| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <!DOCTYPE document [ |
| <!ENTITY project SYSTEM "project.xml"> |
| ]> |
| <?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?> |
| <document url="changelog.html"> |
| |
| &project; |
| |
| <properties> |
| <author email="remm at apache.org">Remy Maucherat</author> |
| <author email="fhanik at apache.org">Filip Hanik</author> |
| <author email="rjung at apache.org">Rainer Jung</author> |
| <author email="kkolinko at apache.org">Konstantin Kolinko</author> |
| <author email="pero at apache.org">Peter Rossbach</author> |
| <author email="kfujino at apache.org">Keiichi Fujino</author> |
| <author email="timw at apache.org">Tim Whittington</author> |
| <author email="mturk at apache.org">Mladen Turk</author> |
| <author email="schultz at apache.org">Christopher Schultz</author> |
| <author email="slaurent at apache.org">Sylvain Laurent</author> |
| <author email="violetagg at apache.org">Violeta Georgieva</author> |
| <author email="jboynes at apache.org">Jeremy Boynes</author> |
| <author email="fschumacher at apache.org">Felix Schumacher</author> |
| <author email="huxing at apache.org">Huxing Zhang</author> |
| <author email="michaelo at apache.org">Michael Osipov</author> |
| <title>Changelog</title> |
| <no-comments /> |
| </properties> |
| |
| <body> |
| <!-- |
| Subsection ordering: |
| General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications, |
| Extras, Tribes, jdbc-pool, Other |
| |
| Item Ordering: |
| |
| Fixes having an issue number are sorted by their number, ascending. |
| |
| There is no ordering by add/update/fix. |
| |
| Other fixed issues are added to the end of the list, chronologically. |
| They eventually become mixed with the numbered issues (i.e., numbered |
| issues do not "pop up" wrt. others). |
| --> |
| <section name="Tomcat 7.0.107 (violetagg)"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct numerous spellings throughout the code base. Based on a pull |
| request from John Bampton. (markt) |
| </fix> |
| <fix> |
| <bug>64735</bug>: Ensure that none of the methods on a |
| <code>ServletContext</code> instance always fail when running under a |
| SecurityManager. Pull request provided by Kyle Stiemann. (markt) |
| </fix> |
| <fix> |
| <bug>64765</bug>: Ensure that the number of currently processing threads |
| is tracked correctly when a web application is undeployed, long running |
| requests are being processed and |
| <code>renewThreadsWhenStoppingContext</code> is enabled for the web |
| application. (markt) |
| </fix> |
| <add> |
| Improve the error messages when running under JPMS without the necessary |
| options to enable reflection required by the memory leak prevention / |
| detection code. (markt) |
| </add> |
| <fix> |
| <bug>64805</bug>: Correct imports used by <code>JMXProxyServlet</code>. |
| (markt) |
| </fix> |
| <add> |
| <bug>64871</bug>: Log a warning if Tomcat blocks access to a file |
| because it uses symlinks. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix processing of URIs with %nn encoded solidus characters when |
| <code>encodedSolidusHandling</code> was set to <code>passthrough</code> |
| and the encoded solidus was preceded by other %nn encoded characters. |
| Based on a pull request by willmeck. (markt) |
| </fix> |
| <fix> |
| <bug>55160</bug>: Re-fix this bug after the original fix was reverted by |
| a separate fix to timeouts in 7.0.81. (markt) |
| </fix> |
| <add> |
| Add additional debug logging for I/O issues when communicating with the |
| user agent. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Update the Manager How-To in the documentation web application to |
| clarify when a user may wish to deploy additional instances of the |
| Manager web application. (markt) |
| </fix> |
| <fix> |
| <bug>64797</bug>: Align manager.xml template file in Host-Manager with |
| context.xml of real Manager web application. (isapir) |
| </fix> |
| <add> |
| Configure the examples, Manager and Host Manager to use the HTTP header |
| security filter with default settings apart from no HSTS header. Based |
| on a suggestion by Debangshu Kundu. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| When building, only rebuild JAR files if the contents have changed. |
| (markt) |
| </add> |
| <add> |
| Improvements to Chinese translations. Pull request provided by Yang |
| Yang. (markt) |
| </add> |
| <add> |
| Expand coverage of Russian translations. Pull request provided by |
| Nikolay Gribanov. (markt) |
| </add> |
| <update> |
| Updated to Ant 1.9.1. The build now requires a minimum of Ant 1.9.1. |
| (markt) |
| </update> |
| <fix> |
| Fix running service.bat when called from <code>$CATALINA_HOME</code>. |
| (markt) |
| </fix> |
| <fix> |
| Complete the fix for <bug>63815</bug>. Users wishing to use system |
| properties that require quoting with <code>catalina.sh</code> and the |
| <code>debug</code> option must use a JRE that includes the fix for <a |
| href="https://bugs.openjdk.java.net/browse/JDK-8234808">JDK-8234808</a>. |
| (markt) |
| </fix> |
| <add> |
| Improvements to Chinese translations. Provided by leeyazhou. (markt) |
| </add> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| <add> |
| Improvements to Spanish translations. Provided by Andrewlanecarr. |
| (markt) |
| </add> |
| <add> |
| Improvements to Russian translations. Provided by Azat. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.106 (violetagg)" rtext="released 2020-09-20"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>64582</bug>: Pre-load the <code>CoyoteOutputStream</code> class to |
| prevent a potential exception when running under a security manager. |
| Patch provided by Johnathan Gilday. (markt) |
| </fix> |
| <add> |
| Refactor the Default servlet to provide a single method that can be |
| overridden (<code>generateETag()</code>) should a custom entity tag |
| format be required. (markt) |
| </add> |
| <fix> |
| Improve the validation of entity tags provided with conditional |
| requests. Requests with headers that contain invalid entity tags will be |
| rejected with a 400 response code. Improve the matching algorithm used |
| to compare entity tags in conditional requests with the entity tag for |
| the requested resource. Based on a pull request by Sergey Ponomarev. |
| (markt) |
| </fix> |
| <update> |
| Deprecate the JDBCRealm. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Refactor the implementation of |
| <code>ServletInputStream.available()</code> to provide a more accurate |
| return value, particularly when end of stream has been reached. (markt) |
| </fix> |
| <fix> |
| Fix a rare potential race condition when checking for timeouts with the |
| APR connector. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Requests received via proxies may be marked as using the <code>ws</code> |
| or <code>wss</code> protocol rather than <code>http</code> or |
| <code>https</code>. Ensure that such requests are not rejected. PR |
| provided by Ronny Perinke. (markt) |
| </fix> |
| <add> |
| <bug>64644</bug>: Add support for a read idle timeout and a write idle |
| timeout to the WebSocket session via custom properties in the user |
| properties instance associated with the session. Based on a pull request |
| by sakshamverma. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Remove the localization of the text output of the Manager application |
| list of contexts and the Host Manager application list of hosts so that |
| the output is more consistent. PR provided by Holomark. (markt) |
| </fix> |
| <fix> |
| Remove the out of date functional specification section from the |
| documentation web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improve the quality of the Japanese translations provided with Apache |
| Tomcat. Includes contributions from Yuki Shira. (markt) |
| </add> |
| <fix> |
| <bug>64645</bug>: Use a non-zero exit code if the |
| <code>service.bat</code> does not complete normally. (markt) |
| </fix> |
| <add> |
| Update the internal fork of Apache Commons BCEL to 6.5.0. Code clean-up |
| only. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons Codec to 53c93d0 (2020-08-18, |
| 1.15-SNAPSHOT). Code clean-up. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons FileUpload to c25a4e3 |
| (2020-08-26, 2.0-SNAPSHOT). Code clean-up and RFC 2231 support. (markt) |
| </add> |
| <update> |
| Update to Commons Daemon 1.2.3. This adds support to jsvc for |
| <code>--enable-preview</code> and native memory tracking (Procrun |
| already supported these features), adds some additional debug logging and |
| adds a new feature to Procrun that outputs the command to (re-)configure |
| the service with the current settings. (markt) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.25. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.105 (violetagg)" rtext="released 2020-07-07"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>64470</bug>: The default value of the solidus handling should |
| reflect the associated system property. (remm) |
| </fix> |
| <add> |
| Add <code>application/wasm</code> to the media types recognised by |
| Tomcat. Based on a PR by Thiago Henrique Hüpner. (markt) |
| </add> |
| <fix> |
| <bug>64541</bug>: Refactor the DTD used to validate |
| <code>mbeans-descriptors.xml</code> files to avoid issues when XML |
| entity expansion is limited or disabled. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>64483</bug>: Log a warning if an AJP request is rejected because it |
| contains an unexpected request attribute. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>64560</bug>: Refactor the replication of a changed session ID for a |
| replicated session so that the list of changes associated with the |
| session is not reset when the session ID changes. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Consistently throw a <code>DeploymentException</code> when an invalid |
| endpoint path is specified and catch invalid endpoint paths earlier. |
| (markt) |
| </fix> |
| <add> |
| Include the target URL in the log message when a WebSocket connection |
| fails. (markt) |
| </add> |
| <fix> |
| <bug>64563</bug>: Add additional validation of payload length for |
| WebSocket messages. (markt) |
| </fix> |
| <fix> |
| Correct the calculation of payload length when four or more bytes are |
| required to represent the payload length. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Use Apache archives when downloading commons-logging dependency. (violetagg) |
| </fix> |
| <update> |
| Update the list of known <code>Charset</code>s in the |
| <code>CharsetCache</code> to include <code>ISO-8859-16</code>, added in |
| OpenJDK 15. (markt) |
| </update> |
| <add> |
| Improve the quality and expand the coverage of the French translations |
| provided with Apache Tomcat. (remm) |
| </add> |
| <add> |
| <bug>64430</bug>: Add support for the <code>CATALINA_OUT_CMD</code> |
| environment variable that defines a command to which captured stdout and |
| stderr will be redirected. Patch provided by Harald Dunkel. (markt) |
| </add> |
| <update> |
| Switch from the unsupported Maven Ant Tasks to the supported Maven |
| Resolver Ant Tasks to upload artifacts to the ASF Maven repository (and |
| from there to Maven Central). (markt) |
| </update> |
| <fix> |
| <bug>64501</bug>: Refactor the handling of the deprecated |
| <code>LOGGING_CONFIG</code> environment variable to avoid using a POSIX |
| shell feature that is not available by default on Solaris 10. (markt) |
| </fix> |
| <fix> |
| <bug>64521</bug>: Avoid moving i18n translations into classes dir since |
| they are packaged into separate jars. Pull request provided by Raymond |
| Augé. (markt) |
| </fix> |
| <add> |
| Improve the quality and expand the coverage of the French translations |
| provided with Apache Tomcat. (remm) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.104 (violetagg)" rtext="released 2020-05-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>45995</bug>, <bug>64237</bug>: Align Tomcat with Apache httpd and |
| perform MIME type mapping based on file extension in a case insensitive |
| manner. (markt) |
| </add> |
| <add> |
| <bug>59203</bug>: Before calling <code>Thread.stop()</code> (if |
| configured to do so) on a web application created thread that is not |
| stopped by the web application when the web application is stopped, try |
| interrupting the thread first. Based on a pull request by Govinda |
| Sakhare. (markt) |
| </add> |
| <fix> |
| <bug>64226</bug>: Reset timezone after parsing a date since the date |
| format is reused. Test case submitted by Gary Thomas. (remm) |
| </fix> |
| <fix> |
| <bug>64265</bug>: Fix ETag comparison performed by the default servlet. |
| The default servlet always uses weak comparison. (markt) |
| </fix> |
| <fix> |
| Add support for default values when using <code>${...}</code> property |
| replacement in configuration files. Based on a pull request provided by |
| Bernd Bohmann. (markt) |
| </fix> |
| <fix> |
| Rework the fix for <bug>64021</bug> to better support web applications |
| that use a custom class loader that loads resources from non-standard |
| locations. (markt) |
| </fix> |
| <update> |
| Remove redundant sole path/URI from error page message on SC_NOT_FOUND. |
| (michaelo) |
| </update> |
| <add> |
| Add more descriptive error message in DefaultServlet for SC_NOT_FOUND. |
| (michaelo) |
| </add> |
| <add> |
| <bug>64386</bug>: WebdavServlet does not send "getlastmodified" |
| property for resource collections. (michaelo) |
| </add> |
| <fix> |
| <bug>64398</bug>: Change default value separator for property |
| replacement to <code>:-</code> due to possible conflicts. The |
| syntax is now <code>${name:-default}</code>. (remm) |
| </fix> |
| <add> |
| Improve validation of storage location when using FileStore. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| When configuring an HTTP Connector, warn if the encoding specified for |
