[1405] in WWW Security List Archive


Re: POST vs. GET

daemon@ATHENA.MIT.EDU (Antonio Vasconcelos)
Tue Jan 9 06:50:10 1996

Date: Tue, 9 Jan 1996 10:39:01 GMT
To: "David W. Morris" <dwm@shell.portal.com>
From: Antonio Vasconcelos <vasco@bvl.pt>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

At 00:36 09-01-1996 -0800, David W. Morris wrote:
>The only sensitive data implications I'm aware of are from the fact
>that the GET URI encoded form data is generally logged in the
>various server log files and also often appears in the URL/URI
>window of the browser. I've used the term 'sensitive data' because
>one can hardly consider a switch to POST 'secure' but data will be
>less visible to unexpected observers.

Well, in this case I don't care if a POST can show the data to everyone;
what I'm worried about is whether a POST can be used to break into my server
better than a GET.
From what you're saying, then, the warning pop-ups in Netscape when POSTing
data but not when GETing data are only that: a warning that your data will
travel as clear text... Right?

>Secondly, there are apparently some browsers and also firewall 
>proxies or whatever which significantly limit the length of
>the URI.  Based on STML limits associated with HTML, there are
>element attribute value length limits. 

That's a good idea, but I don't think that's the case; the data is chopped
right at the first &0D&0A of the TEXTAREA.
Regards,

Antonio Vasconcelos @ The Lisbon $tock Exchange
..........................................................
vasco@bvl.pt, vasco@individual.puug.pt, postmaster@bvl.pt,
webmaster@bvl.pt, http://www.bvl.pt:8080/~vasco
..........................................................
TEL: +351-1-790-9904            Bolsa de Valores de Lisboa
FAX: +351-1-795-2026            R. Soeiro Pereira Gomes
                                1600 LISBOA
http://www.bvl.pt/              PORTUGAL
..........................................................
 All opinions are my own, my employer thinks I'm working
..........................................................
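To illustrate the two points made in the thread (GET form data lands in the URI and therefore in server logs, while POST carries it in the body; and a multi-line TEXTAREA is cut at the first CR LF unless it is percent-encoded as %0D%0A), here is a small added example. It is not part of the original mail; the form path, field values, client address and log format are constructed for the demonstration.

```python
from urllib.parse import urlencode, parse_qs

# Constructed sample form: a name field plus a multi-line TEXTAREA value.
FORM_FIELDS = {"user": "vasco", "comment": "line one\r\nline two"}


def build_get_request(path, fields):
    """Request line for a GET submission: the form data is percent-encoded
    into the URI, so the TEXTAREA's CR LF travels as %0D%0A."""
    return f"GET {path}?{urlencode(fields)} HTTP/1.0"


def build_post_request(path, fields):
    """(request line, body) for a POST submission: same encoding, but the
    data sits in the entity body, not in the URI."""
    return f"POST {path} HTTP/1.0", urlencode(fields)


def common_log_line(request_line, remote="203.0.113.5"):
    """Simulated Common Log Format entry: servers record the request line
    verbatim, which is why GET form data shows up in access logs."""
    return f'{remote} - - [09/Jan/1996:10:39:01 +0000] "{request_line}" 200 512'


def unencoded_get_request(path, fields):
    """Naive GET that pastes raw field values into the URI.  A server reads
    the request line only up to the first CR LF, so a multi-line TEXTAREA is
    chopped there (the symptom described in the mail)."""
    raw = "&".join(f"{k}={v}" for k, v in fields.items())
    request_line = f"GET {path}?{raw} HTTP/1.0"
    return request_line.split("\r\n", 1)[0]  # what the server actually parses


def decode_query(request_line):
    """Recover the form fields from a properly encoded GET request line."""
    query = request_line.split(" ")[1].partition("?")[2]
    return {k: v[0] for k, v in parse_qs(query).items()}


if __name__ == "__main__":
    get_line = build_get_request("/cgi-bin/form", FORM_FIELDS)
    post_line, post_body = build_post_request("/cgi-bin/form", FORM_FIELDS)
    print(common_log_line(get_line))   # comment text visible in the log
    print(common_log_line(post_line))  # only the path is logged
    print(repr(unencoded_get_request("/cgi-bin/form", FORM_FIELDS)))
```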


