Using GET and POST parameters in a single FORM - is this a security vulnerability?
Issue
<form method="POST" action="/context/someAction?X=GetValue">
<input type="text" name="X" value="PostValue">
<input type="submit" value="Send">
</form>
When submitting this form, the HttpServletRequest object contains both "GetValue" and "PostValue" for the field X.
req.getParameter("X") returns "GetValue"
req.getParameterValues("X") returns ["GetValue","PostValue"]
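The following is an added example, not code from the original article: a plain-Java helper (Java 10+) that reports which parameter names received values from both the URL and the POST body, using the merged view shown above. The class and method names are hypothetical; in a servlet the two inputs would be req.getQueryString() and req.getParameterMap(), and the body is assumed to be application/x-www-form-urlencoded.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class MixedSourceParams {

    // Count how many values each parameter name has in the raw query string.
    static Map<String, Integer> queryCounts(String queryString) {
        Map<String, Integer> counts = new HashMap<>();
        if (queryString == null || queryString.isEmpty()) return counts;
        for (String pair : queryString.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String rawName = eq >= 0 ? pair.substring(0, eq) : pair;
            // Names may be percent-encoded in the URL; compare decoded names.
            String name = URLDecoder.decode(rawName, StandardCharsets.UTF_8);
            counts.merge(name, 1, Integer::sum);
        }
        return counts;
    }

    // A name is "mixed" when the merged parameter map holds more values
    // for it than the query string alone supplied, i.e. the body added some.
    static Set<String> mixedSource(String queryString, Map<String, String[]> merged) {
        Set<String> mixed = new TreeSet<>();
        for (Map.Entry<String, Integer> e : queryCounts(queryString).entrySet()) {
            String[] all = merged.get(e.getKey());
            if (all != null && all.length > e.getValue()) mixed.add(e.getKey());
        }
        return mixed;
    }

    public static void main(String[] args) {
        // Constructed input mirroring the form above: X arrives in the URL
        // and in the body; Y (hypothetical) arrives in the body only.
        String query = "X=GetValue";
        Map<String, String[]> merged = new LinkedHashMap<>();
        merged.put("X", new String[] {"GetValue", "PostValue"});
        merged.put("Y", new String[] {"OnlyInBody"});
        System.out.println("Mixed-source parameters: " + mixedSource(query, merged));
    }
}
```

A filter or validation layer can log or reject requests for which this set is non-empty, so that code calling req.getParameter("X") never silently receives the URL value when the form field was intended.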
Environment
JBoss Enterprise Platform (EAP) all versions
Tomcat all versions