Author: markt
Date: Fri Nov  8 00:09:19 2013
New Revision: 1539873

URL: http://svn.apache.org/r1539873
Log:
Correctly implement delegation filtering for container packages.

Modified:
    tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java

Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=1539873&r1=1539872&r2=1539873&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Fri Nov 
 8 00:09:19 2013
@@ -47,7 +47,6 @@ import java.util.ConcurrentModificationE
 import java.util.Date;
 import java.util.Enumeration;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Iterator;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -61,6 +60,8 @@ import java.util.concurrent.ThreadPoolEx
 import java.util.jar.Attributes;
 import java.util.jar.Attributes.Name;
 import java.util.jar.Manifest;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import org.apache.catalina.Globals;
 import org.apache.catalina.Lifecycle;
@@ -179,18 +180,23 @@ public class WebappClassLoader extends U
     // ------------------------------------------------------- Static Variables
 
     /**
-     * Set of package names which are not allowed to be loaded from a webapp
-     * class loader without delegating first.
+     * Regular expression of package names which are not allowed to be loaded
+     * from a webapp class loader without delegating first.
      */
-    protected static final Set<String> packageTriggersDeny = new HashSet<>();
+    protected final Matcher packageTriggersDeny = Pattern.compile(
+            "^javax\\.el\\.|" +
+            "^javax\\.servlet\\.|" +
+            "^org\\.apache\\.(catalina|coyote|el|jasper|juli|naming|tomcat)\\."
+            ).matcher("");
 
 
     /**
-     * Set of package names which are allowed to be loaded from a webapp class
-     * loader without delegating first and override any set by
+     * Regular expression of package names which are allowed to be loaded from 
a
+     * webapp class loader without delegating first and override any set by
      * {@link #packageTriggersDeny}.
      */
-    protected static final Set<String> packageTriggersPermit = new HashSet<>();
+    protected final Matcher packageTriggersPermit =
+            Pattern.compile("^javax\\.servlet\\.jsp\\.jstl\\.").matcher("");
 
 
     /**
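Review bot: `packageTriggersDeny` and `packageTriggersPermit` now hold a `Matcher`, which is stateful and not safe for concurrent use, in `protected` fields, so a subclass can call `reset()` on them outside the lock that `filter()` takes in the later hunk at -2658. Keeping the compiled expression instead, e.g. `protected static final Pattern packageTriggersDeny = Pattern.compile(...);`, and calling `packageTriggersDeny.matcher(packageName).lookingAt()` per lookup would remove the shared mutable state and the need for `synchronized` on `filter()`. The leading `^` in each alternative is redundant, because `lookingAt()` already anchors at the start of the input. The Javadoc should also say that each expression expects a trailing `.` after the package name, since that is no longer the plain package-name form the old sets used.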
@@ -200,22 +206,6 @@ public class WebappClassLoader extends U
         StringManager.getManager(Constants.Package);
 
 
-    {
-        // Configure packages that web applications are not allowed to override
-        packageTriggersDeny.add("javax.el");
-        packageTriggersDeny.add("javax.servlet");
-        packageTriggersDeny.add("org.apache.catalina");
-        packageTriggersDeny.add("org.apache.coyote");
-        packageTriggersDeny.add("org.apache.el");
-        packageTriggersDeny.add("org.apache.jasper");
-        packageTriggersDeny.add("org.apache.juli");
-        packageTriggersDeny.add("org.apache.naming");
-        packageTriggersDeny.add("org.apache.tomcat");
-
-        // Add some exceptions to the above
-        // Standard tag libraries
-        packageTriggersPermit.add("javax.servlet.jsp.jstl");
-    }
     // ----------------------------------------------------------- Constructors
 
     /**
@@ -2658,7 +2648,7 @@ public class WebappClassLoader extends U
      * @param name class name
      * @return true if the class should be filtered
      */
-    protected boolean filter(String name) {
+    protected synchronized boolean filter(String name) {
 
         if (name == null)
             return false;
@@ -2671,11 +2661,13 @@ public class WebappClassLoader extends U
         else
             return false;
 
-        if (packageTriggersPermit.contains(packageName)) {
+        packageTriggersPermit.reset(packageName);
+        if (packageTriggersPermit.lookingAt()) {
             return false;
         }
 
-        if (packageTriggersDeny.contains(packageName)) {
+        packageTriggersDeny.reset(packageName);
+        if (packageTriggersDeny.lookingAt()) {
             return true;
         }
 
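Review bot: Every alternative in the new expressions ends in `\\.`, but the value passed to `reset()` here is `packageName`, which the removed `contains(packageName)` calls compared against dot-less entries such as `"javax.el"`. If it is still derived without the trailing dot (the assignment sits between this hunk and the previous one and is not shown), `lookingAt()` cannot match a class placed directly in `javax.el`, `javax.servlet` or `org.apache.catalina`, and only their sub-packages are filtered, which would weaken the protection of container classes this filter exists for. Either pass the separator explicitly, `packageTriggersDeny.reset(packageName + ".");` and the same for `packageTriggersPermit`, or keep the trailing dot where `packageName` is computed. A unit test asserting that `filter("javax.servlet.Servlet")` returns true and `filter("javax.servlet.jsp.jstl.core.Config")` returns false would pin the intended behaviour.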


