Merge pull request #25 from cesarhernandezgt/tomcat-7.0.104-TT-patch

Prepare release for 7.0.104-SP.10
tomitribe · Sep 6, 2023 · 30e66bb · 30e66bb
2 parents 6fbf954 + 2052b77
commit 30e66bb
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/build.properties.default b/build.properties.default
@@ -27,7 +27,7 @@ version.major=7
 version.minor=0
 version.build=104
 version.patch=0
-version.suffix=-SP.9
+version.suffix=-SP.10
 
 # ----- Source control flags -----
 git.branch=7.0.x

diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -733,6 +733,12 @@ protected String savedRequestURL(Session session) {
             sb.append('?');
             sb.append(saved.getQueryString());
         }
+
+        // Avoid protocol relative redirects
+        while (sb.length() > 1 && sb.charAt(1) == '/') {
+            sb.deleteCharAt(0);
+        }
+
         return sb.toString();
     }
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -74,6 +74,9 @@
         interrupting the thread first. Based on a pull request by Govinda
         Sakhare. (markt)
       </add>
+      <fix>
+        Avoid protocol relative redirects in FORM authentication. (markt)
+      </fix>
       <fix>
         <bug>64226</bug>: Reset timezone after parsing a date since the date
         format is reused. Test case submitted by Gary Thomas. (remm)