| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <!DOCTYPE document [ |
| <!ENTITY project SYSTEM "project.xml"> |
| |
| <!-- DTD is used to validate changelog structure at build time. BZ 64931. --> |
| |
| <!ELEMENT document (project?, properties, body)> |
| <!ATTLIST document url CDATA #REQUIRED> |
| |
| <!-- body and title are used both in project.xml and in this document --> |
| <!ELEMENT body ANY> |
| <!ELEMENT title (#PCDATA)> |
| |
| <!-- Elements of project.xml --> |
| <!ELEMENT project (title, logo, body)> |
| <!ATTLIST project name CDATA #REQUIRED> |
| <!ATTLIST project href CDATA #REQUIRED> |
| |
| <!ELEMENT logo (#PCDATA)> |
| <!ATTLIST logo href CDATA #REQUIRED> |
| |
| <!ELEMENT menu (item+)> |
| <!ATTLIST menu name CDATA #REQUIRED> |
| |
| <!ELEMENT item EMPTY> |
| <!ATTLIST item name CDATA #REQUIRED> |
| <!ATTLIST item href CDATA #REQUIRED> |
| |
| <!-- Elements of this document --> |
| <!ELEMENT properties (author*, title, no-comments) > |
| <!ELEMENT author (#PCDATA)> |
| <!ATTLIST author email CDATA #IMPLIED> |
| <!ELEMENT no-comments EMPTY> |
| |
| <!ELEMENT section (subsection)*> |
| <!ATTLIST section name CDATA #REQUIRED> |
| <!ATTLIST section rtext CDATA #IMPLIED> |
| |
| <!ELEMENT subsection (changelog+)> |
| <!ATTLIST subsection name CDATA #REQUIRED> |
| |
| <!ELEMENT changelog (add|update|fix|scode|docs|design)*> |
| <!ELEMENT add ANY> |
| <!ELEMENT update ANY> |
| <!ELEMENT fix ANY> |
| <!ELEMENT scode ANY> |
| <!ELEMENT docs ANY> |
| <!ELEMENT design ANY> |
| |
| <!ELEMENT bug (#PCDATA)> |
| <!ELEMENT rev (#PCDATA)> |
| |
| <!-- Random HTML markup tags. Add more here as needed. --> |
| <!ELEMENT a (#PCDATA)> |
| <!ATTLIST a href CDATA #REQUIRED> |
| <!ATTLIST a rel CDATA #IMPLIED> |
| |
| <!ELEMENT b (#PCDATA)> |
| <!ELEMENT code (#PCDATA)> |
| <!ELEMENT em (#PCDATA)> |
| <!ELEMENT strong (#PCDATA)> |
| <!ELEMENT tt (#PCDATA)> |
| ]> |
| <?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?> |
| <document url="changelog.html"> |
| |
| &project; |
| |
| <properties> |
| <title>Changelog</title> |
| <no-comments /> |
| </properties> |
| |
| <body> |
| <!-- |
| Subsection ordering: |
| General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications, |
| Extras, Tribes, jdbc-pool, Other |
| |
| Item Ordering: |
| |
| Fixes having an issue number are sorted by their number, ascending. |
| |
| There is no ordering by add/update/fix/scode/docs/design. |
| |
| Other fixed issues are added to the end of the list, chronologically. |
| They eventually become mixed with the numbered issues (i.e., numbered |
| issues do not "pop up" wrt. others). |
| --> |
| <section name="Tomcat 9.0.44 (markt)" rtext="in development"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Revert an incorrect fix for a potential resource leak that broke |
| deployment via the Ant deploy task. (markt) |
| </fix> |
| <fix> |
| Improve error message for failed ConfigurationSource lookups in the |
| Catalina implementation. (remm) |
| </fix> |
| <fix> |
| <bug>64938</bug>: Align the behaviour when <code>null</code> is passed |
| to the <code>ServletResponse</code> methods |
| <code>setCharacterEncoding()</code>, <code>setContentType()</code> and |
| <code>setLocale()</code> with the recent clarification from the Jakarta |
| Servlet project of the expected behaviour in these cases. (markt) |
| </fix> |
| <fix> |
| <bug>65135</bug>: Rename Context method |
| <code>isParallelAnnotationScanning</code> to |
| <code>getParallelAnnotationScanning</code> for consistency and ease |
| of use in JMX descriptors. (remm) |
| </fix> |
| <fix> |
| Ensure that the <code>AsyncListener.onError()</code> event is triggered |
| when an I/O error occurs during non-blocking I/O. There were some cases |
| discovered where this was not happening. (markt) |
| </fix> |
| <add> |
| Make the non-blocking I/O error handling more robust by handling the |
| case where the application code swallows an <code>IOException</code> in |
| <code>WriteListener.onWritePossible()</code> and |
| <code>ReadListener.onDataAvailable()</code>. (markt) |
| </add> |
| <fix> |
| Correct syntax error in output of <code>JsonErrorReportValve</code>. |
| Pull request provided by Viraj Kanwade. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>65118</bug>: Fix a potential <code>NullPointerException</code> when |
| pruning closed HTTP/2 streams from the connection. (markt) |
| </fix> |
| <fix> |
| Avoid NullPointerException when a secure channel is closed before the |
| SSL engine was initialized. (remm) |
| </fix> |
| <fix> |
| Ensure that the <code>ReadListener</code>'s <code>onError()</code> event |
| is triggered if the client closes the connection before sending the |
| entire request body and the server is reading the request body using |
| non-blocking I/O. (markt) |
| </fix> |
| <fix> |
| <bug>65137</bug>: Ensure that a response is not corrupted as well as |
| incomplete if the connection is closed before the response is fully |
| written due to a write timeout. (markt) |
| </fix> |
| <fix> |
| Related to bug <bug>65131</bug>, make sure all errors from OpenSSL are |
| fully cleared, as there could be more than one error present after |
| an operation (confirmed in the OpenSSL API documentation). (remm) |
| </fix> |
| <fix> |
| Make handling of OpenSSL read errors more robust when plain text data is |
| reported to be available to read. (markt) |
| </fix> |
| <fix> |
| Correct handling of write errors during non-blocking I/O to ensure that |
| the associated <code>AsyncContext</code> was closed down correctly. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Remove the restriction that prevented the Manager web application |
| deploying different web applications in parallel. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 2.0.21. (remm) |
| </update> |
| <update> |
| Update the CXF module to Apache CXF 3.4.2. (remm) |
| </update> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| <add> |
| Improvements to Brazilian Portuguese translations. Provided by Thiago. |
| (mark) |
| </add> |
| <add> |
| Improvements to Russian translations. Provided by Azat. (mark) |
| </add> |
| <add> |
| Improvements to Chinese translations. Provided by shawn. (mark) |
| </add> |
| <update> |
| Update to bnd 5.3.0. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.43 (markt)" rtext="2021-02-02"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>65106</bug>: Fix the ConfigFileLoader handling of file URIs when |
| running under a security manager on some JREs. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that SNI provided host names are matched to SSL virtual host |
| configurations in a case insensitive manner. (markt) |
| </fix> |
| <fix> |
| <bug>65111</bug>: Free direct memory buffers in the APR connector. |
| (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.42 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>60781</bug>: Escape elements in the access log that need to be |
| escaped for the access log to be parsed unambiguously. |
| (fschumacher/markt) |
| </fix> |
| <add> |
| <bug>64110</bug>: Add support for additional TLS related request |
| attributes that provide details of the protocols and ciphers requested |
| by a client in the initial TLS handshake. (markt) |
| </add> |
| <add> |
| Let the <code>RemoteCIDRValve</code> inherit from |
| <code>RequestFilterValve</code> and support all of its features. |
| Especially add support for connector specific configuration |
| using <code>addConnectorPort</code>. (rjung) |
| </add> |
| <add> |
| Add <code>peerAddress</code> to coyote request, which contains |
| the IP address of the direct connection peer. If a reverse proxy |
| sits in front of Tomcat and the protocol used is AJP or HTTP |
| in combination with the <code>RemoteIp(Valve|Filter)</code>, |
| the peer address might differ from the <code>remoteAddress</code>. |
| The latter then contains the address of the client in front of the |
| reverse proxy, not the address of the proxy itself. |
| Support for the peer address has been added to the |
| RemoteAddrValve and RemoteCIDRValve with the new attribute |
| <code>usePeerAddress</code>. This can be used to restrict access |
| to Tomcat based on the reverse proxy IP address, which is especially |
| useful to harden access to AJP connectors. The peer address can also |
| be logged in the access log using the new <code>%{peer}a</code> |
| syntax. (rjung) |
| </add> |
| <fix> |
| Avoid uncaught InaccessibleObjectException on Java 16 trying to clear |
| references threads. (remm) |
| </fix> |
| <fix> |
| <bug>65033</bug>: Fix JNDI realm error handling when connecting to a |
| failed server when pooling was not enabled. (remm) |
| </fix> |
| <fix> |
| <bug>65047</bug>: If the <code>AccessLogValve</code> is unable to open |
| the access log file, include information on the current user in the |
| associated log message. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Additional fix for <bug>64830</bug> to address an edge case that could |
| trigger request corruption with h2c connections. (markt) |
| </fix> |
| <fix> |
| <bug>64974</bug>: Improve handling of pipelined HTTP requests in |
| combination with the Servlet non-blocking IO API. It was possible that |
| some requests could get dropped. (markt) |
| </fix> |
| <add> |
| Add support for using Unix domain sockets for NIO when running |
| on Java 16 or later. This uses NIO specific |
| <code>unixDomainSocketPath</code> and |
| <code>unixDomainSocketPathPermissions</code> attributes. |
| Based on a PR submitted by Graham Leggett. (remm) |
| </add> |
| <fix> |
| <bug>65001</bug>: Fix error handling for exceptions thrown from calls |
| to <code>ReadListener</code> and <code>WriteListener</code>. (markt) |
| </fix> |
| <fix> |
| Avoid possible infinite loop in <code>OpenSSLEngine.unwrap</code> |
| when the destination buffers state is changed concurrently. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Add a new <code>StringInterpreter</code> interface that allows |
| applications to provide customised string attribute value to type |
| conversion within JSPs. This allows applications to provide a conversion |
| implementation that is optimised for the application. (markt) |
| </add> |
| <fix> |
| <bug>64965</bug>: <code>JspContextWrapper.findAttribute</code> should |
| ignore expired sessions rather than throw an |
| <code>IllegalStateException</code>. (remm) |
| </fix> |
| <update> |
| Update to the Eclipse JDT compiler 4.18. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>65007</bug>: Clarify that the commands shown in the TLS |
| documentation for importing a signed TLS certificate from a certificate |
| authority are typical examples that may need to be adjusted in some |
| cases. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Work around DNS caching for the DNS provider of the cloud membership. |
| (jfclere) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improvements to Chinese translations. Provided by leeyazhou and Yi Shen. |
| (markt) |
| </add> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.26. |
| (markt) |
| </update> |
| <add> |
| Update the internal fork of Apache Commons Pool to 2.9.1-SNAPSHOT |
| (2021-01-15). (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons DBCP to 2.9.0-SNAPSHOT |
| (2021-01-15). (markt) |
| </add> |
| <update> |
| Migrate to new code signing service. (markt) |
| </update> |
| <scode> |
| Use <code>java.nio.file.Path</code> to test for one directory being a |
| sub-directory of another in a consistent way. (markt) |
| </scode> |
| <update> |
| Update to Commons Daemon 1.2.4. (markt) |
| </update> |
| <add> |
| Improvements to Brazilian Portuguese translations. Provided by Rual |
| Zaninetti Rosa and Lucas. (markt) |
| </add> |
| <add> |
| Improvements to Russian translations. Provided by Polina and Azat. |
| (markt) |
| </add> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.06.1. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.41 (markt)" rtext="2020-12-08"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>56181</bug>: Update the RemoteIpValve and RemoteIpFilter so that |
| calls to <code>ServletRequest.getRemoteHost()</code> are consistent with |
| the return value of <code>ServletRequest.getRemoteAddr()</code> rather |
| than always returning a value for the proxy. (markt) |
| </fix> |
| <fix> |
| <bug>56890</bug>: Align the behaviour of |
| <code>ServletContext.getRealPath(String path)</code> with the recent |
| clarification from the Servlet specification project. If the path |
| parameter does not start with <code>/</code> then Tomcat processes the |
| call as if <code>/</code> is appended to the beginning of the |
| provided path. (markt) |
| </fix> |
| <add> |
| <bug>64080</bug>: Enhance the graceful shutdown feature. Includes a new |
| option for <code>StandardService</code>, |
| <code>gracefulStopAwaitMillis</code>, that allows a time to be |
| specified to wait for client connections to complete and close before |
| the Container hierarchy is stopped. (markt) |
| </add> |
| <fix> |
| <bug>64921</bug>: Ensure that the <code>LoadBalancerDrainingValve</code> |
| uses the correct setting for the secure attribute for any session |
| cookies it creates. Based on a pull request by Andreas Kurth. (markt) |
| </fix> |
| <fix> |
| <bug>64947</bug>: Don't assume that the <code>Upgrade</code> header has |
| been set on the <code>HttpServletResponse</code> before any call is made |
| to <code>HttpServletRequest.upgrade()</code>. (markt) |
| </fix> |
| <fix> |
| Ensure that values are not duplicated when manipulating the vary header. |
| Based on a pull request by Fredrik Fall. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>64944</bug>: Ensure that the bytesSent metric is correctly updated |
| when compression is enabled. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>64951</bug>: Fix a potential file descriptor leak when WebSocket |
| connections are attempted and fail. Patch provided by Maurizio Adami. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct a regression in the addition of the HTTP header security filter |
| to the examples web application that prevented the Servlet examples that |
| depend on the asynchronous API from functioning correctly. |
| (kkolinko/markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <scode> |
| Start all core threads when starting the receiver and dispatch |
| interceptor. (kfujino) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 2.0.20. (remm) |
| </update> |
| <update> |
| Update the CXF module to Apache CXF 3.4.1. (remm) |
| </update> |
| <add> |
| <bug>64931</bug>: Implement validation of <code>changelog.xml</code> |
| file at build time. (kkolinko) |
| </add> |
| <update> |
| Update to Maven Ant Resolver Tasks 1.3.0. (markt) |
| </update> |
| <fix> |
| <bug>62695</bug>: Provide SHA-256 and SHA-512 checksums for files |
| published via Maven. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.40 (markt)" rtext="2020-11-17"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>55559</bug>: Add a new attribute, <code>localJndiResource</code>, |
| that allows a UserDatabaseRealm to obtain a UserDatabase instance from |
| the local (web application) JNDI context rather than the global JNDI |
| context. This option is only useful when the Realm is defined on the |
| Context. (markt) |
| </fix> |
| <fix> |
| <bug>64805</bug>: Correct imports used by <code>JMXProxyServlet</code>. |
| (markt) |
| </fix> |
| <fix> |
| Fix JNDIRealm pooling problems retrying on another bad connection. Any |
| retries are made on a new connection, just like with the single |
| connection scenario. Also remove all connections from the pool after |
| an error. (remm) |
| </fix> |
| <fix> |
| Remove the entry for <code>org.apache.tomcat.util.descriptor.tld.LocalStrings</code> |
| from tomcat-embed-core's GraalVM tomcat-resource.json. It is no longer part of the jar |
| since <a href="https://github.com/apache/tomcat/commit/3815b4951eb3acd30a0b77aafa75fbdb928d5782"> |
| Fix unwanted JPMS dependency of embed-core on embed-jasper</a>. (mgrigorov) |
| </fix> |
| <fix> |
| Add org.apache.coyote.http11.Http11Nio2Protocol to the list of classes which could be instantiated |
| via reflection in GraalVM. (mgrigorov) |
| </fix> |
| <add> |
| Add <code>JsonErrorReportValve</code> that extends the |
| <code>ErrorReportValve</code> and returns the response as JSON instead of |
| HTML. (kfujino) |
| </add> |
| <add> |
| Add GraalVM config for Tomcat JNI related classes. This makes it |
| possible to use the APR protocol in GraalVM native images. |
| To use it add the following to the native-image arguments: |
| <code>-H:JNIConfigurationResources=META-INF/native-image/org.apache.tomcat.embed/tomcat-embed-core/tomcat-jni.json</code> |
| (mgrigorov) |
| </add> |
| <fix> |
| JNDIRealm connections should only be created with the container |
| classloader as the thread context classloader, just like for the JAAS |
| realm. (remm) |
| </fix> |
| <add> |
| <bug>64871</bug>: Log a warning if Tomcat blocks access to a file |
| because it uses symlinks. (markt) |
| </add> |
| <update> |
| Rename <code>JDBCStore</code> to <code>DataSourceStore</code> |
| and remove bottlenecks for database backed session store. The |
| <code>JDBCStore</code> is deprecated but remains unchanged. Patch |
| submitted by Philippe Mouawad. (remm) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Refactor the HTTP/2 window update handling for padding in data frames to |
| ensure that the connection window is correctly updated after a data |
| frame with zero length padding is received. (markt) |
| </fix> |
| <fix> |
| Fix processing of URIs with %nn encoded solidus characters when |
| <code>encodedSolidusHandling</code> was set to <code>passthrough</code> |
| and the encoded solidus was preceded by other %nn encoded characters. |
| Based on a pull request by willmeck. (markt) |
| </fix> |
| <fix> |
| <bug>63362</bug>: Add collection of statistics for HTTP/2, WebSocket and |
| connections upgraded via the HTTP upgrade mechanism. (markt) |
| </fix> |
| <fix> |
| Restore exception catch around Poller.events, as it would cause |
| the NIO poller thread to exit. This is a regression caused when |
| the Poller.events method was refactored. (remm) |
| </fix> |
| <add> |
| Provide messages for some <code>SocketTimeoutException</code> instances |
| that did not have one. (markt) |
| </add> |
| <fix> |
| Avoid most of the thread pool use during NIO2 socket accept. Patch |
| submitted by Anil Gursel. (remm) |
| </fix> |
| <add> |
| Add additional debug logging for I/O issues when communicating with the |
| user agent. (markt) |
| </add> |
| <fix> |
| <bug>64830</bug>: Fix concurrency issue in HPACK decoder. (markt) |
| </fix> |
| <fix> |
| Fix a concurrency issue in the NIO connector that could cause newly |
| created connections to be removed from the poller. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>64784</bug>: Don't include the time the Java file was generated as |
| a comment when generating Java files for JSPs and/or tags if the Java |
| file was created during pre-compilation. This is to aid repeatable |
| builds. (markt) |
| </fix> |
| <fix> |
| <bug>64794</bug>: Security exception reading system property on |
| JspRuntimeLibrary use. (remm) |
| </fix> |
| <add> |
| Add support for specifying Java 16 (with the value <code>16</code>) as |
| the compiler source and/or compiler target for JSP compilation. If used |
| with an ECJ version that does not support these values, a warning will |
| be logged and the latest supported version will be used. (markt) |
| </add> |
| <update> |
| Update to the Eclipse JDT compiler 4.17. (markt) |
| </update> |
| <fix> |
| <bug>64849</bug>: Correct JPMS metadata for the Jakarta Expression |
| Language JARs to provide missing ServiceLoader information. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>64848</bug>: Fix a variation of this memory leak when a write I/O |
| error occurs on a non-container thread. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>64799</bug>: Added missing resources to host-manager web app. (isapir) |
| </fix> |
| <fix> |
| <bug>64797</bug>: Align manager.xml template file in Host-Manager with |
| context.xml of real Manager web application. (isapir) |
| </fix> |
| <add> |
| Configure the examples web applications to set |
| <code>SameSite=strict</code> for all cookies, including session cookies, |
| created by the application. (markt) |
| </add> |
| <add> |
| Configure the examples, Manager and Host Manager to use the HTTP header |
| security filter with default settings apart from no HSTS header. Based |
| on a suggestion by Debangshu Kundu. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| <add> |
| Improvements to Russian translations. Provided by Azat. (markt) |
| </add> |
| <fix> |
| Align JPMS module names with current Jakarta EE expectations. (markt) |
| </fix> |
| <fix> |
| <bug>64870</bug>: Update to bnd 5.3.0-SNAPSHOT to work around a |
| <a href="https://bugs.openjdk.java.net/browse/JDK-8255854">JRE bug</a>. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.39 (markt)" rtext="2020-10-09"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| The health check valve will now check the state of its associated |
| containers to report availability. (remm) |
| </update> |
| <fix> |
| Fix race condition when saving and recycling session in |
| <code>PersistentValve</code>. (kfujino) |
| </fix> |
| <update> |
| Deprecate the JDBCRealm. (markt) |
| </update> |
| <fix> |
| Correct numerous spellings throughout the code base. Based on a pull |
| request from John Bampton. (markt) |
| </fix> |
| <fix> |
| <bug>64715</bug>: Add PasswordValidationCallback to the JASPIC |
| implementation. Patch provided by Robert Rodewald. (markt) |
| </fix> |
| <update> |
| Allow using the utility executor for annotation scanning. Patch |
| provided by Jatin Kamnani. (remm) |
| </update> |
| <fix> |
| <bug>64751</bug>: Correct the JPMS module descriptor so the embedded |
| JARs may be used with JPMS. (markt) |
| </fix> |
| <fix> |
| When performing an incremental build, ensure bnd does not create |
| unwanted JPMS dependencies between embedded JARs. (markt) |
| </fix> |
| <update> |
| Add a bloom filter to speed up archive lookup and improve deployment |
| speed of applications with a large number of JARs. Patch |
| provided by Jatin Kamnani. (remm) |
| </update> |
| <fix> |
| Throw <code>SQLException</code> instead of |
| <code>NullPointerException</code> when failing to connect to the |
| database. (kfujino) |
| </fix> |
| <fix> |
| <bug>64735</bug>: Ensure that none of the methods on a |
| <code>ServletContext</code> instance always fail when running under a |
| SecurityManager. Pull request provided by Kyle Stiemann. (markt) |
| </fix> |
| <fix> |
| <bug>64765</bug>: Ensure that the number of currently processing threads |
| is tracked correctly when a web application is undeployed, long running |
| requests are being processed and |
| <code>renewThreadsWhenStoppingContext</code> is enabled for the web |
| application. (markt) |
| </fix> |
| <add> |
| Improve the error messages when running under JPMS without the necessary |
| options to enable reflection required by the memory leak prevention / |
| detection code. (markt) |
| </add> |
| <update> |
| Add connection pooling to JNDI realm. (remm) |
| </update> |
| <fix> |
| When estimating the size of a resource in the static resource cache, |
| include a specific allowance for the path to the resource. Based on a |
| pull request by blueSky1825821. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Do not send an HTTP/2 PING frame to measure round-trip time when it is |
| known that the HTTP/2 connection is not in a good state. (markt) |
| </fix> |
| <fix> |
| Ensure HTTP/2 timeouts are processed for idle connections. (markt) |
| </fix> |
| <fix> |
| <bug>64743</bug>: Correct a regression introduced in 9.0.37 that |
| caused a <code>Connection: close</code> header to be added to the |
| response if the Connector was configured with |
| <code>maxSwallowSize=-1</code>. (markt) |
| </fix> |
| <fix> |
| When logging HTTP/2 debug messages, use consistent formatting for stream |
| identifiers. (markt) |
| </fix> |
| <fix> |
| Correct some double counting in the code that tracks the number of |
| in-flight asynchronous requests. The tracking enables Tomcat to shut down |
| gracefully when asynchronous processing is in use. (markt) |
| </fix> |
| <fix> |
| Improve the error handling for the HTTP/2 connection preface when the |
| Connector is configured with <code>useAsyncIO="true"</code>. |
| (markt) |
| </fix> |
| <fix> |
| Refactor the handling of closed HTTP/2 streams to reduce the heap usage |
| associated with used streams and to retain information for more streams |
| in the priority tree. (markt) |
| </fix> |
| <fix> |
| Don't send the Keep-Alive response header if the connection has been |
| explicitly closed. (markt) |
| </fix> |
| <fix> |
| <bug>64710</bug>: Avoid a <code>BufferOverflowException</code> if an |
| HTTP/2 connection is closed while the parser still has a partial HTTP/2 |
| frame in the input buffer. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Use lazy instantiation to improve the performance when working with |
| listeners added to the <code>ELContext</code>. Pull request provided by |
| Thomas Andraschko. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Configure the Manager and Host Manager applications to set |
| <code>SameSite=strict</code> for all cookies, including session cookies, |
| created by the application. (markt) |
| </add> |
| <fix> |
| Update the Manager How-To in the documentation web application to |
| clarify when a user may wish to deploy additional instances of the |
| Manager web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update to Commons Daemon 1.2.3. This adds support to jsvc for |
| <code>--enable-preview</code> and native memory tracking (Procrun |
| already supported these features), adds some additional debug logging and |
| adds a new feature to Procrun that outputs the command to (re-)configure |
| the service with the current settings. (markt) |
| </update> |
| <add> |
| When building, only rebuild JAR files (including OSGi and JPMS metadata) |
| if the contents have changed. (markt) |
| </add> |
| <add> |
| Improvements to Chinese translations. Pull request provided by Yang |
| Yang. (markt) |
| </add> |
| <add> |
| Expand coverage of Russian translations. Pull request provided by |
| Nikolay Gribanov. (markt) |
| </add> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 2.0.18. (remm) |
| </update> |
| <update> |
| Update the CXF module to Apache CXF 3.4.0. (remm) |
| </update> |
| <fix> |
| Fix running service.bat when called from <code>$CATALINA_HOME</code>. |
| (markt) |
| </fix> |
| <fix> |
| Complete the fix for <bug>63815</bug>. Users wishing to use system |
| properties that require quoting with <code>catalina.sh</code> and the |
| <code>debug</code> option must use a JRE that includes the fix for <a |
| href="https://bugs.openjdk.java.net/browse/JDK-8234808">JDK-8234808</a>. |
| (markt) |
| </fix> |
| <add> |
| Improvements to Chinese translations. Provided by leeyazhou. (markt) |
| </add> |
| <add> |
| Improvements to Czech translations. Provided by Dušan Hlaváč and Arnošt |
| Havelka. (markt) |
| </add> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| <add> |
| Improvements to Spanish translations. Provided by Andrewlanecarr. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.38 (markt)" rtext="2020-09-15"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>64582</bug>: Pre-load the <code>CoyoteOutputStream</code> class to |
| prevent a potential exception when running under a security manager. |
| Patch provided by Johnathan Gilday. (markt) |
| </fix> |
| <fix> |
| <bug>64593</bug>: If a request is not matched to a Context, delay |
| issuing the 404 response to give the rewrite valve, if configured, an |
| opportunity to rewrite the request. (remm/markt) |
| </fix> |
| <fix> |
| Change top package name for generated embedded classes to avoid |
| conflict with default host name on case insensitive filesystems. |
| (remm) |
| </fix> |
| <fix> |
| Add missing code generation for remaining digester rules. (remm) |
| </fix> |
| <update> |
| Add a dedicated loader for generated code to avoid dynamic class |
| loading. (remm) |
| </update> |
| <add> |
| Refactor the Default servlet to provide a single method that can be |
| overridden (<code>generateETag()</code>) should a custom entity tag |
| format be required. (markt) |
| </add> |
| <fix> |
| Improve the validation of entity tags provided with conditional |
| requests. Requests with headers that contain invalid entity tags will be |
| rejected with a 400 response code. Improve the matching algorithm used |
| to compare entity tags in conditional requests with the entity tag for |
| the requested resource. Based on a pull request by Sergey Ponomarev. |
| (markt) |
| </fix> |
| <fix> |
| Correct the description of the storage format for salted hashes in the |
| Javadoc for <code>MessageDigestCredentialHandler</code> and refactor the |
| associated code for clarity. |
| Based on a patch provided by Milo van der Zee. (markt) |
| </fix> |
| <fix> |
| Correct the path validation to allow the use of the file system root for |
| the <code>docBase</code> attribute of a <code>Context</code>. Note that |
| such a configuration should be used with caution. (markt) |
| </fix> |
| <add> |
| Added filtering expression for requests that are not supposed to use |
| session in <code>PersistentValve</code>. (kfujino) |
| </add> |
| <fix> |
| Use the correct method to calculate session idle time in |
| <code>PersistentValve</code>. (kfujino) |
| </fix> |
| <fix> |
| Fix path used by the health check valve when it is not associated with |
| a <code>Context</code>. (remm) |
| </fix> |
| <fix> |
| <bug>64712</bug>: The JASPIC authenticator now checks the |
| <code>ServerAuthModule</code> for |
| <code>jakarta.servlet.http.authType</code> and, if present, uses the |
| value provided. Based on a patch by Robert Rodewald. (markt) |
| </fix> |
| <fix> |
| <bug>64713</bug>: The JASPIC authenticator now checks the value of |
| <code>jakarta.servlet.http.registerSession</code> set by the |
| <code>ServerAuthModule</code> when deciding whether or not to register |
| the session. Based on a patch by Robert Rodewald. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>57661</bug>: For requests containing the |
| <code>Expect: 100-continue</code> header, add optional support to delay |
| sending an intermediate 100 status response until the servlet reads the |
| request body, allowing the servlet the opportunity to respond without |
| asking for the request body. Based on a pull request by malaysf. (markt) |
| </add> |
| <fix> |
| Refactor the implementation of |
| <code>ServletInputStream.available()</code> to provide a more accurate |
| return value, particularly when end of stream has been reached. (markt) |
| </fix> |
| <fix> |
| Refactor the stopping of the acceptor to ensure that the acceptor thread |
| stops when a connector is started immediately after it is stopped. |
| (markt) |
| </fix> |
| <fix> |
| <bug>64614</bug>: Improve compatibility with FIPS keystores. When a FIPS |
| keystore is configured and the keystore contains multiple keys, the |
| alias attribute will be ignored and the key used will be implementation |
| dependent. (jfclere) |
| </fix> |
| <fix> |
| <bug>64621</bug>: Improve handling HTTP/2 stream reset frames received |
| from clients. (markt) |
| </fix> |
| <fix> |
| <bug>64660</bug>: Avoid a potential NPE in the AprEndpoint if a socket |
| is closed in one thread at the same time as the poller is processing an |
| event for that socket in another. (markt) |
| </fix> |
| <fix> |
| <bug>64671</bug>: Avoid several potential NPEs introduced in the changes |
| in the previous release to reduce the memory footprint of closed HTTP/2 |
| streams. (markt) |
| </fix> |
| <fix> |
| Refactor the HTTP/2 implementation to more consistently return a stream |
| closed error if errors occur after a stream has been reset by the |
| client. (markt) |
| </fix> |
| <fix> |
| Improve handling of HTTP/2 stream level flow control errors and notify |
| the stream immediately if it is waiting for an allocation when the flow |
| control error occurs. (markt) |
| </fix> |
| <fix> |
| Ensure that window update frames are sent for HTTP/2 connections to |
| account for DATA frames containing padding including when the associated |
| stream has been closed. (markt) |
| </fix> |
| <fix> |
| Ensure that window update frames are sent for HTTP/2 connections and |
| streams to account for DATA frames containing zero-length padding. |
| (markt) |
| </fix> |
| <fix> |
| <bug>64710</bug>: Revert the changes to reduce the memory footprint of |
| closed HTTP/2 streams as they triggered multiple regressions in the form |
| of <code>NullPointerException</code>s. (markt) |
| </fix> |
| <fix> |
| Ensure that the HTTP/2 overhead protection check is performed after |
| each HTTP/2 frame is processed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Requests received via proxies may be marked as using the <code>ws</code> |
| or <code>wss</code> protocol rather than <code>http</code> or |
| <code>https</code>. Ensure that such requests are not rejected. PR |
| provided by Ronny Perinke. (markt) |
| </fix> |
| <fix> |
| <bug>64848</bug>: Fix a potential issue where the write lock for a |
| WebSocket connection may not be released if an exception occurs during |
| the write. (markt) |
| </fix> |
| <add> |
| <bug>64644</bug>: Add support for a read idle timeout and a write idle |
| timeout to the WebSocket session via custom properties in the user |
| properties instance associated with the session. Based on a pull request |
| by sakshamverma. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Remove the localization of the text output of the Manager application |
| list of contexts and the Host Manager application list of hosts so that |
| the output is more consistent. PR provided by Holomark. (markt) |
| </fix> |
| <fix> |
| Clean-up / standardize the XSL files used to generate the documentation. |
| PR provided by John Bampton. (markt) |
| </fix> |
| <fix> |
| <bug>62723</bug>: Clarify the effects of some options for cluster |
| <code>channelSendOptions</code>. Patch provided by Mitch Claborn. |
| (schultz) |
| </fix> |
| <fix> |
| Remove the out of date functional specification section from the |
| documentation web application. (markt) |
| </fix> |
| <fix> |
| Extracted CSS styles from the Manager web application for better code |
| maintenance and replaced the GIF logo with SVG. (isapir) |
| </fix> |
| <add> |
| Add document for <code>PersistentValve</code>. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct a regression in the fix for <bug>64540</bug> and include |
| <code>org.apache.tomcat.util.modeler.modules</code> and |
| <code>org.apache.tomcat.util.net.jsse</code> in the list of exported |
| packages. (markt) |
| </fix> |
| <fix> |
| Remove the local copy of <code>javax.transaction.xa</code> package which |
| is only used during compilation. The package is provided by the JRE from |
| Java 1.4 onwards so the local copy should be unnecessary. (markt) |
| </fix> |
| <add> |
| Improve the quality of the Japanese translations provided with Apache |
| Tomcat. Includes contributions from Yuki Shira. (markt) |
| </add> |
| <fix> |
| <bug>64645</bug>: Use a non-zero exit code if the |
| <code>service.bat</code> does not complete normally. (markt) |
| </fix> |
| <add> |
| Update the internal fork of Apache Commons BCEL to 6.5.0. Code clean-up |
| only. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons Codec to 53c93d0 (2020-08-18, |
| 1.15-SNAPSHOT). Code clean-up. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons FileUpload to c25a4e3 |
| (2020-08-26, 2.0-SNAPSHOT). Code clean-up and RFC 2231 support. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons Pool to 2.8.1. Code clean-up |
| and improved abandoned pool handling. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons DBCP to 6d232e5 (2020-08-11, |
| 2.8.0-SNAPSHOT). Code clean-up and various bug fixes. (markt) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.25. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.37 (markt)" rtext="2020-07-05"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Remove the error message on start if <code>java.io.tmpdir</code> is |
| missing and add an explicit error message on application deployment when |
| the sole feature that depends on it (anti-resource locking) is |
| configured and can't be used. (markt) |
| </add> |
| <update> |
| Implement a significant portion of the TLS environment variables for |
| the rewrite valve. (remm) |
| </update> |
| <fix> |
| <bug>64506</bug>: Correct a potential race condition in the resource |
| cache implementation that could lead to |
| <code>NullPointerException</code>s during class loading. (markt) |
| </fix> |
| <add> |
| Add <code>application/wasm</code> to the media types recognised by |
| Tomcat. Based on a PR by Thiago Henrique Hüpner. (markt) |
| </add> |
| <fix> |
| Fix a bug in <code>HttpServlet</code> so that a <code>405</code> |
| response is returned for an HTTP/2 request if the mapped servlet does |
| implement the requested method rather than the more general |
| <code>400</code> response. (markt) |
| </fix> |
| <add> |
| Add generated classes using Tomcat embedded as an optional replacement |
| for the Catalina configuration files. (remm) |
| </add> |
| <fix> |
| <bug>64541</bug>: Refactor the DTD used to validate |
| <code>mbeans-descriptors.xml</code> files to avoid issues when XML |
| entity expansion is limited or disabled. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Include a <code>Connection: close</code> HTTP header when committing a |
| response and it is known that the <code>maxSwallowSize</code> limit is |
| going to be exceeded. (markt) |
| </add> |
| <fix> |
| <bug>64509</bug>: Correctly parse RFC 2109 version 1 cookies that use a |
| comma as a separator between cookies when using the RFC 6265 cookie |
| processor. Based on a patch by W J Carpenter. (markt) |
| </fix> |
| <fix> |
| Fix the utility code that converted IPv6 addresses to a canonical form |
| to correctly handle input addresses that ended with a pair of colons. |
| Based on a patch by syarramsetty-skyhook. (markt) |
| </fix> |
| <fix> |
| Correctly parse RFC 2109 version 1 cookies that have additional linear |
| white space around cookie attribute names and values when using the RFC |
| 6265 cookie processor. (markt) |
| </fix> |
| <fix> |
| Once an HTTP/2 stream has been closed, ensure that the code that cleans |
| up references that are no longer required is called. (markt) |
| </fix> |
| <fix> |
| Reduce the memory footprint of closed HTTP/2 streams. (markt) |
| </fix> |
| <fix> |
| Ensure that the HTTP/1.1 processor is correctly recycled when a direct |
| connection to h2c is made. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>64560</bug>: Refactor the replication of a changed session ID for a |
| replicated session so that the list of changes associated with the |
| session is not reset when the session ID changes. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>64563</bug>: Add additional validation of payload length for |
| WebSocket messages. (markt) |
| </fix> |
| <fix> |
| Correct the calculation of payload length when four or more bytes are |
| required to represent the payload length. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>64498</bug>: Fix incorrect version format in OSGi manifests. Patch |
| provided by Raymond Augé. (markt) |
| </fix> |
| <fix> |
| <bug>64501</bug>: Refactor the handling of the deprecated |
| <code>LOGGING_CONFIG</code> environment variable to avoid using a POSIX |
| shell feature that is not available by default on Solaris 10. (markt) |
| </fix> |
| <fix> |
| <bug>64513</bug>: Remove bndlib from dependencies as it is not required. |
| Pull request provided by Raymond Augé. (markt) |
| </fix> |
| <fix> |
| <bug>64515</bug>: Bnd files don't need to be filtered (save some work). |
| Pull request provided by Raymond Augé. (markt) |
| </fix> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 2.0.17. (remm) |
| </update> |
| <fix> |
| <bug>64514</bug>: Fixes some missing class dependency issues in bootstrap |
| to address packaging/dependency concerns for JPMS and OSGi. Pull request |
| provided by Raymond Augé. (markt) |
| </fix> |
| <fix> |
| <bug>64521</bug>: Avoid moving i18n translations into classes dir since |
| they are packaged into separate jars. Pull request provided by Raymond |
| Augé. (markt) |
| </fix> |
| <fix> |
| <bug>64522</bug>: Package jars in effective dependency order. Pull |
| request provided by Raymond Augé. (markt) |
| </fix> |
| <fix> |
| Store common build details in a shared build-defaults.bnd. Pull |
| request provided by Raymond Augé. (markt) |
| </fix> |
| <fix> |
| <bug>64532</bug>: Update to bnd 5.1.1. Pull request provided by Raymond |
| Augé. (markt) |
| </fix> |
| <fix> |
| <bug>64540</bug>: Switch from bndwrap task to bnd task, begin generating |
| a better manifest and make sure the resulting jar contents are correct. |
| Pull request provided by Raymond Augé. (markt) |
| </fix> |
| <fix> |
| <bug>64544</bug>: Add built libs to the bnd classpath for introspection. |
| Pull request provided by Raymond Augé. (markt) |
| </fix> |
| <add> |
| Improve the quality and expand the coverage of the French translations |
| provided with Apache Tomcat. (remm) |
| </add> |
| <fix> |
| <bug>64548</bug>: Generate JPMS metadata. (rotty3000) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.36 (markt)" rtext="2020-06-07"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>64432</bug>: Correct a refactoring regression that broke handling |
| of multi-line configuration in the RewriteValve. Patch provided by Jj. |
| (markt) |
| </fix> |
| <fix> |
| Fix use of multiple parameters when defining RewriteMaps. |
| (remm/fschumacher) |
| </fix> |
| <update> |
| Add the special internal rewrite maps for case modification and |
| escaping. (remm/fschumacher) |
| </update> |
| <fix> |
| Correct a regression in an earlier fix that broke the loading of |
| configuration files such as keystores via URIs on Windows. (markt) |
| </fix> |
| <fix> |
| <bug>64470</bug>: The default value of the solidus handling should |
| reflect the associated system property. (remm) |
| </fix> |
| <fix> |
| Implement a few rewrite SSL env that correspond to Servlet request |
| attributes. (remm) |
| </fix> |
| <update> |
| <bug>64442</bug>: Be more flexible with respect to the ordering of |
| groups, roles and users in the <code>tomcat-users.xml</code> file. |
| (fschumacher) |
| </update> |
| <fix> |
| <bug>64493</bug>: Revert possible change of returned protocol |
| attribute value on the <code>Connector</code>. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| Add support for ALPN on recent OpenJDK 8 releases. (remm) |
| </update> |
| <fix> |
| <bug>64467</bug>: Improve performance of closing idle HTTP/2 streams. |
| (markt) |
| </fix> |
| <update> |
| Expose server certificate through the <code>SSLSupport</code> |
| interface. (remm) |
| </update> |
| <add> |
| <bug>64483</bug>: Log a warning if an AJP request is rejected because it |
| contains an unexpected request attribute. (markt) |
| </add> |
| <fix> |
| <bug>64485</bug>: Fix possible resource leak getting last modified from |
| <code>ConfigurationSource.Resource</code>. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>64488</bug>: Ensure that the ImportHandler from the Expression |
| Language API is able to load classes from the Java runtime when running |
| under a SecurityManager. Based on a patch by Volodymyr Siedleck. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Consistently throw a <code>DeploymentException</code> when an invalid |
| endpoint path is specified and catch invalid endpoint paths earlier. |
| (markt) |
| </fix> |
| <add> |
| Include the target URL in the log message when a WebSocket connection |
| fails. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the list of known <code>Charset</code>s in the |
| <code>CharsetCache</code> to include <code>ISO-8859-16</code>, added in |
| OpenJDK 15. (markt) |
| </update> |
| <add> |
| Improve the quality and expand the coverage of the French translations |
| provided with Apache Tomcat. (remm) |
| </add> |
| <add> |
| <bug>64430</bug>: Add support for the <code>CATALINA_OUT_CMD</code> |
| environment variable that defines a command to which captured stdout and |
| stderr will be redirected. Patch provided by Harald Dunkel. (markt) |
| </add> |
| <update> |
| Switch from the unsupported Maven Ant Tasks to the supported Maven |
| Resolver Ant Tasks to upload artifacts to the ASF Maven repository (and |
| from there to Maven Central). (markt) |
| </update> |
| <update> |
| Update dependency on bnd to 5.1.0. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.35 (markt)" rtext="2020-05-11"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Reduce reflection use and remove AJP specific code in the Connector. |
| (remm/markt/fhanik) |
| </fix> |
| <fix> |
| Rework the fix for <bug>64021</bug> to better support web applications |
| that use a custom class loader that loads resources from non-standard |
| locations. (markt) |
| </fix> |
| <update> |
| Remove redundant sole path/URI from error page message on SC_NOT_FOUND. |
| (michaelo) |
| </update> |
| <add> |
| Log a warning if a <code>CredentialHandler</code> instance is added to |
| an instance of the <code>CombinedRealm</code> (or a sub-class) as the |
| <code>CombinedRealm</code> doesn't use a configured |
| <code>CredentialHandler</code> and it is likely that a configuration |
| error has occurred. (markt) |
| </add> |
| <add> |
| Add more descriptive error message in DefaultServlet for SC_NOT_FOUND. |
| (michaelo) |
| </add> |
| <add> |
| <bug>59203</bug>: Before calling <code>Thread.stop()</code> (if |
| configured to do so) on a web application created thread that is not |
| stopped by the web application when the web application is stopped, try |
| interrupting the thread first. Based on a pull request by Govinda |
| Sakhare. (markt) |
| </add> |
| <fix> |
| <bug>64309</bug>: Improve the regular expression used to search for |
| class loader repositories when bootstrapping Tomcat. Pull request |
