TOMEE-4239 - Backport fix for CVE-2023-41080 from apache/tomcat@bb4624a

apache · Aug 29, 2023 · b5e88d1 · b5e88d1
1 parent 773bb8c
commit b5e88d1
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/tomee/apache-tomee/src/patch/java/org/apache/catalina/authenticator/FormAuthenticator.java b/tomee/apache-tomee/src/patch/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -728,6 +728,12 @@ protected String savedRequestURL(Session session) {
             sb.append('?');
             sb.append(saved.getQueryString());
         }
+
+        // Avoid protocol relative redirects
+        while (sb.length() > 1 && sb.charAt(1) == '/') {
+            sb.deleteCharAt(0);
+        }
+
         return sb.toString();
     }
 }