billbar...@apache.org wrote: > @@ -235,6 +224,9 @@ > http://svn.apache.org/viewvc?rev=721708&view=rev > http://svn.apache.org/viewvc?rev=721886&view=rev > +1: markt, fhanik > + 0: billbarker: Haven't tried to break it yet, but the 4th patch > potentially > + offers access to static fields in ELContextImpl and ELResolverImpl > that could > + possibly be exploited by a malicious webapp.
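Review bot: in the added `0: billbarker` entry, the concern names ELContextImpl and ELResolverImpl but not the static fields involved, and "the 4th patch" cannot be matched to a revision from the lines shown here. Naming the fields and citing the revision in the vote comment would let the other voters check whether each field is mutable and reachable from web application code.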
Any thoughts on how to fix this? How about testing for a security manager and if one is present creating new instances of NullFunctionMapper and DefaultResolver rather than re-using the static ones?

Mark
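A sketch of the check proposed in the reply above, as an added example that is not part of the original message and not Tomcat's code. `SharedDefaultsDemo` and `Resolver` are hypothetical stand-ins for the real classes; only the decision between a shared static instance and a fresh one is illustrated.

```java
import java.util.ArrayList;
import java.util.List;

public class SharedDefaultsDemo {

    // Hypothetical stand-in for a resolver with mutable state (not Tomcat's DefaultResolver).
    static final class Resolver {
        private final List<String> delegates = new ArrayList<>();
        void add(String delegate) { delegates.add(delegate); }
        List<String> delegates() { return delegates; }
    }

    // One instance shared by every caller in the JVM, as with a static field.
    private static final Resolver SHARED = newDefaultResolver();

    private static Resolver newDefaultResolver() {
        Resolver r = new Resolver();
        r.add("map");   // constructed sample delegates
        r.add("bean");
        return r;
    }

    // The proposed check: under a security manager, hand out a fresh instance
    // so code from one web application cannot reach state used by another.
    @SuppressWarnings("removal") // System.getSecurityManager() is deprecated in JDK 17+
    static Resolver defaultResolver() {
        if (System.getSecurityManager() != null) {
            return newDefaultResolver();
        }
        return SHARED;
    }

    public static void main(String[] args) {
        Resolver a = defaultResolver(); // context of web application A (constructed)
        Resolver b = defaultResolver(); // context of web application B (constructed)
        a.add("added-by-A");
        System.out.println("security manager present: " + (System.getSecurityManager() != null));
        System.out.println("separate instances:       " + (a != b));
        System.out.println("B sees A's change:        " + b.delegates().contains("added-by-A"));
    }
}
```

Without a security manager both callers receive the same object and B sees A's change; with one installed each caller gets its own instance.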