Author: jfrederic.clere(a)jboss.com
Date: 2011-06-06 08:05:32 -0400 (Mon, 06 Jun 2011)
New Revision: 1731
Modified:
branches/2.1.x/java/org/apache/catalina/loader/WebappClassLoader.java
branches/2.1.x/webapps/docs/changelog.xml
Log:
Fix CVE-2010-1622.
Modified: branches/2.1.x/java/org/apache/catalina/loader/WebappClassLoader.java
===================================================================
--- branches/2.1.x/java/org/apache/catalina/loader/WebappClassLoader.java 2011-05-31
15:47:44 UTC (rev 1730)
+++ branches/2.1.x/java/org/apache/catalina/loader/WebappClassLoader.java 2011-06-06
12:05:32 UTC (rev 1731)
@@ -1417,7 +1417,7 @@
public URL[] getURLs() {
if (repositoryURLs != null) {
- return repositoryURLs;
+ return repositoryURLs.clone();
}
URL[] external = super.getURLs();
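Review bot: The null check at `if (repositoryURLs != null)` and the `return repositoryURLs.clone();` on the next line read the shared field twice without synchronization, so a concurrent writer that clears the field between the two reads would turn the defensive copy into a NullPointerException; whether any code path nulls the field is not visible here, but the same double read recurs in the hunk starting `@@ -1446`. Reading the field once into a local removes the window: `URL[] urls = repositoryURLs; if (urls != null) { return urls.clone(); }`. The shallow `clone()` is sufficient, since `java.net.URL` exposes no public mutators and only the array itself could be rewritten by a caller. A one-line comment would keep the copy from being dropped as a later "optimization", e.g. `// Defensive copy: callers must not be able to alter the loader's repository list.` getURLs() continues past the end of this hunk.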
@@ -1446,7 +1446,7 @@
repositoryURLs = new URL[0];
}
- return repositoryURLs;
+ return repositoryURLs.clone();
}
Modified: branches/2.1.x/webapps/docs/changelog.xml
===================================================================
--- branches/2.1.x/webapps/docs/changelog.xml 2011-05-31 15:47:44 UTC (rev 1730)
+++ branches/2.1.x/webapps/docs/changelog.xml 2011-06-06 12:05:32 UTC (rev 1731)
@@ -19,6 +19,11 @@
<subsection name="Catalina">
<changelog>
<fix>
+ Return a copy of the current URLs for the
<code>WebappClassLoader</code>
+ to prevent modification. This facilitated, although it wasn't the root
+ cause, CVE-2010-1622. (markt)
+ </fix>
+ <fix>
<bug>46982</bug>: Correct reporting of DST offset in access logs.
(markt)
</fix>
</changelog>