| <code>URIEncoding</code> is not a superset of US-ASCII as required by |
| RFC7230. (markt) |
| </add> |
| <fix> |
| <bug>64240</bug>: Ensure that HTTP/0.9 requests that contain additional |
| data on the request line after the URI are treated consistently. Such |
| requests will now always be treated as HTTP/1.1. (markt) |
| </fix> |
| <add> |
| Replace the system property |
| <code>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</code> |
| with the Connector attribute <code>encodedSolidusHandling</code> that |
| adds an additional option to pass the <code>%2f</code> sequence through |
| to the application without decoding it in addition to rejecting such |
| sequences and decoding such sequences. (markt) |
| </add> |
| <fix> |
| Include the problematic data in the error message when reporting that |
| the provided request line contains an invalid component. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Add support for specifying Java 14 (with the value <code>14</code>) and |
| Java 15 (with the value <code>15</code>) as the compiler source and/or |
| compiler target for JSP compilation. If used with an ECJ version that |
| does not support these values, a warning will be logged and the latest |
| supported version will be used. (markt) |
| </add> |
| <update> |
| Remove redundant sole path/URI from error page message on SC_NOT_FOUND. |
| (michaelo) |
| </update> |
| <add> |
| Add more descriptive error message in DefaultServlet for SC_NOT_FOUND. |
| (michaelo) |
| </add> |
| <fix> |
| Ensure that the Jasper code that interfaces with the Eclipse Compiler |
| for Java (ECJ) enables Jasper to compile JSPs using ECJ 4.14 onwards |
| when the JSPs have inner classes. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <scode> |
| Refactor the creation of <code>DeltaRequest</code> objects to make it |
| simpler to use custom implementations. Based on a pull request provided |
| by Thomas Stock. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the documentation web application to remove references to the |
| <code>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</code> |
| system property changing how the sequence <code>%5c</code> is |
| interpreted in a URI. (markt) |
| </fix> |
| <add> |
| Add a section to the TLS Connector documentation on different key store |
| types and how to configure them. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improve the quality and expand the coverage of the French translations |
| provided with Apache Tomcat. Contribution provided by Tom Bens. (remm) |
| </add> |
| <add> |
| Expand the coverage of the Chinese translations provided with Apache |
| Tomcat. Contribution provided by Lee Yazhou. (markt) |
| </add> |
| <fix> |
| <bug>64270</bug>: Set the documented default umask of <code>0027</code> |
| when using jsvc via <code>daemon.sh</code> and allow the umask used to |
| be configured via the <code>UMASK</code> environment variable as it is |
| when using <code>catalina.sh</code>. (markt) |
| </fix> |
| <fix> |
| Deprecate the <code>LOGGING_CONFIG</code> environment variable and |
| replace it with the <code>CATALINA_LOGGING_CONFIG</code> environment |
| variable to avoid clashes with other components that use |
| <code>LOGGING_CONFIG</code>. (markt) |
| </fix> |
| <update> |
| Update JUnit to version 4.13. (markt) |
| </update> |
| <scode> |
| Refactor to use parameterized <code>Collection</code> constructors where |
| possible. Pull request provided by Lars Grefer. (markt) |
| </scode> |
| <scode> |
| Refactor to use empty arrays with <code>Collections.toArray()</code>. |
| Pull request provided by Lars Grefer. (markt) |
| </scode> |
| <scode> |
| Refactor loops with a condition to exit as soon as the condition is met. |
| Pull request provided by Lars Grefer. (markt) |
| </scode> |
| <scode> |
| Refactor bulk addition to collections to use <code>addAll()</code> |
| rather than a loop. Pull request provided by Lars Grefer. (markt) |
| </scode> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.24. |
| (markt) |
| </update> |
| <scode> |
| Refactor to use enhanced for loops where possible. Pull request by Lars |
| Grefer. (markt) |
| </scode> |
| <add> |
| Improve IDE support for IntelliJ IDEA. Patch provided by Lars Grefer. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.103 (violetagg)" rtext="released 2020-03-19"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>64191</bug>: Make an additional fix for the SCI regression |
| introduced by the fix for <bug>64021</bug> for the case, such as when |
| embedding, when the class loader performing the SCI service lookup is not |
| the Tomcat web application class loader. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.102 (violetagg)" rtext="not released"> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>64210</bug>: Correct a regression in the improvements to HTTP |
| header validation that caused requests to be incorrectly treated as |
| invalid if a <code>CRLF</code> sequence was split between TCP packets. |
| Improve validation of request lines, including for HTTP/0.9 requests. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.101 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Switch Tomcat embedded to loading MIME type mappings from a property |
| file generated from the default <code>web.xml</code> so the MIME type |
| mappings are consistent regardless of how Tomcat is started. (markt) |
| </fix> |
| <fix> |
| Ensure that the HEAD response is consistent with the GET response when |
| <code>HttpServlet</code> is relied upon to generate the HEAD response |
| and the GET response uses chunking. (markt) |
| </fix> |
| <fix> |
| <bug>64153</bug>: Ensure that the parent for the web application class |
| loader is set consistently. (markt) |
| </fix> |
| <fix> |
| <bug>64166</bug>: Ensure that the names returned by |
| <code>HttpServletResponse.getHeaderNames()</code> are unique. (markt) |
| </fix> |
| <add> |
| <bug>64189</bug>: Expose the web application version String as a |
| <code>ServletContext</code> attribute named |
| <code>org.apache.catalina.webappVersion</code>. (markt) |
| </add> |
| <fix> |
| <bug>64191</bug>: Fix an SCI support regression that was caused by a JAR |
| path lookup error in the classloader findResources. (remm) |
| </fix> |
| <scode> |
| Rename <code>org.apache.tomcat.util.digester.Digester$EnvironmentPropertySource</code> |
| to |
| <code>org.apache.tomcat.util.digester.EnvironmentPropertySource</code>. |
| The old class is still available but deprecated. Patch provided by Bernd |
| Bohmann. (markt) |
| </scode> |
| <add> |
| Add new attribute <code>persistAuthentication</code> to both |
| <code>StandardManager</code> and <code>PersistentManager</code> to |
| support authentication persistence. Patch provided by Carsten Klein. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Add the TLS request attributes used by IIS to the attributes that an AJP |
| Connector will always accept. (markt) |
| </fix> |
| <fix> |
| A zero length AJP secret will now behave as if it has not been |
| specified. (remm) |
| </fix> |
| <fix> |
| Allow async requests to complete cleanly when the Connector is paused |
| before <code>complete()</code> is called on a container thread. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Expand the documentation for the <code>address</code> attribute of the |
| AJP Connector. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Expand the coverage of the French translations provided with Apache |
| Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage of the Korean translations provided with Apache |
| Tomcat. Contributions provided by B. Cansmile Cha. (markt) |
| </add> |
| <add> |
| <bug>64190</bug>: Add support for specifying milliseconds (using |
| <code>S</code>, <code>SS</code> or <code>SSS</code>) in the timestamp |
| used by JULI's <code>OneLineFormatter</code>. (markt) |
| </add> |
| <fix> |
| <bug>64206</bug>: Correct a regression introduced in 7.0.100 that meant |
| that the HTTP port specified when using the Windows Installer was |
| ignored and 8080 was always used. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.100 (violetagg)" rtext="released 2020-02-14"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Avoid useless environment restore when not using GSSCredential |
| in JNDIRealm. (remm) |
| </fix> |
| <fix> |
| <bug>58577</bug>: Respect the argument-count when searching for MBean |
| operations to invoke via the JMXProxyServlet. (schultz) |
| </fix> |
| <add> |
| <bug>62755</bug>: Add ability to opt out of adding the default web.xml |
| config when embedding Tomcat and adding a context via |
| <code>addWebapp()</code>. Call |
| <code>setAddDefaultWebXmlToWebapp(false)</code> to prevent the automatic |
| config. (isapir/markt) |
| </add> |
| <fix> |
| <bug>64008</bug>: Clarify/expand the Javadoc for the |
| <code>Tomcat#addWebapp()</code> and related methods. (markt) |
| </fix> |
| <scode> |
| Deprecate the <code>JmxRemoteLifecycleListener</code> as the features it |
| provides are now available in the remote JMX capability included with |
| the JRE. This listener will be removed in Tomcat 10 and may be removed |
| from Tomcat 7.0.x some time after 2020-12-31. (markt) |
| </scode> |
| <fix> |
| <bug>64011</bug>: <code>JNDIRealm</code> no longer authenticates to LDAP. |
| (michaelo) |
| </fix> |
| <fix> |
| <bug>64021</bug>: Ensure that container provided SCIs are always loaded |
| before application provided SCIs. Note that where both the container and |
| the application provide the same SCI, it is the application provided SCI |
| that will be used. (markt) |
| </fix> |
| <fix> |
| SCI definitions from JARs unpacked into <code>WEB-INF/classes</code> are |
| now handled consistently and will always be found irrespective of |
| whether the web application defines a JAR ordering or not. (markt) |
| </fix> |
| <fix> |
| <bug>64023</bug>: Skip null-valued session attributes when deserializing |
| sessions. (schultz) |
| </fix> |
| <fix> |
| Do not throw a NullPointerException when an MBean or operation cannot |
| be found by the JMXProxyServlet. (schultz) |
| </fix> |
| <update> |
| Refactor recycle facade system property into a new connector attribute |
| named <code>discardFacades</code>. (remm) |
| </update> |
| <fix> |
| <bug>64089</bug>: Add <code>${...}</code> property replacement support |
| to XML external entity definitions. (markt) |
| </fix> |
| <scode> |
| Deprecate <code>MappingData.contextPath</code> as it is unused. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| When reporting / logging invalid HTTP headers encode any non-printing |
| characters using the 0xNN form. (markt) |
| </add> |
| <fix> |
| Correct a regression introduced in 7.0.98 that meant invalid tokens in |
| the <code>Transfer-Encoding</code> header were ignored rather than |
| treated as an error. (markt) |
| </fix> |
| <fix> |
| Rename the HTTP Connector attribute <code>rejectIllegalHeaderName</code> |
| to <code>rejectIllegalHeader</code> and expand the underlying |
| implementation to include header values as well as names. (markt) |
| </fix> |
| <update> |
| Disable (comment out in server.xml) the AJP/1.3 connector by default. |
| (markt) |
| </update> |
| <update> |
| Change the default bind address for the AJP/1.3 connector to be the |
| loopback address. (markt) |
| </update> |
| <add> |
| Rename the <code>requiredSecret</code> attribute of the AJP/1.3 |
| Connector to <code>secret</code> and add a new attribute |
| <code>secretRequired</code> that defaults to <code>true</code>. When |
| <code>secretRequired</code> is <code>true</code> the AJP/1.3 Connector |
| will not start unless the <code>secret</code> attribute is configured to |
| a non-null, non-zero length String. (markt) |
| </add> |
| <add> |
| Add a new attribute, <code>allowedRequestAttributesPattern</code> to |
| the AJP/1.3 Connector. Requests with unrecognised attributes will be |
| blocked with a 403. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>64097</bug>: Replace the faulty custom services lookup used for |
| <code>ExpressionFactory</code> implementations with |
| <code>ServiceLoader</code>. (markt) |
| </fix> |
| <add> |
| Add a <code>META-INF/services</code> entry to jasper-el.jar so that the |
| Expression Language implementation can be discovered via the services |
| API. (markt) |
| </add> |
| <scode> |
| Parameterize JSP version and API class names in localization messages to |
| allow simpler re-use between major versions. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>64043</bug>: Ensure that session ID changes are replicated during |
| form-authentication. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>64000</bug>: In the examples web application, where a Servlet |
| example includes i18n support, the Locale used should be based on the |
| request locale and not the server locale. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add EncryptInterceptor to the portfolio of available clustering |
| interceptors. This adds symmetric encryption of session data |
| to Tomcat clustering regardless of the type of cluster manager |
| or membership being used. (schultz/markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Expand the coverage of the French translations provided with Apache |
| Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage of the Chinese translations provided with Apache |
| Tomcat. Contribution provided by BoltzmannWxd. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.99 (violetagg)" rtext="released 2019-12-17"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>63681</bug>: Introduce RealmBase#authenticate(GSSName, GSSCredential) |
| and friends. (michaelo) |
| </add> |
| <add> |
| <bug>63937</bug>: Add a new attribute to the standard |
| <code>Authenticator</code> implementations, |
| <code>allowCorsPreflight</code>, that allows the |
