Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=40001
authormarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Sat, 10 Oct 2009 21:54:54 +0000 (21:54 +0000)
committermarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Sat, 10 Oct 2009 21:54:54 +0000 (21:54 +0000)
Use POST rather than GET for all operations that are not idempotent
Partly based on a patch suggested by Daniel Naber
Remove the "Are you sure?" confirmation, partly due to lack of i18n support and partly because (based on my recollection) as many people disliked the feature as liked it.
Provides a (very) small measure of CSRF protection but lays the foundation for using a nonce with POST.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@823962 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/catalina/manager/Constants.java
java/org/apache/catalina/manager/HTMLManagerServlet.java
java/org/apache/catalina/manager/LocalStrings.properties

index 00a25b4..164ee52 100644 (file)
@@ -27,7 +27,7 @@ public class Constants {
         "<html>\n" +
         "<head>\n" +
         "<style>\n" +
-        org.apache.catalina.util.TomcatCSS.TOMCAT_CSS +
+        org.apache.catalina.util.TomcatCSS.TOMCAT_CSS + "\n" +
         "  table {\n" +
         "    width: 100%;\n" +
         "  }\n" +
@@ -92,6 +92,12 @@ public class Constants {
         "    font-family:sans-serif,Tahoma,Arial;\n" +
         "    color: black;\n" +
         "  }\n" +
+        "  form {\n" +
+        "    margin: 1;\n" +
+        "  }\n" +
+        "  form.inline {\n" +
+        "    display: inline;\n" +
+        "  }\n" +
         "</style>\n";
 
     public static final String BODY_HEADER_SECTION =
@@ -100,7 +106,7 @@ public class Constants {
         "\n" +
         "<body bgcolor=\"#FFFFFF\">\n" +
         "\n" +
-        "<table cellspacing=\"4\" width=\"100%\" border=\"0\">\n" +
+        "<table cellspacing=\"4\" border=\"0\">\n" +
         " <tr>\n" +
         "  <td colspan=\"2\">\n" +
         "   <a href=\"http://www.apache.org/\">\n" +
@@ -115,7 +121,7 @@ public class Constants {
         " </tr>\n" +
         "</table>\n" +
         "<hr size=\"1\" noshade=\"noshade\">\n" +
-        "<table cellspacing=\"4\" width=\"100%\" border=\"0\">\n" +
+        "<table cellspacing=\"4\" border=\"0\">\n" +
         " <tr>\n" +
         "  <td class=\"page-title\" bordercolor=\"#000000\" " +
         "align=\"left\" nowrap>\n" +
index 4763662..ee8be16 100644 (file)
@@ -110,9 +110,6 @@ public final class HTMLManagerServlet extends ManagerServlet {
         String command = request.getPathInfo();
 
         String path = request.getParameter("path");
-        String deployPath = request.getParameter("deployPath");
-        String deployConfig = request.getParameter("deployConfig");
-        String deployWar = request.getParameter("deployWar");
 
         // Prepare our output writer to generate the response message
         response.setContentType("text/html; charset=" + Constants.CHARSET);
@@ -121,16 +118,8 @@ public final class HTMLManagerServlet extends ManagerServlet {
         // Process the requested command
         if (command == null || command.equals("/")) {
             // No command == list
-        } else if (command.equals("/deploy")) {
-            message = deployInternal(deployConfig, deployPath, deployWar);
         } else if (command.equals("/list")) {
             // List always displayed - nothing to do here
-        } else if (command.equals("/reload")) {
-            message = reload(path);
-        } else if (command.equals("/undeploy")) {
-            message = undeploy(path);
-        } else if (command.equals("/expire")) {
-            message = expireSessions(path, request);
         } else if (command.equals("/sessions")) {
             try {
                 doSessions(path, request, response);
@@ -140,10 +129,12 @@ public final class HTMLManagerServlet extends ManagerServlet {
                 message = sm.getString("managerServlet.exception",
                         e.toString());
             }
-        } else if (command.equals("/start")) {
-            message = start(path);
-        } else if (command.equals("/stop")) {
-            message = stop(path);
+        } else if (command.equals("/upload") || command.equals("/deploy") ||
+                command.equals("/reload") || command.equals("/undeploy") ||
+                command.equals("/expire") || command.equals("/start") ||
+                command.equals("/stop")) {
+            message =
+                sm.getString("managerServlet.postCommand", command);
         } else {
             message =
                 sm.getString("managerServlet.unknownCommand", command);
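Review bot: The list of POST-only commands in the new `else if` chain is now maintained in two places — this string-comparison chain and the dispatch chain in doPost — and the two will drift. A command added to doPost's dispatch but not here answers a GET with `managerServlet.unknownCommand` instead of the intended `managerServlet.postCommand`, while a command added here but not in doPost falls through doPost's `else` back into doGet and tells the caller POST is required for a request that already was a POST. A single `private static final Set<String> POST_ONLY_COMMANDS = Set.of("/upload", "/deploy", "/reload", "/undeploy", "/expire", "/start", "/stop");` checked with `POST_ONLY_COMMANDS.contains(command)` here, and iterated or consulted in doPost, keeps the two in step. doGet's signature and the surrounding method body are outside this hunk.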
@@ -170,15 +161,38 @@ public final class HTMLManagerServlet extends ManagerServlet {
         // be configured in web.xml
         String command = request.getPathInfo();
 
-        if (command == null || !command.equals("/upload")) {
-            doGet(request,response);
-            return;
-        }
+        String path = request.getParameter("path");
+        String deployPath = request.getParameter("deployPath");
+        String deployConfig = request.getParameter("deployConfig");
+        String deployWar = request.getParameter("deployWar");
 
         // Prepare our output writer to generate the response message
         response.setContentType("text/html; charset=" + Constants.CHARSET);
 
-        String message = upload(request);
+        String message = "";
+
+        if (command == null || command.length() == 0) {
+            // No command == list
+            // List always displayed -> do nothing
+        } else if (command.equals("/upload")) {
+            message = upload(request);
+        } else if (command.equals("/deploy")) {
+            message = deployInternal(deployConfig, deployPath, deployWar);
+        } else if (command.equals("/reload")) {
+            message = reload(path);
+        } else if (command.equals("/undeploy")) {
+            message = undeploy(path);
+        } else if (command.equals("/expire")) {
+            message = expireSessions(path, request);
+        } else if (command.equals("/start")) {
+            message = start(path);
+        } else if (command.equals("/stop")) {
+            message = stop(path);
+        } else {
+            // Try GET
+            doGet(request,response);
+            return;
+        }
 
         list(request, response, message);
     }
@@ -1021,12 +1035,10 @@ public final class HTMLManagerServlet extends ManagerServlet {
 
     private static final String STARTED_DEPLOYED_APPS_ROW_BUTTON_SECTION =
         " <td class=\"row-left\" bgcolor=\"{13}\">\n" +
-        "  <small>\n" +
-        "  &nbsp;{1}&nbsp;\n" +
-        "  &nbsp;<a href=\"{2}\" onclick=\"return(confirm('''Are you sure?'''))\">{3}</a>&nbsp;\n" +
-        "  &nbsp;<a href=\"{4}\" onclick=\"return(confirm('''Are you sure?'''))\">{5}</a>&nbsp;\n" +
-        "  &nbsp;<a href=\"{6}\" onclick=\"return(confirm('''Are you sure?'''))\">{7}</a>&nbsp;\n" +
-        "  </small>\n" +
+        "  &nbsp;<small>{1}</small>&nbsp;\n" +
+        "  <form class=\"inline\" method=\"POST\" action=\"{2}\"><small><input type=\"submit\" value=\"{3}\"></small></form>\n" +
+        "  <form class=\"inline\" method=\"POST\" action=\"{4}\"><small><input type=\"submit\" value=\"{5}\"></small></form>\n" +
+        "  <form class=\"inline\" method=\"POST\" action=\"{6}\"><small><input type=\"submit\" value=\"{7}\"></small></form>\n" +
         " </td>\n" +
         " </tr><tr>\n" +
         " <td class=\"row-left\" bgcolor=\"{13}\">\n" +
@@ -1040,34 +1052,28 @@ public final class HTMLManagerServlet extends ManagerServlet {
 
     private static final String STOPPED_DEPLOYED_APPS_ROW_BUTTON_SECTION =
         " <td class=\"row-left\" bgcolor=\"{13}\" rowspan=\"2\">\n" +
-        "  <small>\n" +
-        "  &nbsp;<a href=\"{0}\" onclick=\"return(confirm('''Are you sure?'''))\">{1}</a>&nbsp;\n" +
-        "  &nbsp;{3}&nbsp;\n" +
-        "  &nbsp;{5}&nbsp;\n" +
-        "  &nbsp;<a href=\"{6}\" onclick=\"return(confirm('''Are you sure?  This will delete the application.'''))\">{7}</a>&nbsp;\n" +
-        "  </small>\n" +
+        "  <form class=\"inline\" method=\"POST\" action=\"{0}\"><small><input type=\"submit\" value=\"{1}\"></small></form>\n" +
+        "  &nbsp;<small>{3}</small>&nbsp;\n" +
+        "  &nbsp;<small>{5}</small>&nbsp;\n" +
+        "  <form class=\"inline\" method=\"POST\" action=\"{6}\"><small><input type=\"submit\" value=\"{7}\"></small></form>\n" +
         " </td>\n" +
         "</tr>\n<tr></tr>\n";
 
     private static final String STARTED_NONDEPLOYED_APPS_ROW_BUTTON_SECTION =
         " <td class=\"row-left\" bgcolor=\"{13}\" rowspan=\"2\">\n" +
-        "  <small>\n" +
-        "  &nbsp;{1}&nbsp;\n" +
-        "  &nbsp;<a href=\"{2}\" onclick=\"return(confirm('''Are you sure?'''))\">{3}</a>&nbsp;\n" +
-        "  &nbsp;<a href=\"{4}\" onclick=\"return(confirm('''Are you sure?'''))\">{5}</a>&nbsp;\n" +
-        "  &nbsp;{7}&nbsp;\n" +
-        "  </small>\n" +
+        "  &nbsp;<small>{1}</small>&nbsp;\n" +
+        "  <form class=\"inline\" method=\"POST\" action=\"{2}\"><small><input type=\"submit\" value=\"{3}\"></small></form>\n" +
+        "  <form class=\"inline\" method=\"POST\" action=\"{4}\"><small><input type=\"submit\" value=\"{5}\"></small></form>\n" +
+        "  &nbsp;<small>{7}</small>&nbsp;\n" +
         " </td>\n" +
         "</tr>\n<tr></tr>\n";
 
     private static final String STOPPED_NONDEPLOYED_APPS_ROW_BUTTON_SECTION =
         " <td class=\"row-left\" bgcolor=\"{13}\" rowspan=\"2\">\n" +
-        "  <small>\n" +
-        "  &nbsp;<a href=\"{0}\" onclick=\"return(confirm('''Are you sure?'''))\">{1}</a>&nbsp;\n" +
-        "  &nbsp;{3}&nbsp;\n" +
-        "  &nbsp;{5}&nbsp;\n" +
-        "  &nbsp;{7}&nbsp;\n" +
-        "  </small>\n" +
+        "  <form class=\"inline\" method=\"POST\" action=\"{0}\"><small><input type=\"submit\" value=\"{1}\"></small></form>\n" +
+        "  &nbsp;<small>{3}</small>&nbsp;\n" +
+        "  &nbsp;<small>{5}</small>&nbsp;\n" +
+        "  &nbsp;<small>{7}</small>&nbsp;\n" +
         " </td>\n" +
         "</tr>\n<tr></tr>\n";
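Review bot: None of the new inline `<form method="POST">` elements carries a hidden field, so when the nonce the description plans for is introduced there is no slot in these templates to return it; each form would need something like `<input type="hidden" name="nonce" value="{N}">` driven by an additional MessageFormat argument, and the same applies to the STARTED_DEPLOYED section above this hunk. The per-command state (presumably the context `path`) appears to travel in the `action="{0}"` URL built outside this hunk, so it should be confirmed that doPost's `request.getParameter("path")` still sees it when the form body is empty. Dropping the confirm() also removes the "This will delete the application" warning that the Undeploy link in STOPPED_DEPLOYED_APPS_ROW_BUTTON_SECTION used to carry; if i18n is the blocker, a `title="{N}"` attribute on that submit button fed from LocalStrings would keep the warning without JavaScript.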
 
index a33bab4..be0ddb7 100644 (file)
@@ -80,6 +80,7 @@ managerServlet.noRole=FAIL - User does not possess role {0}
 managerServlet.noSelf=FAIL - The manager can not reload, undeploy, stop, or undeploy itself
 managerServlet.noWrapper=Container has not called setWrapper() for this servlet
 managerServlet.notDeployed=FAIL - Context {0} is defined in server.xml and may not be undeployed
+managerServlet.postCommand=FAIL - Tried to use command {0} via a GET request but POST is required
 managerServlet.reloaded=OK - Reloaded application at context path {0}
 managerServlet.undeployd=OK - Undeployed application at context path {0}
 managerServlet.resourcesAll=OK - Listed global resources of all types