Details
-
Bug
-
Resolution: Done
-
Blocker
-
7.1.0.Alpha1
-
None
Description
While attempting to deploy a war using the console the following message is sent: -
POST /management HTTP/1.1 Host: localhost:9990 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-gb,en-us;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: keep-alive Content-Type: text/plain; charset=utf-8 Referer: http://localhost:9990/console/App.html Content-Length: 202 Pragma: no-cache Cache-Control: no-cache {"address":[{"deployment":"Cross.war"}],"operation":"add","runtime-name":"Cross.war","content":[{"hash":{"BYTES_VALUE":"2UgVrcmsy6irIWrPlGryiLL8xKs="}}],"name":"Cross.war"}
I am currently making some changes to the HTTP interface to prevent requests from specially constructed HTML FORMs so we are enforcing the Content-Type on the incoming request to either: -
application/json or application/dmr-encoded
Looking at the other requests from the console we seem to be preferring application/dmr-encoded so not sure if this is just an early operation not moved to dmr-encoded.
Attachments
Issue Links
- blocks
-
AS7-2400 Prevention of CSRF reqeusts being accepted and disabling cross-origin resource sharing for the HTTP interface
-
- Resolved
-
