| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <!DOCTYPE document [ |
| <!ENTITY project SYSTEM "project.xml"> |
| ]> |
| <?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?> |
| <document url="changelog.html"> |
| |
| &project; |
| |
| <properties> |
| <title>Changelog</title> |
| <no-comments /> |
| </properties> |
| |
| <body> |
| <!-- |
| Subsection ordering: |
| General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications, |
| Extras, Tribes, jdbc-pool, Other |
| |
| Item Ordering: |
| |
| Fixes having an issue number are sorted by their number, ascending. |
| |
| There is no ordering by add/update/fix/scode. |
| |
| Other fixed issues are added to the end of the list, chronologically. |
| They eventually become mixed with the numbered issues (i.e., numbered |
| issues do not "pop up" wrt. others). |
| --> |
| <section name="Tomcat 8.5.50 (markt)"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Improvements to CsrfPreventionFilter: additional logging, allow the |
| CSRF nonce request parameter name to be customized. |
| (schultz) |
| </add> |
| <add> |
| <bug>63681</bug>: Introduce RealmBase#authenticate(GSSName, GSSCredential) |
| and friends. (michaelo) |
| </add> |
| <fix> |
| <bug>63964</bug>: Correct a regression in the static resource caching |
| changes introduced in 9.0.28. URLs constructed from URLs obtained from |
| the cache could not be used to access resources. (markt) |
| </fix> |
| <fix> |
| <bug>63968</bug>: Fix <code>ClassCastException</code> in the |
| <code>Expires</code> filter which was a regression in the fix for |
| <bug>63909</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>63970</bug>: Correct a regression in the static resource caching |
| changes introduced in 9.0.28. Connections to URLs obtained for JAR |
| resources could not be cast to <code>JarURLConnection</code>. (markt) |
| </fix> |
| <add> |
| <bug>63937</bug>: Add a new attribute to the standard |
| <code>Authenticator</code> implementations, |
| <code>allowCorsPreflight</code>, that allows the |
| <code>Authenticator</code>s to be configured to allow CORS preflight |
| requests to bypass authentication as required by the CORS specification. |
| (markt) |
| </add> |
| <fix> |
| <bug>63939</bug>: Correct the same origin check in the CORS filter. An |
| origin with an explicit default port is now considered to be the same as |
| an origin without a deafult port and origins are now compared in a |
| case-sensitive manner as required by the CORS specification. (markt) |
| </fix> |
| <fix> |
| <bug>63982</bug>: CombinedRealm makes assumptions about principal implementation |
| (michaelo) |
| </fix> |
| <fix> |
| <bug>63983</bug>: Correct a regression in the static resource caching |
| changes introduced in 9.0.28. A large number of file descriptors were |
| opened that could reach the OS limit before being released by GC. |
| (markt) |
| </fix> |
| <update> |
| <bug>63987</bug>: Deprecate <code>Realm.getRoles(Principal)</code>. (michaelo) |
| </update> |
| <scode> |
| Add a unit test for the session <code>FileStore</code> implementation |
| and refactor loops in <code>FileStore</code> to use the ForEach style. |
| Pull request provided by Govinda Sakhare. (markt) |
| </scode> |
| <fix> |
| Refactor FORM authentication to reduce duplicate code and to ensure that |
| the authenticated Principal is not cached in the session when caching is |
| disabled. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Refactor the APR poller to always use a single pollset now that the |
| Windows operating systems that required multiple smaller pollsets to be |
| used are no longer supported. (markt) |
| </scode> |
| <update> |
| Add vectoring for NIO in the base and SSL channels. (remm) |
| </update> |
| <add> |
| Add async API to the NIO and APR connector. (remm) |
| </add> |
| <fix> |
| <bug>63931</bug>: Improve timeout handling for asyncIO to ensure that |
| blocking operations see a <code>SocketTimeoutException</code> if one |
| occurs. (remm/markt) |
| </fix> |
| <fix> |
| <bug>63932</bug>: By default, do not compress content that has a strong |
| ETag. This behaviour is configuration for the HTTP/1.1 and HTTP/2 |
| connectors via the new Connector attribute |
| <code>noCompressionStrongETag</code>. (markt) |
| </fix> |
| <fix> |
| Simplify regular endpoint writes by removing write(Non)BlockingDirect. |
| All regular writes will now be buffered for a more predictable |
| behavior. (remm) |
| </fix> |
| <fix> |
| Send an exception directly to the completion handler when a timeout |
| exception occurs for the operation, and add a boolean to make sure the |
| completion handler is called only once. (remm/markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Ensure a couple of very unlikely concurrency issues are avoided when |
| writing WebSocket messages. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Fix the broken re-try link on the error page for the FORM authentication |
| example in the JSP section of the examples web application. (markt) |
| </fix> |
| <fix> |
| Correct the documentation for the <code>maxConnections</code> attribute |
| of the <code>Connector</code> in the documentation web application. |
| (markt) |
| </fix> |
| <add> |
| Add the ability to set and display session attributes in the JSP FORM |
| authentication example to demonstrate session persistence across |
| restarts for authenticated sessions. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct the fix for <bug>63815</bug> (quoting the use of |
| <code>CATALINA_OPTS</code> and <code>JAVA_OPTS</code> when used in shell |
| scripts to avoid the expansion of <code>*</code>) as it caused various |
| regressions, particularly with <code>daemon.sh</code>. (markt) |
| </fix> |
| <add> |
| Expand the search made by the Windows installer for a suitable Java |
| installation to include the 64-bit JDK registry entries and the |
| <code>JAVA_HOME</code> environment variable. Pull request provided by |
| Alexander Norz. (markt) |
| </add> |
| <add> |
| Expand the coverage of the German translations provided with Apache |
| Tomcat. Contribution provided by Jens. (markt) |
| </add> |
| <add> |
| Expand the coverage of the French translations provided with Apache |
| Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage of the Japanese translations provided with Apache |
| Tomcat. (markt) |
| </add> |
| <add> |
| Expand the coverage of the Korean translations provided with Apache |
| Tomcat. (woonsan) |
| </add> |
| <add> |
| Expand the coverage of the Chinese translations provided with Apache |
| Tomcat. Contributions provided by lins and 磊. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons BCEL to ff6941e (2019-12-06, |
| 6.4.2-dev). Code clean-up only. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons Codec to 9637dd4 (2019-12-06, |
| 1.14-SNAPSHOT). Code clean-up and a fix for CODEC-265. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons FileUpload to 2317552 |
| (2019-12-06, 2.0-SNAPSHOT). Refactoring. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons Pool 2 to 6092f92 (2019-12-06, |
| 2.8.0-SNAPSHOT). Clean-up and minor refactoring. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons DBCP 2 to a36390 (2019-12-06, |
| 2.7.1-SNAPSHOT). Minor refactoring. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.49 (markt)" rtext="2019-11-21"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct a regression introduced in 8.5.48 that could trigger a |
| <code>NullPointerException</code> when using a |
| <code>RequestDispatcher</code>. (markt) |
| </fix> |
| <add> |
| Improvement to CsrfPreventionFilter: expose the latest available nonce |
| as a request attribute; expose the expected nonce request parameter |
| name as a context attribute. |
| (schultz) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.48 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>63832</bug>: Properly mark container as FAILED when a JVM error |
| occurs on stop. (remm) |
| </fix> |
| <fix> |
| <bug>63836</bug>: Ensure that references to the Host object are cleared |
| once the Host instance is destroyed. (markt) |
| </fix> |
| <fix> |
| <bug>63872</bug>: Fix some edge cases where the docBase was not being |
| set using a canonical path which in turn meant resource URLs were not |
| being constructed as expected. (markt) |
| </fix> |
| <fix> |
| Make a best effort attempt to clean-up if a request fails during |
| processing due to an <code>OutOfMemoryException</code>. (markt) |
| </fix> |
| <fix> |
| Ensure that, when static resource caching is enabled for a web |
| application, all access to static files (including JSP files) goes via |
| the cache so that a consistent view of the static files is seen. Prior |
| to this change it was possible to see an updated last modified time but |
| the content would be that prior to the modification. (markt) |
| </fix> |
| <update> |
| <bug>63905</bug> Clean up Tomcat CSS. (michaelo) |
| </update> |
| <fix> |
| <bug>63909</bug>: When the <code>ExpiresFilter</code> is used without a |
| default and the response is served by the Default Servlet, ensure that |
| the filter processes the response if the Default Servlet sets a 304 (Not |
| Found) status code. (markt) |
| </fix> |
| <fix> |
| Update the Servlet 4 preview API to reflect changes made to the API in |
| the final release. Note that this preview API has been deprecated for over a |
| year and may be removed as soon as the next 8.5.x release. (markt) |
| </fix> |
| <fix> |
| Refactor JMX remote RMI registry creation. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that <code>ServletRequest.isAsyncStarted()</code> returns |
| <code>false</code> once <code>AsyncContext.complete()</code> or |
| <code>AsyncContext.dispatch()</code> has been called during |
| <code>AsyncListener.onTimeout()</code> or |
| <code>AsyncListener.onError()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63816</bug> and <bug>63817</bug>: Correctly handle I/O errors after |
| asynchronous processing has been started but before the container thread |
| that started asynchronous processing has completed processing the |
| current request/response. (markt) |
| </fix> |
| <fix> |
| <bug>63825</bug>: When processing the <code>Expect</code> and |
| <code>Connection</code> HTTP headers looking for a specific token, be |
| stricter in ensuring that the exact token is present. (markt) |
| </fix> |
| <fix> |
| <bug>63829</bug>: Improve the check of the <code>Content-Encoding</code> |
| header when looking to see if Tomcat is serving pre-compressed content. |
| Ensure that only a full token is matched and that the match is case |
| insensitive. (markt) |
| </fix> |
| <add> |
| <bug>63835</bug>: Add support for Keep-Alive response header. (michaelo) |
| </add> |
| <fix> |
| <bug>63864</bug>: Refactor parsing of the <code>transfer-encoding</code> |
| request header to use the shared parsing code and reduce duplication. |
| (markt) |
| </fix> |
| <fix> |
| <bug>63865</bug>: Add <code>Unset</code> option to same-site cookies |
| and pass through <code>None</code> value if set by user. Patch provided |
| by John Kelly. (markt) |
| </fix> |
| <fix> |
| <bug>63894</bug>: Ensure that the configured values for |
| <code>certificateVerification</code> and |
| <code>certificateVerificationDepth</code> are correctly passed to the |
| OpenSSL based SSLEngine implementation. (remm/markt) |
| </fix> |
| <fix> |
| Do not perform a blocking read after a <code>CPING</code> message is |
| received by the AJP connector because, if the JK Connector is configured |
| with <code>ping_mode="I"</code>, the <code>CPING</code> |
| message will not always be followed by the start of a request. (markt) |
| </fix> |
| <fix> |
| Properly calculate all dynamic parts of the ErrorReportValve response |
| on the fly in |
| <code>org.apache.coyote.http2.TestHttp2InitialConnection</code>. |
| (michaelo) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>63897</bug>: Capture the timestamp of a JSP for the purposes of |
| modification tracking before the JSP is compiled to prevent a race |
| condition if the JSP is modified during compilation. Patch provided by |
| Karl von Randow. (markt) |
| </fix> |
| <fix> |
| Fix a race condition that could mean changes to a modified JSP were not |
| visible to end users. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>63913</bug>: Wrap any <code>NullPointerException</code>s throw by |
| the <code>Inflater</code> or <code>Deflater</code> used by the |
| <code>PerMessageDeflate</code> extension in an <code>IOException</code> |
| so that the error can be caught and handled by the WebSocket error |
| handling mechanism. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the description of the default value for the server attribute in |
| the security How-To. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>63815</bug>: Quote the use of <code>CATALINA_OPTS</code> and |
| <code>JAVA_OPTS</code> when used in shell scripts to avoid the expansion |
| of <code>*</code>. Note that any newlines present in |
| <code>CATALINA_OPTS</code> and/or <code>JAVA_OPTS</code> will no longer |
| removed. (markt) |
| </fix> |
| <fix> |
| <bug>63826</bug>: Remove <code>commons-daemon-native.tar.gz</code> and |
| <code>tomcat-native.tar.gz</code> from the binary zip distributions for |
| Windows since compiled versions of those components are already |
| included within the zip distributions. (markt) |
| </fix> |
| <fix> |
| <bug>63838</bug>: Suppress reflexive access warnings when running the |
| unit tests on the command line. (markt) |
| </fix> |
| <fix> |
| Add missing charsets from the HPE JVM on HP-UX to pass unit tests in |
| <code>org.apache.tomcat.util.buf.TestCharsetCache</code>. (michaelo) |
| </fix> |
| <add> |
| Expand the coverage and quality of the French translations provided |
| with Apache Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage and quality of the Korean translations provided |
| with Apache Tomcat. (woonsan) |
| </add> |
| <add> |
| Expand the coverage and quality of the Simplified Chinese translations |
| provided with Apache Tomcat. Contributions provided by rpo130, Mason |
| Shen, leeyazhou, winsonzhao, qingshi huang, Lay, Shucheng Hou and |
| Yanming Zhou. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.47 (markt)" rtext="2019-10-11"> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Use URL safe base 64 encoding rather than standard base 64 encoding when |
| generating or parsing the <code>HTTP2-Settings</code> header as part of |
| an HTTP upgrade to <code>h2c</code> as required by RFC 7540. (markt) |
| </fix> |
| <fix> |
| <bug>63765</bug>: NIO2 should try to unwrap after TLS handshake to |
| avoid edge cases. (remm) |
| </fix> |
| <fix> |
| <bug>63766</bug>: Ensure Processor objects are recycled when processing |
| an HTTP upgrade connection that terminates before processing switches to |
| the Processor for the upgraded protocol. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>63781</bug>: When performing various checks related to the |
| visibility of classes, fields and methods in the EL implementation, also |
| check that the containing module has been exported. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Socket"> |
| <changelog> |
| <fix> |
| <bug>63753</bug>: Ensure that the <code>Host</code> header in a Web |
| Socket HTTP upgrade request only contains a port if a non-default port |
| is being used. (markt) |
| </fix> |
| <fix> |
| When running on Java 9 and above, don't attempt to instantiate WebSocket |
| Endpoints found in modules that are not exported. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <docs> |
| Add Javadoc for the Common Annotations API implementation. (markt) |
| </docs> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| When connections are validated without an explicit validation query, |
| ensure that any transactions opened by the validation process are |
| committed. Patch provided by Pascal Davoust. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <scode> |
| Deprecate <code>org.apache.tomcat.util.compat.TLS</code>. |
| Its functionality was only used for unit tests in |
| <code>org.apache.tomcat.util.net.TesterSupport</code> |
| and has been moved there. (rjung) |
| </scode> |
| <fix> |
| <bug>63759</bug>: When installing Tomcat with the Windows installer, |
| grant sufficient privileges to enable the uninstaller to execute when |
| user account control is active. (markt) |
| </fix> |
| <add> |
| Use a build property to define the minimum supported Java version and |
| use that build property to reduce the number of edits required to update |
| the minimum supported Java version. (markt) |
| </add> |
| <update> |
| <bug>63767</bug>: Update to Commons Daemon 1.2.2. This corrects a |
| regression in Commons Daemon 1.2.0 and 1.2.1 that caused the Windows |
| Service to crash on start when running on an operating system that had |
| not been fully updated. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.46 (markt)" rtext="2019-09-19"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>63684</bug>: <code>Wrapper</code> never passed to |
| <code>RealmBase.hasRole()</code> for given security constraints. |
| (michaelo) |
| </fix> |
| <fix> |
| Avoid a potential <code>NullPointerException</code> on Service stop if a |
| Service is embedded directly (i.e. with no Server) in an application |
| and JNDI is enabled. Patch provided by S. Ali Tokmen. (markt) |
| </fix> |
| <add> |
| Add a new <code>PropertySource</code> implementation, |
| <code>EnvironmentPropertySource</code>, that can be used to do property |
| replacement in configuration files with environment variables. Based on |
| a pull request provided by Thomas Meyer. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>63682</bug>: Fix a potential hang when using the asynchronous |
| Servlet API to write the response body and the stream and/or connection |
| window reaches 0 bytes in size. (markt) |
| </fix> |
| <fix> |
| <bug>63690</bug>: Use the average of the current and previous sizes when |
| calculating overhead for HTTP/2 <code>DATA</code> and |
| <code>WINDOW_UPDATE</code> frames to avoid false positives as a result |
| of client side buffering behaviour that causes a small percentage of |
| non-final DATA frames to be smaller than expected. (markt) |
| </fix> |
| <fix> |
| <bug>63706</bug>: Avoid NPE accessing https port with plaintext. (remm) |
| </fix> |
| <fix> |
| Correct typos in the names of the configuration attributes |
| <code>overheadDataThreshold</code> and |
| <code>overheadWindowUpdateThreshold</code>. (markt) |
| </fix> |
| <fix> |
| If the HTTP/2 connection requires an initial window size larger than the |
| default, send a WINDOW_UPDATE to increase the flow control window for the |
| connection so that the initial size of the flow control window for the |
| connection is consistent with the increased value. (markt) |
| </fix> |
| <fix> |
| <bug>63710</bug>: When using HTTP/2, ensure that a |
| <code>content-length</code> header is not set for those responses with |
| status codes that do not permit one. (markt) |
| </fix> |
| <fix> |
| <bug>63737</bug>: Correct various issues when parsing the |
| <code>accept-encoding</code> header to determine if gzip encoding is |
| supported including only parsing the first header found. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the source code links on the index page for the ROOT web |
| application to point to Git rather than Subversion. (markt) |
| </fix> |
| <fix> |
| Fix various issues with the Javadoc generated for the documentation web |
| application to enable release builds to be built with Java 10 onwards. |
| (markt) |
| </fix> |
| <fix> |
| Fix a large number of Javadoc and documentation typos. Patch provided by |
| KangZhiDong. (markt) |
| </fix> |
| <fix> |
| Spelling and formatting corrections for the cluster how-to. Pull request |
| provided by Bill Mitchell. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Back-port various corrections and improvements to the English versions |
| of the i18n messages. (markt) |
| </fix> |
| <add> |
| Include the available German translations in the standard Tomcat |
| distribution. Back-port additions and updates to the German i18n |
| messages. (markt) |
| </add> |
| <fix> |
| Back-port various corrections and improvements to the Spanish i18n |
| messages. (markt) |
| </fix> |
| <fix> |
| Back-port various corrections and improvements to the French i18n |
| messages. (markt) |
| </fix> |
| <fix> |
| Back-port various corrections and improvements to the Japanese i18n |
| messages. (markt) |
| </fix> |
| <fix> |
| Back-port various corrections and improvements to the Russian i18n |
| messages. (markt) |
| </fix> |
| <add> |
| Add Korean translations to the standard Tomcat distribution. (markt) |
| </add> |
| <add> |
| Add Simplified Chinese translations to the standard Tomcat distribution. |
| (markt) |
| </add> |
| <fix> |
| <bug>62140</bug>: Additional usage documentation in comments for |
| <code>catalina.[bat|sh]</code>. (markt) |
| </fix> |
| <fix> |
| Fix <code>JSSE_OPTS</code> quoting in <code>catalina.bat</code>. |
| Contributed by Peter Uhnak. (fschumacher) |
| </fix> |
| <update> |
| <bug>63625</bug>: Update to Commons Daemon 1.2.1. This corrects several |
| regressions in Commons Daemon 1.2.1, most notably the Windows Service |
| crashing on start when using 32-bit JVMs. (markt) |
| </update> |
| <fix> |
| <bug>63689</bug>: Correct a regression in the fix for <bug>63285</bug> |
| that meant that when installing a service, the service display name was |
| not set. (markt) |
| </fix> |
| <fix> |
| When performing a silent install with the Windows Installer, ensure that |
| the registry entries are added to the 64-bit registry when using a |
| 64-bit JVM. (markt) |
| </fix> |
| <fix> |
| Remove unused i18n messages and associated translations. Patch provided |
| by KangZhiDong. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.45 (markt)" rtext="2019-08-21"> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Remove the code in the sendfile poller that ensured smaller pollsets |
| were used with older, no longer supported versions of Windows that |
| could not support larger pollsets. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.44 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>62258</bug>: Don't trigger the standard error page mechanism when |
| the error has caused the connection to the client to be closed as no-one |
| will ever see the error page. (markt) |
| </add> |
| <add> |
| <bug>62496</bug>: Add option to write auth information (remote user/auth type) |
| to response headers. (michaelo) |
| </add> |
| <add> |
| <bug>51497</bug>: Add an option, <code>ipv6Canonical</code>, to the |
| <code>AccessLogValve</code> that causes IPv6 addresses to be output in |
| canonical form defined by RFC 5952. (ognjen/markt) |
| </add> |
| <add> |
| <bug>57665</bug>: Add support for the <code>X-Forwarded-Host</code> |
| header to the <code>RemoteIpFilter</code> and <code>RemoteIpValve</code>. |
| (markt) |
| </add> |
| <fix> |
| <bug>63550</bug>: Only try the <code>alternateURL</code> in the |
| <code>JNDIRealm</code> if one has been specified. (markt) |
| </fix> |
| <add> |
| <bug>63556</bug>: Mark request as forwarded in RemoteIpValve and |
| RemoteIpFilter (michaelo) |
| </add> |
| <fix> |
| <bug>63579</bug>: Correct parsing of malformed OPTIONS requests and |
| reject them with a 400 response rather than triggering an internal error |
| that results in a 500 response. (markt) |
| </fix> |
| <fix> |
| <bug>63608</bug>: Align the implementation of the negative match feature |
| for patterns used with the <code>RewriteValve</code> with the |
| description in the documentation. (markt) |
| </fix> |
| <update> |
| <bug>63627</bug>: Implement more fine-grained handling in |
| <code>RealmBase.authenticate(GSSContext, boolean)</code>. (michaelo) |
| </update> |
| <fix> |
| If an unhandled exception occurs on a asynchronous thread started via |
| <code>AsyncContext.start(Runnable)</code>, process it using the standard |
| error page mechanism. (markt) |
| </fix> |
| <fix> |
| Discard large byte buffers allocated using setBufferSize when recycling |
| the request. (remm) |
| </fix> |
| <fix> |
| Correct version information in <code>X-Powered-By</code> header. (markt) |
| </fix> |
| <fix> |
| Avoid a <code>NullPointerException</code> in the |
| <code>CrawlerSessionManagerValve</code> if no ROOT Context is deployed |
| and a request does not map to any of the other deployed Contexts. Patch |
| provided by Jop Zinkweg. (markt) |
| </fix> |
| <fix> |
| <bug>63636</bug>: <code>Context.findRoleMapping()</code> never called |
| in <code>StandardWrapper.findSecurityReference()</code>. (michaelo) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>63524</bug>: Improve the handling of PEM file based keys and |
| certificates that do not include a full certificate chain when |
| configuring the internal, in-memory key store. Improve the handling of |
| PKCS#1 formatted private keys when configuring the internal, in-memory |
| key store. (markt) |
| </fix> |
| <fix> |
| <bug>63568</bug>: Avoid error when trying to set tcpNoDelay on socket |
| types that do not support it, which can occur when using the NIO |
| inherited channel capability. Submitted by František Kučera. (remm) |
| </fix> |
| <fix> |
| Correct parsing of invalid host names that contain bytes in the range |
| 128 to 255 and reject them with a 400 response rather than triggering an |
| internal error that results in a 500 response. (markt) |
| </fix> |
| <fix> |
| <bug>63571</bug>: Allow users to configure infinite TLS session caches |
| and/or timeouts. (markt) |
| </fix> |
| <fix> |
| <bug>63578</bug>: Improve handling of invalid requests so that 400 |
| responses are returned to the client rather than 500 responses. (markt) |
| </fix> |
| <fix> |
| Fix h2spec test suite failure. It is an error if a Huffman encoded |
| string literal contains the EOS symbol. (jfclere) |
| </fix> |
| <add> |
| Connections that fail the TLS handshake will now appear in the access |
| logs with a 400 status code. (markt) |
| </add> |
| <fix> |
| Timeouts for HTTP/2 connections were not always correctly handled |
| leaving some connections open for longer than expected. (markt) |
| </fix> |
| <add> |
| Expand the HTTP/2 excessive overhead protection to cover various forms |
| of abusive client behaviour and close the connection if any such |
| behaviour is detected. (markt) |
| </add> |
| <fix> |
| Fix a crash on shutdown with the APR/native connector when a blocking |
| I/O operation was still in progress when the connector stopped. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>63597</bug>: Update the custom 404 error page for the Host Manager |
| to take account of previous refactoring so that the page is used for |
| 404 errors rather than falling back to the default error page. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>55969</bug>: Tighten up the security of the Apache Tomcat |
| installation created by the Windows installer. Change the default |
| shutdown port used by the Windows installer from <code>8005</code> to |
| <code>-1</code> (disabled). Limit access to the chosen installation |
| directory to local administrators, Local System and Local Service. |
| (markt) |
| </fix> |
| <update> |
| <bug>62696</bug>: The digital signature for the Windows installer now |
| uses SHA-256 for hashes. (markt) |
| </update> |
| <fix> |
| <bug>63285</bug>: Modify <code>service.bat</code> so that when |
| installing a Windows service, by default, it changes the name of the |
| executables used by the Windows service to match the service name. This |
| makes the installation behaviour consistent with the Windows installer. |
| The original executable names will be restored when the Windows service |
| is removed. The renaming can be disabled by using the new |
| <code>--no-rename</code> option after the service name. (markt) |
| </fix> |
| <update> |
| Switch from Checkstyle to the JRE6 backport and update to version 8.22. |
| This allows Tomcat 8.5 to use the newer Checkstyle releases while still |
| building with Java 7. (markt) |
| </update> |
| <add> |
| <bug>63285</bug>: Add an option to <code>service.bat</code> so that when |
| installing a Windows service, the name of the executables used by the |
| Windows service may be changed to match the service name. This makes the |
| installation behaviour consistent with the Windows installer. The |
| original executable names will be restored when the Windows service is |
| removed. The renaming can be enabled by using the new |
| <code>--rename</code> option after the service name. (markt) |
| </add> |
| <update> |
| <bug>63310</bug>: Update to Commons Daemon 1.2.0. This provides improved |
| support for Java 11. This also changes the user configured by the |
| Windows installer for the Windows service from <code>Local System</code> |
| to the lower privileged <code>Local Service</code>. (markt) |
| </update> |
| <fix> |
| <bug>63567</bug>: Restore the passing of <code>$LOGGING_MANAGER</code> |
| to the jvm in <code>catalina.sh</code> when calling <code>stop</code>. |
| (markt) |
| </fix> |
| <update> |
| Update the internal fork of Commons Codec to 3ebef4a (2018-08-01) to |
| pick up the fix for CODEC-134. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Pool2 to 796e32d (2018-08-01) to |
| pick up the changes Commons Pool2 2.7.0. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP2 to 87d9e3a (2018-08-01) to |
| pick up the changes Commons DBCP2 2.7.0 and DBCP-555. (markt) |
| </update> |
| <update> |
| <bug>63648</bug>: Update the test TLS keys and certificates used in the |
| test suite to replace the keys and certificates that are about to |
| expire. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.43 (markt)" rtext="2019-07-09"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| Modify the Default and WebDAV Servlets so that a 405 status code is |
| returned for <code>PUT</code> and <code>DELETE</code> requests when |
| disabled via the <code>readonly</code> initialisation parameter. |
| </update> |
| <fix> |
| Align the contents of the <code>Allow</code> header with the response |
| code for the Default and WebDAV Servlets. For any given resource a |
| method that returns a 405 status code will not be listed in the |
| <code>Allow</code> header and a method listed in the <code>Allow</code> |
| header will not return a 405 status code. (markt) |
| </fix> |
| <fix> |
| When using WebDAV to copy a file resource to a destination that requires |
| a collection to be overwritten, ensure that the operation succeeds |
| rather than fails (with a 500 response). This enables Tomcat to pass two |
| additional tests from the Litmus WebDAV test suite. (markt) |
| </fix> |
| <fix> |
| <bug>49464</bug>: Improve the Default Servlet's handling of static files |
| when the file encoding is not compatible with the required response |
| encoding. (markt) |
| </fix> |
| <fix>Fix typo in UTF-32LE charset name. Patch by zhanhb vi Github. |
| (fschumacher) |
| </fix> |
| <add> |
| <bug>58590</bug>: Add the ability for a UserDatabase to monitor the |
| backing XML file for changes and reload the source file if a change in |
| the last modified time is detected. This is enabled by default meaning |
| that changes to <code>$CATALINA_BASE/conf/tomcat-users.xml</code> will |
| now take effect a short time after the file is saved. (markt) |
| </add> |
| <fix> |
| Improve parsing of Range request headers. (markt) |
| </fix> |
| <fix> |
| Range headers that specify a range unit Tomcat does not recognise should |
| be ignored rather than triggering a 416 response. Based on a pull |
| request by zhanhb. (markt) |
| </fix> |
| <fix> |
| When comparing a date from a <code>If-Range</code> header, an exact |
| match is required. Based on a pull request by zhanhb. (markt) |
| </fix> |
| <fix> |
| Add an option to the default servlet to disable processing of PUT |
| requests with Content-Range headers as partial PUTs. The default |
| behaviour (processing as partial PUT) is unchanged. Based on a pull |
| request by zhanhb. (markt) |
| </fix> |
| <fix> |
| Improve parsing of Content-Range headers. (markt) |
| </fix> |
| <fix> |
| Ensure that the HEAD response is consistent with the GET response when |
| <code>HttpServlet</code> is relied upon to generate the HEAD response |
