Author: markt
Date: Fri Nov 8 00:09:19 2013
New Revision: 1539873
URL: http://svn.apache.org/r1539873
Log:
Correctly implement delegation filtering for container packages.
Modified:
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=1539873&r1=1539872&r2=1539873&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Fri Nov
8 00:09:19 2013
@@ -47,7 +47,6 @@ import java.util.ConcurrentModificationE
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
-import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
@@ -61,6 +60,8 @@ import java.util.concurrent.ThreadPoolEx
import java.util.jar.Attributes;
import java.util.jar.Attributes.Name;
import java.util.jar.Manifest;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
import org.apache.catalina.Globals;
import org.apache.catalina.Lifecycle;
@@ -179,18 +180,23 @@ public class WebappClassLoader extends U
// ------------------------------------------------------- Static Variables
/**
- * Set of package names which are not allowed to be loaded from a webapp
- * class loader without delegating first.
+ * Regular expression of package names which are not allowed to be loaded
+ * from a webapp class loader without delegating first.
*/
- protected static final Set<String> packageTriggersDeny = new HashSet<>();
+ protected final Matcher packageTriggersDeny = Pattern.compile(
+ "^javax\\.el\\.|" +
+ "^javax\\.servlet\\.|" +
+ "^org\\.apache\\.(catalina|coyote|el|jasper|juli|naming|tomcat)\\."
+ ).matcher("");
/**
- * Set of package names which are allowed to be loaded from a webapp class
- * loader without delegating first and override any set by
+ * Regular expression of package names which are allowed to be loaded from
a
+ * webapp class loader without delegating first and override any set by
* {@link #packageTriggersDeny}.
*/
- protected static final Set<String> packageTriggersPermit = new HashSet<>();
+ protected final Matcher packageTriggersPermit =
+ Pattern.compile("^javax\\.servlet\\.jsp\\.jstl\\.").matcher("");
/**
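Review bot: `packageTriggersDeny` and `packageTriggersPermit` are now per-instance `Matcher` objects, which are mutable and not thread-safe, and they remain `protected`, so a subclass that calls `reset()` or `lookingAt()` on them outside `filter()` bypasses the `synchronized` added in the `filter` hunk further down. Keeping the compiled expressions as `static final Pattern` fields and calling `PATTERN.matcher(input).lookingAt()` per lookup would remove the shared mutable state and the lock on a class-loading path. The `^` anchors are redundant, since `lookingAt()` already anchors at the start of the input. The Javadoc could also state why these packages must delegate first, for example `Web applications must not be able to shadow container or specification classes.`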
@@ -200,22 +206,6 @@ public class WebappClassLoader extends U
StringManager.getManager(Constants.Package);
- {
- // Configure packages that web applications are not allowed to override
- packageTriggersDeny.add("javax.el");
- packageTriggersDeny.add("javax.servlet");
- packageTriggersDeny.add("org.apache.catalina");
- packageTriggersDeny.add("org.apache.coyote");
- packageTriggersDeny.add("org.apache.el");
- packageTriggersDeny.add("org.apache.jasper");
- packageTriggersDeny.add("org.apache.juli");
- packageTriggersDeny.add("org.apache.naming");
- packageTriggersDeny.add("org.apache.tomcat");
-
- // Add some exceptions to the above
- // Standard tag libraries
- packageTriggersPermit.add("javax.servlet.jsp.jstl");
- }
// ----------------------------------------------------------- Constructors
/**
@@ -2658,7 +2648,7 @@ public class WebappClassLoader extends U
* @param name class name
* @return true if the class should be filtered
*/
- protected boolean filter(String name) {
+ protected synchronized boolean filter(String name) {
if (name == null)
return false;
@@ -2671,11 +2661,13 @@ public class WebappClassLoader extends U
else
return false;
- if (packageTriggersPermit.contains(packageName)) {
+ packageTriggersPermit.reset(packageName);
+ if (packageTriggersPermit.lookingAt()) {
return false;
}
- if (packageTriggersDeny.contains(packageName)) {
+ packageTriggersDeny.reset(packageName);
+ if (packageTriggersDeny.lookingAt()) {
return true;
}
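Review bot: Both expressions end in `\\.`, but in this hunk they are applied with `lookingAt()` to `packageName` rather than to `name`. The assignment of `packageName` lies outside the hunk; if it is the class name with the last segment stripped, it has no trailing dot, so a class directly in `javax.servlet` or `org.apache.catalina` would not match either expression and would not be filtered, whereas the removed `contains(packageName)` did match it. Resetting the matchers on the full class name, `packageTriggersPermit.reset(name);` and `packageTriggersDeny.reset(name);`, would cover a listed package and its sub-packages alike. A unit test asserting that `filter("javax.servlet.Servlet")` returns true and `filter("javax.servlet.jsp.jstl.core.Config")` returns false would pin the intended behaviour.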