From: markt Date: Wed, 21 Jul 2010 16:09:41 +0000 (+0000) Subject: Return copies of the URL array rather than the original. This facilitated CVE-2010... X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=a1e2b5d8cd39ccfd93465c9a04283bd4f6b2d10d;p=tomcat7.0 Return copies of the URL array rather than the original. This facilitated CVE-2010-1622 although the root cause was in the Spring Framework. Returning a copy in this case seems like a good idea. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@966292 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/java/org/apache/catalina/loader/WebappClassLoader.java b/java/org/apache/catalina/loader/WebappClassLoader.java index 85ccaab48..8090e905d 100644 --- a/java/org/apache/catalina/loader/WebappClassLoader.java +++ b/java/org/apache/catalina/loader/WebappClassLoader.java @@ -1709,7 +1709,7 @@ public class WebappClassLoader public URL[] getURLs() { if (repositoryURLs != null) { - return repositoryURLs; + return repositoryURLs.clone(); } URL[] external = super.getURLs(); @@ -1749,7 +1749,7 @@ public class WebappClassLoader repositoryURLs = new URL[0]; } - return repositoryURLs; + return repositoryURLs.clone(); }
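Review bot: In the first getURLs() hunk (@@ -1709), the early return `return repositoryURLs.clone();` has no comment explaining why a copy is made. Add a one-line comment or a Javadoc sentence on getURLs() stating that callers must never receive the internal repositoryURLs array, so that a later cleanup does not remove the clone() as a needless allocation. The copy is shallow, which is sufficient here because what needs protecting is the array's slots, not the URL objects they reference.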
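Review bot: In the second hunk (@@ -1749), the final `return repositoryURLs.clone();` repeats the fix already applied at the early return, so the method now has two exits that each have to remember to copy. Consider routing both through a single return statement or a small private helper, so that a future code path cannot hand out the cached array again. A unit test that modifies the array returned by getURLs() and checks that a second call still returns the original contents would pin this behaviour down.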