Author: markt
Date: Fri Sep 17 11:05:39 2010
New Revision: 998071

URL: http://svn.apache.org/viewvc?rev=998071&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49909
Re-enable JSTL. This was a regression in the fix for bz 47950

Modified:
    tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=998071&r1=998070&r2=998071&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Fri Sep 
17 11:05:39 2010
@@ -3217,7 +3217,7 @@ public class WebappClassLoader
 
     /**
      * Validate a classname. As per SRV.9.7.2, we must restrict loading of 
-     * classes from J2SE (java.*) and classes of the servlet API 
+     * classes from J2SE (java.*) and most classes of the servlet API 
      * (javax.servlet.*). That should enhance robustness and prevent a number
      * of user error (where an older version of servlet.jar would be present
      * in /WEB-INF/lib).
@@ -3227,13 +3227,25 @@ public class WebappClassLoader
      */
     protected boolean validate(String name) {
 
-        if (name == null)
+        // Need to be careful with order here
+        if (name == null) {
+            // Can't load a class without a name
             return false;
-        if (name.startsWith("java."))
+        }
+        if (name.startsWith("java.")) {
+            // Must never load java.* classes
             return false;
-        if (name.startsWith("javax.servlet."))
+        }
+        if (name.startsWith("javax.servlet.jsp.jstl")) {
+            // OK for web apps to package JSTL
+            return true;
+        }
+        if (name.startsWith("javax.servlet.")) {
+            // Web apps should never package any other Servlet or JSP classes
             return false;
+        }
 
+        // Assume everything else is OK
         return true;
 
     }
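Review bot: The JSTL exemption `name.startsWith("javax.servlet.jsp.jstl")` has no trailing dot, so it also accepts any package whose name merely begins with that string (constructed example: `javax.servlet.jsp.jstlx.Foo`). That is wider than the comment "OK for web apps to package JSTL" describes. Because validate() is the guard that stops a web application from supplying its own `javax.servlet.*` classes, the allow-list entry should be as narrow as the intent: `if (name.startsWith("javax.servlet.jsp.jstl.")) {`. The "Need to be careful with order here" comment would also be more useful if it named the dependency, for example `// JSTL exemption must come before the javax.servlet. check, which would otherwise reject it`. The method's Javadoc begins outside this hunk.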

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=998071&r1=998070&r2=998071&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Sep 17 11:05:39 2010
@@ -140,7 +140,10 @@
         and Contexts via JMX from a minimal server.xml that contains only a
         Server element. Based on a patch by Chamith Buddhika. (markt)
       </fix>
-      
+      <fix>
+        <bug>49909</bug>: Fix a regression introduced with the fix for
+        <bug>47950</bug> that prevented JSTL classes being loaded. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">