| and the GET response uses chunking. (markt) |
| </fix> |
| <update> |
| Update the recommended minimum Tomcat Native version to 1.2.23. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Avoid a potential hang when a client connects using TLS 1.0 to a Tomcat |
| HTTPS connector configured to use NIO or NIO with OpenSSL 1.1.1 or |
| later. (markt) |
| </fix> |
| <fix> |
| Once a URI is identified as invalid don't attempt to process it further. |
| Based on a PR by Alex Repert. (markt) |
| </fix> |
| <fix> |
| Fix to avoid the possibility of long poll times for individual pollers |
| when using multiple pollers with APR. (markt) |
| </fix> |
| <fix> |
| Refactor the fix for <bug>63205</bug> so it only applies when using |
| PKCS12 keystores as regressions have been reported with some other |
| keystore types. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Include file names in error messages if SMAP processor is unable to |
| delete or rename a class file during SMAP generation. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>63521</bug>: As required by the WebSocket specification, if a POJO |
| that is deployed as a result of the SCI scan for annotated POJOs is |
| subsequently deployed via the programmatic API ignore the programmatic |
| deployment. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <scode> |
| Switch i18n message files to use UTF-8 and convert to ASCII at build |
| time. (markt) |
| </scode> |
| <fix> |
| <bug>63523</bug>: Restore SSLUtilBase methods as protected to preserve |
| compatibility. (remm) |
| </fix> |
| <fix> |
| Switch the check for terminal availability to test for stdin as using |
| stdout does not work when output is piped to another process. Patch |
| provided by Radosław Józwik. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.42 (markt)" rtext="2019-06-07"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>57287</bug>: Add file sorting to DefaultServlet (schultz) |
| </add> |
| <fix> |
| Ensure that the default servlet reads the entire global XSLT file if |
| one is defined. Identified by Coverity Scan. (markt) |
| </fix> |
| <fix> |
| Avoid potential <code>NullPointerException</code> when generating an |
| HTTP <code>Allow</code> header. Identified by Coverity Scan. (markt) |
| </fix> |
| <add> |
| Remove any fragment included in the target path used to obtain a |
| <code>RequestDispatcher</code>. The requested target path is logged as a |
| warning since this is an application error. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| Add additional NIO2 style read and write methods closer to core NIO2, |
| for possible use with an asynchronous workflow like CompletableFuture. |
| (remm) |
| </update> |
| <fix> |
| Avoid useless exception wrapping in async IO. (remm) |
| </fix> |
| <fix> |
| <bug>63412</bug>: Security manager failure when using the async IO |
| API from a webapp. (remm) |
| </fix> |
| <fix> |
| Fix concurrency issue that lead to incorrect HTTP/2 connection timeout. |
| (remm/markt) |
| </fix> |
| <update> |
| Reduce the default for <code>maxConcurrentStreams</code> on the |
| <code>Http2Protocol</code> from 200 to 100 to align with typical |
| defaults for HTTP/2 implementations. (markt) |
| </update> |
| <update> |
| Reduce the default HTTP/2 header list size from 4GB to 32kB to align |
| with typical HTTP/2 implementations. (markt) |
| </update> |
| <add> |
| Add support for same-site cookie attribute. Patch provided by John |
| Kelly. (markt) |
| </add> |
| <fix> |
| Correct a bug in the stream flushing code that could lead to multiple |
| threads processing the stream concurrently which in turn could cause |
| errors processing the stream. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>62841</bug>: Refactor the <code>DeltaRequest</code> serialization |
| to reduce the window during which the <code>DeltaSession</code> is |
| locked and to remove a potential cause of deadlocks during |
| serialization. (markt) |
| </fix> |
| <fix> |
| <bug>63441</bug>: Further streamline the processing of session creation |
| messages in the <code>DeltaManager</code> to reduce the possibility of a |
| session update message being processed before the session has been |
| created. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Treat <code>NoRouteToHostException</code> the same way as |
| <code>SocketTimeoutException</code> when checking the health of group |
| members. This avoids a SEVERE log message every time the check is |
| performed when the host associated with a group member is not powered |
| on. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Switch from FindBugs to SpotBugs. (fschumacher) |
| </update> |
| <fix> |
| <bug>63403</bug>: Fix TestHttp2InitialConnection test failures when |
| running with a non-English locale. (kkolinko) |
| </fix> |
| <fix> |
| Use the <code>test</code> command to check for terminal availability |
| rather than the <code>tty</code> command since the <code>tty</code> |
| based test fails on non-English locales. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.41 (markt)" rtext="2019-05-13"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Fix a potential resource leak when executing CGI scripts from a WAR |
| file. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential concurrency issue in the StringCache identified by |
| Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential concurrency issue in the main Sendfile thread of the APR |
| connector. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak when running a web application from a WAR |
| file. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak on some exception paths in the |
| <code>DataSourceRealm</code>. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak on an exception path when parsing JSP |
| files. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak when a JNDI lookup returns an object of an |
| in compatible class. Identified by Coverity scan. (markt) |
| </fix> |
| <scode> |
| Refactor <code>ManagerServlet</code> to avoid loading classes when |
| filtering JNDI resources for resources of a specified type. (markt) |
| </scode> |
| <fix> |
| Avoid <code>OutOfMemoryError</code>s and |
| <code>ArrayIndexOutOfBoundsException</code>s when accessing large files |
| via the default servlet when resource caching has been disabled. (markt) |
| </fix> |
| <fix> |
| Avoid a <code>NullPointerException</code> when a <code>Context</code> is |
| defined in <code>server.xml</code> with a <code>docBase</code> but not |
| the optional <code>path</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63324</bug>: Refactor the <code>CrawlerSessionManagerValve</code> |
| so that the object placed in the session is compatible with session |
| serialization with mem-cached. Patch provided by Martin Lemanski. |
| (markt) |
| </fix> |
| <fix> |
| <bug>63333</bug>: Override the <code>isAvailable()</code> method in the |
| <code>JAASRealm</code> so that only login failures caused by invalid |
| credentials trigger account lock out when the <code>LockOutRealm</code> |
| is in use. Patch provided by jchobantonov. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When running on newer JREs that don't support SSLv2Hello, don't warn |
| that it is not available unless explicitly configured. (markt) |
| </fix> |
| <scode> |
| Refactor Hostname validation to improve performance. Patch provided by |
| Uwe Hees. (markt) |
| </scode> |
| <fix> |
| Expand HTTP/2 timeout handling to include connection window exhaustion |
| on write. This is the fix for CVE-2019-10072. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>63335</bug>: Ensure that stack traces written by the |
| <code>OneLineFormatter</code> are fully indented. The entire stack trace |
| is now indented by an additional TAB character. (markt) |
| </fix> |
| <fix> |
| When using the <code>OneLineFormatter</code>, don't print a blank line |
| in the log after printing a stack trace. (markt) |
| </fix> |
| <update> |
| Update the internal fork of Apache Commons DBCP 2 to dcdbc72 |
| (2019-04-24) to pick up some clean-up and enhancements less the JDBC 4.2 |
| related changes that require Java 8. (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons Pool 2 to 0664f4d |
| (2019-04-30) to pick up some enhancements and bug fixes. (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons FileUpload to 41e4047 |
| (2019-04-24) pick up some enhancements. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.40 (markt)" rtext="2019-04-12"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>63196</bug>: Provide a default (<code>X-Forwarded-Proto</code>) for |
| the <code>protocolHeader</code> attribute of the |
| <code>RemoteIpFilter</code> and <code>RemoteIpValve</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63235</bug>: Refactor Charset cache to reduce start time. (markt) |
| </fix> |
| <fix> |
| <bug>63249</bug>: Use a consistent log level (<code>WARN</code>) when |
| logging the failure to register or deregister a JMX Bean. (markt) |
| </fix> |
| <fix> |
| <bug>63249</bug>: Use a consistent log level (<code>ERROR</code>) when |
| logging the <code>LifecycleException</code> associated with the failure |
| to start or stop a component. (markt) |
| </fix> |
| <fix> |
| When the SSI directive <code>fsize</code> is used with an invalid |
| target, return a file size of <code>-</code> rather than |
| <code>1k</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63251</bug>: Implement a work-around for a known JRE bug (<a |
| href="https://bugs.openjdk.java.net/browse/JDK-8194653">JDK-8194653</a>) |
| that may cause a dead-lock when Tomcat starts. (markt) |
| </fix> |
| <fix> |
| <bug>63275</bug>: When using a <code>RequestDispatcher</code> ensure |
| that <code>HttpServletRequest.getContextPath()</code> returns an encoded |
| path in the dispatched request. (markt) |
| </fix> |
| <fix> |
| <bug>63286</bug>: Document the differences in behaviour between the |
| <code>LogFormat</code> directive in httpd and the <code>pattern</code> |
| attribute in the <code>AccessLogValve</code> for <code>%D</code> and |
| <code>%T</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63311</bug>: Add support for https URLs to the local resolver within |
| Tomcat used to resolve standard XML DTDs and schemas when Tomcat is |
| configured to validate XML configuration files such as web.xml. (markt) |
| </fix> |
| <fix> |
| Encode the output of the SSI <code>printenv</code> command. This is the |
| fix for CVE-2019-0221. (markt) |
| </fix> |
| <scode> |
| Use constants for SSI encoding values. (markt) |
| </scode> |
| <add> |
| When the CGI Servlet is configured with |
| <code>enableCmdLineArguments</code> set to true, limit the encoded form |
| of the individual command line arguments to those values allowed by RFC |
| 3875. This restriction may be relaxed by the use of the new |
| initialisation parameter <code>cmdLineArgumentsEncoded</code>. (markt) |
| </add> |
| <add> |
| When the CGI Servlet is configured with |
| <code>enableCmdLineArguments</code> set to true, limit the decoded form |
| of the individual command line arguments to known safe values when |
| running on Windows. This restriction may be relaxed by the use of the |
| new initialisation parameter <code>cmdLineArgumentsDecoded</code>. This |
| is the fix for CVE-2019-0232. (markt) |
| </add> |
| <update> |
| Change the default for the <code>enableCmdLineArguments</code> parameter |
| of the CGI servlet from <code>true</code> to <code>false</code> as |
| additional hardening against CVE-2019-0232. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix bad interaction between NIO2 async read API and the regular read. |
| (remm) |
| </fix> |
| <fix> |
| Refactor NIO2 write pending strategy for the classic IO API. (remm) |
| </fix> |
| <fix> |
| Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm) |
| </fix> |
| <fix> |
| When using a JSSE TLS connector that supported ALPN (Java 9 onwards) and |
| a protocol was not negotiated, Tomcat failed to fallback to HTTP/1.1 and |
| instead dropped the connection. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the TLS connector refactoring in Tomcat 9.0.17 |
| that prevented the use of PKCS#8 private keys with OpenSSL based |
| connectors. (markt) |
| </fix> |
| <fix> |
| When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any |
| query string present in the original HTTP/1.1 request is passed to the |
| HTTP/2 request processing. (markt) |
| </fix> |
| <fix> |
| When Tomcat writes a final response without reading all of an HTTP/2 |
| request, reset the stream to inform the client that the remaining |
| request body is not required. (markt) |
| </fix> |
| <fix> |
| <bug>63312</bug>: Correct a regression in the error page handling that |
| prevented error pages from issuing redirects or taking other action that |
| required the response status code to be changed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Add support for specifying Java 11 (with the value <code>11</code>) as |
| the compiler source and/or compiler target for JSP compilation. (markt) |
| </add> |
| <add> |
| Add support for specifying Java 12 (with the value <code>12</code>) and |
| Java 13 (with the value <code>13</code>) as the compiler source and/or |
| compiler target for JSP compilation. If used with an ECJ version that |
| does not support these values, a warning will be logged and the latest |
| supported version will used. Based on a patch by Thomas Collignon. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Improve the handling of exceptions during TLS handshakes for the |
| WebSocket client. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>63184</bug>: Expand the SSI documentation to provide more |
| information on the supported directives and their attributes. Patch |
| provided by nightwatchcyber. (markt) |
| </fix> |
| <add> |
| Add a note to the documentation about the risk of DoS with poorly |
| written regular expressions and the <code>RewriteValve</code>. Patch |
| provided by salgattas. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>63320</bug>: Ensure that <code>StatementCache</code> caches |
| statements that include arrays in arguments. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.39 (markt)" rtext="2019-03-19"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Minor HTTP/2 push fixes. (remm) |
| </fix> |
| <fix> |
| Refactor how cookies are transferred from the base request to a |
| <code>PushBuilder</code> so that they are accessible, and may be edited, |
| via the standard <code>PushBuilder</code> methods for working with HTTP |
| headers. (markt) |
| </fix> |
| <add> |
| Refactor error handling to enable errors that occur before processing is |
| passed to the application to be handled by the application provided |
| error handling and/or the container provided error handling |
| (<code>ErrorReportValve</code>) as appropriate. (markt) |
| </add> |
| <add> |
| Pass 404 errors triggered by a missing ROOT web application to the |
| container error handling to generate the response body. (markt) |
| </add> |
| <add> |
| Pass 400 errors triggered by invalid request targets to the container |
| error handling to generate the response body. (markt) |
| </add> |
| <add> |
| Pass errors triggered by invalid requests or unavailable services to the |
| application provided error handling and/or the container provided error |
| handling (<code>ErrorReportValve</code>) as appropriate. (markt) |
| </add> |
| <scode> |
| Refactor the MBean implementations for the internal Tomcat components |
| to reduce code duplication. (markt) |
| </scode> |
| <update> |
| Simplify the value of <code>jarsToSkip</code> property in |
| <code>catalina.properties</code> file for tomcat-i18n jar files. |
| Use prefix pattern instead of listing each language. (kkolinko) |
| </update> |
| <fix> |
| Restore the getter and setter for the access log valve attribute |
| <code>maxLogMessageBufferSize</code> that were accidentally removed. |
| (markt) |
| </fix> |
| <add> |
| <bug>63206</bug>: Add a new attribute to <code>Context</code> - |
| <code>createUploadTargets</code> which, if <code>true</code> enables |
| Tomcat to create the temporary upload location used by a Servlet if the |
| location specified by the Servlet does not already exist. The default |
| value is <code>false</code>. (markt) |
| </add> |
| <fix> |
| <bug>63210</bug>: Ensure that the Apache Commons DBCP 2 based default |
| connection pool is correctly shutdown when it is no longer required. |
| This ensures that a non-daemon thread is not left running that will |
| prevent Tomcat from shutting down cleanly. (markt) |
| </fix> |
| <fix> |
| <bug>63213</bug>: Ensure the correct escaping of group names when |
| searching for nested groups when the JNDIRealm is configured with |
| <code>roleNested</code> set to <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63236</bug>: Use <code>String.intern()</code> as suggested by |
| Phillip Webb to reduce memory wasted due to String duplication. This |
| changes saves ~245k when starting a clean installation. With additional |
| thanks to YourKit Java profiler for helping to track down the wasted |
| memory and the root causes. (markt) |
| </fix> |
| <fix> |
| <bug>63246</bug>: Fix a potential <code>NullPointerException</code> when |
| calling <code>AsyncContext.dispatch()</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that the <code>toString()</code>, <code>toBytes()</code> and |
| <code>toChars()</code> methods of <code>MessageBytes</code> behave |
| consistently and do not throw a <code>NullPointerException</code> both |
| on newly created objects and immediately after a call to |
| <code>recycle()</code>. This should not impact typical Tomcat users. It |
| may impact users who use these classes directly in their own code. |
| (markt) |
| </fix> |
| <fix> |
| When performing an HTTP/1.1 upgrade to HTTP/2 (h2c) ensure that the hostname |
| and port from the HTTP/1.1 Host header of the upgraded request are made |
| available via the standard methods |
| <code>ServletRequest.getServerName()</code> and |
| <code>ServletRequest.getServerPort()</code>. (markt) |
| </fix> |
| <fix> |
| Make PEM file parser a public utility class. (remm) |
| </fix> |
| <fix> |
| Refactor the APR/Native endpoint TLS configuration code to enable JSSE |
| style configuration - including JKS keystores - to be used with the |
| APR/Native connector. (markt) |
| </fix> |
| <add> |
| With the TLS configuration refactoring, the configuration attributes |
| <code>sessionCacheSize</code> and <code>sessionTimeout</code> are no |
| longer limited to JSSE implementations. They may now be used with |
| OpenSSL implementations as well. (markt) |
| </add> |
| <fix> |
| Refactor NIO2 read pending strategy for the classic IO API. (remm) |
| </fix> |
| <fix> |
| <bug>63182</bug>: Avoid extra read notifications for HTTP/1.1 with |
| NIO2 when using asynchronous threads. (remm) |
| </fix> |
| <add> |
| <bug>63205</bug>: Add a work-around for a known |
| <a href="https://bugs.openjdk.java.net/browse/JDK-8157404">JRE KeyStore |
| loading bug</a>. (markt) |
| </add> |
| <update> |
| Sync with NIO2 async API from Tomcat 9 branch. (remm) |
| </update> |
| <fix> |
| NIO2 should try to use SocketTimeoutException everywhere rather than a |
| mix of it and InterruptedByTimeout. (remm) |
| </fix> |
| <fix> |
| Correct an error in the request validation that meant that HTTP/2 push |
| requests always resulted in a 400 response. (markt) |
| </fix> |
| <fix> |
| <bug>63223</bug>: Correctly account for push requests when tracking |
| currently active HTTP/2 streams. (markt) |
| </fix> |
| <fix> |
| Verify HTTP/2 stream is still writable before assuming a timeout |
| occurred. (remm) |
| </fix> |
| <fix> |
| Avoid some overflow cases with OpenSSL to improve efficiency, as the |
| OpenSSL engine has an internal buffer. (remm) |
| </fix> |
| <fix> |
| Harmonize HTTP/1.1 NIO2 keepalive code. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <scode> |
| Remove the <code>STREAMS_DROP_EMPTY_MESSAGES</code> system property that |
| was introduced to work-around four failing TCK tests. An alternative |
| solution has been implemented. Sending messages via |
| <code>getSendStream()</code> and <code>getSendWriter()</code> will now |
| only result in messages on the wire if data is written to the |
| <code>OutputStream</code> or <code>Writer</code>. Writing zero length |
| data will result in an empty message. Note that sending a message via an |
| <code>Encoder</code> may result in the message being send via |
| <code>getSendStream()</code> or <code>getSendWriter()</code>. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Use client's preferred language for the Server Status page of the |
| Manager web application. Review and fix several cases when the |
| client's language preference was not respected in Manager and |
| Host Manager web applications. (kkolinko) |
| </fix> |
| <fix> |
| Fix messages used by Manager and Host Manager web applications. |
| Disambiguate message keys used when adding or removing a host. |
| Improve display of summary values on the status page: separate |
| terms and values with a whitespace. Improve wording of messages |
| for expire sessions command. (kkolinko) |
| </fix> |
| <fix> |
| Do not add CSRF nonce parameter and suppress Referer header for external |
| links in Manager and Host Manager web applications. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that members registered in the addSuspects list are static |
| members. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Expand the coverage and quality of the Russian translations provided |
| with Apache Tomcat. (kkolinko) |
| </add> |
| <fix> |
| <bug>63041</bug>: Revert the changes for <bug>53930</bug> that added |
| support for the <code>CATALINA_OUT_CMD</code> environment variable as |
| they prevented correct operation with systemd configurations that did |
| not explicitly specify a PID file. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.38 (markt)" rtext="2019-02-08"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>54741</bug>: Add a new method, |
| <code>Tomcat.addWebapp(String,URL)</code>, that allows a web application |
| to be deployed from a URL when using Tomcat in embedded mode. (markt) |
| </fix> |
| <fix> |
| Ensure that the <code>ServletOutputStream</code> implementation is |
| consistent with the requirements of asynchronous I/O and that all of the |
| write methods use a single write rather than multiple writes. (markt) |
| </fix> |
| <fix> |
| Correct the Javadoc for <code>Context.getDocBase()</code> and |
| <code>Context.setDocBase()</code> and remove text that indicates that a |
| URL may be used for the <code>docBase</code> as this has not been the |
| case for quite some time. (markt) |
| </fix> |
| <add> |
| Ensure that Tomcat is fully terminated when running as a service. |
| (markt) |
| </add> |
| <scode> |
| Treat I/O errors during request body reads the same way as I/O errors |
| during response body writes. The errors are treated as client side |
| errors rather than server side errors and only logged at debug level. |
| (markt) |
| </scode> |
| <fix> |
| <bug>63038</bug>: Ensure that a <code>ClassNotFoundException</code> is |
| thrown when attempting to load a class from a corrupted JAR file. |
| (markt) |
| </fix> |
| <add> |
| Make the removal of leading and trailing whitespace from credentials |
| passed to BASIC authentication configurable via a new attribute, |
| <code>trimCredentials</code> on the <code>BasicAuthenticator</code>. |
| (markt) |
| </add> |
| <fix> |
| <bug>63003</bug>: Extend the <code>unloadDelay</code> attribute on a |
| <code>Context</code> to include in-flight asynchronous requests. (markt) |
| </fix> |
| <add> |
| <bug>63026</bug>: Add a new attribute, <code>forceDnHexEscape</code>, to |
| the <code>JNDIRealm</code> that forces escaping in the String |
| representation of a distinguished name to use the <code>\nn</code> form. |
| This may avoid issues with realms using Active Directory which appears |
| to be more tolerant of optional escaping when the <code>\nn</code> form |
| is used. (markt) |
| </add> |
| <fix> |
| Avoid a swallowed (and therefore ignored) access failure during web |
| application class loading when running under a |
| <code>SecurityManager</code>. (markt) |
| </fix> |
| <update> |
| Update the recommended minimum Tomcat Native version to 1.2.21. (markt) |
| </update> |
| <fix> |
| <bug>63137</bug>: If the resources for a web application have been |
| configured with multiple locations mapped to |
| <code>/WEB-INF/classes</code>, ensure that all of those locations are |
| used when building the web application class path. Patch provided by |
| Marcin Gołębski. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>63009</bug>: Include the optional <code>content-length</code> |
| header in HTTP/2 responses where an appropriate value is available. |
| (markt) |
| </add> |
| <fix> |
| <bug>63022</bug>: Do not use the socket open state when using the |
| wrapper isClosed method for NIO and NIO2, as it will disable all |
| further processing. (remm) |
| </fix> |
| <fix> |
| Fix socket close discrepancies for NIO2, now the wrapper close |
| is used everywhere except for socket accept problems. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>63056</bug>: Correct a regression in the fix for <bug>53737</bug> |
| that did not correctly scan the web application directory structure for |
| JSPs. (markt) |
| </fix> |
| <fix> |
| Update the performance optimisation for using expressions in tags that |
| depend on uninitialised tag attributes with implied scope to make the |
| performance optimisation aware of the new public class |
| (<code>java.lang.Enum$EnumDesc</code>) added in Java 12. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57974</bug>: Ensure implementation of |
| <code>Session.getOpenSessions()</code> returns correct value for both |
| client-side and server-side calls. (markt) |
| </fix> |
| <fix> |
| <bug>63019</bug>: Use payload remaining bytes rather than limit when |
| writing. Submitted by Benoit Courtilly. (remm) |
| </fix> |
| <fix> |
| When running under a <code>SecurityManager</code>, ensure that the |
| <code>ServiceLoader</code> look-up for the default |
| <code>javax.websocket.server.ServerEndpointConfig.Configurator</code> |
| implementation completes correctly rather than silently using the |
| hard-coded fall-back. (markt) |
| </fix> |
| <fix> |
| Ensure that the network connection is closed if the client receives an |
| I/O error trying to communicate with the server. (markt) |
| </fix> |
| <fix> |
| Ignore synthetic methods when scanning POJO methods. (markt) |
| </fix> |
| <fix> |
| Implement the requirements of section 5.2.1 of the WebSocket 1.1 |
| specification and ensure that if the deployment of one Endpoint fails, |
| no Endpoints are deployed for that web application. (markt) |
| </fix> |
| <fix> |
| Implement the requirements of section 4.3 of the WebSocket 1.1 |
| specification and ensure that the deployment of an Endpoint fails if |
| <code>@PathParam</code> is used with an invalid parameter type. (markt) |
| </fix> |
| <fix> |
| Ensure a <code>DeploymentException</code> rather than an |
| <code>IllegalArgumentException</code> is thrown if a method annotated |
| with <code>@OnMessage</code> does not conform to the requirements set |
| out in the Javadoc. (markt) |
| </fix> |
| <fix> |
| Improve algorithm that determines if two <code>@OnMessage</code> |
| annotations have been added for the same message type. Prior to this |
| change some matches were missed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>63103</bug>: Remove the unused source.jsp file and associated tag |
| from the examples web application as it is no longer used. (markt) |
| </fix> |
| <fix> |
| <bug>63143</bug>: Ensure that the Manager web application respects the |
| language preferences of the user as configured in the browser when the |
| language of the default system locale is not English. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add EncryptInterceptor to the portfolio of available clustering |
| interceptors. This adds symmetric encryption of session data |
| to Tomcat clustering regardless of the type of cluster manager |
| or membership being used. (schultz) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.21 to |
| pick up the memory leak fixes when using NIO/NIO2 with OpenSSL. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>63041</bug>: Correct a regression in the fix for <bug>53930</bug> |
| that prevented Tomcat from working correctly with systemd. Patch |
| provided by Patrik S. (markt) |
| </fix> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.04. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.37 (markt)" rtext="2018-12-18"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| Update the recommended minimum Tomcat Native version to 1.2.19. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.19 to |
| pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL |
| 1.1.1a. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.36 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>62788</bug>: Add explicit logging configuration to write log files |
| using UTF-8 to align with Tomcat's use of UTF-8 by default |
| elsewhere. (markt) |
| </fix> |
| <fix> |
| The default Servlet should not override a previously set content-type. |
| (remm) |
| </fix> |
| <add> |
| <bug>62897</bug>: Provide a property |
| (<code>clearReferencesThreadLocals</code>) on the standard |
| <code>Context</code> implementation that enables the check for memory |
| leaks via <code>ThreadLocal</code>s to be disabled because this check |
| depends on the use of an API that has been deprecated in later versions |
| of Java. (markt) |
| </add> |
| <fix> |
| Fix more storeconfig issues with duplicated SSL attributes. (remm) |
| </fix> |
| <fix> |
| <bug>62968</bug>: Avoid unnecessary (and relatively expensive) |
| <code>getResources()</code> call in the Mapper when processing rule 7. |
| (markt) |
| </fix> |
| <fix> |
| <bug>62978</bug>: Update the RemoteIpValve to handle multiple values in |
| the <code>x-forwarded-proto</code> header. Patch provided by Tom Groot. |
| (markt) |
| </fix> |
| <fix> |
| Update the RemoteIpFilter to handle multiple values in the |
| <code>x-forwarded-proto</code> header. Based on a patch provided by Tom |
| Groot. (markt) |
| </fix> |
| <scode> |
| <bug>62986</bug>: Refactor the code that performs class scanning during |
| web application start to make integration simpler for downstream users. |
| Patch provided by rmannibucau. (markt) |
| </scode> |
| <fix> |
| <bug>62988</bug>: Fix the <code>LoadBalancerDrainingValve</code> so it |
| works when the session cookie configuration is not explicitly declared. |
| Based on a patch provided by Andreas Kurth. (markt) |
| </fix> |
| <fix> |
| <bug>63002</bug>: Fix setting rewrite qsdiscard flag. (remm) |
| </fix> |
| <fix> |
| Implement the requirements of section 8.2.2 2c of the Servlet |
| specification and prevent a web application from deploying if it has |
| fragments with duplicate names and is configured to use relative |
| ordering of fragments. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Avoid an exception when using Tomcat Native built with a version of |
| OpenSSL that does not support TLSv1.3. (markt) |
| </fix> |
| <fix> |
| <bug>62899</bug>: Prevent the incorrect timing out of connections when |
| Servlet non-blocking I/O is used to read a request body over an HTTP/2 |
| stream. (markt) |
| </fix> |
| <fix> |
| Avoid bad SSLHostConfig JMX registrations before init. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>53737</bug>: Extend JspC, the precompilation tool, to include |
| support for resource JARs. (markt) |
| </add> |
| <fix> |
| <bug>62976</bug>: Avoid an <code>IllegalStateException</code> when using |
| background compilation when tag files are packaged in JAR files. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>62918</bug>: Filter out subtype mbeans to avoid breaking the |
| connector status page. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Prevent an error when running in a Cygwin shell and the |
| <code>JAVA_ENDORSED_DIRS</code> system property is empty. Patch provided |
| by Zemian Deng. (markt) |
| </fix> |
| <add> |
| <bug>53930</bug>: Add support for the <code>CATALINA_OUT_CMD</code> |
