The Artima Developer Community
Java Buzz Forum
Incompetent Boobs Part 3

Elliotte Rusty Harold

Posts: 1573
Nickname: elharo
Registered: Apr, 2003

Elliotte Rusty Harold is an author, developer, and general kibitzer.
Incompetent Boobs Part 3 Posted: Jul 10, 2008 8:14 AM

This post originated from an RSS feed registered with Java Buzz by Elliotte Rusty Harold.
Original Post: Incompetent Boobs Part 3
Feed Title: Mokka mit Schlag
Feed URL: http://www.elharo.com/blog/feed/atom/?
Feed Description: Ranting and Raving

I’m beginning to feel like I can write this story on autopilot:

Our company's web site uses a content management system whose interface is all browser based. Turning the GSA loose on our web site using an administrative account ended up wiping out 85% of our web site's content through the execution of delete actions from web page links in the administrative interface of the content management system.

The CMS system we use is built in ColdFusion (which we're rapidly moving away from to .NET sometime next year). These ColdFusion pages have buttons / images all hyperlinked to perform different actions for content records, content folders, and unfortunately whole web site instances. One of these hyperlinked image buttons deletes the content when clicked, which the crawler furiously did last night.

And just in case anybody didn’t get the point the first two times I ran this story:

The problem, yet again, was that the Content Management System was designed by INCOMPETENT BOOBS, who didn’t know the difference between HTTP GET and HTTP DELETE. They had no business building a CMS for their church choir, much less a real business. And one more time, can someone explain to me why in 2008 anyone is still building their own CMS from scratch instead of customizing one of the many off-the-shelf open source solutions?

One more time: any operation that deletes a web page should be done with HTTP DELETE; or, if you must, with HTTP POST. However, you should never, never, never, never design a link that deletes a page with HTTP GET. Do not think your Intranet pages are safe. They aren't. Do not think robots.txt will protect you. It won't. Do not think usernames and passwords will protect you. They won't. Do not think nonces or referrer checks or JavaScript or proxy-busting query strings will protect you. They won't.

The only reliable way to implement delete is by using HTTP as it was intended to be used. GET for safe operations, and PUT, DELETE, and POST for unsafe ones.
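As an added illustration, not part of the original post or of the CMS it describes, here is a toy CMS in Python with two request handlers: the GET-triggered delete the story describes, and a version that honours method semantics. A simulated link-following crawler shows that the first loses every page and the second none. The names (broken_cms, fixed_cms, crawl) and the sample pages are made up for the example.

```python
import re

def make_store():
    # Constructed sample content for the toy CMS (not real data).
    return {"home": "Welcome", "about": "About us", "news": "Latest news"}

def broken_cms(store, method, path):
    """The design from the story: a plain hyperlink performs a delete."""
    m = re.match(r"^/delete\?id=(\w+)$", path)
    if method == "GET" and m:
        store.pop(m.group(1), None)          # GET with a destructive side effect
        return 200, "deleted"
    if method == "GET" and path == "/admin":
        return 200, "".join(f'<a href="/delete?id={k}">delete {k}</a>' for k in store)
    return 404, ""

def fixed_cms(store, method, path):
    """GET only reads; deletion requires DELETE (or POST from a form)."""
    page = re.match(r"^/pages/(\w+)$", path)
    via_post = re.match(r"^/pages/(\w+)/delete$", path)
    if (method == "DELETE" and page) or (method == "POST" and via_post):
        key = (page or via_post).group(1)
        return (200, "deleted") if store.pop(key, None) is not None else (404, "")
    if method == "GET" and path == "/admin":
        # Hyperlinks are safe to follow; the delete control is a POST form,
        # which a crawler does not submit.
        return 200, "".join(
            f'<a href="/pages/{k}">{k}</a>'
            f'<form method="post" action="/pages/{k}/delete"></form>' for k in store)
    if method == "GET" and page:
        return (200, store[page.group(1)]) if page.group(1) in store else (404, "")
    return (405 if page or via_post else 404), ""   # wrong method on a known route

def crawl(app, store, start="/admin"):
    """A well-behaved crawler: issues only GET and follows every href it sees."""
    seen, queue = set(), [start]
    while queue:
        path = queue.pop()
        if path in seen:
            continue
        seen.add(path)
        status, body = app(store, "GET", path)
        if status == 200:
            queue.extend(re.findall(r'href="([^"]+)"', body))
    return sorted(store)                         # what survived the crawl

if __name__ == "__main__":
    print("broken:", crawl(broken_cms, make_store()))   # []
    print("fixed:", crawl(fixed_cms, make_store()))     # ['about', 'home', 'news']
```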

