2013/11/8 <ma...@apache.org>: > Author: markt > Date: Fri Nov 8 00:09:19 2013 > New Revision: 1539873 > > URL: http://svn.apache.org/r1539873 > Log: > Correctly implement delegation filtering for container packages. > > Modified: > tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java > > Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=1539873&r1=1539872&r2=1539873&view=diff > ============================================================================== > --- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java > (original) > +++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Fri > Nov 8 00:09:19 2013 > @@ -47,7 +47,6 @@ import java.util.ConcurrentModificationE > import java.util.Date; > import java.util.Enumeration; > import java.util.HashMap; > -import java.util.HashSet; > import java.util.Iterator; > import java.util.LinkedHashSet; > import java.util.List; > @@ -61,6 +60,8 @@ import java.util.concurrent.ThreadPoolEx > import java.util.jar.Attributes; > import java.util.jar.Attributes.Name; > import java.util.jar.Manifest; > +import java.util.regex.Matcher; > +import java.util.regex.Pattern; > > import org.apache.catalina.Globals; > import org.apache.catalina.Lifecycle; 
> @@ -179,18 +180,23 @@ public class WebappClassLoader extends U > // ------------------------------------------------------- Static > Variables > > /** > - * Set of package names which are not allowed to be loaded from a webapp > - * class loader without delegating first. > + * Regular expression of package names which are not allowed to be loaded > + * from a webapp class loader without delegating first. > */ > - protected static final Set<String> packageTriggersDeny = new HashSet<>(); > + protected final Matcher packageTriggersDeny = Pattern.compile( > + "^javax\\.el\\.|" + > + "^javax\\.servlet\\.|" + > + > "^org\\.apache\\.(catalina|coyote|el|jasper|juli|naming|tomcat)\\." > + ).matcher(""); > > > /** > - * Set of package names which are allowed to be loaded from a webapp > class > - * loader without delegating first and override any set by > + * Regular expression of package names which are allowed to be loaded > from a > + * webapp class loader without delegating first and override any set by > * {@link #packageTriggersDeny}. > */ > - protected static final Set<String> packageTriggersPermit = new > HashSet<>(); > + protected final Matcher packageTriggersPermit = > + Pattern.compile("^javax\\.servlet\\.jsp\\.jstl\\.").matcher(""); >
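Review bot: in the `packageTriggersDeny` / `packageTriggersPermit` hunk the fields become `Matcher` instances (`Pattern.compile(...).matcher("")`) shared by every caller of this class loader, and `java.util.regex.Matcher` is not thread-safe: a `reset(name)` from one thread races with the `lookingAt()`/`find()` of another, so concurrent `loadClass` calls can get a wrong filter result unless every use site holds the same lock. Prefer keeping the immutable `Pattern` as the field (it could stay `static final`, as the old `Set` fields were, rather than being compiled per class loader instance) and creating the matcher per call, e.g. `packageTriggersDeny.matcher(name).lookingAt()`; if the shared `Matcher` is kept for performance, document on the field that it must only be used under the class-loading lock. The new Javadoc should also say that the two filters are now fixed at compile time, since the previous mutable sets could be populated by code that extends this class and that extension point is removed here.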
Looking at other Tomcat projects... Standard Taglib uses org.apache.taglibs.standard.**, so it is not affected by the above patterns. Maven Plugin uses org.apache.tomcat.maven.**, so it is affected. (Even though it is unlikely that those classes would be used in a web application, it is not illegal.)

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
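A quick way to check which package prefixes the two expressions in the quoted hunk actually capture, including the org.apache.tomcat.maven case raised in the reply, is to run them outside the class loader. The following is an added example, not Tomcat code and not from the thread: the two regular expressions are copied from the hunk, while the class name, the `mustDelegate` method and the sample class names are this example's own (the sample names are constructed for the check and are not verified against the Standard Taglib or Maven Plugin sources). It deliberately keeps the immutable `Pattern` rather than a shared `Matcher`, because a `Matcher` is not thread-safe.

```java
import java.util.regex.Pattern;

/**
 * Stand-alone re-implementation of the webapp class loader delegation
 * filter from r1539873, for checking which class names it captures.
 * Example code only: the patterns are taken from the patch, everything
 * else here is an assumption of this example.
 */
public class DelegationFilterCheck {

    // Same expressions as the patch. Held as Patterns (immutable, safe to
    // share between threads) instead of a single shared Matcher.
    private static final Pattern DENY = Pattern.compile(
            "^javax\\.el\\.|" +
            "^javax\\.servlet\\.|" +
            "^org\\.apache\\.(catalina|coyote|el|jasper|juli|naming|tomcat)\\.");

    private static final Pattern PERMIT =
            Pattern.compile("^javax\\.servlet\\.jsp\\.jstl\\.");

    /**
     * True if the class must be loaded through the parent loader first.
     * A permit match overrides a deny match, as the patch's Javadoc states.
     * A fresh Matcher is created per call, so this method needs no locking.
     */
    static boolean mustDelegate(String className) {
        if (PERMIT.matcher(className).lookingAt()) {
            return false;
        }
        return DENY.matcher(className).lookingAt();
    }

    public static void main(String[] args) {
        // Constructed sample names; the first two mirror the reply's point.
        String[] names = {
            "org.apache.taglibs.standard.tag.common.core.OutSupport", // Standard Taglib: not affected
            "org.apache.tomcat.maven.common.deployer.TomcatManager",  // Maven Plugin: affected
            "javax.servlet.jsp.jstl.core.Config",                     // permit overrides deny
            "javax.servlet.http.HttpServlet",                         // denied
            "org.apache.catalina.Globals",                            // denied
            "org.apache.commons.lang3.StringUtils",                   // not affected
            "com.example.app.Foo",                                    // not affected
        };
        for (String n : names) {
            System.out.printf("%-58s delegate first: %b%n", n, mustDelegate(n));
        }
    }
}
```

Running it prints `true` for the javax.servlet, org.apache.catalina and org.apache.tomcat.maven names and `false` for the rest, which is the classification the reply describes; any candidate prefix can be added to the array to see whether the deny expression would force parent-first loading for it.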