This is an automated email from the ASF dual-hosted git repository. rzo1 pushed a commit to branch tomee-9.x in repository https://gitbox.apache.org/repos/asf/tomee.git
commit b5e88d1534c457905a7411b8182928a528f6f8d9
Author: Richard Zowalla <[email protected]>
AuthorDate: Tue Aug 29 11:06:19 2023 +0200
TOMEE-4239 - Backport fix for CVE-2023-41080 from https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27
---
 .../java/org/apache/catalina/authenticator/FormAuthenticator.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/tomee/apache-tomee/src/patch/java/org/apache/catalina/authenticator/FormAuthenticator.java b/tomee/apache-tomee/src/patch/java/org/apache/catalina/authenticator/FormAuthenticator.java
index a412db0071..0e95e2c08d 100644
--- a/tomee/apache-tomee/src/patch/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/tomee/apache-tomee/src/patch/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -728,6 +728,12 @@ public class FormAuthenticator
 sb.append('?');
 sb.append(saved.getQueryString());
 }
+
+ // Avoid protocol relative redirects
+ while (sb.length() > 1 && sb.charAt(1) == '/') {
+ sb.deleteCharAt(0);
+ }
+
 return sb.toString();
 }
 }
\ No newline at end of file
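Review bot: The added comment `// Avoid protocol relative redirects` says what the loop does but not why it matters here, and the string it normalizes is the value this method returns for use as a redirect target, so the reasoning deserves to be in the code rather than only in the commit message. I would expand it to `// A saved URI beginning with "//" would be treated by browsers as a protocol-relative URL and redirect off-host (CVE-2023-41080); collapse the leading slashes so the redirect stays on this server.` The `sb.length() > 1` guard before `sb.charAt(1)` correctly keeps a lone "/" intact, but a small regression test that feeds a saved request whose URI starts with "//" and asserts the result begins with a single "/" would pin this behaviour against future merges of the patched file. The enclosing method starts outside the hunk, so whether any other construction of the redirect path needs the same normalization cannot be judged from here.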
