  1. Jenkins
  2. JENKINS-59514

Use @POST instead of @RequirePOST for form submission endpoints

    Details

    • Released As:
      jenkins-2.198

      Description

      Jenkins should not allow "attempt with POST" resubmissions of GET requests to form submission endpoints. They usually expect a form (getSubmittedForm / structured form submission), with unexpected results when submission without a form is attempted (typically an exception stack trace, but who knows…).


          Activity

          jimklimov Jim Klimov added a comment -

          As long as this does not block "form"al resubmission suggestions for GET URLs, like below, this is LGTM

          ````
          This URL requires POST

          The URL you're trying to access requires that requests be sent using POST (like a form submission).
          The button below allows you to retry accessing this URL using POST. URL being accessed:

          https://jenkins.domain/quietDown

          If you were sent here from an untrusted source, please proceed with caution.
          ````

          With a 2.198 weekly running, this seems to still work.

          danielbeck Daniel Beck added a comment -

          This change is only about endpoints that inherently cannot support this kind of use.

          danielbeck Daniel Beck added a comment -

          Specifically, any URL that server-side then calls StaplerRequest#getSubmittedForm.
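
          An added example, not code from Jenkins or from this issue, contrasting the two annotations on an endpoint that calls StaplerRequest#getSubmittedForm. The NoteAction class, its URLs and the `text` form field are hypothetical.

```java
// Added illustration; NoteAction and its endpoints are hypothetical, not Jenkins code.
import hudson.Extension;
import hudson.model.RootAction;
import javax.servlet.ServletException;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.kohsuke.stapler.verb.POST;

@Extension
public class NoteAction implements RootAction {
    private volatile String note = "";

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Note"; }
    @Override public String getUrlName() { return "note"; }

    public String getNote() { return note; }

    // Before: a GET to /note/saveLegacy renders the "This URL requires POST"
    // page. Its retry button POSTs without a structured form, so
    // getSubmittedForm() below has nothing to parse and the request fails.
    @RequirePOST
    public HttpResponse doSaveLegacy(StaplerRequest req) throws ServletException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return save(req.getSubmittedForm());
    }

    // After: with @POST, Stapler only dispatches POST requests to this method
    // and no retry page is offered, so a GET can no longer be turned into a
    // formless POST through the retry button.
    @POST
    public HttpResponse doSave(StaplerRequest req) throws ServletException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return save(req.getSubmittedForm());
    }

    private HttpResponse save(JSONObject form) {
        note = form.optString("text");
        return HttpResponses.redirectToDot();
    }
}
```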


            People

            • Assignee:
              danielbeck Daniel Beck
              Reporter:
              danielbeck Daniel Beck