https://issues.apache.org/bugzilla/show_bug.cgi?id=50192
Robert Goff <robert_goff...@yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |

--- Comment #3 from Robert Goff <robert_goff...@yahoo.com> 2010-11-11 10:45:02 EST ---
The NullFunctionMapper in ELContextImpl is a final object. Therefore, it cannot be overridden, and the only method that it has is resolveFunction, which will return null. There is nothing about this object that could present a security issue.

As far as the ELResolverImpl is concerned, I can see how the static ELResolver could be accessed, and it is possible that it would be altered by a malicious user. However, I think that there could still be a performance gain here by not having each method within the ELResolverImpl call getDefaultResolver(). Instead, you could create one defaultResolver for this particular instance (in the constructor), allowing all the methods for this instance to use that object, and you could still provide the static getDefaultResolver() method to return a new object each time. This would at least save a few new constructions of the ELResolver when you're reusing the same ELResolverImpl object.

Please look at the patch to see the recommended change.
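
The trade-off discussed in the comment above, as an added Java illustration that is not part of the bug report or its attached patch. `Chain`, `SHARED` and `PerInstanceImpl` are hypothetical stand-ins rather than Tomcat classes; only the name `getDefaultResolver()` comes from the comment.

```java
import java.util.ArrayList;
import java.util.List;

public class ResolverSharingDemo {
    // Hypothetical stand-in for a mutable composite resolver (not Tomcat's class).
    static class Chain {
        static int constructed = 0;
        final List<String> parts = new ArrayList<>();
        Chain() { constructed++; parts.add("map"); parts.add("bean"); }
        void add(String part) { parts.add(part); }
    }

    // Design A: one static, mutable chain handed to every caller.
    static final Chain SHARED = new Chain();

    // Design B: the static factory still returns a fresh chain on every call...
    static Chain getDefaultResolver() { return new Chain(); }

    // ...and each wrapper instance builds its own chain once, in the constructor.
    static class PerInstanceImpl {
        private final Chain resolver = getDefaultResolver();
        int getValue() { return resolver.parts.size(); }
        int getType() { return resolver.parts.size(); }
    }

    public static void main(String[] args) {
        // A: a change made through one reference is seen by every other user.
        Chain first = SHARED, second = SHARED;
        first.add("untrusted");
        System.out.println("shared chain seen by second user: " + second.parts);

        // B: altering a chain obtained from the factory cannot reach the
        // chain held privately by an instance that already exists.
        Chain.constructed = 0;
        PerInstanceImpl impl = new PerInstanceImpl();
        getDefaultResolver().add("untrusted");

        // The method calls below reuse the single chain built in the constructor.
        impl.getValue(); impl.getType(); impl.getValue();
        System.out.println("instance chain size: " + impl.getValue());
        System.out.println("chains constructed: " + Chain.constructed);
    }
}
```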