File tomcat-9.0-hardening_getResources.patch of Package tomcat.32891
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/loader/WebappClassLoaderBase.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -426,10 +426,15 @@ public abstract class WebappClassLoaderB
// ------------------------------------------------------------- Properties
/**
+ * Unused. Always returns {@code null}.
+ *
* @return associated resources.
+ *
+ * @deprecated This will be removed in Tomcat 10.1.x onwards
*/
+ @Deprecated
public WebResourceRoot getResources() {
- return this.resources;
+ return null;
}
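Review bot: The Javadoc left on the method now contradicts the new body: the added first sentence says "Always returns {@code null}" while the retained `@return associated resources.` still promises the real WebResourceRoot, which is exactly the contract this hardening removes. Change the tag to `@return {@code null}, always; Tomcat internals must not be reachable through a reference to the class loader` so that anyone reading the API does not expect the old behaviour. It would also be worth stating in the Javadoc that callers which still invoke this method will now see a NullPointerException on use, since the changelog asserts the method is unused but external code holding a `WebappClassLoaderBase` reference is not visible from this patch. Note that only the public accessor is neutralised here; the underlying `resources` field presumably remains on the class (not shown in this hunk) and would still be reachable via reflection by code with the necessary permissions, so this closes the accidental-exposure path rather than the reflective one. The whole of `getResources()` is visible in the hunk.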
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -47,6 +47,12 @@
<section name="Tomcat 9.0.36 (markt)">
<subsection name="Catalina">
<changelog>
+ <add>
+ Effectively disable the
+ <code>WebappClassLoaderBase.getResources()</code> method as it is not
+ used and if something accidently exposes the class loader this method
+ can be used to gain access to Tomcat internals. (markt)
+ </add>
<fix>
<bug>63508</bug>: NPE in JNDIRealm when no <code>userRoleAttribute</code>
is given. (fschumacher)