| <code>Authenticator</code>s to be configured to allow CORS preflight |
| requests to bypass authentication as required by the CORS specification. |
| (markt) |
| </add> |
| <fix> |
| <bug>63939</bug>: Correct the same origin check in the CORS filter. An |
| origin with an explicit default port is now considered to be the same as |
| an origin without a default port and origins are now compared in a |
| case-sensitive manner as required by the CORS specification. (markt) |
| </fix> |
| <fix> |
| <bug>63950</bug>: Fix timing issue in |
| <code>TestAsyncContextStateChanges</code> test that caused it |
| to hang indefinitely. (markt) |
| </fix> |
| <fix> |
| <bug>63982</bug>: CombinedRealm makes assumptions about principal implementation. |
| (michaelo) |
| </fix> |
| <scode> |
| Add a unit test for the session <code>FileStore</code> implementation |
| and refactor loops in <code>FileStore</code> to use the ForEach style. |
| Pull request provided by Govinda Sakhare. (markt) |
| </scode> |
| <fix> |
| Refactor FORM authentication to reduce duplicate code and to ensure that |
| the authenticated Principal is not cached in the session when caching is |
| disabled. This is the fix for CVE-2019-17563. (markt/kkolinko) |
| </fix> |
| <update> |
| Do not store username and password as session notes during |
| authentication if they are not needed. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>63932</bug>: By default, do not compress content that has a strong |
| ETag. This behaviour is configurable for the HTTP/1.1 connectors via |
| the new Connector attribute <code>noCompressionStrongETag</code>. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Ensure a very unlikely concurrency issue is avoided when writing |
| WebSocket messages. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Add the ability to set and display session attributes in the JSP FORM |
| authentication example to demonstrate session persistence across |
| restarts for authenticated sessions. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct the fix for <bug>63815</bug> (quoting the use of |
| <code>CATALINA_OPTS</code> and <code>JAVA_OPTS</code> when used in shell |
| scripts to avoid the expansion of <code>*</code>) as it caused various |
| regressions, particularly with <code>daemon.sh</code>. (markt) |
| </fix> |
| <add> |
| Expand the search made by the Windows installer for a suitable Java |
| installation to include the 64-bit JDK registry entries and the |
| <code>JAVA_HOME</code> environment variable. Pull request provided by |
| Alexander Norz. (markt) |
| </add> |
| <add> |
| Expand the coverage of the German translations provided with Apache |
| Tomcat. Contribution provided by Jens. (markt) |
| </add> |
| <add> |
| Expand the coverage of the French translations provided with Apache |
| Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage of the Japanese translations provided with Apache |
| Tomcat. (markt) |
| </add> |
| <add> |
| Expand the coverage of the Korean translations provided with Apache |
| Tomcat. (woonsan) |
| </add> |
| <add> |
| Expand the coverage of the Chinese translations provided with Apache |
| Tomcat. Contributions provided by lins and 磊. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons BCEL to ff6941e (2019-12-06, |
| 6.4.2-dev). Code clean-up only. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons Codec to 9637dd4 (2019-12-06, |
| 1.14-SNAPSHOT). Code clean-up and a fix for CODEC-265. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons FileUpload to 2317552 |
| (2019-12-06, 2.0-SNAPSHOT). Refactoring. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.98 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>63832</bug>: Properly mark container as FAILED when a JVM error |
| occurs on stop. (remm) |
| </fix> |
| <fix> |
| Make a best-effort attempt to clean up if a request fails during |
| processing due to an <code>OutOfMemoryException</code>. (markt) |
| </fix> |
| <update> |
| <bug>63905</bug>: Clean up Tomcat CSS. (michaelo) |
| </update> |
| <fix> |
| Refactor JMX remote RMI registry creation. This is the fix for |
| CVE-2019-12418. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>63814</bug>: Do not set server socket timeout with negative |
| values in NIO. (remm) |
| </fix> |
| <fix> |
| Ensure that <code>ServletRequest.isAsyncStarted()</code> returns |
| <code>false</code> once <code>AsyncContext.complete()</code> or |
| <code>AsyncContext.dispatch()</code> has been called during |
| <code>AsyncListener.onTimeout()</code> or |
| <code>AsyncListener.onError()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63816</bug> and <bug>63817</bug>: Correctly handle I/O errors after |
| asynchronous processing has been started but before the container thread |
| that started asynchronous processing has completed processing the |
| current request/response. (markt) |
| </fix> |
| <fix> |
| <bug>63825</bug>: When processing the <code>Expect</code> and |
| <code>Connection</code> HTTP headers looking for a specific token, be |
| stricter in ensuring that the exact token is present. (markt) |
| </fix> |
| <fix> |
| <bug>63829</bug>: Improve the check of the <code>Content-Encoding</code> |
| header when looking to see if Tomcat is serving pre-compressed content. |
| Ensure that only a full token is matched and that the match is case |
| insensitive. (markt) |
| </fix> |
| <fix> |
| <bug>63836</bug>: Ensure that the memory reserved for the OOME parachute |
| is released when the NIO endpoint is stopped. (markt) |
| </fix> |
| <fix> |
| <bug>63864</bug>: Refactor parsing of the <code>transfer-encoding</code> |
| request header to use the shared parsing code and reduce duplication. |
| (markt) |
| </fix> |
| <scode> |
| Refactor the APR poller to always use a single pollset now that the |
| Windows operating systems that required multiple smaller pollsets to be |
| used are no longer supported. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>63897</bug>: Capture the timestamp of a JSP for the purposes of |
| modification tracking before the JSP is compiled to prevent a race |
| condition if the JSP is modified during compilation. Patch provided by |
| Karl von Randow. (markt) |
| </fix> |
| <fix> |
| Fix a race condition that could mean changes to a modified JSP were not |
| visible to end users. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>63913</bug>: Wrap any <code>NullPointerException</code>s thrown by |
| the <code>Inflater</code> or <code>Deflater</code> used by the |
| <code>PerMessageDeflate</code> extension in an <code>IOException</code> |
| so that the error can be caught and handled by the WebSocket error |
| handling mechanism. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the description of the default value for the server attribute in |
| the security How-To. (markt) |
| </fix> |
| <fix> |
| Correct the documentation for the <code>maxConnections</code> attribute |
| of the <code>Connector</code> in the documentation web application. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>63815</bug>: Quote the use of <code>CATALINA_OPTS</code> and |
| <code>JAVA_OPTS</code> when used in shell scripts to avoid the expansion |
| of <code>*</code>. Note that any newlines present in |
| <code>CATALINA_OPTS</code> and/or <code>JAVA_OPTS</code> will no longer |
| be removed. (markt) |
| </fix> |
| <fix> |
| <bug>63826</bug>: Remove <code>commons-daemon-native.tar.gz</code> and |
| <code>tomcat-native.tar.gz</code> from the binary zip distributions for |
| Windows since compiled versions of those components are already |
| included within the zip distributions. (markt) |
| </fix> |
| <fix> |
| <bug>63833</bug>: Fix an error in the generification of the copied |
| Commons DBCP 1.x code that caused a <code>NullPointerException</code> if |
| a DataSource was configured with a database that did not exist. Patch |
| provided by Guoxiong Li. (markt) |
| </fix> |
| <fix> |
| <bug>63838</bug>: Suppress reflexive access warnings when running the |
| unit tests on the command line. (markt) |
| </fix> |
| <fix> |
| Add missing charsets from the HPE JVM on HP-UX to pass unit tests in |
| <code>org.apache.tomcat.util.buf.TestCharsetCache</code>. (michaelo) |
| </fix> |
| <add> |
| Expand the coverage and quality of the French translations provided |
| with Apache Tomcat. (remm) |
| </add> |
| <add> |
| Expand the coverage and quality of the Korean translations provided |
| with Apache Tomcat. (woonsan) |
| </add> |
| <add> |
| Expand the coverage and quality of the Simplified Chinese translations |
| provided with Apache Tomcat. Contributions provided by rpo130, Mason |
| Shen, leeyazhou, winsonzhao, qingshi huang, Lay, Shucheng Hou and |
| Yanming Zhou. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.97 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>57665</bug>: Add support for the <code>X-Forwarded-Host</code> |
| header to the <code>RemoteIpFilter</code> and <code>RemoteIpValve</code>. |
| (markt) |
| </add> |
| <add> |
| <bug>62496</bug>: Add option to write auth information (remote user/auth type) |
| to response headers. (michaelo) |
| </add> |
| <fix> |
| <bug>63550</bug>: Only try the <code>alternateURL</code> in the |
| <code>JNDIRealm</code> if one has been specified. (markt) |
| </fix> |
| <update> |
| <bug>63627</bug>: Implement more fine-grained handling in |
| <code>RealmBase.authenticate(GSSContext, boolean)</code>. (michaelo) |
| </update> |
| <fix> |
| Avoid a <code>NullPointerException</code> in the |
| <code>CrawlerSessionManagerValve</code> if no ROOT Context is deployed |
| and a request does not map to any of the other deployed Contexts. Patch |
| provided by Jop Zinkweg. (markt) |
| </fix> |
| <fix> |
| <bug>63636</bug>: <code>Context.findRoleMapping()</code> never called |
| in <code>StandardWrapper.findSecurityReference()</code>. (michaelo) |
| </fix> |
| <fix> |
| Fix a crash on shutdown with the APR/native connector when a blocking |
| I/O operation was still in progress when the connector stopped. (markt) |
| </fix> |
| <fix> |
| <bug>63684</bug>: <code>Wrapper</code> never passed to |
| <code>RealmBase.hasRole()</code> for given security constraints. |
| (michaelo) |
| </fix> |
| <fix> |
| Avoid a potential <code>NullPointerException</code> on Service stop if a |
| Service is embedded directly (i.e. with no Server) in an application |
| and JNDI is enabled. Patch provided by S. Ali Tokmen. (markt) |
| </fix> |
| <add> |
| Add a new <code>PropertySource</code> implementation, |
| <code>EnvironmentPropertySource</code>, that can be used to do property |
| replacement in configuration files with environment variables. Based on |
| a pull request provided by Thomas Meyer. (markt) |
| </add> |
| <fix> |
| <bug>63758</bug>: Include the XML schema for the tomcat-users.xml file |
| in the binary distributions. (markt) |
| </fix> |
| <fix> |
| <bug>63778</bug>: When running on Java 7, use the correct signature to |
| look up the <code>DatabaseMetaData.getPseudoColumns()</code> method and |
| avoid the <code>NullPointerException</code>s caused by using the wrong |
| method. Add error logging to detect similar bugs. Based on a pull |
| request by liguoxiong. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>63571</bug>: Use the implementation default for JSSE TLS session |
| cache size. (markt) |
| </fix> |
| <fix> |
| <bug>63578</bug>: Improve handling of invalid requests so that 400 |
| responses are returned to the client rather than 500 responses. (markt) |
| </fix> |
| <scode> |
| Remove the code in the sendfile poller that ensured smaller pollsets |
| were used with older, no longer supported versions of Windows that |
| could not support larger pollsets. (markt) |
| </scode> |
| <fix> |
| <bug>63737</bug>: Correct various issues when parsing the |
| <code>accept-encoding</code> header to determine if gzip encoding is |
| supported including only parsing the first header found. (markt) |
| </fix> |
| <fix> |
| <bug>63766</bug>: Ensure Processor objects are recycled when processing |
| an HTTP upgrade connection that terminates before processing switches to |
| the Processor for the upgraded protocol. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>63781</bug>: When performing various checks related to the |
| visibility of classes, fields and methods in the EL implementation, also |
| check that the containing module has been exported. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Socket"> |
| <changelog> |
| <fix> |
| <bug>63753</bug>: Ensure that the <code>Host</code> header in a Web |
| Socket HTTP upgrade request only contains a port if a non-default port |
| is being used. (markt) |
| </fix> |
| <fix> |
| When running on Java 9 and above, don't attempt to instantiate WebSocket |
| Endpoints found in modules that are not exported. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the source code links on the index page for the ROOT web |
| application to point to Git rather than Subversion. (markt) |
| </fix> |
| <fix> |
| Fix various issues with the Javadoc generated for the documentation web |
| application to enable release builds to be built with Java 10 onwards. |
| (markt) |
| </fix> |
| <fix> |
| Fix a large number of Javadoc and documentation typos. Patch provided by |
| KangZhiDong. (markt) |
| </fix> |
| <fix> |
| Spelling and formatting corrections for the cluster how-to. Pull request |
| provided by Bill Mitchell. (markt) |
| </fix> |
| <docs> |
| Add Javadoc for the Common Annotations API implementation. (markt) |
| </docs> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| When connections are validated without an explicit validation query, |
| ensure that any transactions opened by the validation process are |
| committed. Patch provided by Pascal Davoust. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>55620</bug>: Partial fix. Prevent Tomcat from starting when |
