From d33279d1f2fac0870c3b0bc5eae1ee31f89591f2 Mon Sep 17 00:00:00 2001
From: Mark Thomas
Date: Tue, 11 Apr 2023 09:41:44 -0600
Subject: [PATCH 1/3] Fix parameter counting logic

---
 java/org/apache/tomcat/util/http/Parameters.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/tomcat/util/http/Parameters.java b/java/org/apache/tomcat/util/http/Parameters.java
index 6f3d07fd0a..d3a61e23aa 100644
--- a/java/org/apache/tomcat/util/http/Parameters.java
+++ b/java/org/apache/tomcat/util/http/Parameters.java
@@ -218,14 +218,14 @@ public void addParameter( String key, String value )
 return;
 }
 
- parameterCount ++;
- if (limit > -1 && parameterCount > limit) {
+ if (limit > -1 && parameterCount >= limit) {
 // Processing this parameter will push us over the limit. ISE is
 // what Request.parseParts() uses for requests that are too big
 setParseFailedReason(FailReason.TOO_MANY_PARAMETERS);
 throw new IllegalStateException(sm.getString(
 "parameters.maxCountFail", Integer.valueOf(limit)));
 }
+ parameterCount++;
 
 ArrayList values = paramHashValues.get(key);
 if (values == null) {

From 17721f3a148139e1804510f323b682e291b4e5e2 Mon Sep 17 00:00:00 2001
From: Cesar Hernandez
Date: Wed, 6 Sep 2023 15:11:49 -0600
Subject: [PATCH 2/3] Prepare for release 7.0.68-TT.18

---
 build.properties.default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.properties.default b/build.properties.default
index cdb92cbfc3..b36324bbab 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -27,7 +27,7 @@ version.major=7
 version.minor=0
 version.build=68
 version.patch=0
-version.suffix=-TT.17
+version.suffix=-TT.18
 
 # ----- Build control flags -----
 # Note enabling validation uses Checkstyle which is LGPL licensed

From 0e9cd253756531593f693b3cb077e7ef4e89bc75 Mon Sep 17 00:00:00 2001
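Review bot: The reordered check leaves parameterCount unchanged when a parameter is rejected, so after the IllegalStateException the counter reports only stored parameters; that is a behavioural difference from the old `parameterCount ++` placed before the test, and nothing in the hunk records it. A one-line comment above the new `parameterCount++;` such as `// Only count parameters that are actually stored; a rejected one leaves the count unchanged` would make the intent explicit for the next reader. The `limit > -1` guard still treats -1 alone as "unlimited", which is presumably the documented contract — worth confirming no caller passes other negative values. The head of addParameter (including the early return) and its tail are outside the hunk.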
From: Mark Thomas
Date: Tue, 22 Aug 2023 12:31:23 -0600
Subject: [PATCH 3/3] Avoid protocol relative redirects

---
 .../apache/catalina/authenticator/FormAuthenticator.java | 7 ++++++-
 webapps/docs/changelog.xml | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 87a7f16e37..3bee2c23c8 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -665,8 +665,13 @@ protected String savedRequestURL(Session session) {
 sb.append('?');
 sb.append(saved.getQueryString());
 }
- return (sb.toString());
+ // Avoid protocol relative redirects
+ while (sb.length() > 1 && sb.charAt(1) == '/') {
+ sb.deleteCharAt(0);
+ }
+
+ return (sb.toString());
 
 }
 
 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6923b67007..9c163363ee 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -75,6 +75,9 @@ RemoteIpFilter determines that this request was submitted via a secure channel. (lihan) + + Avoid protocol relative redirects in FORM authentication. (markt) +
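Review bot: The comment `// Avoid protocol relative redirects` on the new loop says what but not why, and this is the security-relevant line of the commit: a saved request URI beginning with `//` would otherwise be emitted in the Location header and resolved by the browser against another host, i.e. an open redirect after login. Suggest expanding it to `// A saved URI of the form //host/path would be treated by the browser as protocol relative and redirect off-site; collapse leading slashes to one`. The loop only tests for '/', so if the saved URI could ever begin with `/\`, which some browsers also treat as protocol relative, it would pass through unchanged — worth confirming the request-line parsing upstream rejects backslashes, or extending the condition to `(sb.charAt(1) == '/' || sb.charAt(1) == '\\')`. savedRequestURL begins outside the hunk, so where the saved URI comes from cannot be checked here.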