Author: markt
Date: Wed Jul 21 16:09:41 2010
New Revision: 966292
URL: http://svn.apache.org/viewvc?rev=966292&view=rev
Log:
Return copies of the URL array rather than the original. This facilitated
CVE-2010-1622 although the root cause was in the Spring Framework. Returning a
copy in this case seems like a good idea.
Modified:
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=966292&r1=966291&r2=966292&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Wed Jul
21 16:09:41 2010
@@ -1709,7 +1709,7 @@ public class WebappClassLoader
public URL[] getURLs() {
if (repositoryURLs != null) {
- return repositoryURLs;
+ return repositoryURLs.clone();
}
URL[] external = super.getURLs();
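Review bot: in the cached branch the field is read twice, once in `if (repositoryURLs != null)` and again in `return repositoryURLs.clone();`, so the check and the copy are not guaranteed to act on the same array if the field is ever reassigned between the two reads. Reading it once into a local (`URL[] urls = repositoryURLs;`) and checking and cloning that local would close the gap. The copy is shallow, which is enough here because the elements are `URL` objects, but a short comment saying the clone is deliberate and why would help the next person who is tempted to remove it as an unneeded allocation.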
@@ -1749,7 +1749,7 @@ public class WebappClassLoader
repositoryURLs = new URL[0];
}
- return repositoryURLs;
+ return repositoryURLs.clone();
}
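Review bot: the second `return repositoryURLs.clone();` means every exit from `getURLs()` now has to remember to copy, and nothing in the change documents or enforces that contract. The commit modifies only WebappClassLoader.java, so a later edit could go back to returning the internal array without anything failing. Suggest stating in the method's Javadoc that callers receive a copy and that changes to it do not affect the class loader, and adding a test that modifies an element of the returned array and checks that a second `getURLs()` call still returns the original entries.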