Commit 9ff32080 authored by IKEDA Soji's avatar IKEDA Soji

When an other user (or anonymous user on web interface) requested...

When another user (or an anonymous user on the web interface) requests a subscription or unsubscription and the target address is already subscribed (for subscribe) or not subscribed (for signoff), the target is informed that someone requested the action while no action is taken. A fake success response is also sent to the requester, so that list membership cannot be probed by submitting requests for other addresses.
parent 88bb106d
......@@ -53,6 +53,25 @@ Subject: [% FILTER qencode %][%|loc(list.name)%]No valid recipient in list %1[%E
[%|loc(list.name,conf.listmaster_email,domain) %]Your message to list %1 could not be delivered. All the subscribers to this list have their address in error.
Please contact the listmaster (%2@%3) to fix this problem before re-posting your message.[% END %]
[% ELSIF type == 'vain_request_by_other' -%]
[% IF request.action == 'subscribe' -%]
Subject: [% FILTER qencode %][%|loc(list.name)%]FYI: subscribing to %1[%END%][%END%]
[%- ELSIF request.action == 'signoff' -%]
Subject: [% FILTER qencode %][%|loc(conf.title,list.name)%]FYI: unsubscribing from %1[%END%][%END%]
[%- ELSE -%]
Subject: [% request.action %]
[%- END %]
[% IF request.action == 'subscribe' -%]
[%|loc(list.name)%]Someone (probably you) requested for subscribing to list %1, but you have already subscribed to this list.[%END%]
[%- ELSIF request.action == 'signoff' -%]
[%|loc(list.name)%]Someone (probably you) requested for unsubscribing from list %1, but you have not subscribed to this list.[%END%]
[%- ELSE -%]
[% request.action %]
[%- END %]
[%|loc%]No action is needed on your side.[%END%]
[% ELSIF type == 'plugin' -%]
[%- TRY -%][%- INCLUDE $entry -%]
[%- CATCH -%]
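Review bot: The signoff subject at `Subject: [% FILTER qencode %][%|loc(conf.title,list.name)%]FYI: unsubscribing from %1[%END%][%END%]` passes `conf.title` as the first argument, so `%1` expands to the site title rather than the list name, unlike the subscribe subject two lines above; it should read `[%|loc(list.name)%]FYI: unsubscribing from %1[%END%]`. The `ELSE` fallbacks emit the raw `request.action` value both as a Subject header (outside `qencode`) and as the body; the Perl side in this commit only raises `vain_request_by_other` for subscribe and signoff, so they look unreachable, but a fixed neutral string would be safer than echoing an action name into a mail header. Wording: "requested for subscribing to" / "requested for unsubscribing from" read more naturally as "requested to subscribe to" / "requested to unsubscribe from".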
......
......@@ -5746,14 +5746,16 @@ sub do_subscribe {
return 1;
}
 
my ($email, $gecos);
my ($sender, $email, $gecos);
if ($param->{'user'} and $param->{'user'}{'email'}) {
$email = $param->{'user'}{'email'};
$gecos = $in{'gecos'} || $param->{'user'}{'gecos'};
$sender = $param->{'user'}{'email'};
$email = $param->{'user'}{'email'};
$gecos = $in{'gecos'} || $param->{'user'}{'gecos'};
} else {
# User is not autenticated.
$email = Sympa::Tools::Text::canonic_email($in{'email'});
$gecos = $in{'gecos'};
$sender = 'nobody';
$email = Sympa::Tools::Text::canonic_email($in{'email'});
$gecos = $in{'gecos'};
}
 
@{$param}{qw(email gecos custom_attribute)} =
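Review bot: The sentinel `'nobody'` and the authenticated/anonymous branch that picks `$sender` are now written out in do_subscribe here and again in do_auto_signoff and do_signoff, and the same literal is what `Sympa::Spindle::ProcessRequest::_twist` compares against `$request->{email}` to decide the request is made on someone else's behalf; three hand-copied assignments are easy to let drift. A small file-level helper would keep them in step and document why the sentinel exists, with each caller reduced to `my $sender = _web_sender($param);`. Note that `$email` in the anonymous branch comes from `Sympa::Tools::Text::canonic_email($in{'email'})`, which can presumably be undef for a missing or malformed form value; whether that is rejected before the spindle is built is outside this hunk, so worth confirming. do_subscribe starts before and continues after this hunk.
```perl
# Sender as seen by the request spindle: the authenticated web user, or
# 'nobody' for anonymous web requests.  ProcessRequest compares this with
# the target address to decide whether the request is made on behalf of
# someone else, so the sentinel must be the same everywhere it is produced.
sub _web_sender {
    my $param = shift;
    return $param->{'user'}{'email'}
        if $param->{'user'} and $param->{'user'}{'email'};
    return 'nobody';
}

# … in do_subscribe, replacing the if/else that sets $sender/$email/$gecos …
my $sender = _web_sender($param);
my ($email, $gecos);
# … unchanged: $email/$gecos assignment per branch …
```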
......@@ -5787,7 +5789,7 @@ sub do_subscribe {
my $spindle = Sympa::Spindle::ProcessRequest->new(
context => $list,
action => 'subscribe',
sender => $email,
sender => $sender,
email => $email,
gecos => $gecos,
( $in{'custom_attribute'}
......@@ -5799,7 +5801,7 @@ sub do_subscribe {
: ()
),
scenario_context => {
sender => $email,
sender => $sender,
remote_host => $param->{'remote_host'},
remote_addr => $param->{'remote_addr'},
},
......@@ -5813,12 +5815,6 @@ sub do_subscribe {
if ($report->[1] eq 'notice') {
Sympa::WWW::Report::notice_report_web(@{$report}[2, 3],
$param->{'action'});
} elsif ($report->[1] eq 'user'
and $report->[2] eq 'already_subscriber') {
# To prevent sniffing users, fake "You requested a subscription"
# notice.
Sympa::WWW::Report::notice_report_web('sent_to_user', {},
$param->{'action'});
} else {
Sympa::WWW::Report::reject_report_web(@{$report}[1 .. 3],
$param->{action});
......@@ -5921,10 +5917,10 @@ sub do_auto_signoff {
my $spindle = Sympa::Spindle::ProcessRequest->new(
context => $list,
action => 'signoff',
sender => $email,
sender => 'nobody',
email => $email,
scenario_context => {
sender => $email,
sender => 'nobody',
remote_host => $param->{'remote_host'},
remote_addr => $param->{'remote_addr'},
},
......@@ -5938,13 +5934,6 @@ sub do_auto_signoff {
if ($report->[1] eq 'notice') {
Sympa::WWW::Report::notice_report_web(@{$report}[2, 3],
$param->{'action'});
} elsif ($report->[1] eq 'user'
and grep { $report->[2] eq $_ }
qw(user_not_subscriber not_subscriber)) {
# To prevent sniffing users, fake "We've sent validation link"
# notice.
Sympa::WWW::Report::notice_report_web('sent_to_user', {},
$param->{'action'});
} else {
Sympa::WWW::Report::reject_report_web(@{$report}[1 .. 3],
$param->{action});
......@@ -6018,12 +6007,14 @@ sub do_signoff {
return 1;
}
 
my $email;
my ($sender, $email);
if ($param->{'user'} and $param->{'user'}{'email'}) {
$email = $param->{'user'}{'email'};
$sender = $param->{'user'}{'email'};
$email = $param->{'user'}{'email'};
} else {
# User is not autenticated.
$email = Sympa::Tools::Text::canonic_email($in{'email'});
$sender = 'nobody';
$email = Sympa::Tools::Text::canonic_email($in{'email'});
}
 
$param->{email} = $email;
......@@ -6043,14 +6034,14 @@ sub do_signoff {
my $spindle = Sympa::Spindle::ProcessRequest->new(
context => $list,
action => 'signoff',
sender => $email,
sender => $sender,
email => $email,
( $param->{'user'}{'email'}
? (md5_check => 1)
: ()
),
scenario_context => {
sender => $email,
sender => $sender,
remote_host => $param->{'remote_host'},
remote_addr => $param->{'remote_addr'},
},
......@@ -6064,13 +6055,6 @@ sub do_signoff {
if ($report->[1] eq 'notice') {
Sympa::WWW::Report::notice_report_web(@{$report}[2, 3],
$param->{'action'});
} elsif ($report->[1] eq 'user'
and grep { $report->[2] eq $_ }
qw(user_not_subscriber not_subscriber)) {
# To prevent sniffing users, fake "We've sent validation link"
# notice.
Sympa::WWW::Report::notice_report_web('sent_to_user', {},
$param->{'action'});
} else {
Sympa::WWW::Report::reject_report_web(@{$report}[1 .. 3],
$param->{action});
......
......@@ -112,16 +112,45 @@ sub _twist {
return undef;
}
# Special cases for subscribe & signoff: If membership is unsatisfactory,
# force execute request and let it be rejected.
unless ($action =~ /\Areject\b/i) {
if ($request->{action} eq 'subscribe'
and defined $that->get_list_member($request->{email})) {
$action =~ s/\A\w+/do_it/;
} elsif ($request->{action} eq 'signoff'
and not defined $that->get_list_member($request->{email})) {
$action =~ s/\A\w+/do_it/;
# Special cases for "subscribe" and "signoff" actions.
if ($action =~ /\Areject\b/i) {
;
} elsif (
$sender ne $request->{email}
and
($request->{action} eq 'subscribe' or $request->{action} eq 'signoff')
) {
# Request by an other/anonymous user:
# If membership is unsatisfactory, fake successful response to prevent
# sniffing users.
my $is_list_member = $that->get_list_member($request->{email});
if ( $request->{action} eq 'subscribe' and $is_list_member
or $request->{action} eq 'signoff' and not $is_list_member) {
$log->syslog(
'info',
'%s %s for %s from %s is in vain (omitted)',
uc $request->{action},
$request->{email}, $that, $sender
);
# Notify target address.
Sympa::send_notify_to_user($that, 'vain_request_by_other',
$request->{email}, {request => $request});
# Fake succsssful result.
if ($action =~ /\Arequest_auth\b/i) {
$self->add_stash($request, 'notice', 'sent_to_user',
{email => $request->{email}});
} elsif ($action =~ /\Aowner\b/i) {
$self->add_stash($request, 'notice', 'sent_to_owner');
}
# Abort processing request.
return 1;
}
# Otherwise, confirmation should be sent to target email instead of
# sender. This fixup is necessary for subscribe.* scenarios bundled
# in 6.2.34 or earlier.
$action =~
s/\Arequest_auth(?![(][[]email[]][)])/request_auth([email])/;
}
if ($action =~ /\Ado_it\b/i) {
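Review bot: The masking branch under `# Fake succsssful result.` only stashes a notice when `$action` starts with `request_auth` or `owner`; for any other non-reject action (for example `do_it` on an open list) the request returns 1 with nothing stashed, so an already-subscribed target produces an empty report while a genuine subscription presumably reports something, which is the very distinguishing signal this commit sets out to remove. I cannot see from the hunk what the `do_it` path stashes, but a trailing `else` that stashes the same notice the real path would produce (or at least logs that the response was left unmasked) would close that gap. The `$sender ne $request->{email}` test is also case-sensitive; if sender and target are not both canonicalized before reaching here, a user acting on their own address with different casing would take the "by other" path and get the masked reply instead of their real status, so either confirm both sides are canonical or compare `lc` forms. Fix the typo in the comment while here: `# Fake successful result.`. `_twist` starts before and continues after this hunk.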
......