Author: markt Date: Thu Jan 12 19:47:52 2012 New Revision: 1230729 URL: http://svn.apache.org/viewvc?rev=1230729&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=52245 Don't allow webapps to package javax.el classes
Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=1230729&r1=1230728&r2=1230729&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java (original)
+++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Thu Jan 12 19:47:52 2012
@@ -189,7 +189,7 @@ public class WebappClassLoader
 * earlier versions.
 */
 protected static final String[] triggers = {
- "javax.servlet.Servlet" // Servlet API
+ "javax.servlet.Servlet", "javax.el.Expression" // Servlet API
 };
@@ -3296,6 +3296,10 @@ public class WebappClassLoader
 // Web apps should never package any other Servlet or JSP classes
 return false;
 }
+ if (name.startsWith("javax.el")) {
+ // Must never load javax.el.* classes
+ return false;
+ }
 // Assume everything else is OK
 return true;
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
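Review bot: The trailing `// Servlet API` comment in the `triggers` initializer now follows the new `"javax.el.Expression"` entry, so it mislabels the EL trigger and leaves the servlet one unlabelled. Put one entry per line with its own comment, `"javax.servlet.Servlet", // Servlet API` followed by `"javax.el.Expression" // EL API`, so later additions stay readable. The Javadoc that explains how `triggers` is used starts above the hunk, and it presumably needs a matching mention of the EL classes; that cannot be confirmed from the lines shown.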
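Review bot: The new guard `name.startsWith("javax.el")` has no trailing dot, so it also rejects any class whose package merely begins with those characters (a constructed example: `javax.elsewhere.Foo`), which is broader than the `javax.el.*` stated in its own comment. Match the package boundary instead: `if (name.startsWith("javax.el.")) {`. That still stops a web application from supplying its own copies of the container's EL API classes without blocking unrelated packages. The enclosing method begins and ends outside the hunk, so whether the preceding servlet/JSP checks share the same prefix issue cannot be seen here.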