Avoid protocol relative redirects · apache/tomcat@bb4624a · GitHub
Avoid protocol relative redirects
markt-asf committed Aug 22, 2023
1 parent 7d3142f commit bb4624a
Showing 2 changed files with 9 additions and 0 deletions.
6 changes: 6 additions & 0 deletions java/org/apache/catalina/authenticator/FormAuthenticator.java
Expand Up @@ -747,6 +747,12 @@ protected String savedRequestURL(Session session) {
sb.append('?');
sb.append(saved.getQueryString());
}

// Avoid protocol relative redirects
while (sb.length() > 1 && sb.charAt(1) == '/') {
sb.deleteCharAt(0);
}

return sb.toString();
}
}
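Review bot: the added loop strips leading slashes only while the second character is also '/', so a saved request URL such as "//other.example/path" (or "///path") is reduced to a single-slash, same-origin path before it is returned for the redirect, and the `sb.length() > 1` guard leaves a bare "/" untouched; that is the right shape. Two suggestions: expand the one-line comment to state why ("a location starting with // is scheme-relative and would send the client to a different host"), and add a unit test for savedRequestURL() covering "/", "//host/x" and "///x" so the normalisation is pinned down rather than implied.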
3 changes: 3 additions & 0 deletions webapps/docs/changelog.xml
Expand Up @@ -117,6 +117,9 @@
Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes
and KiB for 1024 bytes rather than MB and kB. (martk)
</fix>
<fix>
Avoid protocol relative redirects in FORM authentication. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
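Review bot: the new changelog entry says what was fixed but not where; since the only code file touched is FormAuthenticator, consider naming it so readers can locate the change, e.g. `Avoid protocol relative redirects in FORM authentication (FormAuthenticator.savedRequestURL()). (markt)`.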