Author: markt
Date: Sat Oct 10 21:54:54 2009
New Revision: 823962
URL: http://svn.apache.org/viewvc?rev=823962&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=40001
Use POST rather than GET for all operations that are not idempotent
Partly based on a patch suggested by Daniel Naber
Remove the "Are you sure?", partly due to lack of i18n support and since
(based on my recollection) as many people disliked the feature as liked it.
Provides a (very) small measure of CSRF protection but lays the foundation for
using a nonce with POST.
Modified:
tomcat/trunk/java/org/apache/catalina/manager/Constants.java
tomcat/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java
tomcat/trunk/java/org/apache/catalina/manager/LocalStrings.properties
Modified: tomcat/trunk/java/org/apache/catalina/manager/Constants.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/Constants.java?rev=823962&r1=823961&r2=823962&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/manager/Constants.java (original)
+++ tomcat/trunk/java/org/apache/catalina/manager/Constants.java Sat Oct 10
21:54:54 2009
@@ -27,7 +27,7 @@
"<html>\n" +
"<head>\n" +
"<style>\n" +
- org.apache.catalina.util.TomcatCSS.TOMCAT_CSS +
+ org.apache.catalina.util.TomcatCSS.TOMCAT_CSS + "\n" +
" table {\n" +
" width: 100%;\n" +
" }\n" +
@@ -92,6 +92,12 @@
" font-family:sans-serif,Tahoma,Arial;\n" +
" color: black;\n" +
" }\n" +
+ " form {\n" +
+ " margin: 1;\n" +
+ " }\n" +
+ " form.inline {\n" +
+ " display: inline;\n" +
+ " }\n" +
"</style>\n";
public static final String BODY_HEADER_SECTION =
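Review bot: The added `form { margin: 1; }` rule has a unitless non-zero length, which is not valid CSS; a browser rendering the page in standards mode drops the declaration, so the new inline forms get the user-agent default margin instead of the intended one. If the intent is a small gap, write `" margin: 1px;\n" +`; if the intent is to remove the default form margin, `" margin: 0;\n" +` (zero is the one value that may omit a unit). The `form.inline` rule that follows is fine as written.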
@@ -100,7 +106,7 @@
"\n" +
"<body bgcolor=\"#FFFFFF\">\n" +
"\n" +
- "<table cellspacing=\"4\" width=\"100%\" border=\"0\">\n" +
+ "<table cellspacing=\"4\" border=\"0\">\n" +
" <tr>\n" +
" <td colspan=\"2\">\n" +
" <a href=\"http://www.apache.org/\">\n" +
@@ -115,7 +121,7 @@
" </tr>\n" +
"</table>\n" +
"<hr size=\"1\" noshade=\"noshade\">\n" +
- "<table cellspacing=\"4\" width=\"100%\" border=\"0\">\n" +
+ "<table cellspacing=\"4\" border=\"0\">\n" +
" <tr>\n" +
" <td class=\"page-title\" bordercolor=\"#000000\" " +
"align=\"left\" nowrap>\n" +
Modified: tomcat/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java?rev=823962&r1=823961&r2=823962&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/manager/HTMLManagerServlet.java Sat
Oct 10 21:54:54 2009
@@ -110,9 +110,6 @@
String command = request.getPathInfo();
String path = request.getParameter("path");
- String deployPath = request.getParameter("deployPath");
- String deployConfig = request.getParameter("deployConfig");
- String deployWar = request.getParameter("deployWar");
// Prepare our output writer to generate the response message
response.setContentType("text/html; charset=" + Constants.CHARSET);
@@ -121,16 +118,8 @@
// Process the requested command
if (command == null || command.equals("/")) {
// No command == list
- } else if (command.equals("/deploy")) {
- message = deployInternal(deployConfig, deployPath, deployWar);
} else if (command.equals("/list")) {
// List always displayed - nothing to do here
- } else if (command.equals("/reload")) {
- message = reload(path);
- } else if (command.equals("/undeploy")) {
- message = undeploy(path);
- } else if (command.equals("/expire")) {
- message = expireSessions(path, request);
} else if (command.equals("/sessions")) {
try {
doSessions(path, request, response);
@@ -140,10 +129,12 @@
message = sm.getString("managerServlet.exception",
e.toString());
}
- } else if (command.equals("/start")) {
- message = start(path);
- } else if (command.equals("/stop")) {
- message = stop(path);
+ } else if (command.equals("/upload") || command.equals("/deploy") ||
+ command.equals("/reload") || command.equals("/undeploy") ||
+ command.equals("/expire") || command.equals("/start") ||
+ command.equals("/stop")) {
+ message =
+ sm.getString("managerServlet.postCommand", command);
} else {
message =
sm.getString("managerServlet.unknownCommand", command);
@@ -170,15 +161,38 @@
// be configured in web.xml
String command = request.getPathInfo();
- if (command == null || !command.equals("/upload")) {
- doGet(request,response);
- return;
- }
+ String path = request.getParameter("path");
+ String deployPath = request.getParameter("deployPath");
+ String deployConfig = request.getParameter("deployConfig");
+ String deployWar = request.getParameter("deployWar");
// Prepare our output writer to generate the response message
response.setContentType("text/html; charset=" + Constants.CHARSET);
- String message = upload(request);
+ String message = "";
+
+ if (command == null || command.length() == 0) {
+ // No command == list
+ // List always displayed -> do nothing
+ } else if (command.equals("/upload")) {
+ message = upload(request);
+ } else if (command.equals("/deploy")) {
+ message = deployInternal(deployConfig, deployPath, deployWar);
+ } else if (command.equals("/reload")) {
+ message = reload(path);
+ } else if (command.equals("/undeploy")) {
+ message = undeploy(path);
+ } else if (command.equals("/expire")) {
+ message = expireSessions(path, request);
+ } else if (command.equals("/start")) {
+ message = start(path);
+ } else if (command.equals("/stop")) {
+ message = stop(path);
+ } else {
+ // Try GET
+ doGet(request,response);
+ return;
+ }
list(request, response, message);
}
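Review bot: doPost now dispatches every state-changing command without verifying anything request-specific, so a form submitted from another origin can still drive deploy, undeploy, expire, start and stop; moving these off GET removes the link/image vector only, which the log message acknowledges as a foundation rather than a fix. The natural follow-up is to emit a per-session nonce as a hidden input in the POST forms of the *_ROW_BUTTON_SECTION constants below and compare it in doPost before the command chain, e.g. `if (!nonceMatches(request)) { message = sm.getString("managerServlet.badNonce"); list(request, response, message); return; }` with a matching key added to LocalStrings.properties. A smaller inconsistency: doPost treats an empty path as "no command" via `command.length() == 0`, while doGet uses `command.equals("/")`; a POST to "/" reaches the `else` branch and is forwarded to doGet, which is harmless but the two methods could share one predicate. The enclosing doPost method starts before this hunk; its signature and Javadoc are not visible here.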
@@ -1021,12 +1035,10 @@
private static final String STARTED_DEPLOYED_APPS_ROW_BUTTON_SECTION =
" <td class=\"row-left\" bgcolor=\"{13}\">\n" +
- " <small>\n" +
- " {1} \n" +
- " <a href=\"{2}\" onclick=\"return(confirm('''Are you
sure?'''))\">{3}</a> \n" +
- " <a href=\"{4}\" onclick=\"return(confirm('''Are you
sure?'''))\">{5}</a> \n" +
- " <a href=\"{6}\" onclick=\"return(confirm('''Are you
sure?'''))\">{7}</a> \n" +
- " </small>\n" +
+ " <small>{1}</small> \n" +
+ " <form class=\"inline\" method=\"POST\" action=\"{2}\"><small><input
type=\"submit\" value=\"{3}\"></small></form>\n" +
+ " <form class=\"inline\" method=\"POST\" action=\"{4}\"><small><input
type=\"submit\" value=\"{5}\"></small></form>\n" +
+ " <form class=\"inline\" method=\"POST\" action=\"{6}\"><small><input
type=\"submit\" value=\"{7}\"></small></form>\n" +
" </td>\n" +
" </tr><tr>\n" +
" <td class=\"row-left\" bgcolor=\"{13}\">\n" +
@@ -1040,34 +1052,28 @@
private static final String STOPPED_DEPLOYED_APPS_ROW_BUTTON_SECTION =
" <td class=\"row-left\" bgcolor=\"{13}\" rowspan=\"2\">\n" +
- " <small>\n" +
- " <a href=\"{0}\" onclick=\"return(confirm('''Are you
sure?'''))\">{1}</a> \n" +
- " {3} \n" +
- " {5} \n" +
- " <a href=\"{6}\" onclick=\"return(confirm('''Are you sure?
This will delete the application.'''))\">{7}</a> \n" +
- " </small>\n" +
+ " <form class=\"inline\" method=\"POST\" action=\"{0}\"><small><input
type=\"submit\" value=\"{1}\"></small></form>\n" +
+ " <small>{3}</small> \n" +
+ " <small>{5}</small> \n" +
+ " <form class=\"inline\" method=\"POST\" action=\"{6}\"><small><input
type=\"submit\" value=\"{7}\"></small></form>\n" +
" </td>\n" +
"</tr>\n<tr></tr>\n";
private static final String STARTED_NONDEPLOYED_APPS_ROW_BUTTON_SECTION =
" <td class=\"row-left\" bgcolor=\"{13}\" rowspan=\"2\">\n" +
- " <small>\n" +
- " {1} \n" +
- " <a href=\"{2}\" onclick=\"return(confirm('''Are you
sure?'''))\">{3}</a> \n" +
- " <a href=\"{4}\" onclick=\"return(confirm('''Are you
sure?'''))\">{5}</a> \n" +
- " {7} \n" +
- " </small>\n" +
+ " <small>{1}</small> \n" +
+ " <form class=\"inline\" method=\"POST\" action=\"{2}\"><small><input
type=\"submit\" value=\"{3}\"></small></form>\n" +
+ " <form class=\"inline\" method=\"POST\" action=\"{4}\"><small><input
type=\"submit\" value=\"{5}\"></small></form>\n" +
+ " <small>{7}</small> \n" +
" </td>\n" +
"</tr>\n<tr></tr>\n";
private static final String STOPPED_NONDEPLOYED_APPS_ROW_BUTTON_SECTION =
" <td class=\"row-left\" bgcolor=\"{13}\" rowspan=\"2\">\n" +
- " <small>\n" +
- " <a href=\"{0}\" onclick=\"return(confirm('''Are you
sure?'''))\">{1}</a> \n" +
- " {3} \n" +
- " {5} \n" +
- " {7} \n" +
- " </small>\n" +
+ " <form class=\"inline\" method=\"POST\" action=\"{0}\"><small><input
type=\"submit\" value=\"{1}\"></small></form>\n" +
+ " <small>{3}</small> \n" +
+ " <small>{5}</small> \n" +
+ " <small>{7}</small> \n" +
" </td>\n" +
"</tr>\n<tr></tr>\n";
Modified: tomcat/trunk/java/org/apache/catalina/manager/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/LocalStrings.properties?rev=823962&r1=823961&r2=823962&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/manager/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/catalina/manager/LocalStrings.properties Sat
Oct 10 21:54:54 2009
@@ -80,6 +80,7 @@
managerServlet.noSelf=FAIL - The manager can not reload, undeploy, stop, or
undeploy itself
managerServlet.noWrapper=Container has not called setWrapper() for this servlet
managerServlet.notDeployed=FAIL - Context {0} is defined in server.xml and may
not be undeployed
+managerServlet.postCommand=FAIL - Tried to use command {0} via a GET request
but POST is required
managerServlet.reloaded=OK - Reloaded application at context path {0}
managerServlet.undeployd=OK - Undeployed application at context path {0}
managerServlet.resourcesAll=OK - Listed global resources of all types