From a1e2b5d8cd39ccfd93465c9a04283bd4f6b2d10d Mon Sep 17 00:00:00 2001
From: markt
Date: Wed, 21 Jul 2010 16:09:41 +0000
Subject: [PATCH] Return copies of the URL array rather than the original. This facilitated CVE-2010-1622 although the root cause was in the Spring Framework. Returning a copy in this case seems like a good idea.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@966292 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/loader/WebappClassLoader.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/loader/WebappClassLoader.java b/java/org/apache/catalina/loader/WebappClassLoader.java
index 85ccaab48..8090e905d 100644
--- a/java/org/apache/catalina/loader/WebappClassLoader.java
+++ b/java/org/apache/catalina/loader/WebappClassLoader.java
@@ -1709,7 +1709,7 @@ public class WebappClassLoader
 public URL[] getURLs() {
 if (repositoryURLs != null) {
- return repositoryURLs;
+ return repositoryURLs.clone();
 }
 URL[] external = super.getURLs();
@@ -1749,7 +1749,7 @@ public class WebappClassLoader
 repositoryURLs = new URL[0];
 }
- return repositoryURLs;
+ return repositoryURLs.clone();
 }
-- 
2.11.0
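Review bot: In the first hunk `repositoryURLs` is read twice, once for the null test and once for `.clone()`; if another thread can reset the field to null in between (the field's synchronization is not visible in this patch, so this needs confirming), the old code returned null where the new code throws a NullPointerException. Reading the field into a local first avoids that: `URL[] cached = repositoryURLs;` followed by `if (cached != null) { return cached.clone(); }`. The same re-read applies to `return repositoryURLs.clone();` at the end of the method in the second hunk, where cloning the locally built array instead of the field would do. A short comment such as `// Defensive copy: callers must not be able to modify the cached search path` would also record why the copy is made, since the reason currently lives only in the commit message. The body of getURLs() between the two hunks is outside the patch.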