Bug 49750 - WebappClassLoader.validate(name) does not validate javax.servlet.
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: trunk
Hardware: All All
Importance: P2 trivial
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Reported: 2010-08-15 11:06 UTC by Pid
Modified: 2010-08-23 13:33 UTC

Attachments
Minor patch to validate(name) method (497 bytes, patch)
2010-08-15 11:08 UTC, Pid

Description Pid 2010-08-15 11:06:54 UTC
The method does not validate the class name as described in the method documentation.

"Validate a classname. As per SRV.9.7.2, we must restrict loading of classes from J2SE (java.*) and classes of the servlet API (javax.servlet.*) "
Comment 1 Pid 2010-08-15 11:08:47 UTC
Created attachment 25887
Minor patch to validate(name) method

Minor patch to validate(name) method which returns false for javax.servlet. as described in method comment
Comment 2 Mark Thomas 2010-08-23 13:33:05 UTC
Fixed and will be included in 7.0.3 onwards. Thanks for the patch.
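
The restriction quoted in the description, sketched as a child-first class loader. This is an added example, not Tomcat's code and not the attached patch; the class `ChildFirstLoader` and its structure are hypothetical. Names that fail `validate` are never looked up in the web application's own repositories and are resolved by the parent loader only.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Objects;

// Hypothetical illustration; not org.apache.catalina.loader.WebappClassLoader.
public class ChildFirstLoader extends URLClassLoader {

    public ChildFirstLoader(URL[] repositories, ClassLoader parent) {
        super(repositories, Objects.requireNonNull(parent, "parent"));
    }

    // Returns false for names the web application must never supply itself.
    static boolean validate(String name) {
        if (name == null) {
            return false;
        }
        // The trailing dot keeps look-alike packages ("javax.servletx") loadable.
        return !name.startsWith("java.") && !name.startsWith("javax.servlet.");
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            if (c == null && validate(name)) {
                try {
                    c = findClass(name); // web application repositories first
                } catch (ClassNotFoundException e) {
                    // not bundled with the application; fall back to the parent
                }
            }
            if (c == null) {
                // Restricted names reach this point without any local lookup,
                // so a bundled copy of the servlet API cannot shadow the container's.
                c = getParent().loadClass(name);
            }
            if (resolve) {
                resolveClass(c);
            }
            return c;
        }
    }

    public static void main(String[] args) {
        // Constructed sample names.
        String[] names = {"java.lang.String", "javax.servlet.Servlet",
                          "javax.servletx.Foo", "com.example.App"};
        for (String n : names) {
            System.out.println(n + " -> local lookup allowed: " + validate(n));
        }
    }
}
```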