| provided by Paul Muriel Biya-Bi. (markt) |
| </fix> |
| <fix> |
| <bug>64384</bug>: Fix multipart configuration ignoring some parameters |
| in some cases. (schultz) |
| </fix> |
| <add> |
| <bug>64386</bug>: WebdavServlet does not send "getlastmodified" |
| property for resource collections. (michaelo) |
| </add> |
| <update> |
| Remove reason phrase on WebDAV Multi-Status (207) response. (michaelo) |
| </update> |
| <fix> |
| <bug>64398</bug>: Change default value separator for property |
| replacement to <code>:-</code> due to possible conflicts. The |
| syntax is now <code>${name:-default}</code>. (remm) |
| </fix> |
| <add> |
| Improve validation of storage location when using FileStore. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Move <code>SocketProperties</code> mbean to its own type rather than |
| use a subType to improve robustness with tools. (remm) |
| </fix> |
| <fix> |
| Include the problematic data in the error message when reporting that |
| the provided request line contains an invalid component. (markt) |
| </fix> |
| <fix> |
| Improve the handling of requests that use an expectation. Do not disable |
| keep-alive where the response has a non-2xx status code but the request |
| body has been fully read. (rjung/markt) |
| </fix> |
| <fix> |
| <bug>64403</bug>: Ensure that compressed HTTP/2 responses are not sent |
| with a content length header appropriate for the original, uncompressed |
| response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Remove redundant sole path/URI from error page message on SC_NOT_FOUND. |
| (michaelo) |
| </update> |
| <add> |
| Add more descriptive error message in DefaultServlet for SC_NOT_FOUND. |
| (michaelo) |
| </add> |
| <fix> |
| <bug>64373</bug>: When a tag file is packaged in a WAR and then that WAR |
| is unpacked in <code>/WEB-INF/classes</code> ensure that the tag file |
| can still be found. Patch provided by Karl von Randow. (markt) |
| </fix> |
| <fix> |
| Ensure that the Jasper code that interfaces with the Eclipse Compiler |
| for Java (ECJ) enables Jasper to compile JSPs using ECJ 4.14 onwards |
| when the JSPs have inner classes. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Fix the saving of a Context configuration file via the scripting |
| interface of the Manager web application. (markt) |
| </fix> |
| <add> |
| Add a section to the TLS Connector documentation on different key store |
| types and how to configure them. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update JUnit to version 4.13. (markt) |
| </update> |
| <fix> |
| Add missing entries to test class path in sample NetBeans configuration |
| files. Patch provided by Brian Burch. (markt) |
| </fix> |
| <scode> |
| Refactor to use parameterized <code>Collection</code> constructors where |
| possible. Pull request provided by Lars Grefer. (markt) |
| </scode> |
| <scode> |
| Refactor to use empty arrays with <code>Collections.toArray()</code>. |
| Pull request provided by Lars Grefer. (markt) |
| </scode> |
| <scode> |
| Refactor loops with a condition to exit as soon as the condition is met. |
| Pull request provided by Lars Grefer. (markt) |
| </scode> |
| <scode> |
| Refactor bulk addition to collections to use <code>addAll()</code> |
| rather than a loop. Pull request provided by Lars Grefer. (markt) |
| </scode> |
| <add> |
| Improve the quality and expand the coverage of the French translations |
| provided with Apache Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage of the Chinese translations provided with Apache |
| Tomcat. Contributions provided by winsonzhao, ZhangJieWen and Lee |
| Yazhou. (markt) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.24. |
| (markt) |
| </update> |
| <scode> |
| Refactor to use enhanced for loops where possible. Pull request by Lars |
| Grefer. (markt) |
| </scode> |
| <add> |
| Improve IDE support for IntelliJ IDEA. Patch provided by Lars Grefer. |
| (markt) |
| </add> |
| <add> |
| Improve the quality of the Japanese translations provided with Apache |
| Tomcat. Includes contributions from Yoshy. (markt) |
| </add> |
| <add> |
| Improve the coverage and quality of the Korean translations provided |
| with Apache Tomcat. (woonsan) |
| </add> |
| <update> |
| Update dependency on bnd to 5.0.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.34 (markt)" rtext="2020-04-08"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Ensure all URL patterns provided via web.xml are %nn decoded |
| consistently using the encoding of the web.xml file where specified and |
| UTF-8 where no explicit encoding is specified. (markt) |
| </fix> |
| <update> |
| Allow a comma separated list of class names for the |
| <code>org.apache.tomcat.util.digester.PROPERTY_SOURCE</code> |
| system property. (remm) |
| </update> |
| <fix> |
| <bug>64149</bug>: Avoid NPE when using the access log valve without |
| a pattern. (remm) |
| </fix> |
| <fix> |
| <bug>64226</bug>: Reset timezone after parsing a date since the date |
| format is reused. Test case submitted by Gary Thomas. (remm) |
| </fix> |
| <fix> |
| <bug>64247</bug>: Using a wildcard for <code>jarsToSkip</code> should |
| not override a possibly present <code>jarsToScan</code>. Based on code |
| submitted by Iridias. (remm) |
| </fix> |
| <fix> |
| <bug>64265</bug>: Fix ETag comparison performed by the default servlet. |
| The default servlet always uses weak comparison. (markt) |
| </fix> |
| <fix> |
| Add support for default values when using <code>${...}</code> property |
| replacement in configuration files. Based on a pull request provided by |
| Bernd Bohmann. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| When configuring an HTTP Connector, warn if the encoding specified for |
| <code>URIEncoding</code> is not a superset of US-ASCII as required by |
| RFC7230. (markt) |
| </add> |
| <fix> |
| Avoid always retrieving the NIO poller selection key when processing |
| to reduce sync. (remm) |
| </fix> |
| <fix> |
| <bug>64240</bug>: Ensure that HTTP/0.9 requests that contain additional |
| data on the request line after the URI are treated consistently. Such |
| requests will now always be treated as HTTP/1.1. (markt) |
| </fix> |
| <add> |
| Expose the HTTP/2 connection ID and stream ID to applications via the |
| request attributes <code>org.apache.coyote.connectionID</code> and |
| <code>org.apache.coyote.streamID</code> respectively. (markt) |
| </add> |
| <add> |
| Replace the system property |
| <code>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</code> |
| with the Connector attribute <code>encodedSolidusHandling</code> that |
| adds an additional option to pass the <code>%2f</code> sequence through |
| to the application without decoding it in addition to rejecting such |
| sequences and decoding such sequences. (markt) |
| </add> |
| <add> |
| Expose the associated <code>HttpServletRequest</code> to the |
| <code>CookieProcessor</code> when generating a cookie header so the |
| header can be tailored based on the properties of the request, such as |
| the user agent, if required. Based on a patch by Lazar Kirchev. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Update to the Eclipse JDT compiler 4.15. (markt) |
| </update> |
| <add> |
| Add support for specifying Java 14 (with the value <code>14</code>) and |
| Java 15 (with the value <code>15</code>) as the compiler source and/or |
| compiler target for JSP compilation. If used with an ECJ version that |
| does not support these values, a warning will be logged and the latest |
| supported version will be used. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <scode> |
| Refactor the creation of <code>DeltaRequest</code> objects to make it |
| simpler to use custom implementations. Based on a pull request provided |
| by Thomas Stock. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the documentation web application to remove references to the |
| <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code> system |
| property changing the default for the <code>URIEncoding</code> attribute |
| of the Connector. (markt) |
| </fix> |
| <fix> |
| Correct the documentation web application to remove references to the |
| <code>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</code> |
| system property changing how the sequence <code>%5c</code> is |
| interpreted in a URI. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improve the quality and expand the coverage of the French translations |
| provided with Apache Tomcat. Contribution provided by Tom Bens. (remm) |
| </add> |
| <add> |
| Expand the coverage of the Chinese translations provided with Apache |
| Tomcat. Contribution provided by Lee Yazhou. (markt) |
| </add> |
| <fix> |
| <bug>64270</bug>: Set the documented default umask of <code>0027</code> |
| when using jsvc via <code>daemon.sh</code> and allow the umask used to |
| be configured via the <code>UMASK</code> environment variable as it is |
| when using <code>catalina.sh</code>. (markt) |
| </fix> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 2.0.16. (remm) |
| </update> |
| <update> |
| Update the CXF module to Apache CXF 3.3.6. (remm) |
| </update> |
| <fix> |
| Deprecate the <code>LOGGING_CONFIG</code> environment variable and |
| replace it with the <code>CATALINA_LOGGING_CONFIG</code> environment |
| variable to avoid clashes with other components that use |
| <code>LOGGING_CONFIG</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.33 (markt)" rtext="2020-03-16"> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>64210</bug>: Correct a regression in the improvements to HTTP |
| header validation that caused requests to be incorrectly treated as |
| invalid if a <code>CRLF</code> sequence was split between TCP packets. |
| Improve validation of request lines, including for HTTP/0.9 requests. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>64206</bug>: Correct regression introduced in 9.0.31 that meant |
| that the HTTP port specified when using the Windows Installer was |
| ignored and 8080 was always used. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.32 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Store config compatibility with HostWebXmlCacheCleaner listener. (remm) |
| </fix> |
| <fix> |
| Modify the <code>RewriteValve</code> to use |
| <code>ServletRequest.getServerName()</code> to populate the |
| <code>HTTP_HOST</code> variable rather than extracting it from the |
| <code>Host</code> header as this allows HTTP/2 to be supported. (markt) |
| </fix> |
| <fix> |
| Switch Tomcat embedded to loading MIME type mappings from a property |
| file generated from the default <code>web.xml</code> so the MIME type |
| mappings are consistent regardless of how Tomcat is started. (markt) |
| </fix> |
| <fix> |
| Missing store config attributes for Resources elements. (remm) |
| </fix> |
| <fix> |
| <bug>64153</bug>: Ensure that the parent for the web application class |
| loader is set consistently. (markt) |
| </fix> |
| <fix> |
| <bug>64166</bug>: Ensure that the names returned by |
| <code>HttpServletResponse.getHeaderNames()</code> are unique. (markt) |
| </fix> |
| <scode> |
| Rename <code>org.apache.tomcat.util.digester.Digester$EnvironmentPropertySource</code> |
| to |
| <code>org.apache.tomcat.util.digester.EnvironmentPropertySource</code>. |
| The old class is still available but deprecated. Patch provided by Bernd |
| Bohmann. (markt) |
| </scode> |
| <add> |
| Add new attribute <code>persistAuthentication</code> to both |
| <code>StandardManager</code> and <code>PersistentManager</code> to |
| support authentication persistence. Patch provided by Carsten Klein. |
| (markt) |
| </add> |
| <fix> |
| <bug>64184</bug>: Avoid repeated log messages if a |
| <code>MemoryUserDatabase</code> is configured but the specified |
| configuration file is missing. (markt) |
| </fix> |
| <add> |
| <bug>64189</bug>: Expose the web application version String as a |
| <code>ServletContext</code> attribute named |
| <code>org.apache.catalina.webappVersion</code>. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When the NIO or APR/native connectors were configured with |
| <code>useAsyncIO="true"</code> and a zero length read or write was |
| performed, the read/write would time out rather than return immediately. |
| (markt) |
| </fix> |
| <fix> |
| <bug>64141</bug>: If using a CA certificate, remove a default value |
| for the truststore file when not using a JSSE configuration. (remm) |
| </fix> |
| <fix> |
| Improve robustness of OpenSSLEngine shutdown. Based on code submitted |
| by Manuel Dominguez Sarmiento. (remm) |
| </fix> |
| <fix> |
| Add the TLS request attributes used by IIS to the attributes that an AJP |
| Connector will always accept. (markt) |
| </fix> |
| <fix> |
| A zero length AJP secret will now behave as if it has not been |
| specified. (remm) |
| </fix> |
| <fix> |
| <bug>64188</bug>: If an error occurs while committing or flushing the |
| response when using a multiplexing protocol like HTTP/2 that requires |
| the channel to be closed but not the connection, just close the channel |
| and allow the other channels using the connection to continue. Based on |
| a suggestion from Alejandro Anadon. (markt) |
| </fix> |
| <fix> |
| Correct the semantics of <code>getEnableSessionCreation</code> and |
| <code>setEnableSessionCreation</code> for <code>OpenSSLEngine</code>. |
| Pull request provided by Alexander Scheel. (markt) |
| </fix> |
| <fix> |
| <bug>64192</bug>: Correctly handle case where unread data is returned to |
| the read buffer when the read buffer is non empty. Ensure a gathering |
| TLS read stops once the provided ByteBuffers are full or no more data is |
| available. (markt) |
| </fix> |
| <fix> |
| <bug>64195</bug>: Revert simplification of NIO block read and write, |
| deferred to Tomcat 10. (remm) |
| </fix> |
| <fix> |
| Allow async requests to complete cleanly when the Connector is paused |
| before <code>complete()</code> is called on a container thread. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <scode> |
| Parameterize JSP version and API class names in localization messages to |
| allow simpler re-use between major versions. (markt) |
| </scode> |
| <fix> |
| Ensure that TLD files listed in the <code>jsp-config</code> section of |
| <code>web.xml</code> that are registered in the |
| <code>uriTldResourcePathMap</code> with the URI specified in |
| <code>web.xml</code> are also registered with the URI in the TLD file if |
| it is different. Patch provided by Markus Lottmann. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Fix cloud environment lookup order and add a dedicated |
| <code>DNS_MEMBERSHIP_SERVICE_NAME</code> environment for use with the |
| DNS membership provider. Submitted by Bernd Bohmann. (remm) |
| </fix> |
| <fix> |
| Allow configuring the <code>DNSMembershipProvider</code> using the |
| <code>dns</code> alias. Submitted by Bernd Bohmann. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Add to the documentation for the <code>JmxRemoteLifecycleListener</code> |
| the requirement to use |
| <code>-Dcom.sun.management.jmxremote.registry.ssl=false</code> if TLS is |
| not being used else clients will be unable to connect to the JMX server. |
| (markt) |
| </fix> |
| <add> |
| Expand the documentation for the <code>address</code> attribute of the |
| AJP Connector and document that the AJP Connector also supports the |
| <code>ipv6v6only</code> attribute with the APR/Native implementation. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Expand the coverage of the French translations provided with Apache |
| Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage of the Chinese translations provided with Apache |
| Tomcat. Contribution provided by BoltzmannWxd. (markt) |
| </add> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 2.0.15. (remm) |
| </update> |
| <update> |
| Update the CXF module to Apache CXF 3.3.5. (remm) |
| </update> |
| <add> |
| Expand the coverage of the Korean translations provided with Apache |
| Tomcat. Contributions provided by B. Cansmile Cha. (markt) |
| </add> |
| <add> |
| Expand the coverage of the French translations provided with Apache |
| Tomcat. (remm) |
| </add> |
| <add> |
| <bug>64190</bug>: Add support for specifying milliseconds (using |
| <code>S</code>, <code>SS</code> or <code>SSS</code>) in the timestamp |
| used by JULI's <code>OneLineFormatter</code>. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.31 (markt)" rtext="2020-02-11"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| Do not store username and password as session notes during |
| authentication if they are not needed. (kkolinko) |
| </update> |
| <fix> |
| Avoid useless environment restore when not using GSSCredential |
| in JNDIRealm. (remm) |
| </fix> |
| <fix> |
| <bug>58577</bug>: Respect the argument-count when searching for MBean |
| operations to invoke via the JMXProxyServlet. (schultz) |
| </fix> |
| <update> |
| <bug>63691</bug>: Skip all jar and directory scanning when the wildcard |
| pattern "*" or "*.jar" is set or added to |
| <code>tomcat.util.scan.StandardJarScanFilter.jarsToSkip</code>. (isapir) |
| </update> |
| <fix> |
| <bug>64005</bug>: Correct a regression in the static resource caching |
| changes introduced in 9.0.28. Avoid a <code>NullPointerException</code> |
| when working with the URL provided for the root of a packed WAR. (markt) |
| </fix> |
| <fix> |
| <bug>64006</bug>: Provide default configuration source based on the |
| current directory if none has been set, for full compatibility with |
| existing code. (remm) |
| </fix> |
| <fix> |
| <bug>64008</bug>: Clarify/expand the Javadoc for the |
| <code>Tomcat#addWebapp()</code> and related methods. (markt) |
| </fix> |
| <scode> |
| Deprecate the <code>JmxRemoteLifecycleListener</code> as the features it |
| provides are now available in the remote JMX capability included with |
| the JRE. This listener will be removed in Tomcat 10 and may be removed |
| from Tomcat 9.0.x some time after 2020-12-31. (markt) |
| </scode> |
| <fix> |
| <bug>64011</bug>: <code>JNDIRealm</code> no longer authenticates to LDAP. |
| (michaelo) |
| </fix> |
| <fix> |
| <bug>64021</bug>: Ensure that container provided SCIs are always loaded |
| before application provided SCIs. Note that where both the container and |
| the application provide the same SCI, it is the application provided SCI |
| that will be used. (markt) |
| </fix> |
| <fix> |
| SCI definitions from JARs unpacked into <code>WEB-INF/classes</code> are |
| now handled consistently and will always be found irrespective of |
| whether the web application defines a JAR ordering or not. (markt) |
| </fix> |
| <fix> |
| <bug>64023</bug>: Skip null-valued session attributes when deserializing |
| sessions. (schultz) |
| </fix> |
| <fix> |
| Do not throw a NullPointerException when an MBean or operation cannot |
| be found by the JMXProxyServlet. (schultz) |
| </fix> |
| <update> |
| <bug>64067</bug>: Allow more than one parameter when defining RewriteMaps. |
| (fschumacher) |
| </update> |
| <fix> |
| <bug>64074</bug>: <code>InputStream</code>s for directories obtained |
| from resource URLs now return a directory listing consistent with the |
| behaviour of <code>FileURLConnection</code>. In addition to restoring |
| the behaviour that was lost as a result of the introduction of |
| <code>CachedResourceURLConnection</code>, it expands the feature to |
| include packedWARs and to take account of resource JARs. (markt) |
| </fix> |
| <update> |
| Refactor recycle facade system property into a new connector attribute |
| named <code>discardFacades</code>. (remm) |
| </update> |
| <fix> |
| <bug>64089</bug>: Add <code>${...}</code> property replacement support |
| to XML external entity definitions. (markt) |
| </fix> |
| <scode> |
| Deprecate <code>MappingData.contextPath</code> as it is unused. (markt) |
| </scode> |
| <fix> |
| Fix a problem that meant that remote host, address and port information |
| could be missing in the access log for an HTTP/2 request where the |
| connection was closed unexpectedly. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| Simplify NIO blocking read and write. (remm) |
| </update> |
| <fix> |
| Ensure that Servlet Asynchronous processing timeouts fire when requests |
| are made using HTTP/2. (markt) |
| </fix> |
| <fix> |
| Fix the corruption of the TLS configuration when using the deprecated TLS |
| attributes on the Connector if the configuration has already been set |
| via the new <code>SSLHostConfig</code> and |
| <code>SSLHostConfigCertificate</code> elements. (markt) |
| </fix> |
| <fix> |
| <bug>63966</bug>: Switch the message shown when using HTTP to connect to |
| an HTTPS port from ISO-8859-1 to UTF-8. (markt) |
| </fix> |
| <fix> |
| <bug>64007</bug>: Cancel selection key in poller before wrapper close to |
| avoid possible deadlock. (remm) |
| </fix> |
| <add> |
| Add support for RFC 5915 formatted, unencrypted EC key files when using |
| a JSSE based TLS connector. (markt) |
| </add> |
| <fix> |
| Correct a regression introduced in 9.0.28 that meant invalid tokens in |
| the <code>Transfer-Encoding</code> header were ignored rather than |
| treated as an error. (markt) |
| </fix> |
| <fix> |
| Rename the HTTP Connector attribute <code>rejectIllegalHeaderName</code> |
| to <code>rejectIllegalHeader</code> and expand the underlying |
| implementation to include header values as well as names. (markt) |
| </fix> |
| <update> |
| Disable (comment out in server.xml) the AJP/1.3 connector by default. |
| (markt) |
| </update> |
| <update> |
| Change the default bind address for the AJP/1.3 connector to be the |
| loopback address. (markt) |
| </update> |
| <add> |
| Rename the <code>requiredSecret</code> attribute of the AJP/1.3 |
| Connector to <code>secret</code> and add a new attribute |
| <code>secretRequired</code> that defaults to <code>true</code>. When |
| <code>secretRequired</code> is <code>true</code> the AJP/1.3 Connector |
| will not start unless the <code>secret</code> attribute is configured to |
| a non-null, non-zero length String. (markt) |
| </add> |
| <add> |
| Add a new attribute, <code>allowedRequestAttributesPattern</code>, to |
| the AJP/1.3 Connector. Requests with unrecognised attributes will be |
| blocked with a 403. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Update the performance optimisation for using expressions in tags that |
| depend on uninitialised tag attributes with implied scope to make the |
| performance optimisation aware of the new public class |
| (<code>java.lang.Record</code>) added in Java 14. (markt) |
| </fix> |
| <fix> |
| <bug>64097</bug>: Replace the faulty custom services lookup used for |
| <code>ExpressionFactory</code> implementations with |
| <code>ServiceLoader</code>. (markt) |
| </fix> |
| <add> |
| Add a <code>META-INF/services</code> entry to jasper-el.jar so that the |
| Expression Language implementation can be discovered via the services |
| API. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>64043</bug>: Ensure that session ID changes are replicated during |
| form-authentication. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>64000</bug>: In the examples web application, where a Servlet |
| example includes i18n support, the Locale used should be based on the |
| request locale and not the server locale. (markt) |
| </fix> |
| <add> |
| Add additional information on securing AJP/1.3 Connectors. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>63995</bug>: Ensure statements are closed when a pooled JDBC |
| connection is passivated in Tomcat's fork of Commons DBCP2. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.30 (markt)" rtext="2019-12-12"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>63681</bug>: Introduce RealmBase#authenticate(GSSName, GSSCredential) |
| and friends. (michaelo) |
| </add> |
| <fix> |
| <bug>63964</bug>: Correct a regression in the static resource caching |
| changes introduced in 9.0.28. URLs constructed from URLs obtained from |
| the cache could not be used to access resources. (markt) |
| </fix> |
| <fix> |
| <bug>63970</bug>: Correct a regression in the static resource caching |
| changes introduced in 9.0.28. Connections to URLs obtained for JAR |
| resources could not be cast to <code>JarURLConnection</code>. (markt) |
| </fix> |
| <add> |
| <bug>63937</bug>: Add a new attribute to the standard |
| <code>Authenticator</code> implementations, |
| <code>allowCorsPreflight</code>, that allows the |
| <code>Authenticator</code>s to be configured to allow CORS preflight |
| requests to bypass authentication as required by the CORS specification. |
| (markt) |
| </add> |
| <fix> |
| <bug>63939</bug>: Correct the same origin check in the CORS filter. An |
| origin with an explicit default port is now considered to be the same as |
| an origin without a default port and origins are now compared in a |
| case-sensitive manner as required by the CORS specification. (markt) |
| </fix> |
| <fix> |
| <bug>63981</bug>: Allow multiple calls to |
| <code>Registry.disableRegistry()</code> without the second and |
| subsequent calls triggering the logging of a warning. Based on a patch |
| by Andy Wilkinson. (markt) |
| </fix> |
| <fix> |
| <bug>63982</bug>: CombinedRealm makes assumptions about principal implementation. |
| (michaelo) |
| </fix> |
| <fix> |
| <bug>63983</bug>: Correct a regression in the static resource caching |
| changes introduced in 9.0.28. A large number of file descriptors were |
| opened that could reach the OS limit before being released by GC. |
| (markt) |
| </fix> |
| <update> |
| <bug>63987</bug>: Deprecate <code>Realm.getRoles(Principal)</code>. (michaelo) |
| </update> |
| <scode> |
| Add a unit test for the session <code>FileStore</code> implementation |
| and refactor loops in <code>FileStore</code> to use the ForEach style. |
| Pull request provided by Govinda Sakhare. (markt) |
| </scode> |
| <update> |
| Moved server-side include (SSI) module into a separate JAR library. (schultz) |
| </update> |
| <fix> |
| Refactor FORM authentication to reduce duplicate code and to ensure that |
| the authenticated Principal is not cached in the session when caching is |
| disabled. This is the fix for CVE-2019-17563. (markt/kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix endpoint closeSocket and destroySocket discrepancies, in particular |
| in the APR connector. (remm) |
| </fix> |
| <fix> |
| Harmonize maxConnections default value to 8192 across all connectors. |
| (remm) |
| </fix> |
| <fix> |
| <bug>63931</bug>: Improve timeout handling for asyncIO to ensure that |
| blocking operations see a <code>SocketTimeoutException</code> if one |
| occurs. (remm/markt) |
| </fix> |
| <fix> |
| <bug>63932</bug>: By default, do not compress content that has a strong |
| ETag. This behaviour is configurable for the HTTP/1.1 and HTTP/2 |
| connectors via the new Connector attribute |
| <code>noCompressionStrongETag</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63949</bug>: Fix non blocking write problems with NIO due to the |
| need for a write loop. (remm) |
| </fix> |
| <fix> |
| Simplify regular endpoint writes by removing write(Non)BlockingDirect. |
| All regular writes will now be buffered for a more predictable |
| behavior. (remm) |
| </fix> |
| <fix> |
| Send an exception directly to the completion handler when a timeout |
| exception occurs for the operation, and add a boolean to make sure the |
| completion handler is called only once. (remm/markt) |
| </fix> |
| <add> |
| When reporting / logging invalid HTTP headers encode any non-printing |
| characters using the 0xNN form. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Ensure a couple of very unlikely concurrency issues are avoided when |
| writing WebSocket messages. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Fix the broken re-try link on the error page for the FORM authentication |
| example in the JSP section of the examples web application. (markt) |
| </fix> |
| <add> |
| Improvements to CsrfPreventionFilter: additional logging, allow the |
| CSRF nonce request parameter name to be customized. |
| (schultz) |
| </add> |
| <fix> |
| Correct the documentation for the <code>maxConnections</code> attribute |
| of the <code>Connector</code> in the documentation web application. |
| (markt) |
| </fix> |
| <add> |
| Add the ability to set and display session attributes in the JSP FORM |
| authentication example to demonstrate session persistence across |
| restarts for authenticated sessions. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct the fix for <bug>63815</bug> (quoting the use of |
| <code>CATALINA_OPTS</code> and <code>JAVA_OPTS</code> when used in shell |
| scripts to avoid the expansion of <code>*</code>) as it caused various |
| regressions, particularly with <code>daemon.sh</code>. (markt) |
| </fix> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 2.0.13. (remm) |
| </update> |
| <update> |
| Support Java 11 in Graal Native Images with Graal 19.3+. (remm) |
| </update> |
| <add> |
| Expand the search made by the Windows installer for a suitable Java |
| installation to include the 64-bit JDK registry entries and the |
| <code>JAVA_HOME</code> environment variable. Pull request provided by |
| Alexander Norz. (markt) |
| </add> |
| <add> |
| Expand the coverage of the Korean translations provided with Apache |
| Tomcat. (woonsan) |
| </add> |
| <add> |
| Expand the coverage of the French translations provided with Apache |
| Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage of the Chinese translations provided with Apache |
| Tomcat. Contributions provided by lins and 磊. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons BCEL to ff6941e (2019-12-06, |
| 6.4.2-dev). Code clean-up only. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons Codec to 9637dd4 (2019-12-06, |
| 1.14-SNAPSHOT). Code clean-up and a fix for CODEC-265. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons FileUpload to 2317552 |
| (2019-12-06, 2.0-SNAPSHOT). Refactoring. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons Pool 2 to 6092f92 (2019-12-06, |
| 2.8.0-SNAPSHOT). Clean-up and minor refactoring. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons DBCP 2 to a36390 (2019-12-06, |
| 2.7.1-SNAPSHOT). Minor refactoring. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.29 (markt)" rtext="2019-11-21"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Refactor JMX remote RMI registry creation. This is the fix for |
| CVE-2019-12418. (remm) |
| </fix> |
| <add> |
| Improvement to CsrfPreventionFilter: expose the latest available nonce |
| as a request attribute; expose the expected nonce request parameter |
| name as a context attribute. |
| (schultz) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>63835</bug>: Add support for Keep-Alive response header. (michaelo) |
| </add> |
| <fix> |
| Correct a logic bug in the <code>NioEndpoint</code> timeout handling |
| that meant a write timeout could be handled as a read timeout. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Add a warning regarding potential poor performance of the HTTP and AJP |
| connectors if <code>socket.txBufSize</code> is configured with an |
| explicit value rather than using the JVM default. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Improve OWB module based using custom shade appender. (remm) |
| </fix> |
| <fix> |
| Add security filter in OWB module in addition to the valve for more flexibility. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.28 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Bad paths for URIs can cause exceptions on Windows due to its |
| path separator, so wrap using an IOException. (remm) |
| </fix> |
| <fix> |
| <bug>63832</bug>: Properly mark container as FAILED when a JVM error |
| occurs on stop. (remm) |
| </fix> |
| <add> |
| Add more details on the usage of <code>RewriteMap</code> |
| functionality in the <code>RewriteValve</code>. (fschumacher) |
| </add> |
| <fix> |
| <bug>63836</bug>: Ensure that references to the Host object are cleared |
| once the Host instance is destroyed. (markt) |
| </fix> |
| <fix> |
| Ensure that, when static resource caching is enabled for a web |
| application, all access to static files (including JSP files) goes via |
| the cache so that a consistent view of the static files is seen. Prior |
| to this change it was possible to see an updated last modified time but |
| the content would be that prior to the modification. (markt) |
| </fix> |
| <update> |
| <bug>63905</bug>: Clean up Tomcat CSS. (michaelo) |
| </update> |
| <fix> |
| <bug>63909</bug>: When the <code>ExpiresFilter</code> is used without a |
| default and the response is served by the Default Servlet, ensure that |
| the filter processes the response if the Default Servlet sets a 304 (Not |
| Found) status code. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that <code>ServletRequest.isAsyncStarted()</code> returns |
| <code>false</code> once <code>AsyncContext.complete()</code> or |
| <code>AsyncContext.dispatch()</code> has been called during |
| <code>AsyncListener.onTimeout()</code> or |
| <code>AsyncListener.onError()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63816</bug> and <bug>63817</bug>: Correctly handle I/O errors after |
| asynchronous processing has been started but before the container thread |
| that started asynchronous processing has completed processing the |
| current request/response. (markt) |
| </fix> |
| <fix> |
| <bug>63825</bug>: When processing the <code>Expect</code> and |
| <code>Connection</code> HTTP headers looking for a specific token, be |
| stricter in ensuring that the exact token is present. (markt) |
| </fix> |
| <fix> |
| <bug>63829</bug>: Improve the check of the <code>Content-Encoding</code> |
| header when looking to see if Tomcat is serving pre-compressed content. |
| Ensure that only a full token is matched and that the match is case |
| insensitive. (markt) |
| </fix> |
| <fix> |
| <bug>63864</bug>: Refactor parsing of the <code>transfer-encoding</code> |
| request header to use the shared parsing code and reduce duplication. |
| (markt) |
| </fix> |
| <fix> |
| <bug>63865</bug>: Add <code>Unset</code> option to same-site cookies |
| and pass through <code>None</code> value if set by user. Patch provided |
| by John Kelly. (markt) |
| </fix> |
| <fix> |
| <bug>63879</bug>: Remove stack trace from debug logging on socket |
| wrapper close. (remm) |
| </fix> |
| <update> |
| Add connection tracking on the connector endpoint to remove excessive |
| concurrency in the protocol handler when maintaining an association |
| between the socket wrapper and its current processor. (remm) |
| </update> |
| <fix> |
| <bug>63894</bug>: Ensure that the configured values for |
| <code>certificateVerification</code> and |
| <code>certificateVerificationDepth</code> are correctly passed to the |
| OpenSSL based SSLEngine implementation. (remm/markt) |
| </fix> |
| <fix> |
| Improve cleanup after errors when setting socket options. (remm) |
| </fix> |
| <fix> |
| <bug>63859</bug>: Do not perform a blocking read after a |
| <code>CPING</code> message is received by the AJP connector because, if |
| the JK Connector is configured with |
| <code>ping_mode="I"</code>, the <code>CPING</code> message |
| will not always be followed by the start of a request. (markt) |
| </fix> |
| <fix> |
| Properly calculate all dynamic parts of the ErrorReportValve response |
| on the fly in |
| <code>org.apache.coyote.http2.TestHttp2InitialConnection</code>. |
| (michaelo) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>63897</bug>: Capture the timestamp of a JSP for the purposes of |
| modification tracking before the JSP is compiled to prevent a race |
| condition if the JSP is modified during compilation. Patch provided by |
| Karl von Randow. (markt) |
| </fix> |
| <fix> |
| Fix a race condition that could mean changes to a modified JSP were not |
| visible to end users. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>63913</bug>: Wrap any <code>NullPointerException</code>s thrown by |
| the <code>Inflater</code> or <code>Deflater</code> used by the |
| <code>PerMessageDeflate</code> extension in an <code>IOException</code> |
| so that the error can be caught and handled by the WebSocket error |
| handling mechanism. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the description of the default value for the server attribute in |
| the security How-To. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>63815</bug>: Quote the use of <code>CATALINA_OPTS</code> and |
| <code>JAVA_OPTS</code> when used in shell scripts to avoid the expansion |
| of <code>*</code>. Note that any newlines present in |
| <code>CATALINA_OPTS</code> and/or <code>JAVA_OPTS</code> will no longer be |
| removed. (markt) |
| </fix> |
| <fix> |
| <bug>63826</bug>: Remove <code>commons-daemon-native.tar.gz</code> and |
| <code>tomcat-native.tar.gz</code> from the binary zip distributions for |
| Windows since compiled versions of those components are already |
| included within the zip distributions. (markt) |
| </fix> |
| <fix> |
| <bug>63838</bug>: Suppress reflexive access warnings when running the |
| unit tests on the command line. (markt) |
| </fix> |
| <fix> |
| Add missing charsets from the HPE JVM on HP-UX to pass unit tests in |
| <code>org.apache.tomcat.util.buf.TestCharsetCache</code>. (michaelo) |
| </fix> |
| <update> |
| Update the CXF module to Apache CXF 3.3.4. (remm) |
| </update> |
| <add> |
| Expand the coverage and quality of the French translations provided |
| with Apache Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage and quality of the Japanese translations provided |
| with Apache Tomcat. Patch provided by motohashi.yuki. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Simplified Chinese translations |
| provided with Apache Tomcat. Contributions provided by rpo130, Mason |
| Shen, leeyazhou, winsonzhao, qingshi huang, Lay, Shucheng Hou and |
| Yanming Zhou. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Brazilian Portuguese translations |
| provided with Apache Tomcat. Patch provided by Danielamorais. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.27 (markt)" rtext="2019-10-11"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct a regression introduced in 9.0.25 that prevented configuration |
| files from being loaded from the class path. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Use URL safe base 64 encoding rather than standard base 64 encoding when |
| generating or parsing the <code>HTTP2-Settings</code> header as part of |
| an HTTP upgrade to <code>h2c</code> as required by RFC 7540. (markt) |
| </fix> |
| <fix> |
| <bug>63765</bug>: NIO2 should try to unwrap after TLS handshake to |
| avoid edge cases. (remm) |
| </fix> |
| <fix> |
| <bug>63766</bug>: Ensure Processor objects are recycled when processing |
| an HTTP upgrade connection that terminates before processing switches to |
| the Processor for the upgraded protocol. (markt) |
| </fix> |
| <fix> |
| Fix a memory leak introduced by the HTTP/2 timeout refactoring in 9.0.23 |
| that could occur when HTTP/2 or WebSocket was used. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Update to the Eclipse JDT compiler 4.13. (markt) |
| </update> |
| <fix> |
| Add GraalVM specific ELResolver to avoid BeanInfo use in BeanElResolver |
| if possible, as it needs manual reflection configuration. (remm) |
| </fix> |
| <fix> |
| <bug>63781</bug>: When performing various checks related to the |
| visibility of classes, fields and methods in the EL implementation, also |
| check that the containing module has been exported. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Socket"> |
| <changelog> |
| <fix> |
| <bug>63753</bug>: Ensure that the <code>Host</code> header in a Web |
| Socket HTTP upgrade request only contains a port if a non-default port |
| is being used. (markt) |
| </fix> |
| <fix> |
| When running on Java 9 and above, don't attempt to instantiate WebSocket |
| Endpoints found in modules that are not exported. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <add> |
| Add base GraalVM documentation. (remm) |
| </add> |
| <add> |
| Add Javadoc for the Common Annotations API implementation. (markt) |
| </add> |
| <fix> |
| Correct various typos in the comments, error messages and Javadoc. Patch |
| provided by 康智冬. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| When connections are validated without an explicit validation query, |
| ensure that any transactions opened by the validation process are |
| committed. Patch provided by Pascal Davoust. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <scode> |
| Deprecate <code>org.apache.tomcat.util.compat.TLS</code>. |
| Its functionality was only used for unit tests in |
| <code>org.apache.tomcat.util.net.TesterSupport</code> |
| and has been moved there. (rjung) |
| </scode> |
| <fix> |
| <bug>63759</bug>: When installing Tomcat with the Windows installer, |
| grant sufficient privileges to enable the uninstaller to execute when |
| user account control is active. (markt) |
| </fix> |
| <add> |
| Use a build property to define the minimum supported Java version and |
| use that build property to reduce the number of edits required to update |
| the minimum supported Java version. (markt) |
| </add> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 2.0.12. (remm) |
| </update> |
| <update> |
| Update the CXF module to Apache CXF 3.3.3. (remm) |
| </update> |
| <update> |
| <bug>63767</bug>: Update to Commons Daemon 1.2.2. This corrects a |
| regression in Commons Daemon 1.2.0 and 1.2.1 that caused the Windows |
| Service to crash on start when running on an operating system that had |
| not been fully updated. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.26 (markt)" rtext="2019-09-19"> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Re-tagged to ensure that the source file for the changelog did not |
| contain an XML byte order mark. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.25 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Avoid a possible <code>InvalidPathException</code> when obtaining a URI |
| for a configuration file. (markt) |
| </fix> |
| <fix> |
| <bug>63684</bug>: <code>Wrapper</code> never passed to |
| <code>RealmBase.hasRole()</code> for given security constraints. |
| (michaelo) |
| </fix> |
| <fix> |
| <bug>63740</bug>: Ensure configuration files are loaded correctly when a |
| <code>Host</code> is configured with an <code>xmlBase</code>. Patch |
| provided by uk4sx. (markt) |
| </fix> |
| <fix> |
| Avoid a potential <code>NullPointerException</code> on Service stop if a |
| Service is embedded directly (i.e. with no Server) in an application |
| and JNDI is enabled. Patch provided by S. Ali Tokmen. (markt) |
| </fix> |
| <add> |
| Add a new <code>PropertySource</code> implementation, |
| <code>EnvironmentPropertySource</code>, that can be used to do property |
| replacement in configuration files with environment variables. Based on |
| a pull request provided by Thomas Meyer. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>63682</bug>: Fix a potential hang when using the asynchronous |
| Servlet API to write the response body and the stream and/or connection |
| window reaches 0 bytes in size. (markt) |
| </fix> |
| <fix> |
| <bug>63690</bug>: Use the average of the current and previous sizes when |
| calculating overhead for HTTP/2 <code>DATA</code> and |
| <code>WINDOW_UPDATE</code> frames to avoid false positives as a result |
| of client side buffering behaviour that causes a small percentage of |
| non-final DATA frames to be smaller than expected. (markt) |
| </fix> |
| <fix> |
| <bug>63706</bug>: Avoid NPE accessing https port with plaintext. (remm) |
| </fix> |
| <fix> |
| Correct typos in the names of the configuration attributes |
| <code>overheadDataThreshold</code> and |
| <code>overheadWindowUpdateThreshold</code>. (markt) |
| </fix> |
| <fix> |
| If the HTTP/2 connection requires an initial window size larger than the |
| default, send a WINDOW_UPDATE to increase the flow control window for the |
| connection so that the initial size of the flow control window for the |
| connection is consistent with the increased value. (markt) |
| </fix> |
| <fix> |
| <bug>63710</bug>: When using HTTP/2, ensure that a |
| <code>content-length</code> header is not set for those responses with |
| status codes that do not permit one. (markt) |
| </fix> |
| <fix> |
| <bug>63737</bug>: Correct various issues when parsing the |
| <code>accept-encoding</code> header to determine if gzip encoding is |
| supported including only parsing the first header found. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>63724</bug>: Correct a regression introduced in 9.0.21 that broke |
| compilation of JSPs in some configurations. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the source code links on the index page for the ROOT web |
| application to point to Git rather than Subversion. (markt) |
| </fix> |
| <fix> |
| Fix various issues with the Javadoc generated for the documentation web |
| application to enable release builds to be built with Java 10 onwards. |
| (markt) |
| </fix> |
| <fix> |
| <bug>63733</bug>: Remove the documentation for the "Additional |
| Components" since they have been removed / merged into the core |
| Tomcat distribution for 9.0.5 onwards. (markt) |
| </fix> |
| <fix> |
| <bug>63739</bug>: Correct the invalid <code>Automatic-Module-Name</code> |
| manifest entries for the Tomcat provided JARs included in the Tomcat |
| embedded distribution. (markt) |
| </fix> |
| <fix> |
| Fix a large number of Javadoc and documentation typos. Patch provided by |
| KangZhiDong. (markt) |
| </fix> |
| <fix> |
| Spelling and formatting corrections for the cluster how-to. Pull request |
| provided by Bill Mitchell. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Expand the coverage and quality of the French translations provided |
| with Apache Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage and quality of the Simplified Chinese translations |
| provided with Apache Tomcat. Includes contributions by leeyazhou and |
| 康智冬. (markt) |
| </add> |
| <fix> |
| <bug>62140</bug>: Additional usage documentation in comments for |
| <code>catalina.[bat|sh]</code>. (markt) |
| </fix> |
| <fix> |
| Fix <code>JSSE_OPTS</code> quoting in <code>catalina.bat</code>. |
| Contributed by Peter Uhnak. (fschumacher) |
| </fix> |
| <update> |
