diff --git a/build.properties.default b/build.properties.default
index 659dce584c74..6bab3387e797 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -27,7 +27,7 @@ version.major=7
 version.minor=0
 version.build=109
 version.patch=0
-version.suffix=-TT.8
+version.suffix=-TT.9
 # ----- Source control flags -----
 git.branch=7.0.x
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 4a90f5b4008d..5feb53db8989 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -733,6 +733,12 @@ protected String savedRequestURL(Session session) {
 sb.append('?');
 sb.append(saved.getQueryString());
 }
+
+ // Avoid protocol relative redirects
+ while (sb.length() > 1 && sb.charAt(1) == '/') {
+ sb.deleteCharAt(0);
+ }
+
 return sb.toString();
 }
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index affe91299c5c..67bdde886522 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -142,6 +142,9 @@ RemoteIpFilter determines that this request was submitted via a secure channel. (lihan) + + Avoid protocol relative redirects in FORM authentication. (markt) +
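Review bot: The new loop in savedRequestURL tests only `sb.charAt(1) == '/'` and then deletes index 0 without checking what that character is, so it is correct only if the saved URI always begins with '/'; that invariant is not visible in this hunk. Making it explicit, `while (sb.length() > 1 && sb.charAt(0) == '/' && sb.charAt(1) == '/') {`, keeps the loop from discarding a non-slash first character. The comment would serve the next maintainer better if it gave the reason, for example `// A Location starting with "//" is scheme-relative, so the post-login redirect would leave this host`. Some browsers treat a leading "/\" the same as "//", so it is worth confirming that a backslash cannot reach this buffer from the saved request URI. The method body starts above the hunk, so how `sb` is first populated is not shown here.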