Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/07/21 18:09:42 UTC

svn commit: r966292 - /tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java

Author: markt
Date: Wed Jul 21 16:09:41 2010
New Revision: 966292

URL: http://svn.apache.org/viewvc?rev=966292&view=rev
Log:
Return copies of the URL array rather than the original. This facilitated CVE-2010-1622 although the root cause was in the Spring Framework. Returning a copy in this case seems like a good idea.

Modified:
    tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java

Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=966292&r1=966291&r2=966292&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java (original)
+++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Wed Jul 21 16:09:41 2010
@@ -1709,7 +1709,7 @@ public class WebappClassLoader
     public URL[] getURLs() {
 
         if (repositoryURLs != null) {
-            return repositoryURLs;
+            return repositoryURLs.clone();
         }
 
         URL[] external = super.getURLs();
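Review bot: the early-return branch reads the field twice, once in `if (repositoryURLs != null)` and again in `repositoryURLs.clone()`, so if another thread can reset the field between the two reads, the method now throws a NullPointerException where it previously returned null. Copying the field into a local first (`URL[] urls = repositoryURLs;`) and then testing and cloning the local removes that window. A one-line comment on the `clone()` stating that it is a defensive copy would also keep it from being removed later as a needless allocation. The shallow copy is sufficient here because `java.net.URL` exposes no public mutators.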
@@ -1749,7 +1749,7 @@ public class WebappClassLoader
             repositoryURLs = new URL[0];
         }
 
-        return repositoryURLs;
+        return repositoryURLs.clone();
 
     }
 
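Review bot: the final `return repositoryURLs.clone();` repeats the copy from the early-return branch, so the guarantee depends on every exit of `getURLs()` remembering to make it. Consider a single exit point, or at least state in the method's Javadoc that callers receive a copy and that changes to the returned array do not affect the loader. The commit modifies only WebappClassLoader.java; a unit test that overwrites an element of the returned array and checks that the next `getURLs()` call is unaffected would guard against a regression.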