| <code>$CATALINA_HOME</code> and/or <code>$CATALINA_BASE</code> contains |
| a semi-colon on Windows or a colon on Linux/FreeBSD/etc. (markt) |
| </fix> |
| <fix> |
| <bug>62140</bug>: Additional usage documentation in comments for |
| <code>catalina.[bat|sh]</code>. (markt) |
| </fix> |
| <add> |
| <bug>63285</bug>: Add an option to <code>service.bat</code> so that when |
| installing a Windows service, the name of the executables used by the |
| Windows service may be changed to match the service name. This makes the |
| installation behaviour consistent with the Windows installer. The |
| original executable names will be restored when the Windows service is |
| removed. The renaming can be enabled by using the new |
| <code>--rename</code> option after the service name. (markt) |
| </add> |
| <update> |
| <bug>63625</bug>: Update to Commons Daemon 1.2.1. This corrects several |
| regressions in Commons Daemon 1.2.0, most notably the Windows Service |
| crashing on start when using 32-bit JVMs. (markt) |
| </update> |
| <update> |
| <bug>63634</bug>: Align setproxy target in build.xml with |
| 8.5/9.0. (michaelo) |
| </update> |
| <add> |
| Limit the default JPDA (remote debugging interface) listen address to |
| <code>localhost:8000</code>. (markt) |
| </add> |
| <update> |
| Tighten up the default file permissions for the <code>.tar.gz</code> |
| distribution so no files or directories are world readable by default. |
| Configure Tomcat to run with a default umask of <code>0027</code> which |
| may be overridden by setting <code>UMASK</code> in |
| <code>setenv.sh</code>. (markt) |
| </update> |
| <fix> |
| Allow customization of service.bat, such as heap memory size, service |
| startup mode and JVM args. (isapir) |
| </fix> |
| <update> |
| Update the internal fork of Commons Codec to 3ebef4a (2018-08-01) to |
| pick up the fix for CODEC-134. (markt) |
| </update> |
| <update> |
| <bug>63648</bug>: Update the test TLS keys and certificates used in the |
| test suite to replace the keys and certificates that are about to |
| expire. (markt) |
| </update> |
| <fix> |
| Back-port various corrections and improvements to the English versions |
| of the i18n messages. (markt) |
| </fix> |
| <fix> |
| Back-port various corrections and improvements to the Spanish i18n |
| messages. (markt) |
| </fix> |
| <fix> |
| Back-port various corrections and improvements to the French i18n |
| messages. (markt) |
| </fix> |
| <fix> |
| Back-port various corrections and improvements to the Japanese i18n |
| messages. (markt) |
| </fix> |
| <fix> |
| Back-port various corrections and improvements to the Russian i18n |
| messages. (markt) |
| </fix> |
| <add> |
| Include the available German translations in the standard Tomcat |
| distribution. Back-port additions and updates to the German i18n |
| messages. (markt) |
| </add> |
| <add> |
| Add Korean translations to the standard Tomcat distribution. (markt) |
| </add> |
| <add> |
| Add simplified Chinese translations to the standard Tomcat distribution. |
| (markt) |
| </add> |
| <fix> |
| Fix <code>JSSE_OPTS</code> quoting in <code>catalina.bat</code>. |
| Contributed by Peter Uhnak. (fschumacher) |
| </fix> |
| <fix> |
| Remove unused i18n messages and associated translations. Patch provided |
| by KangZhiDong. (markt) |
| </fix> |
| <scode> |
| Deprecate <code>org.apache.tomcat.util.compat.TLS</code>. |
| Its functionality was only used for unit tests in |
| <code>org.apache.tomcat.util.net.TesterSupport</code> |
| and has been moved there. (rjung) |
| </scode> |
| <fix> |
| When performing a silent install with the Windows Installer, ensure that |
| the registry entries are added to the 64-bit registry when using a |
| 64-bit JVM. (markt) |
| </fix> |
| <fix> |
| <bug>63759</bug>: When installing Tomcat with the Windows installer, |
| grant sufficient privileges to enable the uninstaller to execute when |
| user account control is active. (markt) |
| </fix> |
| <add> |
| Use a build property to define the minimum supported Java version and |
| use that build property to reduce the number of edits required to update |
| the minimum supported Java version. (markt) |
| </add> |
| <update> |
| <bug>63767</bug>: Update to Commons Daemon 1.2.2. This corrects a |
| regression in Commons Daemon 1.2.0 and 1.2.1 that caused the Windows |
| Service to crash on start when running on an operating system that had |
| not been fully updated. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.96 (violetagg)" rtext="released 2019-07-29"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>63579</bug>: Correct parsing of malformed OPTIONS requests and |
| reject them with a 400 response rather than triggering an internal error |
| that results in a 500 response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct parsing of invalid host names that contain bytes in the range |
| 128 to 255 and reject them with a 400 response rather than triggering an |
| internal error that results in a 500 response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correct a regression that prevented a default Tomcat 7 install from |
| starting on Java 6. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Enable the unit tests to execute in parallel. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.95 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>43548</bug>: Add an XML schema for the tomcat-users.xml file. |
| (markt) |
| </add> |
| <fix> |
| <bug>63324</bug>: Refactor the <code>CrawlerSessionManagerValve</code> |
| so that the object placed in the session is compatible with session |
| serialization with mem-cached. Patch provided by Martin Lemanski. |
| (markt) |
| </fix> |
| <fix> |
| <bug>63531</bug>: Refactor authenticators so that the session last |
| accessed time is not updated if the cache attribute is set to |
| <code>false</code> and <code>FORM</code> authentication is not being |
| used. (markt) |
| </fix> |
| <add> |
| <bug>63556</bug>: Mark request as forwarded in RemoteIpValve and |
| RemoteIpFilter (michaelo) |
| </add> |
| <fix> |
| Fix a potential resource leak when executing CGI scripts from a WAR |
| file. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential concurrency issue in the StringCache identified by |
| Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential concurrency issue in the main Sendfile thread of the APR |
| connector. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak on some exception paths in the |
| <code>DataSourceRealm</code>. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak on an exception path when parsing JSP |
| files. Identified by Coverity scan. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak when a JNDI lookup returns an object of an |
| incompatible class. Identified by Coverity scan. (markt) |
| </fix> |
| <scode> |
| Refactor <code>ManagerServlet</code> to avoid loading classes when |
| filtering JNDI resources for resources of a specified type. (markt) |
| </scode> |
| <fix> |
| Avoid a <code>NullPointerException</code> when a <code>Context</code> is |
| defined in <code>server.xml</code> with a <code>docBase</code> but not |
| the optional <code>path</code>. (markt) |
| </fix> |
| <fix> |
| Ensure that the default servlet reads the entire global XSLT file if |
| one is defined. Identified by Coverity Scan. (markt) |
| </fix> |
| <fix> |
| Avoid potential <code>NullPointerException</code> when generating an |
| HTTP <code>Allow</code> header. Identified by Coverity Scan. (markt) |
| </fix> |
| <add> |
| Remove any fragment included in the target path used to obtain a |
| <code>RequestDispatcher</code>. The requested target path is logged as a |
| warning since this is an application error. (markt) |
| </add> |
| <update> |
| Modify the Default and WebDAV Servlets so that a 405 status code is |
| returned for <code>PUT</code> and <code>DELETE</code> requests when |
| disabled via the <code>readonly</code> initialisation parameter. |
| </update> |
| <fix> |
| Align the contents of the <code>Allow</code> header with the response |
| code for the Default and WebDAV Servlets. For any given resource a |
| method that returns a 405 status code will not be listed in the |
| <code>Allow</code> header and a method listed in the <code>Allow</code> |
| header will not return a 405 status code. (markt) |
| </fix> |
| <fix> |
| Correct two failing tests from the Litmus test suite for WebDAV when |
| copying/moving a file over a collection. (markt) |
| </fix> |
| <update> |
| Update the recommended minimum Tomcat Native version to 1.2.23. (markt) |
| </update> |
| <fix> |
| If an unhandled exception occurs on an asynchronous thread started via |
| <code>AsyncContext.start(Runnable)</code>, process it using the standard |
| error page mechanism. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Refactor Hostname validation to improve performance. Patch provided by |
| Uwe Hees. (markt) |
| </scode> |
| <fix> |
| Fix to avoid the possibility of long poll times for individual pollers |
| when using multiple pollers with APR. (markt) |
| </fix> |
| <fix> |
| Refactor the fix for <bug>63205</bug> so it only applies when using |
| PKCS12 keystores as regressions have been reported with some other |
| keystore types. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Include file names in error messages if SMAP processor is unable to |
| delete or rename a class file during SMAP generation. (markt) |
| </add> |
| <fix> |
| Improvements to varargs handling in the Java UEL implementation. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>62841</bug>: Refactor the <code>DeltaRequest</code> serialization |
| to reduce the window during which the <code>DeltaSession</code> is |
| locked and to remove a potential cause of deadlocks during |
| serialization. (markt) |
| </fix> |
| <fix> |
| <bug>63441</bug>: Further streamline the processing of session creation |
| messages in the <code>DeltaManager</code> to reduce the possibility of a |
| session update message being processed before the session has been |
| created. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>63521</bug>: As required by the WebSocket specification, if a POJO |
| that is deployed as a result of the SCI scan for annotated POJOs is |
| subsequently deployed via the programmatic API, ignore the programmatic |
| deployment. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Treat <code>NoRouteToHostException</code> the same way as |
| <code>SocketTimeoutException</code> when checking the health of group |
| members. This avoids a SEVERE log message every time the check is |
| performed when the host associated with a group member is not powered |
| on. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>55969</bug>: Tighten up the security of the Apache Tomcat |
| installation created by the Windows installer. Change the default |
| shutdown port used by the Windows installer from <code>8005</code> to |
| <code>-1</code> (disabled). Limit access to the chosen installation |
| directory to local administrators, Local System and Local Service. |
| (markt) |
| </fix> |
| <add> |
| <bug>59871</bug>: Add a property (<code>timeFormat</code>) to |
| JULI's <code>OneLineFormatter</code> to enable the format of the |
| time stamp used in log messages to be configured. (markt) |
| </add> |
| <update> |
| <bug>63310</bug>: Update to Commons Daemon 1.2.0. This provides improved |
| support for Java 11. This also changes the user configured by the |
| Windows installer for the Windows service from <code>Local System</code> |
| to the lower privileged <code>Local Service</code>. (markt) |
| </update> |
| <fix> |
| <bug>63335</bug>: Ensure that stack traces written by the |
| <code>OneLineFormatter</code> are fully indented. The entire stack trace |
| is now indented by an additional TAB character. (markt) |
| </fix> |
| <fix> |
| When using the <code>OneLineFormatter</code>, don't print a blank line |
| in the log after printing a stack trace. (markt) |
| </fix> |
| <fix> |
| Use the <code>test</code> command to check for terminal availability |
| rather than the <code>tty</code> command since the <code>tty</code> |
| based test fails on non-English locales. Patch provided by Radosław |
| Józwik. (markt) |
| </fix> |
| <update> |
| Update JUnit to version 4.12. (markt) |
| </update> |
| <update> |
| Update optional WSDL dependency to 1.6.3. (markt) |
| </update> |
| <update> |
| Update Checkstyle to version 8.22. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.94 (markt)" rtext="released 2019-04-12"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>63196</bug>: Provide a default (<code>X-Forwarded-Proto</code>) for |
| the <code>protocolHeader</code> attribute of the |
| <code>RemoteIpFilter</code> and <code>RemoteIpValve</code>. (markt) |
| </fix> |
| <add> |
| <bug>63206</bug>: Add a new attribute to <code>Context</code> - |
| <code>createUploadTargets</code> which, if <code>true</code>, enables |
| Tomcat to create the temporary upload location used by a Servlet if the |
| location specified by the Servlet does not already exist. The default |
| value is <code>false</code>. (markt) |
| </add> |
| <fix> |
| <bug>63213</bug>: Ensure the correct escaping of group names when |
| searching for nested groups when the JNDIRealm is configured with |
| <code>roleNested</code> set to <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63235</bug>: Refactor Charset cache to reduce start time. (markt) |
| </fix> |
| <fix> |
| <bug>63236</bug>: Use <code>String.intern()</code> as suggested by |
| Phillip Webb to reduce memory wasted due to String duplication. This |
| change saves ~245k when starting a clean installation. With additional |
| thanks to YourKit Java profiler for helping to track down the wasted |
| memory and the root causes. (markt) |
| </fix> |
| <fix> |
| <bug>63246</bug>: Fix a potential <code>NullPointerException</code> when |
