(tomcat) branch 11.0.x updated: Fix slash handling for path parameters (schultz)

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new 4c5d306001 Fix slash handling for path parameters (schultz)
4c5d306001 is described below

commit 4c5d306001b780c9316aea5ff6502c524fb20695
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Mar 12 11:50:51 2026 +0000

    Fix slash handling for path parameters (schultz)
---
 .../catalina/valves/LoadBalancerDrainingValve.java | 27 ++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/valves/LoadBalancerDrainingValve.java 
b/java/org/apache/catalina/valves/LoadBalancerDrainingValve.java
index 69b1133f68..ad5418775b 100644
--- a/java/org/apache/catalina/valves/LoadBalancerDrainingValve.java
+++ b/java/org/apache/catalina/valves/LoadBalancerDrainingValve.java
@@ -208,11 +208,11 @@ public class LoadBalancerDrainingValve extends ValveBase {
                 response.addCookie(sessionCookie);
             }
 
+            String uri = collapseLeadingSlashes(request.getRequestURI());
             // Re-write the URI if it contains a ;jsessionid parameter
-            String uri = request.getRequestURI();
             String sessionURIParamName = 
SessionConfig.getSessionUriParamName(request.getContext());
             if (uri.contains(";" + sessionURIParamName + "=")) {
-                uri = uri.replaceFirst(";" + sessionURIParamName + "=[^&?]*", 
"");
+                uri = uri.replaceFirst(";" + sessionURIParamName + "=[^;/]*", 
"");
             }
 
             String queryString = request.getQueryString();
@@ -229,4 +229,27 @@ public class LoadBalancerDrainingValve extends ValveBase {
             getNext().invoke(request, response);
         }
     }
+
+    private static String collapseLeadingSlashes(String s) {
+        final int len = s.length();
+        int i = 0;
+
+        // Find the last consecutive / character
+        while (i < len && s.charAt(i) == '/') {
+            i++;
+        }
+
+        // No leading slashes
+        if (i == 0) {
+            return s;
+        }
+
+        // Nothing but slashes
+        if (i == len) {
+            return "/";
+        }
+
+        // Multiple; remove all but one
+        return s.substring(i - 1);
+    }
 }


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org