ViewStatusMessagesServlet requires method POST for button 'Clear' (#971)

rw7 · web-flow · commit c76fed3c01f3 · 2025-09-29T19:28:57.000+02:00
The button 'Clear' has a side-effect and should not work with GET, as GET is considered a Safe Method not taking an action other than retrieval. https://www.rfc-editor.org/rfc/rfc2616#section-9.1.1 I'd like to restrict users from doing any changes by restricting them to method GET. With that said one might consider this change as a security fix. Signed-off-by: Ralf Wiebicke <ralf.wiebicke@exedio.com>
diff --git a/logback-core/src/main/java/ch/qos/logback/core/status/ViewStatusMessagesServletBase.java b/logback-core/src/main/java/ch/qos/logback/core/status/ViewStatusMessagesServletBase.java
@@ -62,7 +62,7 @@ protected void service(HttpServletRequest req, HttpServletResponse resp) throws
         output.append("<input type=\"submit\" name=\"" + SUBMIT + "\" value=\"" + CLEAR + "\">");
         output.append("</form>\r\n");
 
-        if (CLEAR.equalsIgnoreCase(req.getParameter(SUBMIT))) {
+        if ("POST".equals(req.getMethod()) && CLEAR.equalsIgnoreCase(req.getParameter(SUBMIT))) {
             sm.clear();
             sm.add(new InfoStatus("Cleared all status messages", this));
         }

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ protected void service(HttpServletRequest req, HttpServletResponse resp) throws`
`62`	`62`	`output.append("<input type=\"submit\" name=\"" + SUBMIT + "\" value=\"" + CLEAR + "\">");`
`63`	`63`	`output.append("</form>\r\n");`
`64`	`64`
`65`		`- if (CLEAR.equalsIgnoreCase(req.getParameter(SUBMIT))) {`
	`65`	`+ if ("POST".equals(req.getMethod()) && CLEAR.equalsIgnoreCase(req.getParameter(SUBMIT))) {`
`66`	`66`	`sm.clear();`
`67`	`67`	`sm.add(new InfoStatus("Cleared all status messages", this));`
`68`	`68`	`}`