| environment variable that defines a command to which captured stdout and |
| stderr will be redirected. Patch provided by Casey Lucas. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.35 (markt)" rtext="2018-11-07"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>61692</bug>: Add the ability to control which HTTP methods are |
| handled by the CGI Servlet via a new initialization parameter |
| <code>cgiMethods</code>. (markt) |
| </add> |
| <fix> |
| <bug>62687</bug>: Expose content length information for resources |
| when using a compressed war. (remm) |
| </fix> |
| <fix> |
| <bug>62737</bug>: Fix rewrite substitutions parsing of {} nesting. |
| (remm) |
| </fix> |
| <fix> |
| Add rewrite flags output when getting the rewrite configuration back. |
| (remm) |
| </fix> |
| <fix> |
| Add missing qsdiscard flag to the rewrite flags as a cleaner way to |
| discard the query string. (remm) |
| </fix> |
| <fix> |
| Add documentation about the files <code>context.xml.default</code> and |
| <code>web.xml.default</code> that can be used to customize <code>conf/context.xml</code> |
| and <code>conf/web.xml</code> on a per host basis. (fschumacher) |
| </fix> |
| <fix> |
| Ensure that a canonical path is always used for the docBase of a Context |
| to ensure consistent behaviour. (markt) |
| </fix> |
| <fix> |
| <bug>62803</bug>: Fix SSL connector configuration processing |
| in storeconfig. (remm) |
| </fix> |
| <fix> |
| <bug>62797</bug>: Pass throwable to keep client aborts with status 200 |
| rather than 500. Patch submitted by zikfat. (remm) |
| </fix> |
| <fix> |
| <bug>62809</bug>: Correct a regression in the implementation of DIGEST |
| authentication support for the Deployer Ant tasks (bug <bug>45832</bug>) |
| that prevented the <code>DeployTask</code> from working when |
| authentication was required. (markt) |
| </fix> |
| <update> |
| Update the recommended minimum Tomcat Native version to 1.2.18. (markt) |
| </update> |
| <add> |
| Ignore an attribute named <code>source</code> on <code>Context</code> |
| elements provided by <code>StandardContext</code>. This is to suppress |
| warnings generated by the Eclipse / Tomcat integration provided by |
| Eclipse. Based on a patch by mdfst13. (markt) |
| </add> |
| <add> |
| <bug>62830</bug>: Added <code>JniLifeCycleListener</code> and static |
| methods <code>Library.loadLibrary(libraryName)</code> and |
| <code>Library.load(filename)</code> to load a native library by a |
| shared class loader so that more than one Webapp can use it. (isapir) |
| </add> |
| <fix> |
| Correct a typo in the Spanish resource files. Patch provided by Diego |
| Agulló. (markt) |
| </fix> |
| <fix> |
| <bug>62868</bug>: Order the <code>Enumeration<URL></code> provided |
| by <code>WebappClassLoaderBase.getResources(String)</code> according to |
| the setting of the delegate flag. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Add TLSv1.3 to the default protocols and to the <code>all</code> |
| alias for JSSE based TLS connectors when running on a JVM that |
| supports TLS version 1.3. One such JVM is OpenJDK version 11. (rjung) |
| </add> |
| <fix> |
| <bug>62685</bug>: Correct an error in host name validation parsing that |
| did not allow a fully qualified domain name to terminate with a period. |
| Patch provided by AG. (markt) |
| </fix> |
| <fix> |
| <bug>62739</bug>: Do not reject requests with an empty HTTP Host header. |
| Such requests are unusual but not invalid. Patch provided by Michael |
| Orr. (markt) |
| </fix> |
| <add> |
| <bug>62748</bug>: Add TLS 1.3 support for the APR/Native connector and |
| the NIO/NIO2 connector when using the OpenSSL backed JSSE |
| implementation. (schultz/markt) |
| </add> |
| <fix> |
| <bug>62791</bug>: Remove an unnecessary check in the NIO TLS |
| implementation that prevented from secure WebSocket connections from |
| being established. (markt) |
| </fix> |
| <fix> |
| Fix server initiated TLS renegotiation to obtain a client certificate |
| when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation. |
| (markt) |
| </fix> |
| <fix> |
| <bug>62871</bug>: Improve MBeans for Endpoint instances (type |
| <code>ThreadPool</code> in JMX) by using explicit declaration of |
| attributes and operations rather than relying on introspection. Add a |
| new MBean to expose the <code>Socketproperties</code> values. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Correct parsing of XML whitespace in TLD function signatures that |
| incorrectly only looked for the space character. (markt) |
| </fix> |
| <fix> |
| <bug>62674</bug>: Correct a regression in the stand-alone JSP compiler |
| utility, <code>JspC</code>, caused by the fix for <bug>53492</bug>, that |
| caused the JSP compiler to hang. (markt) |
| </fix> |
| <fix> |
| <bug>62721</bug>: Correct generation of web.xml header when using JspC. |
| (markt) |
| </fix> |
| <fix> |
| <bug>62757</bug>: Correct a regression in the fix for <bug>62603</bug> |
| that caused <code>NullPointerException</code>s when compiling tag files |
| on first access when development mode was disabled and background |
| compilation was enabled. Based on a patch by Jordi Llach. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>62731</bug>: Make the URI returned by |
| <code>HandshakeRequest.getRequestURI()</code> and |
| <code>Session.getRequestURI()</code> absolute so that the scheme, host |
| and port are accessible. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>62676</bug>: Expand the CORS filter documentation to make it clear |
| that explicit configuration is required to enable support for |
| cross-origin requests. (markt) |
| </fix> |
| <fix> |
| <bug>62712</bug>: Correct NPE in Manager application when attempting to |
| view configured certificates for an APR/native TLS connector. (markt) |
| </fix> |
| <fix> |
| <bug>62761</bug>: Correct the advanced CORS example in the Filter |
| documentation to use a valid configuration. (markt) |
| </fix> |
| <fix> |
| <bug>62786</bug>: Add a note to the Context documentation to explain |
| that, by default, settings for a Context element defined in server.xml |
| will be overwritten by settings specified in a default context file such |
| as <code>conf/context.xml</code>. (markt) |
| </fix> |
| <fix> |
| Create a little visual separation between the Undeploy button and the |
| other buttons in the Manager application. Patch provided by Łukasz |
| Jąder. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the internal fork of Apache Commons Pool 2 to d4e0e88 |
| (2018-09-12) to pick up some bug fixes and enhancements. (markt) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.18 to |
| pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL |
| 1.1.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.34 (markt)" rtext="2018-09-10"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Make the <code>isLocked()</code> method of the <code>LockOutRealm</code> |
| public and expose the method via JMX. (markt) |
| </add> |
| <fix> |
| Improve the handling of path parameters when working with |
| RequestDispatcher objects. (markt) |
| </fix> |
| <fix> |
| <bug>62664</bug>: Process requests with content type |
| <code>multipart/form-data</code> to servlets with a |
| <code>@MultipartConfig</code> annotation regardless of HTTP method. |
| (markt) |
| </fix> |
| <fix> |
| <bug>62667</bug>: Add recursion to rewrite substitution parsing. (remm) |
| </fix> |
| <fix> |
| <bug>62669</bug>: When using the SSIFilter and a resource does not |
| specify a content type, do not force the content type to |
| <code>application/x-octet-stream</code>. (markt) |
| </fix> |
| <fix> |
| <bug>62670</bug>: Adjust the memory leak protection for the |
| <code>DriverManager</code> so that JDBC drivers located in |
| <code>$CATALINA_HOME/lib</code> and <code>$CATALINA_BASE/lib</code> are |
| loaded via the service loader mechanism when the protection is enabled. |
| (markt) |
| </fix> |
| <fix> |
| When generating a redirect to a directory in the Default Servlet, avoid |
| generating a protocol relative redirect. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix potential deadlocks when using asynchronous Servlet processing with |
| HTTP/2 connectors. (markt) |
| </fix> |
| <fix> |
| <bug>62620</bug>: Fix corruption of response bodies when writing large |
| bodies using asynchronous processing over HTTP/2. (markt) |
| </fix> |
| <fix> |
| <bug>62628</bug>: Additional fixes for output corruption of response |
| bodies when writing large bodies using asynchronous processing over |
| HTTP/2. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Correct the JSP version in the X-PoweredBy HTTP header generated when |
| the xpoweredBy option is enabled. (markt) |
| </fix> |
| <fix> |
| <bug>62662</bug>: Fix the corruption of web.xml output during JSP |
| compilation caused by the fix for <bug>53492</bug>. Patch provided by |
| Bernhard Frauendienst. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Expand the information in the documentation web application regarding |
| the use of <code>CATALINA_HOME</code> and <code>CATALINA_BASE</code>. |
| Patch provided by Marek Czernek. (markt) |
| </add> |
| <fix> |
| <bug>62652</bug>: Make it clearer that the version of DBCP that is |
| packaged in Tomcat 8.5.x is DBCP 2. Correct the names of some DBCP 2 |
| configuration attributes that changed between 1.x and 2.x. (markt) |
| </fix> |
| <add> |
| <bug>62666</bug>: Expand internationalisation support in the Manager |
| application to include the server status page and provide Russian |
| translations in addition to English. Patch provided by Artem Chebykin. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Switch the build script to use http for downloads from an ASF mirror |
| using the closer.lua script to avoid failures due to HTTPS to HTTP |
| redirects. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.33 (markt)" rtext="2018-08-17"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Ensure that the HTTP Vary header is set correctly when using the CORS |
| filter and improve the cacheability of requests that pass through the |
| COPRS filter. (markt) |
| </fix> |
| <fix> |
| <bug>62527</bug>: Revert restriction of JNDI to the <code>java:</code> |
| namespace. (remm) |
| </fix> |
| <add> |
| Introduce a new class - <code>MultiThrowable</code> - to report |
| exceptions when multiple actions are taken where each action may throw |
| an exception but all actions are taken before any errors are reported. |
| Use this new class when reporting multiple container (e.g. web |
| application) failures during start. (markt) |
| </add> |
| <fix> |
| Correctly decode URL paths (<code>+</code> should not be decoded to a |
| space in the path) in the <code>RequestDispatcher</code> and the web |
| application class loader. (markt) |
| </fix> |
| <add> |
| Make logout more robust if JASPIC subject is unexpectedly unavailable. |
| (markt) |
| </add> |
| <fix> |
| <bug>62547</bug>: JASPIC <code>cleanSubject()</code> was not called on |
| logout when the authenticator was configured to cache the authenticated |
| Principal. Patch provided by Guillermo González de Agüero. (markt) |
| </fix> |
| <add> |
| <bug>62559</bug>: Add <code>jaxb-*.jar</code> to the list of JARs |
| ignored by <code>StandardJarScanner</code>. (markt) |
| </add> |
| <add> |
| <bug>62560</bug>: Add <code>oraclepki.jar</code> to the list of JARs |
| ignored by <code>StandardJarScanner</code>. (markt) |
| </add> |
| <add> |
| <bug>62607</bug>: Return a non-zero exit code from |
| <code>catalina.[bat|sh] run</code> if Tomcat fails to start. (markt) |
| </add> |
| <scode> |
| Remove <code>ServletException</code> from declaration of |
| <code>Tomcat.addWebapp(String,String)</code> since it is never thrown. |
| Patch provided by Tzafrir. (markt) |
| </scode> |
| <fix> |
| Use short circuit logic to prevent potential NPE in CorsFilter. (fschumacher) |
| </fix> |
| <scode> |
| Simplify construction of appName from container name in JAASRealm. (fschumacher) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| <bug>60560</bug>: Add support for using an inherited channel to |
| the NIO connector. Based on a patch submitted by Thomas Meyer with |
| testing and suggestions by Coty Sutherland. (remm) |
| </update> |
| <fix> |
| <bug>62507</bug>: Ensure that JSSE based TLS connectors work correctly |
| with a DKS keystore. Note: DKS keystores require Java 8 or later. |
| (markt) |
| </fix> |
| <fix> |
| Refactor code that adds an additional header name to the |
| <code>Vary</code> HTTP response header to use a common utility method |
| that addresses several additional edge cases. (markt) |
| </fix> |
| <fix> |
| <bug>62515</bug>: When a connector is configured (via setting |
| <code>bindOnInit</code> to <code>false</code>) to bind/unbind the server |
| socket during start/stop, close the socket earlier in the stop process |
| so new connections do not sit in the TCP backlog during the shutdown |
| process only to be dropped as stop completes. In this scenario new |
| connections will now be refused immediately. (markt) |
| </fix> |
| <fix> |
| <bug>62526</bug>: Correctly handle PKCS12 format key stores when the key |
| store password is configured to be the empty string. (markt) |
| </fix> |
| <fix> |
| Fix error in back-port of HTTP/2 compression that meant compression was |
| never enabled. (markt) |
| </fix> |
| <fix> |
| <bug>62605</bug>: Ensure <code>ReadListener.onDataAvailable()</code> is |
| called when the initial request body data arrives after the request |
| headers when using asynchronous processing over HTTP/2. (markt) |
| </fix> |
| <fix> |
| <bug>62614</bug>: Ensure that |
| <code>WriteListener.onWritePossible()</code> is called after |
| <code>isReady()</code> returns <code>false</code> and the window size is |
| subsequently incremented when using asynchronous processing over HTTP/2. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>53011</bug>: When pre-compiling with JspC, report all compilation |
| errors rather than stopping after the first error. A new option |
| <code>-failFast</code> can be used to restore the previous behaviour of |
| stopping after the first error. Based on a patch provided by Marc Pompl. |
| (markt) |
| </fix> |
| <add> |
| <bug>53492</bug>: Make the Java file generation process multi-threaded. |
| By default, one thread will be used per core. Based on a patch by Dan |
| Fabulich. (markt) |
| </add> |
| <add> |
| <bug>62453</bug>: Add a performance optimisation for using expressions |
| in tags that depend on uninitialised tag attributes with implied scope. |
| Generally, using an explicit scope with tag attributes in EL is the best |
| way to avoid various potential performance issues. (markt) |
| </add> |
| <fix> |
| Correctly decode URL paths (<code>+</code> should not be decoded to a |
| space in the path) in the Jasper class loader. (markt) |
| </fix> |
| <fix> |
| <bug>62603</bug>: Fix a potential race condition when development mode |
| is disabled and background compilation checks are enabled. It was |
| possible that some updates would not take effect and/or |
| <code>ClassNotFoundException</code>s would occur. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>62596</bug>: Remove the limit on the size of the initial HTTP |
| upgrade request used to establish the web socket connection. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>61565</bug>: Add the ability to trigger a reloading of TLS host |
| configuration (certificate and key files, server.xml is not re-parsed) |
| via the Manager web application. (markt) |
| </add> |
| <add> |
| <bug>62558</bug>: Add Russian translations for the Manager and Host |
| Manager web applications. Based on a patch by Ivan Krasnov. (markt) |
| </add> |
| <add> |
| <bug>62561</bug>: Add advanced class loader configuration information |
| regarding the use of the Server and Shared class loaders to the |
| documentation web application. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensures that the specified <code>rxBufSize</code> is correctly set to |
| receiver buffer size. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Support building with Java 9+ while preserving the Java 7 compatibility |
| at runtime (requires Ant 1.9.8 or later). (ebourg) |
| </update> |
| <update> |
| Update WSDL4J library to version 1.6.3 (from 1.6.2). (kkolinko) |
| </update> |
| <update> |
| Update JUnit library to version 4.12 (from 4.11). (kkolinko) |
| </update> |
| <update> |
| Downgrade CGLib library used for testing with EasyMock to version |
| 2.2.2 (from 2.2.3) as version 2.2.3 is not available from Maven Central. |
| (markt/kkolinko) |
| </update> |
| <add> |
| Implement checksum checks when downloading dependencies that are used |
| to build Tomcat. (kkolinko) |
| </add> |
| <fix> |
| Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg) |
| </fix> |
| <update> |
| Update the internal fork of Apache Commons Pool 2 to 3e02523 |
| (2018-08-09) to pick up some bug fixes and enhancements. (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons DBCP 2 to abc0484 |
| (2018-08-09) to pick up some bug fixes and enhancements. (markt) |
| </update> |
| <fix> |
| Correct various spelling errors throughout the source code and |
| documentation. Patch provided by Kazuhiro Sera. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.32 (markt)" rtext="2018-06-25"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Treat the <code><mapped-name></code> element of a |
| <code><env-entry></code> in web.xml in the same way as the |
| <code>mappedName</code> element of the equivalent <code>@Resource</code> |
| annotation. Both now attempt to set the <code>mappedName</code> property |
| of the resource. (markt) |
| </fix> |
| <fix> |
| Correct the processing of resources with |
| <code><injection-target></code>s defined in web.xml. First look |
| for a match using JavaBean property names and then, only if a match is |
| not found, look for a match using fields. (markt) |
| </fix> |
| <fix> |
| When restoring a saved request with a request body after FORM |
| authentication, ensure that calls to the <code>HttpServletRequest</code> |
| methods <code>getRequestURI()</code>, <code>getQueryString()</code> and |
| <code>getProtocol()</code> are not corrupted by the processing of the |
| saved request body. (markt) |
| </fix> |
| <fix> |
| JNDI resources that are defined with injection targets but no value are |
| now treated as if the resource is not defined. (markt) |
| </fix> |
| <fix> |
| Ensure that JNDI names used for <code><lookup-name></code> entries |
| in web.xml and for <code>lookup</code> elements of |
| <code>@Resource</code> annotations specify a name with an explicit |
| <code>java:</code> namespace. (markt) |
| </fix> |
| <scode> |
| Refactor the <code>org.apache.naming</code> package to reduce duplicate |
| code. Duplicate code identified by the Simian tool. (markt) |
| </scode> |
| <fix> |
| <bug>50019</bug>: Add support for <code><lookup-name></code>. |
| Based on a patch by Gurkan Erdogdu. (markt) |
| </fix> |
| <add> |
| <bug>51953</bug>: Add the <code>RemoteCIDRFilter</code> and |
| <code>RemoteCIDRValve</code> that can be used to allow/deny requests |
| based on IPv4 and/or IPv6 client address where the IP ranges are defined |
| using CIDR notation. Based on a patch by Francis Galiegue. (markt) |
| </add> |
| <fix> |
| <bug>62343</bug>: Make CORS filter defaults more secure. This is the fix |
| for CVE-2018-8014. (markt) |
| </fix> |
| <fix> |
| Ensure that the web application resources implementation does not |
| incorrectly cache results for resources that are only visible as class |
| loader resources. (markt) |
| </fix> |
| <fix> |
| Make all loggers associated with Tomcat provided Filters non-static to |
| ensure that log messages are not lost when a web application is |
| reloaded. (markt) |
| </fix> |
| <fix> |
| Correct the manifest for the annotations-api.jar. The JAR implements the |
| Common Annotations API 1.2 and the manifest should reflect that. (markt) |
| </fix> |
| <fix> |
| Switch to non-static loggers where there is a possibility of a logger |
| becoming associated with a web application class loader causing log |
| messages to be lost if the web application is stopped. (markt) |
| </fix> |
| <add> |
| <bug>62389</bug>: Add the IPv6 loopback address to the default |
| <code>internalProxies</code> regular expression. Patch by Craig Andrews. |
| (markt) |
| </add> |
| <fix> |
| In the <code>RemoteIpValve</code> and <code>RemoteIpFilter</code>, |
| correctly handle the case when the request passes through one or more |
| <code>trustedProxies</code> but no <code>internalProxies</code>. Based |
| on a patch by zhanhb. (markt) |
| </fix> |
| <fix> |
| Correct the logic in <code>MBeanFactory.removeConnector()</code> to |
| ensure that the correct Connector is removed when there are multiple |
| Connectors using different addresses but the same port. (markt) |
| </fix> |
| <fix> |
| Make <code>JAASRealm</code> mis-configuration more obvious by requiring |
| the authenticated Subject to include at least one Principal of a type |
| specified by <code>userClassNames</code>. (markt) |
| </fix> |
| <fix> |
| <bug>62476</bug>: Use GMT timezone for the value of |
| <code>Expires</code> header as required by HTTP specification |
| (RFC 7231, 7234). (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Consistent exception propagation for NIO2 SSL close. (remm) |
| </fix> |
| <fix> |
| Log an error message if the AJP connector detects that the reverse proxy |
| is sending AJP messages that are too large for the configured |
| <code>packetSize</code>. (markt) |
| </fix> |
| <fix> |
| Relax Host validation by removing the requirement that the final |
| component of a FQDN must be alphabetic. (markt) |
| </fix> |
| <fix> |
| <bug>62371</bug>: Improve logging of Host validation failures. (markt) |
| </fix> |
| <fix> |
| Add missing handshake timeout for NIO2. (remm) |
| </fix> |
| <fix> |
| Correctly handle a digest authorization header when the user name |
| contains an escaped character. (markt) |
| </fix> |
| <fix> |
| Correctly handle a digest authorization header when one of the hex |
| field values ends the header with in an invalid character. (markt) |
| </fix> |
| <fix> |
| Correctly handle an invalid quality value in an |
| <code>Accept-Language</code> header. (markt) |
| </fix> |
| <docs> |
| <bug>62423</bug>: Fix SSL docs CRL attribute typo. (remm) |
| </docs> |
| <fix> |
| Improve IPv6 validation by ensuring that IPv4-Mapped IPv6 addresses do |
| not contain leading zeros in the IPv4 part. Based on a patch by Katya |
| Stoycheva. (markt) |
| </fix> |
| <fix> |
| Fix <code>NullPointerException</code> thrown from <code> |
| replaceSystemProperties()</code> when trying to log messages. (csutherl) |
| </fix> |
| <fix> |
| Avoid unnecessary processing of async timeouts. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>50234</bug>: Add the capability to generate a web-fragment.xml file |
| to JspC. (markt) |
| </add> |
| <fix> |
| <bug>62080</bug>: Ensure that all reads of the current thread's context |
| class loader made by the UEL API and implementation are performed via a |
| <code>PrivilegedAction</code> to ensure that a |
| <code>SecurityException</code> is not triggered when running under a |
| <code>SecurityManager</code>. (mark) |
| </fix> |
| <fix> |
| <bug>62350</bug>: Refactor |
| <code>org.apache.jasper.runtime.BodyContentImpl</code> so a |
| <code>SecurityException</code> is not thrown when running under a |
| SecurityManger and additional permissions are not required in the |
| <code>catalina.policy</code> file. This is a follow-up to the fix for |
| <bug>43925</bug>. (kkolinko/markt) |
| </fix> |
| <fix> |
| Update web.xml, web-fragment.xml and web.xml extracts generated by JspC |
| to use the Servlet 3.1 version of the relevant schemas. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Remove duplicate calls when creating a replicated session to reduce the |
| time taken to create the session and thereby reduce the chances of a |
| subsequent session update message being ignored because the session does |
| not yet exist. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| When decoding of path parameter failed, make sure to throw |
| <code>DecodeException</code> instead of throwing |
| <code>ArrayIndexOutOfBoundsException</code>. (kfujino) |
| </fix> |
| <fix> |
| Enable host name verification when using TLS with the WebSocket client. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changlog> |
| <fix> |
| <bug>62395</bug>: Clarify the meaning of the connector attribute |
| <code>minSpareThreads</code> in the documentation web application. |
| (markt) |
| </fix> |
| <fix> |
| Correct the documentation for the <code>allowHostHeaderMismatch</code> |
| attribute of the standard HTTP Connector implementations. (markt) |
| </fix> |
| </changlog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that the correct default value is returned when retrieve unset |
| properties in <code>McastService</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| When <code>logValidationErrors</code> is set to true, the connection |
| validation error is logged as <code>SEVERE</code> instead of |
| <code>WARNING</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>62391</bug>: Remove references to <code>javaw.exe</code> as this |
| file is not required by Tomcat and the references prevent the use of the |
| Server JRE. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.17 to |
| pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL |
| 1.0.2o. (markt) |
| </update> |
| <update> |
| <bug>62458</bug>: Update the internal fork of Commons Pool 2 to dfef97b |
| (2018-06-18) to pick up some bug fixes and enhancements. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP 2 to 2.4.0. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.31 (markt)" rtext="2018-05-03"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>62263</bug>: Avoid a <code>NullPointerException</code> when the |
| <code>RemoteIpValve</code> processes a request for which no Context can |
| be found. (markt) |
| </fix> |
| <fix> |
| Fix a rare edge case that is unlikely to occur in real usage. This edge |
| case meant that writing long streams of UTF-8 characters to the HTTP |
| response that consisted almost entirely of surrogate pairs could result |
| in one surrogate pair being dropped. (markt) |
| </fix> |
| <fix> |
| Register MBean when DataSource Resource <code> |
| type="javax.sql.XADataSource"</code>. Patch provided by Masafumi Miura. |
| (csutherl) |
| </fix> |
| <add> |
| Update the internal fork of Apache Commons BCEL to r1829827 to add early |
| access Java 11 support to the annotation scanning code. (markt) |
| </add> |
| <fix> |
| <bug>62297</bug>: Enable the <code>CrawlerSessionManagerValve</code> to |
| correctly handle bots that crawl multiple hosts and/or web applications |
| when the Valve is configured on a Host or an Engine. (fschumacher) |
| </fix> |
| <fix> |
| <bug>62309</bug>: Fix a <code>SecurityException</code> when using JASPIC |
| under a <code>SecurityManager</code> when authentication is not |
| mandatory. (markt) |
| </fix> |
| <fix> |
| <bug>62329</bug>: Correctly list resources in JAR files when directories |
| do not have dedicated entries. Patch provided by Meelis Müür. (markt) |
| </fix> |
| <add> |
| Collapse multiple leading <code>/</code> characters to a single |
| <code>/</code> in the return value of |
| <code>HttpServletRequest#getContextPath()</code> to avoid issues if the |
| value is used with <code>HttpServletResponse#sendRedirect()</code>. This |
| behaviour is enabled by default and configurable via the new Context |
| attribute <code>allowMultipleLeadingForwardSlashInPath</code>. (markt) |
| </add> |
| <fix> |
| Improve handing of overflow in the UTF-8 decoder with supplementary |
| characters. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct off-by-one error in thread pool that allowed thread pools to |
| increase in size to one more than the configured limit. Patch provided |
| by usc. (markt) |
| </fix> |
| <fix> |
| Prevent unexpected TLS handshake failures caused by errors during a |
| previous handshake that were not correctly cleaned-up when using the NIO |
| or NIO2 connector with the <code>OpenSSLImplementation</code>. (markt) |
| </fix> |
| <add> |
| Enable strict validation of the provided host name and port for all |
| connectors. Requests with invalid host names and/or ports will be |
| rejected with a 400 response. (markt) |
| </add> |
| <add> |
| <bug>62273</bug>: Implement configuration options to work-around |
| specification non-compliant user agents (including all the major |
| browsers) that do not correctly %nn encode URI paths and query strings |
| as required by RFC 7230 and RFC 3986. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Enable ECJ version 4.7 and later to be used as a drop in replacement for |
| the ECJ version that ships with Apache Tomcat. (markt) |
| </fix> |
| <fix> |
| Enable Java 10 to be specified as a JSP source and/or target if a newer |
| ECJ version is used. (markt) |
| </fix> |
| <fix> |
| <bug>62287</bug>: Do not rely on hash codes to test instances of |
| <code>ValueExpressionImpl</code> for equality. Patch provided by Mark |
| Struberg. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>62301</bug>: Correct a regression in the fix for <bug>61491</bug> |
| that didn't correctly handle a final empty message part in all |
| circumstances when using <code>PerMessageDeflate</code>. (markt) |
| </fix> |
| <fix> |
| <bug>62332</bug>: Ensure WebSocket connections are closed after an I/O |
| error is experienced reading from the client. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Avoid warning when running under Cygwin when the |
| <code>JAVA_ENDORSED_DIRS</code> environment variable is not set. Patch |
| provided by Zemian Deng. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.30 (markt)" rtext="2018-04-07"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>51195</bug>: Avoid a false positive report of a web application |
| memory leak by clearing <code>ObjectStreamClass$Caches</code> of classes |
| loaded by the web application when the web application is stopped. |
| (markt) |
| </fix> |
| <fix> |
| <bug>52688</bug>: Add support for the <code>maxDays</code> attribute to |
| the <code>AccessLogValve</code> and <code>ExtendedAccessLogValve</code>. |
| This allows the maximum number of days for which rotated access logs |
| should be retained before deletion to be defined. (markt) |
| </fix> |
| <fix> |
| Ensure the MBean names for the <code>SSLHostConfig</code> and |
| <code>SSLHostConfigCertificate</code> are correctly formed when the |
| <code>Connector</code> is bound to a specific IP address. (markt) |
| </fix> |
| <fix> |
| <bug>62168</bug>: When using the <code>PersistentManager</code> honor a |
| value of <code>-1</code> for <code>minIdleSwap</code> and do not swap |
| out sessions to keep the number of active sessions under |
| <code>maxActive</code>. Patch provided by Holger Sunke. (markt) |
| </fix> |
| <fix> |
| <bug>62172</bug>: Improve Javadoc for |
| <code>org.apache.catalina.startup.Constants</code> and ensure that the |
| constants are correctly used. (markt) |
| </fix> |
| <fix> |
| <bug>62175</bug>: Avoid infinite recursion, when trying to validate |
| a session while loading it with <code>PersistentManager</code>. |
| (fschumacher) |
| </fix> |
| <fix> |
| Ensure that <code>NamingContextListener</code> instances are only |
| notified once of property changes on the associated naming resources. |
| (markt) |
| </fix> |
| <add> |
| Add LoadBalancerDrainingValve, a Valve designed to reduce the amount of |
| time required for a node to drain its authenticated users. (schultz) |
| </add> |
| <add> |
| <bug>62224</bug>: Disable the <code>forkJoinCommonPoolProtection</code> |
| of the <code>JreMemoryLeakPreventionListener</code> when running on Java |
| 9 and above since the underlying JRE bug has been fixed. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Avoid potential loop in APR/Native poller. (markt) |
| </fix> |
| <fix> |
| Ensure streams that are received but not processed are excluded from the |
| tracking of maximum ID of processed streams. (markt) |
| </fix> |
| <fix> |
| Refactor the check for a paused connector to consistently prevent new |
