Google Git
Sign in
apache / tomcat / 0f8a19d16d7bb327b54195df6511291b294579fd / . / webapps / docs / changelog.xml
blob: d462487aae71c00043b4cd507867e50407826b84 [file] [log] [blame]
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE document [
<!ENTITY project SYSTEM "project.xml">
<!-- DTD is used to validate changelog structure at build time. BZ 64931. -->
<!ELEMENT document (project?, properties, body)>
<!ATTLIST document url CDATA #REQUIRED>
<!-- body and title are used both in project.xml and in this document -->
<!ELEMENT body ANY>
<!ELEMENT title (#PCDATA)>
<!-- Elements of project.xml -->
<!ELEMENT project (title, logo, body)>
<!ATTLIST project name CDATA #REQUIRED>
<!ATTLIST project href CDATA #REQUIRED>
<!ELEMENT logo (#PCDATA)>
<!ATTLIST logo href CDATA #REQUIRED>
<!ELEMENT menu (item+)>
<!ATTLIST menu name CDATA #REQUIRED>
<!ELEMENT item EMPTY>
<!ATTLIST item name CDATA #REQUIRED>
<!ATTLIST item href CDATA #REQUIRED>
<!-- Elements of this document -->
<!ELEMENT properties (author*, title, no-comments) >
<!ELEMENT author (#PCDATA)>
<!ATTLIST author email CDATA #IMPLIED>
<!ELEMENT no-comments EMPTY>
<!ELEMENT section (subsection)*>
<!ATTLIST section name CDATA #REQUIRED>
<!ATTLIST section rtext CDATA #IMPLIED>
<!ELEMENT subsection (changelog+)>
<!ATTLIST subsection name CDATA #REQUIRED>
<!ELEMENT changelog (add|update|fix|scode|docs|design)*>
<!ELEMENT add ANY>
<!ELEMENT update ANY>
<!ELEMENT fix ANY>
<!ELEMENT scode ANY>
<!ELEMENT docs ANY>
<!ELEMENT design ANY>
<!ELEMENT bug (#PCDATA)>
<!ELEMENT rev (#PCDATA)>
<!ELEMENT pr (#PCDATA)>
<!-- Random HTML markup tags. Add more here as needed. -->
<!ELEMENT a (#PCDATA)>
<!ATTLIST a href CDATA #REQUIRED>
<!ATTLIST a rel CDATA #IMPLIED>
<!ELEMENT b (#PCDATA)>
<!ELEMENT code (#PCDATA)>
<!ELEMENT em (#PCDATA)>
<!ELEMENT strong (#PCDATA)>
<!ELEMENT tt (#PCDATA)>
]>
<?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?>
<document url="changelog.html">
&project;
<properties>
<title>Changelog</title>
<no-comments />
</properties>
<body>
<!--
Subsection ordering:
General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications,
Extras, Tribes, jdbc-pool, Other
Item Ordering:
Fixes having an issue number are sorted by their number, ascending.
There is no ordering by add/update/fix/scode/docs/design.
Other fixed issues are added to the end of the list, chronologically.
They eventually become mixed with the numbered issues (i.e., numbered
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 10.1.0-M4 (markt)" rtext="in development">
<subsection name="WebSocket">
<changelog>
<fix>
Correct a regression in the Java 8 to Java 11 changes made in 10.1.0-M3
that caused all WebSocket end points to fail to register. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 10.1.0-M3 (markt)" rtext="release in progress">
<subsection name="General">
<changelog>
<update>
Update the minimum required Java version to Java 11. (markt)
</update>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<scode>
Incremented the supported Jakarta Servlet version to 6.0 to align with
the current development branch of the Jakarta Servlet specification.
Plans have changed and the next iteration of the Servlet specification
will be 6.0 rather than 5.1. (markt)
</scode>
<fix>
<bug>65411</bug>: Always close the connection when an uncaught
<code>NamingException</code> occurs to avoid connection locking.
Submitted by Ole Ostergaard. (remm)
</fix>
<fix>
<bug>65433</bug>: Correct a regression in the fix for <bug>65397</bug>
where a <code>StringIndexOutOfBoundsException</code> could be triggered
if the canonical path of the target of a symlink was shorter than the
canonical path of the directory in which the symlink had been created.