| <bug>63625</bug>: Update to Commons Daemon 1.2.1. This corrects several |
| regressions in Commons Daemon 1.2.1, most notably the Windows Service |
| crashing on start when using 32-bit JVMs. (markt) |
| </update> |
| <fix> |
| <bug>63689</bug>: Correct a regression in the fix for <bug>63285</bug> |
| that meant that when installing a service, the service display name was |
| not set. (markt) |
| </fix> |
| <fix> |
| When performing a silent install with the Windows Installer, ensure that |
| the registry entries are added to the 64-bit registry when using a |
| 64-bit JVM. (markt) |
| </fix> |
| <fix> |
| Remove unused i18n messages and associated translations. Patch provided |
| by KangZhiDong. (markt) |
| </fix> |
| <add> |
| Expand the coverage and quality of the Korean translations provided |
| with Apache Tomcat. (woonsan) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.24 (markt)" rtext="2019-08-17"> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Remove the code in the sendfile poller that ensured smaller pollsets |
| were used with older, no longer supported versions of Windows that |
| could not support larger pollsets. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.23 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>57665</bug>: Add support for the <code>X-Forwarded-Host</code> |
| header to the <code>RemoteIpFilter</code> and <code>RemoteIpValve</code>. |
| (markt) |
| </add> |
| <add> |
| <bug>62496</bug>: Add option to write auth information (remote user/auth type) |
| to response headers. (michaelo) |
| </add> |
| <fix> |
| <bug>63550</bug>: Only try the <code>alternateURL</code> in the |
| <code>JNDIRealm</code> if one has been specified. (markt) |
| </fix> |
| <add> |
| <bug>63556</bug>: Mark request as forwarded in RemoteIpValve and |
| RemoteIpFilter (michaelo) |
| </add> |
| <fix> |
| <bug>63579</bug>: Correct parsing of malformed OPTIONS requests and |
| reject them with a 400 response rather than triggering an internal error |
| that results in a 500 response. (markt) |
| </fix> |
| <fix> |
| <bug>63608</bug>: Align the implementation of the negative match feature |
| for patterns used with the <code>RewriteValve</code> with the |
| description in the documentation. (markt) |
| </fix> |
| <update> |
| <bug>63627</bug>: Implement more fine-grained handling in |
| <code>RealmBase.authenticate(GSSContext, boolean)</code>. (michaelo) |
| </update> |
| <fix> |
| If an unhandled exception occurs on an asynchronous thread started via |
| <code>AsyncContext.start(Runnable)</code>, process it using the standard |
| error page mechanism. (markt) |
| </fix> |
| <fix> |
| Discard large byte buffers allocated using setBufferSize when recycling |
| the request. (remm) |
| </fix> |
| <fix> |
| Avoid a <code>NullPointerException</code> in the |
| <code>CrawlerSessionManagerValve</code> if no ROOT Context is deployed |
| and a request does not map to any of the other deployed Contexts. Patch |
| provided by Jop Zinkweg. (markt) |
| </fix> |
| <fix> |
| <bug>63636</bug>: <code>Context.findRoleMapping()</code> never called |
| in <code>StandardWrapper.findSecurityReference()</code>. (michaelo) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Refactor the APR poller to always use a single pollset now that the |
| Windows operating systems that required multiple smaller pollsets to be |
| used are no longer supported. (markt) |
| </scode> |
| <fix> |
| <bug>63524</bug>: Improve the handling of PEM file based keys and |
| certificates that do not include a full certificate chain when |
| configuring the internal, in-memory key store. Improve the handling of |
| PKCS#1 formatted private keys when configuring the internal, in-memory |
| key store. (markt) |
| </fix> |
| <update> |
| Add callback when finishing the set properties rule in the digester. |
| (remm) |
| </update> |
| <fix> |
| <bug>63568</bug>: Avoid error when trying to set tcpNoDelay on socket |
| types that do not support it, which can occur when using the NIO |
| inherited channel capability. Submitted by František Kučera. (remm) |
| </fix> |
| <fix> |
| <bug>63570</bug>: Fix regression retrieving local address with |
| the NIO connector. Submitted by Aditya Kadakia. (remm) |
| </fix> |
| <fix> |
| Correct parsing of invalid host names that contain bytes in the range |
| 128 to 255 and reject them with a 400 response rather than triggering an |
| internal error that results in a 500 response. (markt) |
| </fix> |
| <fix> |
| <bug>63571</bug>: Allow users to configure infinite TLS session caches |
| and/or timeouts. (markt) |
| </fix> |
| <fix> |
| <bug>63578</bug>: Improve handling of invalid requests so that 400 |
| responses are returned to the client rather than 500 responses. (markt) |
| </fix> |
| <fix> |
| Fix h2spec test suite failure. It is an error if a Huffman encoded |
| string literal contains the EOS symbol. (jfclere) |
| </fix> |
| <add> |
| Connections that fail the TLS handshake will now appear in the access |
| logs with a 400 status code. (markt) |
| </add> |
| <fix> |
| Timeouts for HTTP/2 connections were not always correctly handled |
| leaving some connections open for longer than expected. (markt) |
| </fix> |
| <fix> |
| <bug>63650</bug>: Refactor initialisation for JSSE based TLS connectors |
| to enable custom JSSE providers that provide custom cipher suites to be |
| used. (markt) |
| </fix> |
| <add> |
| Expand the HTTP/2 excessive overhead protection to cover various forms |
| of abusive client behaviour and close the connection if any such |
| behaviour is detected. (markt) |
| </add> |
| <fix> |
| Fix a crash on shutdown with the APR/native connector when a blocking |
| I/O operation was still in progress when the connector stopped. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Avoid failing Kubernetes membership (and preventing startup) if the |
| stream cannot be opened, to get the same behavior as the DNS based |
| membership. The namespace is still a failure on startup but it is easy |
| to provide. (remm) |
| </fix> |
| <fix> |
| Avoid non-fatal NPEs with Tribes when JMX is not available. (remm) |
| </fix> |
| <fix> |
| Make Kube environment optional for Kube memberships, for easier testing |
| and Graal training. A warn log will occur if the environment is not |
| present. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>63597</bug>: Update the custom 404 error page for the Host Manager |
| to take account of previous refactoring so that the page is used for |
| 404 errors rather than falling back to the default error page. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| JNDI support for GraalVM native images. (remm) |
| </fix> |
| <fix> |
| JSP runtime library support for GraalVM native images. (remm) |
| </fix> |
| <fix> |
| java.util.logging configuration for GraalVM native images. (remm) |
| </fix> |
| <update> |
| Update Checkstyle to 8.22. (markt) |
| </update> |
| <fix> |
| <bug>55969</bug>: Tighten up the security of the Apache Tomcat |
| installation created by the Windows installer. Change the default |
| shutdown port used by the Windows installer from <code>8005</code> to |
| <code>-1</code> (disabled). Limit access to the chosen installation |
| directory to local administrators, Local System and Local Service. |
| (markt) |
| </fix> |
| <update> |
| <bug>62696</bug>: The digital signature for the Windows installer now |
| uses SHA-256 for hashes. (markt) |
| </update> |
| <add> |
| <bug>63285</bug>: Add an option to <code>service.bat</code> so that when |
| installing a Windows service, the name of the executables used by the |
| Windows service may be changed to match the service name. This |
| makes the installation behaviour consistent with the Windows installer. |
| The original executable names will be restored when the Windows service |
| is removed. The renaming can be enabled by using the new |
| <code>--rename</code> option after the service name. (markt) |
| </add> |
| <update> |
| <bug>63310</bug>: Update to Commons Daemon 1.2.0. This provides improved |
| support for Java 11. This also changes the user configured by the |
| Windows installer for the Windows service from <code>Local System</code> |
| to the lower privileged <code>Local Service</code>. (markt) |
| </update> |
| <add> |
| Expand the coverage and quality of the French translations provided |
| with Apache Tomcat. (remm) |
| </add> |
| <fix> |
| <bug>63555</bug>: Add <code>Automatic-Module-Name</code> entries for |
| each of the Tomcat provided JARs included in the Tomcat embedded |
| distribution. (markt) |
| </fix> |
| <fix> |
| <bug>63567</bug>: Restore the passing of <code>$LOGGING_MANAGER</code> |
| to the jvm in <code>catalina.sh</code> when calling <code>stop</code>. |
| (markt) |
| </fix> |
| <fix> |
| Correct broken OSGi data in JAR file manifests. (markt) |
| </fix> |
| <fix> |
| Add "embed" to the <code>Bundle-Name</code> and |
| <code>Bundle-Symbolic-Name</code> for the Tomcat embedded WebSocket JAR |
| to align the naming with the other embedded JARs and to differentiate it |
| from the standard WebSocket JAR that does not include the API classes. |
| (markt) |
| </fix> |
| <update> |
| Update dependency on bnd to 4.2.0. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to 3ebef4a (2018-08-01) to |
| pick up the fix for CODEC-134. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Pool2 to 796e32d (2018-08-01) to |
| pick up the changes in Commons Pool2 2.7.0. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP2 to 87d9e3a (2018-08-01) to |
| pick up the changes in Commons DBCP2 2.7.0 and DBCP-555. (markt) |
| </update> |
| <update> |
| <bug>63648</bug>: Update the test TLS keys and certificates used in the |
| test suite to replace the keys and certificates that are about to |
| expire. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.22 (markt)" rtext="2019-07-09"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Improve parsing of Range request headers. (markt) |
| </fix> |
| <fix> |
| Range headers that specify a range unit Tomcat does not recognise should |
| be ignored rather than triggering a 416 response. Based on a pull |
| request by zhanhb. (markt) |
| </fix> |
| <fix> |
| When comparing a date from a <code>If-Range</code> header, an exact |
| match is required. Based on a pull request by zhanhb. (markt) |
| </fix> |
| <fix> |
| Add an option to the default servlet to disable processing of PUT |
| requests with Content-Range headers as partial PUTs. The default |
| behaviour (processing as partial PUT) is unchanged. Based on a pull |
| request by zhanhb. (markt) |
| </fix> |
| <fix> |
| Improve parsing of Content-Range headers. (markt) |
| </fix> |
| <update> |
| Update the recommended minimum Tomcat Native version to 1.2.23. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Remove a source of potential deadlocks when using HTTP/2 when the |
| Connector is configured with <code>useAsyncIO</code> as |
| <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63523</bug>: Restore SSLUtilBase methods as protected to preserve |
| compatibility. (remm) |
| </fix> |
| <fix> |
| Fix typo in UTF-32LE charset name. Patch by zhanhb via GitHub. |
| (fschumacher) |
| </fix> |
| <fix> |
| Once a URI is identified as invalid don't attempt to process it further. |
| Based on a PR by Alex Repert. (markt) |
| </fix> |
| <fix> |
| Fix to avoid the possibility of long poll times for individual pollers |
| when using multiple pollers with APR. (markt) |
| </fix> |
| <fix> |
| Refactor the fix for <bug>63205</bug> so it only applies when using |
| PKCS12 keystores as regressions have been reported with some other |
| keystore types. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Include file names if SMAP processor is unable to delete or rename a |
| class file during SMAP generation. (markt) |
| </add> |
| <update> |
| Update to the Eclipse JDT compiler 4.12. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>63521</bug>: As required by the WebSocket specification, if a POJO |
| that is deployed as a result of the SCI scan for annotated POJOs is |
| subsequently deployed via the programmatic API, ignore the programmatic |
| deployment. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Switch the check for terminal availability to test for stdin as using |
| stdout does not work when output is piped to another process. Patch |
| provided by Radosław Józwik. (markt) |
| </fix> |
| <add> |
| Add user buildable optional modules for easier CDI 2 and JAX-RS |
| support. Also include a new documentation page describing how |
| to use it. (remm) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.21 (markt)" rtext="2019-06-07"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>57287</bug>: Add file sorting to DefaultServlet (schultz) |
| </add> |
| <fix> |
| Fix <code>--no-jmx</code> flag processing, which was called after |
| registry initialization. (remm) |
| </fix> |
| <fix> |
| Ensure that a default request character encoding set on a |
| <code>ServletContext</code> is used when calling |
| <code>ServletRequest#getReader()</code>. (markt) |
| </fix> |
| <fix> |
| Make a best efforts attempt to clean-up if a request fails during |
| processing due to an <code>OutOfMemoryException</code>. (markt) |
| </fix> |
| <fix> |
| Improve the BoM detection for static files handled by the default |
| servlet for the rarely used UTF-32 encodings. Identified by Coverity |
| Scan. (markt) |
| </fix> |
| <fix> |
| Ensure that the default servlet reads the entire global XSLT file if |
| one is defined. Identified by Coverity Scan. (markt) |
| </fix> |
| <fix> |
| Avoid potential <code>NullPointerException</code> when generating an |
| HTTP <code>Allow</code> header. Identified by Coverity Scan. (markt) |
| </fix> |
| <scode> |
| Add <code>Context.createInstanceManager()</code> for easier framework |
| integration. (remm) |
| </scode> |
| <scode> |
| Add utility <code>org.apache.catalina.core.FrameworkListener</code> to |
| allow replicating adding a Listener to context.xml in a programmatic |
| way. (remm) |
| </scode> |
| <scode> |
| Move <code>Container.ADD_CHILD_EVENT</code> to before the child |
| container start, and <code>Container.REMOVE_CHILD_EVENT</code> to |
| before removal of the child from the internal child collection. |
| (remm) |
| </scode> |
| <add> |
| Remove any fragment included in the target path used to obtain a |
| <code>RequestDispatcher</code>. The requested target path is logged as a |
| warning since this is an application error. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| NIO poller seems to create some unwanted concurrency, causing rare |
| CI test failures. Add sync when processing async operation to avoid |
| this. (remm) |
| </fix> |
| <fix> |
| Fix concurrency issue that led to incorrect HTTP/2 connection timeout. |
| (remm/markt) |
| </fix> |
| <fix> |
| Avoid useless exception wrapping in async IO. (remm) |
| </fix> |
| <fix> |
| <bug>63412</bug>: Security manager failure when using the async IO |
| API from a webapp. (remm) |
| </fix> |
| <fix> |
| Remove <code>acceptorThreadCount</code> Connector attribute, |
| one accept thread is sufficient. As documented, value <code>2</code> |
| was the only other sensible value, but without any impact beyond |
| certain microbenchmarks. (remm) |
| </fix> |
| <fix> |
| Avoid possible NPEs on connector stop. (remm) |
| </fix> |
| <update> |
| Remove <code>pollerThreadCount</code> Connector attribute for NIO, |
| one poller thread is sufficient. (remm) |
| </update> |
| <add> |
| Add async IO for APR connector for consistency, but disable it by |
| default due to low performance. (remm) |
| </add> |
| <fix> |
| Avoid blocking write of internal buffer when using async IO. (remm) |
| </fix> |
| <scode> |
| Refactor async IO implementation to the <code>SocketWrapperBase</code>. |
| (remm) |
| </scode> |
| <update> |
| Refactor <code>SocketWrapperBase</code> close using an atomic boolean |
| and a <code>doClose</code> method that subclasses will implement, with |
| a guarantee that it will be run only once. (remm) |
| </update> |
| <fix> |
| Decouple the socket wrapper, which is not recycled, from the NIOx |
| channel after close, and replace it with a dummy static object. (remm) |
| </fix> |
| <fix> |
| Clear buffers on socket wrapper close. (remm) |
| </fix> |
| <fix> |
| NIO2 failed to properly close sockets on connector stop. (remm) |
| </fix> |
| <update> |
| Reduce the default for <code>maxConcurrentStreams</code> on the |
| <code>Http2Protocol</code> from 200 to 100 to align with typical |
| defaults for HTTP/2 implementations. (markt) |
| </update> |
| <update> |
| Reduce the default HTTP/2 header list size from 4GB to 32kB to align |
| with typical HTTP/2 implementations. (markt) |
| </update> |
| <add> |
| Add support for same-site cookie attribute. Patch provided by John |
| Kelly. (markt) |
| </add> |
| <fix> |
| Drop legacy NIO double socket close (close channel, then close |
| socket). (remm) |
| </fix> |
| <fix> |
| Fix HTTP/2 end of stream concurrency with async. (remm) |
| </fix> |
| <fix> |
| Correct a bug in the stream flushing code that could lead to multiple |
| threads processing the stream concurrently which in turn could cause |
| errors processing the stream. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>62841</bug>: Refactor the <code>DeltaRequest</code> serialization |
| to reduce the window during which the <code>DeltaSession</code> is |
| locked and to remove a potential cause of deadlocks during |
| serialization. (markt) |
| </fix> |
| <fix> |
| <bug>63441</bug>: Further streamline the processing of session creation |
| messages in the <code>DeltaManager</code> to reduce the possibility of a |
| session update message being processed before the session has been |
| created. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Fix timeout logic for async non-blocking writes. Identified by |
| Coverity Scan. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Expand the explanation of how deprecated TLS configuration attributes |
| are converted to the new TLS configuration style. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Treat <code>NoRouteToHostException</code> the same way as |
| <code>SocketTimeoutException</code> when checking the health of group |
| members. This avoids a SEVERE log message every time the check is |
| performed when the host associated with a group member is not powered |
| on. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Switch from FindBugs to SpotBugs. (fschumacher) |
| </update> |
| <update> |
| Start Graal native image compatibility, using the tomcat-maven |
| packaging. (remm) |
| </update> |
| <fix> |
| <bug>63403</bug>: Fix TestHttp2InitialConnection test failures when |
| running with a non-English locale. (kkolinko) |
| </fix> |
| <fix> |
| Add Graal JreCompat, and use it to disable JMX and URL stream handlers. |
| (remm) |
| </fix> |
| <add> |
| Expand the coverage and quality of the Czech translations provided |
| with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the German translations provided |
| with Apache Tomcat. Includes contributions by Niklasmerz, dusiema and |
| Jens. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the French translations provided |
| with Apache Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage and quality of the Simplified Chinese translations |
| provided with Apache Tomcat. Includes contributions by 諵. (markt) |
| </add> |
| <fix> |
| Use the <code>test</code> command to check for terminal availability |
| rather than the <code>tty</code> command since the <code>tty</code> |
| based test fails on non-English locales. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.20 (markt)" rtext="2019-05-13"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Fix some edge cases where the docBase was not being set using a canonical |
| path which in turn meant resource URLs were not being constructed as |
| expected. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak when executing CGI scripts from a WAR |
| file. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential concurrency issue in the StringCache identified by |
| Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential concurrency issue in the main Sendfile thread of the APR |
| connector. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak when running a web application from a WAR |
| file. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak on some exception paths in the |
| <code>DataSourceRealm</code>. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak on an exception path when parsing JSP |
| files. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak when a JNDI lookup returns an object of an |
| incompatible class. Identified by Coverity scan. (markt) |
| </fix> |
| <scode> |
| Refactor <code>ManagerServlet</code> to avoid loading classes when |
| filtering JNDI resources for resources of a specified type. (markt) |
| </scode> |
| <fix> |
| <bug>63324</bug>: Refactor the <code>CrawlerSessionManagerValve</code> |
| so that the object placed in the session is compatible with session |
| serialization with mem-cached. Patch provided by Martin Lemanski. |
| (markt) |
| </fix> |
| <add> |
| <bug>63358</bug>: Expand the <code>throwOnFailure</code> support in the |
| <code>Connector</code> to include the adding of a <code>Connector</code> |
| to a running <code>Service</code>. (markt) |
| </add> |
| <add> |
| <bug>63361</bug>: Add a new method |
| (<code>Registry.disableRegistry()</code>) that can be used to disable |
| JMX registration of Tomcat components providing it is called before the |
| first component is registered. (markt) |
| </add> |
| <fix> |
| Avoid <code>OutOfMemoryError</code>s and |
| <code>ArrayIndexOutOfBoundsException</code>s when accessing large files |
| via the default servlet when resource caching has been disabled. (markt) |
| </fix> |
| <fix> |
| Avoid a <code>NullPointerException</code> when a <code>Context</code> is |
| defined in <code>server.xml</code> with a <code>docBase</code> but not |
| the optional <code>path</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63333</bug>: Override the <code>isAvailable()</code> method in the |
| <code>JAASRealm</code> so that only login failures caused by invalid |
| credentials trigger account lock out when the <code>LockOutRealm</code> |
| is in use. Patch provided by jchobantonov. (markt) |
| </fix> |
| <fix> |
| Add <code>--no-jmx</code> flag to allow disabling JMX in |
| <code>startup.Tomcat.main</code>. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| The <code>useAsyncIO</code> boolean attribute on the Connector element |
| now defaults to <code>true</code>. (remm) |
| </fix> |
| <fix> |
| Possible HTTP/2 connection leak issue when using async with NIO. (remm) |
| </fix> |
| <fix> |
| Fix socket close discrepancies for NIO, now the wrapper close |
| is used everywhere except for socket accept problems. (remm) |
| </fix> |
| <fix> |
| Implement poller timeout when using async IO with NIO. (remm) |
| </fix> |
| <fix> |
| Avoid creating and using object caches when they are disabled. (remm) |
| </fix> |
| <fix> |
| When running on newer JREs that don't support SSLv2Hello, don't warn |
| that it is not available unless explicitly configured. (markt) |
| </fix> |
| <fix> |
| Change default value of <code>pollerThreadCount</code> of NIO |
| to <code>1</code>. (remm) |
| </fix> |
| <fix> |
| Associate BlockPoller thread name with its NIO connector for better |
| readability. (remm) |
| </fix> |
| <fix> |
| The async HTTP/2 frame parser should tolerate concurrency so clearing |
| shared buffers before attempting a read is not possible. (remm) |
| </fix> |
| <update> |
| Update the HTTP/2 connection preface and initial frame reading to be |
| asynchronous instead of blocking IO. (remm) |
| </update> |
| <scode> |
| Refactor Hostname validation to improve performance. Patch provided by |
| Uwe Hees. (markt) |
| </scode> |
| <update> |
| Add additional NIO2 style read and write methods closer to core NIO2, |
| for possible use with an asynchronous workflow like CompletableFuture. |
| (remm) |
| </update> |
| <fix> |
| Expand HTTP/2 timeout handling to include connection window exhaustion |
| on write. This is the fix for CVE-2019-10072. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>63359</bug>: Ensure that the type conversions used when converting |
| from strings for <code>jsp:setProperty</code> actions are correctly |
| implemented as per section JSP.1.14.2.1 of the JSP 2.3 specification. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>63335</bug>: Ensure that stack traces written by the |
| <code>OneLineFormatter</code> are fully indented. The entire stack trace |
| is now indented by an additional TAB character. (markt) |
| </fix> |
| <fix> |
| <bug>63370</bug>: Message files (LocalStrings_*.properties) of the |
| examples webapp not converted to ascii. (woonsan) |
| </fix> |
| <add> |
| Expand the coverage and quality of the French translations provided |
| with Apache Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage and quality of the Japanese translations provided |
| with Apache Tomcat. Includes contributions by motohashi.yuki. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Czech translations provided |
| with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt) |
| </add> |
| <fix> |
| When using the <code>OneLineFormatter</code>, don't print a blank line |
| in the log after printing a stack trace. (markt) |
| </fix> |
| <update> |
| Update the internal fork of Apache Commons FileUpload to 41e4047 |
| (2019-04-24) to pick up some enhancements. (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons DBCP 2 to dcdbc72 |
| (2019-04-24) to pick up some clean-up and enhancements. (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons Pool 2 to 0664f4d |
| (2019-04-30) to pick up some enhancements and bug fixes. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.19 (markt)" rtext="2019-04-13"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Fix wrong JMX registration regression in 9.0.18. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| Add vectoring for NIO in the base and SSL channels. (remm) |
| </update> |
| <add> |
| Add asynchronous IO from NIO2 to the NIO connector, with support for |
| the async IO implementations for HTTP/2 and Websockets. The |
| <code>useAsyncIO</code> boolean attribute on the Connector element |
| allows enabling use of the asynchronous IO API. (remm) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Ensure that the correct files are included in the source distribution |
| for javacc based parsers depending on whether jjtree is used or not. |
| (markt) |
| </fix> |
| <fix> |
| Ensure that text files in the source distribution have the correct line |
| endings for the target platform. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.18 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>63196</bug>: Provide a default (<code>X-Forwarded-Proto</code>) for |
| the <code>protocolHeader</code> attribute of the |
| <code>RemoteIpFilter</code> and <code>RemoteIpValve</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63235</bug>: Refactor Charset cache to reduce start time. (markt) |
| </fix> |
| <fix> |
| <bug>63249</bug>: Use a consistent log level (<code>WARN</code>) when |
| logging the failure to register or deregister a JMX Bean. (markt) |
| </fix> |
| <fix> |
| <bug>63249</bug>: Use a consistent log level (<code>ERROR</code>) when |
| logging the <code>LifecycleException</code> associated with the failure |
| to start or stop a component. (markt) |
| </fix> |
| <fix> |
| When the SSI directive <code>fsize</code> is used with an invalid |
| target, return a file size of <code>-</code> rather than |
| <code>1k</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63251</bug>: Implement a work-around for a known JRE bug (<a |
| href="https://bugs.openjdk.java.net/browse/JDK-8194653">JDK-8194653</a>) |
| that may cause a dead-lock when Tomcat starts. (markt) |
| </fix> |
| <fix> |
| <bug>63275</bug>: When using a <code>RequestDispatcher</code> ensure |
| that <code>HttpServletRequest.getContextPath()</code> returns an encoded |
| path in the dispatched request. (markt) |
| </fix> |
| <update> |
| Add optional listeners for Server/Listener, as a slight variant of |
| a standard listener. The difference is that loading is not fatal when |
| it fails. This would allow adding example configuration to the standard |
| server.xml if deemed useful. Storeconfig will not attempt to persist |
| the new listener. (remm) |
| </update> |
| <fix> |
| <bug>63286</bug>: Document the differences in behaviour between the |
| <code>LogFormat</code> directive in httpd and the <code>pattern</code> |
| attribute in the <code>AccessLogValve</code> for <code>%D</code> and |
| <code>%T</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63287</bug>: Make logging levels more consistent for similar issues |
| of similar severity. (markt) |
| </fix> |
| <fix> |
| <bug>63311</bug>: Add support for https URLs to the local resolver within |
| Tomcat used to resolve standard XML DTDs and schemas when Tomcat is |
| configured to validate XML configuration files such as web.xml. (markt) |
| </fix> |
| <fix> |
| Encode the output of the SSI <code>printenv</code> command. This is the |
| fix for CVE-2019-0221. (markt) |
| </fix> |
| <scode> |
| Use constants for SSI encoding values. (markt) |
| </scode> |
| <add> |
| When the CGI Servlet is configured with |
| <code>enableCmdLineArguments</code> set to true, limit the encoded form |
| of the individual command line arguments to those values allowed by RFC |
| 3875. This restriction may be relaxed by the use of the new |
| initialisation parameter <code>cmdLineArgumentsEncoded</code>. (markt) |
| </add> |
| <add> |
| When the CGI Servlet is configured with |
| <code>enableCmdLineArguments</code> set to true, limit the decoded form |
| of the individual command line arguments to known safe values when |
| running on Windows. This restriction may be relaxed by the use of the |
| new initialisation parameter <code>cmdLineArgumentsDecoded</code>. This |
| is the fix for CVE-2019-0232. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix bad interaction between NIO2 async read API and the regular read. |
| (remm) |
| </fix> |
| <fix> |
| Refactor NIO2 write pending strategy for the classic IO API. (remm) |
| </fix> |
| <fix> |
| Restore original maxConnections default for NIO2 as the underlying |
| close issues have been fixed. (remm) |
| </fix> |
| <fix> |
| Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm) |
| </fix> |
| <fix> |
| When using a JSSE TLS connector that supported ALPN (Java 9 onwards) and |
| a protocol was not negotiated, Tomcat failed to fall back to HTTP/1.1 and |
| instead dropped the connection. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the TLS connector refactoring in Tomcat 9.0.17 |
| that prevented the use of PKCS#8 private keys with OpenSSL based |
| connectors. (markt) |
| </fix> |
| <fix> |
| Fix NIO2 SSL edge cases. (remm) |
| </fix> |
| <fix> |
| When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any |
| query string present in the original HTTP/1.1 request is passed to the |
| HTTP/2 request processing. (markt) |
| </fix> |
| <fix> |
| When Tomcat writes a final response without reading all of an HTTP/2 |
| request, reset the stream to inform the client that the remaining |
| request body is not required. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Add support for specifying Java 11 (with the value <code>11</code>) as |
| the compiler source and/or compiler target for JSP compilation. (markt) |
| </add> |
| <add> |
| Add support for specifying Java 12 (with the value <code>12</code>) and |
| Java 13 (with the value <code>13</code>) as the compiler source and/or |
| compiler target for JSP compilation. If used with an ECJ version that |
| does not support these values, a warning will be logged and the latest |
| supported version will be used. Based on a patch by Thomas Collignon. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>63184</bug>: Expand the SSI documentation to provide more |
| information on the supported directives and their attributes. Patch |
| provided by nightwatchcyber. (markt) |
| </fix> |
| <add> |
| Add a note to the documentation about the risk of DoS with poorly |
| written regular expressions and the <code>RewriteValve</code>. Patch |
| provided by salgattas. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Improved maxAge handling. Add support for age check on idle connections. |
| An expired connection is reconnected rather than closed. Patch provided |
| by toby1984. (kfujino) |
| </fix> |
| <fix> |
| <bug>63320</bug>: Ensure that <code>StatementCache</code> caches |
| statements that include arrays in arguments. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update to the Eclipse JDT compiler 4.10. (markt) |
| </update> |
| <add> |
| Expand the coverage and quality of the Spanish translations provided |
| with Apache Tomcat. Includes contributions by Ulises Gonzalez Horta. |
| (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Czech translations provided |
| with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Chinese translations provided |
| with Apache Tomcat. Includes contributions by winsonzhao and wjt. |
| (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Russian translations provided |
| with Apache Tomcat. (kkolinko) |
| </add> |
| <add> |
| Expand the coverage and quality of the Japanese translations provided |
| with Apache Tomcat. (kfujino) |
| </add> |
| <add> |
| Expand the coverage and quality of the Korean translations provided |
| with Apache Tomcat. (woonsan) |
| </add> |
| <add> |
| Expand the coverage and quality of the German translations provided |
| with Apache Tomcat. (fschumacher) |
| </add> |
| <add> |
| Expand the coverage and quality of the French translations provided |
| with Apache Tomcat. (remm) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.17 (markt)" rtext="2019-03-18"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Refactor how cookies are transferred from the base request to a |
| <code>PushBuilder</code> so that they are accessible, and may be edited, |
| via the standard <code>PushBuilder</code> methods for working with HTTP |
| headers. (markt) |
| </fix> |
| <update> |
| Simplify the value of <code>jarsToSkip</code> property in |
| <code>catalina.properties</code> file for tomcat-i18n jar files. |
| Use prefix pattern instead of listing each language. (kkolinko) |
| </update> |
| <fix> |
| Restore the getter and setter for the access log valve attribute |
| <code>maxLogMessageBufferSize</code> that were accidentally removed. |
| (markt) |
| </fix> |
| <add> |
| <bug>63206</bug>: Add a new attribute to <code>Context</code> - |
| <code>createUploadTargets</code> which, if <code>true</code> enables |
| Tomcat to create the temporary upload location used by a Servlet if the |
| location specified by the Servlet does not already exist. The default |
| value is <code>false</code>. (markt) |
| </add> |
| <fix> |
| <bug>63210</bug>: Ensure that the Apache Commons DBCP 2 based default |
| connection pool is correctly shut down when it is no longer required. |
| This ensures that a non-daemon thread is not left running that will |
| prevent Tomcat from shutting down cleanly. (markt) |
| </fix> |
| <fix> |
| <bug>63213</bug>: Ensure the correct escaping of group names when |
| searching for nested groups when the JNDIRealm is configured with |
| <code>roleNested</code> set to <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63236</bug>: Use <code>String.intern()</code> as suggested by |
| Phillip Webb to reduce memory wasted due to String duplication. This |
| change saves ~245k when starting a clean installation. With additional |
| thanks to YourKit Java profiler for helping to track down the wasted |
| memory and the root causes. (markt) |
| </fix> |
| <fix> |
| <bug>63246</bug>: Fix a potential <code>NullPointerException</code> when |
| calling <code>AsyncContext.dispatch()</code>. (markt) |
| </fix> |
| <fix> |
| Always use the absolute path of the <code>docBase</code> during the |
| deployment process to determine the Context name, deployment type, |
| whether the <code>docBase</code> is located within the |
| <code>appBase</code> etc. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When performing an HTTP/1.1 upgrade to HTTP/2 (h2c) ensure that the hostname |
| and port from the HTTP/1.1 Host header of the upgraded request are made |
| available via the standard methods |
| <code>ServletRequest.getServerName()</code> and |
| <code>ServletRequest.getServerPort()</code>. (markt) |
| </fix> |
| <fix> |
| Refactor the APR/Native endpoint TLS configuration code to enable JSSE |
| style configuration - including JKS keystores - to be used with the |
| APR/Native connector. (markt) |
| </fix> |
| <add> |
| With the TLS configuration refactoring, the configuration attributes |
| <code>sessionCacheSize</code> and <code>sessionTimeout</code> are no |
| longer limited to JSSE implementations. They may now be used with |
| OpenSSL implementations as well. (markt) |
| </add> |
| <fix> |
| Refactor NIO2 read pending strategy for the classic IO API. (remm) |
| </fix> |
| <fix> |
| <bug>63182</bug>: Avoid extra read notifications for HTTP/1.1 with |
| NIO2 when using asynchronous threads. (remm) |
| </fix> |
| <add> |
| <bug>63205</bug>: Add a work-around for a known |
| <a href="https://bugs.openjdk.java.net/browse/JDK-8157404">JRE KeyStore |
| loading bug</a>. (markt) |
| </add> |
| <fix> |
| NIO2 should try to use SocketTimeoutException everywhere rather than a |
| mix of it and InterruptedByTimeout. (remm) |
| </fix> |
| <fix> |
| Correct an error in the request validation that meant that HTTP/2 push |
| requests always resulted in a 400 response. (markt) |
| </fix> |
| <fix> |
| <bug>63223</bug>: Correctly account for push requests when tracking |
| currently active HTTP/2 streams. (markt) |
| </fix> |
| <fix> |
| Ensure enough buffer space when using TLS with NIO2 by using the main |
| read buffer to store additional decrypted data. (remm) |
| </fix> |
| <fix> |
| Verify HTTP/2 stream is still writable before assuming a timeout |
| occurred. (remm) |
| </fix> |
| <fix> |
| Avoid some overflow cases with OpenSSL to improve efficiency, as the |
| OpenSSL engine has an internal buffer. (remm) |
| </fix> |
| <fix> |
| Harmonize HTTP/1.1 NIO2 keepalive code. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <scode> |
| Remove the <code>STREAMS_DROP_EMPTY_MESSAGES</code> system property that |
| was introduced to work-around four failing TCK tests. An alternative |
| solution has been implemented. Sending messages via |
| <code>getSendStream()</code> and <code>getSendWriter()</code> will now |
| only result in messages on the wire if data is written to the |
| <code>OutputStream</code> or <code>Writer</code>. Writing zero length |
| data will result in an empty message. Note that sending a message via an |
| <code>Encoder</code> may result in the message being sent via |
| <code>getSendStream()</code> or <code>getSendWriter()</code>. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Fix messages used by Manager and Host Manager web applications. |
| Disambiguate message keys used when adding or removing a host. |
| Improve display of summary values on the status page: separate |
| terms and values with a whitespace. Improve wording of messages |
| for expire sessions command. (kkolinko) |
| </fix> |
| <fix> |
| Do not add CSRF nonce parameter and suppress Referer header for external |
| links in Manager and Host Manager web applications. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add a feature that discovers the local member from the static member list. |
| (kfujino) |
| </add> |
| <fix> |
| Ensure that members registered in the addSuspects list are static |
| members. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Expand the coverage and quality of the French translations provided |
| with Apache Tomcat. (remm) |
| </add> |
| <fix> |
| <bug>63041</bug>: Revert the changes for <bug>53930</bug> that added |
| support for the <code>CATALINA_OUT_CMD</code> environment variable as |
| they prevented correct operation with systemd configurations that did |
| not explicitly specify a PID file. (markt) |
| </fix> |
| <add> |
| Expand the coverage and quality of the Russian translations provided |
| with Apache Tomcat. (kkolinko) |
| </add> |
| <fix> |
| Fix the artifactId of <code>tomcat-i18n-cs</code>. (rjung) |
| </fix> |
| <add> |
| Expand the coverage and quality of the Korean translations provided |
| with Apache Tomcat. (woonsan) |
| </add> |
| <add> |
| Expand the coverage and quality of the Chinese translations provided |
| with Apache Tomcat. Includes contributions by winsonzhao. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Czech translations provided |
| with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Spanish translations provided |
| with Apache Tomcat. Includes contributions by Ulises Gonzalez Horta. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.16 (markt)" rtext="2019-02-08"> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Use client's preferred language for the Server Status page of the |
| Manager web application. Review and fix several cases when the |
| client's language preference was not respected in Manager and |
| Host Manager web applications. (kkolinko) |
| </fix> |
| <fix> |
| <bug>63141</bug>: Ensure that translated manager response strings still |
| start with <code>OK -</code> where expected by the associated Ant tasks. |
| (markt) |
| </fix> |
| <fix> |
| <bug>63143</bug>: Ensure that the Manager web application respects the |
| language preferences of the user as configured in the browser when the |
| language of the default system locale is not English. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Remove unnecessary shutdown for executor. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.04. (markt) |
| </update> |
| <add> |
| Add Czech translations to Apache Tomcat. Includes contributions from |
| Arnošt Havelka and Alice. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Spanish translations provided |
| with Apache Tomcat. Includes contributions from Ulises Gonzalez Horta. |
| (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the French translations provided |
| with Apache Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage and quality of the Korean translations provided |
| with Apache Tomcat. (woonsan) |
| </add> |
| <add> |
| Expand the coverage and quality of the Japanese translations provided |
| with Apache Tomcat. Includes contributions from Yujiorama. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Chinese translations provided |
| with Apache Tomcat. Includes contributions from zheng. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Russian translations provided |
| with Apache Tomcat. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.15 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>54741</bug>: Add a new method, |
| <code>Tomcat.addWebapp(String,URL)</code>, that allows a web application |
| to be deployed from a URL when using Tomcat in embedded mode. (markt) |
| </fix> |
| <fix> |
| <bug>63002</bug>: Fix setting rewrite qsdiscard flag. (remm) |
| </fix> |
| <fix> |
| Implement the requirements of section 8.2.2 2c of the Servlet |
| specification and prevent a web application from deploying if it has |
| fragments with duplicate names and is configured to use relative |
| ordering of fragments. (markt) |
| </fix> |
| <fix> |
| Ensure that the HEAD response is consistent with the GET response when |
| <code>HttpServlet</code> is relied upon to generate the HEAD response |
| and the GET response uses chunking. (markt) |
| </fix> |
| <fix> |
| Ensure that the <code>ServletOutputStream</code> implementation is |
| consistent with the requirements of asynchronous I/O and that all of the |
| write methods use a single write rather than multiple writes. (markt) |
| </fix> |
| <fix> |
| Correct the Javadoc for <code>Context.getDocBase()</code> and |
| <code>Context.setDocBase()</code> and remove text that indicates that a |
| URL may be used for the <code>docBase</code> as this has not been the |
| case for quite some time. (markt) |
| </fix> |
| <update> |
| Add basic health check valve. (remm) |
| </update> |
| <fix> |
| Correct a bug exposed in 9.0.14 and ensure that Tomcat terminates in |
| a timely manner when running as a service. (markt) |
| </fix> |
| <fix> |
| Log a message when using a Connector that requires Apr without enabling |
| the AprLifecycleListener first. (csutherl) |
| </fix> |
| <fix> |
| Utility thread count for special negative or zero values will again be |
| based on Runtime.getRuntime().availableProcessors(). (remm) |
| </fix> |
| <scode> |
| Treat I/O errors during request body reads the same way as I/O errors |
| during response body writes. The errors are treated as client side |
| errors rather than server side errors and only logged at debug level. |
| (markt) |
| </scode> |
| <fix> |
| <bug>63038</bug>: Ensure that a <code>ClassNotFoundException</code> is |
| thrown when attempting to load a class from a corrupted JAR file. |
| (markt) |
| </fix> |
| <fix> |
| <bug>63078</bug>: Ensure the utility thread pool is at least two, as the |
| deployer uses a blocking pattern. (remm, markt) |
| </fix> |
| <add> |
| Make the removal of leading and trailing whitespace from credentials |
| passed to BASIC authentication configurable via a new attribute, |
| <code>trimCredentials</code> on the <code>BasicAuthenticator</code>. |
| (markt) |
| </add> |
| <fix> |
| <bug>63003</bug>: Extend the <code>unloadDelay</code> attribute on a |
| <code>Context</code> to include in-flight asynchronous requests. (markt) |
| </fix> |
| <add> |
| <bug>63026</bug>: Add a new attribute, <code>forceDnHexEscape</code>, to |
| the <code>JNDIRealm</code> that forces escaping in the String |
| representation of a distinguished name to use the <code>\nn</code> form. |
| This may avoid issues with realms using Active Directory which appears |
| to be more tolerant of optional escaping when the <code>\nn</code> form |
| is used. (markt) |
| </add> |
| <fix> |
| Avoid a swallowed (and therefore ignored) access failure during web |
| application class loading when running under a |
| <code>SecurityManager</code>. (markt) |
