Bug 49750

Summary: WebappClassLoader.validate(name) does not validate javax.servlet.
Product: Tomcat 7
Reporter: Pid <pidster>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: trivial    
Priority: P2    
Version: trunk   
Target Milestone: ---   
Hardware: All   
OS: All   
Attachments: Minor patch to validate(name) method

Description Pid 2010-08-15 11:06:54 UTC
The method does not validate the class name as described in the method documentation.

"Validate a classname. As per SRV.9.7.2, we must restrict loading of classes from J2SE (java.*) and classes of the servlet API (javax.servlet.*) "

Comment 1 Pid 2010-08-15 11:08:47 UTC
Created attachment 25887
Minor patch to validate(name) method

Minor patch to validate(name) method which returns false for javax.servlet. as described in method comment

Comment 2 Mark Thomas 2010-08-23 13:33:05 UTC
Fixed and will be included in 7.0.3 onwards. Thanks for the patch.
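
The check that the quoted method documentation describes, as an added Java example (it is not Tomcat's WebappClassLoader source and not the attached patch). The `ChildFirstLoader` class, its recording `findClass` and the sample class names are constructed for illustration; the example shows that names rejected by `validate` never reach the web application's own lookup and are resolved only by the parent loader.

```java
import java.util.ArrayList;
import java.util.List;

public class RestrictedNameDemo {
    // Prefixes named in the method documentation quoted in the report.
    private static final String[] RESTRICTED = {"java.", "javax.servlet."};

    // false = the web application's loader must not define this class itself.
    static boolean validate(String name) {
        if (name == null) return false;
        for (String prefix : RESTRICTED) {
            if (name.startsWith(prefix)) return false;
        }
        return true;
    }

    // Hypothetical child-first loader. findClass only records which names
    // reached the local (web application) lookup, then reports "not found".
    static class ChildFirstLoader extends ClassLoader {
        final List<String> localLookups = new ArrayList<>();
        ChildFirstLoader(ClassLoader parent) { super(parent); }

        @Override protected Class<?> findClass(String name) throws ClassNotFoundException {
            localLookups.add(name);
            throw new ClassNotFoundException(name);
        }

        @Override protected Class<?> loadClass(String name, boolean resolve)
                throws ClassNotFoundException {
            if (validate(name)) {
                try { return findClass(name); } catch (ClassNotFoundException ignored) { }
            }
            // Restricted or locally missing: only the parent may supply the class.
            return getParent().loadClass(name);
        }
    }

    public static void main(String[] args) {
        ChildFirstLoader loader = new ChildFirstLoader(RestrictedNameDemo.class.getClassLoader());
        // Constructed sample names.
        String[] names = {"java.lang.String", "javax.servlet.Servlet",
                "javax.servlet.http.HttpServlet", "javax.sql.DataSource", "com.example.Foo"};
        for (String n : names) {
            try { loader.loadClass(n); } catch (ClassNotFoundException e) { /* not on classpath */ }
            System.out.println(n + " validate=" + validate(n));
        }
        System.out.println("reached local lookup: " + loader.localLookups);
    }
}
```

Without the `javax.servlet.` prefix in the list, a copy of the servlet API bundled inside a web application would be eligible for the local lookup and could shadow the container's classes.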