This is an automated email from the ASF dual-hosted git repository.

rmaucher pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new a1080ae4e8 Avoid NPE and force configuration of URI if in use
a1080ae4e8 is described below

commit a1080ae4e8ad936e2f48ffbc95c906479d3a39b8
Author: remm <[email protected]>
AuthorDate: Thu May 21 12:08:53 2026 +0200

    Avoid NPE and force configuration of URI if in use
---
 java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java | 5 ++++-
 java/org/apache/catalina/filters/LocalStrings.properties       | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java 
b/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
index 39dd9f7ecd..8d85bc5d07 100644
--- a/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
+++ b/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java
@@ -86,6 +86,9 @@ public class HttpHeaderSecurityFilter extends FilterBase {
         // Anti click-jacking
         StringBuilder cjValue = new 
StringBuilder(antiClickJackingOption.headerValue);
         if (antiClickJackingOption == XFrameOption.ALLOW_FROM) {
+            if (antiClickJackingUri == null) {
+                throw new 
IllegalArgumentException(sm.getString("httpHeaderSecurityFilter.nullAntiClickJackingUri"));
+            }
             cjValue.append(' ');
             cjValue.append(antiClickJackingUri);
         }
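Review bot: The new guard in the `ALLOW_FROM` branch rejects only `null`, so a URI whose string form is empty would still be appended and leave the header value ending in a bare space with no origin. Whether the setter can let such a value through is not visible in this hunk. If it can, widen the check to `if (antiClickJackingUri == null || antiClickJackingUri.toString().isEmpty()) {`. The text behind `httpHeaderSecurityFilter.nullAntiClickJackingUri` would also serve operators better if it named the `antiClickJackingUri` setting and said it is mandatory when `ALLOW_FROM` is selected. The enclosing method starts and ends outside the hunk.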
@@ -270,7 +273,7 @@ public class HttpHeaderSecurityFilter extends FilterBase {
      * @return the ALLOW_FROM URI
      */
     public String getAntiClickJackingUri() {
-        return antiClickJackingUri.toString();
+        return antiClickJackingUri != null ? antiClickJackingUri.toString() : 
null;
     }
 
 
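Review bot: The Javadoc above `getAntiClickJackingUri()` still reads `@return the ALLOW_FROM URI`, but with this change the getter returns `null` when no URI has been configured. Update the tag to something like `@return the ALLOW_FROM URI, or {@code null} if none has been configured`, so callers know a null check is needed. The Javadoc block starts outside the hunk.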
diff --git a/java/org/apache/catalina/filters/LocalStrings.properties 
b/java/org/apache/catalina/filters/LocalStrings.properties
index b20ab8a167..318297784d 100644
--- a/java/org/apache/catalina/filters/LocalStrings.properties
+++ b/java/org/apache/catalina/filters/LocalStrings.properties
@@ -62,6 +62,7 @@ http.403=Access to the specified resource [{0}] has been 
forbidden.
 
 httpHeaderSecurityFilter.clickjack.invalid=An invalid value [{0}] was 
specified for the anti click-jacking header
 httpHeaderSecurityFilter.committed=Unable to add HTTP headers since response 
is already committed on entry to the HTTP header security Filter
+httpHeaderSecurityFilter.nullAntiClickJackingUri=Null value for anti click 
jacking URI
 
 rateLimitFilter.initialized=RateLimitFilter [{0}] initialized with [{1}] 
requests per [{2}] seconds. Actual is [{3}] per [{4}] seconds. [{5}].
 rateLimitFilter.maxRequestsExceeded=[{0}] [{1}] Requests from [{2}] have 
exceeded the maximum allowed of [{3}] in a [{4}] second window.

