Unconditional unsubscribe via email footer

Denial of Service


I’m testing “reply by email” on a forum and discovered that the posted reply includes the entire quoted message as sent by Gmail. Although it is obscured by sitting inside a “…” that is hidden automatically, it still includes the “unsubscribe via email” footer text and the unsubscribe link, which is clearly a Denial of Service security flaw.

@codinghorror recommends disabling this as the solution, so I disabled “unsubscribe via email footer”, which I had turned on for user convenience (and reputation management), but I’m still receiving emails with unsubscribe links in the footer.

I’m running Discourse 2.6.0.beta2 1acb2f752bd9075472cd4e8d1b14196e6289f51b

1 like

Which mail provider are you using? Many will insist on inserting their own links to unsubscribe. Have you confirmed that the links which show up point to your instance rather than said mail provider’s?

1 like

You can disable that by disabling the always show trimmed content site setting. As an admin you will still be able to see the full email by clicking on the envelope icon in the top right corner of a post created via email.

2 likes

Sorry, I conflated things. @codinghorror described that as the solution, but it doesn’t remove an unsubscribe key in the footer entirely; it just (as the help text points out) changes the URL protocol between mailto and https, which in either case exposes the unsubscribe key.

To be further clear, I’m using my own sendmail server on another system, which is definitely not configured to add any links or any other content at all. In addition, the actual links are discourse-generated, of the form https://${myforum}/email/unsubscribe/${uniqueId} which would not match something generated by another server.

Now, having tested it between non-admin users, I see that the link requires authentication, so it’s just ugly to have it, and a waste of database space, and not a DoS. :sweat_smile:

I’m not complaining about it being obscured. I’m complaining about it being present (even though obscured).

I have always had this setting, which has to the best of my knowledge never changed in site history:

I am clicking on the ellipsis icon within the post to see the quoted text.

Have I missed a configuration to entirely remove a trailing quoted section from a response? My main reason for not wanting to turn on reply-by-email has been precisely how much quote noise it injects into the forum. It makes the “lazy” use of the easy reply-by-email feature reduce the value of a forum. Laziness is one of the primary virtues of a programmer, I’m not denigrating laziness here!
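The host check asked about earlier in the thread and the `https://${myforum}/email/unsubscribe/${uniqueId}` form described in this reply, turned into a small defender-side helper: it classifies every unsubscribe link found in an inbound reply body as ours or third-party and redacts our own keys before the text is posted. This is an added example, not Discourse code or any poster’s; the forum host and the sample reply are constructed placeholders.

```ruby
require "uri"

FORUM_HOST = "forum.example.org" # constructed placeholder for ${myforum}
UNSUB_PATH = %r{\A/email/unsubscribe/([A-Za-z0-9]+)\z}
URL_RE     = %r{https?://[^\s<>"')\]]+}

# Constructed sample of a reply-by-email body with the quoted Gmail footer.
SAMPLE_REPLY = <<~MAIL
  Thanks, that fixed it.

  > To unsubscribe from these emails, click here:
  > https://forum.example.org/email/unsubscribe/abc123DEF.
  > Mail provider footer: https://other.example/email/unsubscribe/zzz999
MAIL

# Return one hash per unsubscribe-style link: its host, the key in the path,
# and whether the host is our own instance (the check asked about above).
def classify_unsubscribe_links(body, own_host = FORUM_HOST)
  body.scan(URL_RE).map do |raw|
    clean = raw.sub(/[.,;:!?]+\z/, "")          # drop trailing punctuation
    uri = URI.parse(clean) rescue nil
    next unless uri && uri.host
    key = uri.path[UNSUB_PATH, 1]
    next unless key
    { url: clean, host: uri.host, key: key, ours: uri.host.casecmp?(own_host) }
  end.compact
end

# Copy of the body with the key removed from every link that points at our
# own instance; third-party links are left untouched for the admin to inspect.
def redact_own_unsubscribe_keys(body, own_host = FORUM_HOST)
  body.gsub(URL_RE) do |raw|
    link = classify_unsubscribe_links(raw, own_host).first
    link && link[:ours] ? raw.sub(link[:key], "[redacted]") : raw
  end
end

if __FILE__ == $PROGRAM_NAME
  classify_unsubscribe_links(SAMPLE_REPLY).each { |l| p l }
  puts redact_own_unsubscribe_keys(SAMPLE_REPLY)
end
```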