Patch provided by Cedomir Igaly. (markt)
</fix>
<add>
<bug>65443</bug>: Refactor the <code>CorsFilter</code> to make it easier
to extend. (markt)
</add>
<fix>
To avoid unnecessary cache revalidation, do not add an HTTP
<code>Expires</code> header when setting adding an HTTP header of
<code>CacheControl: private</code>. (markt)
</fix>
<scode>
Refactor JULI's custom <code>LogManager</code>, the
web application class loader implementation, the web resources
implementation, the <code>JreLeakPreventionListener</code>
implementation and the <code>StandardJarScanner</code> implementation to
remove Java 8 specific code now that the minimum Java version has been
increased to 11. (markt)
</scode>
<scode>
Remove all references to the endorsed standards override feature and the
specifying of optional packages (extensions) in the manifest as these
are not supported in Java 11. (markt)
</scode>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
When writing an HTTP/2 response via sendfile (only enabled when
<code>useAsyncIO</code> is true) the connection flow control window was
sometimes ignored leading to various error conditions. sendfile now
checks both the stream and connection flow control windows before
writing. (markt)
</fix>
<add>
Add debug logging for writing an HTTP/2 response via sendfile. (markt)
</add>
<fix>
Correct bugs in the HTTP/2 connection flow control management that meant
it was possible for a connection to stall waiting for a connection flow
control window update that had already arrived. Any streams on that
connection that were trying to write when this happened would time out.
(markt)
</fix>
<fix>
<bug>65448</bug>: When using TLS with NIO, it was possible for a
blocking response write to hang just before the final TLS packet
associated with the response until the connection timed out at which
point the final packet would be sent and the connection closed. (markt)
</fix>
<fix>
<bug>65454</bug>: Fix a race condition that could result in a delay to
a new request. The new request could be queued to wait for an existing
request to finish processing rather than the thread pool creating a new
thread to process the new request. (markt)
</fix>
<fix>
<bug>65460</bug>: Correct a regression introduced in the previous
release in the change to reduce the number of small HTTP/2 window
updates sent for streams. A logic error meant that small window updates
for the connection were dropped. This meant that the connection flow
window slowly reduced over time until nothing could be sent. (markt)
</fix>
<fix>
Remove NIO workarounds and code that is no longer needed with Java 11.
(remm)
</fix>
<scode>
Refactor the endpoints to remove Java 8 specific code now that the
minimum Java version has been increased to 11. (markt)
</scode>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<scode>
Add additional generics to the EL API to align with the latest changes
in the EL specification project. (markt)
</scode>
<add>
Enable EL lambda expressions to be coerced to functional interfaces.
This is an implementation of a proposed extension to the Jakarta
Expression Language specification. (markt)
</add>
<scode>
Refactor the EL API and implementation to remove Java 8 specific code
now that the minimum Java version has been increased to 11. (markt)
</scode>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<scode>
Refactor the WebSocket implementation to remove Java 8 specific code now
that the minimum Java version has been increased to 11. (markt)
</scode>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
<bug>65404</bug>: Correct a regression in the fix for <bug>63362</bug>
that caused the server status page in the Manager web application to be
truncated if HTTP upgrade was used such as when starting a WebSocket
connection. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<add>
Improvements to Chinese translations contributed by ZhangJieWen and
chengzheyan. (markt)
</add>
<add>
Improvements to French translations. (remm)
</add>
<add>
Improvements to Japanese translations contributed by tak7iji. (markt)
</add>
<add>
Improvements to Korean translations. (woonsan)
</add>
<fix>
Use of GraalVM native images no longer automatically disables JMX
support. JMX support may still be disabled by calling
<code>org.apache.tomcat.util.modeler.Registry.disableRegistry()</code>.
(markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 10.1.0-M2 (markt)" rtext="2021-07-02">
<subsection name="Catalina">
<changelog>
<scode>
Refactor the <code>RemoteIpValve</code> to use the common utility method
for list to comma separated string conversion. (markt)
</scode>
<scode>
Refactor <code>JNDIRealm$JNDIConnection</code> so its fields are
accessible to sub-classes of <code>JNDIRealm</code>. (markt)
</scode>
<fix>
Fix serialization warnings in <code>UserDatabasePrincipal</code>
reported by SpotBugs. (markt)
</fix>
<fix>
<bug>65397</bug>: Calls to
<code>ServletContext.getResourcePaths()</code> no longer include
symbolic links in the results unless <code>allowLinking</code> has been
set to <code>true</code>. If a resource is skipped because of this
change, a warning will be logged as this typically indicates a
configuration issue. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>65368</bug>: Improve handling of clean closes of inbound TLS
connections. Treat them the same way as clean closes of non-TLS
connections rather than as unknown errors. (markt)
</fix>
<fix>
Modify the HTTP/2 connector not to sent small updates for stream flow
control windows to the user agent as, depending on how the user agent is
written, this may trigger small writes from the user agent that in turn
trigger the overhead protection. Small updates for stream flow control
windows are now combined with subsequent flow control window updates for
that stream to ensure that all stream flow control window updates sent
from Tomcat are larger than <code>overheadWindowUpdateThreshold</code>.
(markt)
</fix>
<add>
Add additional debug logging to track the current state of the HTTP/2
overhead count that Tomcat uses to detect and close potentially
malicious connections. (markt)
</add>
<update>
Many HTTP/2 requests from browsers will trigger one overhead frame and
one non-overhead frame. Change the overhead calculation so that a
non-overhead frame reduces the current overhead count by 2 rather than
1. This means that, over time, the overhead count for a well-behaved
connection will trend downwards. (markt)
</update>
<update>
Change the initial HTTP/2 overhead count from <code>-10</code> to
<code>-10 * overheadCountFactor</code>. This means that, regardless of
the value chosen for <code>overheadCountFactor</code>, when a connection
opens 10 overhead frames in a row will be required to trigger the
overhead protection. (markt)
</update>
<update>
Increase the default <code>overheadCountFactor</code> from
<code>1</code> to <code>10</code> and change the reduction in overhead
count for a non-overhead frame from <code>-2</code> to <code>-20</code>.
This allows for a larger range (0-20) to be used for
<code>overheadCountFactor</code> providing for finer-grained control.
(markt)
</update>
<fix>
Modify the parsing of HTTP header values that use the
<code>1#token</code> to ignore empty elements as per RFC 7230 section 7
instead of treating the presence of empty elements as an error. (markt)
</fix>
<fix>
Expand the unit tests for <code>HttpServlet.doHead()</code> and correct
the flushing of the response buffer. The buffer used to behave as if it
was one byte smaller than the configured size. The buffer was flushed
(and the response committed if required) when the buffer was full. The
buffer is now flushed (and the response committed if required) if the
buffer is full and there is more data to write. (markt)
</fix>
<fix>
Fix an issue where concurrent HTTP/2 writes (or concurrent reads) to the
same connection could hang and eventually timeout when async IO was
enabled (it is enabled by default). (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>65387</bug>: Correct a regression in the fix for <bug>65124</bug>
and restore the local definition of <code>out</code> for tags that
implement <code>TryCatchFinally</code>. (markt)
</fix>
<fix>
<bug>65390</bug>: Correct a regression in the fix for <bug>65124</bug>
and restore code that was removed in error leading to JSP compilation
failures in some circumstances. (markt)
</fix>
<update>
Update to the Eclipse JDT compiler 4.20. (markt)
</update>
<add>
Add support for specifying Java 17 (with the value <code>17</code>) as
the compiler source and/or compiler target for JSP compilation. If used
with an Eclipse JDT compiler version that does not support these values,
a warning will be logged and the latest supported version will used.
