From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 42795] New: - GET used for unsafe operations
Date: Mon, 2 Jul 2007 08:13:12 -0700 (PDT)
Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=42795

           Summary: GET used for unsafe operations
           Product: Tomcat 5
           Version: 5.5.23
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Webapps:Manager
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: erharold@gmail.com

The Tomcat manager app (usually found at http://hostname:8080/manager/html) uses HTTP GET and <a> links for unsafe operations such as restarting, redeploying, starting and stopping the server. For example:

  http://hostname:8080/manager/html/stop?path=/host-manager

Protecting the links with JavaScript "are you sure" messages is an unreliable kludge. These links should be redesigned to use POST instead of GET.

I suspect I don't have to explain the importance of this to this group, but just in case: http://www.w3.org/2001/tag/doc/whenToUseGet.html
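As an added illustration of the redesign the report asks for (this is example code, not Tomcat's manager servlet): a servlet, assumed mapped to /html/*, that answers GET only with read-only views, refuses GET for the state-changing commands with 405 and an Allow header, and renders each action as a POST form instead of an <a> link. The class name, the command list and the /html/list redirect target are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical manager servlet (assumed mapped to /html/*): GET is read-only, state changes need POST. */
public class SafeManagerServlet extends HttpServlet {
    // Commands that change server state; never executed on GET (assumed list).
    private static final List<String> UNSAFE =
            Arrays.asList("/stop", "/start", "/reload", "/undeploy", "/deploy");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String cmd = req.getPathInfo() == null ? "/list" : req.getPathInfo();
        if (UNSAFE.contains(cmd)) {
            // A followed link, browser prefetch or crawler must not change state.
            resp.setHeader("Allow", "POST");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "Use POST for " + cmd);
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><h1>Applications</h1>");
        // Each action is a POST form, replacing the old "/stop?path=..." <a> link.
        out.println(actionForm(req.getContextPath(), "/stop", "/host-manager"));
        out.println("</body></html>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String cmd = req.getPathInfo();
        String path = req.getParameter("path");
        if (cmd == null || !UNSAFE.contains(cmd) || path == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Perform the real operation on 'path' here (omitted), then redirect so a
        // browser refresh re-issues a harmless GET instead of repeating the change.
        resp.sendRedirect(req.getContextPath() + "/html/list");
    }

    // Renders one action as a POST form; appPath comes from the server's own deployment list.
    static String actionForm(String ctx, String cmd, String appPath) {
        return "<form method=\"post\" action=\"" + ctx + "/html" + cmd + "\">"
             + "<input type=\"hidden\" name=\"path\" value=\"" + appPath + "\">"
             + "<input type=\"submit\" value=\"" + cmd.substring(1) + "\"></form>";
    }
}
```

With this layout the URL from the report, /manager/html/stop?path=/host-manager, returns 405 when opened as a link, and only a submitted form (or a deliberate POST) reaches the stop logic.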