| calling <code>AsyncContext.dispatch()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63249</bug>: Use a consistent log level (<code>WARN</code>) when |
| logging the failure to register or deregister a JMX Bean. (markt) |
| </fix> |
| <fix> |
| <bug>63249</bug>: Use a consistent log level (<code>ERROR</code>) when |
| logging the <code>LifecycleException</code> associated with the failure |
| to start or stop a component. (markt) |
| </fix> |
| <fix> |
| When the SSI directive <code>fsize</code> is used with an invalid |
| target, return a file size of <code>-</code> rather than |
| <code>1k</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63251</bug>: Implement a work-around for a known JRE bug (<a |
| href="https://bugs.openjdk.java.net/browse/JDK-8194653">JDK-8194653</a>) |
| that may cause a dead-lock when Tomcat starts. (markt) |
| </fix> |
| <fix> |
| Ensure that the JarScanner correctly tests whether JARs found on the |
| class path should be skipped when running on Java 9 or later. (markt) |
| </fix> |
| <fix> |
| <bug>63275</bug>: When using a <code>RequestDispatcher</code> ensure |
| that <code>HttpServletRequest.getContextPath()</code> returns an encoded |
| path in the dispatched request. (markt) |
| </fix> |
| <fix> |
| <bug>63286</bug>: Document the differences in behaviour between the |
| <code>LogFormat</code> directive in httpd and the <code>pattern</code> |
| attribute in the <code>AccessLogValve</code> for <code>%D</code> and |
| <code>%T</code>. (markt) |
| </fix> |
| <fix> |
| <bug>63311</bug>: Add support for https URLs to the local resolver within |
| Tomcat used to resolve standard XML DTDs and schemas when Tomcat is |
| configured to validate XML configuration files such as web.xml. (markt) |
| </fix> |
| <fix> |
| Encode the output of the SSI <code>printenv</code> command. This is the |
| fix for CVE-2019-0221. (markt) |
| </fix> |
| <scode> |
| Use constants for SSI encoding values. (markt) |
| </scode> |
| <add> |
| When the CGI Servlet is configured with |
| <code>enableCmdLineArguments</code> set to true, limit the encoded form |
| of the individual command line arguments to those values allowed by RFC |
| 3875. This restriction may be relaxed by the use of the new |
| initialisation parameter <code>cmdLineArgumentsEncoded</code>. (markt) |
| </add> |
| <add> |
| When the CGI Servlet is configured with |
| <code>enableCmdLineArguments</code> set to true, limit the decoded form |
| of the individual command line arguments to known safe values when |
| running on Windows. This restriction may be relaxed by the use of the |
| new initialisation parameter <code>cmdLineArgumentsDecoded</code>. This |
| is the fix for CVE-2019-0232. (markt) |
| </add> |
| <update> |
| Change the default for the <code>enableCmdLineArguments</code> parameter |
| of the CGI servlet from <code>true</code> to <code>false</code> as |
| additional hardening against CVE-2019-0232. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>63194</bug>: Fix failing unit test so TLS1.3 client authentication |
| tests work correctly when using Java 11 onwards and the APR/Native |
| connector. (markt) |
| </fix> |
| <add> |
| <bug>63205</bug>: Add a work-around for a known |
| <a href="https://bugs.openjdk.java.net/browse/JDK-8157404">JRE KeyStore |
| loading bug</a>. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Add support for specifying Java 11 (with the value <code>11</code>) as |
| the compiler source and/or compiler target for JSP compilation. (markt) |
| </add> |
| <add> |
| Add support for specifying Java 12 (with the value <code>12</code>) and |
| Java 13 (with the value <code>13</code>) as the compiler source and/or |
| compiler target for JSP compilation. If used with an ECJ version that |
| does not support these values, a warning will be logged and the latest |
| supported version will be used. Based on a patch by Thomas Collignon. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>63184</bug>: Expand the SSI documentation to provide more |
| information on the supported directives and their attributes. Patch |
| provided by nightwatchcyber. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>63320</bug>: Ensure that <code>StatementCache</code> caches |
| statements that include arrays in arguments. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <scode> |
| Copy Apache Commons DBCP 1.4 and Apache Commons Pool 1.5.7 source code |
| into the Tomcat 7.0.x tree to enable additional fixes to be pulled in. |
| (markt) |
| </scode> |
| <fix> |
| Update the copy of Apache Commons DBCP 1.4.x and Apache Commons pool |
| 1.5.x to the latest source code as of 2019-03-15 to pick up multiple bug |
| fixes including <bug>58338</bug>. (markt) |
| </fix> |
| <scode> |
| Update the copy of Apache Commons Pool to 1.6.x to pick up the generics |
| changes. (markt) |
| </scode> |
| <add> |
| Add JDBC 4.1 support to the default database connection pool provided by |
| Tomcat. (markt) |
| </add> |
| <update> |
| Switch from Checkstyle to the JRE6 backport and update to version 8.17. |
| This allows Tomcat 7 to use the newer configuration format (required by |
| Gump that uses the latest Checkstyle snapshot) while still building with |
| Java 6. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.93 (violetagg)" rtext="released 2019-02-21"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>54741</bug>: Add a new method, |
| <code>Tomcat.addWebapp(String,URL)</code>, that allows a web application |
| to be deployed from a URL when using Tomcat in embedded mode. (markt) |
| </fix> |
| <add> |
| <bug>62897</bug>: Provide a property |
| (<code>clearReferencesThreadLocals</code>) on the standard |
| <code>Context</code> implementation that enables the check for memory |
| leaks via <code>ThreadLocal</code>s to be disabled because this check |
| depends on the use of an API that has been deprecated in later versions |
| of Java. (markt) |
| </add> |
| <fix> |
| <bug>62978</bug>: Update the RemoteIpValve to handle multiple values in |
| the <code>x-forwarded-proto</code> header. Patch provided by Tom Groot. |
| (markt) |
| </fix> |
| <fix> |
| Update the RemoteIpFilter to handle multiple values in the |
| <code>x-forwarded-proto</code> header. Based on a patch provided by Tom |
| Groot. (markt) |
| </fix> |
| <scode> |
| <bug>62986</bug>: Refactor the code that performs class scanning during |
| web application start to make integration simpler for downstream users. |
| Based on a patch provided by rmannibucau. (markt) |
| </scode> |
| <fix> |
| Implement the requirements of section 8.2.2 2c of the Servlet |
| specification and prevent a web application from deploying if it has |
| fragments with duplicate names and is configured to use relative |
| ordering of fragments. (markt) |
| </fix> |
| <update> |
| Update the recommended minimum Tomcat Native version to 1.2.19. (markt) |
| </update> |
| <fix> |
| Ensure that the <code>ServletOutputStream</code> implementation is |
| consistent with the requirements of asynchronous I/O and that all of the |
| write methods use a single write rather than multiple writes. (markt) |
| </fix> |
| <fix> |
| Correct the Javadoc for <code>Context.getDocBase()</code> and |
| <code>Context.setDocBase()</code> and remove text that indicates that a |
| URL may be used for the <code>docBase</code> as this has not been the |
| case for quite some time. (markt) |
| </fix> |
| <add> |
| Ensure that Tomcat is fully terminated when running as a service. |
| (markt) |
| </add> |
| <fix> |
| <bug>63003</bug>: Extend the <code>unloadDelay</code> attribute on a |
| <code>Context</code> to include in-flight asynchronous requests. (markt) |
| </fix> |
| <add> |
| <bug>63026</bug>: Add a new attribute, <code>forceDnHexEscape</code>, to |
| the <code>JNDIRealm</code> that forces escaping in the String |
| representation of a distinguished name to use the <code>\nn</code> form. |
| This may avoid issues with realms using Active Directory which appears |
| to be more tolerant of optional escaping when the <code>\nn</code> form |
| is used. (markt) |
| </add> |
| <update> |
| Update the recommended minimum Tomcat Native version to 1.2.21. (markt) |
| </update> |
| <update> |
| Simplify the value of <code>jarsToSkip</code> property in |
| <code>catalina.properties</code> file for tomcat-i18n jar files. |
| Use prefix pattern instead of listing each language. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57974</bug>: Ensure implementation of |
| <code>Session.getOpenSessions()</code> returns correct value for both |
| client-side and server-side calls. (markt) |
| </fix> |
| <fix> |
| <bug>63019</bug>: Use payload remaining bytes rather than limit when |
| writing. Submitted by Benoit Courtilly. (remm) |
| </fix> |
| <fix> |
| When running under a <code>SecurityManager</code>, ensure that the |
| <code>ServiceLoader</code> look-up for the default |
| <code>javax.websocket.server.ServerEndpointConfig.Configurator</code> |
| implementation completes correctly rather than silently using the |
| hard-coded fall-back. (markt) |
| </fix> |
| <fix> |
| Ensure that the network connection is closed if the client receives an |
| I/O error trying to communicate with the server. (markt) |
| </fix> |
| <fix> |
| Ignore synthetic methods when scanning POJO methods. (markt) |
| </fix> |
| <fix> |
| Implement the requirements of section 5.2.1 of the WebSocket 1.1 |
| specification and ensure that if the deployment of one Endpoint fails, |
| no Endpoints are deployed for that web application. (markt) |
| </fix> |
| <fix> |
| Implement the requirements of section 4.3 of the WebSocket 1.1 |
| specification and ensure that the deployment of an Endpoint fails if |
| <code>@PathParam</code> is used with an invalid parameter type. (markt) |
| </fix> |
| <fix> |
| Ensure a <code>DeploymentException</code> rather than an |
| <code>IllegalArgumentException</code> is thrown if a method annotated |
| with <code>@OnMessage</code> does not conform to the requirements set |
| out in the Javadoc. (markt) |
| </fix> |
| <fix> |
| Improve algorithm that determines if two <code>@OnMessage</code> |
| annotations have been added for the same message type. Prior to this |
| change some matches were missed. (markt) |
| </fix> |
| <scode> |
| Remove the <code>STREAMS_DROP_EMPTY_MESSAGES</code> system property that |
| was introduced to work-around four failing TCK tests. An alternative |
| solution has been implemented. Sending messages via |
| <code>getSendStream()</code> and <code>getSendWriter()</code> will now |
| only result in messages on the wire if data is written to the |
| <code>OutputStream</code> or <code>Writer</code>. Writing zero length |
| data will result in an empty message. Note that sending a message via an |
| <code>Encoder</code> may result in the message being sent via |
| <code>getSendStream()</code> or <code>getSendWriter()</code>. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>63103</bug>: Remove the unused source.jsp file and associated tag |
| from the examples web application as it is no longer used. (markt) |
| </fix> |
| <fix> |
| <bug>63143</bug>: Ensure that the Manager web application respects the |
| language preferences of the user as configured in the browser when the |
| language of the default system locale is not English. (markt) |
| </fix> |
| <fix> |
| Use client's preferred language for the Server Status page of the |
| Manager web application. Review and fix several cases when the |
| client's language preference was not respected in Manager and |
| Host Manager web applications. (kkolinko) |
| </fix> |
| <fix> |
| Fix messages used by Manager and Host Manager web applications. |
| Disambiguate message keys used when adding or removing a host. |
| Improve display of summary values on the status page: separate |
| terms and values with a whitespace. Improve wording of messages |
| for expire sessions command. (kkolinko) |
| </fix> |
| <fix> |
| Do not add CSRF nonce parameter and suppress Referer header for external |
| links in Manager and Host Manager web applications. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Prevent an error when running in a Cygwin shell and the |
| <code>JAVA_ENDORSED_DIRS</code> system property is empty. Patch provided |
| by Zemian Deng. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.19 to |
| pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL |
| 1.1.1a. (markt) |
| </update> |
| <fix> |
| Correct AsyncFileHandler to FileHandler in logging.properties. (huxing) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.21 to |
| pick up the memory leak fixes when using NIO/NIO2 with OpenSSL. (markt) |
| </update> |
| <fix> |
| Enable compilation and test execution with Java 11. Note that the |
| deprecated class <code>org.apache.catalina.util.Base64</code> will be |
| excluded from the build in this case as it depends on JRE classes that |
| have been removed in Java 11 onwards. (markt) |
| </fix> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.04. (markt) |
| </update> |
| <add> |
| Expand the coverage and quality of the Russian translations provided |
| with Apache Tomcat. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.92 (violetagg)" rtext="released 2018-11-15"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Add documentation about the files <code>context.xml.default</code> and |
| <code>web.xml.default</code> that can be used to customize <code>conf/context.xml</code> |
| and <code>conf/web.xml</code> on a per host basis. (fschumacher) |
| </fix> |
| <fix> |
| Ensure that a canonical path is always used for the docBase of a Context |
| to ensure consistent behaviour. (markt) |
| </fix> |
| <fix> |
| <bug>62788</bug>: Add explicit logging configuration to write log files |
| using UTF-8 to align with Tomcat's use of UTF-8 by default |
| elsewhere. (markt) |
| </fix> |
| <fix> |
| <bug>62797</bug>: Pass throwable to keep client aborts with status 200 |
