When ToolListener goes into the webapp to look for tools to load, it will read from any filename. It should, for consistency, read only from files that end with .xml. The 'register' function of the ActiveToolManager that accepts a File as a parameter does this check, but the ToolListener passes this resource as an unverified stream. This recently came up as an issue for us because 'patch' created some files with an .orig extension, which were loaded by Sakai instead of the correct .xml registration file.
The patch changes ToolListener to pass the tool path as a File rather than as a stream so it's checked.
Also affects 2.5 versions of Sakai.
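
The kind of check described above, as an added stand-alone sketch (not Sakai's code and not the attached patch): a directory scan that accepts only regular files ending in .xml and reports everything else, including 'patch' leftovers. The class name, helper names and sample file names are hypothetical, and the case-sensitive suffix match is an assumption.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class ToolRegistrationFilter {

    // Hypothetical helper: accept only regular files whose name ends with ".xml".
    // "sakai.example.xml.orig" fails the suffix test; a directory named
    // "backup.xml" fails the regular-file test.
    static boolean isRegistrationFile(Path p) {
        return Files.isRegularFile(p) && p.getFileName().toString().endsWith(".xml");
    }

    // Splits a directory listing into [files to register, entries to skip].
    static List<List<Path>> partition(Path toolsDir) throws IOException {
        List<Path> accepted = new ArrayList<>();
        List<Path> skipped = new ArrayList<>();
        try (Stream<Path> entries = Files.list(toolsDir)) {
            for (Path p : entries.sorted().collect(Collectors.toList())) {
                (isRegistrationFile(p) ? accepted : skipped).add(p);
            }
        }
        return Arrays.asList(accepted, skipped);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample directory: one registration file plus 'patch' leftovers.
        Path toolsDir = Files.createTempDirectory("tools");
        String[] names = {"sakai.example.xml", "sakai.example.xml.orig",
                          "sakai.example.xml.rej", "README.txt"};
        for (String name : names) {
            Files.write(toolsDir.resolve(name),
                        "<registration/>".getBytes(StandardCharsets.UTF_8));
        }
        Files.createDirectory(toolsDir.resolve("backup.xml")); // a directory, not a file

        List<List<Path>> result = partition(toolsDir);
        result.get(0).forEach(p -> System.out.println("register: " + p.getFileName()));
        result.get(1).forEach(p -> System.out.println("skip:     " + p.getFileName()));
    }
}
```

Logging the skipped entries, rather than dropping them silently, makes stray backup files in a deployed webapp visible at startup.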