| streams from being created after the connector has been paused. (markt) |
| </fix> |
| <fix> |
| Improve debug logging for HTTP/2 pushed streams. (markt) |
| </fix> |
| <fix> |
| The OpenSSL engine SSL session will now ignore invalid accesses. (remm) |
| </fix> |
| <fix> |
| <bug>62177</bug>: Correct two protocol errors with HTTP/2 |
| <code>PUSH_PROMISE</code> frames. Firstly, the HTTP/2 protocol only |
| permits pushes to be sent on peer initiated requests. Secondly, pushes |
| must be sent in order of increasing stream ID. These restriction were |
| not being enforced leading to protocol errors at the client. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Add document for <code>FragmentationInterceptor</code>. (kfujino) |
| </add> |
| <add> |
| Document how the roles for an authenticated user are determined when the |
| <code>CombinedRealm</code> is used. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Add JMX support for <code>FragmentationInterceptor</code> in order to |
| prevent warning of startup. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Ensure that <code>SQLWarning</code> has been cleared when connection |
| returns to the pool. (kfujino) |
| </fix> |
| <add> |
| Enable clearing of <code>SQLWarning</code> via JMX. (kfujino) |
| </add> |
| <fix> |
| Ensure that parameters have been cleared when |
| <code>PreparedStatement</code> and/or <code>CallableStatement</code> are |
| cached. (kfujino) |
| </fix> |
| <fix> |
| Enable PoolCleaner to be started even if <code>validationQuery</code> |
| is not set. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>62164</bug>: Switch the build script to use TLS for downloads from |
| SourceForge and Maven Central to avoid failures due to HTTP to HTTPS |
| redirects. (markt) |
| </fix> |
| <add> |
| Always report the OS's umask when launching the JVM. (schultz) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.29 (markt)" rtext="2018-03-08"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Minor optimization when calling class transformers. (rjung) |
| </fix> |
| <fix> |
| Prevent Tomcat from applying gzip compression to content that is already |
| compressed with brotli compression. Based on a patch provided by burka. |
| (markt) |
| </fix> |
| <fix> |
| <bug>62090</bug>: Null container names are not allowed. (remm) |
| </fix> |
| <fix> |
| <bug>62104</bug>: Fix programmatic login regression as the |
| NonLoginAuthenticator has to be set for it to work (if no login method |
| is specified). (remm) |
| </fix> |
| <fix> |
| <bug>62117</bug>: Improve error message in <code>catalina.sh</code> when |
| calling <code>kill -0 <pid></code> fails. Based on a suggestion |
| from Mark Morschhaeuser. (markt) |
| </fix> |
| <fix> |
| <bug>62118</bug>: Correctly create a JNDI <code>ServiceRef</code> using |
| the specified interface rather than the concrete type. Based on a |
| suggestion by Ángel Álvarez Páscua. (markt) |
| </fix> |
| <fix> |
| Fix for <code>RequestDumperFilter</code> log attribute. Patch provided |
| by Kirill Romanov via Github. (violetagg) |
| </fix> |
| <fix> |
| <bug>62123</bug>: Avoid <code>ConcurrentModificationException</code> |
| when attempting to clean up application triggered RMI memory leaks on |
| web application stop. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the fix for <bug>60276</bug> that meant that |
| compression was applied to all MIME types. Patch provided by Stefan |
| Knoblich. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Add minor HPACK fixes, based on fixes by Stuart Douglas. (remm) |
| </fix> |
| <fix> |
| <bug>61751</bug>: Follow up fix so that OpenSSL engine returns |
| underflow when unwrapping if no bytes were produced and the input is |
| empty. (remm) |
| </fix> |
| <fix> |
| Minor OpenSSL engine cleanups. (remm) |
| </fix> |
| <fix> |
| NIO SSL handshake should throw an exception on overflow status, like |
| NIO2 SSL. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>48672</bug>: Add documentation for the Host Manager web |
| application. Patch provided by Marek Czernek. (markt) |
| </add> |
| <add> |
| Work-around a known, non-specification compliant behaviour in some |
| versions of IE that can allow XSS when the Manager application generates |
| a plain text response. Based on a suggestion from Muthukumar Marikani. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the build script so MD5 hashes are no longer generated for |
| releases as per the change in the ASF distribution policy. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.28 (markt)" rtext="2018-02-11"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Prevent a stack trace being written to standard out when running on Java |
| 10 due to changes in the <code>LogManager</code> implementation. (markt) |
| </fix> |
| <fix> |
| <bug>62000</bug>: When a JNDI reference cannot be resolved, ensure that |
| the root cause exception is reported rather than swallowed. (markt) |
| </fix> |
| <fix> |
| <bug>62036</bug>: When caching an authenticated user Principal in the |
| session when the web application is configured with the |
| <code>NonLoginAuthenticator</code>, cache the internal Principal object |
| rather than the user facing Principal object as Tomcat requires the |
| internal object to correctly process later authorization checks. (markt) |
| </fix> |
| <fix> |
| Avoid duplicate load attempts if one has been made already. (remm) |
| </fix> |
| <fix> |
| Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine. |
| (remm) |
| </fix> |
| <fix> |
| <bug>62067</bug>: Correctly apply security constraints mapped to the |
| context root using a URL pattern of <code>""</code>. (markt) |
| </fix> |
| <fix> |
| When using Tomcat embedded, only perform Authenticator configuration |
| once during web application start. (markt) |
| </fix> |
| <fix> |
| Process all <code>ServletSecurity</code> annotations at web application |
| start rather than at servlet load time to ensure constraints are applied |
| consistently. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61751</bug>: Fix truncated request input streams when using NIO2 |
| with TLS. (markt) |
| </fix> |
| <fix> |
| <bug>62023</bug>: Log error reporting multiple SSLHostConfig elements |
| when using the APR Connector instead of crashing Tomcat. (csutherl) |
| </fix> |
| <fix> |
| <bug>62032</bug>: Fix NullPointerException when certificateFile is not |
| defined on an SSLHostConfig and unify the behavior when a |
| certificateFile is defined but the file does not exist for both |
| JKS and PEM file types. (csutherl) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>62024</bug>: When closing a connection with an abnormal close, |
| close the socket immediately rather than waiting for a close message |
| from the client that may never arrive. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Webapps"> |
| <changelog> |
| <fix> |
| <bug>62049</bug>: Fix missing class from manager 404 JSP error page. |
| (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <add> |
| Enhance the JMX support for jdbc-pool in order to expose |
| <code>PooledConnection</code> and <code>JdbcInterceptors</code>. |
| (kfujino) |
| </add> |
| <add> |
| Add MBean for <code>PooledConnection</code>. (kfujino) |
| </add> |
| <add> |
| <bug>62011</bug>: Add MBean for <code>StatementCache</code>. (kfujino) |
| </add> |
| <add> |
| Expose the cache size for each connection via JMX in |
| <code>StatementCache</code>. (kfujino) |
| </add> |
| <add> |
| Add MBean for <code>ResetAbandonedTimer</code>. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.03. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.27 (markt)" rtext="2018-01-22"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct a regression in the previous fix for <bug>61916</bug> that meant |
| that any call to <code>addHeader()</code> would have been replaced with |
| a call to <code>setHeader()</code> for all requests mapped to the |
| <code>AddDefaultCharsetFilter</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61993</bug>: Improve handling for <code>ByteChunk</code> and |
| <code>CharChunk</code> instances that grow close to the maximum size |
| allowed by the JRE. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>43925</bug>: Add a new system property |
| (<code>org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE</code>) to |
| control the size of the buffer used by Jasper when buffering tag bodies. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>62006</bug>: Document the new <code>JvmOptions9</code> command line |
| parameter for <code>tomcat8.exe</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.26 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct Javadoc errors in release build. |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.25 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>47214</bug>: Use a loop to preload anonymous inner classes |
| when running under a <code>SecurityManager</code>, to be safe for |
| future changes in the code or using a different compiler. (kkolinko) |
| </fix> |
| <add> |
| <bug>57619</bug>: Implement a small optimisation to how JAR URLs are |
| processed to reduce the storage of duplicate String objects in memory. |
| Patch provided by Dmitri Blinov. (markt) |
| </add> |
| <fix> |
| Add some missing NPEs to ServletContext. (remm) |
| </fix> |
| <fix> |
| <bug>61916</bug>: Extend the <code>AddDefaultCharsetFilter</code> to add |
| a character set when the content type is set via |
| <code>setHeader()</code> or <code>addHeader()</code> as well as when it |
| is set via <code>setContentType()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>61999</bug>: maxSavePostSize set to 0 should disable saving POST |
| data during authentication. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>60276</bug>: Implement GZIP compression support for responses |
| served over HTTP/2. (markt) |
| </add> |
| <fix> |
| Do not call onDataAvailable without any data to read. (remm) |
| </fix> |
| <fix> |
| <bug>61886</bug>: Log errors on non-container threads at |
| <code>DEBUG</code> rather than <code>INFO</code>. The exception will be |
| made available to the application via the asynchronous error handling |
| mechanism. (markt) |
| </fix> |
| <fix> |
| <bug>61914</bug>: Possible NPE with Java 9 when creating an SSL engine. |
| Patch submitted by Evgenij Ryazanov. (remm) |
| </fix> |
| <fix> |
| <bug>61918</bug>: Fix connectionLimitLatch counting when closing an |
| already closed socket. Based on a patch by Ryan Fong. (remm) |
| </fix> |
| <add> |
| Add support for the OpenSSL ARIA ciphers to the OpenSSL to JSSE |
| cipher mapping. (markt) |
| </add> |
| <fix> |
| <bug>61932</bug>: Allow a call to <code>AsyncContext.dispatch()</code> |
| to terminate non-blocking I/O. (markt) |
| </fix> |
| <fix> |
| <bug>61948</bug>: Improve the handling of malformed ClientHello messages |
| in the code that extracts the SNI information from a TLS handshake for |
| the JSSE based NIO and NIO2 connectors. (markt) |
| </fix> |
| <fix> |
| Fix NIO2 handshaking with a full input buffer. (remm) |
| </fix> |
| <add> |
| Return a simple, plain text error message if a client attempts to make a |
| plain text HTTP connection to a TLS enabled NIO or NIO2 Connector. |
| (markt) |
| </add> |
| <fix> |
| Correctly handle EOF when <code>ServletInputStream.isReady()</code> is |
| called. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>61854</bug>: When using sets and/or maps in EL expressions, ensure |
| that Jasper correctly parses the expression. Patch provided by Ricardo |
| Martin Camarero. (markt) |
| </fix> |
| <fix> |
| Improve the handling of methods with varargs in EL expressions. In |
| particular, the calling of a varargs method with no parameters now works |
| correctly. Based on a patch by Nitkalya (Ing) Wiriyanuparb. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Remove the Servlet 4.0 early preview example from the examples web |
| application as the early preview is now deprecated in favour of Tomcat |
| 9 which provides a full Servlet 4.0 implementation. (markt) |
| </fix> |
| <add> |
| <bug>61223</bug>: Add the mbeans-descriptors.dtd file to the custom |
| MBean documentation so users have a reference to use when constructing |
| mbeans-descriptors.xml files for custom components. (markt) |
| </add> |
| <add> |
| <bug>61566</bug>: Expose the currently in use certificate chain and list |
| of trusted certificates for all virtual hosts configured using the JSSE |
| style (keystore) TLS configuration via the Manager web application. |
| (markt) |
| </add> |
| <fix> |
| Partial fix for <bug>61886</bug>. Ensure that multiple threads do not |
| attempt to complete the <code>AsyncContext</code> if an I/O error occurs |
| in the stock ticker example Servlet. (markt) |
| </fix> |
| <fix> |
| <bug>61886</bug>: Prevent <code>ConcurrentModificationException</code> |
| when running the asynchronous stock ticker in the examples web |
| application. (markt) |
| </fix> |
| <fix> |
| <bug>61886</bug>: Prevent <code>NullPointerException</code> and other |
| errors if the stock ticker example is running when the examples web |
| application is stopped. (markt) |
| </fix> |
| <fix> |
| <bug>61910</bug>: Clarify the meaning of the <code>allowLinking</code> |
| option in the documentation web application. (markt) |
| </fix> |
| <add> |
| Add OCSP configuration information to the SSL How-To. Patch provided by |
| Marek Czernek. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>61312</bug>: Prevent <code>NullPointerException</code> when using |
| the statement cache of connection that has been closed. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Add an additional system property for the system property replacement. |
| (remm) |
| </fix> |
| <fix> |
| Add missing SHA-512 hash for release artifacts to the build script. |
| (markt) |
| </fix> |
| <update> |
| Update the internal fork of Commons Pool 2 to 2.4.3. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP 2 to 8a71764 (2017-10-18) to |
| pick up some bug fixes and enhancements. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons FileUpload to 6c00d57 (2017-11-23) |
| to pick up some code clean-up. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to r1817136 to pick up some |
| code clean-up. (markt) |
| </update> |
| <fix> |
| The native source bundles (for Commons Daemon and Tomcat Native) are no |
| longer copied to the bin directory for the deploy target. They are now |
| only copied to the bin directory for the release target. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.24 (markt)" rtext="2017-11-30"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| When running under Java 9 or later, and the |
| <code>urlCacheProtection</code> option of the |
| <code>JreMemoryLeakPreventionListener</code> is enabled, use the API |
| added in Java 9 to only disable the caching for JAR URL connections. |
| (markt) |
| </add> |
| <fix> |
| Fix possible <code>SecurityException</code> when using TLS related |
| request attributes. (markt) |
| </fix> |
| <fix> |
| <bug>61597</bug>: Extend the <code>StandardJarScanner</code> to scan |
| JARs on the module path when running on Java 9 and class path scanning |
| is enabled. (markt) |
| </fix> |
| <fix> |
| <bug>61601</bug>: Add support for multi-release JARs in JAR scanning and |
| web application class loading. (markt) |
| </fix> |
| <fix> |
| <bug>61681</bug>: Allow HTTP/2 push when using request wrapping. (remm) |
| </fix> |
| <add> |
| Provide the <code>SessionInitializerFilter</code> that can be used to |
| ensure that an HTTP session exists when initiating a WebSocket |
| connection. Patch provided by isapir. (markt) |
| </add> |
| <fix> |
| <bug>61682</bug>: When re-prioritising HTTP/2 streams, ensure that both |
| parent and children fields are correctly updated to avoid a possible |
| <code>StackOverflowError</code>. (markt) |
| </fix> |
| <fix> |
| Improve concurrency by reducing the scope of the synchronisation for |
| <code>javax.security.auth.message.config.AuthConfigFactory</code> in the |
| JASPIC API implementation. Based on a patch by Pavan Kumar. (markt) |
| </fix> |
| <fix> |
| Avoid a possible <code>NullPointerException</code> when timing out |
| <code>AsyncContext</code> instances during shut down. (markt) |
| </fix> |
| <fix> |
| <bug>61777</bug>: Avoid a <code>NullPointerException</code> when |
| detaching a JASPIC <code>RegistrationListener</code>. Patch provided by |
| Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61778</bug>: Correct the return value when detaching a JASPIC |
| <code>RegistrationListener</code>. Patch provided by Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61779</bug>: Avoid a <code>NullPointerException</code> when a |
| <code>null</code> <code>RegistrationListener</code> is passed to |
| <code>AuthConfigFactory.getConfigProvider()</code>. Patch provided by |
| Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61780</bug>: Only include the default JASPIC registration ID in the |
| return value for a call to |
| <code>AuthConfigFactory.getRegistrationIDs()</code> if a |
| <code>RegistrationContext</code> has been registered using the default |
| registration ID. Patch provided by Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61781</bug>: Enable JASPIC provider registrations to be persisted |
| when the layer and/or application context are <code>null</code>. Patch |
| provided by Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61782</bug>: When calling |
| <code>AuthConfigFactory.doRegisterConfigProvider()</code> and the |
| requested JASPIC config provider class is found by the web application |
| class loader, do not attempt to load the class with the class loader |
| that loaded the JASPIC API. Patch provided by Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61783</bug>: When calling |
| <code>AuthConfigFactory.removeRegistration()</code> and the registration |
| is persistent, it should be removed from the persistent store. Patch |
| provided by Lazar. (markt) |
| </fix> |
| <fix> |
| <bug>61784</bug>: Correctly handle the case when |
| <code>AuthConfigFactoryImpl.registerConfigProvider()</code> is called |
| with a provider name of <code>null</code>. Patch provided by Lazar. |
| (markt) |
| </fix> |
| <add> |
| <bug>61795</bug>: Add a property to the <code>Authenticator</code> |
| implementations to enable a custom JASPIC <code>CallbackHandler</code> |
| to be specified. Patch provided by Lazar. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Enable ALPN and also, therefore, HTTP/2 for the NIO and NIO2 HTTP |
| connectors when using the JSSE implementation for TLS when running on |
| Java 9. (markt) |
| </add> |
| <add> |
| <bug>60762</bug>: Add the ability to make changes to the TLS |
| configuration of a connector at runtime without having to restart the |
| Connector. (markt) |
| </add> |
| <fix> |
| <bug>61568</bug>: Avoid a potential <code>SecurityException</code> when |
| using the NIO2 connector and a new thread is added to the pool. (markt) |
| </fix> |
| <fix> |
| <bug>61583</bug>: Correct a further regression in the fix to enable the |
| use of Java key stores that contained multiple keys that did not all |
| have the same password. This fixes PKCS11 key store handling with |
| multiple keys selected with an alias. (markt) |
| </fix> |
| <fix> |
| Reduce default HTTP/2 stream concurrent execution within a connection |
| from 200 to 20. (remm) |
| </fix> |
| <fix> |
| <bug>61668</bug>: Avoid a possible NPE when calling |
| <code>AbstractHttp11Protocol.getSSLProtocol()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>61673</bug>: Avoid a possible |
| <code>ConcurrentModificationException</code> when working with the |
| streams associated with a connection. (markt) |
| </fix> |
| <fix> |
| <bug>61719</bug>: Avoid possible NPE calling |
| InputStream.setReadListener with HTTP/2. (remm) |
| </fix> |
| <fix> |
| <bug>61736</bug>: Improve performance of NIO connector when clients |
| leave large time gaps between network packets. Patch provided by Zilong |
| Song. (markt) |
| </fix> |
| <fix> |
| <bug>61740</bug>: Correct an off-by-one error in the Hpack header index |
| validation that caused intermittent request failures when using HTTP/2. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>61816</bug>: Invalid expressions in attribute values or template |
| text should trigger a translation (compile time) error, not a run time |
| error. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>61604</bug>: Add support for authentication in the websocket |
| client. Patch submitted by J Fernandez. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Enable Javadoc to be built with Java 9. (markt) |
| </fix> |
| <fix> |
| <bug>61603</bug>: Add XML filtering for the status servlet output where |
| needed. (remm) |
| </fix> |
| <fix> |
| Correct the description of how the CGI servlet maps a request to a |
| script in the CGI How-To. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Fix incorrect behavior that attempts to resend channel messages more |
| than the actual setting value of <code>maxRetryAttempts</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the remaining Sender can send channel messages by avoiding |
| unintended <code>ChannelException</code> caused by comparing the number |
| of failed members and the number of remaining Senders. (kfujino) |
| </fix> |
| <fix> |
| Ensure that remaining SelectionKeys that were not handled by throwing a |
| <code>ChannelException</code> during SelectionKey processing are |
| handled. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Improve the fix for <bug>61439</bug> and exclude the JPA, JAX-WS and EJB |
| annotations completely from the Tomcat distributions. (markt) |
| </fix> |
| <fix> |
| Improve handling of endorsed directories. The endorsed directory |
| mechanism will only be used if the <code>JAVA_ENDORSED_DIRS</code> |
| system property is explicitly set or if |
| <code>$CATALINA_HOME/endorsed</code> exists. When running on Java 9, any |
| such attempted use of the endorsed directory mechanism will trigger an |
| error and Tomcat will fail to start. (rjung) |
| </fix> |
| <scode> |
| Refactoring in preparation for Java 9. Refactor to avoid using some |
| methods that will be deprecated in Java 9 onwards. (markt) |
| </scode> |
| <add> |
| <bug>51496</bug>: When using the Windows installer, check if the |
| requested service name already exists and, if it does, prompt the user |
| to select an alternative service name. Patch provided by Ralph |
| Plawetzki. (markt) |
| </add> |
| <fix> |
| Add necessary Java 9 configuration options to the startup scripts to |
| prevent warnings being generated on web application stop. (markt) |
| </fix> |
| <fix> |
| <bug>61590</bug>: Enable <code>service.bat</code> to recognise when |
| <code>JAVA_HOME</code> is configured for a Java 9 JDK. (markt) |
| </fix> |
| <fix> |
| <bug>61598</bug>: Update the Windows installer to search the new (as of |
| Java 9) registry locations when looking for a JRE. (markt) |
| </fix> |
| <add> |
| Add generation of a SHA-512 hash for release artifacts to the build |
| script. (markt) |
| </add> |
| <fix> |
| <bug>61658</bug>: Update MIME mappings for fonts to use |
| <code>font/*</code> as per RFC8081. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.16 to |
| pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL |
| 1.0.2m. (markt) |
| </update> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.02.1. (kkolinko) |
| </update> |
| <update> |
| Update the Windows installer to use "The Apache Software Foundation" as |
| the Publisher when Tomcat is displayed in the list of installed |
| applications in Microsoft Windows. (kkolinko) |
| </update> |
| <fix> |
| <bug>61803</bug>: Remove outdated SSL information from the Security |
| documentation. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.23 (markt)" rtext="2017-10-01"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Use the correct path when loading the JVM <code>logging.properties</code> |
| file for Java 9. (rjung) |
| </fix> |
| <fix> |
| Add additional validation to the resource handling required to fix |
| CVE-2017-12617 on Windows. The checks were being performed elsewhere but |
| adding them to the resource handling ensures that the checks are always |
| performed. (markt) |
| </fix> |
| <fix> |
| <bug>61554</bug>: Exclude test files in unusual encodings and markdown |
| files intended for display in GitHub from RAT analysis. Patch provided |
| by Chris Thistlethwaite. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>61563</bug>: Correct typos in Spanish translation. Patch provided by |
| Gonzalo Vásquez. (csutherl) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.22 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>60963</bug>: Add <code>ExtractingRoot</code>, a new |
| <code>WebResourceRoot</code> implementation that extracts JARs to the |
| work directory for improved performance when deploying packed WAR files. |
| (markt) |
| </fix> |
| <add> |
| Add an option to reject requests that contain HTTP headers with invalid |
| (non-token) header names with a 400 response. (markt) |
| </add> |
| <fix> |
| <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being |
| uploaded via a specially crafted request when HTTP PUT was enabled. |
| (markt) |
| </fix> |
| <fix> |
| Implement the requirements of RFC 7230 (and RFC 2616) that HTTP/1.1 |
| requests must include a <code>Host</code> header and any request that |
| does not must be rejected with a 400 response. (markt) |
| </fix> |
| <fix> |
| Implement the requirements of RFC 7230 that any HTTP/1.1 request that |
| specifies a host in the request line, must specify the same host in the |
| <code>Host</code> header and that any such request that does not, must |
| be rejected with a 400 response. This check is optional but disabled by |
| default. It may be enabled with the |
| <code>allowHostHeaderMismatch</code> attribute of the Connector. (markt) |
| </fix> |
| <fix> |
| Implement the requirements of RFC 7230 that any HTTP/1.1 request that |
| contains multiple <code>Host</code> headers is rejected with a 400 |
| response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| Add a way to set the property source in embedded mode. (remm) |
| </update> |
| <fix> |
| <bug>61557</bug>: Correct a further regression in the fix to enable the |
| use of Java key stores that contain multiple keys that do not all have |
| the same password. The regression broke support for some FIPS compliant |
| key stores. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>61545</bug>: Correctly handle invocations of methods defined in the |
| <code>PooledConnection</code> interface when using pooled XA |
| connections. Patch provided by Nils Winkler. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Update fix for <bug>59904</bug> so that values less than zero are accepted |
| instead of throwing a NegativeArraySizeException. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.21 (markt)" rtext="2017-09-19"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Before generating an error page in the <code>ErrorReportValve</code>, |
| check to see if I/O is still permitted for the associated connection |
| before generating the error page so that the page generation can be |
| skipped if the page is never going to be sent. (markt) |
| </fix> |
| <add> |
| <bug>61189</bug>: Add the ability to set environment variables for |
| individual CGI scripts. Based on a patch by jm009. (markt) |
| </add> |
| <fix> |
| <bug>61210</bug>: When running under a SecurityManager, do not print a |
| warning about not being able to read a logging configuration file when |
| that file does not exist. (markt) |
| </fix> |
| <add> |
| <bug>61280</bug>: Add RFC 7617 support to the |
| <code>BasicAuthenticator</code>. Note that the default configuration |
| does not change the existing behaviour. (markt) |
| </add> |
| <fix> |
| <bug>61424</bug>: Avoid a possible <code>StackOverflowError</code> when |
| running under a <code>SecurityManager</code> and using |
| <code>Subject.doAs()</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| The minimum required Tomcat Native version has been increased to 1.2.14. |
| This version includes a new API needed for correct client certificate |
| support when using a Java connector with OpenSSL TLS implementation and |
| support for the <code>SSL_CONF</code> OpenSSL API. (rjung) |
| </update> |
| <add> |
| Add support for the OpenSSL <code>SSL_CONF</code> API when using |
| TLS with OpenSSL implementation. It can be used by adding |
| <code>OpenSSLConf</code> elements underneath <code>SSLHostConfig</code>. |
| The new element contains a list of <code>OpenSSLConfCmd</code> elements, |
| each with the attributes <code>name</code> and <code>value</code>. |
| (rjung) |
| </add> |
| <fix> |
| When using a Java connector in combination with the OpenSSL TLS |
| implementation, do not configure each SSL connection object via |
| the OpenSSLEngine. For OpenSSL the SSL object inherits its |
| settings from the SSL_CTX which we have already configured. |
| (rjung) |
| </fix> |
| <fix> |
| When using JSSE TLS configuration with the OpenSSL implementation and |
| client certificates: include client CA subjects in the TLS handshake |
| so that the client can choose an appropriate client certificate to |
| present. (rjung) |
| </fix> |
| <fix> |
| If an invalid option is specified for the |
| <code>certificateVerification</code> attribute of an |
| <code>SSLHostConfig</code> element, treat it as <code>required</code> |
| which is the most secure / restrictive option in addition to reporting |
| the configuration error. (markt) |
| </fix> |
| <fix> |
| Improve the handling of client disconnections during the TLS |
| renegotiation handshake. (markt) |
| </fix> |
| <fix> |
| Prevent exceptions being thrown during normal shutdown of NIO |
| connections. This enables TLS connections to close cleanly. (markt) |
| </fix> |
| <fix> |
| Fix possible race condition when setting IO listeners on an upgraded |
| connection. (remm) |
| </fix> |
| <fix> |
| <bug>48655</bug>: Enable Tomcat to shutdown cleanly when using sendfile, |
| the APR/native connector and a multi-part download is in progress. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58244</bug>: Handle the case when OpenSSL resumes a TLS session |
| using a ticket and the full client certificate chain is not available. |
| In this case the client certificate without the chain will be presented |
| to the application. (markt) |
| </fix> |
| <fix> |
| Improve the warning message when JSSE and OpenSSL configuration styles |
| are mixed on the same <code>SSLHostConfig</code>. (markt) |
| </fix> |
| <fix> |
| <bug>61415</bug>: Fix TLS renegotiation with OpenSSL based connections |
| and session caching. (markt) |
| </fix> |
| <fix> |
| Delay checking that the configured attributes for an |
| <code>SSLHostConfig</code> instance are consistent with the configured |
| SSL implementation until <code>Connector</code> start to avoid incorrect |
| warnings when the SSL implementation changes during initialisation. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61450</bug>: Fix default key alias algorithm. (remm) |
| </fix> |
| <fix> |
| <bug>61451</bug>: Correct a regression in the fix to enable the use of |
| Java key stores that contained multiple keys that did not all have the |
| same password. The regression broke support for any key store that did |
| not store keys in PKCS #8 format such as hardware key stores and Windows |
| key stores. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>60523</bug>: Reduce the number of packets used to send WebSocket |
| messages by not flushing between the header and the payload when the |
| two are written together. (markt) |
| </fix> |
| <fix> |
| <bug>61491</bug>: When using the <code>permessage-deflate</code> |
| extension, correctly handle the sending of empty messages after |
| non-empty messages to avoid the <code>IllegalArgumentException</code>. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Show connector cipher list in the manager web application in the |
| correct cipher order. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| To avoid unexpected session timeout notification from backup session, |
| update the access time when receiving the map member notification |
| message. (kfujino) |
| </fix> |
