(tomcat) branch 11.0.x updated: Fix additional double decoding issues.

Tue, 02 Jun 2026 02:54:40 -0700 

This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new c10b56e4d8 Fix additional double decoding issues.
c10b56e4d8 is described below

commit c10b56e4d83daab16e504444e6145110f5c138cb
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jun 2 10:53:54 2026 +0100

    Fix additional double decoding issues.
---
 java/org/apache/catalina/core/StandardContext.java   |  4 ++--
 .../tomcat/util/descriptor/web/LoginConfig.java      | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/core/StandardContext.java 
b/java/org/apache/catalina/core/StandardContext.java
index 30d211958c..89b9f6fa04 100644
--- a/java/org/apache/catalina/core/StandardContext.java
+++ b/java/org/apache/catalina/core/StandardContext.java
@@ -2005,7 +2005,7 @@ public class StandardContext extends ContainerBase 
implements Context, Notificat
                 if (log.isDebugEnabled()) {
                     
log.debug(sm.getString("standardContext.loginConfig.loginWarning", loginPage));
                 }
-                config.setLoginPage("/" + loginPage);
+                config.setLoginPageDecoded("/" + loginPage);
             } else {
                 throw new 
IllegalArgumentException(sm.getString("standardContext.loginConfig.loginPage", 
loginPage));
             }
@@ -2016,7 +2016,7 @@ public class StandardContext extends ContainerBase 
implements Context, Notificat
                 if (log.isDebugEnabled()) {
                     
log.debug(sm.getString("standardContext.loginConfig.errorWarning", errorPage));
                 }
-                config.setErrorPage("/" + errorPage);
+                config.setErrorPageDecoded("/" + errorPage);
             } else {
                 throw new 
IllegalArgumentException(sm.getString("standardContext.loginConfig.errorPage", 
errorPage));
             }
diff --git a/java/org/apache/tomcat/util/descriptor/web/LoginConfig.java 
b/java/org/apache/tomcat/util/descriptor/web/LoginConfig.java
index 7bb422ef40..80c506b32f 100644
--- a/java/org/apache/tomcat/util/descriptor/web/LoginConfig.java
+++ b/java/org/apache/tomcat/util/descriptor/web/LoginConfig.java
@@ -114,6 +114,16 @@ public class LoginConfig extends XmlEncodingBase 
implements Serializable {
     }
 
 
+    /**
+     * Set the already decoded error page URI.
+     *
+     * @param errorPage the decoded errorPage to set
+     */
+    public void setErrorPageDecoded(String errorPage) {
+        this.errorPage = errorPage;
+    }
+
+
     /**
      * The context-relative URI of the login page for form login.
      */
@@ -138,6 +148,16 @@ public class LoginConfig extends XmlEncodingBase 
implements Serializable {
     }
 
 
+    /**
+     * Set the already decoded login page URI.
+     *
+     * @param loginPage the decoded loginPage to set
+     */
+    public void setLoginPageDecoded(String loginPage) {
+        this.loginPage = loginPage;
+    }
+
+
     /**
      * The realm name used when challenging the user for authentication 
credentials.
      */


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to