Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
Servlets Post 2.1.0
-
None
Description
In certain situations a POST request is accompanied with request parameters that are to be ignored. Currently the Sling POST Servlet has two mechanisms to handle such parameters:
- any parameter starting with a colon ( is ignored, e.g. :operation
- only parameters starting with "./" are considered if at least one parameter has this format
In certain situations, more parameters might be submitted ending in the POST Servlet and then being written to the repository. For example if a user tries to authenticated with form based authentication supplying j_username and j_password parameters then if the Sling POST Servlet is erroneously hit, these values might get written to the repository.
We should add functionality to specify regular expressions for parameters which are to be ignored (apart from the existing mechanism). The default would be "j_.*" to ignore any parameters starting with j_ generally used for authentication