| <fix> |
| Add member info to the log message when the failure detection check |
| fails in <code>TcpFailureDetector</code>. (kfujino) |
| </fix> |
| <fix> |
| Avoid Ping timeout until the added map member by receiving |
| <code>MSG_START</code> message is completely started. (kfujino) |
| </fix> |
| <fix> |
| When sending a channel message, make sure that the Sender has connected. |
| (kfujino) |
| </fix> |
| <fix> |
| Correct the backup node selection logic that node 0 is returned twice |
| consecutively. (kfujino) |
| </fix> |
| <fix> |
| Fix race condition of <code>responseMap</code> in |
| <code>RpcChannel</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>61391</bug>: Ensure that failed queries are logged if the |
| <code>SlowQueryReport</code> interceptor is configured to do so and the |
| connection has been abandoned. Patch provided by Craig Webb. (markt) |
| </fix> |
| <fix> |
| <bug>61425</bug>: Ensure that transaction of idle connection has |
| terminated when the <code>testWhileIdle</code> is set to |
| <code>true</code> and <code>defaultAutoCommit</code> is set to |
| <code>false</code>. Patch provided by WangZheng. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>61439</bug>: Remove the Java Annotation API classes from |
| tomcat-embed-core.jar and package them in a separate JAR in the |
| embedded distribution to provide end users with greater flexibility to |
| handle potential conflicts with the JRE and/or other JARs. (markt) |
| </fix> |
| <fix> |
| <bug>61441</bug>: Improve the detection of <code>JAVA_HOME</code> by the |
| <code>daemon.sh</code> script when running on a platform where Java has |
| been installed from an RPM. (rjung) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.14 to |
| pick up the latest Windows binaries built with APR 1.6.2 and OpenSSL |
| 1.0.2l. (markt) |
| </update> |
| <update> |
| <bug>61599</bug>: Update to Commons Daemon 1.1.0 for improved Java 9 |
| support. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.20 (markt)" rtext="2017-08-08"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Revert the fix for <bug>49464</bug> since it continued to trigger |
| regressions. (markt) |
| </fix> |
| <fix> |
| Correct a bug in the <code>PushBuilder</code> implementation that |
| meant push URLs containing <code>%nn</code> sequences were not correctly |
| decoded. Identified by FindBugs. (markt) |
| </fix> |
| <add> |
| <bug>61164</bug>: Add support for the <code>%X</code> pattern in the |
| <code>AccessLogValve</code> that reports the connection status at the |
| end of the request. Patch provided by Zemian Deng. (markt) |
| </add> |
| <fix> |
| <bug>61351</bug>: Correctly handle %nn decoding of URL patterns in |
| web.xml and similar locations that may legitimately contain characters |
| that are not permitted by RFC 3986. (markt) |
| </fix> |
| <add> |
| <bug>61366</bug>: Add a new attribute, <code>localDataSource</code>, to |
| the <code>JDBCStore</code> that allows the Store to be configured to use |
| a DataSource defined by the web application rather than the default of |
| using a globally defined DataSource. Patch provided by Jonathan |
| Horowitz. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61086</bug>: Ensure to explicitly signal an empty request body for |
| HTTP 205 responses. Additional fix to r1795278. Based on a patch |
| provided by Alexandr Saperov. (violetagg) |
| </fix> |
| <update> |
| <bug>61345</bug>: Add a server listener that can be used to do system |
| property replacement from the property source configured in the |
| digester. (remm) |
| </update> |
| <add> |
| Add additional logging to record problems that occur while waiting for |
| the NIO pollers to stop during the Connector stop process. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>61364</bug>: Ensure that files are closed after detecting encoding |
| of JSPs so that files do not remain locked by the file system. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| <bug>57767</bug>: Add support to the WebSocket client for following |
| redirects when attempting to establish a WebSocket connection. Patch |
| provided by J Fernandez. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.19 (markt)" rtext="2017-07-28"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Performance improvements for service loader look-ups (and look-ups of |
| other class loader resources) when the web application is deployed in a |
| packed WAR file. (markt) |
| </fix> |
| <fix> |
| <bug>61253</bug>: Add warn message when Digester.updateAttributes |
| throws an exception instead of ignoring it. (csutherl) |
| </fix> |
| <fix> |
| Correct a further regression in the fix for <bug>49464</bug> that could |
| cause an byte order mark character to appear at the start of content |
| included by the <code>DefaultServlet</code>. (markt) |
| </fix> |
| <fix> |
| <bug>61313</bug>: Make the read timeout configurable in the |
| <code>JNDIRealm</code> and ensure that a read timeout will result in an |
| attempt to fail over to the alternateURL. Based on patches by Peter |
| Maloney and Felix Schumacher. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the documentation for how <code>StandardRoot</code> is |
| configured. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>61316</bug>: Fix corruption of UTF-16 encoded source files in |
| released source distributions. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.18 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>61232</bug>: When log rotation is disabled only one separator will |
| be used when generating the log file name. For example if the prefix is |
| <code>catalina.</code> and the suffix is <code>.log</code> then the log |
| file name will be <code>catalina.log</code> instead of |
| <code>catalina..log</code>. Patch provided by Katya Stoycheva. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>61264</bug>: Correct a regression in the refactoring to use |
| <code>Charset</code> rather than <code>String</code> to store request |
| character encoding that prevented <code>getReader()</code> throwing an |
| <code>UnsupportedEncodingException</code> if the user agent specifies |
| an unsupported character encoding. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the fix for <bug>49464</bug> that could cause an |
| incorrect <code>Content-Length</code> header to be sent by the |
| <code>DefaultServlet</code> if the encoding of a static is not |
| consistent with the encoding of the response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Enable TLS connectors to use Java key stores that contain multiple keys |
| where each key has a separate password. Based on a patch by Frank |
| Taffelt. (markt) |
| </fix> |
| <fix> |
| Improve the handling of HTTP/2 stream resets due to excessive headers |
| when a continuation frame is used. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>53031</bug>: Add support for the <code>fork</code> option when |
| compiling JSPs with the Jasper Ant task and javac. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>52791</bug>: Add the ability to set the defaults used by the |
| Windows installer from a configuration file. Patch provided by Sandra |
| Madden. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.17 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>49464</bug>: Improve the Default Servlet's handling of static files |
| when the file encoding is not compatible with the required response |
| encoding. (markt) |
| </fix> |
| <fix> |
| <bug>61214</bug>: Remove deleted attribute <code>servlets</code> from |
| the Context MBean description. Patch provided by Alexis Hassler. (markt) |
| </fix> |
| <fix> |
| <bug>61215</bug>: Correctly define <code>addConnectorPort</code> and |
| <code>invalidAuthenticationWhenDeny</code> in the |
| <code>mbean-descriptors.xml</code> file for the |
| <code>org.apache.catalina.valves</code> package so that the attributes |
| are accessible via JMX. (markt) |
| </fix> |
| <fix> |
| Make asynchronous error handling more robust. In particular ensure that |
| <code>onError()</code> is called for any registered |
| <code>AsyncListener</code>s after an I/O error on a non-container |
| thread. (markt) |
| </fix> |
| <fix> |
| Additional permission for deleting files is granted to JULI as it is |
| required by FileHandler when running under a Security Manager. The |
| thread that cleans the log files is marked as daemon thread. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>61229</bug>: Correct a regression in 8.5.15 that broke WebDAV |
| handling for resources with names that included a <code>&</code> |
| character. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Restore the ability to configure support for SSLv3. Enabling this |
| protocol will trigger a warning in the logs since it is known to be |
| insecure. (markt) |
| </fix> |
| <fix> |
| Do not log a warning when a <code>null</code> session is returned for an |
| OpenSSL based TLS session since this is expected when session tickets |
| are enabled. (markt) |
| </fix> |
| <fix> |
| When the access log valve logs a TLS related request attribute and the |
| NIO2 connector is used with OpenSSL, ensure that the TLS attributes are |
| available to the access log valve when the connection is closing. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60461</bug>: Sync SSL session access for the APR connector. (remm) |
| </fix> |
| <add> |
| To ease migration from 8.0.x to 8.5.x, if the HTTP or AJP BIO connector |
| is explicitly configured, rather than failing to start the connector |
| because BIO has been removed, automatically switch to NIO and continue. |
| A warning will be logged to alert the user to the switch. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Remove references to the Loader attribute |
| <code>searchExternalFirst</code> from the documentation since the |
| attribute is no longer supported. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.16 (markt)" rtext="2017-06-26"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>61072</bug>: Respect the documentation statements that allow |
| using the platform default secure random for session id generation. |
| (remm) |
| </fix> |
| <fix> |
| Correct the javadoc for |
| <code>o.a.c.connector.CoyoteAdapter#parseSessionCookiesId</code>. |
| Patch provided by John Andrew (XUZHOUWANG) via Github. (violetagg) |
| </fix> |
| <fix> |
| <bug>61101</bug>: CORS filter should set Vary header in response. |
| Submitted by Rick Riemer. (remm) |
| </fix> |
| <add> |
| <bug>61105</bug>: Add a new JULI FileHandler configuration for |
| specifying the maximum number of days to keep the log files. |
| (violetagg) |
| </add> |
| <fix> |
| <bug>61125</bug>: Ensure that <code>WarURLConnection</code> returns the |
| correct value for calls to <code>getLastModified()</code> as this is |
| required for the correct detection of JSP modifications when the JSP is |
| packaged in a WAR file. (markt) |
| </fix> |
| <fix> |
| Improve the <code>SSLValve</code> so it is able to handle client |
| certificate headers from Nginx. Based on a patch by Lucas Ventura Carro. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61134</bug>: Do not use '[' and ']' symbols around substituted |
| text fragments when generating the default error pages. Patch provided |
| by Katya Todorova. (violetagg) |
| </fix> |
| <fix> |
| <bug>61154</bug>: Allow the Manager and Host Manager web applications to |
| start by default when running under a security manager. This was |
| accomplished by adding a custom permission, |
| <code>org.apache.catalina.security.DeployXmlPermission</code>, that |
| permits an application to use a <code>META-INF/context.xml</code> file |
| and then granting that permission to the Manager and Host Manager. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61173</bug>: Polish the javadoc for |
| <code>o.a.catalina.startup.Tomcat</code>. Patch provided by |
| peterhansson_se. (violetagg) |
| </fix> |
| <add> |
| A new configuration property <code>crawlerIps</code> is added to the |
| <code>o.a.catalina.valves.CrawlerSessionManagerValve</code>. Using this |
| property one can specify a regular expression that will be used to |
| identify crawlers based on their IP address. Based on a patch provided |
| by Tetradeus. (violetagg) |
| </add> |
| <fix> |
| <bug>61180</bug>: Log a warning message rather than an information |
| message if it takes more than 100ms to initialised a |
| <code>SecureRandom</code> instance for a web application to use to |
| generate session identifiers. Patch provided by Piotr Chlebda. (markt) |
| </fix> |
| <fix> |
| <bug>61185</bug>: When an asynchronous request is dispatched via |
| <code>AsyncContext.dispatch()</code> ensure that |
| <code>getRequestURI()</code> for the dispatched request matches that of |
| the original request. (markt) |
| </fix> |
| <fix> |
| <bug>61197</bug>: Ensure that the charset name used in the |
| <code>Content-Type</code> header has exactly the same form as that |
| provided by the application. This reverts a behavioural change in |
| 8.5.15 that caused problems for some clients. (markt) |
| </fix> |
| <fix> |
| <bug>61201</bug>: Ensure that the <code>SCRIPT_NAME</code> environment |
| variable for CGI executables is populated in a consistent way regardless |
| of how the CGI servlet is mapped to a request. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61086</bug>: Explicitly signal an empty request body for HTTP 205 |
| responses. (markt) |
| </fix> |
| <fix> |
| <bug>61120</bug>: Do not ignore path parameters when processing HTTP/2 |
| requests. (markt) |
| </fix> |
| <fix> |
| Revert a change introduced in the fix for bug <bug>60718</bug> that |
| changed the status code recorded in the access log when the client |
| dropped the connection from 200 to 500. (markt) |
| </fix> |
| <fix> |
| Add additional syncs to the SSL session object provided by the OpenSSL |
| engine so that a concurrent destruction cannot cause a JVM crash. |
| (remm) |
| </fix> |
| <fix> |
| <bug>61195</bug>: Backport, with deprecation where appropriate, the |
| endpoint and protocol property changes from 9.0.x to ease migration from |
| 8.5.x to 9.0.x. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>44787</bug>: Improve error message when JSP compiler configuration |
| options are not valid. (markt) |
| </fix> |
| <fix> |
| <bug>61137</bug>: <code>j.s.jsp.tagext.TagLibraryInfo#uri</code> and |
| <code>j.s.jsp.tagext.TagLibraryInfo#prefix</code> fields should not be |
| final. Patch provided by Katya Todorova. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correct the log message when a <code>MessageHandler</code> for |
| <code>PongMessage</code> does not implement |
| <code>MessageHandler.Whole</code>. (rjung) |
| </fix> |
| <add> |
| Introduce new API <code>o.a.tomcat.websocket.WsSession#suspend</code>/ |
| <code>o.a.tomcat.websocket.WsSession#resume</code> that can be used to |
| suspend/resume reading of the incoming messages. (violetagg) |
| </add> |
| <fix> |
| Improve thread-safety of <code>Future</code>s used to report the result |
| of sending WebSocket messages. (markt) |
| </fix> |
| <fix> |
| <bug>61183</bug>: Correct a regression in the previous fix for |
| <bug>58624</bug> that could trigger a deadlock depending on the locking |
| strategy employed by the client code. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Better document the meaning of the trimSpaces option for Jasper. (markt) |
| </fix> |
| <fix> |
| <bug>61150</bug>: Configure the Manager and Host-Manager web |
| applications to permit serialization and deserialization of |
| CRSFPreventionFilter related session objects to avoid warning messages |
| and/or stack traces on web application stop and/or start when running |
| under a security manager. (markt) |
| </fix> |
| <fix> |
| Correct the TLS configuration documentation to remove SSLv2 and SSLv3 |
| from the list of supported protocols. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add JMX support for Tribes components. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>45832</bug>: Add HTTP DIGEST authentication support to the Catalina |
| Ant tasks used to communicate with the Manager application. (markt) |
| </add> |
| <fix> |
| <bug>45879</bug>: Add the <code>RELEASE-NOTES</code> file to the root of |
| the installation created by the Tomcat installer for Windows to make it |
| easier for users to identify the installed Tomcat version. (markt) |
| </fix> |
| <fix> |
| <bug>61055</bug>: Clarify the code comments in the rewrite valve to make |
| clear that there are no plans to provide proxy support for this valve |
| since Tomcat does not have proxy capabilities. (markt) |
| </fix> |
| <fix> |
| <bug>61076</bug>: Document the <code>altDDName</code> attribute for the |
| <code>Context</code> element. (markt) |
| </fix> |
| <fix> |
| Correct typo in Jar Scan Filter Configuration Reference. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| <bug>61145</bug>: Add missing <code>@Documented</code> annotation to |
| annotations in the annotations API. Patch provided by Katya Todorova. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61146</bug>: Add missing <code>lookup()</code> method to |
| <code>@EJB</code> annotation in the annotations API. Patch provided by |
| Katya Todorova. (markt) |
| </fix> |
| <fix> |
| Correct typo in Context Container Configuration Reference. |
| Patch provided by Katya Todorova. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.15 (markt)" rtext="2017-05-10"> |
| <subsection name="General"> |
| <changelog> |
| <add> |
| Allow to exclude JUnit test classes using the build property |
| <code>test.exclude</code> and document the property in |
| BUILDING.txt. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Review those places where Tomcat re-encodes a URI or URI component and |
| ensure that the correct encoding (path differs from query string) is |
| applied and that the encoding is applied consistently. (markt) |
| </fix> |
| <fix> |
| Avoid a <code>NullPointerException</code> when reading attributes for a |
| initialised HTTP connector where TLS is enabled. (markt) |
| </fix> |
| <fix> |
| Always quote the <code>hostName</code> of an <code>SSLHostConfig</code> |
| element when using it as part of the JMX object name to avoid errors that |
| prevent the associated TLS connector from starting if a wild card |
| <code>hostName</code> is configured (because <code>*</code> is a |
| reserved character for JMX object names). (markt) |
| </fix> |
| <scode> |
| Switch to using <code>Charset</code> rather than <code>String</code> to |
| store encoding settings (including for configuration and for the |
| <code>Content-Type header</code>) to reduce the number of places the |
| associated <code>Charset</code> needs to be looked up. (markt) |
| </scode> |
| <fix> |
| Use a more reliable mechanism for the <code>DefaultServlet</code> when |
| determining if the current request is for custom error page or not. |
| (markt) |
| </fix> |
| <fix> |
| Ensure that when the Default or WebDAV servlets process an error |
| dispatch that the error resource is processed via the |
| <code>doGet()</code> method irrespective of the method used for the |
| original request that triggered the error. (markt) |
| </fix> |
| <fix> |
| If a static custom error page is specified that does not exist or cannot |
| be read, ensure that the intended error status is returned rather than a |
| 404 or 403. (markt) |
| </fix> |
| <fix> |
| When the WebDAV servlet is configured and an error dispatch is made to a |
| custom error page located below <code>WEB-INF</code>, ensure that the |
| target error page is displayed rather than a 404 response. (markt) |
| </fix> |
| <add> |
| <bug>61047</bug>: Add MIME mapping for woff2 fonts in the default |
| web.xml. Patch provided by Justin Williamson. (violetagg) |
| </add> |
| <fix> |
| Correct the logic that selects the encoding to use to decode the query |
| string in the <code>SSIServletExternalResolver</code> so that the |
| <code>useBodyEncodingForURI</code> attribute of the |
| <code>Connector</code> is correctly taken into account. (markt) |
| </fix> |
| <fix> |
| Within the Expires filter, make the content type value specified with the |
| <code>ExpiresByType</code> parameter, case insensitive. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When a <code>TrustManager</code> is configured that does not support |
| <code>certificateVerificationDepth</code> only log a warning about that |
| lack of support when <code>certificateVerificationDepth</code> has been |
| explicitly set. (markt) |
| </fix> |
| <fix> |
| <bug>60970</bug>: Extend the fix for large headers to push requests. |
| (markt) |
| </fix> |
| <fix> |
| Do not include a <code>Date</code> header in HTTP/2 responses with |
| status codes less than 200. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| When no BOM is present and an encoding is detected, do not skip the |
| bytes used to detect the encoding since they are not part of a BOM. |
| (markt) |
| </fix> |
| <update> |
| <bug>61057</bug>: Update to Eclipse JDT Compiler 4.6.3. (violetagg) |
| </update> |
| <fix> |
| <bug>61065</bug>: Ensure that once the class is resolved by |
| <code>javax.el.ImportHandler#resolveClass</code> it will be cached with |
| the proper name. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>61003</bug>: Ensure the flags for reading/writing in |
| <code>o.a.t.websocket.AsyncChannelWrapperSecure</code> are correctly |
| reset even if some exceptions occurred during processing. (markt/violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <add> |
| Add documents for <code>maxIdleTime</code> attribute to Channel Receiver |
| docs. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Modify the Ant build script used to publish to a Maven repository so |
| that it no longer requires artifacts to be GPG signed. This is make it |
| possible for the CI system to upload snapshot builds to the ASF Maven |
| repository. (markt) |
| </add> |
| <scode> |
| Review i18n property files, remove unnecessary escaping and consistently |
| use <code>[...]</code> to delimit inserted values. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.14 (markt)" rtext="2017-04-18"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>59825</bug>: Log a message that lists the components in the |
| processing chain that do not support async processing when a call to |
| <code>ServletRequest.startAsync()</code> fails. (markt) |
| </fix> |
| <fix> |
| <bug>60926</bug>: Ensure |
| <code>o.a.c.core.ApplicationContextFacade#setSessionTimeout</code> will |
| invoke the correct method when running Tomcat with security manager. |
| (markt) |
| </fix> |
| <update> |
| Update the early access Servlet 4.0 API implementation to reflect the |
| change in method name from <code>getPushBuilder()</code> to |
| <code>newPushBuilder()</code>. (markt) |
| </update> |
| <fix> |
| Correct a regression in the X to comma refactoring that broke JMX |
| operations that take parameters. (markt) |
| </fix> |
| <fix> |
| Avoid a <code>NullPointerException</code> when reading attributes for a |
| running HTTP connector where TLS is not enabled. (markt) |
| </fix> |
| <fix> |
| <bug>60940</bug>: Improve the handling of the <code>META-INF/</code> and |
| <code>META-INF/MANIFEST.MF</code> entries for Jar files located in |
| <code>/WEB-INF/lib</code> when running a web application from a packed |
| WAR file. (markt) |
| </fix> |
| <fix> |
| Pre-load the <code>ExceptionUtils</code> class. Since the class is used |
| extensively in error handling, it is prudent to pre-load it to avoid any |
| failure to load this class masking the true problem during error |
| handling. (markt) |
| </fix> |
| <fix> |
| Avoid potential <code>NullPointerException</code>s related to access |
| logging during shutdown, some of which have been observed when running |
| the unit tests. (markt) |
| </fix> |
| <fix> |
| When there is no <code>javax.servlet.WriteListener</code> registered |
| then a call to <code>javax.servlet.ServletOutputStream#isReady</code> |
| will return <code>false</code> instead of throwing |
| <code>IllegalStateException</code>. (violetagg) |
| </fix> |
| <fix> |
| When there is no <code>javax.servlet.ReadListener</code> registered |
| then a call to <code>javax.servlet.ServletInputStream#isReady</code> |
| will return <code>false</code> instead of throwing |
| <code>IllegalStateException</code>. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Align cipher configuration parsing with current OpenSSL master. (markt) |
| </fix> |
| <fix> |
| <bug>60970</bug>: Fix infinite loop if application tries to write a |
| large header to the response when using HTTP/2. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60925</bug>: Improve the handling of access to properties defined |
| by interfaces when a <code>BeanELResolver</code> is used under a |
| <code>SecurityManager</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <scode> |
| Refactor the creating a constructor for a proxy class to reduce |
| duplicate code. (kfujino) |
| </scode> |
| <fix> |
| In <code>StatementFacade</code>, the method call on the statements that |
| have been closed throw <code>SQLException</code> rather than |
| <code>NullPointerException</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct comments about Java 8 in <code>Jre8Compat</code>. |
| Patch provided by fibbers via Github. (violetagg) |
| </fix> |
| <fix> |
| <bug>60932</bug>: Correctly escape single quotes when used in i18n |
| messages. Based on a patch by Michael Osipov. (markt) |
| </fix> |
| <fix> |
| Update the custom Ant task that integrates with the Symantec code |
| signing service to use the now mandatory 2-factor authentication. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.13 (markt)" rtext="2017-03-30"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>54618</bug>: Add support to the |
| <code>HttpHeaderSecurityFilter</code> for the HSTS preload parameter. |
| (markt) |
| </add> |
| <fix> |
| <bug>60853</bug>: Expose the <code>SSLHostConfig</code> and |
| <code>SSLHostConfigCertificate</code> objects via JMX. (markt) |
| </fix> |
| <fix> |
| <bug>60876</bug>: Ensure that <code>Set-Cookie</code> headers generated |
| by the <code>Rfc6265CookieProcessor</code> are aligned with the |
| specification. Patch provided by Jim Griswold. (markt) |
| </fix> |
| <fix> |
| <bug>60882</bug>: Fix a <code>NullPointerException</code> when obtaining |
| a <code>RequestDispatcher</code> for a request that will not have any |
| pathInfo associated with it. This was a regression in the changes in |
| 8.5.12 for the Servlet 4.0 API early preview changes. (markt) |
| </fix> |
| <update> |
| Align <code>PushBuilder</code> API with changes from Servlet expert |
| group. (markt) |
| </update> |
| <scode> |
| Refactor the various implementations of X to comma separated list to a |
| single utility class and update the code to use the new utility class. |
| (markt) |
| </scode> |
| <fix> |
| <bug>60911</bug>: Ensure NPE will not be thrown when looking for SSL |
| session ID. Based on a patch by Didier Gutacker. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>60362</bug>: Add a new Connector configuration |
| <code>sendReasonPhrase</code>. When this attribute is set to |
| <code>true</code>, a reason phrase will be sent with the response. |
| By default a reason phrase will not be sent. This option is deprecated |
| and is not available in Tomcat 9. (violetagg) |
| </add> |
| <fix> |
| Fix HTTP/2 incorrect input unblocking on EOF. (remm) |
| </fix> |
| <fix> |
| Close the connection sooner if an event occurs for a current connection |
| that is not consistent with the current state of that connection. |
| (markt) |
| </fix> |
| <fix> |
| Speed up shutdown when using multiple acceptor threads by ensuring that |
| the code that unlocks the acceptor threads correctly handles the case |
| where there are multiple threads. (markt) |
| </fix> |
| <fix> |
| <bug>60852</bug>: Correctly spell compressible when used in |
| configuration attributes and internal code. Based on a patch by Michael |
| Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60900</bug>: Avoid a <code>NullPointerException</code> in the APR |
| Poller if a connection is closed at the same time as new data arrives on |
| that connection. (markt) |
| </fix> |
| <fix> |
| Improve HPACK specification compliance by fixing some test failures |
| reported by the h2spec tool written by Moto Ishizawa. (markt) |
| </fix> |
| <fix> |
| Improve HTTP/2 specification compliance by fixing some test failures |
| reported by the h2spec tool written by Moto Ishizawa. (markt) |
| </fix> |
| <fix> |
| <bug>60918</bug>: Fix sendfile processing error that could lead to |
| subsequent requests experiencing an <code>IllegalStateException</code>. |
| (markt) |
| </fix> |
| <fix> |
| Improve sendfile handling when requests are pipelined. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Improve the error handling for simple tags to ensure that the tag is |
| released and destroyed once used. (remm, violetagg) |
| </fix> |
| <fix> |
| <bug>60844</bug>: Correctly handle the error when fewer parameter values |
| than required by the method are used to invoke an EL method expression. |
| Patch provided by Daniel Gray. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>60764</bug>: Implement <code>equals()</code> and |
| <code>hashCode()</code> in the <code>StatementFacade</code> in order to |
| enable these methods to be called on the closed statements if any |
| statement proxy is set. This behavior can be changed with |
| <code>useStatementFacade</code> attribute. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Refactor the build script and the NSIS installer script so that either |
| NSIS 2.x or NSIS 3.x can be used to build the installer. This is |
| primarily to re-enable building the installer on the Linux based CI |
| system where the combination of NSIS 3.x and wine leads to failed |
| installer builds. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.12 (markt)" rtext="2017-03-13"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>60469</bug>: Refactor <code>RealmBase</code> for better code re-use |
| when implementing Realms that use a custom <code>Principal</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60490</bug>: Various formatting and layout improvements for the |
| <code>ErrorReportValve</code>. Patch provided by Michael Osipov. (markt) |
| </fix> |
| <update> |
| <bug>60596</bug>: Improve performance of DefaultServlet when sendfile |
| feature is disabled on connector. (kkolinko) |
| </update> |
| <scode> |
| Make it easier for sub-classes of <code>Tomcat</code> to modify the |
| default web.xml settings by over-riding |
| <code>getDefaultWebXmlListener()</code>. Patch provided by Aaron |
| Anderson. (markt) |
| </scode> |
| <fix> |
| Reduce the contention in the default <code>InstanceManager</code> |
| implementation when multiple threads are managing objects and need to |
| reference the annotation cache. (markt) |
| </fix> |
| <scode> |
| <bug>60674</bug>: Remove <code>final</code> marker from |
| <code>CorsFilter</code> to enable sub-classing. (markt) |
| </scode> |
| <fix> |
| <bug>60683</bug>: Security manager failure causing NPEs when doing IO |
| on some JVMs. (csutherl) |
| </fix> |
| <fix> |
| <bug>60688</bug>: Update the internal fork of Apache Commons BCEL to |
| r1782855 to add early access Java 9 support to the annotation scanning |
| code. (markt) |
| </fix> |
| <fix> |
| <bug>60694</bug>: Prevent NPE during authentication when no JASPIC |
| <code>AuthConfigFactory</code> is available. (markt) |
| </fix> |
| <fix> |
| <bug>60697</bug>: When HTTP TRACE requests are disabled on the |
| Connector, ensure that the HTTP OPTIONS response from custom servlets |
| does not include TRACE in the returned Allow header. (markt) |
| </fix> |
| <fix> |
| <bug>60718</bug>: Improve error handling for asynchronous processing and |
| correct a number of cases where the <code>requestDestroyed()</code> |
| event was not being fired and an entry wasn't being made in the access |
| logs. (markt) |
| </fix> |
| <fix> |
| <bug>60720</bug>: Replace "WWW-Authenticate" literal with static final |
| AUTH_HEADER_NAME in SpnegoAuthenticator. Patch provided by Michael |
| Osipov. (violetagg) |
| </fix> |
| <fix> |
| The default JASPIC <code>AuthConfigFactory</code> now correctly notifies |
