Using GET and POST parameters in a single FORM - is this a security vulnerability?

Issue

<form method="POST" action="/context/someAction?X=GetValue">
<input type="text" name="X" value="PostValue">
<input type="submit" value="Send">
</form>

When submitting this form, the HttpServletRequest object contains both "GetValue" and "PostValue" for the field X.

req.getParameter("X") returns "GetValue"
req.getParameterValues("X") returns ["GetValue","PostValue"]
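
The merge described above can be made visible to the application with a servlet filter. The following is an added example, not code from this article or from Red Hat: it rejects a form POST when the same parameter name arrives in both the query string and the body. The class name, the 400 response and the use of the javax.servlet namespace with Java 8 are assumptions (newer containers use jakarta.servlet).

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (the name is an assumption): rejects a form POST when a
// parameter name is supplied by both the query string and the request body.
public class MixedSourceParameterFilter implements Filter {
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String type = req.getContentType();
        String query = req.getQueryString();
        if ("POST".equals(req.getMethod()) && query != null && type != null
                && type.toLowerCase(Locale.ROOT).startsWith("application/x-www-form-urlencoded")) {
            // Count how often each name occurs in the query string alone.
            Map<String, Integer> inQuery = new HashMap<>();
            for (String pair : query.split("&")) {
                if (pair.isEmpty()) continue;
                String name;
                try { name = URLDecoder.decode(pair.split("=", 2)[0], "UTF-8"); }
                catch (IllegalArgumentException ex) { continue; } // malformed %xx escape
                inQuery.merge(name, 1, Integer::sum);
            }
            for (Map.Entry<String, Integer> e : inQuery.entrySet()) {
                // getParameterValues() returns query-string and body values merged,
                // so any surplus over the query-string count came from the body.
                String[] all = req.getParameterValues(e.getKey());
                if (all != null && all.length > e.getValue()) {
                    ((HttpServletResponse) rs).sendError(
                            HttpServletResponse.SC_BAD_REQUEST, "Ambiguous parameter source");
                    return;
                }
            }
        }
        chain.doFilter(rq, rs);
    }
}
```

Calling getParameterValues() makes the container parse the form body, so code further down the chain should read parameters through the request API rather than the raw input stream.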

Environment

JBoss Enterprise Platform (EAP) all versions
Tomcat all versions