[REUSE] Bug in the subscribe form of this mailing list

Sebastian seabass-labrax at gmx.com
Sun Apr 18 17:53:43 UTC 2021 

Dear Max,

> For of all, thank you for signing up and becoming part of the list,
> albeit the hurdles on your way. Welcome!

Thanks! I'm glad to be subscribed; I'm sure it'll have been worth it! :)

> I have tried to reproduce your error, to no avail. Of course, the form
> uses the POST method and some CSRF protection. There are no complex
> proxy hacks in use as long as you use the following site to sign up:
>
> https://lists.fsfe.org/mailman/listinfo/REUSE

I used that URL, except with REUSE in lower case (as linked to at the
bottom of the https://reuse.software homepage).

> Could it be that there was a longer timespan between opening the
> sign-up form site (URL above), and actually sending the request? In
> this case, the CSRF protection kicked in because the dynamic code of
> your individual form expires after a certain time (10 minutes IIRC

According to my browser history, my initial visit to the registration
page to the error were less than five minutes apart. I was using
Chromium, specifically the chromium-browser-privacy build from RPM
Fusion.

> Usually, this CSRF code should be regenerated with every page reload,
> so what you did (refreshing the page) should have worked. I honestly
> don't know why this failed, and why signing up to digests worked
> eventually.

I tried to reproduce it with Firefox, using a different email address
and with the non-digest setting. The subscription was successful, but
bizarrely, I could not get to the subscriber settings page! I got
'Connection refused' errors regardless of whether I contacted
lists.fsfe.org with or without TLS, on Firefox, Chromium or even curl.

> If you or anyone continues to experience similar technical issues,
> please let me know (ideally via private mail) and I'll investigate
> more thoroughly. For now, I reckon this was just a silly edge case of
> failed communication between Mailman and your browser.

In conclusion, I agree - you can discount my experiences as a silly edge
case :) We are getting into real xkcd.com/2259 territory here!

Thanks for taking the time to look into this.

Best wishes,

Sebastian

More information about the REUSE mailing list