get any response from a forum administrator soon, I will report this upstream.
I've never heard of an Arch project dedicated to the forum, so you are most probably right.
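An added example illustrating the two token designs discussed in this thread (it is Python written for this page, not FluxBB's PHP or the Arch forum's configuration). `session_csrf_ok` models the cookie-bound check that the forum's `misc.php` applies: the token is derived from the requester's session, so a click from a mail client, which carries no cookie, can never pass it, which is the "Bad CSRF hash" failure described above. `UnsubscribeTokens` models the alternative raised in the last post: a random token issued when the notification mail is sent and stored server-side against the user and topic, so the link works without a session. It goes a little beyond the post by also making the stored token single-use, bound to the `tid` in the URL, and time-limited. The parameter name `unsub_token`, the 30-day `TOKEN_TTL`, and the in-memory dict standing in for the database table are all assumptions of this example.

```python
"""Toy model of a mailable unsubscribe link versus a session-bound CSRF token.

Constructed example; not FluxBB code. BASE is the URL quoted in the thread.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "https://bbs.archlinux.org/misc.php"
TOKEN_TTL = 30 * 24 * 3600          # assumption: mailed links expire after 30 days
SESSION_SECRET = secrets.token_bytes(32)   # per-process key, stands in for a configured secret


def session_csrf_token(session_cookie):
    """Cookie-bound token: only a browser holding the session cookie can obtain it."""
    return hmac.new(SESSION_SECRET, session_cookie.encode(), hashlib.sha256).hexdigest()


def session_csrf_ok(session_cookie, csrf_token):
    """The check a normal form submission passes and a mail-client click cannot."""
    if session_cookie is None or csrf_token is None:
        return False
    return hmac.compare_digest(session_csrf_token(session_cookie), csrf_token)


class UnsubscribeTokens:
    """Server-side store of mailed tokens: sha256(token) -> (user_id, tid, expiry).

    The dict stands in for a database table keyed by the hashed token.
    """

    def __init__(self):
        self._rows = {}
        self.subscriptions = set()   # (user_id, tid) pairs currently subscribed

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, tid, now=None):
        """Create a single-use token at the time the notification e-mail is sent."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = (user_id, tid, now + TOKEN_TTL)
        return token

    def email_link(self, user_id, tid, now=None):
        """The link to embed in the e-mail; needs no cookie to work."""
        token = self.issue(user_id, tid, now)
        query = urlencode({"action": "unsubscribe", "tid": tid, "unsub_token": token})
        return f"{BASE}?{query}"

    def redeem(self, url, now=None):
        """Handle a clicked link. Returns (status, detail)."""
        now = time.time() if now is None else now
        q = parse_qs(urlparse(url).query)
        if q.get("action") != ["unsubscribe"]:
            return ("reject", "wrong action")
        token = q.get("unsub_token", [None])[0]
        tid_param = q.get("tid", [None])[0]
        if token is None or tid_param is None:
            return ("reject", "missing parameters")
        key = self._digest(token)
        row = self._rows.get(key)
        if row is None:
            return ("reject", "unknown or already used token")
        user_id, tid, expires = row
        if now > expires:
            del self._rows[key]
            return ("reject", "expired")
        if str(tid) != tid_param:
            # The token is bound to one topic; a rewritten tid must not unsubscribe another.
            return ("reject", "tid mismatch")
        del self._rows[key]               # single use: a replayed link fails
        self.subscriptions.discard((user_id, tid))
        return ("ok", f"user {user_id} unsubscribed from topic {tid}")


if __name__ == "__main__":
    store = UnsubscribeTokens()
    store.subscriptions.add((42, 7))
    link = store.email_link(42, 7)
    print(link)
    print(store.redeem(link))            # ok
    print(store.redeem(link))            # reject: already used
    print(session_csrf_ok(None, "anything"))   # False: no cookie on a mail click
```

Because the mailed token authorises exactly one action (unsubscribe this user from this topic) and nothing else, it does not weaken the forum's general CSRF protection the way dropping the `csrf_token` check would; the confirmation page suggested earlier in the thread can still be shown before `redeem` is called.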