| rather than 500. Patch submitted by zikfat. (remm) |
| </fix> |
| <fix> |
| <bug>62809</bug>: Correct a regression in the implementation of DIGEST |
| authentication support for the Deployer Ant tasks (bug <bug>45832</bug>) |
| that prevented the <code>DeployTask</code> from working when |
| authentication was required. (markt) |
| </fix> |
| <update> |
| Update the recommended minimum Tomcat Native version to 1.2.18. (markt) |
| </update> |
| <add> |
| Ignore an attribute named <code>source</code> on <code>Context</code> |
| elements provided by <code>StandardContext</code>. This is to suppress |
| warnings generated by the Eclipse / Tomcat integration provided by |
| Eclipse. Based on a patch by mdfst13. (markt) |
| </add> |
| <add> |
| <bug>62830</bug>: Added <code>JniLifeCycleListener</code> and static |
| methods <code>Library.loadLibrary(libraryName)</code> and |
| <code>Library.load(filename)</code> to load a native library by a |
| shared class loader so that more than one Webapp can use it. (isapir) |
| </add> |
| <fix> |
| Correct a typo in the Spanish resource files. Patch provided by Diego |
| Agulló. (markt) |
| </fix> |
| <fix> |
| <bug>62868</bug>: Order the <code>Enumeration&lt;URL&gt;</code> provided |
| by <code>WebappClassLoaderBase.getResources(String)</code> according to |
| the setting of the delegate flag. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Add TLSv1.3 to the default protocols and to the <code>all</code> |
| alias for JSSE based TLS connectors when running on a JVM that |
| supports TLS version 1.3. One such JVM is OpenJDK version 11. (rjung) |
| </add> |
| <fix> |
| <bug>62739</bug>: Do not reject requests with an empty HTTP Host header. |
| Such requests are unusual but not invalid. Patch provided by Michael |
| Orr. (markt) |
| </fix> |
| <add> |
| <bug>62748</bug>: Add TLS 1.3 support for the APR/Native connector. |
| (schultz/markt) |
| </add> |
| <fix> |
| <bug>62791</bug>: Remove an unnecessary check in the NIO TLS |
| implementation that prevented secure WebSocket connections from |
| being established. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>62674</bug>: Correct a regression in the stand-alone JSP compiler |
| utility, <code>JspC</code>, caused by the fix for <bug>53492</bug>, that |
| caused the JSP compiler to hang. (markt) |
| </fix> |
| <fix> |
| <bug>62721</bug>: Correct generation of web.xml header when using JspC. |
| (markt) |
| </fix> |
| <fix> |
| Fix a regression in the TLD whitespace parsing fix that broke parsing |
| when whitespace was present between the method name and the parameters. |
| (markt) |
| </fix> |
| <fix> |
| <bug>62757</bug>: Correct a regression in the fix for <bug>62603</bug> |
| that caused <code>NullPointerException</code>s when compiling tag files |
| on first access when development mode was disabled and background |
| compilation was enabled. Based on a patch by Jordi Llach. (markt) |
| </fix> |
| <fix> |
| <bug>62808</bug>: Fix a regression in the TLD whitespace parsing fix |
| that broke parsing when new lines were present in the method signature. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>62731</bug>: Make the URI returned by |
| <code>HandshakeRequest.getRequestURI()</code> and |
| <code>Session.getRequestURI()</code> absolute so that the scheme, host |
| and port are accessible. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>62761</bug>: Correct the advanced CORS example in the Filter |
| documentation to use a valid configuration. (markt) |
| </fix> |
| <fix> |
| <bug>62786</bug>: Add a note to the Context documentation to explain |
| that, by default, settings for a Context element defined in server.xml |
| will be overwritten by settings specified in a default context file such |
| as <code>conf/context.xml</code>. (markt) |
| </fix> |
| <fix> |
| Create a little visual separation between the Undeploy button and the |
| other buttons in the Manager application. Patch provided by Łukasz |
| Jąder. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.18 to |
| pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL |
| 1.1.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.91 (violetagg)" rtext="released 2018-09-19"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>61692</bug>: Add the ability to control which HTTP methods are |
| handled by the CGI Servlet via a new initialization parameter |
| <code>cgiMethods</code>. (markt) |
| </add> |
| <fix> |
| Ensure that the HTTP Vary header is set correctly when using the CORS |
| filter and improve the cacheability of requests that pass through the |
| CORS filter. (markt) |
| </fix> |
| <fix> |
| <bug>62527</bug>: Revert restriction of JNDI to the <code>java:</code> |
| namespace. (remm) |
| </fix> |
| <add> |
| Introduce a new class - <code>MultiThrowable</code> - to report |
| exceptions when multiple actions are taken where each action may throw |
| an exception but all actions are taken before any errors are reported. |
| Use this new class when reporting multiple container (e.g. web |
| application) failures during start. (markt) |
| </add> |
| <fix> |
| Correctly decode URL paths (<code>+</code> should not be decoded to a |
| space in the path) in the <code>RequestDispatcher</code> and the web |
| application class loader. (markt) |
| </fix> |
| <add> |
| <bug>62559</bug>: Add <code>jaxb-*.jar</code> to the list of JARs |
| ignored by <code>StandardJarScanner</code>. (markt) |
| </add> |
| <add> |
| <bug>62560</bug>: Add <code>oraclepki.jar</code> to the list of JARs |
| ignored by <code>StandardJarScanner</code>. (markt) |
| </add> |
| <add> |
| <bug>62607</bug>: Return a non-zero exit code from |
| <code>catalina.[bat|sh] run</code> if Tomcat fails to start. (markt) |
| </add> |
| <scode> |
| Remove <code>ServletException</code> from declaration of |
| <code>Tomcat.addWebapp(String,String)</code> since it is never thrown. |
| Patch provided by Tzafrir. (markt) |
| </scode> |
| <fix> |
| Use short circuit logic to prevent potential NPE in CorsFilter. (fschumacher) |
| </fix> |
| <scode> |
| Simplify construction of appName from container name in JAASRealm. (fschumacher) |
| </scode> |
| <fix> |
| Improve the handling of path parameters when working with |
| RequestDispatcher objects. (markt) |
| </fix> |
| <fix> |
| <bug>62664</bug>: Process requests with content type |
| <code>multipart/form-data</code> to servlets with a |
| <code>@MultipartConfig</code> annotation regardless of HTTP method. |
| (markt) |
| </fix> |
| <fix> |
| <bug>62669</bug>: When using the SSIFilter and a resource does not |
| specify a content type, do not force the content type to |
| <code>application/x-octet-stream</code>. (markt) |
| </fix> |
| <fix> |
| When generating a redirect to a directory in the Default Servlet, avoid |
| generating a protocol relative redirect. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Refactor code that adds an additional header name to the |
| <code>Vary</code> HTTP response header to use a common utility method |
| that addresses several additional edge cases. (markt) |
| </fix> |
| <fix> |
| <bug>62526</bug>: Correctly handle PKCS12 format key stores when the key |
| store password is configured to be the empty string. Note that Java 6 |
| does not support PKCS12 key stores configured to use a store password of |
| the empty string. (markt) |
| </fix> |
| <fix> |
| <bug>62670</bug>: Adjust the memory leak protection for the |
| <code>DriverManager</code> so that JDBC drivers located in |
| <code>$CATALINA_HOME/lib</code> and <code>$CATALINA_BASE/lib</code> are |
| loaded via the service loader mechanism when the protection is enabled. |
| (markt) |
| </fix> |
| <fix> |
| <bug>62685</bug>: Correct an error in host name validation parsing that |
| did not allow a fully qualified domain name to terminate with a period. |
| Patch provided by AG. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>53011</bug>: When pre-compiling with JspC, report all compilation |
| errors rather than stopping after the first error. A new option |
| <code>-failFast</code> can be used to restore the previous behaviour of |
| stopping after the first error. Based on a patch provided by Marc Pompl. |
| (markt) |
| </fix> |
| <add> |
| <bug>53492</bug>: Make the Java file generation process multi-threaded. |
| By default, one thread will be used per core. Based on a patch by Dan |
| Fabulich. (markt) |
| </add> |
| <fix> |
| <bug>62603</bug>: Fix a potential race condition when development mode |
| is disabled and background compilation checks are enabled. It was |
| possible that some updates would not take effect and/or |
| <code>ClassNotFoundException</code>s would occur. (markt) |
| </fix> |
| <fix> |
| Correct the JSP version in the X-PoweredBy HTTP header generated when |
| the xpoweredBy option is enabled. (markt) |
| </fix> |
| <fix> |
| <bug>62662</bug>: Fix the corruption of web.xml output during JSP |
| compilation caused by the fix for <bug>53492</bug>. Patch provided by |
| Bernhard Frauendienst. (markt) |
| </fix> |
| <fix> |
| Correct parsing of XML whitespace in TLD function signatures that |
| incorrectly only looked for the space character. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>62596</bug>: Remove the limit on the size of the initial HTTP |
| upgrade request used to establish the web socket connection. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>62558</bug>: Add Russian translations for the Manager and Host |
| Manager web applications. Based on a patch by Ivan Krasnov. (markt) |
| </add> |
| <add> |
| <bug>62561</bug>: Add advanced class loader configuration information |
| regarding the use of the Server and Shared class loaders to the |
| documentation web application. (markt) |
| </add> |
| <add> |
| Expand the information in the documentation web application regarding |
| the use of <code>CATALINA_HOME</code> and <code>CATALINA_BASE</code>. |
| Patch provided by Marek Czernek. (markt) |
| </add> |
| <fix> |
| <bug>62652</bug>: Make it clearer that the version of DBCP that is |
| packaged in Tomcat 7.0.x is DBCP 1. (markt) |
| </fix> |
| <add> |
| <bug>62666</bug>: Expand internationalisation support in the Manager |
| application to include the server status page and provide Russian |
| translations in addition to English. Patch provided by Artem Chebykin. |
| (markt) |
| </add> |
| <fix> |
| <bug>62676</bug>: Expand the CORS filter documentation to make it clear |
| that explicit configuration is required to enable support for |
| cross-origin requests. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensures that the specified <code>rxBufSize</code> is correctly set to |
| receiver buffer size. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg) |
| </fix> |
| <fix> |
| Correct various spelling errors throughout the source code and |
| documentation. Patch provided by Kazuhiro Sera. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.90 (violetagg)" rtext="released 2018-07-06"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>62498</bug>: Correct a regression in the fix for CVE-2017-12617 |
| that caused request failures for some requests when using the |
| <code>VirtualDirContext</code>. (markt) |
| </fix> |
| <fix> |
| Delete reference to removed class that prevented Tomcat from starting |
| when running under a security manager. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.89 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| JNDI resources that are defined with injection targets but no value are |
| now treated as if the resource is not defined. (markt) |
| </fix> |
| <fix> |
| Ensure that JNDI names used for <code>&lt;lookup-name&gt;</code> entries |
| in web.xml and for <code>lookup</code> elements of |
| <code>@Resource</code> annotations specify a name with an explicit |
| <code>java:</code> namespace. (markt) |
| </fix> |
| <add> |
| <bug>51953</bug>: Add the <code>RemoteCIDRFilter</code> and |
| <code>RemoteCIDRValve</code> that can be used to allow/deny requests |
| based on IPv4 and/or IPv6 client address where the IP ranges are defined |
| using CIDR notation. Based on a patch by Francis Galiegue. (markt) |
| </add> |
| <fix> |
| <bug>62343</bug>: Make CORS filter defaults more secure. This is the fix |
| for CVE-2018-8014. (markt) |
| </fix> |
| <fix> |
| Make all loggers associated with Tomcat provided Filters non-static to |
| ensure that log messages are not lost when a web application is |
| reloaded. (markt) |
| </fix> |
| <fix> |
| Correct the manifest for the annotations-api.jar. The JAR implements the |
| Common Annotations API 1.1 and the manifest should reflect that. (markt) |
| </fix> |
| <fix> |
| Switch to non-static loggers where there is a possibility of a logger |
| becoming associated with a web application class loader causing log |
| messages to be lost if the web application is stopped. (markt) |
| </fix> |
| <add> |
| <bug>62389</bug>: Add the IPv6 loopback address to the default |
| <code>internalProxies</code> regular expression. Patch by Craig Andrews. |
| (markt) |
| </add> |
| <fix> |
| In the <code>RemoteIpValve</code> and <code>RemoteIpFilter</code>, |
| correctly handle the case when the request passes through one or more |
| <code>trustedProxies</code> but no <code>internalProxies</code>. Based |
| on a patch by zhanhb. (markt) |
| </fix> |
| <fix> |
| Correct the logic in <code>MBeanFactory.removeConnector()</code> to |
| ensure that the correct Connector is removed when there are multiple |
| Connectors using different addresses but the same port. (markt) |
| </fix> |
| <fix> |
| Make <code>JAASRealm</code> mis-configuration more obvious by requiring |
| the authenticated Subject to include at least one Principal of a type |
| specified by <code>userClassNames</code>. (markt) |
| </fix> |
| <fix> |
| <bug>62476</bug>: Use GMT timezone for the value of |
| <code>Expires</code> header as required by HTTP specification |
