This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new f28783921a Avoid NPE
f28783921a is described below
commit f28783921a6e12a67e9aa5f4aa1f584fff149716
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Jun 22 03:08:22 2026 +0100
Avoid NPE
---
java/org/apache/catalina/valves/rewrite/RewriteValve.java | 6 ++++++
webapps/docs/changelog.xml | 3 +++
2 files changed, 9 insertions(+)
diff --git a/java/org/apache/catalina/valves/rewrite/RewriteValve.java
b/java/org/apache/catalina/valves/rewrite/RewriteValve.java
index d1d3a2fc4e..a162fe6274 100644
--- a/java/org/apache/catalina/valves/rewrite/RewriteValve.java
+++ b/java/org/apache/catalina/valves/rewrite/RewriteValve.java
@@ -588,6 +588,12 @@ public class RewriteValve extends ValveBase {
// Decode then normalize
String urlStringRewriteDecoded =
URLDecoder.decode(urlStringRewriteEncoded, uriCharset.name());
urlStringRewriteDecoded =
RequestUtil.normalize(urlStringRewriteDecoded);
+ if (urlStringRewriteDecoded == null) {
+ // Assume bad input caused the re-write to try and
escape root
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+ return;
+ }
+
request.getCoyoteRequest().decodedURI().setChars(MessageBytes.EMPTY_CHAR_ARRAY,
0, 0);
chunk =
request.getCoyoteRequest().decodedURI().getCharChunk();
if (context) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 10aef95326..2370a9ca45 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -118,6 +118,9 @@
Improve the performance of range validation for the default servlet.
(markt)
</fix>
+ <fix>
+ Avoid NPE in RewriteValve. (markt)
+ </fix>
</changelog>
</subsection>
</section>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
