Posted to dev@tomcat.apache.org by ma...@apache.org on 2015/06/09 22:49:08 UTC
svn commit: r1684526 -
/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoaderBase.java
Author: markt
Date: Tue Jun 9 20:49:08 2015
New Revision: 1684526
URL: http://svn.apache.org/r1684526
Log:
The validate() method is unnecessary.
Test 0.2 in loadClass(String, boolean) already ensures that Java SE classes cannot be overridden, and does so in a way that doesn't require a list of packages to be renamed.
The filter() method handles the similar requirement for the Java EE APIs Tomcat implements.
Modified:
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoaderBase.java
Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoaderBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoaderBase.java?rev=1684526&r1=1684525&r2=1684526&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoaderBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoaderBase.java Tue Jun 9 20:49:08 2015
@@ -1217,7 +1217,8 @@ public abstract class WebappClassLoaderB
}
// (0.2) Try loading the class with the system class loader, to prevent
- // the webapp from overriding J2SE classes
+ // the webapp from overriding Java SE classes. This implements
+ // SRV.10.7.2
String resourceName = binaryNameToPath(name, false);
ClassLoader javaseLoader = getJavaseClassLoader();
if (javaseLoader.getResource(resourceName) != null) {
@@ -2390,10 +2391,6 @@ public abstract class WebappClassLoaderB
*/
protected Class<?> findClassInternal(String name) {
- if (!validate(name)) {
- return null;
- }
-
String path = binaryNameToPath(name, true);
ResourceEntry entry = null;
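Review bot: With the guard removed, findClassInternal passes `name` straight into binaryNameToPath on the next line, so a null name, which validate() used to turn into a null return, is no longer handled here; unless findClass (outside this hunk) rejects null first, that input now most likely ends in a NullPointerException instead of a null result. The removed check also rejected javax.el and javax.websocket alongside javax.servlet; the log attributes those to filter(), which this hunk cannot show, so that is worth confirming against the filter() implementation. Since the method now depends on callers having gone through loadClass's test 0.2 and filter(), I'd record that invariant at the top of the method: `// Package restrictions (java.*, javax.servlet.*, ...) are enforced by loadClass(), not here`. findClassInternal's body continues past the end of the hunk.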
@@ -2760,50 +2757,6 @@ public abstract class WebappClassLoaderB
}
- /**
- * Validate a classname. As per SRV.9.7.2, we must restrict loading of
- * classes from J2SE (java.*) and most classes of the servlet API
- * (javax.servlet.*). That should enhance robustness and prevent a number
- * of user error (where an older version of servlet.jar would be present
- * in /WEB-INF/lib).
- *
- * @param name class name
- * @return true if the name is valid
- */
- protected boolean validate(String name) {
-
- // Need to be careful with order here
- if (name == null) {
- // Can't load a class without a name
- return false;
- }
- if (name.startsWith("java.")) {
- // Must never load java.* classes
- return false;
- }
- if (name.startsWith("javax.servlet.jsp.jstl")) {
- // OK for web apps to package JSTL
- return true;
- }
- if (name.startsWith("javax.servlet.")) {
- // Web apps should never package any other Servlet or JSP classes
- return false;
- }
- if (name.startsWith("javax.el")) {
- // Must never load javax.el.* classes
- return false;
- }
- if (name.startsWith("javax.websocket")) {
- // Must never load javax.websocket.* classes
- return false;
- }
-
- // Assume everything else is OK
- return true;
-
- }
-
-
@Override
protected void addURL(URL url) {
super.addURL(url);