Use the correct classloader

This is the fix for CVE-2011-1582

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1100832 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/catalina/core/StandardWrapper.java

@@ -1136,7 +1136,8 @@ public void servletSecurityAnnotationScan() throws ServletException {
         if (getServlet() == null) {
             Class<?> clazz = null;
             try {
-                clazz = getParentClassLoader().loadClass(getServletClass());
+                clazz = getParent().getLoader().getClassLoader().loadClass(
+                        getServletClass());
                 processServletSecurityAnnotation(clazz);
             } catch (ClassNotFoundException e) {
                 // Safe to ignore. No class means no annotations to process

webapps/docs/changelog.xml

@@ -61,6 +61,10 @@
         Use safe equality test when determining event type in the
         MapperListener. (markt)
       </fix>
+      <fix>
+        Use correct class loader when loading Servlet classes in
+        StandardWrapper. (markt)
+      </fix>
     </changelog>
   </subsection>
 </section>