| </fix> |
| <update> |
| Add SSL configuration options to the JMX remote listener using the |
| <code>SSLHostConfig</code> framework. (remm) |
| </update> |
| <update> |
| Update the recommended minimum Tomcat Native version to 1.2.21. (markt) |
| </update> |
| <fix> |
| <bug>63137</bug>: If the resources for a web application have been |
| configured with multiple locations mapped to |
| <code>/WEB-INF/classes</code>, ensure that all of those locations are |
| used when building the web application class path. Patch provided by |
| Marcin Gołębski. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>63009</bug>: Include the optional <code>content-length</code> |
| header in HTTP/2 responses where an appropriate value is available. |
| (markt) |
| </add> |
| <fix> |
| <bug>63022</bug>: Do not use the socket open state when using the |
| wrapper isClosed method for NIO and NIO2, as it will disable all |
| further processing. (remm) |
| </fix> |
| <fix> |
| Fix socket close discrepancies for NIO2; the wrapper close is now |
| used everywhere except for socket accept problems. (remm) |
| </fix> |
| <fix> |
| Fix use of write timeout instead of read timeout for HTTP/2 NIO2 |
| frame read. (remm) |
| </fix> |
| <fix> |
| Fix incorrect APR sendfile thread stop. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>63056</bug>: Correct a regression in the fix for <bug>53737</bug> |
| that did not correctly scan the web application directory structure for |
| JSPs. (markt) |
| </fix> |
| <fix> |
| Update the performance optimisation for using expressions in tags that |
| depend on uninitialised tag attributes with implied scope to make the |
| performance optimisation aware of the new public class |
| (<code>java.lang.Enum$EnumDesc</code>) added in Java 12. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57974</bug>: Ensure implementation of |
| <code>Session.getOpenSessions()</code> returns correct value for both |
| client-side and server-side calls. (markt) |
| </fix> |
| <fix> |
| <bug>63019</bug>: Use payload remaining bytes rather than limit when |
| writing. Submitted by Benoit Courtilly. (remm) |
| </fix> |
| <fix> |
| When running under a <code>SecurityManager</code>, ensure that the |
| <code>ServiceLoader</code> look-up for the default |
| <code>javax.websocket.server.ServerEndpointConfig.Configurator</code> |
| implementation completes correctly rather than silently using the |
| hard-coded fall-back. (markt) |
| </fix> |
| <fix> |
| Ensure that the network connection is closed if the client receives an |
| I/O error trying to communicate with the server. (markt) |
| </fix> |
| <fix> |
| Ignore synthetic methods when scanning POJO methods. (markt) |
| </fix> |
| <fix> |
| Implement the requirements of section 5.2.1 of the WebSocket 1.1 |
| specification and ensure that if the deployment of one Endpoint fails, |
| no Endpoints are deployed for that web application. (markt) |
| </fix> |
| <fix> |
| Implement the requirements of section 4.3 of the WebSocket 1.1 |
| specification and ensure that the deployment of an Endpoint fails if |
| <code>@PathParam</code> is used with an invalid parameter type. (markt) |
| </fix> |
| <fix> |
| Ensure a <code>DeploymentException</code> rather than an |
| <code>IllegalArgumentException</code> is thrown if a method annotated |
| with <code>@OnMessage</code> does not conform to the requirements set |
| out in the Javadoc. (markt) |
| </fix> |
| <fix> |
| Improve algorithm that determines if two <code>@OnMessage</code> |
| annotations have been added for the same message type. Prior to this |
| change some matches were missed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>63103</bug>: Remove the unused source.jsp file and associated tag |
| from the examples web application as it is no longer used. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <update> |
| Add dns-ping support to enumerate cluster members. This is much simpler |
| than getting the pod list but it does not indicate pod status. |
| Submitted by Maxime Beck. (remm) |
| </update> |
| <fix> |
| Never expire the local member from a Membership. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update container image with monitoring contraptions. (remm) |
| </update> |
| <add> |
| Expand the coverage and quality of the Korean translations provided with |
| Apache Tomcat. Includes contributions from woonsan and Chris Cho. |
| (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Japanese translations provided |
| with Apache Tomcat. Includes contributions from kfujino, Yujiorama and |
| motohashi.yuki. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the French translations provided with |
| Apache Tomcat. Includes contributions from remm, Ludovic Pénet and |
| evernat. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the German translations provided |
| with Apache Tomcat. Includes contributions from fschumacher, Stefan and |
| burghard. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Chinese (simplified) translations |
| provided with Apache Tomcat. Includes contributions from winsonzhao, |
| Lanranzi, shawn, Winsonzhoa, JinXiqian, RichardHo, qingshi huang, |
| Greenman0007, Jim Ma, huxing, 袁宇杰 and evernat. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Spanish translations provided |
| with Apache Tomcat. Includes contributions from Ulises Gonzalez Horta, |
| Israel, Eduardo Quintanilla and Miguel Ortega. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Russian translations provided |
| with Apache Tomcat. Includes contributions from Andrei Maiseyenka and |
| solomax. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Brazilian Portuguese translations |
| provided with Apache Tomcat. Includes contributions from Victor Caetano |
| and Dabilo. (markt) |
| </add> |
| <fix> |
| <bug>63041</bug>: Correct a regression in the fix for <bug>53930</bug> |
| that prevented Tomcat from working correctly with systemd. Patch |
| provided by Patrik S. (markt) |
| </fix> |
| <update> |
| <bug>63072</bug>: Remove extras (JMX remote listener and webservices |
| object factories) and merge them back into the core build. |
| (remm) |
| </update> |
| <add> |
| Update the internal fork of Apache Commons FileUpload to pick up the |
| changes in the Apache Commons FileUpload 1.4 release. (markt) |
| </add> |
| <update> |
| Update the internal fork of Apache Commons DBCP 2 to de20b77 |
| (2019-01-29) to pick up some bug fixes and enhancements. (markt) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.21 to |
| pick up the memory leak fixes when using NIO/NIO2 with OpenSSL. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.14 (markt)" rtext="2018-12-12"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>62788</bug>: Add explicit logging configuration to write log files |
| using UTF-8 to align with Tomcat's use of UTF-8 by default |
| elsewhere. (markt) |
| </fix> |
| <fix> |
| The default Servlet should not override a previously set content-type. |
| (remm) |
| </fix> |
| <fix> |
| Fix storeconfig for the cluster encryption interceptor key attribute. |
| (remm) |
| </fix> |
| <add> |
| Add a scheduled executor to the Server, which can be used to |
| process periodic utility tasks. The utility threads are non-daemon |
| by default. (remm) |
| </add> |
| <update> |
| Refactor container background processor using the Server executor, and |
| add monitoring to reschedule it in case of an unexpected error. (remm) |
| </update> |
| <update> |
| Refactor parallel deployment threads using the Server executor. (remm) |
| </update> |
| <add> |
| Introduce a ConfigurationSource API to standardize access to the core |
| configuration resources of Tomcat. (remm) |
| </add> |
| <update> |
| Update the Tomcat embedded API to allow a configuration source to be |
| set, which will allow processing of core configuration. (remm) |
| </update> |
| <update> |
| Refactor processing of server.xml, web.xml, context.xml, other |
| configuration files and resources using the ConfigurationSource API. |
| Loading and storing of JASPIC persistent providers remains file based. |
| Storing of Tomcat configuration files by StoreConfig remains file based |
| at their previous default locations. (remm) |
| </update> |
| <add> |
| <bug>62897</bug>: Provide a property |
| (<code>clearReferencesThreadLocals</code>) on the standard |
| <code>Context</code> implementation that enables the check for memory |
| leaks via <code>ThreadLocal</code>s to be disabled because this check |
| depends on the use of an API that has been deprecated in later versions |
| of Java. (markt) |
| </add> |
| <fix> |
| Fix more storeconfig issues with duplicated SSL attributes. (remm) |
| </fix> |
| <fix> |
| <bug>62924</bug>: Fix file descriptor leak introduced in the code that |
| monitors <code>tomcat-users.xml</code> for modifications. (markt) |
| </fix> |
| <update> |
| Add periodic event notification for lifecycle listeners configured on |
| the Server. (remm) |
| </update> |
| <fix> |
| <bug>62968</bug>: Avoid unnecessary (and relatively expensive) |
| <code>getResources()</code> call in the Mapper when processing rule 7. |
| (markt) |
| </fix> |
| <update> |
| Update the recommended minimum Tomcat Native version to 1.2.19. (markt) |
| </update> |
| <fix> |
| <bug>62978</bug>: Update the RemoteIpValve to handle multiple values in |
| the <code>x-forwarded-proto</code> header. Patch provided by Tom Groot. |
| (markt) |
| </fix> |
| <fix> |
| Update the RemoteIpFilter to handle multiple values in the |
| <code>x-forwarded-proto</code> header. Based on a patch provided by Tom |
| Groot. (markt) |
| </fix> |
| <scode> |
| <bug>62986</bug>: Refactor the code that performs class scanning during |
| web application start to make integration simpler for downstream users. |
| Patch provided by rmannibucau. (markt) |
| </scode> |
| <fix> |
| Filter out tomcat-web.xml from the watched resources list in |
| storeconfig. (remm) |
| </fix> |
| <fix> |
| <bug>62988</bug>: Fix the <code>LoadBalancerDrainingValve</code> so it |
| works when the session cookie configuration is not explicitly declared. |
| Based on a patch provided by Andreas Kurth. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| Refactor connector async timeout threads using a scheduled executor. |
| (remm) |
| </update> |
| <update> |
| Avoid using a dedicated thread for accept on the NIO2 connector as it |
| is always less efficient. (remm) |
| </update> |
| <update> |
| Load SSL configuration resources for JSSE using the ConfigurationSource |
| API. OpenSSL use requires actual files. (remm) |
| </update> |
| <fix> |
| <bug>62899</bug>: Prevent the incorrect timing out of connections when |
| Servlet non-blocking I/O is used to read a request body over an HTTP/2 |
| stream. (markt) |
| </fix> |
| <fix> |
| Avoid bad SSLHostConfig JMX registrations before init. (remm) |
| </fix> |
| <fix> |
| Avoid a potential hang when a client connects using TLS 1.0 to a Tomcat |
| HTTPS connector configured to use NIO or NIO2 with OpenSSL 1.1.1 or |
| later. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Update the Eclipse Compiler for Java to 4.9. Additional patch by Lukasz |
| Jader. (markt) |
| </update> |
| <add> |
| <bug>53737</bug>: Extend JspC, the precompilation tool, to include |
| support for resource JARs. (markt) |
| </add> |
| <fix> |
| <bug>62976</bug>: Avoid an <code>IllegalStateException</code> when using |
| background compilation when tag files are packaged in JAR files. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>53553</bug>: Add the ability to specify a context.xml from the |
| server to use when uploading a web application for deployment with the |
| Manager web application. Patch provided by Anton Lindström. (markt) |
| </add> |
| <fix> |
| <bug>62918</bug>: Filter out subtype mbeans to avoid breaking the |
| connector status page. (remm) |
| </fix> |
| <fix> |
| Unify letter case of the word 'How-To' in the webapps. (csutherl) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <update> |
| Refactor various operations performed in tribes using a scheduled |
| executor. When tribes is not running standalone, it will use the |
| executor from the Catalina Server. If running independently, the |
| Channel will provide the executor. (remm) |
| </update> |
| <fix> |
| Make EncryptInterceptor thread-safe. This makes this interceptor |
| actually usable. (schultz/markt) |
| </fix> |
| <add> |
| Add support for GCM mode to EncryptInterceptor. (schultz) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Prevent an error when running in a Cygwin shell and the |
| <code>JAVA_ENDORSED_DIRS</code> system property is empty. Patch provided |
| by Zemian Deng. (markt) |
| </fix> |
| <add> |
| Expand the coverage and quality of the French translations provided with |
| Apache Tomcat. Includes contributions from remm, soliplaya, Ludovic |
| Pénet, David, NicolasG and bdelacretaz. (markt) |
| </add> |
| <add> |
| Add Simplified Chinese translations to Apache |
| Tomcat. Includes contributions from Darren Luo, syseal, Winsonzhao, |
| 袁宇杰, Lanranzi, ZhangJieWen, Jerry, yinzhili001, 安柏诚, shawn, lavender, |
| Zheng Feng, zengwc, RichardHo, mm, gingshi huang, Bob, geekwang, zheng, |
| Deanzhg, Tianfengjingjing, Panblack, oking, Dave Newman, Cnfnss, Jim Ma, |
| 852394875, huxing and Greenman0007. (markt) |
| </add> |
| <add> |
| Add Korean translations to Apache Tomcat. Includes contributions from |
| woonsan, JunSang Park, song choe and OhChan. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Spanish translations provided |
| with Apache Tomcat. Includes contributions from Ulises Gonzalez Horta, |
| Israel, Eduardo Quintanilla and Miguel suarez. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Russian translations provided |
| with Apache Tomcat. Includes contributions from solomax, Rafael Sachakov |
| and Andrei Maiseyenka. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the German translations provided |
| with Apache Tomcat. Includes contributions from Matk80, burghard, |
| Daniel Wehringer and Felix Schumacher. (markt) |
| </add> |
| <add> |
| Expand the coverage and quality of the Japanese translations provided |
| with Apache Tomcat. Includes contributions from Yujiorama, |
| motohashi.yuki and kfujino. (markt) |
| </add> |
| <add> |
| Add Brazilian Portuguese translations to Apache Tomcat. Includes |
| contributions from geraldo netto. (markt) |
| </add> |
| <fix> |
| Include Brazilian Portuguese translations in the standard Tomcat |
| distribution. (markt) |
| </fix> |
| <fix> |
| Include Simplified Chinese translations in the standard Tomcat |
| distribution. (markt) |
| </fix> |
| <fix> |
| Include Korean translations in the standard Tomcat distribution. (markt) |
| </fix> |
| <add> |
| Add a packaging method for Tomcat using Maven, as well as a container |
| build file for it. (remm) |
| </add> |
| <fix> |
| Add XML Namespace to the project element of all POM files so that the |
| XML files are Well Formed and Valid. (csutherl) |
| </fix> |
| <add> |
| <bug>53930</bug>: Add support for the <code>CATALINA_OUT_CMD</code> |
| environment variable that defines a command to which captured stdout and |
| stderr will be redirected. Patch provided by Casey Lucas. (markt) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.19 to |
| pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL |
| 1.1.1a. (markt) |
| </update> |
| <update> |
| Add i18n to many strings that lacked it. (remm) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.13 (markt)" rtext="2018-11-07"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>58590</bug>: Add the ability for a UserDatabase to monitor the |
| backing XML file for changes and reload the source file if a change in |
| the last modified time is detected. This is enabled by default meaning |
| that changes to <code>$CATALINA_BASE/conf/tomcat-users.xml</code> will |
| now take effect a short time after the file is saved. (markt) |
| </add> |
| <add> |
| <bug>61171</bug>: Add the <code>portOffset</code> attribute to the |
| <code>Server</code> element which is added to the configured shutdown |
| and <code>Connector</code> ports. Based on a patch by Marek Czernek. |
| (markt) |
| </add> |
| <add> |
| <bug>61692</bug>: Add the ability to control which HTTP methods are |
| handled by the CGI Servlet via a new initialization parameter |
| <code>cgiMethods</code>. (markt) |
| </add> |
| <fix> |
| <bug>62687</bug>: Expose content length information for resources |
| when using a compressed war. (remm) |
| </fix> |
| <fix> |
| <bug>62737</bug>: Fix rewrite substitutions parsing of {} nesting. |
| (remm) |
| </fix> |
| <fix> |
| Add rewrite flags output when getting the rewrite configuration back. |
| (remm) |
| </fix> |
| <fix> |
| Add missing qsdiscard flag to the rewrite flags as a cleaner way to |
| discard the query string. (remm) |
| </fix> |
| <add> |
| <bug>62755</bug>: Add ability to opt out of adding the default web.xml |
| config when embedding Tomcat and adding a context via |
| <code>addWebapp()</code>. Call |
| <code>setAddDefaultWebXmlToWebapp(false)</code> to prevent the automatic |
| config. (isapir) |
| </add> |
| <fix> |
| Add documentation about the files <code>context.xml.default</code> and |
| <code>web.xml.default</code> that can be used to customize |
| <code>conf/context.xml</code> and <code>conf/web.xml</code> on a per |
| host basis. (fschumacher) |
| </fix> |
| <fix> |
| Ensure that a canonical path is always used for the docBase of a Context |
| to ensure consistent behaviour. (markt) |
| </fix> |
| <fix> |
| <bug>62803</bug>: Fix SSL connector configuration processing |
| in storeconfig. (remm) |
| </fix> |
| <fix> |
| <bug>62797</bug>: Pass throwable to keep client aborts with status 200 |
| rather than 500. Patch submitted by zikfat. (remm) |
| </fix> |
| <fix> |
| <bug>62802</bug>: Restore the <code>appContextProtection</code> |
| attribute to the <code>JreMemoryLeakPreventionListener</code> as |
| application code may still trigger this memory leak. (markt) |
| </fix> |
| <fix> |
| <bug>62809</bug>: Correct a regression in the implementation of DIGEST |
| authentication support for the Deployer Ant tasks (bug <bug>45832</bug>) |
| that prevented the <code>DeployTask</code> from working when |
| authentication was required. (markt) |
| </fix> |
| <update> |
| Update the recommended minimum Tomcat Native version to 1.2.18. (markt) |
| </update> |
| <add> |
| Ignore an attribute named <code>source</code> on <code>Context</code> |
| elements provided by <code>StandardContext</code>. This is to suppress |
| warnings generated by the Eclipse / Tomcat integration provided by |
| Eclipse. Based on a patch by mdfst13. (markt) |
| </add> |
| <add> |
| <bug>62830</bug>: Added <code>JniLifeCycleListener</code> and static |
| methods <code>Library.loadLibrary(libraryName)</code> and |
| <code>Library.load(filename)</code> to load a native library by a |
| shared class loader so that more than one Webapp can use it. (isapir) |
| </add> |
| <scode> |
| Refactor the <code>Connector</code> so that the port is obtained from |
| the <code>Endpoint</code> rather than a local field that could end up |
| out of sync. (markt) |
| </scode> |
| <fix> |
| Correct a typo in the Spanish resource files. Patch provided by Diego |
| Agulló. (markt) |
| </fix> |
| <fix> |
| <bug>62868</bug>: Order the <code>Enumeration&lt;URL&gt;</code> provided |
| by <code>WebappClassLoaderBase.getResources(String)</code> according to |
| the setting of the delegate flag. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Add TLSv1.3 to the default protocols and to the <code>all</code> |
| alias for JSSE based TLS connectors when running on a JVM that |
| supports TLS version 1.3. One such JVM is OpenJDK version 11. (rjung) |
| </add> |
| <fix> |
| <bug>62685</bug>: Correct an error in host name validation parsing that |
| did not allow a fully qualified domain name to terminate with a period. |
| Patch provided by AG. (markt) |
| </fix> |
| <fix> |
| Make PEM file parser a public utility class. (remm) |
| </fix> |
| <fix> |
| <bug>62739</bug>: Do not reject requests with an empty HTTP Host header. |
| Such requests are unusual but not invalid. Patch provided by Michael |
| Orr. (markt) |
| </fix> |
| <add> |
| <bug>62748</bug>: Add TLS 1.3 support for the APR/Native connector and |
| the NIO/NIO2 connector when using the OpenSSL backed JSSE |
| implementation. (schultz/markt) |
| </add> |
| <fix> |
| <bug>62791</bug>: Remove an unnecessary check in the NIO TLS |
| implementation that prevented secure WebSocket connections from |
| being established. (markt) |
| </fix> |
| <fix> |
| Fix server initiated TLS renegotiation to obtain a client certificate |
| when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation. |
| (markt) |
| </fix> |
| <fix> |
| Ensure open sockets etc. are cleaned up if the socket binding process |
| fails. (markt) |
| </fix> |
| <fix> |
| <bug>62871</bug>: Improve MBeans for Endpoint instances (type |
| <code>ThreadPool</code> in JMX) by using explicit declaration of |
| attributes and operations rather than relying on introspection. Add a |
| new MBean to expose the <code>Socketproperties</code> values. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Correct parsing of XML whitespace in TLD function signatures that |
| incorrectly only looked for the space character. (markt) |
| </fix> |
| <fix> |
| <bug>62674</bug>: Correct a regression in the stand-alone JSP compiler |
| utility, <code>JspC</code>, caused by the fix for <bug>53492</bug>, that |
| caused the JSP compiler to hang. (markt) |
| </fix> |
| <fix> |
| <bug>62721</bug>: Correct generation of web.xml header when using JspC. |
| (markt) |
| </fix> |
| <fix> |
| <bug>62757</bug>: Correct a regression in the fix for <bug>62603</bug> |
| that caused <code>NullPointerException</code>s when compiling tag files |
| on first access when development mode was disabled and background |
| compilation was enabled. Based on a patch by Jordi Llach. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>62731</bug>: Make the URI returned by |
| <code>HandshakeRequest.getRequestURI()</code> and |
| <code>Session.getRequestURI()</code> absolute so that the scheme, host |
| and port are accessible. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>62676</bug>: Expand the CORS filter documentation to make it clear |
| that explicit configuration is required to enable support for |
| cross-origin requests. (markt) |
| </fix> |
| <fix> |
| <bug>62712</bug>: Correct NPE in Manager application when attempting to |
| view configured certificates for an APR/native TLS connector. (markt) |
| </fix> |
| <fix> |
| <bug>62761</bug>: Correct the advanced CORS example in the Filter |
| documentation to use a valid configuration. (markt) |
| </fix> |
| <fix> |
| <bug>62786</bug>: Add a note to the Context documentation to explain |
| that, by default, settings for a Context element defined in server.xml |
| will be overwritten by settings specified in a default context file such |
| as <code>conf/context.xml</code>. (markt) |
| </fix> |
| <fix> |
| Create a little visual separation between the Undeploy button and the |
| other buttons in the Manager application. Patch provided by Łukasz |
| Jąder. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add <code>setMembershipService</code> method to the |
| <code>MembershipProvider</code>. (kfujino) |
| </add> |
| <add> |
| Experimental Kubernetes aware cloud membership provider, based on code |
| by Maxime Beck. Contains code derived from jgroups. (remm/kfujino) |
| </add> |
| <fix> |
| Move the event notification <code>ThreadPoolExecutor</code> to |
| <code>MembershipProviderBase</code>. (kfujino) |
| </fix> |
| <fix> |
| Even if all members have already disappeared and PING can not be sent, |
| ensure that members will be expired. (kfujino) |
| </fix> |
| <fix> |
| Ensure that the member is removed from the suspect list when a member |
| is added. (kfujino) |
| </fix> |
| <add> |
| Add EncryptInterceptor to the portfolio of available clustering |
| interceptors. This adds symmetric encryption of session data |
| to Tomcat clustering regardless of the type of cluster manager |
| or membership being used. (schultz) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Port DBCP transaction synchronization registry fix |
| (commit d49d45e). (remm) |
| </fix> |
| <update> |
| Update the internal fork of Apache Commons Pool 2 to d4e0e88 |
| (2018-09-12) to pick up some bug fixes and enhancements. (markt) |
| </update> |
| <add> |
| <bug>62705</bug>: Added a fail fast check for minimum required Apache |
| Ant version 1.9.8 when building Tomcat. (isapir) |
| </add> |
| <add> |
| Added ant target ide-intellij to create an IntelliJ IDEA project. (isapir) |
| </add> |
| <add> |
| Utility JSON parser generated from a public domain javacc grammar |
| written by Robert Fischer. (remm) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.18 to |
| pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL |
| 1.1.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.12 (markt)" rtext="2018-09-10"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Improve the handling of path parameters when working with |
| RequestDispatcher objects. (markt) |
| </fix> |
| <fix> |
| <bug>62664</bug>: Process requests with content type |
| <code>multipart/form-data</code> to servlets with a |
| <code>@MultipartConfig</code> annotation regardless of HTTP method. |
| (markt) |
| </fix> |
| <fix> |
| <bug>62667</bug>: Add recursion to rewrite substitution parsing. (remm) |
| </fix> |
| <fix> |
| <bug>62669</bug>: When using the SSIFilter and a resource does not |
| specify a content type, do not force the content type to |
| <code>application/x-octet-stream</code>. (markt) |
| </fix> |
| <fix> |
| <bug>62670</bug>: Adjust the memory leak protection for the |
| <code>DriverManager</code> so that JDBC drivers located in |
| <code>$CATALINA_HOME/lib</code> and <code>$CATALINA_BASE/lib</code> are |
| loaded via the service loader mechanism when the protection is enabled. |
| (markt) |
| </fix> |
| <fix> |
| When generating a redirect to a directory in the Default Servlet, avoid |
| generating a protocol relative redirect. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix potential deadlocks when using asynchronous Servlet processing with |
| HTTP/2 connectors. (markt) |
| </fix> |
| <fix> |
| <bug>62620</bug>: Fix corruption of response bodies when writing large |
| bodies using asynchronous processing over HTTP/2. (markt) |
| </fix> |
| <fix> |
| <bug>62628</bug>: Additional fixes for output corruption of response |
| bodies when writing large bodies using asynchronous processing over |
| HTTP/2. (markt) |
| </fix> |
| <scode> |
| Support for Netware in the <code>org.apache.tomcat.jni</code> package |
| has been removed as there has not been a supported Netware platform for |
| a number of years. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Correct the JSP version in the X-PoweredBy HTTP header generated when |
| the xpoweredBy option is enabled. (markt) |
| </fix> |
| <fix> |
| <bug>62662</bug>: Fix the corruption of web.xml output during JSP |
| compilation caused by the fix for <bug>53492</bug>. Patch provided by |
| Bernhard Frauendienst. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Expand the information in the documentation web application regarding |
| the use of <code>CATALINA_HOME</code> and <code>CATALINA_BASE</code>. |
| Patch provided by Marek Czernek. (markt) |
| </add> |
| <fix> |
| <bug>62652</bug>: Make it clearer that the version of DBCP that is |
| packaged in Tomcat 9.0.x is DBCP 2. Correct the names of some DBCP 2 |
| configuration attributes that changed between 1.x and 2.x. (markt) |
| </fix> |
| <add> |
| <bug>62666</bug>: Expand internationalisation support in the Manager |
| application to include the server status page and provide Russian |
| translations in addition to English. Patch provided by Artem Chebykin. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Switch the build script to use http for downloads from an ASF mirror |
| using the closer.lua script to avoid failures due to HTTPS to HTTP |
| redirects. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.11 (markt)" rtext="2018-08-17"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Make the <code>isLocked()</code> method of the <code>LockOutRealm</code> |
| public and expose the method via JMX. (markt) |
| </add> |
| <add> |
| <bug>53387</bug>: Add support for regular expression capture groups to |
| the SSI servlet and filter. (markt) |
| </add> |
| <fix> |
| <bug>53411</bug>: Improve the handling of HTTP requests that do not |
| explicitly specify a host name when no default host is configured. Also |
| improve the tracking of changes to the default host as hosts are added |
| and removed while Tomcat is running. (markt) |
| </fix> |
| <fix> |
| Ensure that the HTTP Vary header is set correctly when using the CORS |
| filter and improve the cacheability of requests that pass through the |
| CORS filter. (markt) |
| </fix> |
| <fix> |
| <bug>62527</bug>: Revert restriction of JNDI to the <code>java:</code> |
| namespace. (remm) |
| </fix> |
| <add> |
| Introduce a new class - <code>MultiThrowable</code> - to report |
| exceptions when multiple actions are taken where each action may throw |
| an exception but all actions are taken before any errors are reported. |
| Use this new class when reporting multiple container (e.g. web |
| application) failures during start. (markt) |
| </add> |
| <fix> |
| Correctly decode URL paths (<code>+</code> should not be decoded to a |
| space in the path) in the <code>RequestDispatcher</code> and the web |
| application class loader. (markt) |
| </fix> |
| <add> |
| Make logout more robust if JASPIC subject is unexpectedly unavailable. |
| (markt) |
| </add> |
| <fix> |
| <bug>62547</bug>: JASPIC <code>cleanSubject()</code> was not called on |
| logout when the authenticator was configured to cache the authenticated |
| Principal. Patch provided by Guillermo González de Agüero. (markt) |
| </fix> |
| <add> |
| <bug>62559</bug>: Add <code>jaxb-*.jar</code> to the list of JARs |
| ignored by <code>StandardJarScanner</code>. (markt) |
| </add> |
| <add> |
| <bug>62560</bug>: Add <code>oraclepki.jar</code> to the list of JARs |
| ignored by <code>StandardJarScanner</code>. (markt) |
| </add> |
| <add> |
| <bug>62607</bug>: Return a non-zero exit code from |
| <code>catalina.[bat|sh] run</code> if Tomcat fails to start. (markt) |
| </add> |
| <fix> |
| Use short circuit logic to prevent potential NPE in CorsFilter. (fschumacher) |
| </fix> |
| <scode> |
| Simplify construction of appName from container name in JAASRealm. (fschumacher) |
| </scode> |
| <scode> |
| Remove <code>ServletException</code> from declaration of |
| <code>Tomcat.addWebapp(String,String)</code> since it is never thrown. |
| Patch provided by Tzafrir. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Refactor HTTP date creation and parsing to reduce code duplication, |
| reduce the use of ThreadLocals and to increase the use of caching. |
| (markt) |
| </scode> |
| <fix> |
| <bug>56676</bug>: Add a default location for the native library, as |
| ${catalina.home}/bin, which the testsuite already uses. (remm) |
| </fix> |
| <update> |
| <bug>60560</bug>: Add support for using an inherited channel to |
| the NIO connector. Based on a patch submitted by Thomas Meyer with |
| testing and suggestions by Coty Sutherland. (remm) |
| </update> |
| <fix> |
| <bug>62507</bug>: Ensure that JSSE based TLS connectors work correctly |
| with a DKS keystore. (markt) |
| </fix> |
| <fix> |
| Refactor code that adds an additional header name to the |
| <code>Vary</code> HTTP response header to use a common utility method |
| that addresses several additional edge cases. (markt) |
| </fix> |
| <fix> |
| <bug>62515</bug>: When a connector is configured (via setting |
| <code>bindOnInit</code> to <code>false</code>) to bind/unbind the server |
| socket during start/stop, close the socket earlier in the stop process |
| so new connections do not sit in the TCP backlog during the shutdown |
| process only to be dropped as stop completes. In this scenario new |
| connections will now be refused immediately. (markt) |
| </fix> |
| <fix> |
| <bug>62526</bug>: Correctly handle PKCS12 format key stores when the key |
| store password is configured to be the empty string. (markt) |
| </fix> |
| <fix> |
| <bug>62605</bug>: Ensure <code>ReadListener.onDataAvailable()</code> is |
| called when the initial request body data arrives after the request |
| headers when using asynchronous processing over HTTP/2. (markt) |
| </fix> |
| <fix> |
| <bug>62614</bug>: Ensure that |
| <code>WriteListener.onWritePossible()</code> is called after |
| <code>isReady()</code> returns <code>false</code> and the window size is |
| subsequently incremented when using asynchronous processing over HTTP/2. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>53492</bug>: Make the Java file generation process multi-threaded. |
| By default, one thread will be used per core. Based on a patch by Dan |
| Fabulich. (markt) |
| </add> |
| <add> |
| <bug>62453</bug>: Add a performance optimisation for using expressions |
| in tags that depend on uninitialised tag attributes with implied scope. |
| Generally, using an explicit scope with tag attributes in EL is the best |
| way to avoid various potential performance issues. (markt) |
| </add> |
| <fix> |
| Correctly decode URL paths (<code>+</code> should not be decoded to a |
| space in the path) in the Jasper class loader. (markt) |
| </fix> |
| <fix> |
| <bug>62603</bug>: Fix a potential race condition when development mode |
| is disabled and background compilation checks are enabled. It was |
| possible that some updates would not take effect and/or |
| <code>ClassNotFoundException</code>s would occur. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>62596</bug>: Remove the limit on the size of the initial HTTP |
| upgrade request used to establish the web socket connection. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>62558</bug>: Add Russian translations for the Manager and Host |
| Manager web applications. Based on a patch by Ivan Krasnov. (markt) |
| </add> |
| <add> |
| Add documents for Static Membership service. (kfujino) |
| </add> |
| <add> |
| <bug>62561</bug>: Add advanced class loader configuration information |
| regarding the use of the Server and Shared class loaders to the |
| documentation web application. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that the specified <code>rxBufSize</code> is correctly set as |
| the receiver buffer size. (kfujino) |
| </fix> |
| <fix> |
| Correct the stop order of the Channel components. They stop in the |
| reverse of the startup order. (kfujino) |
| </fix> |
| <add> |
| Added new StaticMembership implementation. This implementation does not |
| require any additional configuration of other |
| <code>ChannelInterceptors</code>. It works only with membership service. |
| (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Support building with Java 9+ while preserving the Java 8 compatibility |
| at runtime (requires Ant 1.9.8 or later). (ebourg) |
| </update> |
| <update> |
| Update WSDL4J library to version 1.6.3 (from 1.6.2). (kkolinko) |
| </update> |
| <update> |
| Update JUnit library to version 4.12 (from 4.11). (kkolinko) |
| </update> |
| <update> |
| Downgrade CGLib library used for testing with EasyMock to version |
| 2.2.2 (from 2.2.3) as version 2.2.3 is not available from Maven Central. |
| (markt) |
| </update> |
| <add> |
| Implement checksum checks when downloading dependencies that are used |
| to build Tomcat. (kkolinko) |
| </add> |
| <fix> |
| Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg) |
| </fix> |
| <update> |
| Update the internal fork of Apache Commons Pool 2 to 3e02523 |
| (2018-08-09) to pick up some bug fixes and enhancements. (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons DBCP 2 to abc0484 |
| (2018-08-09) to pick up some bug fixes and enhancements. (markt) |
| </update> |
| <fix> |
| Correct various spelling errors throughout the source code and |
| documentation. Patch provided by Kazuhiro Sera. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.10 (markt)" rtext="2018-06-25"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>62476</bug>: Use GMT timezone for the value of |
| <code>Expires</code> header as required by HTTP specification |
| (RFC 7231, 7234). (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.9 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Treat the <code>&lt;mapped-name&gt;</code> element of a |
| <code>&lt;env-entry&gt;</code> in web.xml in the same way as the |
| <code>mappedName</code> element of the equivalent <code>@Resource</code> |
| annotation. Both now attempt to set the <code>mappedName</code> property |
| of the resource. (markt) |
| </fix> |
| <fix> |
| Correct the processing of resources with |
| <code>&lt;injection-target&gt;</code>s defined in web.xml. First look |
| for a match using JavaBean property names and then, only if a match is |
| not found, look for a match using fields. (markt) |
| </fix> |
| <fix> |
| When restoring a saved request with a request body after FORM |
| authentication, ensure that calls to the <code>HttpServletRequest</code> |
| methods <code>getRequestURI()</code>, <code>getQueryString()</code> and |
| <code>getProtocol()</code> are not corrupted by the processing of the |
| saved request body. (markt) |
| </fix> |
| <fix> |
| JNDI resources that are defined with injection targets but no value are |
| now treated as if the resource is not defined. (markt) |
| </fix> |
| <fix> |
| Ensure that JNDI names used for <code>&lt;lookup-name&gt;</code> entries |
| in web.xml and for <code>lookup</code> elements of |
| <code>@Resource</code> annotations specify a name with an explicit |
| <code>java:</code> namespace. (markt) |
| </fix> |
| <fix> |
| <bug>50019</bug>: Add support for <code>&lt;lookup-name&gt;</code>. |
| Based on a patch by Gurkan Erdogdu. (markt) |
| </fix> |
| <add> |
| Add the <code>AuthenticatedUserRealm</code> for use with CLIENT-CERT and |
| SPNEGO when just the authenticated user name is required. (markt) |
| </add> |
| <fix> |
| <bug>50175</bug>: Add a new attribute to the standard context |
| implementation, <code>skipMemoryLeakChecksOnJvmShutdown</code>, that |
| allows the user to configure Tomcat to skip the memory leak checks |
| usually performed during web application stop if that stop is triggered |
| by a JVM shutdown. (markt) |
| </fix> |
| <add> |
| <bug>51497</bug>: Add an option, <code>ipv6Canonical</code>, to the |
| <code>AccessLogValve</code> that causes IPv6 addresses to be output in |
| canonical form defined by RFC 5952. (ognjen/markt) |
| </add> |
| <add> |
| <bug>51953</bug>: Add the <code>RemoteCIDRFilter</code> and |
| <code>RemoteCIDRValve</code> that can be used to allow/deny requests |
| based on IPv4 and/or IPv6 client address where the IP ranges are defined |
| using CIDR notation. Based on a patch by Francis Galiegue. (markt) |
| </add> |
| <fix> |
| <bug>62343</bug>: Make CORS filter defaults more secure. This is the fix |
| for CVE-2018-8014. (markt) |
| </fix> |
| <fix> |
| Ensure that the web application resources implementation does not |
| incorrectly cache results for resources that are only visible as class |
| loader resources. (markt) |
| </fix> |
| <fix> |
| <bug>62387</bug>: Do not log a warning message if the file based |
| persistent session store fails to delete the file for a session when the |
| session is invalidated because the file has not been created yet. |
| (markt) |
| </fix> |
| <fix> |
| Make all loggers associated with Tomcat provided Filters non-static to |
| ensure that log messages are not lost when a web application is |
| reloaded. (markt) |
| </fix> |
| <fix> |
| Correct the manifest for the annotations-api.jar. The JAR implements the |
| Common Annotations API 1.3 and the manifest should reflect that. (markt) |
| </fix> |
| <fix> |
| Switch to non-static loggers where there is a possibility of a logger |
| becoming associated with a web application class loader causing log |
| messages to be lost if the web application is stopped. (markt) |
| </fix> |
| <add> |
| <bug>62389</bug>: Add the IPv6 loopback address to the default |
| <code>internalProxies</code> regular expression. Patch by Craig Andrews. |
| (markt) |
| </add> |
| <fix> |
| In the <code>RemoteIpValve</code> and <code>RemoteIpFilter</code>, |
| correctly handle the case when the request passes through one or more |
| <code>trustedProxies</code> but no <code>internalProxies</code>. Based |
| on a patch by zhanhb. (markt) |
| </fix> |
| <fix> |
| Correct the logic in <code>MBeanFactory.removeConnector()</code> to |
| ensure that the correct Connector is removed when there are multiple |
| Connectors using different addresses but the same port. (markt) |
| </fix> |
| <fix> |
| Make <code>JAASRealm</code> mis-configuration more obvious by requiring |
| the authenticated Subject to include at least one Principal of a type |
| specified by <code>userClassNames</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct a regression in the error page handling that prevented error |
| pages from issuing redirects or taking other action that required the |
| response status code to be changed. (markt) |
| </fix> |
| <fix> |
| Consistent exception propagation for NIO2 SSL close. (remm) |
| </fix> |
| <fix> |
| Followup sync fix for NIO2 async IO blocking read/writes. (remm) |
| </fix> |
| <fix> |
| Log an error message if the AJP connector detects that the reverse proxy |
| is sending AJP messages that are too large for the configured |
| <code>packetSize</code>. (markt) |
| </fix> |
| <fix> |
| Relax Host validation by removing the requirement that the final |
| component of a FQDN must be alphabetic. (markt) |
| </fix> |
| <fix> |
| <bug>62371</bug>: Improve logging of Host validation failures. (markt) |
| </fix> |
| <fix> |
| Fix a couple of unlikely edge cases in the shutting down of the |
| APR/native connector. (markt) |
| </fix> |
| <fix> |
| Add missing handshake timeout for NIO2. (remm) |
| </fix> |
| <fix> |
| Correctly handle a digest authorization header when the user name |
| contains an escaped character. (markt) |
| </fix> |
| <fix> |
| Correctly handle a digest authorization header when one of the hex |
| field values ends the header with an invalid character. (markt) |
| </fix> |
| <fix> |
| Correctly handle an invalid quality value in an |
| <code>Accept-Language</code> header. (markt) |
| </fix> |
| <docs> |
| <bug>62423</bug>: Fix SSL docs CRL attribute typo. (remm) |
| </docs> |
| <fix> |
| Improve IPv6 validation by ensuring that IPv4-Mapped IPv6 addresses do |
| not contain leading zeros in the IPv4 part. Based on a patch by Katya |
| Stoycheva. (markt) |
| </fix> |
| <fix> |
| Fix <code>NullPointerException</code> thrown from <code> |
| replaceSystemProperties()</code> when trying to log messages. (csutherl) |
| </fix> |
| <fix> |
| Avoid unnecessary processing of async timeouts. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>50234</bug>: Add the capability to generate a web-fragment.xml file |
| to JspC. (markt) |
| </add> |
| <fix> |
| <bug>62080</bug>: Ensure that all reads of the current thread's context |
| class loader made by the UEL API and implementation are performed via a |
| <code>PrivilegedAction</code> to ensure that a |
| <code>SecurityException</code> is not triggered when running under a |
| <code>SecurityManager</code>. (mark) |
| </fix> |
| <fix> |
| <bug>62350</bug>: Refactor |
| <code>org.apache.jasper.runtime.BodyContentImpl</code> so a |
| <code>SecurityException</code> is not thrown when running under a |
| SecurityManager and additional permissions are not required in the |
| <code>catalina.policy</code> file. This is a follow-up to the fix for |
| <bug>43925</bug>. (kkolinko/markt) |
| </fix> |
| <fix> |
| Enable JspC from Tomcat 9 to work with Maven JspC compiler plug-ins |
| written for Tomcat 8.5.x. Patch provided by Pavel Cibulka. (markt) |
| </fix> |
| <fix> |
| Update web.xml, web-fragment.xml and web.xml extracts generated by JspC |
| to use the Servlet 4.0 version of the relevant schemas. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Remove duplicate calls when creating a replicated session to reduce the |
| time taken to create the session and thereby reduce the chances of a |
| subsequent session update message being ignored because the session does |
| not yet exist. (markt) |
| </fix> |
| <add> |
| Add the method to send a message with a specified sendOptions. (kfujino) |
| </add> |
| <fix> |
| When sending the <code>GET_ALL_SESSIONS</code> message, make sure that |
| it is sent with the asynchronous option in order to avoid an ack timeout. Waiting to |
| receive the <code>ALL_SESSION_DATA</code> message should be done with |
| <code>waitForSendAllSessions</code> instead of ACK. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <update> |
| Use NIO2 API for websockets writes. (remm) |
| </update> |
| <fix> |
| When decoding of path parameter failed, make sure to throw |
| <code>DecodeException</code> instead of throwing |
| <code>ArrayIndexOutOfBoundsException</code>. (kfujino) |
| </fix> |
| <fix> |
| Improve the handling of exceptions during TLS handshakes for the |
| WebSocket client. (markt) |
| </fix> |
| <fix> |
| Enable host name verification when using TLS with the WebSocket client. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>62395</bug>: Clarify the meaning of the connector attribute |
| <code>minSpareThreads</code> in the documentation web application. |
| (markt) |
| </fix> |
| <fix> |
| Correct the documentation for the <code>allowHostHeaderMismatch</code> |
| attribute of the standard HTTP Connector implementations. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that the correct default value is returned when retrieving unset |
| properties in <code>McastService</code>. (kfujino) |
| </fix> |
| <add> |
| Make <code>MembershipService</code> more easily extensible. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| When <code>logValidationErrors</code> is set to true, the connection |
| validation error is logged as <code>SEVERE</code> instead of |
| <code>WARNING</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Ensure that Apache Tomcat may be built from source with Java 11. (markt) |
