From d1d0126c23b7c1609d59de0579eba4bc9ac74288 Mon Sep 17 00:00:00 2001 From: markt Date: Sat, 10 Oct 2009 21:54:54 +0000 Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=40001 Use POST rather than GET for all operations that are not idempotent Partly based on a patch suggested by Daniel Naber Remove the "Are you sure?", partly due to lack of i18n support and since as (based on my recollection) as many people disliked the feature as liked it. Provides a (very) small measure of CSRF protection but lays the foundation for using a nonce with POST. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@823962 13f79535-47bb-0310-9956-ffa450edef68 --- java/org/apache/catalina/manager/Constants.java | 12 ++- .../catalina/manager/HTMLManagerServlet.java | 94 ++++++++++++---------- .../catalina/manager/LocalStrings.properties | 1 + 3 files changed, 60 insertions(+), 47 deletions(-) diff --git a/java/org/apache/catalina/manager/Constants.java b/java/org/apache/catalina/manager/Constants.java index 00a25b4d9..164ee52ac 100644 --- a/java/org/apache/catalina/manager/Constants.java +++ b/java/org/apache/catalina/manager/Constants.java @@ -27,7 +27,7 @@ public class Constants { "\n" + "\n" + "\n"; public static final String BODY_HEADER_SECTION = @@ -100,7 +106,7 @@ public class Constants { "\n" + "\n" + "\n" + - "\n" + + "
\n" + " \n" + " \n" + "
\n" + " \n" + @@ -115,7 +121,7 @@ public class Constants { "
\n" + "
\n" + - "\n" + + "
\n" + " \n" + " \n" + " \n" + " \n" + "\n\n"; private static final String STARTED_NONDEPLOYED_APPS_ROW_BUTTON_SECTION = " \n" + "\n\n"; private static final String STOPPED_NONDEPLOYED_APPS_ROW_BUTTON_SECTION = " \n" + "\n\n"; diff --git a/java/org/apache/catalina/manager/LocalStrings.properties b/java/org/apache/catalina/manager/LocalStrings.properties index a33bab490..be0ddb7ed 100644 --- a/java/org/apache/catalina/manager/LocalStrings.properties +++ b/java/org/apache/catalina/manager/LocalStrings.properties @@ -80,6 +80,7 @@ managerServlet.noRole=FAIL - User does not possess role {0} managerServlet.noSelf=FAIL - The manager can not reload, undeploy, stop, or undeploy itself managerServlet.noWrapper=Container has not called setWrapper() for this servlet managerServlet.notDeployed=FAIL - Context {0} is defined in server.xml and may not be undeployed +managerServlet.postCommand=FAIL - Tried to use command {0} via a GET request but POST is required managerServlet.reloaded=OK - Reloaded application at context path {0} managerServlet.undeployd=OK - Undeployed application at context path {0} managerServlet.resourcesAll=OK - Listed global resources of all types -- 2.11.0
\n" +
diff --git a/java/org/apache/catalina/manager/HTMLManagerServlet.java b/java/org/apache/catalina/manager/HTMLManagerServlet.java
index 476366264..ee8be163e 100644
--- a/java/org/apache/catalina/manager/HTMLManagerServlet.java
+++ b/java/org/apache/catalina/manager/HTMLManagerServlet.java
@@ -110,9 +110,6 @@ public final class HTMLManagerServlet extends ManagerServlet {
 String command = request.getPathInfo();
 String path = request.getParameter("path");
- String deployPath = request.getParameter("deployPath");
- String deployConfig = request.getParameter("deployConfig");
- String deployWar = request.getParameter("deployWar");
 // Prepare our output writer to generate the response message
 response.setContentType("text/html; charset=" + Constants.CHARSET);
@@ -121,16 +118,8 @@ public final class HTMLManagerServlet extends ManagerServlet {
 // Process the requested command
 if (command == null || command.equals("/")) {
 // No command == list
- } else if (command.equals("/deploy")) {
- message = deployInternal(deployConfig, deployPath, deployWar);
 } else if (command.equals("/list")) {
 // List always displayed - nothing to do here
- } else if (command.equals("/reload")) {
- message = reload(path);
- } else if (command.equals("/undeploy")) {
- message = undeploy(path);
- } else if (command.equals("/expire")) {
- message = expireSessions(path, request);
 } else if (command.equals("/sessions")) {
 try {
 doSessions(path, request, response);
@@ -140,10 +129,12 @@ public final class HTMLManagerServlet extends ManagerServlet {
 message =
 sm.getString("managerServlet.exception", e.toString());
 }
- } else if (command.equals("/start")) {
- message = start(path);
- } else if (command.equals("/stop")) {
- message = stop(path);
+ } else if (command.equals("/upload") || command.equals("/deploy") ||
+ command.equals("/reload") || command.equals("/undeploy") ||
+ command.equals("/expire") || command.equals("/start") ||
+ command.equals("/stop")) {
+ message =
+ sm.getString("managerServlet.postCommand", command);
 } else {
 message =
 sm.getString("managerServlet.unknownCommand", command);
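Review bot: The new rejection branch for the POST-only commands answers a GET with a normal 200 page and only a FAIL line in `message`; a scripted client that was relying on the old GET URLs gets no protocol-level signal, so consider `response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);` before the page is rendered, if a non-200 body is acceptable for the HTML UI. The seven command names spelled out in this condition are the same set dispatched in doPost, so holding them once in a `private static final Set<String>` would keep the two lists from drifting apart. As with the pre-existing unknownCommand branch, `command` is request-controlled path text that ends up in the page; whether the rendering code escapes it is not visible here and is worth confirming. The enclosing if-chain continues outside the hunk.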
@@ -170,15 +161,38 @@ public final class HTMLManagerServlet extends ManagerServlet {
 // be configured in web.xml
 String command = request.getPathInfo();
- if (command == null || !command.equals("/upload")) {
- doGet(request,response);
- return;
- }
+ String path = request.getParameter("path");
+ String deployPath = request.getParameter("deployPath");
+ String deployConfig = request.getParameter("deployConfig");
+ String deployWar = request.getParameter("deployWar");
 // Prepare our output writer to generate the response message
 response.setContentType("text/html; charset=" + Constants.CHARSET);
- String message = upload(request);
+ String message = "";
+
+ if (command == null || command.length() == 0) {
+ // No command == list
+ // List always displayed -> do nothing
+ } else if (command.equals("/upload")) {
+ message = upload(request);
+ } else if (command.equals("/deploy")) {
+ message = deployInternal(deployConfig, deployPath, deployWar);
+ } else if (command.equals("/reload")) {
+ message = reload(path);
+ } else if (command.equals("/undeploy")) {
+ message = undeploy(path);
+ } else if (command.equals("/expire")) {
+ message = expireSessions(path, request);
+ } else if (command.equals("/start")) {
+ message = start(path);
+ } else if (command.equals("/stop")) {
+ message = stop(path);
+ } else {
+ // Try GET
+ doGet(request,response);
+ return;
+ }
 list(request, response, message);
 }
@@ -1021,12 +1035,10 @@ public final class HTMLManagerServlet extends ManagerServlet {
 private static final String STARTED_DEPLOYED_APPS_ROW_BUTTON_SECTION =
 " \n" +
- " \n" +
- "  {1} \n" +
- "  {3} \n" +
- "  {5} \n" +
- "  {7} \n" +
- " \n" +
+ "  {1} \n" +
+ "
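Review bot: The dispatch added to doPost runs deploy, undeploy, reload, expire, start and stop on nothing more than the request method, so a cross-origin page that auto-submits a form to the manager still succeeds because the browser attaches the victim's cached credentials to the POST; moving off GET only closes the link/image vector, as the commit message itself concedes. A per-session token generated with `SecureRandom` when the list page is rendered, embedded as a hidden field in each form, and compared in doPost before any branch of the chain below is what actually blocks the forged request; the no-command case that merely lists can stay exempt. The rewritten prefix is sketched below; NONCE_ATTRIBUTE, NONCE_PARAMETER and the managerServlet.csrfFailed key are new names to declare alongside it, and the form templates that would carry the hidden field live in the other hunks. doPost's signature is outside this hunk.
```java
        String command = request.getPathInfo();
        // Refuse state-changing commands unless the POST carries the token that
        // list() stored in the session and placed in every form as a hidden field
        HttpSession session = request.getSession(false);
        String expected = (session == null) ? null : (String) session.getAttribute(NONCE_ATTRIBUTE);
        String submitted = request.getParameter(NONCE_PARAMETER);
        if (command != null && command.length() > 0 &&
                (expected == null || !expected.equals(submitted))) {
            list(request, response, sm.getString("managerServlet.csrfFailed"));
            return;
        }
        // … unchanged: parameter extraction and command dispatch …
```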
\n" + + "
\n" + + "
\n" + "
\n" + @@ -1040,34 +1052,28 @@ public final class HTMLManagerServlet extends ManagerServlet { private static final String STOPPED_DEPLOYED_APPS_ROW_BUTTON_SECTION = " \n" + - " \n" + - "  {1} \n" + - "  {3} \n" + - "  {5} \n" + - "  {7} \n" + - " \n" + + "
\n" + + "  {3} \n" + + "  {5} \n" + + "
\n" + "
\n" + - " \n" + - "  {1} \n" + - "  {3} \n" + - "  {5} \n" + - "  {7} \n" + - " \n" + + "  {1} \n" + + "
\n" + + "
\n" + + "  {7} \n" + "
\n" + - " \n" + - "  {1} \n" + - "  {3} \n" + - "  {5} \n" + - "  {7} \n" + - " \n" + + "
\n" + + "  {3} \n" + + "  {5} \n" + + "  {7} \n" + "