(tomcat) branch 9.0.x updated: Expand access log escaping

Mon, 30 Mar 2026 00:57:11 -0700 

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 9756684258 Expand access log escaping
9756684258 is described below

commit 97566842589d0b80de138ca719378861fd017d68
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Mar 30 08:53:09 2026 +0100

    Expand access log escaping
---
 java/org/apache/catalina/valves/AbstractAccessLogValve.java | 8 ++++----
 webapps/docs/changelog.xml                                  | 7 +++++++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/java/org/apache/catalina/valves/AbstractAccessLogValve.java 
b/java/org/apache/catalina/valves/AbstractAccessLogValve.java
index 5a0ec78cd7..635e4c0437 100644
--- a/java/org/apache/catalina/valves/AbstractAccessLogValve.java
+++ b/java/org/apache/catalina/valves/AbstractAccessLogValve.java
@@ -1136,10 +1136,10 @@ public abstract class AbstractAccessLogValve extends 
ValveBase implements Access
                 } else {
                     buf.append(request.getMethod());
                     buf.append(' ');
-                    buf.append(request.getRequestURI());
+                    escapeAndAppend(request.getRequestURI(), buf);
                     if (request.getQueryString() != null) {
                         buf.append('?');
-                        buf.append(request.getQueryString());
+                        escapeAndAppend(request.getQueryString(), buf);
                     }
                     buf.append(' ');
                     buf.append(request.getProtocol());
@@ -1336,7 +1336,7 @@ public abstract class AbstractAccessLogValve extends 
ValveBase implements Access
             }
             if (query != null) {
                 buf.append('?');
-                buf.append(query);
+                escapeAndAppend(query, buf);
             }
         }
     }
@@ -1367,7 +1367,7 @@ public abstract class AbstractAccessLogValve extends 
ValveBase implements Access
         @Override
         public void addElement(CharArrayWriter buf, Date date, Request 
request, Response response, long time) {
             if (request != null) {
-                buf.append(request.getRequestURI());
+                escapeAndAppend(request.getRequestURI(), buf);
             } else {
                 buf.append('-');
             }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index d4fe2a4bca..4b845b041e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,13 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 9.0.117 (remm)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        Add escaping for URI and query string in the access log. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Coyote">
     <changelog>
       <update>


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to