This project is read-only.


Orchard violates HTTP GET verb


The GET verb protocol should only get data and never modify or delete data. Calling GET twice in a row should always return the same result. Orchard violates this by allowing Edit and Delete through GET requests. For example (from IIS logs):
GET /admin/navigation/delete/370
GET /admin/contents/unpublish/83
GET /admin/contents/remove/83
GET /admin/contents/edit/165

We made the unfortunate mistake of giving our search crawler edit access and everything in our site got deleted because the crawler found the delete URLs and executed them as a GET. The GET request should not have modified data, and if Orchard had followed standard protocols, we may have had a lot of unfortunate content, but we at least would not have had our content wiped out.
Closed May 14, 2013 at 9:01 PM by sebastienros


Piedone wrote May 8, 2013 at 11:08 PM

Naturally those actions are only reachable through a POST request (the methods have the [HttpPost] attribute) and no altering action is exposed as GET. There is something missing here.

sebastienros wrote May 9, 2013 at 3:14 AM

I agree with Piedone, these requests can't work, even as admin.

BertrandLeRoy wrote May 9, 2013 at 9:18 PM

@wslyhbb: please explain how you got those GET requests to work.

wslyhbb wrote May 10, 2013 at 2:15 PM

Hi Bertrand,
I do see the HttpPost attribute and understand it is not possible. I also grabbed the URL from the delete button and pasted in the URL and got a 404. I went back to the logs where I saw those requests and I do see they got 404s as well, so I continued looking through the log and figured out what the issue was. We are using Iroo Version Manager:, and it was this that had Deletes that did work with a GET request.

/admin/iroo.versionmanager/delete/1598, this returns a 302. I tested it manually and it does delete the item and the 302 is it redirecting to the Recycle Bin.

sebastienros wrote May 14, 2013 at 9:04 PM

Please file a bug against IROO, or make a better module, it can be enhanced. Renaud will ignore the bug but because it's open source you could fix it.