Index: java/org/apache/catalina/loader/WebappClassLoaderBase.java =================================================================== --- java/org/apache/catalina/loader/WebappClassLoaderBase.java (revision 1729943) +++ java/org/apache/catalina/loader/WebappClassLoaderBase.java (working copy) @@ -2763,12 +2763,12 @@ return false; char ch; - if (name.startsWith("javax")) { + if (name.startsWith("javax") && name.length() > 5) { /* 5 == length("javax") */ ch = name.charAt(5); if (isClassName && ch == '.') { /* 6 == length("javax.") */ - if (name.startsWith("servlet.jsp.jstl.", 6)) { + if (name.startsWith("servlet.jsp.jstl", 6)) { return false; } if (name.startsWith("el.", 6) || @@ -2779,7 +2779,7 @@ } } else if (!isClassName && ch == '/') { /* 6 == length("javax/") */ - if (name.startsWith("servlet/jsp/jstl/", 6)) { + if (name.startsWith("servlet/jsp/jstl", 6)) { return false; } if (name.startsWith("el/", 6) || @@ -2789,7 +2789,7 @@ return true; } } - } else if (name.startsWith("org")) { + } else if (name.startsWith("org") && name.length() > 3) { /* 3 == length("org") */ ch = name.charAt(3); if (isClassName && ch == '.') { @@ -2796,7 +2796,7 @@ /* 4 == length("org.") */ if (name.startsWith("apache.", 4)) { /* 11 == length("org.apache.") */ - if (name.startsWith("tomcat.jdbc.", 11)) { + if (name.startsWith("tomcat.jdbc", 11)) { return false; } if (name.startsWith("el.", 11) || @@ -2813,7 +2813,7 @@ /* 4 == length("org/") */ if (name.startsWith("apache/", 4)) { /* 11 == length("org/apache/") */ - if (name.startsWith("tomcat/jdbc/", 11)) { + if (name.startsWith("tomcat/jdbc", 11)) { return false; } if (name.startsWith("el/", 11) || Index: test/org/apache/catalina/loader/TestWebappClassLoader.java =================================================================== --- test/org/apache/catalina/loader/TestWebappClassLoader.java (revision 1729943) +++ test/org/apache/catalina/loader/TestWebappClassLoader.java (working copy) @@ -65,10 +65,11 @@ public void testFilter() throws IOException { String[] classSuffixes = new String[]{ - "some.package.Example" + "","some.package.Example" }; String[] resourceSuffixes = new String[]{ + "", "some/path/test.properties", "some/path/test" }; @@ -83,7 +84,7 @@ "org.apache", "org.apache.tomcat.jdbc", "javax", - "javax.jsp.jstl", + "javax.servlet.jsp.jstl", "com.mycorp" }; @@ -106,30 +107,38 @@ for (String prefix : prefixesPermit) { for (String suffix : classSuffixes) { - name = prefix + "." + suffix; - Assert.assertTrue("Class '" + name + "' failed permit filter", - !loader.filter(name, true)); if (prefix.equals("")) { name = suffix; - Assert.assertTrue("Class '" + name + "' failed permit filter", - !loader.filter(name, true)); + } else if (suffix.equals("")) { + name = prefix; + } else { + name = prefix + "." + suffix; } + Assert.assertTrue("Class '" + name + "' failed permit filter", + !loader.filter(name, true)); } prefix = prefix.replace('.', '/'); for (String suffix : resourceSuffixes) { - name = prefix + "/" + suffix; - Assert.assertTrue("Resource '" + name + "' failed permit filter", - !loader.filter(name, false)); if (prefix.equals("")) { name = suffix; - Assert.assertTrue("Resource '" + name + "' failed permit filter", - !loader.filter(name, false)); + } else if (suffix.equals("")) { + name = prefix; + } else { + name = prefix + "/" + suffix; } + Assert.assertTrue("Resource '" + name + "' failed permit filter", + !loader.filter(name, false)); } } for (String prefix : prefixesDeny) { for (String suffix : classSuffixes) { + if (suffix.equals("")) { + name = prefix; + Assert.assertTrue("Class '" + name + "' failed permit filter", + !loader.filter(name, true)); + continue; + } if (prefix.equals("")) { name = suffix; } else { @@ -140,6 +149,12 @@ } prefix = prefix.replace('.', '/'); for (String suffix : resourceSuffixes) { + if (suffix.equals("")) { + name = prefix; + Assert.assertTrue("Resource '" + name + "' failed permit filter", + !loader.filter(name, false)); + continue; + } if (prefix.equals("")) { name = suffix; } else {