Ticket #1926 (new enhancement)

Opened 2 years ago

Last modified 15 months ago

GET requests on target URLs of POST forms should be refused

Reported by: pitrou
Owned by:
Priority: minor
Milestone: 0.9.0
Version: 0.8.3
Keywords: web
Cc:

Description

At python.org we started having log entries like the following:

X.Y.Z.W - - [11/Apr/2011:11:44:10 +0200] "GET /dev/buildbot/all/builders/x86%20debian%20parallel%203.x/builds/1940/rebuild HTTP/1.1" 302 278 "http://www.python.org/dev/buildbot/all/builders/x86 debian parallel 3.x/builds/1940" "WebReaper [support@webreaper.net]"

This triggered lots of spurious rebuilds. Since the "rebuild" form normally uses the POST method, it means the above bot/crawler is ill-behaved. Refusing GET requests on the rebuild URL (and other ones) would easily defend against such crawlers, and prevent rebuilds from polluting the build history.

Change History

comment:1 Changed 2 years ago by dustin

  • Keywords web added
  • Type changed from undecided to enhancement
  • Milestone changed from undecided to 0.8.+

This is not a bad idea, but it's probably a better idea to password-protect such forms.

comment:2 Changed 15 months ago by dustin

  • Milestone changed from 0.8.+ to 0.9.0

This is quite a good idea, in fact. In general, we should be sure that URLs are careful about which verbs they respond to.
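As an added illustration of what the ticket and the comments above ask for (this is example code written for this page, not Buildbot's own request handling), the following stdlib-only Python shows the two halves of the defence: a dispatcher that answers 405 Method Not Allowed with an `Allow: POST` header whenever a state-changing URL such as the rebuild target is hit with any verb other than POST, and a scanner over combined-format access logs that flags the non-POST hits so an operator can see which crawler is misbehaving. The route patterns in `STATE_CHANGING_PATHS`, the function names and the sample log lines (IPs from the documentation range 192.0.2.0/24) are all constructed for this example; only the first log line mirrors the one in the ticket.

```python
"""Added example (not Buildbot's code): refuse unsafe HTTP verbs on
state-changing endpoints and flag offending requests in access logs."""
import re
from http import HTTPStatus
from urllib.parse import unquote, urlsplit

# Hypothetical routing table of paths that change server state. Constructed
# for this example; Buildbot's real URL layout is not reproduced here.
STATE_CHANGING_PATHS = [
    re.compile(r"^/dev/buildbot/all/builders/[^/]+/builds/\d+/rebuild$"),
    re.compile(r"^/dev/buildbot/all/builders/[^/]+/force$"),
]


def normalize_path(raw_target):
    """Drop the query string and percent-decode before matching routes,
    so /x86%20debian/... and /x86 debian/... are the same endpoint."""
    return unquote(urlsplit(raw_target).path)


def is_state_changing(raw_target):
    path = normalize_path(raw_target)
    return any(pattern.match(path) for pattern in STATE_CHANGING_PATHS)


def dispatch(method, raw_target):
    """Return (status, headers) for a request. State-changing endpoints accept
    POST only; any other verb gets 405 plus an Allow header, so a crawler that
    follows links with GET cannot trigger the action."""
    if not is_state_changing(raw_target):
        return HTTPStatus.OK, {}
    if method.upper() != "POST":
        return HTTPStatus.METHOD_NOT_ALLOWED, {"Allow": "POST"}
    # A real handler would queue the rebuild here; this example only issues
    # the redirect back to the build page that the ticket's log line shows.
    parent = normalize_path(raw_target).rsplit("/", 1)[0]
    return HTTPStatus.FOUND, {"Location": parent}


# Combined log format, the layout of the line quoted in the ticket.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_unsafe_hits(log_lines):
    """Return (ip, user_agent, path) for every non-POST request that reached a
    state-changing endpoint, so operators can spot ill-behaved crawlers."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] != "POST" and is_state_changing(m["target"]):
            hits.append((m["ip"], m["ua"], normalize_path(m["target"])))
    return hits


# Constructed sample log: the first line mirrors the ticket (IP replaced by a
# documentation-range placeholder), the others are a legitimate POST and a
# harmless GET of the build page.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Apr/2011:11:44:10 +0200] "GET /dev/buildbot/all/builders/x86%20debian%20parallel%203.x/builds/1940/rebuild HTTP/1.1" 302 278 "http://www.python.org/dev/buildbot/all/builders/x86 debian parallel 3.x/builds/1940" "WebReaper [support@webreaper.net]"',
    '192.0.2.11 - - [11/Apr/2011:11:45:02 +0200] "POST /dev/buildbot/all/builders/x86%20debian%20parallel%203.x/builds/1940/rebuild HTTP/1.1" 302 278 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [11/Apr/2011:11:46:30 +0200] "GET /dev/buildbot/all/builders/x86%20debian%20parallel%203.x/builds/1940 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ua, path in find_unsafe_hits(SAMPLE_LOG):
        print(f"{ip} {ua!r} hit {path} with a non-POST verb")
```

Matching on the decoded path matters: the crawler in the ticket requested the rebuild URL with `%20` in it, and a route check done on the raw target would miss it. The 405 response is what makes the form's verb restriction enforceable; the log scan is the detection side, useful for confirming after the fact that the refusal is working and for identifying a crawler to block at the proxy. Password-protecting the form, as comment 1 suggests, is complementary rather than a replacement: it stops unauthenticated clients, while the verb check stops authenticated browsers from being tricked into a state change by a plain link.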
