Open GoogleCodeExporter opened 8 years ago
I'd like to see this fixed before 2.0 GA
Original comment by manico.james@gmail.com
on 1 Nov 2010 at 12:47
Original comment by manico.james@gmail.com
on 19 Nov 2010 at 2:34
Original comment by chrisisbeef
on 20 Nov 2010 at 9:54
How do you [Jim] propose to differentiate these when they are used GET vs. POST
unless a developer calls something that allows them to distinguish the
difference.
For example, if client does a POST with POST parameter foo=bar and also passes
the query parameter ?foo=bar it is indeterminate as to which one of these
HttpServletRequest.getParameter("foo") would return.
The Javadoc for ServletRequest.getParameter(String name) says:
"You should only use this method when you are sure the parameter has only one
value. If the parameter might have more than one value, use
getParameterValues(java.lang.String). If you use this method with a multivalued
parameter, the value returned is equal to the first value in the array returned
by getParameterValues."
Unfortunately, the Javadoc for ServletRequest.getParameterValues(String name)
doesn't say anything about whether the GET or POST parameter would be called
first. I am not sure if some IETF RFC or some W3C spec or the Java Servlet Spec
mentions this or not, but I would conjecture that since it isn't mentioned in
the Javadoc, it probably is implemented in various app servers and servlet
engines. So bottom line is that developer better always check via
getParameterValues and if multiple values are returned they probably are SOL.
My bet is that unless you want to call something like getQueryString and parse
the query string yourself, you can't tell a POST from a GET parameter. That's
because obviously someone could POST something like
foo=bar&foo=baz
and presumably getParameterValues() would still return 2 values, so calling that
is not sufficient even to tell that one parameter value came from a POST and
the other from a GET. So I think the only thing that a developer can do is to
call getParameterValues() and if all the values that it returns are the
same, things are OK. If not, things are suspect (unless you intended to use all
the different values). But bottom line, I'm not sure we have the context to
tell what the developer's intent was.
Xref: HTTP Parameter Pollution
Original comment by kevin.w.wall@gmail.com
on 12 Feb 2011 at 6:05
Oh wait... I think maybe I misunderstood Jim. Only read the description, not
the title of the issue.
Jim, are you proposing that we just log whether an HTTP request is made via
POST or GET? Do we have context to do that? In what classes do we need to do
this? Seems like it might be spread all over the place unless we have some
special HTTP logger class. (I've not checked.)
Original comment by kevin.w.wall@gmail.com
on 12 Feb 2011 at 6:10
Yes, I just want to see GET or POST logged. :)
Original comment by manico.james@gmail.com
on 17 Feb 2011 at 3:25
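The two things discussed in this thread, logging the HTTP method and telling a query-string parameter apart from a body parameter when the container has merged them, can both be done in a servlet Filter. The following is an added example written for this page, not ESAPI code and not code from any commenter; it assumes the javax.servlet API and java.util.logging, and the class and method names (ParameterSourceFilter, parseQuery) are made up here. It does exactly what the comment above describes as the only option: it parses getQueryString() itself and compares that against getParameterValues(), flagging a name that shows up in both the URL and the body, or that carries more than one distinct value.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Added example (hypothetical class, not part of ESAPI): logs the request
// method and detects same-named parameters arriving via both the query
// string and the request body.
public class ParameterSourceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ParameterSourceFilter.class.getName());

    // Parse the raw query string ourselves. The container's merged view
    // (getParameterValues) does not record where each value came from.
    static Map<String, List<String>> parseQuery(String query) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) {
            return out;
        }
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            try {
                name = URLDecoder.decode(name, "UTF-8");
                value = URLDecoder.decode(value, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                throw new IllegalStateException(e); // UTF-8 is always available
            }
            out.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return out;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;

            // The request from the issue itself: record GET vs. POST.
            LOG.info(http.getMethod() + " " + http.getRequestURI());

            Map<String, List<String>> fromQuery = parseQuery(http.getQueryString());
            for (Map.Entry<String, String[]> e : http.getParameterMap().entrySet()) {
                String name = e.getKey();
                String[] values = e.getValue();
                int inQuery = fromQuery.getOrDefault(name, Collections.<String>emptyList()).size();
                // Everything the container merged in beyond the query-string
                // copies must have come from the (form-encoded) body.
                int inBody = values.length - inQuery;
                if (inQuery > 0 && inBody > 0) {
                    LOG.warning("parameter pollution: '" + name + "' appears " + inQuery
                            + " time(s) in the query string and " + inBody + " time(s) in the body");
                } else if (values.length > 1 && new HashSet<>(Arrays.asList(values)).size() > 1) {
                    // Same source, but conflicting values: also suspect.
                    LOG.warning("parameter '" + name + "' has " + values.length + " conflicting values");
                }
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
    }

    @Override
    public void destroy() {
    }
}
```

Note the caveat: the body count is inferred by subtraction, which relies on the container having merged the query string into getParameterMap() in the first place. That is what the Servlet Specification requires for a form-encoded POST, but which copy getParameter() returns first is still container-specific, which is the point of the comment above.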
Original issue reported on code.google.com by
manico.james@gmail.com
on 15 Dec 2009 at 9:51