| registered <code>RegistrationListener</code>s when a new |
| <code>AuthConfigProvider</code> is registered. (markt) |
| </fix> |
| <scode> |
| Improve the performance of <code>AuthenticatorBase</code> when there is |
| no JASPIC configuration available. (violetagg) |
| </scode> |
| <fix> |
| When HTTP TRACE requests are disabled on the Connector, ensure that the |
| HTTP OPTIONS response from the WebDAV servlet does not include |
| TRACE in the returned Allow header. (markt) |
| </fix> |
| <fix> |
| <bug>60722</bug>: Take account of the |
| <strong>dispatchersUseEncodedPaths</strong> setting on the current |
| <strong>Context</strong> when generating paths for dispatches triggered |
| by <code>AsyncContext.dispatch()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60728</bug>: Make the separator Tomcat uses in the Tomcat specific |
| <code>war:file:...</code> URL protocol customizable via a system |
| property. The separator is equivalent to the use of the <code>!</code> |
| character in <code>jar:file:...</code> URLs. The default separator of |
| <code>*</code> remains unchanged. (markt) |
| </fix> |
| <update> |
| Update the <code>org.apache.catalina.servlet4preview</code> package that |
| can be used to gain early access to Servlet 4.0 features to align with |
| the latest proposals from the Servlet 4.0 expert group. This includes |
| updates to the new Servlet mapping API, new methods on the |
| <code>ServletContext</code> to make the available API more equivalent to |
| the deployment descriptor, updates to the HTTP push API and the ability |
| to set default request and response character encoding per web |
| application. Note that the Servlet 4.0 API is still a work in progress |
| and further changes are likely. (markt) |
| </update> |
| <fix> |
| <bug>60798</bug>: Correct a bug in the handling of JARs in unpacked WARs |
| that meant multiple attempts to read the same entry from a JAR in |
| succession would fail for the second and subsequent attempts. (markt) |
| </fix> |
| <fix> |
| <bug>60808</bug>: Ensure that the <code>Map</code> returned by |
| <code>ServletRequest.getParameterMap()</code> is fully immutable. Based |
| on a patch provided by woosan. (markt) |
| </fix> |
| <fix> |
| <bug>60824</bug>: Correctly cache the <code>Subject</code> in the |
| session - if there is a session - when running under a |
| <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt) |
| </fix> |
| <fix> |
| Ensure request and response facades are used when firing application |
| listeners. (markt/remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Improve handling of case when an HTTP/2 client sends more data that is |
| subject to flow control than the current window size allows. (markt) |
| </fix> |
| <fix> |
| Improve NIO2 look-ahead parsing of TLS client hello for SNI with large |
| client hello messages. (markt) |
| </fix> |
| <fix> |
| <bug>59807</bug>: Provide a better error message when there is no |
| <strong>SSLHostConfig</strong> defined with a <code>hostName</code> that |
| matches the <code>defaultSSLHostConfigName</code> for the associated |
| <strong>Connector</strong>. (markt) |
| </fix> |
| <fix> |
| Include the value of <code>SslHostConfig.truststoreAlgorithm</code> when |
| warning that the algorithm does not support the |
| <code>certificateVerificationDepth</code> configuration option. (markt) |
| </fix> |
| <fix> |
| Ensure that executor thread pools used with connectors pre-start the |
| configured minimum number of idle threads. (markt) |
| </fix> |
| <add> |
| <bug>60594</bug>: Allow some invalid characters that were recently |
| restricted to be processed in requests by using the system property |
| <code>tomcat.util.http.parser.HttpParser.requestTargetAllow</code>. |
| (csutherl) |
| </add> |
| <fix> |
| <bug>60627</bug>: Modify the <code>Rfc6265CookieProcessor</code> so that |
| in addition to cookie headers that start with an explicit RFC 2109 |
| <code>$Version=1</code>, cookies that start with <code>$Version=0</code> |
| are also parsed as RFC 2109 cookies. (markt) |
| </fix> |
| <fix> |
| <bug>60716</bug>: Add a new JSSE specific attribute, |
| <code>revocationEnabled</code>, to <code>SSLHostConfig</code> to permit |
| JSSE provider revocation checks to be enabled when no |
| <code>certificateRevocationListFile</code> has been configured. The |
| expectation is that configuration will be performed via a JSSE provider |
| specific mechanisms. (markt) |
| </fix> |
| <fix> |
| Modify the cookie header generated by the |
| <code>Rfc6265CookieProcessor</code> so it always sends an |
| <code>Expires</code> attribute as well as a <code>Max-Age</code> |
| attribute to avoid problems with Microsoft browsers that do not support |
| the <code>Max-Age</code> attribute. (markt) |
| </fix> |
| <fix> |
| <bug>60761</bug>: Expose a protected getter and setter for |
| <code>NioEndpoint.stopLatch</code> to make the class easier to extend. |
| (markt) |
| </fix> |
| <fix> |
| Prevent blocking reads after a stream exception occurs with HTTP/2. |
| (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Follow up to the fix for <bug>58178</bug>. When creating the |
| <code>ELContext</code> for a tag file, ensure that any registered |
| <code>ELContextListener</code>s are fired. (markt) |
| </fix> |
| <fix> |
| Refactor code generated for JSPs to reduce the size of the code required |
| for tags. (markt) |
| </fix> |
| <fix> |
| <bug>60769</bug>: Correct a regression in the XML encoding detection |
| refactoring carried out for 8.5.10 that incorrectly always used the |
| detected BOM encoding in preference to any encoding specified in the |
| prolog. (markt) |
| </fix> |
| <update> |
| Update to the Eclipse JDT Compiler 4.6.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Make the <code>accessTimeout</code> configurable in |
| <code>BackupManager</code> and <code>ClusterSingleSignOn</code>. The |
| <code>accessTimeout</code> is used as a timeout period for PING in |
| replication map. (kfujino) |
| </add> |
| <fix> |
| <bug>60806</bug>: To avoid <code>ClassNotFoundException</code>, make |
| sure that the web application class loader is passed to |
| <code>ReplicatedContext</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>60617</bug>: Correctly create a <code>CONNECT</code> request when |
| establishing a WebSocket connection via a proxy. Patch provided by |
| Svetlin Zarev. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add log message that PING message has received beyond the timeout |
| period. (kfujino) |
| </add> |
| <fix> |
| When a PING message that beyond the time-out period has been received, |
| make sure that valid member is added to the map membership. (kfujino) |
| </fix> |
| <fix> |
| Ensure that <code>NoRpcChannelReply</code> messages are not received on |
| <code>RpcCallback</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| Add Specification and Javadoc references for JASPIC to the Docs |
| application. (csutherl) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Spelling corrections provided by Josh Soref. (violetagg) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.12 to |
| pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg) |
| </update> |
| <add> |
| <bug>60784</bug>: Update all unit tests that test the HTTP status line |
| to check for the required space after the status code. Patch provided by |
| Michael Osipov. (markt) |
| </add> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.01. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.11 (markt)" rtext="2017-01-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>60620</bug>: |
| Extend the <code>JreMemoryLeakPreventionListener</code> to provide |
| protection against <code>ForkJoinPool.commonPool()</code> related memory |
| leaks. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure UpgradeProcessor instances associated with closed connections are |
| removed from the map of current connections to Processors. (markt) |
| </fix> |
| <fix> |
| Remove a workaround for a problem previously reported with WebSocket, |
| TLS and APR that treated some error conditions as not errors. The |
| original problem cannot be reproduced with the current code and the |
| work-around is now causing problems. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60497</bug>: Follow up fix using a better variable name for the |
| tag reuse flag. (remm) |
| </fix> |
| <fix> |
| Revert use of try/finally for simple tags. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Prevent potential processing loop on unexpected WebSocket connection |
| closure. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <add> |
| Enable reset the statistics without restarting the pool. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Spelling corrections provided by Josh Soref. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.10 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>53602</bug>: Add HTTP status code 451 (RFC 7725) to the list of |
| HTTP status codes recognised by the ErrorReportValve. (markt) |
| </add> |
| <fix> |
| <bug>60446</bug>: Handle the case where the stored user credential uses |
| a different key length than the length currently configured for the |
| <code>CredentialHandler</code>. Based on a patch by Niklas Holm. (markt) |
| </fix> |
| <update> |
| Update the warnings that reference required options for running on Java |
| 9 to use the latest syntax for those options. (markt) |
| </update> |
| <fix> |
| <bug>60513</bug>: Fix thread safety issue with RMI cleanup code. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Expand the search process for a server certificate when OpenSSL is used |
| with a JSSE connector and an explicit alias has not been configured. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60450</bug>: Improve the selection algorithm for the default trust |
| store type for a TLS Virtual Host. In particular, don't use |
| <code>PKCS12</code> as a default trust store type. Better document how |
| the default trust store type is selected for a TLS virtual host. (markt) |
| </fix> |
| <fix> |
| <bug>60451</bug>: Correctly handle HTTP/2 header values that contain |
| characters with unicode code points in the range 128 to 255. Reject |
| with a clear error message HTTP/2 header values that contain characters |
| with unicode code points above 255. (markt) |
| </fix> |
| <fix> |
| Improve the logic that selects an address to use to unlock the Acceptor |
| to take account of platforms what do not listen on all local addresses |
| when configured with an address of <code>0.0.0.0</code> or |
| <code>::</code>. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the refactoring to make wider use of |
| <code>ByteBuffer</code> that caused an intermittent failure in the unit |
| tests. (markt) |
| </fix> |
| <fix> |
| <bug>60482</bug>: HTTP/2 shouldn't do URL decoding on the query string. |
| (remm) |
| </fix> |
| <fix> |
| Fix an HTTP/2 compression error. Once a new size has been agreed for the |
| dynamic HPACK table, the next header block must begin with a dynamic |
| table update. (markt) |
| </fix> |
| <fix> |
| <bug>60508</bug>: Set request start time for HTTP/2. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Implement a simpler JSP file encoding detector that delegates XML prolog |
| encoding detection to the JRE rather than using a custom XML parser. |
| (markt) |
| </update> |
| <fix> |
| <bug>60497</bug>: Restore previous tag reuse behavior following the use |
| of try/finally. (remm) |
| </fix> |
| <fix> |
| Improve the error handling for simple tags to ensure that the tag is |
| released and destroyed once used. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correctly handle blocking WebSocket writes when the write times out just |
| before the write is attempted. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <add> |
| In the documentation web application, be explicit that clustering |
| requires a secure network for all of the cluster network traffic. |
| (markt) |
| </add> |
| <update> |
| Update the ASF logos to the new versions. |
| </update> |
| <fix> |
| <bug>60344</bug>: Add a note to BUILDING.txt regarding using the source |
| bundle with the correct line endings. (markt) |
| </fix> |
| <fix> |
| <bug>60468</bug>: Correct the format of the sample ISO-8601 date used |
| to report the build date for the documentation. Patch provided by |
| Michael Osipov. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the ASF logos used in the Apache Tomcat installer for Windows to |
| use the new versions. |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.9 (markt)" rtext="2016-12-08"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| <bug>60202</bug>: Add an available flag to realms, to indicate the |
| state, or the realm backend. Update lockout realm to only register |
| auth failures if the realm is available. (remm) |
| </update> |
| <fix> |
| <bug>60340</bug>: Readability improvements for CSS used in |
| DefaultServlet and ErrorReportValve. Patch provided by Michael |
| Osipov. (violetagg) |
| </fix> |
| <fix> |
| <bug>60351</bug>: Delay creating <code>META-INF/war-tracker</code> file |
| until after the WAR has been expanded to address the case where the |
| Tomcat process terminates during the expansion. (markt) |
| </fix> |
| <fix> |
| Correctly generate URLs for resources located inside JARs that are |
| themselves located inside a packed WAR file. (markt) |
| </fix> |
| <fix> |
| Correctly handle the <code>configClass</code> attribute of a Host when |
| embedding Tomcat. (markt) |
| </fix> |
| <fix> |
| <bug>60368</bug>: Restore egde case for embedded allowing the connector |
| to be removed. (remm) |
| </fix> |
| <fix> |
| <bug>60379</bug>: Dispose of the GSS credential once it is no longer |
| required. Patch provided by Michael Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60380</bug>: Ensure that a call to |
| <code>HttpServletRequest#logout()</code> triggers a call to |
| <code>TomcatPrincipal#logout()</code>. Based on a patch by Michael |
| Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60387</bug>: Correct the javadoc for |
| <code>o.a.catalina.AccessLog.setRequestAttributesEnabled</code>. |
| The default value is different for the different implementations. |
| (violetagg) |
| </fix> |
| <scode> |
| <bug>60393</bug>: Use consistent parameter naming in implementations of |
| <code>Realm#authenticate(GSSContext, boolean)</code>. (markt) |
| </scode> |
| <fix> |
| <bug>60395</bug>: Log when an <code>Authenticator</code> passes an |
| incomplete <code>GSSContext</code> to a Realm since it indicates a bug |
| in the <code>Authenticator</code>. Patch provided by Michael Osipov. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60400</bug>: When expanding the buffer used for reading the |
| request body, ensure the read position will be restored to the |
| original one. (violetagg) |
| </fix> |
| <fix> |
| <bug>60410</bug>: Ensure that multiple calls to |
| <code>JarInputStreamWrapper#close()</code> do not incorrectly trigger |
| the closure of the underlying JAR or WAR file. (markt) |
| </fix> |
| <fix> |
| <bug>60411</bug>: Implement support in the <code>RewriteValve</code> for |
| symbolic names to specify the redirect code to use when returning a |
| redirect response to the user agent. Patch provided by Michael Osipov. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60413</bug>: In the <code>RewriteValve</code> write empty capture |
| groups as the empty string rather than as <code>"null"</code> |
| when generating the re-written URL. Based on a patch by Michael Osipov. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>60372</bug>: Ensure the response headers' buffer limit is reset to |
| the capacity of this buffer when IOException occurs while writing the |
| headers to the socket. (violetagg) |
| </fix> |
| <fix> |
| Ensure that the availability of configured upgrade protocols that |
| require ALPN is correctly reported during Tomcat start. (markt) |
| </fix> |
| <fix> |
| <bug>60386</bug>: Implement a more sophisticated pruning algorithm for |
| removing closed streams from the priority tree to ensure that the tree |
| does not grow too large. (markt) |
| </fix> |
| <fix> |
| <bug>60409</bug>: When unable to complete sendfile request, ensure the |
| Processor will be added to the cache only once. (markt/violetagg) |
| </fix> |
| <fix> |
| Ensure that the endpoint is able to unlock the acceptor thread during |
| shutdown if the endpoint is configured to listen to any local address |
| of a specific type such as <code>0.0.0.0</code> or <code>::</code>. |
| (markt) |
| </fix> |
| <add> |
| Add a new configuration option, <code>ipv6v6only</code> to the APR |
| connectors that allows them to be configure to only accept IPv6 |
| connections when configured with an IPv6 address rather than the |
| default which is to accept IPv4 connections as well if the operating |
| system uses a dual network stack. (markt) |
| </add> |
| <fix> |
| Improve the logic that unlocks the acceptor thread so a better choice is |
| made for the address to connect to when a connector is configured for |
| any local port. This reduces the likelihood of the unlock failing. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60436</bug>: Avoid a potential NPE when processing async timeouts. |
| (markt) |
| </fix> |
| <fix> |
| Reduce the window in which an async request that has just started |
| processing on a container thread remains eligible for an async timeout. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60431</bug>: Improve handling of varargs in UEL expressions. Based |
| on a patch by Ben Wolfe. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Fix JDK version number documented in BUILDING.txt. (rjung) |
| </fix> |
| <fix> |
| Correct a typo in Host Configuration Reference. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| <bug>60412</bug>: Add information on the comment syntax for the |
| <code>RewriteValve</code> configuration. (markt) |
| </fix> |
| <fix> |
| <bug>60467</bug>: remove problematic characters from XML documentation. |
| Based upon a patch by Michael Osipov. (schultz) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Reduce the warning logs for a message received from a different domain |
| in order to avoid excessive log outputs. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>60437</bug>: Avoid possible handshake overflows in the websocket |
| client. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <add> |
| <bug>58816</bug>: Implement the statistics of jdbc-pool. The stats infos |
| are <code>borrowedCount</code>, <code>returnedCount</code>, |
| <code>createdCount</code>, <code>releasedCount</code>, |
| <code>reconnectedCount</code>, <code>releasedIdleCount</code> and |
| <code>removeAbandonedCount</code>. (kfujino) |
| </add> |
| <fix> |
| <bug>60194</bug>: If <code>validationQuery</code> is not specified, |
| connection validation is done by calling the <code>isValid()</code> |
| method. (kfujino) |
| </fix> |
| <fix> |
| <bug>60398</bug>: Fix testcase of <code>TestSlowQueryReport</code>. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Allow customization of service.bat, such as heap memory size, service |
| startup mode and JVM args. Patch provided by isapir via Github. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>60366</bug>: Change <code>catalina.bat</code> to use directly |
| <code>LOGGING_MANAGER</code> and <code>LOGGING_CONFIG</code> variables |
| in order to configure logging, instead of modifying |
| <code>JAVA_OPTS</code>. Patch provided by Petter Isberg. (violetagg) |
| </fix> |
| <fix> |
| <bug>60383</bug>: JASPIC API is added as a dependency to the |
| <code>org.apache.tomcat:tomcat-catalina</code> maven artifact. |
| (violetagg) |
| </fix> |
| <fix> |
| Update the comments associated with the TLS Connector examples in |
| <code>server.xml</code>. (markt) |
| </fix> |
| <add> |
| New property is added <code>test.verbose</code> in order to control |
| whether the output of the tests is displayed on the console or not. |
| Patch provided by Emmanuel Bourg. (violetagg) |
| </add> |
| <scode> |
| <code>TestOpenSSLCipherConfigurationParser.testSpecification</code> |
| - if there are test failures, provide more detailed information. Patch |
| provided by Emmanuel Bourg. (violetagg) |
| </scode> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.8 (markt)" rtext="2016-11-08"> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Check that threadPriority values used in AbstractProtocol are valid. |
| (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.7 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| When creating a new Connector via JMX, ensure that both HTTP/1.1 and |
| AJP/1.3 connectors can be created. (markt) |
| </fix> |
| <fix> |
| Include the Context name in the log message when an item cannot be |
| added to the cache. (markt) |
| </fix> |
| <fix> |
| Exclude JAR files in <code>/WEB-INF/lib</code> from the static resource |
| cache. (markt) |
| </fix> |
| <fix> |
| When calling <code>getResourceAsStream()</code> on a directory, ensure |
| that <code>null</code> is returned. (markt) |
| </fix> |
| <fix> |
| <bug>60161</bug>: Allow creating subcategories of the container logger, |
| and use it for the rewrite valve. (remm) |
| </fix> |
| <fix> |
| Correctly test for control characters when reading the provided shutdown |
| password. (markt) |
| </fix> |
| <fix> |
| <bug>60297</bug>: Simplify connector creation in embedded mode. (remm) |
| </fix> |
| <fix> |
| Refactor creation of containers in embedded mode for more consistency |
| and flexibility. (remm) |
| </fix> |
| <add> |
| Introduce new methods <code>read(ByteBuffer)</code>/ |
| <code>write(ByteBuffer)</code> in |
| <code>o.a.catalina.connector.CoyoteInputStream</code>/ |
| <code>o.a.catalina.connector.CoyoteOutputStream</code>. (violetagg) |
| </add> |
| <fix> |
| When configuring the JMX remote listener, specify the allowed types for |
| the credentials. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct the HPACK header table size configuration that transposed the |
| client and server table sizes when creating the encoder and decoder. |
| (markt) |
| </fix> |
| <fix> |
| Don't continue to process an HTTP/2 stream if it is reset during header |
| parsing. (markt) |
| </fix> |
| <fix> |
| HTTP/2 uses separate headers for each Cookie. As required by RFC 7540, |
| merge these into a single Cookie header before processing continues. |
| (markt) |
| </fix> |
| <fix> |
| Align the HTTP/2 implementation with the HTTP/1.1 implementation and |
| return a 500 response when an unhandled exception occurs during request |
| processing. (markt) |
| </fix> |
| <fix> |
| Correct the HTTP header parser so that DEL is not treated as a valid |
| token character. (markt) |
| </fix> |
| <add> |
| Add checks around the handling of HTTP/2 pseudo headers. (markt) |
| </add> |
| <add> |
| Add support for trailer headers to the HTTP/2 implementation. (markt) |
| </add> |
| <fix> |
| <bug>60232</bug>: When processing headers for an HTTP/2 stream, ensure |
| that the read buffer is large enough for the header being processed. |
| (markt) |
| </fix> |
| <add> |
| Add configuration options to the HTTP/2 implementation to control the |
| maximum number of headers allowed, the maximum size of headers allowed, |
| the maximum number of trailer headers allowed, the maximum size of |
| trailer headers allowed and the maximum number of cookies allowed. |
| (markt) |
| </add> |
| <fix> |
| Correctly differentiate between sending and receiving a reset frame when |
| tracking the state of an HTTP/2 stream. (markt) |
| </fix> |
| <fix> |
| <bug>60319</bug>: When using an Executor, disconnect it from the |
| Connector attributes <code>maxThreads</code>, |
| <code>minSpareThreads</code> and <code>threadPriority</code> to enable |
| the configuration settings to be consistently reported. These Connector |
| attributes will be reported as <code>-1</code> when an Executor is in |
| use. The values used by the executor may be set and obtained via the |
| Executor. (markt) |
| </fix> |
| <fix> |
| If an I/O error occurs during async processing on a non-container |
| thread, ensure that the <code>onError()</code> event is triggered. |
| (markt) |
| </fix> |
| <fix> |
| Improve detection of I/O errors during async processing on non-container |
| threads and trigger async error handling when they are detected. (markt) |
| </fix> |
| <add> |
| Add additional checks for valid characters to the HTTP request line |
| parsing so invalid request lines are rejected sooner. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Add HTTP/2 configuration information to the documentation web |
| application. (markt) |
| </add> |
| <fix> |
| Fix default value of <code>validationInterval</code> attribute in |
| jdbc-pool. (kfujino) |
| </fix> |
| <fix> |
| Correct a typo in CGI How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| When the proxy node sends a backup retrieve message, ensure that using |
| the <code>channelSendOptions</code> that has been set rather than the |
| default <code>channelSendOptions</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Add the JASPIC API jar to the Maven Central publication script. (markt) |
| </add> |
| <fix> |
| Remove classes from tomcat-util-scan.jar that are duplicates of those in |
| tomcat-util.jar. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.6 (markt)" rtext="2016-10-10"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>59961</bug>: Add an option to the <code>StandardJarScanner</code> |
| to control whether or not JAR Manifests are scanned for additional |
| class path entries. (markt) |
| </add> |
| <fix> |
| <bug>60013</bug>: Refactor the previous fix to align the behaviour of |
| the Rewrite Valve with mod_rewrite. As part of this, provide an |
| implementation for the <code>B</code> and <code>NE</code> flags and |
| improve the handling for the <code>QSA</code> flag. Includes multiple |
| test cases by Santhana Preethiand a patch by Tiago Oliveira. (markt) |
| </fix> |
| <fix> |
| <bug>60087</bug>: Refactor the web resources handling to use the Tomcat |
| specific <code>war:file:...</code> URL protocol to refer to WAR files |
| and their contents rather than the standard <code>jar:file:...</code> |
| form since some components of the JRE, such as JAR verification, give |
| unexpected results when the standard form is used. A side-effect of the |
| refactoring is that when using packed WARs, it is now possible to |
| reference a WAR and/or specific JARs within a WAR in the security policy |
| file used when running under a <code>SecurityManager</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60116</bug>: Fix a problem with the rewrite valve that caused back |
| references evaluated in conditions to be forced to lower case when using |
| the <code>NC</code> flag. (markt) |
| </fix> |
| <fix> |
| Ensure <code>Digester.useContextClassLoader</code> is considered in |
| case the class loader is used. (violetagg) |
| </fix> |
| <fix> |
| <bug>60117</bug>: Ensure that the name of <code>LogLevel</code> is |
| localized when using <code>OneLineFormatter</code>. Patch provided by |
| Tatsuya Bessho. (kfujino) |
| </fix> |
| <fix> |
| <bug>60138</bug>: Fix the <code>SSLHostConfig</code> so that the |
| <code>protocols</code> attribute is limited to the protocols supported |
| by the current JSSE implementation rather than the default protocols |
| used by the implementation. (markt) |
| </fix> |
| <fix> |
| <bug>60146</bug>: Improve performance for resource retrieval by making |
| calls to WebResource.getInputStream() trigger caching if the resource is |
| small enough. Patch provided by mohitchugh. (markt) |
| </fix> |
| <add> |
| <bug>60151</bug>: Improve the exception error messages when a |
| <code>ResourceLink</code> fails to specify the type, specifies an |
| unknown type or specifies the wrong type. (markt) |
| </add> |
| <fix> |
| <bug>60167</bug>: Ignore empty lines in <code>/etc/passwd</code> files |
| when using the <code>PasswdUserDatabase</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60170</bug>: Exclude the compressed test file |
| <code>index.html.br</code> from RAT analysis. Patch provided by Gavin |
| McDonald. (markt) |
| </fix> |
| <fix> |
| When starting web resources, ensure that class resources are only |
| started once. (markt) |
| </fix> |
| <fix> |
| Improve the access checks for linked global resources to handle the case |
| where the current class loader is a child of the web application class |
| loader. (markt) |
| </fix> |
| <fix> |
| <bug>60196</bug>: Ensure that the <code>isMandatory</code> flag is |
| correctly set when using JASPIC authentication. (markt) |
| </fix> |
| <fix> |
| <bug>60199</bug>: Log a warning if deserialization issues prevent a |
| session attribute from being loaded. (markt) |
| </fix> |
| <fix> |
| <bug>60208</bug>: When using RFC6265 compliant cookies, the |
| <code>/</code> character should not be allowed in a cookie name since |
| the RFC6265 will drop such cookies as invalid. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Refactor the code that implements the requirement that a call to |
| <code>complete()</code> or <code>dispatch()</code> made from a |
| non-container thread before the container initiated thread that called |
| <code>startAsync()</code> completes must be delayed until the container |
| initiated thread has completed. Rather than implementing this by |
| blocking the non-container thread, extend the internal state machine to |
| track this. This removes the possibility that blocking the non-container |
| thread could trigger a deadlock. (markt) |
| </add> |
| <fix> |
| Fail earlier if the client closes the connection during SNI processing. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60123</bug>: Avoid potential threading issues that could cause |
| excessively large vales to be returned for the processing time of |
| a current request. (markt) |
| </fix> |
| <fix> |
| <bug>60174</bug>: Log instances of <code>HeadersTooLargeException</code> |
| during request processing. (markt) |
| </fix> |
| <fix> |
| <bug>60173</bug>: Allow up to 64kB HTTP/2 header table size limit. (remm) |
| </fix> |
| <fix> |
| Java 9 compatibility of direct ByteBuffer cleaner. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60101</bug>: Remove preloading of the class that was deleted. |
| (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Expand the documentation for the nested elements within a |
| <code>Resources</code> element to clarify the behaviour of different |
| configuration options with respect to the order in which resources are |
| searched. (markt) |
| </add> |
| <add> |
| Add an example of using the <code>classesToInitialize</code> attribute |
| of the <code>JreMemoryLeakPreventionListener</code> to the documentation |
| web application. Based on a patch by Cris Berneburg. (markt) |
| </add> |
| <fix> |
| <bug>60192</bug>: Correct a typo in the status output of the Manager |
| application. Patch provided by Radhakrishna Pemmasani. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Notify jmx when returning the connection that has been marked suspect. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the <code>POOL_EMPTY</code> notification has been added to |
| the jmx notification types. (kfujino) |
| </fix> |
| <fix> |
| <bug>60099</bug>: Ensure that use all method arguments as a cache key |
| when using <code>StatementCache</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>60139</bug>: Correct Javadocs for |
| <code>PoolConfiguration.getValidationInterval</code> and |
| <code>setValidationInterval</code>. Reported by Phillip Webb. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Update the download location for Objenesis. (violetagg) |
| </fix> |
| <fix> |
| <bug>60164</bug>: Replace <code>log4j-core*.jar</code> with |
| <code>log4j-web*.jar</code> since it is <code>log4j-web*.jar</code> that |
| contains the <code>ServletContainerInitializer</code>. (markt) |
| </fix> |
| <add> |
| Add documentation to the bin/catalina.bat script to remind users that |
| environment variables don't affect the configuration of Tomcat when |
| run as a Windows Service. Based upon a documentation patch by |
| James H.H. Lampert. (schultz) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.10 to |
| pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.5 (markt)" rtext="2016-09-05"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>18500</bug>: Add limited support for wildcard host names and host |
| aliases. Names of the form <code>*.domainname</code> are now permitted. |
| Note that an exact host name match takes precedence over a wild card |
| host name match. (markt) |
| </fix> |
| <fix> |
| <bug>59813</bug>: Ensure that circular relations of the Class-Path |
| attribute from JAR manifests will be processed correctly. (violetagg) |
| </fix> |
| <fix> |
| Ensure that reading the <code>singleThreadModel</code> attribute of a |
| <code>StandardWrapper</code> via JMX does not trigger initialisation of |
| the associated servlet. With some frameworks this can trigger an |
| unexpected initialisation thread and if initialisation is not thread-safe |
| the initialisation can then fail. (markt) |
| </fix> |
| <fix> |
| Compatibility with rewrite from httpd for non existing headers. |
| (jfclere) |
| </fix> |
| <fix> |
| By default, treat paths used to obtain a request dispatcher as encoded. |
| This behaviour can be changed per web application via the |
| <code>dispatchersUseEncodedPaths</code> attribute of the Context. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59839</bug>: Apply <code>roleSearchAsUser</code> to all nested searches |
| in JNDIRealm. (fschumacher) |
| </fix> |
| <fix> |
| <bug>59859</bug>: Fix resource leak in WebDAV servlet. Based on patch by |
| Coty Sutherland. (fschumacher) |
| </fix> |
| <add> |
| Provide a mechanism that enables the container to check if a component |
| (typically a web application) has been granted a given permission when |
| running under a SecurityManager without the current execution stack |
| having to have passed through the component. Use this new mechanism to |
| extend SecurityManager protection to the system property replacement |
| feature of the digester. (markt) |
| </add> |
| <add> |
| When retrieving an object via a <code>ResourceLink</code>, ensure that |
| the object obtained is of the expected type. (markt) |
| </add> |
| <fix> |
| <bug>59823</bug>: Ensure that JASPIC configuration is taken into account |
| when calling <code>HttpServletRequest.authenticate()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>59824</bug>: Mark the <code>RewriteValve</code> as supporting async |
| processing by default. (markt) |
| </fix> |
| <fix> |
| <bug>59862</bug>: Allow nested jar files scanning to be filtered with |
| the system property |
| <code>tomcat.util.scan.StandardJarScanFilter.jarsToSkip</code>. Patch |
| is provided by Terence Bandoian. (violetagg) |
| </fix> |
| <fix> |
| <bug>59866</bug>: When scanning <code>WEB-INF/classes</code> for |
| annotations, don't scan the contents of |
| <code>WEB-INF/classes/META-INF</code> (if present) since classes will |
| never be loaded from that location. (markt) |
| </fix> |
| <fix> |
| <bug>59888</bug>: Correctly handle tabs and spaces in quoted version one |
| cookies when using the <code>Rfc6265CookieProcessor</code>. (markt) |
| </fix> |
| <fix> |
| <bug>59912</bug>: Fix an edge case in input stream handling where an |
| <code>IOException</code> could be thrown when reading a POST body. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59913</bug>: Correct a regression introduced with the support for |
| the Servlet 4 <code>HttpServletRequest.getMapping()</code> API that |
| caused the attributes for forwarded requests to be lost if requested |
| from within a subsequent include. (markt) |
| </fix> |
| <fix> |
| <bug>59966</bug>: Do not start the web application if the error page |
| configuration in web.xml is invalid. (markt) |
| </fix> |
| <fix> |
| Switch the CGI servlet to the standard logging mechanism and remove |
| support for the debug attribute. (markt) |
| </fix> |
| <fix> |
| <bug>60012</bug>: Improvements in the log messages. Based on |
| suggestions by Nemo Chen. (violetagg) |
| </fix> |
| <fix> |
| Changes to the <code>allowLinking</code> attribute of a |
| <code>StandardRoot</code> instance now invalidate the cache if caching |
| is enabled. (markt) |
| </fix> |
| <add> |
| Add a new initialisation parameter, <code>envHttpHeaders</code>, to |
| the CGI Servlet to mitigate <a href="https://httpoxy.org">httpoxy</a> |
| (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388" |
| >CVE-2016-5388</a>) by default and to provide a mechanism that can be |
| used to mitigate any future, similar issues. (markt) |
| </add> |
| <add> |
| When adding and removing <code>ResourceLink</code>s dynamically, ensure |
| that the global resource is only visible via the |
| <code>ResourceLinkFactory</code> when it is meant to be. (markt) |
| </add> |
| <fix> |
| <bug>60008</bug>: When processing CORs requests, treat any origin with a |
| URI scheme of <code>file</code> as a valid origin. (markt) |
| </fix> |
| <fix> |
| Improve handling of exceptions during a Lifecycle events triggered by a |
| state transition. The exception is now caught and the component is now |
| placed into the <code>FAILED</code> state. (markt) |
| </fix> |
| <fix> |
| <bug>60013</bug>: Fix encoding issues when using the RewriteValve with |
| UTF-8 query strings or UTF-8 redirect URLs. (markt) |
| </fix> |
| <fix> |
| <bug>60022</bug>: Improve handling when a WAR file and/or the associated |
| exploded directory are symlinked into the <code>appBase</code>. (markt) |
| </fix> |
| <fix> |
| Fix a file descriptor leak when reading the global web.xml. (markt) |
| </fix> |
| <fix> |
| Consistently decode URL patterns provided via web.xml using the encoding |
| of the web.xml file where specified or UTF-8 where no explicit encoding |
| is specified. (markt) |
| </fix> |
| <fix> |
| Make timing attacks against the Realm implementations harder. (schultz) |
| </fix> |
| <fix> |
| A number of the JRE memory leaks addressed by the |
| <code>JreMemoryLeakPreventionListener</code> have been fixed in Java 9 |
| so the associated protection is now disabled when running on Java 9 |
| onwards. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct a regression in refactoring to enable injection of custom |
| keystores that broke the automatic conversion of OpenSSL style PEM |
| key and certificate files for use with JSSE TLS connectors. (markt) |
| </fix> |
| <fix> |
| <bug>59910</bug>: Don't hardcode key alias value to "tomcat" for JSSE. |
| When using a keystore, OpenSSL will still default to it. (remm) |
| </fix> |
| <fix> |
| <bug>59904</bug>: Add a limit (default 200) for the number of cookies |
| allowed per request. Based on a patch by gehui. (markt) |
| </fix> |
| <fix> |
| <bug>59925</bug>: Correct regression in r1628368 and ensure that HTTP |
| separators are handled as configured in the |
| <code>LegacyCookieProcessor</code>. Patch provided by Kyohei Nakamura. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59950</bug>: Correct log message when reporting that the current |
| number of HTTP/2 streams for a connection could not be pruned to below |
| the limit. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>Semaphore.release</code> is called in all cases. Even |
| when there is an exception. (violetagg) |
| </fix> |
| <fix> |
| <bug>60030</bug>: Correct a potential infinite loop in the SNI parsing |
| code triggered by failing to handle an end of stream condition. (markt) |
| </fix> |
| <fix> |
| Small logging optimization in the <code>Rfc6265CookieProcessor</code>. |
| Patch provided by Svetlin Zarev. (markt) |
| </fix> |
| <fix> |
| OpenSSL now disables 3DES by default so reflect this when using OpenSSL |
| syntax to select ciphers. (markt) |
| </fix> |
| <fix> |
| Use the proper ERROR socket status code for async errors with NIO2. |
| (remm) |
| </fix> |
| <fix> |
| <bug>60035</bug>: Fix a potential connection leak if the client drops a |
| TLS connection before the handshake completes. (markt) |
| </fix> |
| <fix> |
| Refactor the JSSE client certificate validation so that the |
| effectiveness of the <code>certificateVerificationDepth</code> |
| configuration attribute does not depend on the presence of a certificate |
| revocation list. (markt) |
| </fix> |
| <add> |
| Log a warning at start up if a JSSE TLS connector is configured with |
| a trusted certificate that is either not yet valid or has expired. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| When writing out a full web.xml file with JspC ensure that the encoding |
| used in the XML prolog matches the encoding used to write the contents |
| of the file. (markt) |
| </fix> |
| <fix> |
| Improve the error handling for custom tags to ensure that the tag is |
| returned to the pool or released and destroyed once used. (markt) |
| </fix> |
| <fix> |
| <bug>60032</bug>: Fix handling of method calls that use varargs within |
| EL value expressions. (markt) |
| </fix> |
| <fix> |
| Ignore <code>engineOptionsClass</code> and <code>scratchdir</code> when |
| running under a security manager. (markt) |
| </fix> |
| <fix> |
| Fixed StringIndexOutOfBoundsException. Based on a patch provided by |
| wuwen via Github. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>59908</bug>: Ensure that a reason phrase is included in the close |
| message if a session is closed due to a timeout. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>59867</bug>: Correct the documentation provided by Manager's |
| 403.jsp. (violetagg) |
| </fix> |
| <fix> |
| <bug>59868</bug>: Clarify the documentation for the Manager web |
| application to make clearer that the host name and IP address in the |
| server section are the primary host name and IP address. (markt) |
| </fix> |
| <fix> |
| <bug>59940</bug>: Correct the name of the |
| <code>truststorePassword</code> attribute of the |
| <code>SSLHostConfig</code> element in the configuration documentation. |
| (markt) |
| </fix> |
| <fix> |
| MBeans Descriptors How-To is moved to |
| <code>mbeans-descriptors-howto.html</code>. Patch provided by Radoslav |
| Husar. (violetagg) |
| </fix> |
| <fix> |
| Update NIO Connector configuration documentation with an information |
| about <code>socket.directSslBuffer</code>. (violetagg) |
| </fix> |
| <fix> |
| <bug>60034</bug>: Correct a typo in the Manager How-To page of the |
| documentation web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| In order to avoid the unintended skip of <code>PoolCleaner</code>, |
| remove the check code of the execution interval in the task that has |
| been scheduled. (kfujino) |
| </fix> |
| <fix> |
| <bug>59850</bug>: Ensure that the <code>ResultSet</code> is closed when |
| enabling the <code>StatementCache</code> interceptor. (kfujino) |
| </fix> |
| <fix> |
| <bug>59923</bug>: Reduce the default value of |
| <code>validationInterval</code> in order to avoid the potential issue |
| that continues to return an invalid connection after database restart. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the <code>ResultSet</code> is returned as Proxy object when |
| enabling the <code>StatementDecoratorInterceptor</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>60043</bug>: Ensure that the <code>suspectTimeout</code> works |
| without removing connection when the <code>removeAbandoned</code> is |
| disabled. (kfujino) |
| </fix> |
| <fix> |
| Add log message of when returning the connection that has been marked |
| suspect. (kfujino) |
| </fix> |
| <fix> |
| Correct Javadoc for <code>ConnectionPool.suspect()</code>. Based on a |
| patch by Yahya Cahyadi. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>59871</bug>: Add a property (<code>timeFormat</code>) to |
| JULI's <code>OneLineFormatter</code> to enable the format of the |
| time stamp used in log messages to be configured. (markt) |
| </add> |
| <fix> |
| <bug>59899</bug>: Update Tomcat's copy of the Java Persistence |
| annotations to include the changes made in 2.1 / JavaEE 7. (markt) |
| </fix> |
| <fix> |
| Fixed typos in mbeans-descriptors.xml files. (violetagg) |
| </fix> |
| <update> |
| Update the internal fork of Commons BCEL to r1757132 to align with the |
| BCEL 6 release. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP 2 to r1757164 to pick up a |
| couple of bug fixes. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to r1757174. Code formatting |
| changes only. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons FileUpload to afdedc9. This pulls in |
| a fix to improve the performance with large multipart boundaries. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.4 (markt)" rtext="2016-07-12"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>57705</bug>: Add debug logging for requests denied by the remote |
| host and remote address valves and filters. Based on a patch by Graham |
| Leggett. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the fix for <bug>58588</bug> that removed the |
| entire <code>org.apache.juli</code> package from the embedded JARs |
| rendering them unusable. (markt) |
| </fix> |
| <add> |
| <bug>59399</bug>: Add a new option to the Realm implementations that |
| ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS |
| redirects to be controlled per Realm. (markt) |
| </add> |
| <update> |
| Change the default of the |
| <code>sessionCookiePathUsesTrailingSlash</code> attribute of the |
| <code>Context</code> element to <code>false</code> since the problems |
| caused when a Servlet is mapped to <code>/*</code> are more significant |
| than the security risk of not enabling this option by default. (markt) |
| </update> |
| <fix> |
| Follow-up to <bug>59655</bug>. Improve the documentation for configuring |
| permitted cookie names. Patch provided by Kyohei Nakamura. (markt) |
| </fix> |
| <fix> |
| Do not attempt to start web resources during a web application's |
| initialisation phase since the web application is not fully configured |
| at that point and the web resources may not be correctly configured. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59708</bug>: Modify the LockOutRealm logic. Valid authentication |
| attempts during the lock out period will no longer reset the lock out |
| timer to zero. (markt) |
| </fix> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Refactor the certificate keystore and trust store generation to make it |
| easier for embedded users to inject their own key stores. (markt) |
| </scode> |
| <add> |
| <bug>59233</bug>: Add the ability to add TLS virtual hosts dynamically. |
| (markt) |
| </add> |
| <update> |
| Add a <code>maxConcurrentStreamExecution</code> on the HTTP/2 |
| protocol handler to allow restricting the amount of concurrent stream |
| that are being executed in a single connection. The default is to |
| not limit it. (remm) |
| </update> |
| <fix> |
| Correct a problem with <code>ServletRequest.getServerPort()</code> for |
| secure HTTP/2 connections that meant an incorrect value was returned when |
| using the default port. (markt) |
| </fix> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| Document the default for the HTTP/2 configuration parameter |
| <code>maxConcurrentStreamExecution</code> as 20. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <scode> |
| Now the WebSocket implementation is not built directly on top of the |
| Servlet API and can use Tomcat internals, there is no need for the |
| dedicated WebSocket Executor. It has been replaced by the use of the |
| Connector/Endpoint provided Executor. (markt) |
| </scode> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| Do not log an additional case of <code>IOException</code>s in the |
| error handler for the Drawboard WebSocket example when the root cause is |
| the client disconnecting since the logs add no value. (markt) |
| </fix> |
| <fix> |
| <bug>59642</bug>: Mention the <code>localDataSource</code> in the |
| <code>DataSourceRealm</code> section of the Realm How-To. (markt) |
| </fix> |
| <fix> |
| <bug>59672</bug>: Update the security considerations page of the |
| documentation web application to take account of the fact that the |
| Manager and HostManager applications now have a |
| <code>RemoteAddrValve</code> configured by default. (markt) |
| </fix> |
| <fix> |
| Follow-up to the fix for <bug>59399</bug>. Ensure that the new attribute |
| <code>transportGuaranteeRedirectStatus</code> is documented for all |
| <strong>Realm</strong>s. Also document the <code>NullRealm</code> and |
| when it is automatically created for an <strong>Engine</strong>. (markt) |
| </fix> |
| <fix> |
| Fix the description of <code>maxAge</code> attribute in jdbc-pool doc. |
| This attribute works both when a connection is returned and when a |
| connection is borrowed. (kfujino) |
| </fix> |
| <fix> |
| <bug>59774</bug>: Correct the <code>prefix</code> values in the |
| documented examples for configuring the <code>AccessLogValve</code>. |
| Patch provided by Mike Noordermeer. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Extras"> |
| <changelog> |
| <scode> |
| <bug>58588</bug>: Remove the JULI extras package from the distribution. |
| It was only useful for switching Tomcat's internal logging to log4j |
| 1.2.x and that version of log4j is no longer supported. No additional |
| Tomcat code is required if switching Tomcat's internal logging to log |
| via log4j 2.x. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add log message when the ping has timed-out. (kfujino) |
| </add> |
| <fix> |
| If the ping message has been received at the |
| <code>AbstractReplicatedMap#leftOver</code> method, ensure that notify |
| the member is alive than ignore it. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix the duplicated connection release when connection verification |
| failed. (kfujino) |
| </fix> |
| <fix> |
| Ensure that do not remove the abandoned connection that has been already |
| released. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| <bug>59276</bug>: Update optional Checkstyle library to 6.17. (kkolinko) |
| </update> |
| <add> |
| Use the mirror network rather than the ASF master site to download the |
| current ASF dependencies. (markt) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.8 to |
| pick up the latest fixes and make 1.2.8 the minimum recommended version. |
| (markt) |
| </update> |
| <scode> |
| Use UTF-8 with a standard prolog for all XML files. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.3 (markt)" rtext="2016-06-13"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| RMI Target related memory leaks are avoidable which makes them an |
| application bug that needs to be fixed rather than a JRE bug to work |
| around. Therefore, start logging RMI Target related memory leaks on web |
| application stop. Add an option that controls if the check for these |
| leaks is made. Log a warning if running on Java 9 with this check |
| enabled but without the command line option it requires. (markt) |
| </fix> |
| <fix> |
| Ensure NPE will not be thrown during deployment when scanning jar files |
| without MANIFEST.MF file. (violetagg) |
| </fix> |
| <scode> |
| Remove the <code>clearReferencesStatic</code> option from |
| <code>StandardContext</code>. It was known to cause problems with some |
| libraries (such as log4j) and was only linked to suspected memory leaks |
| rather than known memory leaks. It had been disabled by default with no |
| increase in the reports of memory leaks for some time. (markt) |
| </scode> |
| <fix> |
| <bug>59604</bug>: Correct the assumption made in the URL decoding that |
| the default platform encoding is always compatible with ISO-8859-1. This |
| assumption is not always valid, e.g. on z/OS. (markt) |
| </fix> |
| <fix> |
| <bug>59608</bug>: Skip over any invalid <code>Class-Path</code> attribute |
| from JAR manifests. Log errors at debug level due to many bad libraries. |
| (remm) |
| </fix> |
| <fix> |
| Fix error message when failed to register MBean. (kfujino) |
| </fix> |
| <fix> |
| <bug>59655</bug>: Configure the cookie name validation to use RFC6265 rules by default to |
| align it with the default cookie parser. Document the impact system properties have on |
| cookie name validation. (mark) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that requests with HTTP method names that are not tokens (as |
| required by RFC 7231) are rejected with a 400 response. (markt) |
| </fix> |
| <fix> |
| When an asynchronous request is processed by the AJP connector, ensure |
| that request processing has fully completed before starting the next |
| request. (markt) |
| </fix> |
| <fix> |
| Improve handling of HTTP/2 stream resets. (markt) |
| </fix> |
| <add> |
| <bug>58750</bug>: The HTTP Server header is no longer set by default. A |
| Server header may be configured by setting the <code>server</code> |
| attribute on the <code>Connector</code>. A new <code>Connector</code> |
| attribute, <code>serverRemoveAppProvidedValues</code> may be used to |
| remove any Server header set by a web application. (markt) |
| </add> |
| <fix> |
| <bug>59564</bug>: Correct offset when reading into HTTP/2 input buffer |
| that could cause problems reading request bodies. (violetagg/markt) |
| </fix> |
| <fix> |
| Modify the handling of read/write timeouts so that the appropriate error |
| handling (<code>ReadListener.onError()</code>, |
| <code>WriteListener.onError()</code> or |
| <code>AsyncListener.onError()</code>) is called. (markt) |
| </fix> |
| <fix> |
| If an async dispatch results in the completion of request processing, |
| ensure that any remaining request body is swallowed before starting the |
| processing of the next request else the remaining body may be read as the |
| start of the next request leading to a 400 response. (markt) |
| </fix> |
| <fix> |
| Fix a cause of multiple attempts to close the same socket. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>59567</bug>: Fix NPE scanning webapps for TLDs when an exploded |
| JAR has an empty WEB-INF/classes/META-INF folder. (remm) |
| </fix> |
| <fix> |
| Fix a memory leak in the expression language implementation that caused |
| the class loader of the first web application to use expressions to be |
| pinned in memory. (markt) |
| </fix> |
| <fix> |
| <bug>59654</bug>: Improve error message when attempting to use a TLD |
| file from an invalid location. Patch provided by Huxing Zhang. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>59659</bug>: Fix possible memory leak in WebSocket handling of |
| unexpected client disconnects. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>58891</bug>: Update the SSL how-to. Based on a suggestion by |
| Alexander Kjäll. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix a memory leak with the pool cleaner thread that retained a reference |
| to the web application class loader for the first web application to use |
| a connection pool. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus |
| additional fixes). (markt) |
| </update> |
| <fix> |
| <bug>58626</bug>: Add support for a new environment variable |
| (<code>USE_NOHUP</code>) that causes <code>nohup</code> to be used when |
| starting Tomcat. It is disabled by default except on HP-UX where it is |
| enabled by default since it is required when starting Tomcat at boot on |
| HP-UX. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.2 (markt)" rtext="2016-05-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Ensure that annotated web components packed in web fragments will be |
| processed when <code>unpackWARs</code> is enabled. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.1 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>59206</bug>: Ensure NPE will not be thrown by |
| <code>o.a.tomcat.util.file.ConfigFileLoader</code> when |
| <code>catalina.base</code> is not specified. (violetagg) |
| </fix> |
| <fix> |
| <bug>59217</bug>: Remove duplication in the recycling of the path in |
| <code>o.a.tomcat.util.http.ServerCookie</code>. Patch is provided by |
| Kyohei Nakamura. (violetagg) |
| </fix> |
| <fix> |
| Fixed possible NPE in |
| <code>o.a.catalina.loader.WebappClassLoaderBase.getResourceAsStream</code> |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>59213</bug>: Async dispatches should be based off a wrapped request. |
| (remm) |
| </fix> |
| <fix> |
| Ensure that <code>javax.servlet.ServletRequest</code> and |
| <code>javax.servlet.ServletResponse</code> provided during |
| <code>javax.servlet.AsyncListener</code> registration are made |
| available via <code>javax.servlet.AsyncEvent.getSuppliedRequest</code> |
| and <code>javax.servlet.AsyncEvent.getSuppliedResponse</code> |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>59219</bug>: Ensure <code>AsyncListener.onError()</code> is called |
| if an <code>Exception</code> is thrown during async processing. (markt) |
| </fix> |
| <fix> |
| <bug>59220</bug>: Ensure that <code>AsyncListener.onComplete()</code> is |
| called if the async request times out and the response is already |
| committed. (markt) |
| </fix> |
| <fix> |
| <bug>59226</bug>: Process the <code>Class-Path</code> attribute from |
| JAR manifests for JARs on the class path excluding JARs packaged in |
| <code>WEB-INF/lib</code>. (markt) |
| </fix> |
| <fix> |
| <bug>59255</bug>: Fix possible NPE in mapper. (kkolinko/remm) |
| </fix> |
| <fix> |
| <bug>59256</bug>: <code>slf4j-taglib*.jar</code> should not be excluded |
| from the standard JAR scanning by default. (violetagg) |
| </fix> |
| <fix> |
| Clarify in the log message that specifying both urlPatterns and value |
| attributes in WebServlet and WebFilter annotations is not allowed. |
| (violetagg) |
| </fix> |
| <fix> |
| Ensure the exceptions caused by Valves will be available in the log |
| files so that they can be evaluated when |
| <code>o.a.catalina.valves.ErrorReportValve.showReport</code> is |
| disabled. Patch is provided by Svetlin Zarev. (violetagg) |
| </fix> |
| <fix> |
| Remove unused <code>distributable</code> attribute that is defined as |
| <code>TransientAttribute</code> of <code>Manager</code> in StoreConfig. |
| (kfujino) |
| </fix> |
| <fix> |
| Fix handling of Cluster Receiver in StoreConfig. The <code>bind</code> |
| and <code>host</code> attributes define as |
| <code>TransientAttribute</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>59261</bug>: <code>ServletRequest.getAsyncContext()</code> now |
| throws an <code>IllegalStateException</code> as required by the Servlet |
| specification if the request is not in asynchronous mode when called. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59269</bug>: Correct the implementation of |
| <code>PersistentManagerBase</code> so that <code>minIdleSwap</code> |
| functions as designed and sessions are swapped out to keep the active |
| session count below <code>maxActiveSessions</code>. (markt) |
| </fix> |
| <add> |
| Add the <code>org.apache.catalina.servlet4preview</code> package that |
| can be used to gain early access to Servlet 4.0 features. Note that this |
| package will <strong>not</strong> be present in Tomcat 9. (markt) |
| </add> |
| <fix> |
| Correctly configure the base path for a resources directory provided by |
| an expanded JAR file. Patch provided by hengyunabc. (markt) |
| </fix> |
| <add> |
| When multiple compressed formats are available and the client does not |
| express a preference, use the server order to determine the preferred |
| format. Based on a patch by gmokki. (markt) |
| </add> |
| <fix> |
| <bug>59284</bug>: Allow the Tomcat provided JASPIC |
| <code>SimpleServerAuthConfig</code> to pick up module configuration |
| properties from either the property set passed to its constructor or |
| from the properties passed in the call to <code>getAuthContext</code>. |
| Based on a patch by Thomas Maslen. (markt) |
| </fix> |
| <fix> |
| <bug>59310</bug>: Do not add a <code>Content-Length: 0</code> header for |
| custom responses to <code>HEAD</code> requests that do not set a |
| <code>Content-Length</code> value. (markt) |
| </fix> |
| <fix> |
| When normalizing paths, improve the handling when paths end with |
| <code>/.</code> or <code>/..</code> and ensure that input and output are |
| consistent with respect to whether or not they end with <code>/</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59317</bug>: Ensure that |
| <code>HttpServletRequest.getRequestURI()</code> returns an encoded URI |
| rather than a decoded URI after a dispatch. (markt) |
| </fix> |
| <fix> |
| Use the correct URL for the fragment when reporting errors processing |
| a <code>web-fragment.xml</code> file from a JAR located in an unpacked |
| WAR. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>JarScanner</code> only uses the explicit call-back to |
| process <code>WEB-INF/classes</code> and only when configured to treat |
| the contents of <code>WEB-INF/classes</code> as a possible exploded JAR. |
| (markt) |
| </fix> |
| <scode> |
| Remove the <code>java2DDisposerProtection</code> option from the |
| <code>JreMemoryLeakPreventionListener</code>. The leak is fixed in Java |
| 7 onwards and Tomcat 8 requires Java 7 so the option is unnecessary. |
| (markt) |
| </scode> |
| <fix> |
| Ensure that the value for the header <code>X-Frame-Options</code> is |
| constructed correctly according to the specification when |
| <code>ALLOW-FROM</code> option is used. (violetagg) |
| </fix> |
| <fix> |
| Fix an <code>IllegalArgumentException</code> if the first use of an |
| internal <code>Response</code> object requires JASPIC authentication. |
| (markt) |
| </fix> |
| <fix> |
| Do not trigger unnecessary session ID changes when using JASPIC and the |
| user is authenticated using cached credentials. (markt) |
| </fix> |
| <fix> |
| <bug>59437</bug>: Ensure that the JASPIC <code>CallbackHandler</code> is |
| thread-safe. (markt) |
| </fix> |
| <fix> |
| <bug>59449</bug>: In <code>ContainerBase</code>, ensure that the process |
| to remove a child container is the reverse of the process to add one. |
| Patch provided by Huxing Zhang. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Align cipher configuration parsing with current OpenSSL master. (markt) |
| </fix> |
| <update> |
| Change the default for <code>honorCipherOrder</code> to |
| <code>false</code>. With the current default TLS configuration, it is no |
| longer necessary for this to be <code>true</code> for a reasonably |
| secure configuration. (markt) |
| </update> |
| <add> |
| Add a new environment variable <code>JSSE_OPTS</code> that is intended |
| to be used to pass JVM wide configuration to the JSSE implementation. |
| The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code> |
| which protects against weak Diffie-Hellman keys. (markt) |
| </add> |
| <fix> |
| When running on Java 7, exclude DHE ciphers from the default cipher list |
| for JSSE connectors since they use weak 768 bit DH keys and cannot be |
| configured to use more secure keys. (markt) |
| </fix> |
| <fix> |
| <bug>58970</bug>: Fix a connection counting bug in the NIO connector |
| that meant some dropped connections were not removed from the current |
| connection count. (markt) |
| </fix> |
| <fix> |
| <bug>59289</bug>: Do not recycle upgrade processors in unexpected close |
| situations. (remm) |
| </fix> |
| <fix> |
| <bug>59295</bug>: Use <code>Locale.toLanguageTag()</code> to construct |
| the <code>Content-Language</code> HTTP header to ensure the locale is |
| correctly represented. Patch provided by zikfat. (markt) |
| </fix> |
| <update> |
| <bug>59295</bug>: Add support for using pem encoded certificates with |
| JSSE SSL. Submitted by Emmanuel Bourg with additional tweaks. (remm) |
| </update> |
| <fix> |
| Make the TLS certificate chain available to clients when using |
| JSSE+OpenSSL with the certificate chain stored in a Java KeyStore. |
| (markt) |
| </fix> |
| <fix> |
| Work around <a href="https://github.com/openssl/openssl/issues/188">a |
| known issue in OpenSSL</a> that does not permit the TLS handshake to be |
| failed if the ALPN negotiation fails. (markt) |
| </fix> |
| <update> |
| <bug>59421</bug>: Add direct HTTP/2 connection support. (remm) |
| </update> |
| <fix> |
| Correctly handle a call to <code>AsyncContext.complete()</code> from a |
| non-container thread when non-blocking I/O is being used. (markt) |
| </fix> |
| <fix> |
| <bug>59451</bug>: Correct Javadoc for <code>MessageBytes</code>. Patch |
| provided by Kyohei Nakamura. (markt) |
| </fix> |
| <fix> |
| <bug>59450</bug>: Correctly handle the case where the |
| <code>LegacyCookieProcessor</code> is configured with |
