On Tue, 20 Sep 2011, Samuele Kaplun wrote:

> Indeed, I was personally not aware of that when we suggested you use
> it. The blocking of POST requests was explicitly introduced as part of
> the commit:
>
> <http://invenio-software.org/repo/invenio/commit/?id=7f25178b7da8202c5b85505da248c777db6dcc16>
>
> I am not fully aware if this is still needed today; maybe Tibor might
> wish to comment on this.
Yes, this was done because in the past several semi-malicious, semi-script-kiddie users tried to mine information out of the DB while at the same time concealing their search strings from the Apache logs. While we publicise only the GET method for /search pages, they figured out that our search pages work with POST requests as well, and they were using these to semi-bombard our servers while trying to conceal what they searched for in that way. So we decided to block POST requests to dissuade these practices at the time.

Best regards
--
Tibor Simko
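The mechanism behind Tibor's explanation is worth seeing concretely: an Apache access log records only the request line (method, path, query string), so a query sent as a GET parameter is logged while the same query sent in a POST body is not. The following is an added example, not Invenio's code and not the commit linked above: a generic WSGI middleware that rejects non-GET/HEAD requests to a search prefix with 405 and an Allow header, alongside a helper that builds the request-line part of an Apache-style log entry so the difference in what survives in the log is visible. The `/search` prefix, the toy `search_app`, and the constructed requests are assumptions for illustration.

```python
"""Reject POST to a search endpoint and show what each method leaves in the log.

Added illustration; not Invenio's own code. The search prefix and the toy
search handler are assumptions made for the example.
"""
from io import BytesIO
from wsgiref.util import setup_testing_defaults

SEARCH_PREFIX = "/search"  # hypothetical path prefix (assumption)
ALLOWED_METHODS = ("GET", "HEAD")


def block_post_to_search(app):
    """Wrap a WSGI app so that any non-GET/HEAD request under the search
    prefix is answered with 405 Method Not Allowed and an Allow header,
    forcing clients to put the query in the URL where the access log sees it."""
    def wrapper(environ, start_response):
        if (environ["PATH_INFO"].startswith(SEARCH_PREFIX)
                and environ["REQUEST_METHOD"] not in ALLOWED_METHODS):
            body = b"405 Method Not Allowed: use GET for search\n"
            start_response("405 Method Not Allowed", [
                ("Content-Type", "text/plain"),
                ("Allow", ", ".join(ALLOWED_METHODS)),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return wrapper


def search_app(environ, start_response):
    """Toy search handler standing in for a real one (constructed)."""
    body = b"results for: " + environ.get("QUERY_STRING", "").encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def access_log_line(environ, status):
    """Build the request-line and status fields of an Apache common-log
    entry ("%r" and "%>s"). Only method, path and query string appear;
    the request body is never logged, so a POSTed query leaves no trace."""
    target = environ["PATH_INFO"]
    if environ.get("QUERY_STRING"):
        target += "?" + environ["QUERY_STRING"]
    return '"%s %s %s" %s' % (environ["REQUEST_METHOD"], target,
                              environ["SERVER_PROTOCOL"], status.split()[0])


def run(method, path, query="", body=b""):
    """Drive the wrapped app with a constructed request and return
    (status, headers, response body, log line)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": BytesIO(body),
    })
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    resp = b"".join(block_post_to_search(search_app)(environ, start_response))
    return captured["status"], captured["headers"], resp, access_log_line(environ, captured["status"])


if __name__ == "__main__":
    for args in (("GET", "/search", "p=ellis"),
                 ("POST", "/search", "", b"p=ellis"),
                 ("POST", "/submit", "", b"doc=1")):
        status, headers, _, log = run(*args)
        print(status, "|", log, "|", headers.get("Allow", "-"))
```

Running the block shows the GET query `p=ellis` inside the logged request line, while the POST carrying the same query is refused with 405 and its log line contains only `"POST /search HTTP/1.0"`; a POST to a path outside the prefix passes through untouched. In a real Apache deployment the same refusal can be expressed without application code using a `<Location /search>` block with `<LimitExcept GET HEAD>` and a deny directive, which is the natural place for such a policy today. Blocking POST does not by itself stop heavy query load; it only removes the cover of unlogged queries, so rate limiting and request logging should be considered separately.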
