/**
* Validate a classname. As per SRV.9.7.2, we must restrict loading of
- * classes from J2SE (java.*) and classes of the servlet API
+ * classes from J2SE (java.*) and most classes of the servlet API
* (javax.servlet.*). That should enhance robustness and prevent a number
* of user error (where an older version of servlet.jar would be present
* in /WEB-INF/lib).
*/
protected boolean validate(String name) {
- if (name == null)
+ // Need to be careful with order here
+ if (name == null) {
+ // Can't load a class without a name
return false;
- if (name.startsWith("java."))
+ }
+ if (name.startsWith("java.")) {
+ // Must never load java.* classes
return false;
- if (name.startsWith("javax.servlet."))
+ }
+ if (name.startsWith("javax.servlet.jsp.jstl")) {
+ // OK for web apps to package JSTL
+ return true;
+ }
+ if (name.startsWith("javax.servlet.")) {
+ // Web apps should never package any other Servlet or JSP classes
return false;
+ }
+ // Assume everything else is OK
return true;
}
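Review bot: the new allow-list check `if (name.startsWith("javax.servlet.jsp.jstl"))` has no trailing dot, unlike the `"java."` and `"javax.servlet."` prefixes around it, so it accepts any class whose fully qualified name merely begins with that string (a package named `javax.servlet.jsp.jstlx`, for instance) rather than only classes under the `javax.servlet.jsp.jstl` package tree; suggest `name.startsWith("javax.servlet.jsp.jstl.")` so all three prefix tests are scoped the same way. The ordering itself is right: the JSTL exception must stay ahead of the broader `"javax.servlet."` rejection, and the `// Need to be careful with order here` comment should say exactly that (that the narrower allow rule precedes the wider deny rule) rather than leaving the reader to work out which ordering matters.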
and Contexts via JMX from a minimal server.xml that contains only a
Server element. Based on a patch by Chamith Buddhika. (markt)
</fix>
-
+ <fix>
+ <bug>49909</bug>: Fix a regression introduced with the fix for
+ <bug>47950</bug> that prevented JSTL classes being loaded. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
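Review bot: the changelog entry names the regression but not the rule that now applies; since the Javadoc on `validate` was changed to say "most classes of the servlet API" are refused, the entry should state that `javax.servlet.jsp.jstl.*` is the one servlet-API package a web application may now ship in /WEB-INF/lib, so readers of the changelog can tell which packages are still rejected without reading the source.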