| </fix> |
| <add> |
| <bug>52381</bug>: Add OSGi metadata to JAR files. (markt) |
| </add> |
| <fix> |
| <bug>62391</bug>: Remove references to <code>javaw.exe</code> as this |
| file is not required by Tomcat and the references prevent the use of the |
| Server JRE. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.17 to |
| pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL |
| 1.0.2o. (markt) |
| </update> |
| <update> |
| <bug>62458</bug>: Update the internal fork of Commons Pool 2 to dfef97b |
| (2018-06-18) to pick up some bug fixes and enhancements. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP 2 to 2.4.0. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.8 (markt)" rtext="2018-05-03"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>62263</bug>: Avoid a <code>NullPointerException</code> when the |
| <code>RemoteIpValve</code> processes a request for which no Context can |
| be found. (markt) |
| </fix> |
| <add> |
| <bug>62258</bug>: Don't trigger the standard error page mechanism when |
| the error has caused the connection to the client to be closed as no-one |
| will ever see the error page. (markt) |
| </add> |
| <fix> |
| Register MBean when DataSource Resource <code> |
| type="javax.sql.XADataSource"</code>. Patch provided by Masafumi Miura. |
| (csutherl) |
| </fix> |
| <fix> |
| Fix a rare edge case that is unlikely to occur in real usage. This edge |
| case meant that writing long streams of UTF-8 characters to the HTTP |
| response that consisted almost entirely of surrogate pairs could result |
| in one surrogate pair being dropped. (markt) |
| </fix> |
| <add> |
| Update the internal fork of Apache Commons BCEL to r1829827 to add early |
| access Java 11 support to the annotation scanning code. (markt) |
| </add> |
| <fix> |
| <bug>62297</bug>: Enable the <code>CrawlerSessionManagerValve</code> to |
| correctly handle bots that crawl multiple hosts and/or web applications |
| when the Valve is configured on a Host or an Engine. (fschumacher) |
| </fix> |
| <fix> |
| <bug>62309</bug>: Fix a <code>SecurityException</code> when using JASPIC |
| under a <code>SecurityManager</code> when authentication is not |
| mandatory. (markt) |
| </fix> |
| <fix> |
| <bug>62329</bug>: Correctly list resources in JAR files when directories |
| do not have dedicated entries. Patch provided by Meelis Müür. (markt) |
| </fix> |
| <add> |
| Collapse multiple leading <code>/</code> characters to a single |
| <code>/</code> in the return value of |
| <code>HttpServletRequest#getContextPath()</code> to avoid issues if the |
| value is used with <code>HttpServletResponse#sendRedirect()</code>. This |
| behaviour is enabled by default and configurable via the new Context |
| attribute <code>allowMultipleLeadingForwardSlashInPath</code>. (markt) |
| </add> |
| <fix> |
| Improve handling of overflow in the UTF-8 decoder with supplementary |
| characters. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct off-by-one error in thread pool that allowed thread pools to |
| increase in size to one more than the configured limit. Patch provided |
| by usc. (markt) |
| </fix> |
| <fix> |
| Prevent unexpected TLS handshake failures caused by errors during a |
| previous handshake that were not correctly cleaned-up when using the NIO |
| or NIO2 connector with the <code>OpenSSLImplementation</code>. (markt) |
| </fix> |
| <add> |
| <bug>62273</bug>: Implement configuration options to work-around |
| specification non-compliant user agents (including all the major |
| browsers) that do not correctly %nn encode URI paths and query strings |
| as required by RFC 7230 and RFC 3986. (markt) |
| </add> |
| <fix> |
| Fix sync for NIO2 async IO blocking read/writes. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Update the Eclipse Compiler for Java to 4.7.3a. (markt) |
| </update> |
| <update> |
| Allow <code>9</code> to be used to specify Java 9 as the compiler source |
| and/or compiler target for JSP compilation. The Early Access value of |
| <code>1.9</code> is still supported. (markt) |
| </update> |
| <add> |
| Add support for specifying Java 10 (with the value <code>10</code>) as |
| the compiler source and/or compiler target for JSP compilation. (markt) |
| </add> |
| <fix> |
| <bug>62287</bug>: Do not rely on hash codes to test instances of |
| <code>ValueExpressionImpl</code> for equality. Patch provided by Mark |
| Struberg. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>62301</bug>: Correct a regression in the fix for <bug>61491</bug> |
| that didn't correctly handle a final empty message part in all |
| circumstances when using <code>PerMessageDeflate</code>. (markt) |
| </fix> |
| <fix> |
| <bug>62332</bug>: Ensure WebSocket connections are closed after an I/O |
| error is experienced reading from the client. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Avoid warning when running under Cygwin when the |
| <code>JAVA_ENDORSED_DIRS</code> environment variable is not set. Patch |
| provided by Zemian Deng. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.7 (markt)" rtext="2018-04-07"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>51195</bug>: Avoid a false positive report of a web application |
| memory leak by clearing <code>ObjectStreamClass$Caches</code> of classes |
| loaded by the web application when the web application is stopped. |
| (markt) |
| </fix> |
| <fix> |
| <bug>52688</bug>: Add support for the <code>maxDays</code> attribute to |
| the <code>AccessLogValve</code> and <code>ExtendedAccessLogValve</code>. |
| This allows the maximum number of days for which rotated access logs |
| should be retained before deletion to be defined. (markt) |
| </fix> |
| <fix> |
| Ensure the MBean names for the <code>SSLHostConfig</code> and |
| <code>SSLHostConfigCertificate</code> are correctly formed when the |
| <code>Connector</code> is bound to a specific IP address. (markt) |
| </fix> |
| <fix> |
| <bug>62168</bug>: When using the <code>PersistentManager</code> honor a |
| value of <code>-1</code> for <code>minIdleSwap</code> and do not swap |
| out sessions to keep the number of active sessions under |
| <code>maxActive</code>. Patch provided by Holger Sunke. (markt) |
| </fix> |
| <fix> |
| <bug>62172</bug>: Improve Javadoc for |
| <code>org.apache.catalina.startup.Constants</code> and ensure that the |
| constants are correctly used. (markt) |
| </fix> |
| <fix> |
| <bug>62175</bug>: Avoid infinite recursion, when trying to validate |
| a session while loading it with <code>PersistentManager</code>. |
| (fschumacher) |
| </fix> |
| <fix> |
| Ensure that <code>NamingContextListener</code> instances are only |
| notified once of property changes on the associated naming resources. |
| (markt) |
| </fix> |
| <add> |
| <bug>62224</bug>: Disable the <code>forkJoinCommonPoolProtection</code> |
| of the <code>JreMemoryLeakPreventionListener</code> when running on Java |
| 9 and above since the underlying JRE bug has been fixed. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Avoid potential loop in APR/Native poller. (markt) |
| </fix> |
| <fix> |
| Ensure streams that are received but not processed are excluded from the |
| tracking of maximum ID of processed streams. (markt) |
| </fix> |
| <fix> |
| Refactor the check for a paused connector to consistently prevent new |
| streams from being created after the connector has been paused. (markt) |
| </fix> |
| <fix> |
| Improve debug logging for HTTP/2 pushed streams. (markt) |
| </fix> |
| <fix> |
| The OpenSSL engine SSL session will now ignore invalid accesses. (remm) |
| </fix> |
| <fix> |
| <bug>62177</bug>: Correct two protocol errors with HTTP/2 |
| <code>PUSH_PROMISE</code> frames. Firstly, the HTTP/2 protocol only |
| permits pushes to be sent on peer initiated requests. Secondly, pushes |
| must be sent in order of increasing stream ID. These restrictions were |
| not being enforced leading to protocol errors at the client. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Add document for <code>FragmentationInterceptor</code>. (kfujino) |
| </add> |
| <add> |
| Document how the roles for an authenticated user are determined when the |
| <code>CombinedRealm</code> is used. (markt) |
| </add> |
| <fix> |
| <bug>62163</bug>: Correct the Tomcat Setup documentation that |
| incorrectly referred to Java 7 as the minimum version rather than Java |
| 8. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Add JMX support for <code>FragmentationInterceptor</code> in order to |
| prevent a warning on startup. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Ensure that <code>SQLWarning</code> has been cleared when connection |
| returns to the pool. (kfujino) |
| </fix> |
| <add> |
| Enable clearing of <code>SQLWarning</code> via JMX. (kfujino) |
| </add> |
| <fix> |
| Ensure that parameters have been cleared when |
| <code>PreparedStatement</code> and/or <code>CallableStatement</code> are |
| cached. (kfujino) |
| </fix> |
| <fix> |
| Enable PoolCleaner to be started even if <code>validationQuery</code> |
| is not set. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the build script so MD5 hashes are no longer generated for |
| releases as per the change in the ASF distribution policy. (markt) |
| </update> |
| <fix> |
| <bug>62164</bug>: Switch the build script to use TLS for downloads from |
| SourceForge and Maven Central to avoid failures due to HTTP to HTTPS |
| redirects. (markt) |
| </fix> |
| <add> |
| Always report the OS's umask when launching the JVM. (schultz) |
| </add> |
| <add> |
| Add managed connections package to the package renamed DBCP 2 to provide |
| a complete DBCP 2 in Tomcat. (remm) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.6 (markt)" rtext="2018-03-08"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>43866</bug>: Add additional attributes to the Manager to provide |
| control over which listeners are called when an attribute is added to |
| the session when it has already been added under the same name. This is |
| to aid clustering scenarios where <code>setAttribute()</code> is often |
| called to signal that the attribute value has been mutated and needs to |
| be replicated but it may not be required, or even desired, for the |
| associated listeners to be triggered. The default behaviour has not been |
| changed. (markt) |
| </fix> |
| <fix> |
| Minor optimization when calling class transformers. (rjung) |
| </fix> |
| <add> |
| Pass errors triggered by invalid requests or unavailable services to the |
| application provided error handling and/or the container provided error |
| handling (<code>ErrorReportValve</code>) as appropriate. (markt) |
| </add> |
| <add> |
| <bug>41007</bug>: Add the ability to specify static HTML responses for |
| specific error codes and/or exception types with the |
| <code>ErrorReportValve</code>. (markt) |
| </add> |
| <fix> |
| Prevent Tomcat from applying gzip compression to content that is already |
| compressed with brotli compression. Based on a patch provided by burka. |
| (markt) |
| </fix> |
| <fix> |
| <bug>62090</bug>: Null container names are not allowed. (remm) |
| </fix> |
| <fix> |
| <bug>62104</bug>: Fix programmatic login regression as the |
| NonLoginAuthenticator has to be set for it to work (if no login method |
| is specified). (remm) |
| </fix> |
| <fix> |
| <bug>62117</bug>: Improve error message in <code>catalina.sh</code> when |
| calling <code>kill -0 &lt;pid&gt;</code> fails. Based on a suggestion |
| from Mark Morschhaeuser. (markt) |
| </fix> |
| <fix> |
| <bug>62118</bug>: Correctly create a JNDI <code>ServiceRef</code> using |
| the specified interface rather than the concrete type. Based on a |
| suggestion by Ángel Álvarez Páscua. (markt) |
| </fix> |
| <fix> |
| Fix for <code>RequestDumperFilter</code> log attribute. Patch provided |
| by Kirill Romanov via GitHub. (violetagg) |
| </fix> |
| <fix> |
| <bug>62123</bug>: Avoid <code>ConcurrentModificationException</code> |
| when attempting to clean up application triggered RMI memory leaks on |
| web application stop. (markt) |
| </fix> |
| <add> |
| When a deployment descriptor is deployed that includes a |
| <code>path</code> attribute, log a warning that the <code>path</code> |
| attribute will be ignored. (markt) |
| </add> |
| <add> |
| When a deployment descriptor is deployed that references an external |
| <code>docBase</code> and, as a result, a <code>docBase</code> under the |
| <code>appBase</code> will be ignored, log a warning. (markt) |
| </add> |
| <fix> |
| Correct a regression in the fix for <bug>60276</bug> that meant that |
| compression was applied to all MIME types. Patch provided by Stefan |
| Knoblich. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Add async HTTP/2 parser for NIO2. (remm) |
| </add> |
| <fix> |
| Add minor HPACK fixes, based on fixes by Stuart Douglas. (remm) |
| </fix> |
| <fix> |
| <bug>61751</bug>: Follow up fix so that OpenSSL engine returns |
| underflow when unwrapping if no bytes were produced and the input is |
| empty. (remm) |
| </fix> |
| <fix> |
| Minor OpenSSL engine cleanups. (remm) |
| </fix> |
| <fix> |
| NIO SSL handshake should throw an exception on overflow status, like |
| NIO2 SSL. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>47467</bug>: When deploying a web application via the manager |
| application and a path is not explicitly specified, derive it from the |
| provided deployment descriptor or, if that is not present, the WAR or |
| DIR. (markt) |
| </add> |
| <add> |
| <bug>48672</bug>: Add documentation for the Host Manager web |
| application. Patch provided by Marek Czernek. (markt) |
| </add> |
| <add> |
| Add support for specifying the application version when deploying an |
| application via the Manager application HTML interface. (markt) |
| </add> |
| <add> |
| Work-around a known, non-specification compliant behaviour in some |
| versions of IE that can allow XSS when the Manager application generates |
| a plain text response. Based on a suggestion from Muthukumar Marikani. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.5 (markt)" rtext="2018-02-11"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Prevent a stack trace being written to standard out when running on Java |
| 10 due to changes in the <code>LogManager</code> implementation. (markt) |
| </fix> |
| <fix> |
| Avoid duplicate load attempts if one has been made already. (remm) |
| </fix> |
| <fix> |
| Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine. |
| (remm) |
| </fix> |
| <fix> |
| <bug>62000</bug>: When a JNDI reference cannot be resolved, ensure that |
| the root cause exception is reported rather than swallowed. (markt) |
| </fix> |
| <fix> |
| <bug>62036</bug>: When caching an authenticated user Principal in the |
| session when the web application is configured with the |
| <code>NonLoginAuthenticator</code>, cache the internal Principal object |
| rather than the user facing Principal object as Tomcat requires the |
| internal object to correctly process later authorization checks. (markt) |
| </fix> |
| <add> |
| Refactor error handling to enable errors that occur before processing is |
| passed to the application to be handled by the application provided |
| error handling and/or the container provided error handling |
| (<code>ErrorReportValve</code>) as appropriate. (markt) |
| </add> |
| <add> |
| Pass 404 errors triggered by a missing ROOT web application to the |
| container error handling to generate the response body. (markt) |
| </add> |
| <add> |
| Pass 400 errors triggered by invalid request targets to the container |
| error handling to generate the response body. (markt) |
| </add> |
| <fix> |
| Provide a correct <code>Allow</code> header when responding to an HTTP |
| <code>TRACE</code> request for a JSP with a 405 status code. (markt) |
| </fix> |
| <fix> |
| When using Tomcat embedded, only perform Authenticator configuration |
| once during web application start. (markt) |
| </fix> |
| <fix> |
| <bug>62067</bug>: Correctly apply security constraints mapped to the |
| context root using a URL pattern of <code>""</code>. (markt) |
| </fix> |
| <fix> |
| Process all <code>ServletSecurity</code> annotations at web application |
| start rather than at servlet load time to ensure constraints are applied |
| consistently. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61751</bug>: Fix truncated request input streams when using NIO2 |
| with TLS. (markt) |
| </fix> |
| <fix> |
| <bug>62023</bug>: Log error reporting multiple SSLHostConfig elements |
| when using the APR Connector instead of crashing Tomcat. (csutherl) |
| </fix> |
| <fix> |
| <bug>62032</bug>: Fix NullPointerException when certificateFile is not |
| defined on an SSLHostConfig and unify the behavior when a |
| certificateFile is defined but the file does not exist for both |
| JKS and PEM file types. (csutherl) |
| </fix> |
| <fix> |
| Ensure that the <code>toString()</code> method behaves consistently for |
| <code>ByteChunk</code> and <code>CharChunk</code> and that |
| <code>null</code> is returned when <code>toString()</code> is called |
| both on newly created objects and immediately after a call to |
| <code>recycle()</code>. This should not impact typical Tomcat users. It |
| may impact users who use these classes directly in their own code. |
| (markt) |
| </fix> |
| <fix> |
| Ensure that the <code>toString()</code>, <code>toBytes()</code> and |
| <code>toChars()</code> methods of <code>MessageBytes</code> behave |
| consistently and do not throw a <code>NullPointerException</code> both |
| on newly created objects and immediately after a call to |
| <code>recycle()</code>. This should not impact typical Tomcat users. It |
| may impact users who use these classes directly in their own code. |
| (markt) |
| </fix> |
| <fix> |
| When processing an HTTP 1.0 request in the HTTP connector and no host |
| information is provided in the request, obtain the server port from the |
| local port rather than the connector configuration since the configured |
| value may be zero. (markt) |
| </fix> |
| <add> |
| Enable strict validation of the provided host name and port for all |
| connectors. Requests with invalid host names and/or ports will be |
| rejected with a 400 response. (markt) |
| </add> |
| <fix> |
| Update the host validation to permit host names and components of domain |
| names (excluding top-level domains) to start with a number and to ensure |
| that top-level domains are fully alphabetic. (markt) |
| </fix> |
| <fix> |
| <bug>62053</bug>: Fix NPE when writing push headers with HTTP/2 NIO2. |
| Patch submitted by Holger Sunke. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Include an HTTP <code>Allow</code> header when a JSP generates a |
| 405 response due to a request with an unsupported method. (markt) |
| </fix> |
| <add> |
| Add support for the HTTP <code>OPTION</code> method to JSPs. The |
| JSP specification explicitly states that the behaviour for this |
| method is undefined for JSPs so this is a Tomcat specific |
| behaviour. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>62024</bug>: When closing a connection with an abnormal close, |
| close the socket immediately rather than waiting for a close message |
| from the client that may never arrive. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Webapps"> |
| <changelog> |
| <fix> |
| <bug>62049</bug>: Fix missing class from manager 404 JSP error page. |
| (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <add> |
| Enhance the JMX support for jdbc-pool in order to expose |
| <code>PooledConnection</code> and <code>JdbcInterceptors</code>. |
| (kfujino) |
| </add> |
| <add> |
| Add MBean for <code>PooledConnection</code>. (kfujino) |
| </add> |
| <add> |
| <bug>62011</bug>: Add MBean for <code>StatementCache</code>. (kfujino) |
| </add> |
| <add> |
| Expose the cache size for each connection via JMX in |
| <code>StatementCache</code>. (kfujino) |
| </add> |
| <add> |
| Add MBean for <code>ResetAbandonedTimer</code>. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the list with the public interfaces in the RELEASE-NOTES. |
| (violetagg) |
| </update> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.03. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.4 (markt)" rtext="2018-01-22"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct a regression in the previous fix for <bug>61916</bug> that meant |
| that any call to <code>addHeader()</code> would have been replaced with |
| a call to <code>setHeader()</code> for all requests mapped to the |
| <code>AddDefaultCharsetFilter</code>. (markt) |
| </fix> |
| <fix> |
| <bug>61999</bug>: maxSavePostSize set to 0 should disable saving POST |
| data during authentication. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix NIO2 HTTP/2 sendfile. (remm) |
| </fix> |
| <fix> |
| <bug>61993</bug>: Improve handling for <code>ByteChunk</code> and |
| <code>CharChunk</code> instances that grow close to the maximum size |
| allowed by the JRE. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>43925</bug>: Add a new system property |
| (<code>org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE</code>) to |
| control the size of the buffer used by Jasper when buffering tag bodies. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>62006</bug>: Document the new <code>JvmOptions9</code> command line |
| parameter for <code>tomcat9.exe</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.3 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>57619</bug>: Implement a small optimisation to how JAR URLs are |
| processed to reduce the storage of duplicate String objects in memory. |
| Patch provided by Dmitri Blinov. (markt) |
| </add> |
| <fix> |
| Add some missing NPEs to ServletContext. (remm) |
| </fix> |
| <fix> |
| Update the Java EE 8 XML schema to the released versions. (markt) |
| </fix> |
| <fix> |
| Minor HTTP/2 push fixes. (remm) |
| </fix> |
| <fix> |
| <bug>61916</bug>: Extend the <code>AddDefaultCharsetFilter</code> to add |
| a character set when the content type is set via |
| <code>setHeader()</code> or <code>addHeader()</code> as well as when it |
| is set via <code>setContentType()</code>. (markt) |
| </fix> |
| <fix> |
| When using WebDAV to copy a file resource to a destination that requires |
| a collection to be overwritten, ensure that the operation succeeds |
| rather than fails (with a 500 response). This enables Tomcat to pass two |
| additional tests from the Litmus WebDAV test suite. (markt) |
| </fix> |
| <update> |
| Modify the Default and WebDAV Servlets so that a 405 status code is |
| returned for <code>PUT</code> and <code>DELETE</code> requests when |
| disabled via the <code>readonly</code> initialisation parameter. |
| </update> |
| <fix> |
| Align the contents of the <code>Allow</code> header with the response |
| code for the Default and WebDAV Servlets. For any given resource a |
| method that returns a 405 status code will not be listed in the |
| <code>Allow</code> header and a method listed in the <code>Allow</code> |
| header will not return a 405 status code. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>60276</bug>: Implement GZIP compression support for responses |
| served over HTTP/2. (markt) |
| </add> |
| <fix> |
| Do not call onDataAvailable without any data to read. (remm) |
| </fix> |
| <fix> |
| Correctly handle EOF when <code>ServletInputStream.isReady()</code> is |
| called. (markt) |
| </fix> |
| <fix> |
| <bug>61886</bug>: Log errors on non-container threads at |
| <code>DEBUG</code> rather than <code>INFO</code>. The exception will be |
| made available to the application via the asynchronous error handling |
| mechanism. (markt) |
| </fix> |
| <fix> |
| <bug>61914</bug>: Possible NPE with Java 9 when creating an SSL engine. |
| Patch submitted by Evgenij Ryazanov. (remm) |
| </fix> |
| <fix> |
| <bug>61918</bug>: Fix connectionLimitLatch counting when closing an |
| already closed socket. Based on a patch by Ryan Fong. (remm) |
| </fix> |
| <add> |
| Add support for the OpenSSL ARIA ciphers to the OpenSSL to JSSE |
| cipher mapping. (markt) |
| </add> |
| <fix> |
| <bug>61932</bug>: Allow a call to <code>AsyncContext.dispatch()</code> |
| to terminate non-blocking I/O. (markt) |
| </fix> |
| <fix> |
| <bug>61948</bug>: Improve the handling of malformed ClientHello messages |
| in the code that extracts the SNI information from a TLS handshake for |
| the JSSE based NIO and NIO2 connectors. (markt) |
| </fix> |
| <fix> |
| Fix NIO2 handshaking with a full input buffer. (remm) |
| </fix> |
| <add> |
| Return a simple, plain text error message if a client attempts to make a |
| plain text HTTP connection to a TLS enabled NIO or NIO2 Connector. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>61854</bug>: When using sets and/or maps in EL expressions, ensure |
| that Jasper correctly parses the expression. Patch provided by Ricardo |
| Martin Camarero. (markt) |
| </fix> |
| <fix> |
| Improve the handling of methods with varargs in EL expressions. In |
| particular, the calling of a varargs method with no parameters now works |
| correctly. Based on a patch by Nitkalya (Ing) Wiriyanuparb. (markt) |
| </fix> |
| <fix> |
| <bug>61945</bug>: Fix prototype mode used to compile tags. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>61223</bug>: Add the mbeans-descriptors.dtd file to the custom |
| MBean documentation so users have a reference to use when constructing |
| mbeans-descriptors.xml files for custom components. (markt) |
| </add> |
| <add> |
| <bug>61565</bug>: Add the ability to trigger a reloading of TLS host |
| configuration (certificate and key files, server.xml is not re-parsed) |
| via the Manager web application. (markt) |
| </add> |
| <add> |
| <bug>61566</bug>: Expose the currently in use certificate chain and list |
| of trusted certificates for all virtual hosts configured using the JSSE |
| style (keystore) TLS configuration via the Manager web application. |
| (markt) |
| </add> |
| <fix> |
| Partial fix for <bug>61886</bug>. Ensure that multiple threads do not |
| attempt to complete the <code>AsyncContext</code> if an I/O error occurs |
| in the stock ticker example Servlet. (markt) |
| </fix> |
| <fix> |
| <bug>61886</bug>: Prevent <code>ConcurrentModificationException</code> |
| when running the asynchronous stock ticker in the examples web |
| application. (markt) |
| </fix> |
| <fix> |
| <bug>61886</bug>: Prevent <code>NullPointerException</code> and other |
| errors if the stock ticker example is running when the examples web |
| application is stopped. (markt) |
| </fix> |
| <fix> |
| <bug>61910</bug>: Clarify the meaning of the <code>allowLinking</code> |
| option in the documentation web application. (markt) |
| </fix> |
| <add> |
| Add OCSP configuration information to the SSL How-To. Patch provided by |
| Marek Czernek. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>61312</bug>: Prevent <code>NullPointerException</code> when using |
| the statement cache of a connection that has been closed. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Add an additional system property for the system property replacement. |
| (remm) |
| </fix> |
| <fix> |
| Add missing SHA-512 hash for release artifacts to the build script. |
| (markt) |
| </fix> |
| <update> |
| Update the internal fork of Commons Pool 2 to 2.4.3. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP 2 to 8a71764 (2017-10-18) to |
| pick up some bug fixes and enhancements. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons FileUpload to 6c00d57 (2017-11-23) |
| to pick up some code clean-up. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to r1817136 to pick up some |
| code clean-up. (markt) |
| </update> |
| <fix> |
| The native source bundles (for Commons Daemon and Tomcat Native) are no |
| longer copied to the bin directory for the deploy target. They are now |
| only copied to the bin directory for the release target. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.2 (markt)" rtext="2017-11-30"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Fix possible <code>SecurityException</code> when using TLS related |
| request attributes. (markt) |
| </fix> |
| <fix> |
| <bug>61597</bug>: Extend the <code>StandardJarScanner</code> to scan |
| JARs on the module path when running on Java 9 and class path scanning |
| is enabled. (markt) |
| </fix> |
| <fix> |
| <bug>61601</bug>: Add support for multi-release JARs in JAR scanning and |
| web application class loading. (markt) |
| </fix> |
| <fix> |
| <bug>61681</bug>: Allow HTTP/2 push when using request wrapping. (remm) |
| </fix> |
| <add> |
| Provide the <code>SessionInitializerFilter</code> that can be used to |
| ensure that an HTTP session exists when initiating a WebSocket |
| connection. Patch provided by isapir. (markt) |
| </add> |
| <fix> |
| <bug>61682</bug>: When re-prioritising HTTP/2 streams, ensure that both |
| parent and children fields are correctly updated to avoid a possible |
| <code>StackOverflowError</code>. (markt) |
| </fix> |
| <fix> |
| Improve concurrency by reducing the scope of the synchronisation for |
| <code>javax.security.auth.message.config.AuthConfigFactory</code> in the |
| JASPIC API implementation. Based on a patch by Pavan Kumar. (markt) |
| </fix> |
| <fix> |
| Avoid a possible <code>NullPointerException</code> when timing out |
| <code>AsyncContext</code> instances during shut down. (markt) |
| </fix> |
| <fix> |
| <bug>61777</bug>: Avoid a <code>NullPointerException</code> when |
| detaching a JASPIC <code>RegistrationListener</code>. Patch provided by |
| Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61778</bug>: Correct the return value when detaching a JASPIC |
| <code>RegistrationListener</code>. Patch provided by Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61779</bug>: Avoid a <code>NullPointerException</code> when a |
| <code>null</code> <code>RegistrationListener</code> is passed to |
| <code>AuthConfigFactory.getConfigProvider()</code>. Patch provided by |
| Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61780</bug>: Only include the default JASPIC registration ID in the |
| return value for a call to |
| <code>AuthConfigFactory.getRegistrationIDs()</code> if a |
| <code>RegistrationContext</code> has been registered using the default |
| registration ID. Patch provided by Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61781</bug>: Enable JASPIC provider registrations to be persisted |
| when the layer and/or application context are <code>null</code>. Patch |
| provided by Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61782</bug>: When calling |
| <code>AuthConfigFactory.doRegisterConfigProvider()</code> and the |
| requested JASPIC config provider class is found by the web application |
| class loader, do not attempt to load the class with the class loader |
| that loaded the JASPIC API. Patch provided by Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61783</bug>: When calling |
| <code>AuthConfigFactory.removeRegistration()</code> and the registration |
| is persistent, it should be removed from the persistent store. Patch |
| provided by Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61784</bug>: Correctly handle the case when |
| <code>AuthConfigFactoryImpl.registerConfigProvider()</code> is called |
| with a provider name of <code>null</code>. Patch provided by Lazar. |
| (markt) |
| </fix> |
| <add> |
| <bug>61795</bug>: Add a property to the <code>Authenticator</code> |
| implementations to enable a custom JASPIC <code>CallbackHandler</code> |
| to be specified. Patch provided by Lazar. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61568</bug>: Avoid a potential <code>SecurityException</code> when |
| using the NIO2 connector and a new thread is added to the pool. (markt) |
| </fix> |
| <fix> |
| <bug>61583</bug>: Correct a further regression in the fix to enable the |
| use of Java key stores that contained multiple keys that did not all |
| have the same password. This fixes PKCS11 key store handling with |
| multiple keys selected with an alias. (markt) |
| </fix> |
| <fix> |
| Improve NIO2 syncing for async IO operations. (remm) |
| </fix> |
| <add> |
| Sendfile support for HTTP/2 and NIO2. (remm) |
| </add> |
| <fix> |
| Reduce default HTTP/2 stream concurrent execution within a connection |
| from 200 to 20. (remm) |
| </fix> |
| <fix> |
| <bug>61668</bug>: Avoid a possible NPE when calling |
| <code>AbstractHttp11Protocol.getSSLProtocol()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>61673</bug>: Avoid a possible |
| <code>ConcurrentModificationException</code> when working with the |
| streams associated with a connection. (markt) |
| </fix> |
| <fix> |
| <bug>61719</bug>: Avoid possible NPE calling |
| InputStream.setReadListener with HTTP/2. (remm) |
| </fix> |
| <fix> |
| <bug>61736</bug>: Improve performance of NIO connector when clients |
| leave large time gaps between network packets. Patch provided by Zilong |
| Song. (markt) |
| </fix> |
| <fix> |
| <bug>61740</bug>: Correct an off-by-one error in the Hpack header index |
| validation that caused intermittent request failures when using HTTP/2. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>61604</bug>: Fix SMAP generation for JSPs that generate no output. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61816</bug>: Invalid expressions in attribute values or template |
| text should trigger a translation (compile time) error, not a run time |
| error. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>61604</bug>: Add support for authentication in the websocket |
| client. Patch submitted by J Fernandez. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct Javadoc links to point to Java SE 8 and Java EE 8. (markt) |
| </fix> |
| <fix> |
| Enable Javadoc to be built with Java 9. (markt) |
| </fix> |
| <fix> |
| <bug>61603</bug>: Add XML filtering for the status servlet output where |
| needed. (remm) |
| </fix> |
| <fix> |
| Correct the description of how the CGI servlet maps a request to a |
| script in the CGI How-To. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Fix incorrect behavior that attempts to resend channel messages more |
| than the actual setting value of <code>maxRetryAttempts</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the remaining Sender can send channel messages by avoiding |
| unintended <code>ChannelException</code> caused by comparing the number |
| of failed members and the number of remaining Senders. (kfujino) |
| </fix> |
| <fix> |
| Ensure that remaining SelectionKeys that were not handled by throwing a |
| <code>ChannelException</code> during SelectionKey processing are |
| handled. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Improve the fix for <bug>61439</bug> and exclude the JPA, JAX-WS and EJB |
| annotations completely from the Tomcat distributions. (markt) |
| </fix> |
| <fix> |
| Improve handling of endorsed directories. The endorsed directory |
| mechanism will only be used if the <code>JAVA_ENDORSED_DIRS</code> |
| system property is explicitly set or if |
| <code>$CATALINA_HOME/endorsed</code> exists. When running on Java 9, any |
| such attempted use of the endorsed directory mechanism will trigger an |
| error and Tomcat will fail to start. (rjung) |
| </fix> |
| <add> |
| <bug>51496</bug>: When using the Windows installer, check if the |
| requested service name already exists and, if it does, prompt the user |
| to select an alternative service name. Patch provided by Ralph |
| Plawetzki. (markt) |
| </add> |
| <fix> |
| <bug>61590</bug>: Enable <code>service.bat</code> to recognise when |
| <code>JAVA_HOME</code> is configured for a Java 9 JDK. (markt) |
| </fix> |
| <fix> |
| <bug>61598</bug>: Update the Windows installer to search the new (as of |
| Java 9) registry locations when looking for a JRE. (markt) |
| </fix> |
| <add> |
| Add generation of a SHA-512 hash for release artifacts to the build |
| script. (markt) |
| </add> |
| <fix> |
| <bug>61658</bug>: Update MIME mappings for fonts to use |
| <code>font/*</code> as per RFC8081. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.16 to |
| pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL |
| 1.0.2m. (markt) |
| </update> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.02.1. (kkolinko) |
| </update> |
| <update> |
| Update the Windows installer to use "The Apache Software Foundation" as |
| the Publisher when Tomcat is displayed in the list of installed |
| applications in Microsoft Windows. (kkolinko) |
| </update> |
| <fix> |
| <bug>61803</bug>: Remove outdated SSL information from the Security |
| documentation. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.1 (markt)" rtext="2017-09-30"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Use the correct path when loading the JVM <code>logging.properties</code> |
| file for Java 9. (rjung) |
| </fix> |
| <fix> |
| Add additional validation to the resource handling required to fix |
| CVE-2017-12617 on Windows. The checks were being performed elsewhere but |
| adding them to the resource handling ensures that the checks are always |
| performed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>61563</bug>: Correct typos in Spanish translation. Patch provided by |
| Gonzalo Vásquez. (csutherl) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being |
| uploaded via a specially crafted request when HTTP PUT was enabled. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61554</bug>: Exclude test files in unusual encodings and markdown |
| files intended for display in GitHub from RAT analysis. Patch provided |
| by Chris Thistlethwaite. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>60762</bug>: Add the ability to make changes to the TLS |
| configuration of a connector at runtime without having to restart the |
| Connector. (markt) |
| </add> |
| <add> |
| Add an option to reject requests that contain HTTP headers with invalid |
| (non-token) header names with a 400 response and reject such requests by |
| default. (markt) |
| </add> |
| <fix> |
| Implement the requirements of RFC 7230 (and RFC 2616) that HTTP/1.1 |
| requests must include a <code>Host</code> header and any request that |
| does not must be rejected with a 400 response. (markt) |
| </fix> |
| <fix> |
| Implement the requirements of RFC 7230 that any HTTP/1.1 request that |
| specifies a host in the request line, must specify the same host in the |
| <code>Host</code> header and that any such request that does not, must |
| be rejected with a 400 response. This check is optional but enabled by |
| default. It may be disabled with the |
| <code>allowHostHeaderMismatch</code> attribute of the Connector. (markt) |
| </fix> |
| <fix> |
| Implement the requirements of RFC 7230 that any HTTP/1.1 request that |
| contains multiple <code>Host</code> headers is rejected with a 400 |
| response. (markt) |
| </fix> |
| <update> |
| Add a way to set the property source in embedded mode. (remm) |
| </update> |
| <fix> |
| <bug>61557</bug>: Correct a further regression in the fix to enable the |
| use of Java key stores that contain multiple keys that do not all have |
| the same password. The regression broke support for some FIPS compliant |
| key stores. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>61545</bug>: Correctly handle invocations of methods defined in the |
| <code>PooledConnection</code> interface when using pooled XA |
| connections. Patch provided by Nils Winkler. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Update fix for <bug>59904</bug> so that values less than zero are accepted |
| instead of throwing a NegativeArraySizeException. (remm) |
| </fix> |
| <add> |
| Complete the implementation of the Servlet 4.0 specification. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M27 (markt)" rtext="2017-09-19"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Before generating an error page in the <code>ErrorReportValve</code>, |
| check to see if I/O is still permitted for the associated connection |
| so that the page generation can be skipped if the page is never going |
| to be sent. (markt) |
| </fix> |
| <add> |
| <bug>61189</bug>: Add the ability to set environment variables for |
| individual CGI scripts. Based on a patch by jm009. (markt) |
| </add> |
| <fix> |
| <bug>61210</bug>: When running under a SecurityManager, do not print a |
| warning about not being able to read a logging configuration file when |
| that file does not exist. (markt) |
| </fix> |
| <add> |
| <bug>61280</bug>: Add RFC 7617 support to the |
| <code>BasicAuthenticator</code>. Note that the default configuration |
| does not change the existing behaviour. (markt) |
| </add> |
| <fix> |
| <bug>61424</bug>: Avoid a possible <code>StackOverflowError</code> when |
| running under a <code>SecurityManager</code> and using |
| <code>Subject.doAs()</code>. (markt) |
| </fix> |
| <add> |
| When running under Java 9 or later, and the |
| <code>urlCacheProtection</code> option of the |
| <code>JreMemoryLeakPreventionListener</code> is enabled, use the API |
| added in Java 9 to only disable the caching for JAR URL connections. |
| (markt) |
| </add> |
| <add> |
| <bug>61489</bug>: When using the CGI servlet, make the generation of |
| command line arguments from the query string (as per section 4.4 of RFC |
| 3875) optional and disabled by default. Based on a patch by jm009. |
| (markt) |
| </add> |
| <fix> |
| <bug>61503</bug>: This corrects a potential regression in the fix for |
| <bug>60940</bug> with an alternative solution that adds the |
| <code>JarEntry</code> objects normally skipped by a |
| <code>JarInputStream</code> only if those entries exist. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| The minimum required Tomcat Native version has been increased to 1.2.14. |
| This version includes a new API needed for correct client certificate |
| support when using a Java connector with the OpenSSL TLS implementation and |
| support for the <code>SSL_CONF</code> OpenSSL API. (rjung) |
| </update> |
| <add> |
| Add support for the OpenSSL <code>SSL_CONF</code> API when using |
| TLS with the OpenSSL implementation. It can be used by adding |
| <code>OpenSSLConf</code> elements underneath <code>SSLHostConfig</code>. |
| The new element contains a list of <code>OpenSSLConfCmd</code> elements, |
| each with the attributes <code>name</code> and <code>value</code>. |
| (rjung) |
| </add> |
| <fix> |
| When using a Java connector in combination with the OpenSSL TLS |
| implementation, do not configure each SSL connection object via |
| the OpenSSLEngine. For OpenSSL the SSL object inherits its |
| settings from the SSL_CTX which we have already configured. |
| (rjung) |
| </fix> |
| <fix> |
| When using JSSE TLS configuration with the OpenSSL implementation and |
| client certificates: include client CA subjects in the TLS handshake |
| so that the client can choose an appropriate client certificate to |
| present. (rjung) |
| </fix> |
| <fix> |
| If an invalid option is specified for the |
| <code>certificateVerification</code> attribute of an |
| <code>SSLHostConfig</code> element, treat it as <code>required</code> |
| which is the most secure / restrictive option in addition to reporting |
| the configuration error. (markt) |
| </fix> |
| <fix> |
| Improve the handling of client disconnections during the TLS |
| renegotiation handshake. (markt) |
| </fix> |
| <fix> |
| Prevent exceptions being thrown during normal shutdown of NIO |
| connections. This enables TLS connections to close cleanly. (markt) |
| </fix> |
| <fix> |
| Fix possible race condition when setting IO listeners on an upgraded |
| connection. (remm) |
| </fix> |
| <fix> |
| Ensure that the APR/native connector uses blocking I/O for TLS |
| renegotiation. (markt) |
| </fix> |
| <fix> |
| <bug>48655</bug>: Enable Tomcat to shutdown cleanly when using sendfile, |
| the APR/native connector and a multi-part download is in progress. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58244</bug>: Handle the case when OpenSSL resumes a TLS session |
| using a ticket and the full client certificate chain is not available. |
| In this case the client certificate without the chain will be presented |
| to the application. (markt) |
| </fix> |
| <fix> |
| Improve the warning message when JSSE and OpenSSL configuration styles |
| are mixed on the same <code>SSLHostConfig</code>. (markt) |
| </fix> |
| <fix> |
| <bug>61415</bug>: Fix TLS renegotiation with OpenSSL based connections |
| and session caching. (markt) |
| </fix> |
| <fix> |
| Delay checking that the configured attributes for an |
| <code>SSLHostConfig</code> instance are consistent with the configured |
| SSL implementation until <code>Connector</code> start to avoid incorrect |
| warnings when the SSL implementation changes during initialisation. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61450</bug>: Fix default key alias algorithm. (remm) |
| </fix> |
| <fix> |
| <bug>61451</bug>: Correct a regression in the fix to enable the use of |
| Java key stores that contained multiple keys that did not all have the |
| same password. The regression broke support for any key store that did |
| not store keys in PKCS #8 format such as hardware key stores and Windows |
| key stores. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>60523</bug>: Reduce the number of packets used to send WebSocket |
| messages by not flushing between the header and the payload when the |
| two are written together. (markt) |
| </fix> |
| <fix> |
| <bug>61491</bug>: When using the <code>permessage-deflate</code> |
| extension, correctly handle the sending of empty messages after |
| non-empty messages to avoid the <code>IllegalArgumentException</code>. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Show connector cipher list in the manager web application in the |
| correct cipher order. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| To avoid unexpected session timeout notification from backup session, |
| update the access time when receiving the map member notification |
| message. (kfujino) |
| </fix> |
| <fix> |
| Add member info to the log message when the failure detection check |
| fails in <code>TcpFailureDetector</code>. (kfujino) |
| </fix> |
| <fix> |
| Avoid a Ping timeout until the map member that was added on receiving a |
| <code>MSG_START</code> message has completely started. (kfujino) |
| </fix> |
| <fix> |
| When sending a channel message, make sure that the Sender has connected. |