| <code>allowHttpSepsInV0</code> set to <code>false</code> and |
| <code>forwardSlashIsSeparator</code> set to <code>true</code>. Patch |
| provided by Kyohei Nakamura. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| When scanning JARs for TLDs, correctly handle the (rare) case where a |
| JAR has been exploded into <code>WEB-INF/classes</code> and the web |
| application is deployed as a packed WAR. (markt) |
| </fix> |
| <fix> |
| <bug>59640</bug>: NPEs with not found TLDs. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>59189</bug>: Explicitly release the native memory held by the |
| <code>Inflater</code> and <code>Deflater</code> when using |
| PerMessageDeflate and the WebSocket session ends. Based on a patch by |
| Henrik Olsson. (markt) |
| </fix> |
| <fix> |
| Return back a container specific extension to the WsServerContainer |
| to allow frameworks to more easily dispatch requests to WebSocket |
| endpoints. (violetagg) |
| </fix> |
| <fix> |
| Fix a regression caused by the connector refactoring and ensure that the |
| thread context class loader is set to the web application |
| classloader when processing WebSocket messages on the server. (markt) |
| </fix> |
| <fix> |
| Ensure that a client disconnection triggers the error handling for the |
| associated WebSocket end point. (markt) |
| </fix> |
| <add> |
| Make WebSocket client more robust when handling errors during the close |
| of a WebSocket session. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>59210</bug>: Server push example has to use |
| <code>o.a.catalina.connector.RequestFacade</code> when obtaining |
| <code>o.a.catalina.core.ApplicationPushBuilder</code>. Patch is |
| provided by Huxing Zhang. (violetagg) |
| </fix> |
| <fix> |
| <bug>59218</bug>: Correct the path to <code>jaspic-providers.xml</code> |
| in Jaspic How-To. Patch is provided by Tatsuya Bessho. (violetagg) |
| </fix> |
| <fix> |
| Remove button that has accidentally been added to the host manager. |
| Submitted by Coty Sutherland. (remm) |
| </fix> |
| <fix> |
| Update in the documentation the link to the maven repository where |
| Tomcat snapshot artifacts are deployed. (markt/violetagg) |
| </fix> |
| <fix> |
| Clarify in the documentation that calls to |
| <code>ServletContext.log(String, Throwable)</code> or |
| <code>GenericServlet.log(String, Throwable)</code> are logged at the |
| SEVERE level. (violetagg) |
| </fix> |
| <fix> |
| Correct a typo in SSL/TLS Configuration How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Avoid NPE when a proxy node failed to retrieve a backup entry. (kfujino) |
| </fix> |
| <add> |
| Add log of when received an unexpected messages. (kfujino) |
| </add> |
| <add> |
| Add the flag indicating that member is a localMember. (kfujino) |
| </add> |
| <fix> |
| Fix potential NPE that depends on the setting order of attributes of |
| static member when using the static cluster. (kfujino) |
| </fix> |
| <add> |
| Add get/set method for the channel that is related to |
| <code>ChannelInterceptor</code>. (kfujino) |
| </add> |
| <fix> |
| As with the multicast cluster environment, in the static cluster |
| environment, the local member inherits properties from the cluster |
| receiver. (kfujino) |
| </fix> |
| <add> |
| Add get/set method for the channel that is related to each Channel |
| services. (kfujino) |
| </add> |
| <add> |
| Add name to channel in order to identify channels. In tomcat cluster |
| environment, it is set the cluster name + "-Channel" as default value. |
| (kfujino) |
| </add> |
| <add> |
| Add the channel name to the thread which is invoked by channel services |
| in order to identify the associated channel. (kfujino) |
| </add> |
| <fix> |
| Ensure that clear the channel instance from channel services when |
| stopping channel. (kfujino) |
| </fix> |
| <add> |
| Implement map state in the replication map. (kfujino) |
| </add> |
| <fix> |
| Ensure that the ping is not executed during the start/stop of the |
| replication map. (kfujino) |
| </fix> |
| <fix> |
| In ping processing in the replication map, send not the |
| <code>INIT</code> message but the newly introduced <code>PING</code> |
| message. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>59209</bug>: Remove <code>honorCipherOrder=false</code> attribute |
| from the connector example in server.xml. When the block is uncommented |
| the connector will use the default value for this attribute which is |
| <code>false</code>. If one needs to enable it, one can add it |
| explicitly to the connector definition. Use of this feature requires |
| Java 8 or later. Patch is provided by Huxing Zhang. (violetagg) |
| </fix> |
| <fix> |
| <bug>59211</bug>: Add hamcrest to Eclipse classpath. Patch is provided |
| by Huxing Zhang. (violetagg) |
| </fix> |
| <update> |
| <bug>59280</bug>: Update the NSIS Installer used to build the |
| Windows Installers to version 2.51. (kkolinko) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.7 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2h and APR |
| 1.5.2. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.5.0 (markt)" rtext="2016-03-24"> |
| <subsection name="General"> |
| <changelog> |
| <update> |
| Remove support for Comet. (markt) |
| </update> |
| <update> |
| Tighten up the default file permissions for the <code>.tar.gz</code> |
| distribution so no files or directories are world readable by default. |
| Configure Tomcat to run with a default umask of <code>0027</code> which |
| may be overridden by setting <code>UMASK</code> in |
| <code>setenv.sh</code>. (markt) |
| </update> |
| <update> |
| Remove native code (Windows Service Wrapper, APR/native connector) |
| support for Windows Itanium. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| The default HTTP cookie parser has been changed to |
| <code>org.apache.tomcat.util.http.Rfc6265CookieProcessor</code>. (markt) |
| </update> |
| <scode> |
| Refactor creation of <code>MapperListener</code> to ensure that the |
| <code>Mapper</code> used is the <code>Mapper</code> associated with the |
| <code>Service</code> for which the listener was created. (markt) |
| </scode> |
| <add> |
| Move the functionality that provides redirects for context roots and |
| directories where a trailing <code>/</code> is added from the Mapper to |
| the <code>DefaultServlet</code>. This enables such requests to be |
| processed by any configured Valves and Filters before the redirect is |
| made. This behaviour is configurable via the |
| <code>mapperContextRootRedirectEnabled</code> and |
| <code>mapperDirectoryRedirectEnabled</code> attributes of the Context |
| which may be used to restore the previous behaviour. (markt) |
| </add> |
| <scode> |
| Refactor <code>Service.getContainer()</code> to return an |
| <code>Engine</code> rather than a <code>Container</code>. (markt) |
| </scode> |
| <fix> |
| <bug>34319</bug>: Only load those keys in |
| <code>StoreBase.processExpire</code> from JDBCStore that are old enough |
| to be expired. Based on a patch by Tom Anderson. (fschumacher) |
| </fix> |
| <add> |
| <bug>58351</bug>: Make the server build date and server version number |
| accessible via JMX. Patch provided by Huxing Zhang. (markt) |
| </add> |
| <add> |
| <bug>56917</bug>: As per RFC7231 (HTTP/1.1), allow HTTP/1.1 and later |
| redirects to use relative URIs. This is controlled by a new attribute |
| <code>useRelativeRedirects</code> on the <strong>Context</strong> and |
| defaults to <code>true</code>. (markt) |
| </add> |
| <fix> |
| <bug>58629</bug>: Allow an embedded Tomcat instance to start when the |
| <code>Service</code> has no <code>Engine</code> configured. (markt) |
| </fix> |
| <fix> |
| Correctly notify the MapperListener associated with a Service if the |
| Engine for that Service is changed. (markt) |
| </fix> |
| <add> |
| Make a web application's CredentialHandler available through a context |
| attribute. This allows a web application to use the same algorithm |
| for validating or generating new stored credentials from cleartext |
| ones. (schultz) |
| </add> |
| <fix> |
| <bug>58635</bug>: Enable break points to be set within agent code when |
| running Tomcat with a Java agent. Based on a patch by Huxing Zhang. |
| (markt) |
| </fix> |
| <fix> |
| Fixed potential NPE in <code>HostConfig</code> while deploying an |
| application. Issue reported by coverity scan. (violetagg) |
| </fix> |
| <fix> |
| <bug>58655</bug>: Fix an <code> IllegalStateException</code> when |
| calling <code>HttpServletResponse.sendRedirect()</code> with the |
| <code>RemoteIpFilter</code>. This was caused by trying to correctly |
| generate the absolute URI for the redirect. With the fix for |
| <bug>56917</bug>, redirects may now be relative making the |
| <code>sendRedirect()</code> implementation for the |
| <code>RemoteIpFilter</code> much simpler. This also addresses issues |
| where the redirect may not have behaved as expected when redirecting |
| from http to https to from https to http. (markt) |
| </fix> |
| <fix> |
| <bug>58657</bug>: Exceptions in a Servlet 3.1 <code>ReadListener</code> |
| or <code>WriteListener</code> do not need to be immediately fatal to the |
| connection. Allow an error response to be written. (markt) |
| </fix> |
| <fix> |
| Correct implementation of |
| <code>validateClientProvidedNewSessionId</code> so client provided |
| session IDs may be rejected if validation is enabled. (markt) |
| </fix> |
| <fix> |
| <bug>58701</bug>: Reset the <code>instanceInitialized</code> field in |
| <code>StandardWrapper</code> when unloading a Servlet so that a new |
| instance may be correctly initialized. (markt) |
| </fix> |
| <update> |
| Add a new flag <code>aprPreferred</code> to the Apr listener. if set to |
| <code>false</code>, when using the connector defaults, it will use |
| NIO + OpenSSL if tomcat-native is available, rather than the APR |
| connector. (remm) |
| </update> |
| <fix> |
| Add path parameter handling to |
| <code>HttpServletRequest.getContextPath()</code>. This is a follow-up to |
| the fix for <bug>57215</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>58692</bug>: Make <code>StandardJarScanner</code> more robust. Log |
| a warning if a class path entry cannot be scanned rather than triggering |
| the failure of the web application. Includes a test case written by |
| Derek Abdine. (markt) |
| </fix> |
| <fix> |
| <bug>58702</bug>: Ensure an access log entry is generated if the client |
| aborts the connection. (markt) |
| </fix> |
| <fix> |
| Fixed various issues reported by Findbugs. (violetagg) |
| </fix> |
| <fix> |
| <bug>58735</bug>: Add support for the <code>X-XSS-Protection</code> |
| header to the <code>HttpHeaderSecurityFilter</code>. Patch provided by |
| Jacopo Cappellato. (markt) |
| </fix> |
| <fix> |
| Add the <code>StatusManagerServlet</code> to the list of Servlets that |
| can only be loaded by privileged applications. (markt) |
| </fix> |
| <fix> |
| Simplify code and fix messages in |
| <code>org.apache.catalina.core.DefaultInstanceManager</code> class. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>58751</bug>: Correctly handle the case where an |
| <code>AsyncListener</code> dispatches to a Servlet on an asynchronous |
| timeout and the Servlet uses <code>sendError()</code> to trigger an |
| error page. Includes a test case based on code provided by Andy |
| Wilkinson.(markt) |
| </fix> |
| <fix> |
| Ensure that the proper file encoding, if specified, will be used when |
| a readme file is served by DefaultServlet. (violetagg) |
| </fix> |
| <fix> |
| Fix declaration of <code>localPort</code> attribute of Connector MBean: |
| it is read-only. (kkolinko) |
| </fix> |
| <fix> |
| <bug>58766</bug>: Make skipping non-class files during annotation |
| scanning faster by checking the file name first. Improve debug logging. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>58768</bug>: Log a warning if a redirect fails because of an |
| invalid location. (markt) |
| </fix> |
| <scode> |
| <bug>58827</bug>: Remove remains of JSR-77 implementation. (markt) |
| </scode> |
| <fix> |
| <bug>58836</bug>: Correctly merge query string parameters when |
| processing a forwarded request where the target includes a query string |
| that contains a parameter with no value. (markt/kkolinko) |
| </fix> |
| <fix> |
| Make sure that shared Digester is reset in an unlikely error case |
| in <code>HostConfig.deployWAR()</code>. (kkolinko) |
| </fix> |
| <add> |
| Extend the feature available in the cluster session manager |
| implementations that enables session attribute replication to be |
| filtered based on attribute name to all session manager implementations. |
| Note that configuration attribute name has changed from |
| <code>sessionAttributeFilter</code> to |
| <code>sessionAttributeNameFilter</code>. Apply the filter on load as |
| well as unload to ensure that configuration changes made while the web |
| application is stopped are applied to any persisted data. (markt) |
| </add> |
| <add> |
| Extend the session attribute filtering options to include filtering |
| based on the implementation class of the value and optional |
| <code>WARN</code> level logging if an attribute is filtered. These |
| options are available for all of the Manager implementations that ship |
| with Tomcat. When a <code>SecurityManager</code> is used filtering will |
| be enabled by default. (markt) |
| </add> |
| <scode> |
| Remove <code>distributable</code> and <code>maxInactiveInterval</code> |
| from the <code>Manager</code> interface because the attributes are never |
| used. The equivalent attributes from the <code>Context</code> always |
| take precedence. (markt) |
| </scode> |
| <fix> |
| <bug>58867</bug>: Improve checking on Host start for WAR files that have |
| been modified while Tomcat has stopped and re-expand them if |
| <code>unpackWARs</code> is <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58900</bug>: Correctly undeploy symlinked resources and prevent an |
| infinite cycle of deploy / undeploy. (markt) |
| </fix> |
| <fix> |
| Protect initialization of <code>ResourceLinkFactory</code> when |
| running with a SecurityManager. (kkolinko) |
| </fix> |
| <fix> |
| Correct a thread safety issue in the filtering of session attributes |
| based on the implementing class name of the value object. (markt) |
| </fix> |
| <fix> |
| Fix class loader decision on the delegation for class loading and |
| resource lookup and make it faster too. (rjung) |
| </fix> |
| <fix> |
| <bug>58905</bug>: Ensure that <code>Tomcat.silence()</code> silences the |
| correct logger and respects the current setting. (markt) |
| </fix> |
| <fix> |
| <bug>58946</bug>: Ensure that the request parameter map remains |
| immutable when processing via a RequestDispatcher. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>/WEB-INF/classes</code> is never processed as a web |
| fragment. (markt) |
| </fix> |
| <update> |
| Switch default connector when native is installed. Unless configured |
| otherwise, the NIO endpoint will be used by default. If SSL is |
| configured, OpenSSL will be used rather than JSSE. (remm) |
| </update> |
| <fix> |
| Correct a regression in the fix for <bug>58867</bug>. When configuring a |
| Context to use an external directory for the <code>docBase</code>, and |
| that directory happens to be located along side the original WAR, use |
| the directory as the <code>docBase</code> rather than expanding the |
| WAR into the <code>appBase</code> and using the newly created expanded |
| directory as the <code>docBase</code>. (markt) |
| </fix> |
| <add> |
| <bug>58988</bug>: Special characters in the substitutions for the |
| RewriteValve can now be quoted with a backslash. (fschumacher) |
| </add> |
| <fix> |
| <bug>58999</bug>: Fix class and resource name filtering in |
| WebappClassLoader. It throws a StringIndexOutOfBoundsException if the |
| name is exactly "org" or "javax". (rjung) |
| </fix> |
| <add> |
| Add JASPIC (JSR-196) support. (markt) |
| </add> |
| <add> |
| Make checking for var and map replacement in RewriteValve a bit stricter |
| and correct detection of colon in var replacement. (fschumacher) |
| </add> |
| <fix> |
| Refactor the web application class loader to reduce the impact of JAR |
| scanning on the memory footprint of the web application. (markt) |
| </fix> |
| <fix> |
| Fix some resource leaks in the error handling for accessing files from |
| JARs and WARs. (markt) |
| </fix> |
| <fix> |
| Refactor the JAR and JAR-in-WAR resource handling to reduce the memory |
| footprint of the web application. (markt) |
| </fix> |
| <fix> |
| Refactor the web.xml parsing so a new parser is created every time the |
| web application starts rather than creating and caching the parser when |
| the Context is created. This enables the parser to take account of |
| modified Context configuration parameters and reduces (slightly) the |
| memory footprint of a running Tomcat instance. (markt) |
| </fix> |
| <update> |
| Switch the web application class loader to the |
| <code>ParallelWebappClassLoader</code> by default. (markt) |
| </update> |
| <fix> |
| <bug>57809</bug>: Remove the custom context attribute that held the |
| effective web.xml. Components needing access to configuration |
| information may access it via the Servlet API. (markt) |
| </fix> |
| <fix> |
| Refactor JAR scanning to reduce memory footprint. (markt) |
| </fix> |
| <fix> |
| <bug>59001</bug>: Correctly handle the case when Tomcat is installed on |
| a path where one of the segments ends in an exclamation mark. (markt) |
| </fix> |
| <fix> |
| Expand the fix for <bug>59001</bug> to cover the special sequences used |
| in Tomcat's custom jar:war: URLs. (markt) |
| </fix> |
| <fix> |
| <bug>59043</bug>: Avoid warning while expiring sessions associated with |
| a single sign on if <code>HttpServletRequest.logout()</code> is used. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59054</bug>: Ensure that using the |
| <code>CrawlerSessionManagerValve</code> in a distributed environment |
| does not trigger an error when the Valve registers itself in the |
| session. (markt) |
| </fix> |
| <fix> |
| Add socket properties support to storeconfig. (remm) |
| </fix> |
| <fix> |
| Fix incorrect parsing of the NE and NC flags in rewrite rules. (remm) |
| </fix> |
| <fix> |
| <bug>59065</bug>: Correct the timing of the check for colons in paths |
| on non-Windows systems implemented in <code>catalina.sh</code> so it |
| works correctly with Cygwin. Patch provided by Ed Randall. (markt) |
| </fix> |
| <fix> |
| When a Host is configured with an appBase that does not exist, create |
| the appBase before trying to expand an external WAR file into it. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59115</bug>: When using the Servlet 3.0 file upload, the submitted |
| file name may be provided as a token or a quoted-string. If a |
| quoted-string, unquote the string before returning it to the user. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59123</bug>: Close <code>NamingEnumeration</code> objects used by |
| the <code>JNDIRealm</code> once they are no longer required. |
| (fschumacher/markt) |
| </fix> |
| <add> |
| Implement the proposed Servlet 4.0 API to provide mapping type |
| information for the current request. (markt) |
| </add> |
| <fix> |
| <bug>59138</bug>: Correct a false positive warning for ThreadLocal |
| related memory leaks when the key class but not the value class has been |
| loaded by the web application class loader. (markt) |
| </fix> |
| <add> |
| <bug>59017</bug>: Make the pre-compressed file support in the Default |
| Servlet generic so any compression may be used rather than just gzip. |
| Patch provided by Mikko Tiihonen. (markt) |
| </add> |
| <fix> |
| <bug>59145</bug>: Don't log an invalid warning when a user logs out of |
| a session associated with SSO. (markt) |
| </fix> |
| <fix> |
| <bug>59150</bug>: Add an additional flag on APR listener to allow |
| disabling automatic use of OpenSSL. (remm) |
| </fix> |
| <fix> |
| <bug>59151</bug>: Fix a regression in the fix for <bug>56917</bug> that |
| added additional (and arguably unnecessary) validation to the provided |
| redirect location. (markt) |
| </fix> |
| <fix> |
| <bug>59154</bug>: Fix a <code>NullPointerException</code> in the |
| <code>JAASMemoryLoginModule</code> resulting from the introduction of |
| the <code>CredentialHandler</code> to <code>Realm</code>s. |
| (schultz/markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| Remove support for the HTTP BIO and AJP BIO connectors. (markt) |
| </update> |
| <scode> |
| Refactor HTTP upgrade and AJP implementations to reduce duplication. |
| (markt) |
| </scode> |
| <add> |
| Add support for HPACK header encoding and decoding, contributed |
| by Stuart Douglas. (remm) |
| </add> |
| <add> |
| <bug>57108</bug>: Add support for Server Name Indication (SNI). There |
| has been significant changes to the SSL configuration in server.xml to |
| support this. (markt) |
| </add> |
| <add> |
| Add SSL engine for JSSE backed by OpenSSL. Includes ALPN support. |
| Based on code contributed by Numa de Montmollin and derived from code |
| developed by Twitter and Netty. (remm) |
| </add> |
| <fix> |
| RFC 7230 states that clients should ignore reason phrases in HTTP/1.1 |
| response messages. Since the reason phrase is optional, Tomcat no longer |
| sends it. As a result the system property |
| <code>org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER</code> is no |
| longer used and has been removed. (markt) |
| </fix> |
| <update> |
| The minimum required Tomcat Native version has been increased to 1.2.2. |
| The 1.2.x branch includes ALPN and SNI support which are required for |
| HTTP/2. (markt) |
| </update> |
| <add> |
| Add support for HTTP/2 including server push. (markt) |
| </add> |
| <fix> |
| <bug>58621</bug>: The certificate chain cannot be set using the main |
| certificate attribute, so restore the certificate chain property. (remm) |
| </fix> |
| <fix> |
| Allow a new SSL config type where a connector can use either JSSE or |
| OpenSSL. Both could be allowed, but it would likely create support |
| issues. This type is used by the OpenSSL implementation for NIOx. (remm) |
| </fix> |
| <fix> |
| Improve upgrade context classloader handling by using Context.bind and |
| unbind. (remm) |
| </fix> |
| <add> |
| Improve OpenSSL keystore/truststore configuration by using the code |
| from the JSSE implementation. (remm, jfclere) |
| </add> |
| <fix> |
| Fix a potential loop when a client drops the connection unexpectedly. |
| (markt) |
| </fix> |
| <add> |
| OpenSSL renegotiation support for client certificate authentication. |
| (remm) |
| </add> |
| <fix> |
| Fix NIO connector renegotiation. (remm) |
| </fix> |
| <fix> |
| <bug>58659</bug>: Fix a potential deadlock during HTTP/2 processing when |
| the connection window size is limited. (markt) |
| </fix> |
| <fix> |
| Correct an NPE when listing the enabled ciphers (e.g. via the Manager |
| web application) for a TLS enabled APR/native connector. (markt) |
| </fix> |
| <add> |
| New configuration option <code>ajpFlush</code> for the AJP connectors |
| to disable the sending of AJP flush packets. (rjung) |
| </add> |
| <fix> |
| Handle the case in the NIO connector where the required TLS buffer sizes |
| increase after the connection has been initiated. (markt) |
| </fix> |
| <fix> |
| Handle the case in the NIO2 connector where the required TLS buffer |
| sizes increase after the connection has been initiated. (markt/remm) |
| </fix> |
| <fix> |
| Bad processing of handshake errors in NIO2. (remm) |
| </fix> |
| <fix> |
| Use JSSE session configuration options with OpenSSL. (remm) |
| </fix> |
| <fix> |
| <bug>59015</bug>: Fix potential cause of endless APR Poller loop during |
| shutdown if the Poller experiences an error during the shutdown process. |
| (markt) |
| </fix> |
| <fix> |
| Align cipher aliases for <code>kECDHE</code> and <code>ECDHE</code> with |
| the current OpenSSL implementation. (markt) |
| </fix> |
| <fix> |
| <bug>59081</bug>: Retain the user defined cipher order when defining |
| ciphers. (markt) |
| </fix> |
| <fix> |
| <bug>59089</bug>: Correctly ignore HTTP headers that include non-token |
| characters in the header name. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57136#c25</bug>: Change default value of |
| <code>quoteAttributeEL</code> setting in Jasper to be <code>true</code> |
| for better compatibility with other implementations and older versions |
| of Tomcat. Add command line option <code>-no-quoteAttributeEL</code> in |
| JspC. (kkolinko) |
| </fix> |
| <fix> |
| Fix handling of missing messages in |
| <code>org.apache.el.util.MessageFactory</code>. (violetagg) |
| </fix> |
| <update> |
| Update to the Eclipse JDT Compiler 4.5.1. (markt) |
| </update> |
| <fix> |
| <bug>57583</bug>: Improve the performance of |
| <code>javax.servlet.jsp.el.ScopedAttributeELResolver</code> when |
| resolving attributes that do not exist. This improvement only works when |
| Jasper is used with Tomcat's EL implementation. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Enable an explicit configuration of local member in the static cluster |
| membership. (kfujino) |
| </fix> |
| <fix> |
| Fix potential integer overflow in <code>DeltaSession</code>. |
| Reported by coverity scan. (fschumacher) |
| </fix> |
| <fix> |
| In order to avoid that the heartbeat thread and the background thread to |
| run <code>Channel.heartbeat</code> simultaneously, if |
| <code>heartbeatBackgroundEnabled</code> of <code>SimpleTcpCluster</code> |
| set to <code>true</code>, ensure that the heartbeat thread does not |
| start. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| <bug>55006</bug>: The WebSocket client now honors the |
| <code>java.net.java.net.ProxySelector</code> configuration (using the |
| HTTP type) when establishing WebSocket connections to servers. Based on |
| a patch by Niki Dokovski. (markt) |
| </add> |
| <fix> |
| <bug>57489</bug>: Ensure <code>onClose()</code> is called when a |
| WebSocket connection is closed even if the sending of the close message |
| fails. Includes test cases by Barry Coughlan. (markt) |
| </fix> |
| <fix> |
| <bug>58624</bug>: Correct a potential deadlock if the WebSocket |
| connection is closed when a message write is in progress. (markt) |
| </fix> |
| <fix> |
| Fix a timing issue on session close that could result in an exception |
| being thrown for an incomplete message even through the message was |
| completed. (markt) |
| </fix> |
| <fix> |
| Correctly handle compression of partial messages when the final message |
| fragment has a zero length payload. (markt) |
| </fix> |
| <fix> |
| <bug>59119</bug>: Correct read logic for WebSocket client when using |
| secure connections. (markt) |
| </fix> |
| <fix> |
| <bug>59134</bug>: Correct client connect logic for secure connections |
| made through a proxy. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>48674</bug>: Implement an option within the Host Manager web |
| application to persist the current configuration. Based on a patch by |
| Coty Sutherland. (markt) |
| </fix> |
| <fix> |
| <bug>58631</bug>: Correct the continuation character use in the Windows |
| Service How-To page of the documentation web application. (markt) |
| </fix> |
| <fix> |
| Correct the SSL documentation for deprecated attributes to point to the |
| correct, new location for attributes related to individual certificates. |
| (markt) |
| </fix> |
| <fix> |
| Correct some typos in the JNDI resources How-To. (markt) |
| </fix> |
| <fix> |
| Don't create session unnecessarily in the Manager application. (markt) |
| </fix> |
| <fix> |
| Don't create session unnecessarily in the Host Manager application. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58723</bug>: Clarify documentation and error messages for the text |
| interface of the manager to make clear that version must be used with |
| path when referencing contexts deployed using parallel deployment. |
| (markt) |
| </fix> |
| <add> |
| Document <code>test.threads</code> option in BUILDING.txt. (kkolinko) |
| </add> |
| <fix> |
| Correct an error in the documentation of the expected behaviour for |
| automatic deployment. If a WAR is updated and an expanded directory is |
| present, the directory will always be deleted and recreated by expanding |
| the WAR if <code>unpackWARs</code> is <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58935</bug>: Remove incorrect references in the documentation to |
| using <code>jar:file:</code> URLs with the Manager application. (markt) |
| </fix> |
| <fix> |
| Correct the description of the |
| <code>ServletRequest.getServerPort()</code> in Proxy How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <add> |
| The Manager and Host Manager applications are now only accessible via |
| <code>localhost</code> by default. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Clarify the handling of Copy message and Copy nodes. (kfujino) |
| </fix> |
| <fix> |
| Ensure that the static member is registered to the add suspect list even |
| if the static member that is registered to the remove suspect list has |
| disappeared. (kfujino) |
| </fix> |
| <fix> |
| When using a static cluster, add the members that have been cached in |
| the membership service to the map members list in order to ensure that |
| the map member is a static member. (kfujino) |
| </fix> |
| <fix> |
| Add support for the startup notification of local members in the static |
| cluster. (kfujino) |
| </fix> |
| <fix> |
| Ignore the unnecessary member remove operation from different domain. |
| (kfujino) |
| </fix> |
| <fix> |
| Add support for the shutdown notification of local members in the static |
| cluster. (kfujino) |
| </fix> |
| <fix> |
| If promoting a proxy node to a primary node when getting a session, |
| notify the change of the new primary node to the original backup node. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Correct evaluation of system property |
| <code>org.apache.tomcat.jdbc.pool.onlyAttemptCurrentClassLoader</code>. |
| It was basically ignored before. Reported by coverity scan. (fschumacher) |
| </fix> |
| <fix> |
| Fix potential integer overflow in <code>ConnectionPool</code> and |
| <code>PooledConnection</code>. Reported by coverity scan. (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Allow to configure multiple JUnit test class patterns with the build |
| property <code>test.name</code> and document the property in |
| BUILDING.txt. (rjung) |
| </add> |
| <add> |
| Support the use of the <code>threads</code> attribute on Ant's |
| junit task. Note that using this with a value of greater than one will |
| disable Cobertura code coverage. (markt) |
| </add> |
| <update> |
| Update optional Checkstyle library to 6.14.1. (kkolinko) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.4 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2e and APR |
| 1.5.1. (markt) |
| </update> |
| <update> |
| Update the NSIS Installer used to build the Windows Installers to |
| version 2.50. (markt/kkolinko) |
| </update> |
| <update> |
| Update the internal fork of Commons BCEL to r1725718 to align with the |
| refactoring for BCEL 6, the next major BCEL release. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP 2 to r1725730 (2.1.1 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Pool 2 to r1725738 (2.4.2 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to r1725746 (1.9 plus |
| additional fixes). (markt) |
| </update> |
| <fix> |
| <bug>58283</bug>: Change the default download location for libraries |
| during the build process from <code>/usr/share/java</code> to |
| <code>${user.home}/temp</code>. Patch provided by Ahmed Hosni. (markt) |
| </fix> |
| <fix> |
| <bug>59031</bug>: When using the Windows uninstaller, do not remove the |
| contents of any directories that have been symlinked into the Tomcat |
| directory structure. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.5 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2g and APR |
| 1.5.1. (markt) |
| </update> |
| <update> |
| Modify the default <code>tomcat-users.xml</code> file to make it harder |
| for users to configure the entries intended for use with the examples |
| web application for the Manager application. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| </body> |
| </document> |