https://bz.apache.org/bugzilla/show_bug.cgi?id=66025
--- Comment #3 from Remy Maucherat <r...@apache.org> ---

(In reply to Marvin Fröhlich from comment #2)
> Don't you agree that resolving resource paths is intrinsic for a
> classloader? Is a logger a security-relevant aspect?
>
> Well, wouldn't it be sufficient to provide these aspects via protected
> methods?

I don't understand. It is fine if WebappClassLoaderBase uses a WebResourceRoot internally, however it turned out it is quite risky if it exposes it. Other items could be exposed, but this is really not the place to do it, and this may not be as safe as you think it is (for example with the Spring vuln, the logging framework could become fully accessible, allowing a remote user to log unfiltered strings).