| (kfujino) |
| </fix> |
| <fix> |
| Correct the backup node selection logic that caused node 0 to be |
| returned twice consecutively. (kfujino) |
| </fix> |
| <fix> |
| Fix race condition of <code>responseMap</code> in |
| <code>RpcChannel</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>61391</bug>: Ensure that failed queries are logged if the |
| <code>SlowQueryReport</code> interceptor is configured to do so and the |
| connection has been abandoned. Patch provided by Craig Webb. (markt) |
| </fix> |
| <fix> |
| <bug>61425</bug>: Ensure that the transaction of an idle connection has |
| terminated when <code>testWhileIdle</code> is set to |
| <code>true</code> and <code>defaultAutoCommit</code> is set to |
| <code>false</code>. Patch provided by WangZheng. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>61419</bug>: Replace a Unix style comment in the DOS bat file |
| <code>catalina.bat</code> with the correct <code>rem</code> markup. |
| (rjung) |
| </fix> |
| <fix> |
| <bug>61439</bug>: Remove the Java Annotation API classes from |
| tomcat-embed-core.jar and package them in a separate JAR in the |
| embedded distribution to provide end users with greater flexibility to |
| handle potential conflicts with the JRE and/or other JARs. (markt) |
| </fix> |
| <fix> |
| <bug>61441</bug>: Improve the detection of <code>JAVA_HOME</code> by the |
| <code>daemon.sh</code> script when running on a platform where Java has |
| been installed from an RPM. (rjung) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.14 to |
| pick up the latest Windows binaries built with APR 1.6.2 and OpenSSL |
| 1.0.2l. (markt) |
| </update> |
| <update> |
| <bug>61599</bug>: Update to Commons Daemon 1.1.0 for improved Java 9 |
| support. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M26 (markt)" rtext="2017-08-08"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct multiple regressions in the fix for <bug>49464</bug> that could |
| corrupt static content served by the <code>DefaultServlet</code>. (markt) |
| </fix> |
| <fix> |
| Correct a bug in the <code>PushBuilder</code> implementation that |
| meant push URLs containing <code>%nn</code> sequences were not correctly |
| decoded. Identified by FindBugs. (markt) |
| </fix> |
| <add> |
| <bug>61164</bug>: Add support for the <code>%X</code> pattern in the |
| <code>AccessLogValve</code> that reports the connection status at the |
| end of the request. Patch provided by Zemian Deng. (markt) |
| </add> |
| <fix> |
| <bug>61351</bug>: Correctly handle %nn decoding of URL patterns in |
| web.xml and similar locations that may legitimately contain characters |
| that are not permitted by RFC 3986. (markt) |
| </fix> |
| <add> |
| <bug>61366</bug>: Add a new attribute, <code>localDataSource</code>, to |
| the <code>JDBCStore</code> that allows the Store to be configured to use |
| a DataSource defined by the web application rather than the default of |
| using a globally defined DataSource. Patch provided by Jonathan |
| Horowitz. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61086</bug>: Ensure to explicitly signal an empty request body for |
| HTTP 205 responses. Additional fix to r1795278. Based on a patch |
| provided by Alexandr Saperov. (violetagg) |
| </fix> |
| <update> |
| <bug>61345</bug>: Add a server listener that can be used to do system |
| property replacement from the property source configured in the |
| digester. (remm) |
| </update> |
| <add> |
| Add additional logging to record problems that occur while waiting for |
| the NIO pollers to stop during the Connector stop process. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>61364</bug>: Ensure that files are closed after detecting encoding |
| of JSPs so that files do not remain locked by the file system. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| <bug>57767</bug>: Add support to the WebSocket client for following |
| redirects when attempting to establish a WebSocket connection. Patch |
| provided by J Fernandez. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M25 (markt)" rtext="2017-07-28"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Performance improvements for service loader look-ups (and look-ups of |
| other class loader resources) when the web application is deployed in a |
| packed WAR file. (markt) |
| </fix> |
| <fix> |
| <bug>60963</bug>: Add <code>ExtractingRoot</code>, a new |
| <code>WebResourceRoot</code> implementation that extracts JARs to the |
| work directory for improved performance when deploying packed WAR files. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61253</bug>: Add a warning message when Digester.updateAttributes |
| throws an exception instead of ignoring it. (csutherl) |
| </fix> |
| <fix> |
| Correct a further regression in the fix for <bug>49464</bug> that could |
| cause a byte order mark character to appear at the start of content |
| included by the <code>DefaultServlet</code>. (markt) |
| </fix> |
| <fix> |
| <bug>61313</bug>: Make the read timeout configurable in the |
| <code>JNDIRealm</code> and ensure that a read timeout will result in an |
| attempt to fail over to the alternateURL. Based on patches by Peter |
| Maloney and Felix Schumacher. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the documentation for how <code>StandardRoot</code> is |
| configured. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>61316</bug>: Fix corruption of UTF-16 encoded source files in |
| released source distributions. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M24 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>52924</bug>: Add support for a Tomcat specific deployment |
| descriptor, <code>/WEB-INF/tomcat-web.xml</code>. This descriptor has an |
| identical format to <code>/WEB-INF/web.xml</code>. The Tomcat descriptor |
| takes precedence over any settings in <code>conf/web.xml</code> but does |
| not take precedence over any settings in <code>/WEB-INF/web.xml</code>. |
| (markt) |
| </add> |
| <fix> |
| <bug>61232</bug>: When log rotation is disabled only one separator will |
| be used when generating the log file name. For example if the prefix is |
| <code>catalina.</code> and the suffix is <code>.log</code> then the log |
| file name will be <code>catalina.log</code> instead of |
| <code>catalina..log</code>. Patch provided by Katya Stoycheva. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>61264</bug>: Correct a regression in the refactoring to use |
| <code>Charset</code> rather than <code>String</code> to store request |
| character encoding that prevented <code>getReader()</code> throwing an |
| <code>UnsupportedEncodingException</code> if the user agent specifies |
| an unsupported character encoding. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the fix for <bug>49464</bug> that could cause an |
| incorrect <code>Content-Length</code> header to be sent by the |
| <code>DefaultServlet</code> if the encoding of a static file is not |
| consistent with the encoding of the response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Enable TLS connectors to use Java key stores that contain multiple keys |
| where each key has a separate password. Based on a patch by Frank |
| Taffelt. (markt) |
| </fix> |
| <fix> |
| Improve the handling of HTTP/2 stream resets due to excessive headers |
| when a continuation frame is used. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>53031</bug>: Add support for the <code>fork</code> option when |
| compiling JSPs with the Jasper Ant task and javac. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>52791</bug>: Add the ability to set the defaults used by the |
| Windows installer from a configuration file. Patch provided by Sandra |
| Madden. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M23 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>49464</bug>: Improve the Default Servlet's handling of static files |
| when the file encoding is not compatible with the required response |
| encoding. (markt) |
| </fix> |
| <fix> |
| <bug>61214</bug>: Remove deleted attribute <code>servlets</code> from |
| the Context MBean description. Patch provided by Alexis Hassler. (markt) |
| </fix> |
| <fix> |
| <bug>61215</bug>: Correctly define <code>addConnectorPort</code> and |
| <code>invalidAuthenticationWhenDeny</code> in the |
| <code>mbean-descriptors.xml</code> file for the |
| <code>org.apache.catalina.valves</code> package so that the attributes |
| are accessible via JMX. (markt) |
| </fix> |
| <fix> |
| <bug>61216</bug>: Improve layout for <code>CompositeData</code> and |
| <code>TabularData</code> when viewing via the JMX proxy servlet. Patch |
| provided by Alexis Hassler. (markt) |
| </fix> |
| <fix> |
| Additional permission for deleting files is granted to JULI as it is |
| required by FileHandler when running under a Security Manager. The |
| thread that cleans the log files is marked as a daemon thread. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>61229</bug>: Correct a regression in 9.0.0.M21 that broke WebDAV |
| handling for resources with names that included a <code>&amp;</code> |
| character. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Restore the ability to configure support for SSLv3. Enabling this |
| protocol will trigger a warning in the logs since it is known to be |
| insecure. (markt) |
| </fix> |
| <add> |
| Add LoadBalancerDrainingValve, a Valve designed to reduce the amount of |
| time required for a node to drain its authenticated users. (schultz) |
| </add> |
| <fix> |
| Do not log a warning when a <code>null</code> session is returned for an |
| OpenSSL based TLS session since this is expected when session tickets |
| are enabled. (markt) |
| </fix> |
| <fix> |
| When the access log valve logs a TLS related request attribute and the |
| NIO2 connector is used with OpenSSL, ensure that the TLS attributes are |
| available to the access log valve when the connection is closing. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60461</bug>: Sync SSL session access for the APR connector. (remm) |
| </fix> |
| <fix> |
| <bug>61224</bug>: Make the <code>GlobalRequestProcessor</code> MBean |
| attributes read-only. Patch provided by Alexis Hassler. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>49176</bug>: When generating JSP runtime error messages that quote |
| the relevant JSP source code, switch from using the results of the JSP |
| page parsing process to using the JSR 045 source map data to identify |
| the correct part of the JSP source from the stack trace. This |
| significantly reduces the memory footprint of Jasper in development |
| mode, provides a small performance improvement for error page generation |
| and enables source quotes to continue to be provided after a Tomcat |
| restart. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Remove references to the Loader attribute |
| <code>searchExternalFirst</code> from the documentation since the |
| attribute is no longer supported. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| <bug>51513</bug>: Add support for the <code>compressionMinSize</code> |
| attribute to the <code>GzipInterceptor</code>, add optional statistics |
| collection and expose the Interceptor over JMX. Based on a patch by |
| Christian Stöber. (markt) |
| </add> |
| <add> |
| <bug>61127</bug>: Allow human-readable names for channelSendOptions and |
| mapSendOptions. Patch provided by Igal Sapir. (schultz) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <scode> |
| Restore the local definition of the web service annotations since the |
| JRE provided versions are deprecated and Java 9 does not provide them by |
| default. (markt) |
| </scode> |
| <fix> |
| Add necessary Java 9 configuration options to the startup scripts to |
| prevent warnings being generated on web application stop. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M22 (markt)" rtext="2017-06-26"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>48543</bug>: Add the option to specify an alternative file name for |
| the <code>catalina.config</code> system property. Also document that |
| relative, as well as absolute, URLs are permitted. (markt) |
| </fix> |
| <fix> |
| <bug>61072</bug>: Respect the documentation statements that allow |
| using the platform default secure random for session id generation. |
| (remm) |
| </fix> |
| <fix> |
| Correct the javadoc for |
| <code>o.a.c.connector.CoyoteAdapter#parseSessionCookiesId</code>. |
| Patch provided by John Andrew (XUZHOUWANG) via Github. (violetagg) |
| </fix> |
| <fix> |
| <bug>61101</bug>: CORS filter should set Vary header in response. |
| Submitted by Rick Riemer. (remm) |
| </fix> |
| <add> |
| <bug>61105</bug>: Add a new JULI FileHandler configuration for |
| specifying the maximum number of days to keep the log files. By default |
| the log files will be kept 90 days as configured in |
| <code>logging.properties</code>. (violetagg) |
| </add> |
| <update> |
| Update the Servlet 4.0 implementation to add support for setting |
| trailer fields for HTTP responses. (markt) |
| </update> |
| <fix> |
| <bug>61125</bug>: Ensure that <code>WarURLConnection</code> returns the |
| correct value for calls to <code>getLastModified()</code> as this is |
| required for the correct detection of JSP modifications when the JSP is |
| packaged in a WAR file. (markt) |
| </fix> |
| <fix> |
| Improve the <code>SSLValve</code> so it is able to handle client |
| certificate headers from Nginx. Based on a patch by Lucas Ventura Carro. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61134</bug>: Do not use '[' and ']' symbols around substituted |
| text fragments when generating the default error pages. Patch provided |
| by Katya Todorova. (violetagg) |
| </fix> |
| <fix> |
| <bug>61154</bug>: Allow the Manager and Host Manager web applications to |
| start by default when running under a security manager. This was |
| accomplished by adding a custom permission, |
| <code>org.apache.catalina.security.DeployXmlPermission</code>, that |
| permits an application to use a <code>META-INF/context.xml</code> file |
| and then granting that permission to the Manager and Host Manager. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61173</bug>: Polish the javadoc for |
| <code>o.a.catalina.startup.Tomcat</code>. Patch provided by |
| peterhansson_se. (violetagg) |
| </fix> |
| <add> |
| A new configuration property <code>crawlerIps</code> is added to the |
| <code>o.a.catalina.valves.CrawlerSessionManagerValve</code>. Using this |
| property one can specify a regular expression that will be used to |
| identify crawlers based on their IP address. Based on a patch provided |
| by Tetradeus. (violetagg) |
| </add> |
| <fix> |
| <bug>61180</bug>: Log a warning message rather than an information |
| message if it takes more than 100ms to initialise a |
| <code>SecureRandom</code> instance for a web application to use to |
| generate session identifiers. Patch provided by Piotr Chlebda. (markt) |
| </fix> |
| <fix> |
| <bug>61185</bug>: When an asynchronous request is dispatched via |
| <code>AsyncContext.dispatch()</code> ensure that |
| <code>getRequestURI()</code> for the dispatched request matches that of |
| the original request. (markt) |
| </fix> |
| <fix> |
| <bug>61197</bug>: Ensure that the charset name used in the |
| <code>Content-Type</code> header has exactly the same form as that |
| provided by the application. This reverts a behavioural change in |
| 9.0.0.M21 that caused problems for some clients. (markt) |
| </fix> |
| <fix> |
| <bug>61201</bug>: Ensure that the <code>SCRIPT_NAME</code> environment |
| variable for CGI executables is populated in a consistent way regardless |
| of how the CGI servlet is mapped to a request. (markt) |
| </fix> |
| <fix> |
| Ensure that a space is sent between the trailer field name and field |
| value for HTTP response trailer fields. (huxing) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61086</bug>: Explicitly signal an empty request body for HTTP 205 |
| responses. (markt) |
| </fix> |
| <fix> |
| <bug>61120</bug>: Do not ignore path parameters when processing HTTP/2 |
| requests. (markt) |
| </fix> |
| <fix> |
| Revert a change introduced in the fix for bug <bug>60718</bug> that |
| changed the status code recorded in the access log when the client |
| dropped the connection from 200 to 500. (markt) |
| </fix> |
| <fix> |
| Make asynchronous error handling more robust. In particular ensure that |
| <code>onError()</code> is called for any registered |
| <code>AsyncListener</code>s after an I/O error on a non-container |
| thread. (markt) |
| </fix> |
| <fix> |
| Add additional syncs to the SSL session object provided by the OpenSSL |
| engine so that a concurrent destruction cannot cause a JVM crash. |
| (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>44787</bug>: Improve error message when JSP compiler configuration |
| options are not valid. (markt) |
| </fix> |
| <add> |
| <bug>45931</bug>: Extend Jasper's <code>trimSpaces</code> option to add |
| support for <code>single</code> which replaces template text that |
| consists entirely of whitespace with a single space character. Based on |
| a patch by Meetesh Karia. (markt) |
| </add> |
| <fix> |
| <bug>53011</bug>: When pre-compiling with JspC, report all compilation |
| errors rather than stopping after the first error. A new option |
| <code>-failFast</code> can be used to restore the previous behaviour of |
| stopping after the first error. Based on a patch provided by Marc Pompl. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61137</bug>: <code>j.s.jsp.tagext.TagLibraryInfo#uri</code> and |
| <code>j.s.jsp.tagext.TagLibraryInfo#prefix</code> fields should not be |
| final. Patch provided by Katya Todorova. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correct the log message when a <code>MessageHandler</code> for |
| <code>PongMessage</code> does not implement |
| <code>MessageHandler.Whole</code>. (rjung) |
| </fix> |
| <fix> |
| Improve thread-safety of <code>Future</code>s used to report the result |
| of sending WebSocket messages. (markt) |
| </fix> |
| <fix> |
| <bug>61183</bug>: Correct a regression in the previous fix for |
| <bug>58624</bug> that could trigger a deadlock depending on the locking |
| strategy employed by the client code. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Better document the meaning of the trimSpaces option for Jasper. (markt) |
| </fix> |
| <fix> |
| <bug>61150</bug>: Configure the Manager and Host-Manager web |
| applications to permit serialization and deserialization of |
| CsrfPreventionFilter related session objects to avoid warning messages |
| and/or stack traces on web application stop and/or start when running |
| under a security manager. (markt) |
| </fix> |
| <fix> |
| Correct the TLS configuration documentation to remove SSLv2 and SSLv3 |
| from the list of supported protocols. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>45832</bug>: Add HTTP DIGEST authentication support to the Catalina |
| Ant tasks used to communicate with the Manager application. (markt) |
| </add> |
| <fix> |
| <bug>45879</bug>: Add the <code>RELEASE-NOTES</code> file to the root of |
| the installation created by the Tomcat installer for Windows to make it |
| easier for users to identify the installed Tomcat version. (markt) |
| </fix> |
| <fix> |
| <bug>61055</bug>: Clarify the code comments in the rewrite valve to make |
| clear that there are no plans to provide proxy support for this valve |
| since Tomcat does not have proxy capabilities. (markt) |
| </fix> |
| <fix> |
| <bug>61076</bug>: Document the <code>altDDName</code> attribute for the |
| <code>Context</code> element. (markt) |
| </fix> |
| <fix> |
| Correct typo in Jar Scan Filter Configuration Reference. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| Correct the requirement for the minimum Java SE version in Application |
| Developer's Guide. Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| <bug>61145</bug>: Add missing <code>@Documented</code> annotation to |
| annotations in the annotations API. Patch provided by Katya Todorova. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61146</bug>: Add missing <code>lookup()</code> method to |
| <code>@EJB</code> annotation in the annotations API. Patch provided by |
| Katya Todorova. (markt) |
| </fix> |
| <fix> |
| Correct typo in Context Container Configuration Reference. |
| Patch provided by Katya Todorova. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M21 (markt)" rtext="2017-05-10"> |
| <subsection name="General"> |
| <changelog> |
| <add> |
| Allow JUnit test classes to be excluded using the build property |
| <code>test.exclude</code> and document the property in |
| BUILDING.txt. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Review those places where Tomcat re-encodes a URI or URI component and |
| ensure that the correct encoding (path differs from query string) is |
| applied and that the encoding is applied consistently. (markt) |
| </fix> |
| <fix> |
| Avoid a <code>NullPointerException</code> when reading attributes for an |
| initialised HTTP connector where TLS is enabled. (markt) |
| </fix> |
| <fix> |
| Always quote the <code>hostName</code> of an <code>SSLHostConfig</code> |
| element when using it as part of the JMX object name to avoid errors that |
| prevent the associated TLS connector from starting if a wild card |
| <code>hostName</code> is configured (because <code>*</code> is a |
| reserved character for JMX object names). (markt) |
| </fix> |
| <update> |
| Update the default <code>URIEncoding</code> for a <code>Connector</code> |
| to <code>UTF-8</code> as required by the Servlet 4.0 specification. |
| (markt) |
| </update> |
| <scode> |
| Switch to using <code>Charset</code> rather than <code>String</code> to |
| store encoding settings (including for configuration and for the |
| <code>Content-Type</code> header) to reduce the number of places the |
| associated <code>Charset</code> needs to be looked up. (markt) |
| </scode> |
| <fix> |
| Use a more reliable mechanism for the <code>DefaultServlet</code> when |
| determining if the current request is for a custom error page or not. |
| (markt) |
| </fix> |
| <fix> |
| Ensure that when the Default or WebDAV servlets process an error |
| dispatch that the error resource is processed via the |
| <code>doGet()</code> method irrespective of the method used for the |
| original request that triggered the error. (markt) |
| </fix> |
| <fix> |
| If a static custom error page is specified that does not exist or cannot |
| be read, ensure that the intended error status is returned rather than a |
| 404 or 403. (markt) |
| </fix> |
| <fix> |
| When the WebDAV servlet is configured and an error dispatch is made to a |
| custom error page located below <code>WEB-INF</code>, ensure that the |
| target error page is displayed rather than a 404 response. (markt) |
| </fix> |
| <update> |
| Update the Servlet 4.0 implementation to add support for obtaining |
| trailer fields from chunked HTTP requests. (markt) |
| </update> |
| <add> |
| <bug>61047</bug>: Add MIME mapping for woff2 fonts in the default |
| web.xml. Patch provided by Justin Williamson. (violetagg) |
| </add> |
| <fix> |
| Correct the logic that selects the encoding to use to decode the query |
| string in the <code>SSIServletExternalResolver</code> so that the |
| <code>useBodyEncodingForURI</code> attribute of the |
| <code>Connector</code> is correctly taken into account. (markt) |
| </fix> |
| <fix> |
| Within the Expires filter, make the content type value specified with the |
| <code>ExpiresByType</code> parameter, case insensitive. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When a <code>TrustManager</code> is configured that does not support |
| <code>certificateVerificationDepth</code> only log a warning about that |
| lack of support when <code>certificateVerificationDepth</code> has been |
| explicitly set. (markt) |
| </fix> |
| <fix> |
| <bug>60970</bug>: Extend the fix for large headers to push requests. |
| (markt) |
| </fix> |
| <fix> |
| Do not include a <code>Date</code> header in HTTP/2 responses with |
| status codes less than 200. (markt) |
| </fix> |
| <fix> |
| When sending an HTTP/2 push promise with the NIO2 connector, the pushed |
| stream ID should only be included with the initial push promise frame |
| and not any subsequent continuation frames. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| When no BOM is present and an encoding is detected, do not skip the |
| bytes used to detect the encoding since they are not part of a BOM. |
| (markt) |
| </fix> |
| <update> |
| <bug>61057</bug>: Update to Eclipse JDT Compiler 4.6.3. (violetagg) |
| </update> |
| <fix> |
| <bug>61065</bug>: Ensure that once the class is resolved by |
| <code>javax.el.ImportHandler#resolveClass</code> it will be cached with |
| the proper name. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| Introduce new API <code>o.a.tomcat.websocket.WsSession#suspend</code>/ |
| <code>o.a.tomcat.websocket.WsSession#resume</code> that can be used to |
| suspend/resume reading of the incoming messages. (violetagg) |
| </add> |
| <fix> |
| <bug>61003</bug>: Ensure the flags for reading/writing in |
| <code>o.a.t.websocket.AsyncChannelWrapperSecure</code> are correctly |
| reset even if some exceptions occurred during processing. (markt/violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <add> |
| Add documentation for the <code>maxIdleTime</code> attribute to the Channel |
| Receiver docs. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add features to get the statistics of the thread pool of the |
| <code>Receiver</code> component and |
| <code>MessageDispatchInterceptor</code>. This statistics information |
| can be acquired via JMX. (kfujino) |
| </add> |
| <add> |
| Add the <code>maxIdleTime</code> attribute to <code>NioReceiverMBean</code> |
| in order to expose it to JMX. (kfujino) |
| </add> |
| <add> |
| Add JMX support for <code>Channel Interceptors</code>. The Interceptors |
| that implement JMX support are <code>TcpFailureDetector</code>, |
| <code>ThroughputInterceptor</code>, <code>TcpPingInterceptor</code>, |
| <code>StaticMembershipInterceptor</code>, |
| <code>MessageDispatchInterceptor</code> and |
| <code>DomainFilterInterceptor</code>. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Modify the Ant build script used to publish to a Maven repository so |
| that it no longer requires artifacts to be GPG signed. This is to make it |
| possible for the CI system to upload snapshot builds to the ASF Maven |
| repository. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M20 (markt)" rtext="2017-04-18"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| Update the Servlet 4.0 API implementation to reflect the change in |
| method name from <code>getPushBuilder()</code> to |
| <code>newPushBuilder()</code>. (markt) |
| </update> |
| <fix> |
| Correct various edge cases in the new HTTP Host header validation |
| parser. Patch provided by Katya Todorova. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the X to comma refactoring that broke JMX |
| operations that take parameters. (markt) |
| </fix> |
| <fix> |
| Avoid a <code>NullPointerException</code> when reading attributes for a |
| running HTTP connector where TLS is not enabled. (markt) |
| </fix> |
| <fix> |
| <bug>47214</bug>: Refactor code so that explicitly referenced inner |
| classes are given explicit names rather than being anonymous. (markt) |
| </fix> |
| <fix> |
| <bug>59825</bug>: Log a message that lists the components in the |
| processing chain that do not support async processing when a call to |
| <code>ServletRequest.startAsync()</code> fails. (markt) |
| </fix> |
| <fix> |
| <bug>60940</bug>: Improve the handling of the <code>META-INF/</code> and |
| <code>META-INF/MANIFEST.MF</code> entries for Jar files located in |
| <code>/WEB-INF/lib</code> when running a web application from a packed |
| WAR file. (markt) |
| </fix> |
| <fix> |
| Pre-load the <code>ExceptionUtils</code> class. Since the class is used |
| extensively in error handling, it is prudent to pre-load it to avoid any |
| failure to load this class masking the true problem during error |
| handling. (markt) |
| </fix> |
| <fix> |
| Avoid potential <code>NullPointerException</code>s related to access |
| logging during shutdown, some of which have been observed when running |
| the unit tests. (markt) |
| </fix> |
| <fix> |
| When there is no <code>javax.servlet.WriteListener</code> registered |
| then a call to <code>javax.servlet.ServletOutputStream#isReady</code> |
| will return <code>false</code> instead of throwing |
| <code>IllegalStateException</code>. (violetagg) |
| </fix> |
| <fix> |
| When there is no <code>javax.servlet.ReadListener</code> registered |
| then a call to <code>javax.servlet.ServletInputStream#isReady</code> |
| will return <code>false</code> instead of throwing |
| <code>IllegalStateException</code>. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Align cipher configuration parsing with current OpenSSL master. (markt) |
| </fix> |
| <fix> |
| <bug>60970</bug>: Fix infinite loop if application tries to write a |
| large header to the response when using HTTP/2. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>47214</bug>: Refactor code so that explicitly referenced inner |
| classes are given explicit names rather than being anonymous. (markt) |
| </fix> |
| <fix> |
| <bug>60925</bug>: Improve the handling of access to properties defined |
| by interfaces when a <code>BeanELResolver</code> is used under a |
| <code>SecurityManager</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add JMX support for Tribes components. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <scode> |
| Refactor the creation of a constructor for a proxy class to reduce |
| duplicate code. (kfujino) |
| </scode> |
| <fix> |
| In <code>StatementFacade</code>, method calls on statements that |
| have been closed throw <code>SQLException</code> rather than |
| <code>NullPointerException</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>60932</bug>: Correctly escape single quotes when used in i18n |
| messages. Based on a patch by Michael Osipov. (markt) |
| </fix> |
| <scode> |
| Review i18n property files, remove unnecessary escaping and consistently |
| use <code>[...]</code> to delimit inserted values. (markt) |
| </scode> |
| <fix> |
| Update the custom Ant task that integrates with the Symantec code |
| signing service to use the now mandatory 2-factor authentication. |
| (markt) |
| </fix> |
| <scode> |
| Refactoring in preparation for Java 9. Refactor to avoid using some |
| methods that will be deprecated in Java 9 onwards. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M19 (markt)" rtext="2017-03-30"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>54618</bug>: Add support to the |
| <code>HttpHeaderSecurityFilter</code> for the HSTS preload parameter. |
| (markt) |
| </add> |
| <fix> |
| Correct a bug in the implementation of the Servlet 4.0 feature that |
| allows specifying a default request and/or response character encoding |
| per web application. <code>null</code> values passed via the |
| programmatic interface no longer trigger a |
| <code>NullPointerException</code>. (markt) |
| </fix> |
| <fix> |
| Correct a potential exception during shutdown when one or more |
| Containers are configured with a value of 1 for startStopThreads. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60853</bug>: Expose the <code>SSLHostConfig</code> and |
| <code>SSLHostConfigCertificate</code> objects via JMX. (markt) |
| </fix> |
| <fix> |
| <bug>60876</bug>: Ensure that <code>Set-Cookie</code> headers generated |
| by the <code>Rfc6265CookieProcessor</code> are aligned with the |
| specification. Patch provided by Jim Griswold. (markt) |
| </fix> |
| <fix> |
| <bug>60882</bug>: Fix a <code>NullPointerException</code> when obtaining |
| a <code>RequestDispatcher</code> for a request that will not have any |
| pathInfo associated with it. This was a regression in the changes in |
| 9.0.0.M18 for the Servlet 4.0 API changes. (markt) |
| </fix> |
| <update> |
| Align <code>PushBuilder</code> API with changes from the Servlet expert |
| group. (markt) |
| </update> |
| <update> |
| Align web.xml parsing rules with changes from the Servlet expert group |
| for <code>&lt;request-character-encoding&gt;</code> and |
| <code>&lt;response-character-encoding&gt;</code>. (markt) |
| </update> |
| <scode> |
| Refactor the various implementations of X to comma separated list to a |
| single utility class and update the code to use the new utility class. |
| (markt) |
| </scode> |
| <fix> |
| <bug>60911</bug>: Ensure NPE will not be thrown when looking for SSL |
| session ID. Based on a patch by Didier Gutacker. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Add async based IO groundwork for HTTP/2. (remm) |
| </fix> |
| <fix> |
| Fix HTTP/2 incorrect input unblocking on EOF. (remm) |
| </fix> |
| <fix> |
| Close the connection sooner if an event occurs for a current connection |
| that is not consistent with the current state of that connection. |
| (markt) |
| </fix> |
| <fix> |
| Speed up shutdown when using multiple acceptor threads by ensuring that |
| the code that unlocks the acceptor threads correctly handles the case |
| where there are multiple threads. (markt) |
| </fix> |
| <fix> |
| <bug>60851</bug>: Add <code>application/xml</code> and |
| <code>application/json</code> to the default list of compressible MIME |
| types. Patch by Michael Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60852</bug>: Correctly spell compressible when used in |
| configuration attributes and internal code. Based on a patch by Michael |
| Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60900</bug>: Avoid a <code>NullPointerException</code> in the APR |
| Poller if a connection is closed at the same time as new data arrives on |
| that connection. (markt) |
| </fix> |
| <fix> |
| Improve HPACK specification compliance by fixing some test failures |
| reported by the h2spec tool written by Moto Ishizawa. (markt) |
| </fix> |
| <fix> |
| Improve HTTP/2 specification compliance by fixing some test failures |
| reported by the h2spec tool written by Moto Ishizawa. (markt) |
| </fix> |
| <fix> |
| <bug>60918</bug>: Fix sendfile processing error that could lead to |
| subsequent requests experiencing an <code>IllegalStateException</code>. |
| (markt) |
| </fix> |
| <fix> |
| Improve sendfile handling when requests are pipelined. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60844</bug>: Correctly handle the error when fewer parameter values |
| than required by the method are used to invoke an EL method expression. |
| Patch provided by Daniel Gray. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>60764</bug>: Implement <code>equals()</code> and |
| <code>hashCode()</code> in the <code>StatementFacade</code> in order to |
| enable these methods to be called on the closed statements if any |
| statement proxy is set. This behavior can be changed with |
| <code>useStatementFacade</code> attribute. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Refactor the build script and the NSIS installer script so that either |
| NSIS 2.x or NSIS 3.x can be used to build the installer. This is |
| primarily to re-enable building the installer on the Linux based CI |
| system where the combination of NSIS 3.x and wine leads to failed |
| installer builds. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M18 (markt)" rtext="2017-03-13"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>60469</bug>: Refactor <code>RealmBase</code> for better code re-use |
| when implementing Realms that use a custom <code>Principal</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60490</bug>: Various formatting and layout improvements for the |
| <code>ErrorReportValve</code>. Patch provided by Michael Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60573</bug>: Remove the reason phrase when sending a |
| <code>100</code> response status for consistency with other response |
| status lines. Patch provided by Michael Osipov. (markt) |
| </fix> |
| <update> |
| <bug>60596</bug>: Improve performance of DefaultServlet when sendfile |
| feature is disabled on connector. (kkolinko) |
| </update> |
| <scode> |
| Make it easier for sub-classes of <code>Tomcat</code> to modify the |
| default web.xml settings by overriding |
| <code>getDefaultWebXmlListener()</code>. Patch provided by Aaron |
| Anderson. (markt) |
| </scode> |
| <fix> |
| Reduce the contention in the default <code>InstanceManager</code> |
| implementation when multiple threads are managing objects and need to |
| reference the annotation cache. (markt) |
| </fix> |
| <fix> |
| <bug>60623</bug>: When startStopThreads is 1 (or a special value that |
| is equivalent to 1) then rather than using an |
| <code>ExecutorService</code> to start the children of the current |
| component, the children will be started on the current thread. (markt) |
| </fix> |
| <scode> |
| <bug>60674</bug>: Remove <code>final</code> marker from |
| <code>CorsFilter</code> to enable sub-classing. (markt) |
| </scode> |
| <fix> |
| <bug>60683</bug>: Security manager failure causing NPEs when doing IO |
| on some JVMs. (csutherl) |
| </fix> |
| <fix> |
| <bug>60688</bug>: Update the internal fork of Apache Commons BCEL to |
| r1782855 to add early access Java 9 support to the annotation scanning |
| code. (markt) |
| </fix> |
| <fix> |
| <bug>60694</bug>: Prevent NPE during authentication when no JASPIC |
| <code>AuthConfigFactory</code> is available. (markt) |
| </fix> |
| <fix> |
| <bug>60697</bug>: When HTTP TRACE requests are disabled on the |
| Connector, ensure that the HTTP OPTIONS response from custom servlets |
| does not include TRACE in the returned Allow header. (markt) |
| </fix> |
| <fix> |
| <bug>60718</bug>: Improve error handling for asynchronous processing and |
| correct a number of cases where the <code>requestDestroyed()</code> |
| event was not being fired and an entry wasn't being made in the access |
| logs. (markt) |
| </fix> |
| <fix> |
| <bug>60720</bug>: Replace "WWW-Authenticate" literal with static final |
| AUTH_HEADER_NAME in SpnegoAuthenticator. Patch provided by Michael |
| Osipov. (violetagg) |
| </fix> |
| <fix> |
| The default JASPIC <code>AuthConfigFactory</code> now correctly notifies |
| registered <code>RegistrationListener</code>s when a new |
| <code>AuthConfigProvider</code> is registered. (markt) |
| </fix> |
| <scode> |
| Improve the performance of <code>AuthenticatorBase</code> when there is |
| no JASPIC configuration available. (violetagg) |
| </scode> |
| <fix> |
| When HTTP TRACE requests are disabled on the Connector, ensure that the |
| HTTP OPTIONS response from the WebDAV servlet does not include |
| TRACE in the returned Allow header. (markt) |
| </fix> |
| <fix> |
| <bug>60722</bug>: Take account of the |
| <strong>dispatchersUseEncodedPaths</strong> setting on the current |
| <strong>Context</strong> when generating paths for dispatches triggered |
| by <code>AsyncContext.dispatch()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60728</bug>: Make the separator Tomcat uses in the Tomcat specific |
| <code>war:file:...</code> URL protocol customizable via a system |
| property. The separator is equivalent to the use of the <code>!</code> |
| character in <code>jar:file:...</code> URLs. The default separator of |
| <code>*</code> remains unchanged. (markt) |
| </fix> |
| <update> |
| Update the Servlet 4.0 API implementation to align with the latest |
| proposals from the Servlet 4.0 expert group. This includes updates to |
| the new Servlet mapping API, new methods on the |
| <code>ServletContext</code> to make the available API more equivalent to |
| the deployment descriptor, updates to the HTTP push API and the ability |
| to set default request and response character encoding per web |
| application. Note that the Servlet 4.0 API is still a work in progress |
| and further changes are likely. (markt) |
| </update> |
| <fix> |
| <bug>60798</bug>: Correct a bug in the handling of JARs in unpacked WARs |
| that meant multiple attempts to read the same entry from a JAR in |
| succession would fail for the second and subsequent attempts. (markt) |
| </fix> |
| <fix> |
| <bug>60808</bug>: Ensure that the <code>Map</code> returned by |
| <code>ServletRequest.getParameterMap()</code> is fully immutable. Based |
| on a patch provided by woosan. (markt) |
| </fix> |
| <fix> |
| <bug>60824</bug>: Correctly cache the <code>Subject</code> in the |
| session - if there is a session - when running under a |
| <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt) |
| </fix> |
| <fix> |
| Ensure request and response facades are used when firing application |
| listeners. (markt/remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Improve handling of the case when an HTTP/2 client sends more data that is |
| subject to flow control than the current window size allows. (markt) |
| </fix> |
| <fix> |
| Improve NIO2 look-ahead parsing of TLS client hello for SNI with large |
| client hello messages. (markt) |
| </fix> |
| <add> |
| Enable ALPN and also, therefore, HTTP/2 for the NIO and NIO2 HTTP |
| connectors when using the JSSE implementation for TLS when running on |
| Java 9. (markt) |
| </add> |
| <fix> |
| Restore Java 9 direct byte buffer compatibility. (remm) |
| </fix> |
| <fix> |
| <bug>59807</bug>: Provide a better error message when there is no |
| <strong>SSLHostConfig</strong> defined with a <code>hostName</code> that |
| matches the <code>defaultSSLHostConfigName</code> for the associated |
| <strong>Connector</strong>. (markt) |
| </fix> |
| <fix> |
| <bug>60627</bug>: Modify the <code>Rfc6265CookieProcessor</code> so that |
| in addition to cookie headers that start with an explicit RFC 2109 |
| <code>$Version=1</code>, cookies that start with <code>$Version=0</code> |
| are also parsed as RFC 2109 cookies. (markt) |
| </fix> |
| <fix> |
| Include the value of <code>SslHostConfig.truststoreAlgorithm</code> when |
| warning that the algorithm does not support the |
| <code>certificateVerificationDepth</code> configuration option. (markt) |
| </fix> |
| <fix> |
| Ensure that executor thread pools used with connectors pre-start the |
| configured minimum number of idle threads. (markt) |
| </fix> |
| <fix> |
| <bug>60716</bug>: Add a new JSSE specific attribute, |
| <code>revocationEnabled</code>, to <code>SSLHostConfig</code> to permit |
| JSSE provider revocation checks to be enabled when no |
| <code>certificateRevocationListFile</code> has been configured. The |
| expectation is that configuration will be performed via a JSSE provider |
| specific mechanism. (markt) |
| </fix> |
| <fix> |
| Modify the cookie header generated by the |
| <code>Rfc6265CookieProcessor</code> so it always sends an |
| <code>Expires</code> attribute as well as a <code>Max-Age</code> |
| attribute to avoid problems with Microsoft browsers that do not support |
| the <code>Max-Age</code> attribute. (markt) |
| </fix> |
| <fix> |
| <bug>60761</bug>: Expose a protected getter and setter for |
| <code>NioEndpoint.stopLatch</code> to make the class easier to extend. |
| (markt) |
| </fix> |
| <fix> |
| Prevent blocking reads after a stream exception occurs with HTTP/2. |
| (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Follow up to the fix for <bug>58178</bug>. When creating the |
| <code>ELContext</code> for a tag file, ensure that any registered |
| <code>ELContextListener</code>s are fired. (markt) |
| </fix> |
| <fix> |
| Refactor code generated for JSPs to reduce the size of the code required |
| for tags. (markt) |
| </fix> |
| <fix> |
| Improve the error handling for simple tags to ensure that the tag is |
| released and destroyed once used. (remm, violetagg) |
| </fix> |
| <fix> |
| <bug>60769</bug>: Correct a regression in the XML encoding detection |
| refactoring carried out for 9.0.0.M16 that incorrectly always used the |
| detected BOM encoding in preference to any encoding specified in the |
| prolog. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Make the <code>accessTimeout</code> configurable in |
| <code>BackupManager</code> and <code>ClusterSingleSignOn</code>. The |
| <code>accessTimeout</code> is used as a timeout period for PING in |
| replication map. (kfujino) |
| </add> |
| <fix> |
| <bug>60806</bug>: To avoid <code>ClassNotFoundException</code>, make |
| sure that the web application class loader is passed to |
| <code>ReplicatedContext</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>60617</bug>: Correctly create a <code>CONNECT</code> request when |
| establishing a WebSocket connection via a proxy. Patch provided by |
| Svetlin Zarev. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add a log message when a PING message has been received beyond the |
| timeout period. (kfujino) |
| </add> |
| <fix> |
| When a PING message has been received beyond the timeout period, |
| make sure that the valid member is added to the map membership. (kfujino) |
| </fix> |
| <fix> |
| Ensure that <code>NoRpcChannelReply</code> messages are not received on |
| <code>RpcCallback</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| Add Specification and Javadoc references for JASPIC to the Docs |
| application. (csutherl) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Spelling corrections provided by Josh Soref. (violetagg) |
| </fix> |
| <scode> |
| Remove local definition of web service annotations since these are |
| provided by the JRE. (markt) |
| </scode> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.12 to |
| pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg) |
| </update> |
| <add> |
| <bug>60784</bug>: Update all unit tests that test the HTTP status line |
| to check for the required space after the status code. Patch provided by |
| Michael Osipov. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M17 (markt)" rtext="2017-01-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>60620</bug>: |
| Extend the <code>JreMemoryLeakPreventionListener</code> to provide |
| protection against <code>ForkJoinPool.commonPool()</code> related memory |
| leaks. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure UpgradeProcessor instances associated with closed connections are |
| removed from the map of current connections to Processors. (markt) |
| </fix> |
