[Buildbot-commits] [Buildbot] #1926: GET requests on target URLs of POST forms should be refused
    Buildbot trac (trac at buildbot.net)
    Tue Jan 14 06:39:00 UTC 2014

#1926: GET requests on target URLs of POST forms should be refused
------------------------+---------------------
Reporter:  pitrou       |       Owner:
    Type:  enhancement  |      Status:  closed
Priority:  minor        |   Milestone:  0.9.0
 Version:  0.8.3        |  Resolution:  fixed
Keywords:  web          |
------------------------+---------------------
Changes (by dustin):
 * status:  new => closed
 * resolution:   => fixed
Old description:
> At python.org we started having log entries like the following:
>
> {{{
> X.Y.Z.W - - [11/Apr/2011:11:44:10 +0200] "GET
> /dev/buildbot/all/builders/x86%20debian%20parallel%203.x/builds/1940/rebuild
> HTTP/1.1" 302 278 "http://www.python.org/dev/buildbot/all/builders/x86
> debian parallel 3.x/builds/1940" "WebReaper [support at webreaper.net]"
> }}}
>
> This triggered lots of spurious rebuilds. Since the "rebuild" form
> normally uses the POST method, it means the above bot/crawler is
> ill-behaved. Refusing GET requests on the rebuild URL (and other ones)
> would easily defend against such crawlers, and prevent rebuilds from
> polluting the build history.
New description:
 At python.org we started having log entries like the following:
 {{{
 X.Y.Z.W - - [11/Apr/2011:11:44:10 +0200] "GET
 /dev/buildbot/all/builders/x86%20debian%20parallel%203.x/builds/1940/rebuild
 HTTP/1.1" 302 278 "http://www.python.org/dev/buildbot/all/builders/x86
 debian parallel 3.x/builds/1940" "WebReaper [support at webreaper.net]"
 }}}
 This triggered lots of spurious rebuilds. Since the "rebuild" form
 normally uses the POST method, it means the above bot/crawler is
 ill-behaved. Refusing GET requests on the rebuild URL (and other ones)
 would easily defend against such crawlers, and prevent rebuilds from
 polluting the build history.
--
Comment:
 This is the case in rest.py, now.  POST is for JSONAPI, and GET only
 reads.
-- 
Ticket URL: <http://trac.buildbot.net/ticket/1926#comment:4>
Buildbot <http://buildbot.net/>
Buildbot: build/test automation
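
The defence requested in this ticket, as an added example that is not Buildbot's code: a generic WSGI middleware that answers 405 to any non-POST request on a state-changing URL, so the crawler's GET from the log above would never reach the rebuild handler. The names `ACTION_SEGMENTS`, `RefuseGetOnActions`, `demo_app` and `request` are assumptions, and only the `rebuild` segment comes from the ticket.

```python
# Assumption: final path segments that change state. Only "rebuild" is named
# on the ticket; "stop" and "force" are hypothetical placeholders.
ACTION_SEGMENTS = {"rebuild", "stop", "force"}


def is_action_path(path):
    """True if the URL's final segment names a state-changing action."""
    # PATH_INFO is already percent-decoded by the WSGI server, so no unquote.
    segments = [s for s in path.split("/") if s]  # tolerates a trailing "/"
    return bool(segments) and segments[-1] in ACTION_SEGMENTS


class RefuseGetOnActions:
    """WSGI middleware: action URLs accept POST only; other URLs pass through."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if is_action_path(environ.get("PATH_INFO", "")) and method != "POST":
            body = b"This URL only accepts POST.\n"
            start_response("405 Method Not Allowed", [
                ("Allow", "POST"),  # tells well-behaved clients what is accepted
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real web status application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def request(app, method, path):
    """Drive a WSGI app once and return (status line, headers dict)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return seen["status"], seen["headers"]


guarded = RefuseGetOnActions(demo_app)
```

Refusing the method only stops clients that follow links; a POST-only action still needs authentication and CSRF protection against requests a browser is tricked into sending.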
    
    