Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:Update
tomcat.31353
tomcat-8.0.53-CVE-2023-41080.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tomcat-8.0.53-CVE-2023-41080.patch of Package tomcat.31353
From 77c0ce2d169efa248b64b992e547aad549ec906b Mon Sep 17 00:00:00 2001 From: Mark Thomas <markt@apache.org> Date: Tue, 22 Aug 2023 11:31:23 -0700 Subject: [PATCH] Avoid protocol relative redirects --- Index: apache-tomcat-8.0.53-src/java/org/apache/catalina/authenticator/FormAuthenticator.java =================================================================== --- apache-tomcat-8.0.53-src.orig/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ apache-tomcat-8.0.53-src/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -664,6 +664,12 @@ public class FormAuthenticator sb.append('?'); sb.append(saved.getQueryString()); } + + // Avoid protocol relative redirects + while (sb.length() > 1 && sb.charAt(1) == '/') { + sb.deleteCharAt(0); + } + return (sb.toString()); } Index: apache-tomcat-8.0.53-src/webapps/docs/changelog.xml =================================================================== --- apache-tomcat-8.0.53-src.orig/webapps/docs/changelog.xml +++ apache-tomcat-8.0.53-src/webapps/docs/changelog.xml @@ -156,6 +156,9 @@ used and if something accidently exposes the class loader this method can be used to gain access to Tomcat internals. (markt) </add> + <fix> + Avoid protocol relative redirects in FORM authentication. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote">
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor