Comment 5 for bug 1606331

(In reply to Shon Vella from comment #2)
> Looked over the patch and I think the changes for org.apache.tomcat.jdbc
> javax.servlet.jsp.jstl will now incorrectly detect things like
> org.apache.tomcat.jdbcx and javax.servlet.jsp.jstly - Not very likely to
> happen in the wild I know, but I wouldn't have thought org and javax would
> have been very likely either.

If you read again the code you will see that the check for these packages (org.apache.tomcat.jdbc, javax.servlet.jsp.jstl) is introduced in order to permit them not to deny them.
So if there are packages in the client code that are like those that you described above then they will be permitted.

Regards,
Violeta