This is an automated email from the ASF dual-hosted git repository.
rmaucher pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 82f1cc7010 Fix another instance of incorrect URL decoding handling
82f1cc7010 is described below
commit 82f1cc7010c8af936c0332d6bfc47ee7284b0006
Author: remm <[email protected]>
AuthorDate: Thu Jun 11 10:00:44 2026 +0200
Fix another instance of incorrect URL decoding handling
The ServletContext stores the decoded URL mappings in its map, so the
lookup will fail.
ApplicationFilterRegistration is fine as FilterMap does the decoding.
---
.../catalina/core/ApplicationServletRegistration.java | 17 +++++++++++------
webapps/docs/changelog.xml | 4 ++++
2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/java/org/apache/catalina/core/ApplicationServletRegistration.java
b/java/org/apache/catalina/core/ApplicationServletRegistration.java
index 1587ee4837..43ee2e953a 100644
--- a/java/org/apache/catalina/core/ApplicationServletRegistration.java
+++ b/java/org/apache/catalina/core/ApplicationServletRegistration.java
@@ -175,16 +175,21 @@ public class ApplicationServletRegistration implements
ServletRegistration.Dynam
Set<String> conflicts = new HashSet<>();
- for (String urlPattern : urlPatterns) {
- String wrapperName = context.findServletMapping(urlPattern);
+ String[] decodedUrlPatterns = new String[urlPatterns.length];
+ for (int i = 0; i < urlPatterns.length; i++) {
+ decodedUrlPatterns[i] = UDecoder.URLDecode(urlPatterns[i],
StandardCharsets.UTF_8);
+ }
+
+ for (int i = 0; i < decodedUrlPatterns.length; i++) {
+ String wrapperName =
context.findServletMapping(decodedUrlPatterns[i]);
if (wrapperName != null) {
Wrapper wrapper = (Wrapper) context.findChild(wrapperName);
if (wrapper.isOverridable()) {
// Some Wrappers (from global and host web.xml) may be
// overridden rather than generating a conflict
- context.removeServletMapping(urlPattern);
+ context.removeServletMapping(decodedUrlPatterns[i]);
} else {
- conflicts.add(urlPattern);
+ conflicts.add(urlPatterns[i]);
}
}
}
@@ -193,8 +198,8 @@ public class ApplicationServletRegistration implements
ServletRegistration.Dynam
return conflicts;
}
- for (String urlPattern : urlPatterns) {
- context.addServletMappingDecoded(UDecoder.URLDecode(urlPattern,
StandardCharsets.UTF_8), wrapper.getName());
+ for (String urlPattern : decodedUrlPatterns) {
+ context.addServletMappingDecoded(urlPattern, wrapper.getName());
}
if (constraint != null) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 880a6c3068..e5a723c496 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -275,6 +275,10 @@
Add <code>jakarta.</code> to the list of reserved prefixes for SSI
variables and request attributes. (markt)
</fix>
+ <fix>
+ Missing URL decoding when processing <code>addMapping</code> on a
+ Servlet registration. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
