Bug 44282 - WebappClassLoader.findClass calls getClassLoader without privileges
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Version: 5.5.25
Hardware: Other Linux
Importance: P4 minor
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Reported: 2008-01-22 23:50 UTC by Eddy Chan
Modified: 2008-08-27 13:35 UTC

Description Eddy Chan 2008-01-22 23:50:47 UTC
When logging is in TRACE mode or lower,
org.apache.catalina.loader.WebappClassLoader.findClass(String) calls
getClassLoader() without a privileged block.  With security enabled, this will
cause a SecurityException if the RuntimePermission to getClassLoader is not granted.
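
The pattern the report describes, with a privileged variant beside it, as an added example that is not part of the original report and is not Tomcat's actual patch. The class and method names are hypothetical; it uses the `SecurityManager`/`AccessController` API of that era, which later JDKs deprecate.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added illustration; hypothetical names, not code from Tomcat. */
public class PrivilegedLoaderLookup {

    private static final Logger log =
            Logger.getLogger(PrivilegedLoaderLookup.class.getName());

    /**
     * Unprivileged form, as in the report: when getClassLoader() triggers a
     * RuntimePermission("getClassLoader") check, the check covers every
     * frame on the call stack, so web application code that was not granted
     * the permission makes the call fail with a SecurityException.
     */
    private static ClassLoader loaderUnprivileged(Class<?> clazz) {
        return clazz.getClassLoader();
    }

    /**
     * Privileged form: doPrivileged stops the permission check at this
     * class's protection domain, so only this (trusted) code needs the
     * permission. Kept private so the loader is never handed back to
     * less-trusted callers; it is used for the log message only.
     */
    private static ClassLoader loaderPrivileged(final Class<?> clazz) {
        if (System.getSecurityManager() == null) {
            return clazz.getClassLoader(); // no checks are performed
        }
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            @Override
            public ClassLoader run() {
                return clazz.getClassLoader();
            }
        });
    }

    /** Trace-level logging that only resolves the loader when it will be logged. */
    static void traceLoaded(Class<?> clazz) {
        if (log.isLoggable(Level.FINEST)) {
            log.finest("Loaded " + clazz.getName() + " from " + loaderPrivileged(clazz));
        }
    }

    public static void main(String[] args) {
        traceLoaded(PrivilegedLoaderLookup.class);
    }
}
```

The privileged form still requires that the policy grants `RuntimePermission "getClassLoader"` to the code source containing the helper itself.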
Comment 1 Mark Thomas 2008-01-30 15:27:43 UTC
I have committed a patch to trunk and proposed the fix for 5.5.x and 6.0.x.
Comment 2 Mark Thomas 2008-05-20 00:45:52 UTC
This has been fixed in 6.0.x and will be included in 6.0.17 onwards.
Comment 3 Mark Thomas 2008-08-27 13:35:52 UTC
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.