andytanoko / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
0 stars 0 forks source link

Add Capability to Specify GET vs POST scope to request.getParameter #69

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
If a form is submitted as a POST, but someone submits a GET parameter with
the same name, which one wins out and is returned when I call getParameter?

We should address this by giving programmers the option of specifying one
location over the other.  Is this possible?

Original issue reported on code.google.com by neil.mat...@gmail.com on 2 Dec 2009 at 8:42

GoogleCodeExporter commented 9 years ago

Original comment by neil.mat...@gmail.com on 2 Dec 2009 at 8:43

GoogleCodeExporter commented 9 years ago
The order isn't guaranteed.  We *could* do this by parsing the querystring. But 
perhaps this is better done 
by implementing doPost only, and not having one handler for both doPost and 
doGet.  What's the danger 
here?  Exposing params on the URL?  Making phishing via tinyurl marginally 
easier? 

Do you think an httputility method to getPostParameter() and getGetParameter() 
makes sense?  

Original comment by planetlevel on 2 Dec 2009 at 9:39

GoogleCodeExporter commented 9 years ago
The other reason I can think of is some VERY basic CSRF protection.  Yes, we 
all know
that this is the worst way, but I see some value in implementing this.  Some
frameworks unfortunately hide the doPost/doGet so I think there is some value.  

Lastly, values for navigation are often in the GET string, while the real data 
is in
the POST section.  So if you have page.jsp?state=doSomething with
social_security_number in the post body, you may want to ensure the
social_security_number is in fact in the post body and not appended to the query
string (which is stored in the history, access logs, etc).

Yes, this only buys minimal protection from the least sophisticated hackers so 
we
have to decide whether it is worth the effort.

Original comment by neil.mat...@gmail.com on 2 Dec 2009 at 9:59