https://bz.apache.org/bugzilla/show_bug.cgi?id=60087
--- Comment #4 from Mark Thomas <ma...@apache.org> --- Unfortunately, it doesn't appear to be as clear cut as I would like. If we look at how the JRE constructs a code path for a JAR, it returns a "file:" URL to the JAR, not a "jar:" URL. Therefore, if Tomcat is to be consistent with that, the current behavior is correct. However, the JarVerifier accepts either a "file:" or "jar:" URL for a JAR and ignores the possibility of JARs in WARs etc entirely. Returning "jar:" URLs and "jar:war:" URLs would fix JarVerifier but might break other functionality. I need to do some more testing with the security manager. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
