[Trac] URL calls - Are all of Trac's GET methods safe & idempotent?
Christopher Lenz
cmlenz at gmx.de
Fri Aug 5 08:15:26 CDT 2005
Hi Jeoff,
On 05.08.2005 at 13:59, Jeoff Wilks wrote:
> There have been a couple questions on the list about making "URL
> calls" to Trac - to create tickets, change tickets, etc. By "URL
> call" people are perhaps referring to GET methods (all parameters
> are in the query string, so a form is not required). The only
> problem is, the HTTP RFC forbids GET methods from changing data on
> the server [1], and the Trac developers generally seem to follow
> the rules.
>
> Trac developers, is that intentional? I thought I read on the list
> at some point that it's a conscious decision, but I couldn't find
> anything obvious in the list archive or project wiki.
Yes, that's intentional. In 0.9.pre, we only allow modification of
resources for POST requests. That improves protection against attacks
generally known as Cross-site request forgery (CSRF), which is rather
important for sites where anonymous users can include images and
snippets of HTML in pages. This was done in changeset [1701]:
<http://projects.edgewall.com/trac/changeset/1701>
Prior to this change, Trac was using but not enforcing use of the
POST method.
Cheers,
Chris
--
Christopher Lenz
cmlenz at gmx.de
http://www.cmlenz.net/
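The rule Chris describes (state changes honoured only on POST, so a bare URL fetched by a browser cannot create or modify a ticket), shown as an added example. This is not Trac's code; the in-memory store, action names and parameters are constructed for illustration.

```python
"""Model of the rule Trac 0.9 adopted in changeset [1701]: requests that
change state are only honoured when sent with POST.  Added example; not
Trac's own code.  The store, actions and parameters are constructed."""

from typing import Dict, Tuple

# Constructed in-memory ticket store standing in for Trac's database.
TICKETS: Dict[int, dict] = {}

# Read-only actions are safe and idempotent, so GET is fine for them.
# Anything that creates or modifies a resource is a mutating action.
MUTATING_ACTIONS = {"newticket", "modify"}


def reset() -> None:
    """Clear the constructed store between demonstrations."""
    TICKETS.clear()


def handle_request(method: str, action: str, params: dict) -> Tuple[int, str]:
    """Dispatch one request and return (HTTP status, body)."""
    if action in MUTATING_ACTIONS and method != "POST":
        # Enforcing POST means a bare URL, such as one embedded in an <img>
        # tag on an anonymously editable wiki page, cannot change a ticket
        # just by being fetched by a logged-in user's browser.
        return 405, "%s requires POST" % action
    if action == "view":
        tid = int(params["id"])
        if tid not in TICKETS:
            return 404, "no such ticket"
        return 200, "ticket %d: %s" % (tid, TICKETS[tid]["summary"])
    if action == "newticket":
        tid = len(TICKETS) + 1
        TICKETS[tid] = {"summary": params["summary"], "status": "new"}
        return 201, "created ticket %d" % tid
    if action == "modify":
        tid = int(params["id"])
        if tid not in TICKETS:
            return 404, "no such ticket"
        TICKETS[tid]["status"] = params["status"]
        return 200, "updated ticket %d" % tid
    return 404, "unknown action"


def demo() -> Tuple[int, int, int]:
    """Show the difference: a GET 'URL call' is refused, a POST is honoured."""
    reset()
    get_status, _ = handle_request("GET", "newticket", {"summary": "via URL"})
    post_status, _ = handle_request("POST", "newticket", {"summary": "via form"})
    return get_status, post_status, len(TICKETS)
```

Requiring POST closes the image-tag vector described in the reply; it does not by itself stop a page that auto-submits a form, which is why later CSRF defences also bind each mutating request to a per-session token.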