Ensure URL encoding issues trigger errors.

Should be a NO-OP unless someone has a Rewrite valve configuration that
is inconsistent with the Connector's URI encoding - in which case the
new IAE will highlight this.

Originated from a report from OSS-Fuzz that found some cases where a
round-trip encode/decode have the same result as the input.

Author: markt-asf

java/org/apache/catalina/util/URLEncoder.java

@@ -20,6 +20,7 @@
 import java.io.IOException;
 import java.io.OutputStreamWriter;
 import java.nio.charset.Charset;
+import java.nio.charset.CodingErrorAction;
 import java.util.BitSet;
 
 /**
@@ -146,7 +147,15 @@ public String encode(String path, Charset charset) {
         int maxBytesPerChar = 10;
         StringBuilder rewrittenPath = new StringBuilder(path.length());
         ByteArrayOutputStream buf = new ByteArrayOutputStream(maxBytesPerChar);
-        OutputStreamWriter writer = new OutputStreamWriter(buf, charset);
+        /*
+         * Most calls to this method use UTF-8 where malformed input and unmappable character issues are not expected to
+         * happen. The only Tomcat code that currently (January 2026) might call this method with something other than
+         * UTF-8 is the rewrite valve. In that case, the rewrite rules should be consistent with the configured URI
+         * encoding on the Connector. Given all of this, the IAE is only expected to be thrown as a result of
+         * configuration errors.
+         */
+        OutputStreamWriter writer = new OutputStreamWriter(buf, charset.newEncoder()
+                .onMalformedInput(CodingErrorAction.REPORT).onUnmappableCharacter(CodingErrorAction.REPORT));
 
         for (int i = 0; i < path.length(); i++) {
             int c = path.charAt(i);
@@ -160,8 +169,7 @@ public String encode(String path, Charset charset) {
                     writer.write((char) c);
                     writer.flush();
                 } catch (IOException ioe) {
-                    buf.reset();
-                    continue;
+                    throw new IllegalArgumentException(ioe);
                 }
                 byte[] ba = buf.toByteArray();
                 for (byte toEncode : ba) {

test/org/apache/catalina/util/TestURLEncoder.java

@@ -16,11 +16,14 @@
  */
 package org.apache.catalina.util;
 
+import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 
 import org.junit.Assert;
 import org.junit.Test;
 
+import org.apache.tomcat.util.buf.UDecoder;
+
 public class TestURLEncoder {
 
     private static final String SPACE = " ";
@@ -53,4 +56,29 @@ public void testRemoveSafeCharacter() {
         xml.removeSafeCharacter('&');
         Assert.assertEquals(AMPERSAND_ENCODED, xml.encode(AMPERSAND, StandardCharsets.UTF_8));
     }
+
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testOssFuzz01() {
+        /*
+         * Round-trip URL encoding with ASCII only works for valid ASCII characters.
+         */
+        testRoundTrip("\uFFFD", StandardCharsets.US_ASCII);
+    }
+
+
+    @Test
+    public void testOssFuzz02() {
+        testRoundTrip("\uFFFD", StandardCharsets.UTF_8);
+    }
+
+
+    private void testRoundTrip(String input, Charset charset) {
+        URLEncoder encoder = new URLEncoder();
+
+        String encoded = encoder.encode(input, charset);
+        String decoded = UDecoder.URLDecode(encoded, charset);
+
+        Assert.assertEquals(input, decoded);
+    }
 }

webapps/docs/changelog.xml

@@ -130,6 +130,10 @@
         Authenticators that provides a per Authenticator override of the SSO
         Valve <code>requireReauthentication</code> attribute. (markt)
       </add>
+      <fix>
+        Ensure URL encoding errors in the Rewrite Valve trigger an exception
+        rather than silently using a replacement character. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">