Reason to use GET vs POST? (discussion)

deprecated has asked for the wisdom of the Perl Monks concerning the following question:

I have been hassling with apple's bundled apache that comes with OS X Server. Its a run-of-the-mill 1.3.19 with a ton of extension to deal with everything from Apple's use of HFS+ (vs a case-sensitive file system) to their JSP stuff.

Anyhow, I spent several hours earlier today figuring out what was wrong with a script of mine. Turns out Apple saw fit to disable POST entirely, and my forms must use GET instead.

The reasoning for this totally boggles me. I cant think of any reasons, security or otherwise, for doing this. Has anyone got any ideas why they would do this?

Thanks
brother deprecated.

update:

i checked the <limit> tags, fixed the config file, and indeed it appears that POST has been disabled in the source. This is very irritating to the point I will be installing a separate apache instance on this box.

--
Laziness, Impatience, Hubris, and Generosity.

Comment on Reason to use GET vs POST? (discussion) Download Code

Replies are listed 'Best First'.
Re: Reason to use GET vs POST? (discussion) by Zaxo (Archbishop) on Sep 18, 2001 at 03:18 UTC
GET is necessary for cgi scripts which are to be static linked. Then, parameters may be passed from an ordinary anchor's href property, without the need of form submissions. Real security is no different from POST, but be aware that GET exploits can simply be typed into the browser's location line by someone who knows about url encoding. That makes them ripe for casual experimentation. After Compline, Zaxo	[reply]
Re: Reason to use GET vs POST? (discussion) by shotgunefx (Parson) on Sep 18, 2001 at 03:21 UTC
The only POST attack I can really think of is posting huge chunks of data to try and fill the filesystem where the processing program is storing it. The only remotely relavent vunerablility I know of is the Cross Protocol Scripting vunerability which in my opinion would be a bad reason to disable POSTs altogether. -Lee "To be civilized is to deny one's nature."	[reply]
Re: Re: Reason to use GET vs POST? (discussion) by Hero Zzyzzx (Curate) on Sep 18, 2001 at 03:35 UTC
Are you sure that it's totally disabled? Look at the `<LIMIT>` statements in your httpd.conf file, this is where you set whether or not a location can accept GET or POST requests. That truly sucks if you can only use GET. It's not more secure, but it's the only way to send largish amounts of data (like a file upload) to your script. . . If you're only going to do vanilla stuff, it's pretty easy to recompile apache, though I have no idea how this works on OS X -Any sufficiently advanced technology is indistinguishable from doubletalk.	[reply] [d/l]
Re: Re: Re: Reason to use GET vs POST? (discussion) by shotgunefx (Parson) on Sep 18, 2001 at 04:20 UTC
I agree. I can't imagine they disabled it in the source. -Lee "To be civilized is to deny one's nature."	[reply]
Re: Reason to use GET vs POST? (discussion) by dga (Hermit) on Sep 19, 2001 at 01:23 UTC
This would be very annoying if it's really turned off and not just disabled in the config file. At my site I take in POSTs with more than the max GET size allowed by the browsers, so a loss of POST functionality would make those forms break. Probably silently as well. GET has the other feature of cluttering up your log files with hoards of data that is being saved anyway. (the content of the form submission) So from a logging and feature fullness standpoint, I think POST has to be allowed for the Web Server to use. Of course with the Development CD you can get the C compiler and build an apache which will POST...	[reply]


"be consistent"
	PerlMonks