| (RFC 7231, 7234). (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Log an error message if the AJP connector detects that the reverse proxy |
| is sending AJP messages that are too large for the configured |
| <code>packetSize</code>. (markt) |
| </fix> |
| <fix> |
| <bug>62371</bug>: Improve logging of Host validation failures. (markt) |
| </fix> |
| <fix> |
| Correctly handle a digest authorization header when the user name |
| contains an escaped character. (markt) |
| </fix> |
| <fix> |
| Correctly handle a digest authorization header when one of the hex |
| field values ends the header with an invalid character. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Update web.xml, web-fragment.xml and web.xml extracts generated by JspC |
| to use the Servlet 3.0 version of the relevant schemas. (markt) |
| </fix> |
| <fix> |
| Improve IPv6 validation by ensuring that IPv4-Mapped IPv6 addresses do |
| not contain leading zeros in the IPv4 part. Based on a patch by Katya |
| Stoycheva. (markt) |
| </fix> |
| <fix> |
| <bug>62080</bug>: Ensure that all reads of the current thread's context |
| class loader made by the UEL API and implementation are performed via a |
| <code>PrivilegedAction</code> to ensure that a |
| <code>SecurityException</code> is not triggered when running under a |
| <code>SecurityManager</code>. (mark) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| When decoding of path parameter failed, make sure to throw |
| <code>DecodeException</code> instead of throwing |
| <code>ArrayIndexOutOfBoundsException</code>. (kfujino) |
| </fix> |
| <fix> |
| Enable host name verification when using TLS with the WebSocket client. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>62395</bug>: Clarify the meaning of the connector attribute |
| <code>minSpareThreads</code> in the documentation web application. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| When <code>logValidationErrors</code> is set to true, the connection |
| validation error is logged as <code>SEVERE</code> instead of |
| <code>WARNING</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>62391</bug>: Remove references to <code>javaw.exe</code> as this |
| file is not required by Tomcat and the references prevent the use of the |
| Server JRE. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.17 to |
| pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL |
| 1.0.2o. (markt) |
| </update> |
| <add> |
| Implement checksum checks when downloading dependencies that are used |
| to build Tomcat. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.88 (violetagg)" rtext="released 2018-05-11"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Treat the <code>&lt;mapped-name&gt;</code> element of a |
| <code>&lt;env-entry&gt;</code> in web.xml in the same way as the |
| <code>mappedName</code> element of the equivalent <code>@Resource</code> |
| annotation. Both now attempt to set the <code>mappedName</code> property |
| of the resource. (markt) |
| </fix> |
| <fix> |
| Correct the processing of resources with |
| <code>&lt;injection-target&gt;</code>s defined in web.xml. First look |
| for a match using JavaBean property names and then, only if a match is |
| not found, look for a match using fields. (markt) |
| </fix> |
| <fix> |
| When restoring a saved request with a request body after FORM |
| authentication, ensure that calls to the <code>HttpServletRequest</code> |
| methods <code>getRequestURI()</code>, <code>getQueryString()</code> and |
| <code>getProtocol()</code> are not corrupted by the processing of the |
| saved request body. (markt) |
| </fix> |
| <fix> |
| Fix startup failure when running under SecurityManager, a regression |
| from the fix for bug <bug>62273</bug>. (kkolinko) |
| </fix> |
| <fix> |
| <bug>62353</bug>: Correct a regression introduced in Tomcat 7.0.86. |
| Restore the ability for Tomcat 7 to run on Java 6 where Common |
| Annotations 1.0 is available. Document the requirement to use the Java |
| endorsed mechanism to use Common Annotations 1.1. (markt) |
| </fix> |
| <scode> |
| Refactor the <code>org.apache.naming</code> package to reduce duplicate |
| code. Duplicate code identified by the Simian tool. (markt) |
| </scode> |
| <fix> |
| <bug>50019</bug>: Add support for <code>&lt;lookup-name&gt;</code>. |
| Based on a patch by Gurkan Erdogdu. (markt) |
| </fix> |
| <fix> |
| <bug>60490</bug>: Various formatting and layout improvements for the |
| <code>ErrorReportValve</code>. Patch provided by Michael Osipov. (markt) |
| </fix> |
| <fix> |
| Relax Host validation by removing the requirement that the final |
| component of a FQDN must be alphabetic. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>50234</bug>: Add the capability to generate a web-fragment.xml file |
| to JspC. (markt) |
| </add> |
| <fix> |
| <bug>62350</bug>: Refactor |
| <code>org.apache.jasper.runtime.BodyContentImpl</code> so a |
| <code>SecurityException</code> is not thrown when running under a |
| SecurityManager and additional permissions are not required in the |
| <code>catalina.policy</code> file. This is a follow-up to the fix for |
| <bug>43925</bug>. (kkolinko/markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Remove duplicate calls when creating a replicated session to reduce the |
| time taken to create the session and thereby reduce the chances of a |
| subsequent session update message being ignored because the session does |
| not yet exist. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that the correct default value is returned when retrieving unset |
| properties in <code>McastService</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Add a <code>.gitattributes</code> file to make sure that Git |
| handles test data files for bug <bug>52121</bug> as binary. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.87 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>62316</bug>: Correct a regression in some refactoring that |
| broke the default factory for JDBC datasources. (markt) |
| </fix> |
| <fix> |
| Fix a rare edge case that is unlikely to occur in real usage. This edge |
| case meant that writing long streams of UTF-8 characters to the HTTP |
| response that consisted almost entirely of surrogate pairs could result |
| in one surrogate pair being dropped. (markt) |
| </fix> |
| <fix> |
| Register MBean when DataSource Resource |
| <code>type="javax.sql.XADataSource"</code>. |
| Patch provided by Masafumi Miura. (csutherl) |
| </fix> |
| <add> |
| Update the internal fork of Apache Commons BCEL to r1829827 to add early |
| access Java 11 support to the annotation scanning code. (markt) |
| </add> |
| <fix> |
| <bug>62297</bug>: Enable the <code>CrawlerSessionManagerValve</code> to |
| correctly handle bots that crawl multiple hosts and/or web applications |
| when the Valve is configured on a Host or an Engine. (fschumacher) |
| </fix> |
| <add> |
| Collapse multiple leading <code>/</code> characters to a single |
| <code>/</code> in the return value of |
| <code>HttpServletRequest#getContextPath()</code> to avoid issues if the |
| value is used with <code>HttpServletResponse#sendRedirect()</code>. This |
| behaviour is enabled by default and configurable via the new Context |
| attribute <code>allowMultipleLeadingForwardSlashInPath</code>. (markt) |
| </add> |
| <fix> |
| Improve handling of overflow in the UTF-8 decoder with supplementary |
| characters. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Enable strict validation of the provided host name and port for all |
| connectors. Requests with invalid host names and/or ports will be |
| rejected with a 400 response. (markt) |
| </add> |
| <fix> |
| Implement the requirements of RFC 7230 (and RFC 2616) that HTTP/1.1 |
| requests must include a <code>Host</code> header and any request that |
| does not must be rejected with a 400 response. (markt) |
| </fix> |
| <fix> |
| Implement the requirements of RFC 7230 that any HTTP/1.1 request that |
| specifies a host in the request line, must specify the same host in the |
| <code>Host</code> header and that any such request that does not, must |
| be rejected with a 400 response. This check is optional and disabled by |
| default. It may be enabled with the |
| <code>allowHostHeaderMismatch</code> attribute of the Connector. (markt) |
| </fix> |
| <fix> |
| Implement the requirements of RFC 7230 that any HTTP/1.1 request that |
| contains multiple <code>Host</code> headers is rejected with a 400 |
| response. (markt) |
| </fix> |
| <add> |
| <bug>62273</bug>: Implement configuration options to work-around |
| specification non-compliant user agents (including all the major |
| browsers) that do not correctly %nn encode URI paths and query strings |
| as required by RFC 7230 and RFC 3986. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Enable ECJ version 4.7 and later to be used as a drop in replacement for |
| the ECJ version that ships with Apache Tomcat. (markt) |
| </fix> |
| <fix> |
| Enable Java 10 to be specified as a JSP source and/or target if a newer |
| ECJ version is used. (markt) |
| </fix> |
| <fix> |
| <bug>62287</bug>: Do not rely on hash codes to test instances of |
| <code>ValueExpressionImpl</code> for equality. Patch provided by Mark |
| Struberg. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>62301</bug>: Correct a regression in the fix for <bug>61491</bug> |
| that didn't correctly handle a final empty message part in all |
| circumstances when using <code>PerMessageDeflate</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Avoid warning when running under Cygwin when the |
| <code>JAVA_ENDORSED_DIRS</code> environment variable is not set. Patch |
| provided by Zemian Deng. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.86 (violetagg)" rtext="released 2018-04-13"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>51195</bug>: Avoid a false positive report of a web application |
| memory leak by clearing <code>ObjectStreamClass$Caches</code> of classes |
| loaded by the web application when the web application is stopped. |
| (markt) |
| </fix> |
| <fix> |
| <bug>52688</bug>: Add support for the <code>maxDays</code> attribute to |
| the <code>AccessLogValve</code> and <code>ExtendedAccessLogValve</code>. |
| This allows the maximum number of days for which rotated access logs |
| should be retained before deletion to be defined. (markt) |
| </fix> |
| <fix> |
| Prevent Tomcat from applying gzip compression to content that is already |
| compressed with brotli compression. Based on a patch provided by burka. |
| (markt) |
| </fix> |
| <fix> |
| <bug>62090</bug>: Null container names are not allowed. (remm) |
| </fix> |
| <fix> |
| <bug>62104</bug>: Fix programmatic login regression as the |
| NonLoginAuthenticator has to be set for it to work (if no login method |
| is specified). (remm) |
| </fix> |
| <fix> |
| <bug>62117</bug>: Improve error message in <code>catalina.sh</code> when |
| calling <code>kill -0 &lt;pid&gt;</code> fails. Based on a suggestion |
| from Mark Morschhaeuser. (markt) |
| </fix> |
| <fix> |
| <bug>62118</bug>: Correctly create a JNDI <code>ServiceRef</code> using |
| the specified interface rather than the concrete type. Based on a |
| suggestion by Ángel Álvarez Páscua. (markt) |
| </fix> |
| <fix> |
| Fix for <code>RequestDumperFilter</code> log attribute. Patch provided |
| by Kirill Romanov via GitHub. (violetagg) |
| </fix> |
| <fix> |
| <bug>62123</bug>: Avoid <code>ConcurrentModificationException</code> |
| when attempting to clean up application triggered RMI memory leaks on |
| web application stop. (markt) |
| </fix> |
| <fix> |
| <bug>62168</bug>: When using the <code>PersistentManager</code> honor a |
| value of <code>-1</code> for <code>minIdleSwap</code> and do not swap |
| out sessions to keep the number of active sessions under |
| <code>maxActive</code>. Patch provided by Holger Sunke. (markt) |
| </fix> |
| <fix> |
| <bug>62172</bug>: Improve Javadoc for |
| <code>org.apache.catalina.startup.Constants</code> and ensure that the |
| constants are correctly used. (markt) |
| </fix> |
| <fix> |
| <bug>62175</bug>: Avoid infinite recursion, when trying to validate |
| a session while loading it with <code>PersistentManager</code>. |
| (fschumacher) |
| </fix> |
| <fix> |
| Ensure that <code>NamingContextListener</code> instances are only |
| notified once of property changes on the associated naming resources. |
| (markt) |
| </fix> |
| <add> |
| <bug>62224</bug>: Disable the <code>forkJoinCommonPoolProtection</code> |
| of the <code>JreMemoryLeakPreventionListener</code> when running on Java |
| 9 and above since the underlying JRE bug has been fixed. (markt) |
| </add> |
| <fix> |
| <bug>62263</bug>: Avoid a <code>NullPointerException</code> when the |
| <code>RemoteIpValve</code> processes a request for which no Context can |
| be found. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct off-by-one error in thread pool that allowed thread pools to |
| increase in size to one more than the configured limit. Patch provided |
| by usc. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Work-around a known, non-specification compliant behaviour in some |
| versions of IE that can allow XSS when the Manager application generates |
| a plain text response. Based on a suggestion from Muthukumar Marikani. |
| (markt) |
| </add> |
| <add> |
| Add document for <code>FragmentationInterceptor</code>. (kfujino) |
| </add> |
| <add> |
| Document how the roles for an authenticated user are determined when the |
| <code>CombinedRealm</code> is used. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Ensure that <code>SQLWarning</code> has been cleared when connection |
| returns to the pool. (kfujino) |
| </fix> |
| <fix> |
| Ensure that parameters have been cleared when |
| <code>PreparedStatement</code> and/or <code>CallableStatement</code> are |
| cached. (kfujino) |
| </fix> |
| <fix> |
