Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49750

Align WebappClassLoader.validate() implementation with Javadoc and ensure that javax.servlet.* classes can not be loaded by a WebappClassLoader instance.
Patch provided by pid.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@988222 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/java/org/apache/catalina/loader/WebappClassLoader.java b/java/org/apache/catalina/loader/WebappClassLoader.java
index e298360..2d8d13f 100644 (file)
--- a/java/org/apache/catalina/loader/WebappClassLoader.java
+++ b/java/org/apache/catalina/loader/WebappClassLoader.java
@@ -3206,6 +3206,8 @@ public class WebappClassLoader
             return false;
         if (name.startsWith("java."))
             return false;
+        if (name.startsWith("javax.servlet."))
+            return false;
 
         return true;
 

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 17ad106..0cd5ebf 100644 (file)
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -47,6 +47,12 @@
         distributable element of web.xml. (kfujino)
       </fix>
       <fix>
+        <bug>47950</bug>: Align <code>WebappClassLoader.validate()</code>
+        implementation with Javadoc and ensure that <code>javax.servlet.*</code>
+        classes can not be loaded by a <code>WebappClassLoader</code> instance.
+        Patch provided by pid. (markt)
+      </fix>
+      <fix>
         <bug>49757</bug>: Correct some generics warnings. Based on a patch
         provided by Gábor. (markt)
       </fix>