| <fix> |
| Remove a workaround for a problem previously reported with WebSocket, |
| TLS and APR that treated some error conditions as not errors. The |
| original problem cannot be reproduced with the current code and the |
| workaround is now causing problems. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60497</bug>: Follow up fix using a better variable name for the |
| tag reuse flag. (remm) |
| </fix> |
| <fix> |
| Revert use of try/finally for simple tags. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Prevent potential processing loop on unexpected WebSocket connection |
| closure. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <add> |
| Enable resetting the statistics without restarting the pool. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.01. (markt) |
| </update> |
| <fix> |
| Spelling corrections provided by Josh Soref. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M16 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>53602</bug>: Add HTTP status code 451 (RFC 7725) to the list of |
| HTTP status codes recognised by the ErrorReportValve. (markt) |
| </add> |
| <fix> |
| <bug>60446</bug>: Handle the case where the stored user credential uses |
| a different key length than the length currently configured for the |
| <code>CredentialHandler</code>. Based on a patch by Niklas Holm. (markt) |
| </fix> |
| <update> |
| Update the warnings that reference required options for running on Java |
| 9 to use the latest syntax for those options. (markt) |
| </update> |
| <fix> |
| <bug>60513</bug>: Fix thread safety issue with RMI cleanup code. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Expand the search process for a server certificate when OpenSSL is used |
| with a JSSE connector and an explicit alias has not been configured. |
| (markt) |
| </fix> |
| <scode> |
| Extract the common Acceptor code from each Endpoint into a new Acceptor |
| class that is used by all Endpoints. (markt) |
| </scode> |
| <fix> |
| <bug>60450</bug>: Improve the selection algorithm for the default trust |
| store type for a TLS Virtual Host. In particular, don't use |
| <code>PKCS12</code> as a default trust store type. Better document how |
| the default trust store type is selected for a TLS virtual host. (markt) |
| </fix> |
| <fix> |
| <bug>60451</bug>: Correctly handle HTTP/2 header values that contain |
| characters with Unicode code points in the range 128 to 255. Reject |
| with a clear error message HTTP/2 header values that contain characters |
| with Unicode code points above 255. (markt) |
| </fix> |
| <fix> |
| Improve the logic that selects an address to use to unlock the Acceptor |
| to take account of platforms that do not listen on all local addresses |
| when configured with an address of <code>0.0.0.0</code> or |
| <code>::</code>. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the refactoring to make wider use of |
| <code>ByteBuffer</code> that caused an intermittent failure in the unit |
| tests. (markt) |
| </fix> |
| <fix> |
| <bug>60482</bug>: HTTP/2 shouldn't do URL decoding on the query string. |
| (remm) |
| </fix> |
| <fix> |
| Fix an HTTP/2 compression error. Once a new size has been agreed for the |
| dynamic HPACK table, the next header block must begin with a dynamic |
| table update. (markt) |
| </fix> |
| <fix> |
| <bug>60508</bug>: Set request start time for HTTP/2. (remm) |
| </fix> |
| <fix> |
| The default output buffer size for AJP connectors is now based on the |
| configured AJP packet size rather than the minimum permitted AJP packet |
| size. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Implement a simpler JSP file encoding detector that delegates XML prolog |
| encoding detection to the JRE rather than using a custom XML parser. |
| (markt) |
| </update> |
| <fix> |
| <bug>60497</bug>: Restore previous tag reuse behavior following the use |
| of try/finally. (remm) |
| </fix> |
| <fix> |
| Improve the error handling for simple tags to ensure that the tag is |
| released and destroyed once used. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correctly handle blocking WebSocket writes when the write times out just |
| before the write is attempted. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| <bug>60344</bug>: Add a note to BUILDING.txt regarding using the source |
| bundle with the correct line endings. (markt) |
| </fix> |
| <fix> |
| <bug>60467</bug>: Remove problematic characters from XML documentation. |
| Based upon a patch by Michael Osipov. (schultz) |
| </fix> |
| <add> |
| In the documentation web application, be explicit that clustering |
| requires a secure network for all of the cluster network traffic. |
| (markt) |
| </add> |
| <update> |
| Update the ASF logos to the new versions. |
| </update> |
| <fix> |
| <bug>60468</bug>: Correct the format of the sample ISO-8601 date used |
| to report the build date for the documentation. Patch provided by |
| Michael Osipov. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the ASF logos used in the Apache Tomcat installer for Windows to |
| use the new versions. |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M15 (markt)" rtext="2016-12-08"> |
| <subsection name="Other"> |
| <changelog> |
| <scode> |
| Increment version due to a local build configuration error with |
| 9.0.0.M14 that wasn't caught until after digital signing had been |
| completed. Signing requires unique names so a new tag was required. |
| (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M14 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| <bug>60202</bug>: Add an available flag to realms, to indicate the |
| state of the realm backend. Update lockout realm to only register |
| auth failures if the realm is available. (remm) |
| </update> |
| <fix> |
| <bug>60340</bug>: Readability improvements for CSS used in |
| DefaultServlet and ErrorReportValve. Patch provided by Michael |
| Osipov. (violetagg) |
| </fix> |
| <fix> |
| <bug>60351</bug>: Delay creating <code>META-INF/war-tracker</code> file |
| until after the WAR has been expanded to address the case where the |
| Tomcat process terminates during the expansion. (markt) |
| </fix> |
| <fix> |
| Correctly generate URLs for resources located inside JARs that are |
| themselves located inside a packed WAR file. (markt) |
| </fix> |
| <fix> |
| Correctly handle the <code>configClass</code> attribute of a Host when |
| embedding Tomcat. (markt) |
| </fix> |
| <update> |
| <bug>60368</bug>: Stop creating a default connector on start in |
| embedded mode. (remm) |
| </update> |
| <fix> |
| <bug>60379</bug>: Dispose of the GSS credential once it is no longer |
| required. Patch provided by Michael Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60380</bug>: Ensure that a call to |
| <code>HttpServletRequest#logout()</code> triggers a call to |
| <code>TomcatPrincipal#logout()</code>. Based on a patch by Michael |
| Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60381</bug>: Provide a standard <code>toString()</code> |
| implementation for components that implement <code>Contained</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60387</bug>: Correct the javadoc for |
| <code>o.a.catalina.AccessLog.setRequestAttributesEnabled</code>. |
| The default value is different for the different implementations. |
| (violetagg) |
| </fix> |
| <scode> |
| <bug>60393</bug>: Use consistent parameter naming in implementations of |
| <code>Realm#authenticate(GSSContext, boolean)</code>. (markt) |
| </scode> |
| <scode> |
| Refactor the <code>org.apache.naming</code> package to reduce duplicate |
| code. Duplicate code identified by the Simian tool. (markt) |
| </scode> |
| <scode> |
| Refactor the implementations of |
| <code>HttpServletRequest#getRequestURL()</code> to reduce duplicate |
| code. Duplicate code identified by the Simian tool. (markt) |
| </scode> |
| <scode> |
| Refactor Catalina interfaces to make wider use of the |
| <code>Contained</code> interface and reduce duplication. (markt) |
| </scode> |
| <scode> |
| Remove the <code>getName()</code> method from <code>RealmBase</code> |
| along with the various constants used by the sub-classes to store the |
| return value. (markt) |
| </scode> |
| <fix> |
| <bug>60395</bug>: Log when an <code>Authenticator</code> passes an |
| incomplete <code>GSSContext</code> to a Realm since it indicates a bug |
| in the <code>Authenticator</code>. Patch provided by Michael Osipov. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60400</bug>: When expanding the buffer used for reading the |
| request body, ensure the read position will be restored to the |
| original one. (violetagg) |
| </fix> |
| <scode> |
| Refactor the MBean implementations for the internal Tomcat components |
| to reduce code duplication. (markt) |
| </scode> |
| <fix> |
| <bug>60410</bug>: Ensure that multiple calls to |
| <code>JarInputStreamWrapper#close()</code> do not incorrectly trigger |
| the closure of the underlying JAR or WAR file. (markt) |
| </fix> |
| <fix> |
| <bug>60411</bug>: Implement support in the <code>RewriteValve</code> for |
| symbolic names to specify the redirect code to use when returning a |
| redirect response to the user agent. Patch provided by Michael Osipov. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60413</bug>: In the <code>RewriteValve</code> write empty capture |
| groups as the empty string rather than as <code>"null"</code> |
| when generating the re-written URL. Based on a patch by Michael Osipov. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>60372</bug>: Ensure the response headers' buffer limit is reset to |
| the capacity of this buffer when IOException occurs while writing the |
| headers to the socket. (violetagg) |
| </fix> |
| <fix> |
| Ensure that the availability of configured upgrade protocols that |
| require ALPN is correctly reported during Tomcat start. (markt) |
| </fix> |
| <fix> |
| <bug>60386</bug>: Implement a more sophisticated pruning algorithm for |
| removing closed streams from the priority tree to ensure that the tree |
| does not grow too large. (markt) |
| </fix> |
| <fix> |
| <bug>60409</bug>: When unable to complete sendfile request, ensure the |
| Processor will be added to the cache only once. (markt/violetagg) |
| </fix> |
| <fix> |
| Ensure that the endpoint is able to unlock the acceptor thread during |
| shutdown if the endpoint is configured to listen to any local address |
| of a specific type such as <code>0.0.0.0</code> or <code>::</code>. |
| (markt) |
| </fix> |
| <add> |
| Add a new configuration option, <code>ipv6v6only</code> to the APR |
| connectors that allows them to be configured to only accept IPv6 |
| connections when configured with an IPv6 address rather than the |
| default which is to accept IPv4 connections as well if the operating |
| system uses a dual network stack. (markt) |
| </add> |
| <fix> |
| Improve the logic that unlocks the acceptor thread so a better choice is |
| made for the address to connect to when a connector is configured for |
| any local port. This reduces the likelihood of the unlock failing. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60436</bug>: Avoid a potential NPE when processing async timeouts. |
| (markt) |
| </fix> |
| <fix> |
| Reduce the window in which an async request that has just started |
| processing on a container thread remains eligible for an async timeout. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60431</bug>: Improve handling of varargs in UEL expressions. Based |
| on a patch by Ben Wolfe. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct a typo in Host Configuration Reference. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| <bug>60412</bug>: Add information on the comment syntax for the |
| <code>RewriteValve</code> configuration. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Reduce the warning logs for a message received from a different domain |
| in order to avoid excessive log outputs. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>60437</bug>: Avoid possible handshake overflows in the WebSocket |
| client. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <add> |
| <bug>58816</bug>: Implement the statistics of jdbc-pool. The statistics |
| are <code>borrowedCount</code>, <code>returnedCount</code>, |
| <code>createdCount</code>, <code>releasedCount</code>, |
| <code>reconnectedCount</code>, <code>releasedIdleCount</code> and |
| <code>removeAbandonedCount</code>. (kfujino) |
| </add> |
| <fix> |
| <bug>60194</bug>: If <code>validationQuery</code> is not specified, |
| connection validation is done by calling the <code>isValid()</code> |
| method. (kfujino) |
| </fix> |
| <fix> |
| <bug>60398</bug>: Fix testcase of <code>TestSlowQueryReport</code>. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Allow customization of service.bat, such as heap memory size, service |
| startup mode and JVM args. Patch provided by isapir via GitHub. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>60366</bug>: Change <code>catalina.bat</code> to directly use the |
| <code>LOGGING_MANAGER</code> and <code>LOGGING_CONFIG</code> variables |
| in order to configure logging, instead of modifying |
| <code>JAVA_OPTS</code>. Patch provided by Petter Isberg. (violetagg) |
| </fix> |
| <fix> |
| <bug>60383</bug>: JASPIC API is added as a dependency to the |
| <code>org.apache.tomcat:tomcat-catalina</code> maven artifact. |
| (violetagg) |
| </fix> |
| <fix> |
| Update the comments associated with the TLS Connector examples in |
| <code>server.xml</code>. (markt) |
| </fix> |
| <add> |
| Add a new property, <code>test.verbose</code>, to control |
| whether the output of the tests is displayed on the console or not. |
| Patch provided by Emmanuel Bourg. (violetagg) |
| </add> |
| <scode> |
| <code>TestOpenSSLCipherConfigurationParser.testSpecification</code> |
| - if there are test failures, provide more detailed information. Patch |
| provided by Emmanuel Bourg. (violetagg) |
| </scode> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M13 (markt)" rtext="2016-11-08"> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Check that threadPriority values used in AbstractProtocol are valid. |
| (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M12 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| When creating a new Connector via JMX, ensure that both HTTP/1.1 and |
| AJP/1.3 connectors can be created. (markt) |
| </fix> |
| <fix> |
| Reduce multiple error messages when Connector fails to instantiate the |
| associated ProtocolHandler. (markt) |
| </fix> |
| <fix> |
| <bug>60152</bug>: Provide an option for Connector Lifecycle exceptions |
| to be re-thrown rather than logged. This is controlled by the new |
| <code>throwOnFailure</code> attribute of the Connector. (markt) |
| </fix> |
| <fix> |
| Include the Context name in the log message when an item cannot be |
| added to the cache. (markt) |
| </fix> |
| <fix> |
| Exclude JAR files in <code>/WEB-INF/lib</code> from the static resource |
| cache. (markt) |
| </fix> |
| <fix> |
| When calling <code>getResourceAsStream()</code> on a directory, ensure |
| that <code>null</code> is returned. (markt) |
| </fix> |
| <fix> |
| <bug>60161</bug>: Allow creating subcategories of the container logger, |
| and use it for the rewrite valve. (remm) |
| </fix> |
| <fix> |
| Correctly test for control characters when reading the provided shutdown |
| password. (markt) |
| </fix> |
| <fix> |
| <bug>60297</bug>: Simplify connector creation in embedded mode. (remm) |
| </fix> |
| <fix> |
| Refactor creation of containers in embedded mode for more consistency |
| and flexibility. (remm) |
| </fix> |
| <add> |
| Log a warning if running on Java 9 with the ThreadLocal memory leak |
| detection enabled (the default) but without the command line option it |
| now requires. (markt) |
| </add> |
| <fix> |
| When a Connector is configured to use an executor, ensure that the |
| StoreConfig component includes the executor name when writing the |
| Connector configuration. (markt) |
| </fix> |
| <fix> |
| When configuring the JMX remote listener, specify the allowed types for |
| the credentials. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct the HPACK header table size configuration that transposed the |
| client and server table sizes when creating the encoder and decoder. |
| (markt) |
| </fix> |
| <scode> |
| Review HTTP/2 implementation removing unused code, reducing visibility |
| where possible and using final where appropriate. (markt) |
| </scode> |
| <fix> |
| Don't continue to process an HTTP/2 stream if it is reset during header |
| parsing. (markt) |
| </fix> |
| <fix> |
| HTTP/2 uses separate headers for each Cookie. As required by RFC 7540, |
| merge these into a single Cookie header before processing continues. |
| (markt) |
| </fix> |
| <fix> |
| Align the HTTP/2 implementation with the HTTP/1.1 implementation and |
| return a 500 response when an unhandled exception occurs during request |
| processing. (markt) |
| </fix> |
| <fix> |
| Correct the HTTP header parser so that DEL is not treated as a valid |
| token character. (markt) |
| </fix> |
| <add> |
| Add checks around the handling of HTTP/2 pseudo headers. (markt) |
| </add> |
| <add> |
| Add support for trailer headers to the HTTP/2 implementation. (markt) |
| </add> |
| <fix> |
| <bug>60232</bug>: When processing headers for an HTTP/2 stream, ensure |
| that the read buffer is large enough for the header being processed. |
| (markt) |
| </fix> |
| <add> |
| Add configuration options to the HTTP/2 implementation to control the |
| maximum number of headers allowed, the maximum size of headers allowed, |
| the maximum number of trailer headers allowed, the maximum size of |
| trailer headers allowed and the maximum number of cookies allowed. |
| (markt) |
| </add> |
| <fix> |
| Correctly differentiate between sending and receiving a reset frame when |
| tracking the state of an HTTP/2 stream. (markt) |
| </fix> |
| <scode> |
| Remove the undocumented support for using the old Connector attribute |
| names <code>backlog</code>, <code>soLinger</code> and |
| <code>soTimeout</code> that were renamed several major versions ago. |
| (markt) |
| </scode> |
| <fix> |
| <bug>60319</bug>: When using an Executor, disconnect it from the |
| Connector attributes <code>maxThreads</code>, |
| <code>minSpareThreads</code> and <code>threadPriority</code> to enable |
| the configuration settings to be consistently reported. These Connector |
| attributes will be reported as <code>-1</code> when an Executor is in |
| use. The values used by the executor may be set and obtained via the |
| Executor. (markt) |
| </fix> |
| <fix> |
| If an I/O error occurs during async processing on a non-container |
| thread, ensure that the <code>onError()</code> event is triggered. |
| (markt) |
| </fix> |
| <fix> |
| Improve detection of I/O errors during async processing on non-container |
| threads and trigger async error handling when they are detected. (markt) |
| </fix> |
| <add> |
| Add additional checks for valid characters to the HTTP request line |
| parsing so invalid request lines are rejected sooner. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Update to the Eclipse JDT Compiler 4.6.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Add HTTP/2 configuration information to the documentation web |
| application. (markt) |
| </add> |
| <fix> |
| Fix default value of <code>validationInterval</code> attribute in |
| jdbc-pool. (kfujino) |
| </fix> |
| <fix> |
| Correct a typo in CGI How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| When the proxy node sends a backup retrieve message, ensure that the |
| <code>channelSendOptions</code> that has been set is used rather than the |
| default <code>channelSendOptions</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Add the JASPIC API jar to the Maven Central publication script. (markt) |
| </add> |
| <fix> |
| Remove classes from tomcat-util-scan.jar that are duplicates of those in |
| tomcat-util.jar. (markt) |
| </fix> |
| <add> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.0. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M11 (markt)" rtext="2016-10-10"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>59961</bug>: Add an option to the <code>StandardJarScanner</code> |
| to control whether or not JAR Manifests are scanned for additional |
| class path entries. (markt) |
| </add> |
| <fix> |
| <bug>60013</bug>: Refactor the previous fix to align the behaviour of |
| the Rewrite Valve with mod_rewrite. As part of this, provide an |
| implementation for the <code>B</code> and <code>NE</code> flags and |
| improve the handling for the <code>QSA</code> flag. Includes multiple |
| test cases by Santhana Preethi and a patch by Tiago Oliveira. (markt) |
| </fix> |
| <fix> |
| <bug>60087</bug>: Refactor the web resources handling to use the Tomcat |
| specific <code>war:file:...</code> URL protocol to refer to WAR files |
| and their contents rather than the standard <code>jar:file:...</code> |
| form since some components of the JRE, such as JAR verification, give |
| unexpected results when the standard form is used. A side-effect of the |
| refactoring is that when using packed WARs, it is now possible to |
| reference a WAR and/or specific JARs within a WAR in the security policy |
| file used when running under a <code>SecurityManager</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60116</bug>: Fix a problem with the rewrite valve that caused back |
| references evaluated in conditions to be forced to lower case when using |
| the <code>NC</code> flag. (markt) |
| </fix> |
| <fix> |
| Ensure <code>Digester.useContextClassLoader</code> is considered in |
| case the class loader is used. (violetagg) |
| </fix> |
| <fix> |
| <bug>60117</bug>: Ensure that the name of <code>LogLevel</code> is |
| localized when using <code>OneLineFormatter</code>. Patch provided by |
| Tatsuya Bessho. (kfujino) |
| </fix> |
| <fix> |
| <bug>60138</bug>: Fix the <code>SSLHostConfig</code> so that the |
| <code>protocols</code> attribute is limited to the protocols supported |
| by the current JSSE implementation rather than the default protocols |
| used by the implementation. (markt) |
| </fix> |
| <fix> |
| <bug>60146</bug>: Improve performance for resource retrieval by making |
| calls to WebResource.getInputStream() trigger caching if the resource is |
| small enough. Patch provided by mohitchugh. (markt) |
| </fix> |
| <add> |
| <bug>60151</bug>: Improve the exception error messages when a |
| <code>ResourceLink</code> fails to specify the type, specifies an |
| unknown type or specifies the wrong type. (markt) |
| </add> |
| <fix> |
| <bug>60167</bug>: Ignore empty lines in <code>/etc/passwd</code> files |
| when using the <code>PasswdUserDatabase</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60170</bug>: Exclude the compressed test file |
| <code>index.html.br</code> from RAT analysis. Patch provided by Gavin |
| McDonald. (markt) |
| </fix> |
| <fix> |
| When starting web resources, ensure that class resources are only |
| started once. (markt) |
| </fix> |
| <fix> |
| Improve the access checks for linked global resources to handle the case |
| where the current class loader is a child of the web application class |
| loader. (markt) |
| </fix> |
| <fix> |
| <bug>60196</bug>: Ensure that the <code>isMandatory</code> flag is |
| correctly set when using JASPIC authentication. (markt) |
| </fix> |
| <fix> |
| <bug>60199</bug>: Log a warning if deserialization issues prevent a |
| session attribute from being loaded. (markt) |
| </fix> |
| <fix> |
| <bug>60208</bug>: When using RFC6265 compliant cookies, the |
| <code>/</code> character should not be allowed in a cookie name since |
| the RFC6265 will drop such cookies as invalid. (markt) |
| </fix> |
| <add> |
| Introduce new methods <code>read(ByteBuffer)</code>/ |
| <code>write(ByteBuffer)</code> in |
| <code>o.a.catalina.connector.CoyoteInputStream</code>/ |
| <code>o.a.catalina.connector.CoyoteOutputStream</code>. (violetagg) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Refactor the code that implements the requirement that a call to |
| <code>complete()</code> or <code>dispatch()</code> made from a |
| non-container thread before the container initiated thread that called |
| <code>startAsync()</code> completes must be delayed until the container |
| initiated thread has completed. Rather than implementing this by |
| blocking the non-container thread, extend the internal state machine to |
| track this. This removes the possibility that blocking the non-container |
| thread could trigger a deadlock. (markt) |
| </add> |
| <fix> |
| Fail earlier if the client closes the connection during SNI processing. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60123</bug>: Avoid potential threading issues that could cause |
| excessively large values to be returned for the processing time of |
| a current request. (markt) |
| </fix> |
| <fix> |
| <bug>60174</bug>: Log instances of <code>HeadersTooLargeException</code> |
| during request processing. (markt) |
| </fix> |
| <fix> |
| <bug>60173</bug>: Allow up to 64kB HTTP/2 header table size limit. (remm) |
| </fix> |
| <fix> |
| Java 9 compatibility of direct ByteBuffer cleaner. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60101</bug>: Remove preloading of the class that was deleted. |
| (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Expand the documentation for the nested elements within a |
| <code>Resources</code> element to clarify the behaviour of different |
| configuration options with respect to the order in which resources are |
| searched. (markt) |
| </add> |
| <add> |
| Add an example of using the <code>classesToInitialize</code> attribute |
| of the <code>JreMemoryLeakPreventionListener</code> to the documentation |
| web application. Based on a patch by Cris Berneburg. (markt) |
| </add> |
| <fix> |
| <bug>60192</bug>: Correct a typo in the status output of the Manager |
| application. Patch provided by Radhakrishna Pemmasani. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Notify JMX when returning the connection that has been marked suspect. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the <code>POOL_EMPTY</code> notification has been added to |
| the JMX notification types. (kfujino) |
| </fix> |
| <fix> |
| <bug>60099</bug>: Ensure that all method arguments are used as a cache key |
| when using <code>StatementCache</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Update the download location for Objenesis. (violetagg) |
| </fix> |
| <fix> |
| <bug>60164</bug>: Replace <code>log4j-core*.jar</code> with |
| <code>log4j-web*.jar</code> since it is <code>log4j-web*.jar</code> that |
| contains the <code>ServletContainerInitializer</code>. (markt) |
| </fix> |
| <add> |
| Add documentation to the bin/catalina.bat script to remind users that |
| environment variables don't affect the configuration of Tomcat when |
| run as a Windows Service. Based upon a documentation patch by |
| James H.H. Lampert. (schultz) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.10 to |
| pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M10 (markt)" rtext="2016-09-05"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>59813</bug>: Ensure that circular relations of the Class-Path |
| attribute from JAR manifests will be processed correctly. (violetagg) |
| </fix> |
| <fix> |
| Ensure that reading the <code>singleThreadModel</code> attribute of a |
| <code>StandardWrapper</code> via JMX does not trigger initialisation of |
| the associated servlet. With some frameworks this can trigger an |
| unexpected initialisation thread and if initialisation is not thread-safe |
| the initialisation can then fail. (markt) |
| </fix> |
| <fix> |
| Compatibility with rewrite from httpd for non-existing headers. |
| (jfclere) |
| </fix> |
| <fix> |
| By default, treat paths used to obtain a request dispatcher as encoded. |
| This behaviour can be changed per web application via the |
| <code>dispatchersUseEncodedPaths</code> attribute of the Context. |
| (markt) |
| </fix> |
| <add> |
| Provide a mechanism that enables the container to check if a component |
| (typically a web application) has been granted a given permission when |
| running under a SecurityManager without the current execution stack |
| having to have passed through the component. Use this new mechanism to |
| extend SecurityManager protection to the system property replacement |
| feature of the digester. (markt) |
| </add> |
| <add> |
| When retrieving an object via a <code>ResourceLink</code>, ensure that |
| the object obtained is of the expected type. (markt) |
| </add> |
| <fix> |
| <bug>59823</bug>: Ensure that JASPIC configuration is taken into account |
| when calling <code>HttpServletRequest.authenticate()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>59824</bug>: Mark the <code>RewriteValve</code> as supporting async |
| processing by default. (markt) |
| </fix> |
| <fix> |
| <bug>59839</bug>: Apply <code>roleSearchAsUser</code> to all nested |
| searches in JNDIRealm. (fschumacher) |
| </fix> |
| <fix> |
| <bug>59859</bug>: Fix resource leak in WebDAV servlet. Based on patch by |
| Coty Sutherland. (fschumacher) |
| </fix> |
| <fix> |
| <bug>59862</bug>: Allow nested jar files scanning to be filtered with |
| the system property |
| <code>tomcat.util.scan.StandardJarScanFilter.jarsToSkip</code>. Patch |
| is provided by Terence Bandoian. (violetagg) |
| </fix> |
| <fix> |
| <bug>59866</bug>: When scanning <code>WEB-INF/classes</code> for |
| annotations, don't scan the contents of |
| <code>WEB-INF/classes/META-INF</code> (if present) since classes will |
| never be loaded from that location. (markt) |
| </fix> |
| <fix> |
| <bug>59888</bug>: Correctly handle tabs and spaces in quoted version one |
| cookies when using the <code>Rfc6265CookieProcessor</code>. (markt) |
| </fix> |
| <fix> |
| A number of the JRE memory leaks addressed by the |
| <code>JreMemoryLeakPreventionListener</code> have been fixed in Java 9 |
| so the associated protection is now disabled when running on Java 9 |
| onwards. (markt) |
| </fix> |
| <fix> |
| <bug>59912</bug>: Fix an edge case in input stream handling where an |
| <code>IOException</code> could be thrown when reading a POST body. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59913</bug>: Correct a regression introduced with the support for |
| the Servlet 4 <code>HttpServletRequest.getMapping()</code> API that |
| caused the attributes for forwarded requests to be lost if requested |
| from within a subsequent include. (markt) |
| </fix> |
| <fix> |
| <bug>59966</bug>: Do not start the web application if the error page |
| configuration in web.xml is invalid. (markt) |
| </fix> |
| <fix> |
| Switch the CGI servlet to the standard logging mechanism and remove |
| support for the debug attribute. (markt) |
| </fix> |
| <fix> |
| <bug>60012</bug>: Improvements in the log messages. Based on |
| suggestions by Nemo Chen. (violetagg) |
| </fix> |
| <fix> |
| Changes to the <code>allowLinking</code> attribute of a |
| <code>StandardRoot</code> instance now invalidate the cache if caching |
| is enabled. (markt) |
| </fix> |
| <add> |
| Add a new initialisation parameter, <code>envHttpHeaders</code>, to |
| the CGI Servlet to mitigate <a href="https://httpoxy.org">httpoxy</a> |
| (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388" |
| >CVE-2016-5388</a>) by default and to provide a mechanism that can be |
| used to mitigate any future, similar issues. (markt) |
| </add> |
| <add> |
| When adding and removing <code>ResourceLink</code>s dynamically, ensure |
| that the global resource is only visible via the |
| <code>ResourceLinkFactory</code> when it is meant to be. (markt) |
| </add> |
| <fix> |
| <bug>60008</bug>: When processing CORS requests, treat any origin with a |
| URI scheme of <code>file</code> as a valid origin. (markt) |
| </fix> |
| <fix> |
| Improve handling of exceptions during Lifecycle events triggered by a |
| state transition. The exception is now caught and the component is now |
| placed into the <code>FAILED</code> state. (markt) |
| </fix> |
| <fix> |
| <bug>60013</bug>: Fix encoding issues when using the RewriteValve with |
| UTF-8 query strings or UTF-8 redirect URLs. (markt) |
| </fix> |
| <fix> |
| <bug>60022</bug>: Improve handling when a WAR file and/or the associated |
| exploded directory are symlinked into the <code>appBase</code>. (markt) |
| </fix> |
| <fix> |
| Fix a file descriptor leak when reading the global web.xml. (markt) |
| </fix> |
| <fix> |
| Consistently decode URL patterns provided via web.xml using the encoding |
| of the web.xml file where specified or UTF-8 where no explicit encoding |
| is specified. (markt) |
| </fix> |
| <fix> |
| Make timing attacks against the Realm implementations harder. (schultz) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct a regression in refactoring to enable injection of custom |
| keystores that broke the automatic conversion of OpenSSL style PEM |
| key and certificate files for use with JSSE TLS connectors. (markt) |
| </fix> |
| <fix> |
| <bug>59910</bug>: Don't hardcode key alias value to "tomcat" for JSSE. |
| When using a keystore, OpenSSL will still default to it. (remm) |
| </fix> |
| <fix> |
| <bug>59904</bug>: Add a limit (default 200) for the number of cookies |
| allowed per request. Based on a patch by gehui. (markt) |
| </fix> |
| <fix> |
| <bug>59925</bug>: Correct regression in r1628368 and ensure that HTTP |
| separators are handled as configured in the |
| <code>LegacyCookieProcessor</code>. Patch provided by Kyohei Nakamura. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59950</bug>: Correct log message when reporting that the current |
| number of HTTP/2 streams for a connection could not be pruned to below |
| the limit. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>Semaphore.release</code> is called in all cases, even |
| when there is an exception. (violetagg) |
| </fix> |
| <fix> |
| <bug>60030</bug>: Correct a potential infinite loop in the SNI parsing |
| code triggered by failing to handle an end of stream condition. (markt) |
| </fix> |
| <fix> |
| Refactor the JSSE client certificate validation so that the |
| effectiveness of the <code>certificateVerificationDepth</code> |
| configuration attribute does not depend on the presence of a certificate |
| revocation list. (markt) |
| </fix> |
| <fix> |
| Small logging optimization in the <code>Rfc6265CookieProcessor</code>. |
| Patch provided by Svetlin Zarev. (markt) |
| </fix> |
| <fix> |
| OpenSSL now disables 3DES by default so reflect this when using OpenSSL |
| syntax to select ciphers. (markt) |
| </fix> |
| <fix> |
| Use the proper ERROR socket status code for async errors with NIO2. |
| (remm) |
| </fix> |
| <fix> |
| <bug>60035</bug>: Fix a potential connection leak if the client drops a |
| TLS connection before the handshake completes. (markt) |
| </fix> |
| <add> |
| Log a warning at start up if a JSSE TLS connector is configured with |
| a trusted certificate that is either not yet valid or has expired. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| When writing out a full web.xml file with JspC ensure that the encoding |
| used in the XML prolog matches the encoding used to write the contents |
| of the file. (markt) |
| </fix> |
| <fix> |
| Improve the error handling for custom tags to ensure that the tag is |
| returned to the pool or released and destroyed once used. (markt) |
| </fix> |
| <fix> |
| <bug>60032</bug>: Fix handling of method calls that use varargs within |
| EL value expressions. (markt) |
| </fix> |
| <fix> |
| Ignore <code>engineOptionsClass</code> and <code>scratchdir</code> when |
| running under a security manager. (markt) |
| </fix> |
| <fix> |
| Fixed StringIndexOutOfBoundsException. Based on a patch provided by |
| wuwen via GitHub. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>59908</bug>: Ensure that a reason phrase is included in the close |
| message if a session is closed due to a timeout. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>59867</bug>: Correct the documentation provided by Manager's |
| 403.jsp. (violetagg) |
| </fix> |
| <fix> |
| <bug>59868</bug>: Clarify the documentation for the Manager web |
| application to make clearer that the host name and IP address in the |
| server section are the primary host name and IP address. (markt) |
| </fix> |
| <fix> |
| <bug>59940</bug>: Correct the name of the |
| <code>truststorePassword</code> attribute of the |
| <code>SSLHostConfig</code> element in the configuration documentation. |
| (markt) |
| </fix> |
| <fix> |
| MBeans Descriptors How-To is moved to |
| <code>mbeans-descriptors-howto.html</code>. Patch provided by Radoslav |
| Husar. (violetagg) |
| </fix> |
| <fix> |
| Update NIO Connector configuration documentation with information |
| about <code>socket.directSslBuffer</code>. (violetagg) |
| </fix> |
| <fix> |
| <bug>60034</bug>: Correct a typo in the Manager How-To page of the |
| documentation web application. (markt) |
| </fix> |
| <fix> |
| Correct the name of the CRL location configuration attributes in the |
| documentation web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| In order to avoid the unintended skip of <code>PoolCleaner</code>, |
| remove the check code of the execution interval in the task that has |
| been scheduled. (kfujino) |
| </fix> |
| <fix> |
| <bug>59850</bug>: Ensure that the <code>ResultSet</code> is closed when |
| enabling the <code>StatementCache</code> interceptor. (kfujino) |
| </fix> |
| <fix> |
| <bug>59923</bug>: Reduce the default value of |
| <code>validationInterval</code> in order to avoid the potential issue |
| of continuing to return an invalid connection after a database restart. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the <code>ResultSet</code> is returned as Proxy object when |
| enabling the <code>StatementDecoratorInterceptor</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>60043</bug>: Ensure that the <code>suspectTimeout</code> works |
| without removing connection when the <code>removeAbandoned</code> is |
| disabled. (kfujino) |
| </fix> |
| <fix> |
| Add a log message when returning the connection that has been marked |
| suspect. (kfujino) |
| </fix> |
| <fix> |
| Correct Javadoc for <code>ConnectionPool.suspect()</code>. Based on a |
| patch by Yahya Cahyadi. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>59871</bug>: Add a property (<code>timeFormat</code>) to |
| JULI's <code>OneLineFormatter</code> to enable the format of the |
| time stamp used in log messages to be configured. (markt) |
| </add> |
| <fix> |
| <bug>59899</bug>: Update Tomcat's copy of the Java Persistence |
| annotations to include the changes made in 2.1 / JavaEE 7. (markt) |
| </fix> |
| <fix> |
| Fixed typos in mbeans-descriptors.xml files. (violetagg) |
| </fix> |
| <update> |
| Update the internal fork of Commons BCEL to r1757132 to align with the |
| BCEL 6 release. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP 2 to r1757164 to pick up a |
| couple of bug fixes. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to r1757174. Code formatting |
| changes only. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons FileUpload to afdedc9. This pulls in |
| a fix to improve the performance with large multipart boundaries. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M9 (markt)" rtext="2016-07-12"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>18500</bug>: Add limited support for wildcard host names and host |
| aliases. Names of the form <code>*.domainname</code> are now permitted. |
| Note that an exact host name match takes precedence over a wildcard |
| host name match. (markt) |
| </fix> |
| <fix> |
| <bug>57705</bug>: Add debug logging for requests denied by the remote |
| host and remote address valves and filters. Based on a patch by Graham |
| Leggett. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the fix for <bug>58588</bug> that removed the |
| entire <code>org.apache.juli</code> package from the embedded JARs |
| rendering them unusable. (markt) |
| </fix> |
| <add> |
| <bug>59399</bug>: Add a new option to the Realm implementations that |
| ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS |
| redirects to be controlled per Realm. (markt) |
| </add> |
| <fix> |
| <bug>59708</bug>: Modify the LockOutRealm logic. Valid authentication |
| attempts during the lock out period will no longer reset the lock out |
| timer to zero. (markt) |
| </fix> |
| <update> |
| Change the default of the |
| <code>sessionCookiePathUsesTrailingSlash</code> attribute of the |
| <code>Context</code> element to <code>false</code> since the problems |
| caused when a Servlet is mapped to <code>/*</code> are more significant |
| than the security risk of not enabling this option by default. (markt) |
| </update> |
| <fix> |
| Follow-up to <bug>59655</bug>. Improve the documentation for configuring |
| permitted cookie names. Patch provided by Kyohei Nakamura. (markt) |
| </fix> |
| <fix> |
| Do not attempt to start web resources during a web application's |
| initialisation phase since the web application is not fully configured |
| at that point and the web resources may not be correctly configured. |
| (markt) |
| </fix> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix a cause of multiple attempts to close the same socket. (markt) |
| </fix> |
| <scode> |
| Refactor the certificate keystore and trust store generation to make it |
| easier for embedded users to inject their own key stores. (markt) |
| </scode> |
| <update> |
| Add a <code>maxConcurrentStreamExecution</code> on the HTTP/2 |
| protocol handler to allow restricting the number of concurrent streams |
| that are being executed in a single connection. The default is to |
| not limit it. (remm) |
| </update> |
| <add> |
| <bug>59233</bug>: Add the ability to add TLS virtual hosts dynamically. |
| (markt) |
| </add> |
| <fix> |
| Correct a problem with <code>ServletRequest.getServerPort()</code> for |
| secure HTTP/2 connections that meant an incorrect value was returned when |
| using the default port. (markt) |
| </fix> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| Document the default for the HTTP/2 configuration parameter |
| <code>maxConcurrentStreamExecution</code> as 20. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <scode> |
| Now that the WebSocket implementation is not built directly on top of the |
| Servlet API and can use Tomcat internals, there is no need for the |
| dedicated WebSocket Executor. It has been replaced by the use of the |
| Connector/Endpoint provided Executor. (markt) |
| </scode> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| Do not log an additional case of <code>IOException</code>s in the |
| error handler for the Drawboard WebSocket example when the root cause is |
| the client disconnecting since the logs add no value. (markt) |
| </fix> |
| <fix> |
| <bug>59642</bug>: Mention the <code>localDataSource</code> in the |
| <code>DataSourceRealm</code> section of the Realm How-To. (markt) |
| </fix> |
| <fix> |
| <bug>59672</bug>: Update the security considerations page of the |
| documentation web application to take account of the fact that the |
| Manager and HostManager applications now have a |
| <code>RemoteAddrValve</code> configured by default. (markt) |
| </fix> |
| <fix> |
| Follow-up to the fix for <bug>59399</bug>. Ensure that the new attribute |
| <code>transportGuaranteeRedirectStatus</code> is documented for all |
| <strong>Realm</strong>s. Also document the <code>NullRealm</code> and |
| when it is automatically created for an <strong>Engine</strong>. (markt) |
| </fix> |
| <fix> |
| Fix the description of <code>maxAge</code> attribute in jdbc-pool doc. |
| This attribute works both when a connection is returned and when a |
| connection is borrowed. (kfujino) |
| </fix> |
| <fix> |
| <bug>59774</bug>: Correct the <code>prefix</code> values in the |
| documented examples for configuring the <code>AccessLogValve</code>. |
| Patch provided by Mike Noordermeer. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add log message when the ping has timed-out. (kfujino) |
| </add> |
| <fix> |
| If the ping message has been received at the |
| <code>AbstractReplicatedMap#leftOver</code> method, ensure that |
| notification is given that the member is alive rather than ignoring it. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix the duplicated connection release when connection verification |
| failed. (kfujino) |
| </fix> |
| <fix> |
| Ensure that an abandoned connection that has already been released is |
| not removed. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Remove JULI plus log4j extras and embedded artifacts from Maven release |
| script. (markt) |
| </fix> |
| <add> |
| Use the mirror network rather than the ASF master site to download the |
| current ASF dependencies. (markt) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.8 to |
| pick up the latest fixes and make 1.2.8 the minimum recommended version. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M8 (markt)" rtext="2016-06-13"> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Remove accidentally committed debug code. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M7 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| RMI Target related memory leaks are avoidable which makes them an |
| application bug that needs to be fixed rather than a JRE bug to work |
| around. Therefore, start logging RMI Target related memory leaks on web |
| application stop. Add an option that controls if the check for these |
| leaks is made. Log a warning if running on Java 9 with this check |
| enabled but without the command line option it requires. (markt) |
| </fix> |
| <fix> |
| Ensure NPE will not be thrown during deployment when scanning jar files |
| without MANIFEST.MF file. (violetagg) |
| </fix> |
| <scode> |
| Remove the <code>clearReferencesStatic</code> option from |
| <code>StandardContext</code>. It was known to cause problems with some |
| libraries (such as log4j) and was only linked to suspected memory leaks |
| rather than known memory leaks. It had been disabled by default with no |
| increase in the reports of memory leaks for some time. (markt) |
| </scode> |
| <fix> |
| <bug>59604</bug>: Correct the assumption made in the URL decoding that |
