From 299b26af66793438c323ea6b18462fa44683080f Mon Sep 17 00:00:00 2001
From: Mark Emlyn David Thomas
Date: Sun, 8 May 2011 22:53:32 +0000
Subject: [PATCH] Use the correct classloader This is the fix for CVE-2011-1582
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1100832 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/core/StandardWrapper.java | 3 ++-
 webapps/docs/changelog.xml | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/core/StandardWrapper.java b/java/org/apache/catalina/core/StandardWrapper.java
index 30f2eee02909..bbd6f31ffb14 100644
--- a/java/org/apache/catalina/core/StandardWrapper.java
+++ b/java/org/apache/catalina/core/StandardWrapper.java
@@ -1136,7 +1136,8 @@ public void servletSecurityAnnotationScan() throws ServletException {
 if (getServlet() == null) {
 Class clazz = null;
 try {
- clazz = getParentClassLoader().loadClass(getServletClass());
+ clazz = getParent().getLoader().getClassLoader().loadClass(
+ getServletClass());
 processServletSecurityAnnotation(clazz);
 } catch (ClassNotFoundException e) {
 // Safe to ignore. No class means no annotations to process
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 189b52531cac..d52d6676b60f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -61,6 +61,10 @@ Use safe equality test when determining event type in the MapperListener. (markt) + + Use correct class loader when loading Servlet classes in + StandardWrapper. (markt) +
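Review bot: In the StandardWrapper.java hunk, the new `getParent().getLoader().getClassLoader()` chain on the `clazz =` line dereferences three results without a null check, while the only handler visible here is `catch (ClassNotFoundException e)`. A wrapper with no parent, or a context whose loader is not yet set, would therefore throw a NullPointerException out of the scan; whether callers guarantee a started loader cannot be seen from this hunk. The catch also stays fail-open: a servlet class that cannot be loaded has its security annotations skipped with no trace, which is presumably how the wrong loader went unnoticed, so I would log there instead of ignoring it silently. I would also add a comment above the load, for example `// Use the web application's class loader; the parent loader may not see the servlet class, and its security annotations would then be skipped`. The method body starts and ends outside the hunk.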