From c2f7ce21c3fb12caefee87c517a8bb4f80700044 Mon Sep 17 00:00:00 2001
From: Mark Thomas
Date: Tue, 3 Dec 2024 17:45:03 +0000
Subject: [PATCH] Limit to 10 attributes. Add option to delete attribute.
Origin: https://github.com/apache/tomcat/commit/c2f7ce21c3fb12caefee87c517a8bb4f80700044
---
 webapps/docs/changelog.xml | 5 ++
 .../examples/jsp/security/protected/index.jsp | 49 ++++++++++++++++---
 2 files changed, 46 insertions(+), 8 deletions(-)
diff --git a/webapps/examples/jsp/security/protected/index.jsp b/webapps/examples/jsp/security/protected/index.jsp
index 09c23e721910..987a30fd1878 100644
--- a/webapps/examples/jsp/security/protected/index.jsp
+++ b/webapps/examples/jsp/security/protected/index.jsp
@@ -14,8 +14,10 @@
 See the License for the specific language governing permissions and
 limitations under the License.
 --%>
-<%@ page import="java.util.Enumeration" %>
+<%@ page import="java.net.URLEncoder" %>
+<%@ page import="java.nio.charset.StandardCharsets" %>
 <%@ page import="java.security.Principal" %>
+<%@ page import="java.util.Enumeration" %>
 <%@ page import="org.apache.catalina.TomcatPrincipal" %>
 <%
 if (request.getParameter("logoff") != null) {
@@ -121,31 +123,62 @@ enter it here: %>

+<%
+ // Count the existing attributes
+ int sessionAttributeCount = 0;
+ Enumeration names = session.getAttributeNames();
+ while (names.hasMoreElements()) {
+ names.nextElement();
+ sessionAttributeCount++;
+ }
+
+ String dataName = request.getParameter("dataName");
+ String dataValue = request.getParameter("dataValue");
+ if (dataName != null) {
+ if (dataValue == null) {
+ session.removeAttribute(dataName);
+ sessionAttributeCount--;
+ } else if (sessionAttributeCount < 10) {
+ session.setAttribute(dataName, dataValue);
+ sessionAttributeCount++;
+ } else {
+%>
+

Session attribute [<%= util.HTMLFilter.filter(dataName) %>] not added as there are already 10 attributes in the
+session. Delete an attribute before adding another.

+<%
+ }
+ }
+
+ if (sessionAttributeCount < 10) {
+%>
 To add some data to the authenticated session, enter it here:
-

- <% - String dataName = request.getParameter("dataName"); - if (dataName != null) { - session.setAttribute(dataName, request.getParameter("dataValue")); + } else { +%> +

You may not add more than 10 attributes to this session.

+<% } %> +

+

The authenticated session contains the following attributes:

<% - Enumeration names = session.getAttributeNames(); + names = session.getAttributeNames(); while (names.hasMoreElements()) { String name = names.nextElement(); + String value = session.getAttribute(name).toString(); %> - + + <% }
NameValue
<%= util.HTMLFilter.filter(name) %><%= util.HTMLFilter.filter(String.valueOf(session.getAttribute(name))) %><%= util.HTMLFilter.filter(value) %>delete
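Review bot: The new cap bounds only the number of session attributes, not their size: in the `else if (sessionAttributeCount < 10)` branch, `dataName` and `dataValue` go from `request.getParameter` into the session at whatever length the request carried, so per-session memory is presumably still limited only by the container's request-size settings. A length check in the same condition would close that, e.g. `} else if (sessionAttributeCount < 10 && dataName.length() <= MAX_NAME_LEN && dataValue.length() <= MAX_VALUE_LEN) {` (both constant names are placeholders). Separately, `String value = session.getAttribute(name).toString();` drops the null-safety of the removed `String.valueOf(session.getAttribute(name))`; if another request on the same session removes the attribute between `getAttributeNames()` and `getAttribute(name)`, the page would throw, so `String value = String.valueOf(session.getAttribute(name));` is the safer form. The counter is also decremented after `removeAttribute` and incremented after `setAttribute` without checking whether the name was already bound, so it can drift from the real count and an overwrite of an existing name is refused at the limit. Part of the markup in this hunk is missing from the page as shown, so these points rest on the visible scriptlet lines only.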