
February 21, 2004

Don’t GET it!

Quite by accident, I discovered that one can post comments to MovableType blogs using HTTP GET requests (instead of the normal POST requests). The implications of this are, to say the least, a little worrisome.

Trackback Pings can also be sent using GET, even though that behaviour was supposed to have been removed from MovableType over a year ago.

Note: in older versions of the TrackBack specification, pings are sent using HTTP GET requests. This behavior is deprecated; support for GET requests will be removed from the Movable Type implementation in January of 2003.

Here’s a patch to fix both problems.

As usual, if you’re using MT-Blacklist, you need to apply the patches to MTBlPost.pm and MTBlPing.pm instead.
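A detection-side companion to the fix, as an added example (not the patch linked above and not Movable Type code): it scans web server access logs for GET requests that carry comment or TrackBack submission fields. The script names `mt-comments.cgi` and `mt-tb.cgi`, the field names, and the log lines are assumptions and constructed samples; renamed scripts need their own entries.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed script names (sites often rename them) mapped to the kind of submission.
SUBMIT_SCRIPTS = {"mt-comments.cgi": "comment", "mt-tb.cgi": "trackback"}
# Assumed field names that mark a submission rather than an ordinary page view.
SUBMIT_FIELDS = {
    "comment": {"text", "author"},
    "trackback": {"url", "title", "excerpt", "blog_name"},
}
# NCSA/Apache log prefix: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

def find_get_submissions(lines):
    """Return (host, time, kind, status) for GETs that carry submission fields."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host, when, method, target, status = m.groups()
        if method != "GET":
            continue  # POST is the intended way to submit
        parts = urlsplit(target)
        # TrackBack URLs append /<id> after the script, so check every path segment.
        kind = next((SUBMIT_SCRIPTS[s] for s in parts.path.split("/")
                     if s in SUBMIT_SCRIPTS), None)
        if kind is None:
            continue
        fields = set(parse_qs(parts.query, keep_blank_values=True))
        if fields & SUBMIT_FIELDS[kind]:
            hits.append((host, when, kind, int(status)))
    return hits

# Constructed sample log lines (documentation address ranges, made-up entry ids).
SAMPLE = [
    '192.0.2.10 - - [21/Feb/2004:01:10:00 -0600] "GET /cgi-bin/mt-comments.cgi?entry_id=315&author=a&text=hello HTTP/1.1" 200 512',
    '192.0.2.11 - - [21/Feb/2004:01:11:00 -0600] "POST /cgi-bin/mt-comments.cgi HTTP/1.1" 302 0',
    '192.0.2.12 - - [21/Feb/2004:01:12:00 -0600] "GET /cgi-bin/mt-comments.cgi?entry_id=315 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [21/Feb/2004:01:13:00 -0600] "GET /cgi-bin/mt-tb.cgi/315?title=x&url=http%3A%2F%2Fexample.org%2F HTTP/1.0" 200 78',
    '198.51.100.8 - - [21/Feb/2004:01:14:00 -0600] "GET /cgi-bin/mt-tb.cgi/315?__mode=rss HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for hit in find_get_submissions(SAMPLE):
        print(hit)
```

A 2xx or 3xx status on a flagged line suggests the submission was accepted, which is the case the fix is meant to close.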

Posted by distler at February 21, 2004 1:42 AM