| the default platform encoding is always compatible with ISO-8859-1. This |
| assumption is not always valid, e.g. on z/OS. (markt) |
| </fix> |
| <fix> |
| <bug>59608</bug>: Skip over any invalid <code>Class-Path</code> attribute |
| from JAR manifests. Log errors at debug level due to many bad libraries. |
| (remm) |
| </fix> |
| <fix> |
| Fix the error message when registration of an MBean fails. (kfujino) |
| </fix> |
| <fix> |
| <bug>59655</bug>: Configure the cookie name validation to use RFC6265 |
| rules by default to align it with the default cookie parser. Document |
| the impact system properties have on cookie name validation. (mark) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that requests with HTTP method names that are not tokens (as |
| required by RFC 7231) are rejected with a 400 response. (markt) |
| </fix> |
| <fix> |
| When an asynchronous request is processed by the AJP connector, ensure |
| that request processing has fully completed before starting the next |
| request. (markt) |
| </fix> |
| <fix> |
| Improve handling of HTTP/2 stream resets. (markt) |
| </fix> |
| <add> |
| <bug>58750</bug>: The HTTP Server header is no longer set by default. A |
| Server header may be configured by setting the <code>server</code> |
| attribute on the <code>Connector</code>. A new <code>Connector</code> |
| attribute, <code>serverRemoveAppProvidedValues</code> may be used to |
| remove any Server header set by a web application. (markt) |
| </add> |
| <fix> |
| <bug>59564</bug>: Correct offset when reading into HTTP/2 input buffer |
| that could cause problems reading request bodies. (violetagg/markt) |
| </fix> |
| <fix> |
| Modify the handling of read/write timeouts so that the appropriate error |
| handling (<code>ReadListener.onError()</code>, |
| <code>WriteListener.onError()</code> or |
| <code>AsyncListener.onError()</code>) is called. (markt) |
| </fix> |
| <fix> |
| If an async dispatch results in the completion of request processing, |
| ensure that any remaining request body is swallowed before starting the |
| processing of the next request else the remaining body may be read as the |
| start of the next request leading to a 400 response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>59567</bug>: Fix NPE scanning webapps for TLDs when an exploded |
| JAR has an empty WEB-INF/classes/META-INF folder. (remm) |
| </fix> |
| <fix> |
| Fix a memory leak in the expression language implementation that caused |
| the class loader of the first web application to use expressions to be |
| pinned in memory. (markt) |
| </fix> |
| <fix> |
| <bug>59654</bug>: Improve error message when attempting to use a TLD |
| file from an invalid location. Patch provided by Huxing Zhang. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>59659</bug>: Fix possible memory leak in WebSocket handling of |
| unexpected client disconnects. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>58891</bug>: Update the SSL How-To. Based on a suggestion by |
| Alexander Kjäll. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Extras"> |
| <changelog> |
| <scode> |
| <bug>58588</bug>: Remove the JULI extras package from the distribution. |
| It was only useful for switching Tomcat's internal logging to log4j |
| 1.2.x and that version of log4j is no longer supported. No additional |
| Tomcat code is required if switching Tomcat's internal logging to log |
| via log4j 2.x. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix a memory leak with the pool cleaner thread that retained a reference |
| to the web application class loader for the first web application to use |
| a connection pool. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus |
| additional fixes). (markt) |
| </update> |
| <scode> |
| Use UTF-8 with a standard prolog for all XML files. (markt) |
| </scode> |
| <fix> |
| <bug>58626</bug>: Add support for a new environment variable |
| (<code>USE_NOHUP</code>) that causes <code>nohup</code> to be used when |
| starting Tomcat. It is disabled by default except on HP-UX where it is |
| enabled by default since it is required when starting Tomcat at boot on |
| HP-UX. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M6 (markt)" rtext="2016-05-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Ensure that annotated web components packed in web fragments will be |
| processed when <code>unpackWARs</code> is enabled. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M5 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>48922</bug>: Apply a very small performance improvement to the |
| date formatting in Tomcat's internal request object. Based on a patch |
| provided by Ondrej Medek. (markt) |
| </fix> |
| <fix> |
| <bug>59206</bug>: Ensure NPE will not be thrown by |
| <code>o.a.tomcat.util.file.ConfigFileLoader</code> when |
| <code>catalina.base</code> is not specified. (violetagg) |
| </fix> |
| <fix> |
| <bug>59217</bug>: Remove duplication in the recycling of the path in |
| <code>o.a.tomcat.util.http.ServerCookie</code>. Patch is provided by |
| Kyohei Nakamura. (violetagg) |
| </fix> |
| <fix> |
| Fixed possible NPE in |
| <code>o.a.catalina.loader.WebappClassLoaderBase.getResourceAsStream</code> |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>59213</bug>: Async dispatches should be based off a wrapped |
| request. (remm) |
| </fix> |
| <fix> |
| Ensure that <code>javax.servlet.ServletRequest</code> and |
| <code>javax.servlet.ServletResponse</code> provided during |
| <code>javax.servlet.AsyncListener</code> registration are made |
| available via <code>javax.servlet.AsyncEvent.getSuppliedRequest</code> |
| and <code>javax.servlet.AsyncEvent.getSuppliedResponse</code> |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>59219</bug>: Ensure <code>AsyncListener.onError()</code> is called |
| if an <code>Exception</code> is thrown during async processing. (markt) |
| </fix> |
| <fix> |
| <bug>59220</bug>: Ensure that <code>AsyncListener.onComplete()</code> is |
| called if the async request times out and the response is already |
| committed. (markt) |
| </fix> |
| <fix> |
| <bug>59226</bug>: Process the <code>Class-Path</code> attribute from |
| JAR manifests for JARs on the class path excluding JARs packaged in |
| <code>WEB-INF/lib</code>. (markt) |
| </fix> |
| <fix> |
| <bug>59255</bug>: Fix possible NPE in mapper. (kkolinko/remm) |
| </fix> |
| <fix> |
| <bug>59256</bug>: <code>slf4j-taglib*.jar</code> should not be excluded |
| from the standard JAR scanning by default. (violetagg) |
| </fix> |
| <fix> |
| Clarify the log message that specifying both urlPatterns and value |
| attributes in @WebServlet and @WebFilter annotations is not allowed. |
| (violetagg) |
| </fix> |
| <fix> |
| Ensure the exceptions caused by Valves will be available in the log |
| files so that they can be evaluated when |
| <code>o.a.catalina.valves.ErrorReportValve.showReport</code> is |
| disabled. Patch is provided by Svetlin Zarev. (violetagg) |
| </fix> |
| <fix> |
| Remove unused <code>distributable</code> attribute that is defined as |
| <code>TransientAttribute</code> of <code>Manager</code> in StoreConfig. |
| (kfujino) |
| </fix> |
| <fix> |
| Fix handling of Cluster Receiver in StoreConfig. The <code>bind</code> |
| and <code>host</code> attributes are defined as |
| <code>TransientAttribute</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>59261</bug>: <code>ServletRequest.getAsyncContext()</code> now |
| throws an <code>IllegalStateException</code> as required by the Servlet |
| specification if the request is not in asynchronous mode when called. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59269</bug>: Correct the implementation of |
| <code>PersistentManagerBase</code> so that <code>minIdleSwap</code> |
| functions as designed and sessions are swapped out to keep the active |
| session count below <code>maxActiveSessions</code>. (markt) |
| </fix> |
| <update> |
| Update the implementation of the proposed Servlet 4.0 API to provide |
| mapping type information for the current request to reflect discussions |
| within the EG. (markt) |
| </update> |
| <fix> |
| Correctly configure the base path for a resources directory provided by |
| an expanded JAR file. Patch provided by hengyunabc. (markt) |
| </fix> |
| <add> |
| When multiple compressed formats are available and the client does not |
| express a preference, use the server order to determine the preferred |
| format. Based on a patch by gmokki. (markt) |
| </add> |
| <fix> |
| <bug>59284</bug>: Allow the Tomcat provided JASPIC |
| <code>SimpleServerAuthConfig</code> to pick up module configuration |
| properties from either the property set passed to its constructor or |
| from the properties passed in the call to <code>getAuthContext</code>. |
| Based on a patch by Thomas Maslen. (markt) |
| </fix> |
| <fix> |
| <bug>59310</bug>: Do not add a <code>Content-Length: 0</code> header for |
| custom responses to <code>HEAD</code> requests that do not set a |
| <code>Content-Length</code> value. (markt) |
| </fix> |
| <fix> |
| When normalizing paths, improve the handling when paths end with |
| <code>/.</code> or <code>/..</code> and ensure that input and output are |
| consistent with respect to whether or not they end with <code>/</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59317</bug>: Ensure that |
| <code>HttpServletRequest.getRequestURI()</code> returns an encoded URI |
| rather than a decoded URI after a dispatch. (markt) |
| </fix> |
| <fix> |
| Use the correct URL for the fragment when reporting errors processing |
| a <code>web-fragment.xml</code> file from a JAR located in an unpacked |
| WAR. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>JarScanner</code> only uses the explicit call-back to |
| process <code>WEB-INF/classes</code> and only when configured to treat |
| the contents of <code>WEB-INF/classes</code> as a possible exploded JAR. |
| (markt) |
| </fix> |
| <scode> |
| Remove the <code>java2DDisposerProtection</code> option from the |
| <code>JreMemoryLeakPreventionListener</code>. The leak is fixed in Java |
| 7 onwards and Tomcat 9 requires Java 8 so the option is unnecessary. |
| (markt) |
| </scode> |
| <scode> |
| Remove the <code>securityPolicyProtection</code> option from the |
| <code>JreMemoryLeakPreventionListener</code>. The leak is fixed in Java |
| 8 onwards and Tomcat 9 requires Java 8 so the option is unnecessary. |
| (markt) |
| </scode> |
| <scode> |
| Remove the <code>securityLoginConfigurationProtection</code> option from |
| the <code>JreMemoryLeakPreventionListener</code>. The leak is fixed in |
| Java 8 onwards and Tomcat 9 requires Java 8 so the option is |
| unnecessary. (markt) |
| </scode> |
| <fix> |
| Ensure that the value for the header <code>X-Frame-Options</code> is |
| constructed correctly according to the specification when |
| <code>ALLOW-FROM</code> option is used. (violetagg) |
| </fix> |
| <fix> |
| Fix an <code>IllegalArgumentException</code> if the first use of an |
| internal <code>Response</code> object requires JASPIC authentication. |
| (markt) |
| </fix> |
| <fix> |
| Do not trigger unnecessary session ID changes when using JASPIC and the |
| user is authenticated using cached credentials. (markt) |
| </fix> |
| <fix> |
| <bug>59437</bug>: Ensure that the JASPIC <code>CallbackHandler</code> is |
| thread-safe. (markt) |
| </fix> |
| <fix> |
| <bug>59449</bug>: In <code>ContainerBase</code>, ensure that the process |
| to remove a child container is the reverse of the process to add one. |
| Patch provided by Huxing Zhang. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Improves OpenSSL engine robustness when SSL allocation fails for |
| some reason. (remm) |
| </fix> |
| <fix> |
| OpenSSL engine code cleanups. (remm) |
| </fix> |
| <fix> |
| Align cipher configuration parsing with current OpenSSL master. (markt) |
| </fix> |
| <update> |
| Change the default for <code>honorCipherOrder</code> to |
| <code>false</code>. With the current default TLS configuration, it is no |
| longer necessary for this to be <code>true</code> for a reasonably |
| secure configuration. (markt) |
| </update> |
| <add> |
| Add a new environment variable <code>JSSE_OPTS</code> that is intended |
| to be used to pass JVM wide configuration to the JSSE implementation. |
| The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code> |
| which protects against weak Diffie-Hellman keys. (markt) |
| </add> |
| <fix> |
| <bug>58970</bug>: Fix a connection counting bug in the NIO connector |
| that meant some dropped connections were not removed from the current |
| connection count. (markt) |
| </fix> |
| <fix> |
| <bug>59289</bug>: Do not recycle upgrade processors in unexpected close |
| situations. (remm) |
| </fix> |
| <fix> |
| <bug>59295</bug>: Use <code>Locale.toLanguageTag()</code> to construct |
| the <code>Content-Language</code> HTTP header to ensure the locale is |
| correctly represented. Patch provided by zikfat. (markt) |
| </fix> |
| <update> |
| <bug>59295</bug>: Add support for using PEM encoded certificates with |
| JSSE SSL. Submitted by Emmanuel Bourg with additional tweaks. (remm) |
| </update> |
| <fix> |
| Make the TLS certificate chain available to clients when using |
| JSSE+OpenSSL with the certificate chain stored in a Java KeyStore. |
| (markt) |
| </fix> |
| <fix> |
| Work around <a href="https://github.com/openssl/openssl/issues/188">a |
| known issue in OpenSSL</a> that does not permit the TLS handshake to be |
| failed if the ALPN negotiation fails. (markt) |
| </fix> |
| <update> |
| <bug>59421</bug>: Add direct HTTP/2 connection support. (remm) |
| </update> |
| <fix> |
| Correctly handle a call to <code>AsyncContext.complete()</code> from a |
| non-container thread when non-blocking I/O is being used. (markt) |
| </fix> |
| <fix> |
| <bug>59451</bug>: Correct Javadoc for <code>MessageBytes</code>. Patch |
| provided by Kyohei Nakamura. (markt) |
| </fix> |
| <fix> |
| <bug>59450</bug>: Correctly handle the case where the |
| <code>LegacyCookieProcessor</code> is configured with |
| <code>allowHttpSepsInV0</code> set to <code>false</code> and |
| <code>forwardSlashIsSeparator</code> set to <code>true</code>. Patch |
| provided by Kyohei Nakamura. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| When scanning JARs for TLDs, correctly handle the (rare) case where a |
| JAR has been exploded into <code>WEB-INF/classes</code> and the web |
| application is deployed as a packed WAR. (markt) |
| </fix> |
| <fix> |
| <bug>59640</bug>: NPEs with not found TLDs. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>59189</bug>: Explicitly release the native memory held by the |
| <code>Inflater</code> and <code>Deflater</code> when using |
| PerMessageDeflate and the WebSocket session ends. Based on a patch by |
| Henrik Olsson. (markt) |
| </fix> |
| <fix> |
| Restore the <code>WsServerContainer.doUpgrade()</code> method which was |
| accidentally removed since it is not used by Tomcat. (markt) |
| </fix> |
| <fix> |
| Fix a regression caused by the connector refactoring and ensure that the |
| thread context class loader is set to the web application |
| classloader when processing WebSocket messages on the server. (markt) |
| </fix> |
| <fix> |
| Ensure that a client disconnection triggers the error handling for the |
| associated WebSocket end point. (markt) |
| </fix> |
| <add> |
| Make WebSocket client more robust when handling errors during the close |
| of a WebSocket session. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>59218</bug>: Correct the path to <code>jaspic-providers.xml</code> |
| in Jaspic How-To. Patch is provided by Tatsuya Bessho. (violetagg) |
| </fix> |
| <fix> |
| Remove button that has accidentally been added to the host manager. |
| Submitted by Coty Sutherland. (remm) |
| </fix> |
| <fix> |
| Update the link in the documentation to the Maven repository where |
| Tomcat snapshot artifacts are deployed. (markt/violetagg) |
| </fix> |
| <fix> |
| Clarify in the documentation that calls to |
| <code>ServletContext.log(String, Throwable)</code> or |
| <code>GenericServlet.log(String, Throwable)</code> are logged at the |
| SEVERE level. (violetagg) |
| </fix> |
| <fix> |
| Correct a typo in SSL/TLS Configuration How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Avoid NPE when a proxy node failed to retrieve a backup entry. (kfujino) |
| </fix> |
| <add> |
| Add a flag indicating that the member is a localMember. (kfujino) |
| </add> |
| <fix> |
| Fix potential NPE that depends on the setting order of attributes of |
| static member when using the static cluster. (kfujino) |
| </fix> |
| <add> |
| Add get/set method for the channel that is related to |
| <code>ChannelInterceptor</code>. (kfujino) |
| </add> |
| <fix> |
| As with the multicast cluster environment, in the static cluster |
| environment, the local member inherits properties from the cluster |
| receiver. (kfujino) |
| </fix> |
| <add> |
| Add get/set method for the channel that is related to each of the |
| Channel services. (kfujino) |
| </add> |
| <add> |
| Add name to channel in order to identify channels. In a Tomcat cluster |
| environment, the cluster name + "-Channel" is set as the default value. |
| (kfujino) |
| </add> |
| <add> |
| Add the channel name to the thread which is invoked by channel services |
| in order to identify the associated channel. (kfujino) |
| </add> |
| <fix> |
| Ensure that the channel instance is cleared from the channel services |
| when stopping the channel. (kfujino) |
| </fix> |
| <add> |
| Implement map state in the replication map. (kfujino) |
| </add> |
| <fix> |
| Ensure that the ping is not executed during the start/stop of the |
| replication map. (kfujino) |
| </fix> |
| <fix> |
| In ping processing in the replication map, send not the |
| <code>INIT</code> message but the newly introduced <code>PING</code> |
| message. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>59211</bug>: Add hamcrest to Eclipse classpath. Patch is provided |
| by Huxing Zhang. (violetagg) |
| </fix> |
| <update> |
| <bug>59276</bug>: Update optional Checkstyle library to 6.17. |
| (kkolinko) |
| </update> |
| <update> |
| <bug>59280</bug>: Update the NSIS Installer used to build the |
| Windows Installers to version 2.51. (kkolinko) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.7 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2h and APR |
| 1.5.2. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M4 (markt)" rtext="2016-03-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Ensure that <code>/WEB-INF/classes</code> is never processed as a web |
| fragment. (markt) |
| </fix> |
| <update> |
| Switch default connector when native is installed. Unless configured |
| otherwise, the NIO endpoint will be used by default. If SSL is |
| configured, OpenSSL will be used rather than JSSE. (remm) |
| </update> |
| <fix> |
| Correct a regression in the fix for <bug>58867</bug>. When configuring a |
| Context to use an external directory for the <code>docBase</code>, and |
| that directory happens to be located alongside the original WAR, use |
| the directory as the <code>docBase</code> rather than expanding the |
| WAR into the <code>appBase</code> and using the newly created expanded |
| directory as the <code>docBase</code>. (markt) |
| </fix> |
| <add> |
| <bug>58351</bug>: Make the server build date and server version number |
| accessible via JMX. Patch provided by Huxing Zhang. (markt) |
| </add> |
| <add> |
| <bug>58988</bug>: Special characters in the substitutions for the |
| RewriteValve can now be quoted with a backslash. (fschumacher) |
| </add> |
| <fix> |
| <bug>58999</bug>: Fix class and resource name filtering in |
| WebappClassLoader. It throws a StringIndexOutOfBoundsException if the |
| name is exactly "org" or "javax". (rjung) |
| </fix> |
| <add> |
| Add JASPIC (JSR-196) support. (markt) |
| </add> |
| <add> |
| Make checking for var and map replacement in RewriteValve a bit stricter |
| and correct detection of colon in var replacement. (fschumacher) |
| </add> |
| <fix> |
| Refactor the web application class loader to reduce the impact of JAR |
| scanning on the memory footprint of the web application. (markt) |
| </fix> |
| <fix> |
| Fix some resource leaks in the error handling for accessing files from |
| JARs and WARs. (markt) |
| </fix> |
| <fix> |
| Refactor the JAR and JAR-in-WAR resource handling to reduce the memory |
| footprint of the web application. (markt) |
| </fix> |
| <fix> |
| Refactor the web.xml parsing so a new parser is created every time the |
| web application starts rather than creating and caching the parser when |
| the Context is created. This enables the parser to take account of |
| modified Context configuration parameters and reduces (slightly) the |
| memory footprint of a running Tomcat instance. (markt) |
| </fix> |
| <update> |
| Switch the web application class loader to the |
| <code>ParallelWebappClassLoader</code> by default. (markt) |
| </update> |
| <fix> |
| <bug>57809</bug>: Remove the custom context attribute that held the |
| effective web.xml. Components needing access to configuration |
| information may access it via the Servlet API. (markt) |
| </fix> |
| <fix> |
| Refactor JAR scanning to reduce memory footprint. (markt) |
| </fix> |
| <fix> |
| <bug>59001</bug>: Correctly handle the case when Tomcat is installed on |
| a path where one of the segments ends in an exclamation mark. (markt) |
| </fix> |
| <fix> |
| Expand the fix for <bug>59001</bug> to cover the special sequences used |
| in Tomcat's custom jar:war: URLs. (markt) |
| </fix> |
| <fix> |
| <bug>59043</bug>: Avoid warning while expiring sessions associated with |
| a single sign on if <code>HttpServletRequest.logout()</code> is used. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59054</bug>: Ensure that using the |
| <code>CrawlerSessionManagerValve</code> in a distributed environment |
| does not trigger an error when the Valve registers itself in the |
| session. (markt) |
| </fix> |
| <fix> |
| Add socket properties support to storeconfig. (remm) |
| </fix> |
| <fix> |
| Fix incorrect parsing of the NE and NC flags in rewrite rules. (remm) |
| </fix> |
| <fix> |
| <bug>59065</bug>: Correct the timing of the check for colons in paths |
| on non-Windows systems implemented in <code>catalina.sh</code> so it |
| works correctly with Cygwin. Patch provided by Ed Randall. (markt) |
| </fix> |
| <fix> |
| When a Host is configured with an appBase that does not exist, create |
| the appBase before trying to expand an external WAR file into it. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59115</bug>: When using the Servlet 3.0 file upload, the submitted |
| file name may be provided as a token or a quoted-string. If a |
| quoted-string, unquote the string before returning it to the user. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59123</bug>: Close <code>NamingEnumeration</code> objects used by |
| the <code>JNDIRealm</code> once they are no longer required. |
| (fschumacher/markt) |
| </fix> |
| <add> |
| Implement the proposed Servlet 4.0 API to provide mapping type |
| information for the current request. (markt) |
| </add> |
| <fix> |
| <bug>59138</bug>: Correct a false positive warning for ThreadLocal |
| related memory leaks when the key class but not the value class has been |
| loaded by the web application class loader. (markt) |
| </fix> |
| <add> |
| <bug>59017</bug>: Make the pre-compressed file support in the Default |
| Servlet generic so any compression may be used rather than just gzip. |
| Patch provided by Mikko Tiihonen. (markt) |
| </add> |
| <fix> |
| <bug>59145</bug>: Don't log an invalid warning when a user logs out of |
| a session associated with SSO. (markt) |
| </fix> |
| <fix> |
| <bug>59150</bug>: Add an additional flag on APR listener to allow |
| disabling automatic use of OpenSSL. (remm) |
| </fix> |
| <fix> |
| <bug>59151</bug>: Fix a regression in the fix for <bug>56917</bug> that |
| added additional (and arguably unnecessary) validation to the provided |
| redirect location. (markt) |
| </fix> |
| <fix> |
| <bug>59154</bug>: Fix a <code>NullPointerException</code> in the |
| <code>JAASMemoryLoginModule</code> resulting from the introduction of |
| the <code>CredentialHandler</code> to <code>Realm</code>s. |
| (schultz/markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Handle the case in the NIO2 connector where the required TLS buffer |
| sizes increase after the connection has been initiated. (markt/remm) |
| </fix> |
| <fix> |
| Bad processing of handshake errors in NIO2. (remm) |
| </fix> |
| <fix> |
| Use JSSE session configuration options with OpenSSL. (remm) |
| </fix> |
| <fix> |
| <bug>59015</bug>: Fix potential cause of endless APR Poller loop during |
| shutdown if the Poller experiences an error during the shutdown process. |
| (markt) |
| </fix> |
| <fix> |
| Align cipher aliases for <code>kECDHE</code> and <code>ECDHE</code> with |
| the current OpenSSL implementation. (markt) |
| </fix> |
| <fix> |
| <bug>59081</bug>: Retain the user defined cipher order when defining |
| ciphers. (markt) |
| </fix> |
| <fix> |
| <bug>59089</bug>: Correctly ignore HTTP headers that include non-token |
| characters in the header name. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Update to the Eclipse JDT Compiler 4.5.1. (markt) |
| </update> |
| <fix> |
| <bug>57583</bug>: Improve the performance of |
| <code>javax.servlet.jsp.el.ScopedAttributeELResolver</code> when |
| resolving attributes that do not exist. This improvement only works when |
| Jasper is used with Tomcat's EL implementation. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Fix a timing issue on session close that could result in an exception |
| being thrown for an incomplete message even though the message was |
| completed. (markt) |
| </fix> |
| <fix> |
| Correctly handle compression of partial messages when the final message |
| fragment has a zero length payload. (markt) |
| </fix> |
| <fix> |
| <bug>59119</bug>: Correct read logic for WebSocket client when using |
| secure connections. (markt) |
| </fix> |
| <fix> |
| <bug>59134</bug>: Correct client connect logic for secure connections |
| made through a proxy. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct an error in the documentation of the expected behaviour for |
| automatic deployment. If a WAR is updated and an expanded directory is |
| present, the directory will always be deleted and recreated by expanding |
| the WAR if <code>unpackWARs</code> is <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>48674</bug>: Implement an option within the Host Manager web |
| application to persist the current configuration. Based on a patch by |
| Coty Sutherland. (markt) |
| </fix> |
| <fix> |
| <bug>58935</bug>: Remove incorrect references in the documentation to |
| using <code>jar:file:</code> URLs with the Manager application. (markt) |
| </fix> |
| <fix> |
| Correct the description of the |
| <code>ServletRequest.getServerPort()</code> in Proxy How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <add> |
| The Manager and Host Manager applications are now only accessible via |
| <code>localhost</code> by default. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| If promoting a proxy node to a primary node when getting a session, |
| notify the change of the new primary node to the original backup node. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>58283</bug>: Change the default download location for libraries |
| during the build process from <code>/usr/share/java</code> to |
| <code>${user.home}/temp</code>. Patch provided by Ahmed Hosni. (markt) |
| </fix> |
| <fix> |
| <bug>59031</bug>: When using the Windows uninstaller, do not remove the |
| contents of any directories that have been symlinked into the Tomcat |
| directory structure. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.5 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2g and APR |
| 1.5.1. (markt) |
| </update> |
| <update> |
| Modify the default <code>tomcat-users.xml</code> file to make it harder |
| for users to configure the entries intended for use with the examples |
| web application for the Manager application. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M3 (markt)" rtext="2016-02-05"> |
| <subsection name="General"> |
| <changelog> |
| <add> |
| Allow multiple JUnit test class patterns to be configured with the build |
| property <code>test.name</code> and document the property in |
| BUILDING.txt. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Protect initialization of <code>ResourceLinkFactory</code> when |
| running with a SecurityManager. (kkolinko) |
| </fix> |
| <fix> |
| Correct a thread safety issue in the filtering of session attributes |
| based on the implementing class name of the value object. (markt) |
| </fix> |
| <fix> |
| Fix class loader decision on the delegation for class loading and |
| resource lookup and make it faster too. (rjung) |
| </fix> |
| <fix> |
| <bug>58768</bug>: Log a warning if a redirect fails because of an |
| invalid location. (markt) |
| </fix> |
| <scode> |
| <bug>58827</bug>: Remove remains of JSR-77 implementation. (markt) |
| </scode> |
| <fix> |
| <bug>58946</bug>: Ensure that the request parameter map remains |
| immutable when processing via a RequestDispatcher. (markt) |
| </fix> |
| <fix> |
| <bug>58905</bug>: Ensure that <code>Tomcat.silence()</code> silences the |
| correct logger and respects the current setting. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct a regression in the connector refactoring in 9.0.0.M2 that broke |
| TLS support for the APR/native connector. (remm) |
| </fix> |
| <fix> |
| Correct an NPE when listing the enabled ciphers (e.g. via the Manager |
| web application) for a TLS enabled APR/native connector. (markt) |
| </fix> |
| <add> |
| New configuration option <code>ajpFlush</code> for the AJP connectors |
| to disable the sending of AJP flush packets. (rjung) |
| </add> |
| <fix> |
| Handle the case in the NIO connector where the required TLS buffer sizes |
| increase after the connection has been initiated. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M2 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <scode> |
| Refactor creation of <code>MapperListener</code> to ensure that the |
| <code>Mapper</code> used is the <code>Mapper</code> associated with the |
| <code>Service</code> for which the listener was created. (markt) |
| </scode> |
| <add> |
| Move the functionality that provides redirects for context roots and |
| directories where a trailing <code>/</code> is added from the Mapper to |
| the <code>DefaultServlet</code>. This enables such requests to be |
| processed by any configured Valves and Filters before the redirect is |
| made. This behaviour is configurable via the |
| <code>mapperContextRootRedirectEnabled</code> and |
| <code>mapperDirectoryRedirectEnabled</code> attributes of the Context |
| which may be used to restore the previous behaviour. (markt) |
| </add> |
| <scode> |
| Refactor <code>Service.getContainer()</code> to return an |
| <code>Engine</code> rather than a <code>Container</code>. (markt) |
| </scode> |
| <fix> |
| <bug>34319</bug>: Only load those keys in <code>StoreBase.processExpire</code> |
| from JDBCStore that are old enough to be expired. Based on a patch |
| by Tom Anderson. (fschumacher) |
| </fix> |
| <add> |
| <bug>56917</bug>: As per RFC 7231 (HTTP/1.1), allow HTTP/1.1 and later |
| redirects to use relative URIs. This is controlled by a new attribute |
| <code>useRelativeRedirects</code> on the <strong>Context</strong> and |
| defaults to <code>true</code>. (markt) |
| </add> |
| <fix> |
| <bug>58629</bug>: Allow an embedded Tomcat instance to start when the |
| <code>Service</code> has no <code>Engine</code> configured. (markt) |
| </fix> |
| <fix> |
| Correctly notify the MapperListener associated with a Service if the |
| Engine for that Service is changed. (markt) |
| </fix> |
| <add> |
| Make a web application's CredentialHandler available through a context |
| attribute. This allows a web application to use the same algorithm |
| for validating or generating new stored credentials from cleartext |
| ones. (schultz) |
| </add> |
| <fix> |
| <bug>58635</bug>: Enable break points to be set within agent code when |
| running Tomcat with a Java agent. Based on a patch by Huxing Zhang. |
| (markt) |
| </fix> |
| <fix> |
| Fixed potential NPE in <code>HostConfig</code> while deploying an |
| application. Issue reported by coverity scan. (violetagg) |
| </fix> |
| <fix> |
| <bug>58655</bug>: Fix an <code>IllegalStateException</code> when |
| calling <code>HttpServletResponse.sendRedirect()</code> with the |
| <code>RemoteIpFilter</code>. This was caused by trying to correctly |
| generate the absolute URI for the redirect. With the fix for |
| <bug>56917</bug>, redirects may now be relative making the |
| <code>sendRedirect()</code> implementation for the |
| <code>RemoteIpFilter</code> much simpler. This also addresses issues |
| where the redirect may not have behaved as expected when redirecting |
| from http to https or from https to http. (markt) |
| </fix> |
| <fix> |
| <bug>58657</bug>: Exceptions in a Servlet 3.1 <code>ReadListener</code> |
| or <code>WriteListener</code> do not need to be immediately fatal to the |
| connection. Allow an error response to be written. (markt) |
| </fix> |
| <fix> |
| Correct implementation of |
| <code>validateClientProvidedNewSessionId</code> so client provided |
| session IDs may be rejected if validation is enabled. (markt) |
| </fix> |
| <fix> |
| <bug>58701</bug>: Reset the <code>instanceInitialized</code> field in |
| <code>StandardWrapper</code> when unloading a Servlet so that a new |
| instance may be correctly initialized. (markt) |
| </fix> |
| <update> |
| Add a new flag <code>aprPreferred</code> to the Apr listener. If set to |
| <code>false</code>, when using the connector defaults, it will use |
| NIO + OpenSSL if tomcat-native is available, rather than the APR |
| connector. (remm) |
| </update> |
| <fix> |
| Add path parameter handling to |
| <code>HttpServletRequest.getContextPath()</code>. This is a follow-up to |
| the fix for <bug>57215</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>58692</bug>: Make <code>StandardJarScanner</code> more robust. Log |
| a warning if a class path entry cannot be scanned rather than triggering |
| the failure of the web application. Includes a test case written by |
| Derek Abdine. (markt) |
| </fix> |
| <fix> |
| <bug>58702</bug>: Ensure an access log entry is generated if the client |
| aborts the connection. (markt) |
| </fix> |
| <fix> |
| Fixed various issues reported by Findbugs. (violetagg) |
| </fix> |
| <fix> |
| <bug>58735</bug>: Add support for the <code>X-XSS-Protection</code> |
| header to the <code>HttpHeaderSecurityFilter</code>. Patch provided by |
| Jacopo Cappellato. (markt) |
| </fix> |
| <fix> |
| Add the <code>StatusManagerServlet</code> to the list of Servlets that |
| can only be loaded by privileged applications. (markt) |
| </fix> |
| <fix> |
| Simplify code and fix messages in |
| <code>org.apache.catalina.core.DefaultInstanceManager</code> class. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>58751</bug>: Correctly handle the case where an |
| <code>AsyncListener</code> dispatches to a Servlet on an asynchronous |
| timeout and the Servlet uses <code>sendError()</code> to trigger an |
| error page. Includes a test case based on code provided by Andy |
| Wilkinson. (markt) |
| </fix> |
| <fix> |
| Ensure that the proper file encoding, if specified, is used when |
| a readme file is served by DefaultServlet. (violetagg) |
| </fix> |
| <fix> |
| Fix declaration of <code>localPort</code> attribute of Connector MBean: |
| it is read-only. (kkolinko) |
| </fix> |
| <fix> |
| <bug>58766</bug>: Make skipping non-class files during annotation |
| scanning faster by checking the file name first. Improve debug logging. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>58836</bug>: Correctly merge query string parameters when |
| processing a forwarded request where the target includes a query string |
| that contains a parameter with no value. (markt/kkolinko) |
| </fix> |
| <fix> |
| Make sure that shared Digester is reset in an unlikely error case |
| in <code>HostConfig.deployWAR()</code>. (kkolinko) |
| </fix> |
| <add> |
| Extend the feature available in the cluster session manager |
| implementations that enables session attribute replication to be |
| filtered based on attribute name to all session manager implementations. |
| Note that the configuration attribute name has changed from |
| <code>sessionAttributeFilter</code> to |
| <code>sessionAttributeNameFilter</code>. Apply the filter on load as |
| well as unload to ensure that configuration changes made while the web |
| application is stopped are applied to any persisted data. (markt) |
| </add> |
| <add> |
| Extend the session attribute filtering options to include filtering |
| based on the implementation class of the value and optional |
| <code>WARN</code> level logging if an attribute is filtered. These |
| options are available for all of the Manager implementations that ship |
| with Tomcat. When a <code>SecurityManager</code> is used filtering will |
| be enabled by default. (markt) |
| </add> |
| <scode> |
| Remove <code>distributable</code> and <code>maxInactiveInterval</code> |
| from the <code>Manager</code> interface because the attributes are never |
| used. The equivalent attributes from the <code>Context</code> always |
| take precedence. (markt) |
| </scode> |
| <fix> |
| <bug>58867</bug>: Improve checking on Host start for WAR files that have |
| been modified while Tomcat was stopped and re-expand them if |
| <code>unpackWARs</code> is <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58900</bug>: Correctly undeploy symlinked resources and prevent an |
| infinite cycle of deploy / undeploy. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>58621</bug>: The certificate chain cannot be set using the main |
| certificate attribute, so restore the certificate chain property. (remm) |
| </fix> |
| <fix> |
| Allow a new SSL config type where a connector can use either JSSE or |
| OpenSSL. Both could be allowed, but it would likely create support |
| issues. This type is used by the OpenSSL implementation for NIOx. (remm) |
| </fix> |
| <fix> |
| Improve upgrade context classloader handling by using Context.bind and |
| unbind. (remm) |
| </fix> |
| <add> |
| Improve OpenSSL keystore/truststore configuration by using the code |
| from the JSSE implementation. (remm, jfclere) |
| </add> |
| <fix> |
| Fix a potential loop when a client drops the connection unexpectedly. |
| (markt) |
| </fix> |
| <add> |
| OpenSSL renegotiation support for client certificate authentication. |
| (remm) |
| </add> |
| <fix> |
| Fix NIO connector renegotiation. (remm) |
| </fix> |
| <fix> |
| <bug>58659</bug>: Fix a potential deadlock during HTTP/2 processing when |
| the connection window size is limited. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57136#c25</bug>: Change default value of |
| <code>quoteAttributeEL</code> setting in Jasper to be <code>true</code> |
| for better compatibility with other implementations and older versions |
| of Tomcat. Add command line option <code>-no-quoteAttributeEL</code> in |
| JspC. (kkolinko) |
| </fix> |
| <fix> |
| Fix handling of missing messages in |
| <code>org.apache.el.util.MessageFactory</code>. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Enable an explicit configuration of local member in the static cluster |
| membership. (kfujino) |
| </fix> |
| <fix> |
| Fix potential integer overflow in <code>DeltaSession</code>. |
| Reported by coverity scan. (fschumacher) |
| </fix> |
| <fix> |
| To prevent the heartbeat thread and the background thread from running |
| <code>Channel.heartbeat</code> simultaneously, ensure that the heartbeat |
| thread does not start if <code>heartbeatBackgroundEnabled</code> of |
| <code>SimpleTcpCluster</code> is set to <code>true</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| <bug>55006</bug>: The WebSocket client now honors the |
| <code>java.net.ProxySelector</code> configuration (using the |
| HTTP type) when establishing WebSocket connections to servers. Based on |
| a patch by Niki Dokovski. (markt) |
| </add> |
| <fix> |
| <bug>58624</bug>: Correct a potential deadlock if the WebSocket |
| connection is closed when a message write is in progress. (markt) |
| </fix> |
| <fix> |
| <bug>57489</bug>: Ensure <code>onClose()</code> is called when a |
| WebSocket connection is closed even if the sending of the close message |
| fails. Includes test cases by Barry Coughlan. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| <bug>58631</bug>: Correct the continuation character use in the Windows |
| Service How-To page of the documentation web application. (markt) |
| </fix> |
| <fix> |
| Correct the SSL documentation for deprecated attributes to point to the |
| correct, new location for attributes related to individual certificates. |
| (markt) |
| </fix> |
| <fix> |
| Correct some typos in the JNDI resources How-To. (markt) |
| </fix> |
| <fix> |
| Don't create session unnecessarily in the Manager application. (markt) |
| </fix> |
| <fix> |
| Don't create session unnecessarily in the Host Manager application. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58723</bug>: Clarify documentation and error messages for the text |
| interface of the manager to make clear that version must be used with |
| path when referencing contexts deployed using parallel deployment. |
| (markt) |
| </fix> |
| <add> |
| Document <code>test.threads</code> option in BUILDING.txt. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that the static member is registered to the add suspect list even |
| if the static member that is registered to the remove suspect list has |
| disappeared. (kfujino) |
| </fix> |
| <fix> |
| When using a static cluster, add the members that have been cached in |
| the membership service to the map members list in order to ensure that |
| the map member is a static member. (kfujino) |
| </fix> |
| <fix> |
| Add support for the startup notification of local members in the static |
| cluster. (kfujino) |
| </fix> |
| <fix> |
| Ignore the unnecessary member remove operation from a different domain. |
| (kfujino) |
| </fix> |
| <fix> |
| Add support for the shutdown notification of local members in the static |
| cluster. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Correct evaluation of system property |
| <code>org.apache.tomcat.jdbc.pool.onlyAttemptCurrentClassLoader</code>. |
| It was basically ignored before. Reported by coverity scan. (fschumacher) |
| </fix> |
| <fix> |
| Fix potential integer overflow in <code>ConnectionPool</code> and |
| <code>PooledConnection</code>. Reported by coverity scan. (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update optional Checkstyle library to 6.14.1. (kkolinko) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.4 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2e and APR |
| 1.5.1. (markt) |
| </update> |
| <update> |
| Update the NSIS Installer used to build the Windows Installers to |
| version 2.50. (markt/kkolinko) |
| </update> |
| <update> |
| Update the internal fork of Commons BCEL to r1725718 to align with the |
| refactoring for BCEL 6, the next major BCEL release. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP 2 to r1725730 (2.1.1 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Pool 2 to r1725738 (2.4.2 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to r1725746 (1.9 plus |
| additional fixes). (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 9.0.0.M1 (markt)" rtext="2015-11-17"> |
| <subsection name="General"> |
| <changelog> |
| <add> |
| Make Java 8 the minimum required version to build and run Tomcat 9. |
| (markt) |
| </add> |
| <update> |
| Remove support for Comet. (markt) |
| </update> |
| <update> |
| Tighten up the default file permissions for the <code>.tar.gz</code> |
| distribution so no files or directories are world readable by default. |
| Configure Tomcat to run with a default umask of <code>0027</code> which |
| may be overridden by setting <code>UMASK</code> in |
| <code>setenv.sh</code>. (markt) |
| </update> |
| <update> |
| Remove native code (Windows Service Wrapper, APR/native connector) |
| support for Windows Itanium. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| The default HTTP cookie parser has been changed to |
| <code>org.apache.tomcat.util.http.Rfc6265CookieProcessor</code>. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| Remove support for the HTTP BIO and AJP BIO connectors. (markt) |
| </update> |
| <scode> |
| Refactor HTTP upgrade and AJP implementations to reduce duplication. |
| (markt) |
| </scode> |
| <add> |
| Add support for HPACK header encoding and decoding, contributed |
| by Stuart Douglas. (remm) |
| </add> |
| <add> |
| <bug>57108</bug>: Add support for Server Name Indication (SNI). There |
| have been significant changes to the SSL configuration in server.xml to |
| support this. (markt) |
| </add> |
| <add> |
| Add SSL engine for JSSE backed by OpenSSL. Includes ALPN support. |
| Based on code contributed by Numa de Montmollin and derived from code |
| developed by Twitter and Netty. (remm) |
| </add> |
| <fix> |
| RFC 7230 states that clients should ignore reason phrases in HTTP/1.1 |
| response messages. Since the reason phrase is optional, Tomcat no longer |
| sends it. As a result the system property |
| <code>org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER</code> is no |
| longer used and has been removed. (markt) |
| </fix> |
| <update> |
| The minimum required Tomcat Native version has been increased to 1.2.2. |
| The 1.2.x branch includes ALPN and SNI support which are required for |
| HTTP/2. (markt) |
| </update> |
| <add> |
| Add support for HTTP/2 including server push. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Clarify the handling of Copy message and Copy nodes. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Support the use of the <code>threads</code> attribute on Ant's |
| junit task. Note that using this with a value greater than one will |
| disable Cobertura code coverage. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| </body> |
| </document> |