2016-02-12 22:35 GMT+02:00 <rj...@apache.org>:
Author: rjung
Date: Fri Feb 12 20:35:26 2016
New Revision: 1730101
URL: http://svn.apache.org/viewvc?rev=1730101&view=rev
Log:
BZ 58999: Fix class and resource name
filtering in WebappClassLoader.
It throws a StringIndexOutOfBoundsException
if the name is "org" or "javax".
We currently do not filter class or resource
names which are exactly equals to one of the
package names of classes and resources to
filter. Only classes or resources underneath
that packages.
Example:
- "javax.servlet" will not be filtered
- "javax.servlet.Class" will be filtered
Modified:
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoaderBase.java
tomcat/trunk/test/org/apache/catalina/loader/TestWebappClassLoader.java
Modified:
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoaderBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoaderBase.java?rev=1730101&r1=1730100&r2=1730101&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoaderBase.java
(original)
+++
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoaderBase.java Fri
Feb 12 20:35:26 2016
@@ -2765,6 +2765,9 @@ public abstract class WebappClassLoaderB
char ch;
if (name.startsWith("javax")) {
/* 5 == length("javax") */
+ if (name.length() == 5) {
+ return false;
+ }
ch = name.charAt(5);
if (isClassName && ch == '.') {
/* 6 == length("javax.") */
@@ -2791,6 +2794,9 @@ public abstract class WebappClassLoaderB
}
} else if (name.startsWith("org")) {
/* 3 == length("org") */
+ if (name.length() == 3) {
+ return false;
+ }
ch = name.charAt(3);
if (isClassName && ch == '.') {
/* 4 == length("org.") */
Modified:
tomcat/trunk/test/org/apache/catalina/loader/TestWebappClassLoader.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/loader/TestWebappClassLoader.java?rev=1730101&r1=1730100&r2=1730101&view=diff
==============================================================================
---
tomcat/trunk/test/org/apache/catalina/loader/TestWebappClassLoader.java
(original)
+++
tomcat/trunk/test/org/apache/catalina/loader/TestWebappClassLoader.java Fri
Feb 12 20:35:26 2016
@@ -65,10 +65,12 @@ public class TestWebappClassLoader exten
public void testFilter() throws IOException {
String[] classSuffixes = new String[]{
+ "",
With this test we would like to test "org" and "javax", but then why we add
"." and "/" when the suffix is empty string?
"some.package.Example"
};
String[] resourceSuffixes = new String[]{
+ "",
"some/path/test.properties",
"some/path/test"
};
@@ -83,7 +85,7 @@ public class TestWebappClassLoader exten
"org.apache",
"org.apache.tomcat.jdbc",
"javax",
- "javax.jsp.jstl",
+ "javax.servlet.jsp.jstl",
"com.mycorp"
};
@@ -131,20 +133,13 @@ public class TestWebappClassLoader exten
for (String prefix : prefixesDeny) {
for (String suffix : classSuffixes) {
if (prefix.equals("")) {
This one should be removed. Currently it breaks the build.
- name = suffix;
- } else {
- name = prefix + "." + suffix;
- }
+ name = prefix + "." + suffix;
Assert.assertTrue("Class '" + name + "' failed deny
filter",
loader.filter(name, true));
}
prefix = prefix.replace('.', '/');
for (String suffix : resourceSuffixes) {
- if (prefix.equals("")) {
- name = suffix;
- } else {
- name = prefix + "/" + suffix;
- }
+ name = prefix + "/" + suffix;
Assert.assertTrue("Resource '" + name + "' failed
deny filter",
loader.filter(name, false));
}
Regards,
Violeta