(markt)
</add>
<fix>
<bug>65377</bug>: Update the Java code generation for JSPs not to use
the boxed primitive constructors as they have been deprecated in Java 9
and marked for future removal in Java 16. <code>valueOf()</code> is now
used instead. (markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<scode>
Refactor the <code>DigestAuthenticator</code> to reuse a shared
<code>SecureRandom</code> instance rather than create a new one to
generate the <code>cnonce</code> if required. (markt)
</scode>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
<bug>65385</bug>: Correct the link in the documentation web application
the Maven Central repository. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<add>
Use JSign to integrate the build script with the code signing service to
enable release builds to be created on Linux as well as Windows. (markt)
</add>
<update>
Update the OWB module to Apache OpenWebBeans 2.0.23. (remm)
</update>
<update>
Update the CXF module to Apache CXF 3.4.4. (remm)
</update>
<fix>
<bug>65369</bug> / <pr>422</pr>: Add the additional
<code>--add-opens=...</code> options required for running Tomcat on Java
16 onwards to the <code>service.bat</code> script to align it with the
other start-up scripts. PR provided by MCMicS. (markt)
</fix>
<add>
Improvements to French translations. (remm)
</add>
<add>
Improvements to Korean translations. (woonsan)
</add>
<update>
Update JUnit to version 4.13.2. (markt)
</update>
<update>
Update EasyMock to 4.3. (markt)
</update>
<update>
Update Objenesis to 3.2. (markt)
</update>
<update>
Update UnboundID to 6.0.0. (markt)
</update>
<update>
Update CheckStyle to 8.43. (markt)
</update>
<update>
Update SpotBugs to 4.2.3. (markt)
</update>
<update>
Update OSGi annotations to 1.1.0. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 10.1.0-M1 (markt)" rtext="2021-06-15">
<subsection name="General">
<changelog>
<scode>
This release contains all of the changes up to and including those in
Apache Tomcat 10.0.6 plus the additional changes listed below. (markt)
</scode>
<scode>
Remove code previously marked for removal in Tomcat 10.1.x. (markt)
</scode>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<scode>
Incremented the supported Jakarta Servlet version to 5.1 to align with
the current development branch of the Jakarta Servlet specification.
(markt)
</scode>
<fix>
<bug>65301</bug>: <code>RemoteIpValve</code> will now avoid getting
the local host name when it is not needed. (remm)
</fix>
<fix>
<bug>65308</bug>: NPE in JNDIRealm when no <code>userRoleAttribute</code>
is given. (fschumacher)
</fix>
<add>
<pr>412</pr>: Add commented out, sample users for the Tomcat Manager app
to the default <code>tomcat-users.xml</code> file. Based on a PR by
Arnaud Dagnelies. (markt)
</add>
<add>
<pr>418</pr>: Add a new option, <code>pass-through</code>, to the
default servlet's <code>useBomIfPresent</code> initialization parameter
that causes the default servlet to leave any BOM in place when
processing a static file and not to use the BOM to determine the
encoding of the file. Based on a pull request by Jean-Louis Monteiro.
(markt)
</add>
<fix>
<pr>419</pr>: When processing POST requests of type
<code>multipart/form-data</code> for parts without a filename that are
added to the parameter map in String form, check the size of the part
before attempting conversion to String. Pull request provided by
tianshuang. (markt)
</fix>
<add>
Implement the new <code>Cookie</code> methods
<code>setAttribute()</code>, <code>getAttribute()</code> and
<code>getAttributes()</code> introduced in Servlet 6.0. (markt)
</add>
<fix>
AprLifecycleListener does not show dev version suffix for libtcnative
and libapr. (michaelo)
</fix>
<update>
Refactor principal handling in <code>UserDatabaseRealm</code> using
an inner class that extends <code>GenericPrincipal</code>. (remm)
</update>
<fix>
Enable the default <code>doHead()</code> implementation in
<code>HttpServlet</code> to correctly handle responses where the content
length needs to be represented as a long since it is larger than the
maximum value that can be represented by an int. (markt)
</fix>
<fix>
Avoid synchronization on roles verification for the memory
<code>UserDatabase</code>. (remm)
</fix>
<fix>
Fix the default <code>doHead()</code> implementation in
<code>HttpServlet</code> to correctly handle responses where the Servlet
calls <code>ServletResponse.reset()</code> and/or
<code>ServletResponse.resetBuffer()</code>. (markt)
</fix>
<fix>
Fix the default <code>doHead()</code> implementation in
<code>HttpServlet</code> to correctly handle responses generated using
the Servlet non-blocking API. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>65303</bug>: Fix a possible <code>NullPointerException</code> if
an error occurs on an HTTP/1.1 connection being upgraded to HTTP/2 or on
a pushed HTTP/2 stream. (markt)
</fix>
<update>
Simplify AprEndpoint socket bind for all platforms. (michaelo)
</update>
<fix>
<bug>65340</bug>: Add missing check for a negative return value for
<code>Hpack.decodeInteger</code> in the <code>HpackDecoder</code>,
which could cause a <code>NegativeArraySizeException</code> exception.
