Merge pull request #13 from cesarhernandezgt/TOMCAT_7_0_68_TT-CVE-PATCH

Prepare for release 7.0.68-TT.18

build.properties.default

@@ -27,7 +27,7 @@ version.major=7
 version.minor=0
 version.build=68
 version.patch=0
-version.suffix=-TT.17
+version.suffix=-TT.18
 
 # ----- Build control flags -----
 # Note enabling validation uses Checkstyle which is LGPL licensed

java/org/apache/catalina/authenticator/FormAuthenticator.java

@@ -665,8 +665,13 @@ protected String savedRequestURL(Session session) {
             sb.append('?');
             sb.append(saved.getQueryString());
         }
-        return (sb.toString());
 
+        // Avoid protocol relative redirects
+        while (sb.length() > 1 && sb.charAt(1) == '/') {
+            sb.deleteCharAt(0);
+        }
+
+        return (sb.toString());
     }
 
 

java/org/apache/tomcat/util/http/Parameters.java

@@ -218,14 +218,14 @@ public void addParameter( String key, String value )
             return;
         }
 
-        parameterCount ++;
-        if (limit > -1 && parameterCount > limit) {
+        if (limit > -1 && parameterCount >= limit) {
             // Processing this parameter will push us over the limit. ISE is
             // what Request.parseParts() uses for requests that are too big
             setParseFailedReason(FailReason.TOO_MANY_PARAMETERS);
             throw new IllegalStateException(sm.getString(
                     "parameters.maxCountFail", Integer.valueOf(limit)));
         }
+        parameterCount++;
 
         ArrayList<String> values = paramHashValues.get(key);
         if (values == null) {

webapps/docs/changelog.xml

@@ -75,6 +75,9 @@
         <code>RemoteIpFilter</code> determines that this request was submitted
         via a secure channel. (lihan)
       </fix>
+      <fix>
+        Avoid protocol relative redirects in FORM authentication. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="WebSocket">