Posted to dev@tomcat.apache.org by ma...@apache.org on 2012/01/12 20:47:52 UTC
svn commit: r1230729 -
/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
Author: markt
Date: Thu Jan 12 19:47:52 2012
New Revision: 1230729
URL: http://svn.apache.org/viewvc?rev=1230729&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=52245
Don't allow webapps to package javax.el classes
Modified:
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=1230729&r1=1230728&r2=1230729&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java (original)
+++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Thu Jan 12 19:47:52 2012
@@ -189,7 +189,7 @@ public class WebappClassLoader
* earlier versions.
*/
protected static final String[] triggers = {
- "javax.servlet.Servlet" // Servlet API
+ "javax.servlet.Servlet", "javax.el.Expression" // Servlet API
};
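Review bot: The trailing `// Servlet API` comment on the changed `triggers` line now follows `"javax.el.Expression"`, so it reads as if the EL class belonged to the Servlet API. Putting each entry on its own line with its own comment keeps the list self-explanatory: `"javax.servlet.Servlet", // Servlet API` followed by `"javax.el.Expression" // EL API`. The Javadoc above the array begins outside the hunk; if it describes only Servlet classes, it should be updated to mention the EL trigger as well.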
@@ -3296,6 +3296,10 @@ public class WebappClassLoader
// Web apps should never package any other Servlet or JSP classes
return false;
}
+ if (name.startsWith("javax.el")) {
+ // Must never load javax.el.* classes
+ return false;
+ }
// Assume everything else is OK
return true;
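Review bot: The added check `name.startsWith("javax.el")` has no trailing dot, so it also rejects any class whose package name merely begins with those characters (a constructed example: `javax.elx.Foo`), while the comment beside it says only `javax.el.*` is meant. Writing `if (name.startsWith("javax.el.")) {` limits the rejection to the EL package and its subpackages. This assumes `name` is a dotted class name, as the literal suggests; the enclosing method starts and ends outside the hunk, so that should be confirmed against its other checks.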