From 77c0ce2d169efa248b64b992e547aad549ec906b Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Tue, 22 Aug 2023 11:31:23 -0700
Subject: [PATCH] Avoid protocol relative redirects
Origin: https://github.com/apache/tomcat/commit/77c0ce2d169efa248b64b992e547aad549ec906b
---
.../apache/catalina/authenticator/FormAuthenticator.java | 6 ++++++
webapps/docs/changelog.xml | 3 +++
2 files changed, 9 insertions(+)
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
|
|
index a57db51776b..d54cc62182e 100644
|
|
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
|
|
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
|
|
@@ -747,6 +747,12 @@ protected String savedRequestURL(Session session) {
|
|
sb.append('?');
|
|
sb.append(saved.getQueryString());
|
|
}
|
|
+
|
|
+ // Avoid protocol relative redirects
|
|
+ while (sb.length() > 1 && sb.charAt(1) == '/') {
|
|
+ sb.deleteCharAt(0);
|
|
+ }
|
|
+
|
|
return sb.toString();
|
|
}
|
|
}
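Review bot: The new guard `while (sb.length() > 1 && sb.charAt(1) == '/')` only collapses a second forward slash, so a saved URI that begins with `/\` passes through unchanged, and browsers following the WHATWG URL parser treat a backslash after the leading slash as a slash, which would reinstate the protocol-relative redirect this commit sets out to block. Widening the condition to `while (sb.length() > 1 && (sb.charAt(1) == '/' || sb.charAt(1) == '\\'))` closes that gap; an unencoded backslash is not valid in a request-URI path, so no legitimate redirect target is lost. The loop also presumes `sb` already starts with `/`: savedRequestURL begins outside the hunk, so where the buffer is seeded is not visible here, and if it could start with any other character the loop would strip that character instead of a slash. The comment would carry more for the next reader as `// Collapse a leading "//" so the redirect cannot be parsed as protocol-relative (//host/...)`.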