Submitted by Thomas, and verified the fix is present in the donated
hpack code in a further update. (remm)
</fix>
<add>
Add debug logging for HTTP/2 HPACK header decoding. (markt)
</add>
<fix>
Correct parsing of HTTP headers consisting of a list of tokens so that a
header with an empty token is treated consistently regardless of whether
the empty token is at the start, middle or end of the list of tokens.
(markt)
</fix>
<fix>
Remove support for the <code>identity</code> transfer encoding. The
inclusion of this encoding in RFC 2616 was an error that was corrected
in 2001. Requests using this transfer encoding will now receive a 501
response. (markt)
</fix>
<fix>
Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
clients. (markt)
</fix>
<fix>
Ensure that if the transfer encoding header contains the
<code>chunked</code>, that the <code>chunked</code> encoding is the
final encoding listed. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<scode>
Incremented the supported Jakarta Expression Language version to 5.0 to
align with the current development branch of the Jakarta Expression
Language specification. (markt)
</scode>
<scode>
Review code used to generate Java source from JSPs and tags and remove
code found to be unnecessary. (markt)
</scode>
<scode>
Refactor use of internal <code>ChildInfo</code> class to use compile
time type checking rather than run time type checking. (markt)
</scode>
<fix>
<bug>65124</bug>: Partial fix. When generating Java source code to call
a tag handler, only define the local variable <code>JspWriter out</code>
when it is going to be used. (markt)
</fix>
<scode>
Add generics to the EL 5.0 API to align with the current EL 5.0
development branch. (markt)
</scode>
<update>
Update the <code>web-fragment.xml</code> included in
<code>jasper.jar</code> and <code>jasper-el.jar</code> to use the
Servlet 5.0 schema. (markt)
</update>
<fix>
Update JspC to generate <code>web.xml</code> and
<code>web-fragment.xml</code> files using Servlet 5.0 schemas. (markt)
</fix>
<scode>
Remove the deprecated method
<code>MethodExpression.getParmetersProvided()</code> from the EL API to
align with the current EL 5.0 development branch. (markt)
</scode>
<fix>
<bug>65358</bug>: Improve expression language method matching for
methods with varargs. Where multiple methods may match the provided
parameters, the method that requires the fewest varargs is preferred.
(markt)
</fix>
<add>
<bug>65332</bug>: Add a commented out section in
<code>catalina.policy</code> that provides the necessary permissions to
compile JSPs with javac when running on Java 9 onwards with a security
manager. It is commented out as it will cause errors if used with
earlier Java versions. (markt)
</add>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>65317</bug>: When using <code>permessage-deflate</code>, the
WebSocket connection was incorrectly closed if the uncompressed payload
size was an exact multiple of 8192. Based on a patch provided by Saksham
Verma. (markt)
</fix>
<update>
Update the <code>web-fragment.xml</code> included in
<code>tomcat-websocket.jar</code> to use the Servlet 5.0 schema. (markt)
</update>
<fix>
<bug>65342</bug>: Correct a regression introduced with the fix for
<bug>65262</bug> that meant Tomcat's WebSocket implementation would only
work with Tomcat's implementation of the Jakarta WebSocket API. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
Improve the description of the <code>maxConnections</code> and
<code>acceptCount</code> attributes in the Connector section of the
documentation web application. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<add>
Improvements to French translations. (remm)
</add>
<add>
Improvements to Korean translations. (woonsan)
</add>
<fix>
<bug>65362</bug>: Correct a regression in the previous release. The
change to create OSGi <code>Require-Capability</code> sections in
manifests for Jakarta API JARs manually rather than with bnd annotations
did not add the necessary manual entries to the embedded JARs. (markt)
</fix>
<update>
Update the packaged version of the Tomcat Native Library to 1.2.30. Also
update the minimum recommended version to 1.2.30. (markt)
</update>
</changelog>
</subsection>
</section>
</body>
</document>