Mark Thomas

Results: 274 comments by Mark Thomas

Sorry about the JEXL / JXPath mix-up. Trying to respond to lots of similar issues about projects with similar names. The CVE record has been updated to invalid so my...

There is no security vulnerability. This PR will be dealt with with the same priority as any other enhancement request.

This PR doesn't appear to change the current behaviour.

Ah, understood. My view is that this is a neat trick but it isn't sufficient. There are a bunch of places where Tomcat calls `response.sendError(400,"reason")` where we also want the...

Tomcat isn't reserving all 4xx responses. It will close the connection if a small sub-set of those status codes is used and does so to avoid various potential security issues....

From memory of previous discussions, implementing Request/Response wrapping in Valves is non-trivial. I'd expose a setter for `requestId`.

Any caching approach needs to consider the case of two classes in different web applications with the same name but different structures. Essentially, caching needs to be per class loader.

I'd also like to see the key removed from the cache when the value expires.

I think the changes will have to go into `Util`. Something like a map of caches, keyed by class loader with appropriate use of weak references to avoid class loader...

Actually, it does belong to us. It isn't part of the public API. We are free to change it how we wish. If you compare our version to the equivalent...