remm        01/09/19 16:15:44

  Modified:    catalina/src/share/org/apache/catalina/loader
                        WebappClassLoader.java
  Log:
  - According to paragraph 9.7.2 of the Servlet 2.3 spec, we should refuse loading
    any class related to J2SE or the servlet API from the webapp class repository.
  - This prevents ClassCasts when putting an old servlet.jar in the webapp
    repository, BUT JSPs will still fail to build (the reason is that javac uses a
    classpath String to look up the JARs .............). I have no idea how to fix
    the JSP problem.
  
  Revision  Changes    Path
  1.16      +31 -4     
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
  
  Index: WebappClassLoader.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- WebappClassLoader.java    2001/09/07 19:16:31     1.15
  +++ WebappClassLoader.java    2001/09/19 23:15:43     1.16
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v
 1.15 2001/09/07 19:16:31 remm Exp $
  - * $Revision: 1.15 $
  - * $Date: 2001/09/07 19:16:31 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v
 1.16 2001/09/19 23:15:43 remm Exp $
  + * $Revision: 1.16 $
  + * $Date: 2001/09/19 23:15:43 $
    *
    * ====================================================================
    *
  @@ -123,7 +123,7 @@
    *
    * @author Remy Maucherat
    * @author Craig R. McClanahan
  - * @version $Revision: 1.15 $ $Date: 2001/09/07 19:16:31 $
  + * @version $Revision: 1.16 $ $Date: 2001/09/19 23:15:43 $
    */
   public class WebappClassLoader
       extends URLClassLoader
  @@ -1414,6 +1414,9 @@
       protected Class findClassInternal(String name)
           throws ClassNotFoundException {
   
  +        if (!validate(name))
  +            throw new ClassNotFoundException(name);
  +
           String tempPath = name.replace('.', '/');
           String classPath = tempPath + ".class";
   
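Review bot: A name refused by `validate` at the top of findClassInternal is reported with the same bare `ClassNotFoundException(name)` as a class that is simply absent, so an operator chasing a stale servlet.jar in /WEB-INF/lib gets no hint that the loader blocked the class on purpose. A comment above the new check, such as `// SRV.9.7.2: never define java.* or javax.servlet.* classes from the webapp repository`, would record the intent. If the class has a debug logger, a log line before the throw would also make the rejection visible. The body of findClassInternal continues past this hunk, so it cannot be confirmed from here that every path that defines a class from the repository passes through this check.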
  @@ -1733,6 +1736,30 @@
               // Some policy files may restrict this, even for the core,
               // so this exception is ignored
           }
  +
  +    }
  +
  +
  +    /**
  +     * Validate a classname. As per SRV.9.7.2, we must restict loading of 
  +     * classes from J2SE (java.*) and classes of the servlet API 
  +     * (javax.servlet.*). That should enhance robustness and prevent a number
  +     * of user error (where an older version of servlet.jar would be present
  +     * in /WEB-INF/lib).
  +     * 
  +     * @param name class name
  +     * @return true if the name is valid
  +     */
  +    protected boolean validate(String name) {
  +
  +        if (name == null)
  +            return false;
  +        if (name.startsWith("java."))
  +            return false;
  +        if (name.startsWith("javax.servlet."))
  +            return false;
  +
  +        return true;
   
       }
   
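Review bot: The prefix list in `validate` covers only `java.` and `javax.servlet.`, while J2SE also ships classes outside `java.*` (for example `javax.swing.*`), so copies of those placed in the webapp repository still pass this check; whether that matters depends on the delegation order in loadClass, which is outside the hunk. The method is `protected` and overridable, so a subclass can relax the filter; if that is not intended, declaring it `private` or `final` would pin the policy. Holding the prefixes in one constant, e.g. `private static final String[] RESTRICTED_PREFIXES = { "java.", "javax.servlet." };`, would keep the list in one place as packages are added. In the Javadoc, `restict` should read `restrict` and `a number of user error` should read `a number of user errors`.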
  
  
  
