--- java/org/apache/coyote/http11/Http11AprProcessor.java.orig	2010-07-12 11:52:05.981133000 -0400
+++ java/org/apache/coyote/http11/Http11AprProcessor.java	2010-07-12 11:59:39.205913000 -0400
@@ -78,6 +78,12 @@
     protected static StringManager sm =
         StringManager.getManager(Constants.Package);
 
+   /**
+    * Tracks how many internal filters are in the filter library so they
+    * are skipped whe looking for pluggable filters
+    */
+   private int pluggableFilterIndex = Integer.MAX_VALUE;
+
 
     // ----------------------------------------------------------- Constructors
 
@@ -1736,6 +1742,8 @@
         //inputBuffer.addFilter(new GzipInputFilter());
         outputBuffer.addFilter(new GzipOutputFilter());
 
+        pluggableFilterIndex = inputBuffer.filterLibrary.length;
+
     }
 
 
@@ -1754,7 +1762,7 @@
                 (inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;
         } else {
-            for (int i = 2; i < inputFilters.length; i++) {
+            for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
                 if (inputFilters[i].getEncodingName()
                     .toString().equals(encodingName)) {
                     inputBuffer.addActiveFilter(inputFilters[i]);
--- java/org/apache/coyote/http11/Http11NioProcessor.java.orig	2010-07-12 12:00:05.720580000 -0400
+++ java/org/apache/coyote/http11/Http11NioProcessor.java	2010-07-12 12:19:36.465303000 -0400
@@ -81,6 +81,12 @@
      */
     protected SSLSupport sslSupport;
 
+   /**
+    * Tracks how many internal filters are in the filter library so they
+    * are skipped whe looking for pluggable filters
+    */
+   private int pluggableFilterIndex = Integer.MAX_VALUE;
+
     // ----------------------------------------------------------- Constructors
 
 
@@ -1763,6 +1769,8 @@
         //inputBuffer.addFilter(new GzipInputFilter());
         outputBuffer.addFilter(new GzipOutputFilter());
 
+        pluggableFilterIndex = inputBuffer.filterLibrary.length;
+
     }
 
 
@@ -1781,7 +1789,7 @@
                 (inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;
         } else {
-            for (int i = 2; i < inputFilters.length; i++) {
+            for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
                 if (inputFilters[i].getEncodingName()
                     .toString().equals(encodingName)) {
                     inputBuffer.addActiveFilter(inputFilters[i]);
--- java/org/apache/coyote/http11/Http11Processor.java.orig	2010-07-12 12:20:42.784634000 -0400
+++ java/org/apache/coyote/http11/Http11Processor.java	2010-07-12 12:23:14.996732000 -0400
@@ -76,6 +76,11 @@
     protected static boolean isSecurityEnabled = 
 	org.apache.coyote.Constants.IS_SECURITY_ENABLED;
 
+   /**
+    * Tracks how many internal filters are in the filter library so they
+    * are skipped whe looking for pluggable filters
+    */
+   private int pluggableFilterIndex = Integer.MAX_VALUE;
     // ------------------------------------------------------------ Constructor
 
 
@@ -1642,6 +1647,7 @@
         //inputBuffer.addFilter(new GzipInputFilter());
         outputBuffer.addFilter(new GzipOutputFilter());
 
+        pluggableFilterIndex = inputBuffer.filterLibrary.length;
     }
 
 
@@ -1660,7 +1666,7 @@
                 (inputFilters[Constants.CHUNKED_FILTER]);
             contentDelimitation = true;
         } else {
-            for (int i = 2; i < inputFilters.length; i++) {
+            for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
                 if (inputFilters[i].getEncodingName()
                     .toString().equals(encodingName)) {
                     inputBuffer.addActiveFilter(inputFilters[i]);
--- java/org/apache/coyote/http11/filters/BufferedInputFilter.java.orig	2010-01-19 08:43:40.000000000 -0500
+++ java/org/apache/coyote/http11/filters/BufferedInputFilter.java	2010-07-12 13:00:50.374586000 -0400
@@ -102,10 +102,14 @@
     }
 
     public void recycle() {
-        if (buffered.getBuffer().length > 65536) {
-            buffered = null;
-        } else {
-            buffered.recycle();
+        if (buffered != null)
+        {
+           if (buffered.getBuffer().length > 65536)
+           {
+              buffered = null;
+           } else {
+              buffered.recycle();
+           }
         }
         tempRead.recycle();
         hasRead = false;

--- webapps/docs/changelog.xml.orig	2010-07-13 13:46:33.473660000 -0400
+++ webapps/docs/changelog.xml	2010-07-13 13:53:43.597365000 -0400
@@ -37,6 +37,16 @@
   <subsection name="Catalina">
     <changelog>
       <fix>
+	Arrange filter logic (jfclere). CVE-2010-2227
+	Several flaws in the handling of the 'Transfer-Encoding' header were 
+        found that prevented the recycling of a buffer. A remote attacker 
+        could trigger this flaw which would cause subsequent requests to 
+        fail and/or information to leak between requests. This flaw is 
+        mitigated if Tomcat is behind a reverse proxy (such as Apache 
+        httpd 2.2) as the proxy should reject the invalid transfer 
+        encoding header.
+      </fix>
+      <fix>
         Correct TCK failures with security manager caused by the original fix
         for <bug>47774</bug>. (markt)
       </fix>