Author: markt
Date: Wed Jul 21 16:09:41 2010
New Revision: 966292

URL: http://svn.apache.org/viewvc?rev=966292&view=rev
Log:
Return copies of the URL array rather than the original. This facilitated 
CVE-2010-1622 although the root cause was in the Spring Framework. Returning a 
copy in this case seems like a good idea.

Modified:
    tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java

Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=966292&r1=966291&r2=966292&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Wed Jul 
21 16:09:41 2010
@@ -1709,7 +1709,7 @@ public class WebappClassLoader
     public URL[] getURLs() {
 
         if (repositoryURLs != null) {
-            return repositoryURLs;
+            return repositoryURLs.clone();
         }
 
         URL[] external = super.getURLs();
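Review bot: the early return reads the repositoryURLs field twice, once in the `if (repositoryURLs != null)` check and again in `return repositoryURLs.clone();`. If any other code path can reassign the field between those two reads, the clone call works on a different reference than the one that was checked. Copying the field into a local variable first, then testing and cloning the local, keeps the check and the copy on the same array. The shallow copy itself is sufficient here because URL instances are immutable, so only the array slots needed protecting.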
@@ -1749,7 +1749,7 @@ public class WebappClassLoader
             repositoryURLs = new URL[0];
         }
 
-        return repositoryURLs;
+        return repositoryURLs.clone();
 
     }
 
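Review bot: the final `return repositoryURLs.clone();` changes the contract of getURLs() from handing out the cached array to handing out a copy, but nothing in the change records that. The method's Javadoc should state that callers receive a defensive copy and that writes to it do not affect the class loader, so a later cleanup does not remove the clone as a redundant allocation. The revision modifies only WebappClassLoader.java; a unit test that overwrites an element of the returned array and asserts that a second getURLs() call still returns the original entries would pin the behaviour for both return paths.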