| Enable PoolCleaner to be started even if <code>validationQuery</code> |
| is not set. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the build script so MD5 hashes are no longer generated for |
| releases as per the change in the ASF distribution policy. (markt) |
| </update> |
| <fix> |
| <bug>62164</bug>: Switch the build script to use TLS for downloads from |
| SourceForge and Maven Central to avoid failures due to HTTP to HTTPS |
| redirects. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.85 (violetagg)" rtext="released 2018-02-13"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Prevent a stack trace being written to standard out when running on Java |
| 10 due to changes in the <code>LogManager</code> implementation. (markt) |
| </fix> |
| <fix> |
| Avoid duplicate load attempts if one has been made already. (remm) |
| </fix> |
| <fix> |
| Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine. |
| (remm) |
| </fix> |
| <fix> |
| <bug>58143</bug>: Fix calling classloading transformers broken in 7.0.70 |
| by the fix for <bug>59619</bug>. This was observed when using Spring |
| weaving. (rjung) |
| </fix> |
| <fix> |
| <bug>62000</bug>: When a JNDI reference cannot be resolved, ensure that |
| the root cause exception is reported rather than swallowed. (markt) |
| </fix> |
| <fix> |
| <bug>62036</bug>: When caching an authenticated user Principal in the |
| session when the web application is configured with the |
| <code>NonLoginAuthenticator</code>, cache the internal Principal object |
| rather than the user facing Principal object as Tomcat requires the |
| internal object to correctly process later authorization checks. (markt) |
| </fix> |
| <fix> |
| <bug>62067</bug>: Correctly apply security constraints mapped to the |
| context root using a URL pattern of <code>""</code>. (markt) |
| </fix> |
| <fix> |
| When using Tomcat embedded, only perform Authenticator configuration |
| once during web application start. (markt) |
| </fix> |
| <fix> |
| Process all <code>ServletSecurity</code> annotations at web application |
| start rather than at servlet load time to ensure constraints are applied |
| consistently. (markt) |
| </fix> |
| <fix> |
| Minor optimization when calling class transformers. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>48672</bug>: Add documentation for the Host Manager web |
| application. Patch provided by Marek Czernek. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.03. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.84 (violetagg)" rtext="released 2018-01-24"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>47214</bug>: Use a loop to preload anonymous inner classes |
| when running under a <code>SecurityManager</code>, to be safe for |
| future changes in the code or using a different compiler. (kkolinko) |
| </fix> |
| <add> |
| <bug>57619</bug>: Implement a small optimisation to how JAR URLs are |
| processed to reduce the storage of duplicate String objects in memory. |
| Patch provided by Dmitri Blinov. (markt) |
| </add> |
| <add> |
| <bug>61810</bug>: Support configuring the interval to keep all jars open |
| if no jar is accessed. A non-positive interval indicates |
| keeping jars always open. (huxing) |
| </add> |
| <fix> |
| <bug>61886</bug>: Pre-load additional classes to prevent |
| <code>SecurityException</code>s if the first request received when |
| running under a <code>SecurityManager</code> is an asynchronous Servlet. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61916</bug>: Extend the <code>AddDefaultCharsetFilter</code> to add |
| a character set when the content type is set via |
| <code>setHeader()</code> or <code>addHeader()</code> as well as when it |
| is set via <code>setContentType()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>61999</bug>: maxSavePostSize set to 0 should disable saving POST |
| data during authentication. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61886</bug>: Log errors on non-container threads at |
| <code>DEBUG</code> rather than <code>INFO</code>. The exception will be |
| made available to the application via the asynchronous error handling |
| mechanism. (markt) |
| </fix> |
| <fix> |
| <bug>61993</bug>: Improve handling for <code>ByteChunk</code> and |
| <code>CharChunk</code> instances that grow close to the maximum size |
| allowed by the JRE. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>43925</bug>: Add a new system property |
| (<code>org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE</code>) to |
| control the size of the buffer used by Jasper when buffering tag bodies. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>61223</bug>: Add the mbeans-descriptors.dtd file to the custom |
| MBean documentation so users have a reference to use when constructing |
| mbeans-descriptors.xml files for custom components. (markt) |
| </add> |
| <fix> |
| Partial fix for <bug>61886</bug>. Ensure that multiple threads do not |
| attempt to complete the <code>AsyncContext</code> if an I/O error occurs |
| in the stock ticker example Servlet. (markt) |
| </fix> |
| <fix> |
| <bug>61886</bug>: Prevent <code>ConcurrentModificationException</code> |
| when running the asynchronous stock ticker in the examples web |
| application. (markt) |
| </fix> |
| <fix> |
| <bug>61886</bug>: Prevent <code>NullPointerException</code> and other |
| errors if the stock ticker example is running when the examples web |
| application is stopped. (markt) |
| </fix> |
| <fix> |
| <bug>61910</bug>: Clarify the meaning of the <code>allowLinking</code> |
| option in the documentation web application. (markt) |
| </fix> |
| <add> |
| Add OCSP configuration information to the SSL How-To. Patch provided by |
| Marek Czernek. (markt) |
| </add> |
| <fix> |
| <bug>62006</bug>: Document the new <code>JvmOptions9</code> command line |
| parameter for <code>tomcat7.exe</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>61312</bug>: Prevent <code>NullPointerException</code> when using |
| the statement cache of connection that has been closed. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the internal fork of Commons FileUpload to 6c00d57 (2017-11-23) |
| to pick up some code clean-up. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to r1817136 to pick up some |
| code clean-up. (markt) |
| </update> |
| <fix> |
| The native source bundles (for Commons Daemon and Tomcat Native) are no |
| longer copied to the bin directory for the deploy target. They are now |
| only copied to the bin directory for the release target. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.83 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| When running under Java 9 or later, and the |
| <code>urlCacheProtection</code> option of the |
| <code>JreMemoryLeakPreventionListener</code> is enabled, use the API |
| added in Java 9 to only disable the caching for JAR URL connections. |
| (markt) |
| </add> |
| <fix> |
| <bug>61581</bug>: Fix possible <code>SecurityException</code> when using |
| the APR/native connector with a <code>SecurityManager</code>. (markt) |
| </fix> |
| <fix> |
| <bug>61597</bug>: Extend the <code>StandardJarScanner</code> to scan |
| JARs on the module path when running on Java 9 and class path scanning |
| is enabled. (markt) |
| </fix> |
| <fix> |
| Fix the JMX descriptor for <code>Wrapper.findInitParameter()</code>. |
| (rjung) |
| </fix> |
| <fix> |
| <bug>61601</bug>: Add support for multi-release JARs in JAR scanning and |
| web application class loading. (markt) |
| </fix> |
| <fix> |
| Revert the change from 7.0.80 that called |
| <code>ServletResponse.setLocale()</code> if the |
| <code>Content-Language</code> HTTP header was set directly. (markt) |
| </fix> |
| <add> |
| Provide the <code>SessionInitializerFilter</code> that can be used to |
| ensure that an HTTP session exists when initiating a WebSocket |
| connection. Patch provided by isapir. (markt) |
| </add> |
| <fix> |
| Avoid a possible <code>NullPointerException</code> when timing out |
| <code>AsyncContext</code> instances during shut down. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>57870</bug>: When running on Java 7 or later, take advantage of the |
| new <code>syncFlush</code> parameter when constructing a |
| <code>GZIPOutputStream</code> rather than using the custom |
| <code>FlushableGZIPOutputStream</code> implementation as a work-around. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61736</bug>: Improve performance of NIO connector when clients |
| leave large time gaps between network packets. Patch provided by Zilong |
| Song. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Enable Jasper to compile JSPs for Java 9. In addition to configuring the |
| JSP servlet for Java 9 via the <code>compilerSourceVM</code> and |
| <code>compilerTargetVM</code>, it is necessary to replace |
| <code>ecj-4.4.2.jar</code> with a more recent version that supports Java |
| 9. (markt) |
| </add> |
| <fix> |
| <bug>61816</bug>: Invalid expressions in attribute values or template |
| text should trigger a translation (compile time) error, not a run time |
| error. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>61604</bug>: Add support for authentication in the websocket |
| client. Patch submitted by J Fernandez. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>61603</bug>: Add XML filtering for the status servlet output where |
| needed. (remm) |
| </fix> |
| <fix> |
| Correct the description of how the CGI servlet maps a request to a |
| script in the CGI How-To. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Fix incorrect behavior that attempts to resend channel messages more |
| than the actual setting value of <code>maxRetryAttempts</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the remaining Sender can send channel messages by avoiding |
| unintended <code>ChannelException</code> caused by comparing the number |
| of failed members and the number of remaining Senders. (kfujino) |
| </fix> |
| <fix> |
| Ensure that remaining SelectionKeys that were not handled by throwing a |
| <code>ChannelException</code> during SelectionKey processing are |
| handled. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Improve the fix for <bug>61439</bug> and exclude the JPA, JAX-WS and EJB |
| annotations completely from the Tomcat distributions. (markt) |
| </fix> |
| <fix> |
| Improve handling of endorsed directories. The endorsed directory |
| mechanism will only be used if the <code>JAVA_ENDORSED_DIRS</code> |
| system property is explicitly set or if |
| <code>$CATALINA_HOME/endorsed</code> exists. When running on Java 9, any |
| such attempted use of the endorsed directory mechanism will trigger an |
| error and Tomcat will fail to start. (rjung) |
| </fix> |
| <scode> |
| Refactoring in preparation for Java 9. Refactor to avoid using some |
| methods that will be deprecated in Java 9 onwards. (markt) |
| </scode> |
| <add> |
| <bug>51496</bug>: When using the Windows installer, check if the |
| requested service name already exists and, if it does, prompt the user |
| to select an alternative service name. Patch provided by Ralph |
| Plawetzki. (markt) |
| </add> |
| <fix> |
| Add necessary Java 9 configuration options to the startup scripts to |
| prevent warnings being generated on web application stop. (markt) |
| </fix> |
| <fix> |
| <bug>61590</bug>: Enable <code>service.bat</code> to recognise when |
| <code>JAVA_HOME</code> is configured for a Java 9 JDK. (markt) |
| </fix> |
| <fix> |
| <bug>61598</bug>: Update the Windows installer to search the new (as of |
| Java 9) registry locations when looking for a JRE. (markt) |
| </fix> |
| <add> |
| Add generation of a SHA-512 hash for release artifacts to the build |
| script. (markt) |
| </add> |
| <fix> |
| <bug>61658</bug>: Update MIME mappings for fonts to use |
| <code>font/*</code> as per RFC8081. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.16 to |
| pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL |
| 1.0.2m. (markt) |
| </update> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.02.1. (kkolinko) |
| </update> |
| <update> |
| Update the Windows installer to use "The Apache Software Foundation" as |
| the Publisher when Tomcat is displayed in the list of installed |
| applications in Microsoft Windows. (kkolinko) |
| </update> |
| <fix> |
| <bug>61803</bug>: Remove outdated SSL information from the Security |
| documentation. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.82 (violetagg)" rtext="released 2017-10-03"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>61210</bug>: When running under a SecurityManager, do not print a |
| warning about not being able to read a logging configuration file when |
| that file does not exist. (markt) |
| </fix> |
| <add> |
| <bug>61280</bug>: Add RFC 7617 support to the |
| <code>BasicAuthenticator</code>. Note that the default configuration |
| does not change the existing behaviour. (markt) |
| </add> |
| <fix> |
| <bug>61452</bug>: Fix a copy paste error that caused an |
| <code>UnsupportedEncodingException</code> when using WebDAV. (markt) |
| </fix> |
| <fix> |
| Correct regression in 7.0.80 that broke the use of relative paths with |
| the <code>extraResourcePaths</code> attribute of a |
| <code>VirtualDirContext</code>. (markt) |
| </fix> |
| <add> |
| <bug>61489</bug>: When using the CGI servlet, make the generation of |
| command line arguments from the query string (as per section 4.4 of RFC |
| 3875) optional. The feature is enabled by default for consistency with |
| previous releases. Based on a patch by jm009. (markt) |
| </add> |
| <fix> |
| Correct a regression in 7.0.80 and 7.0.81 that wrapped the |
| <code>DirContext</code> that represented the web application in a |
| <code>ProxyDirContext</code> twice rather than just once. (markt) |
| </fix> |
| <fix> |
| <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being |
| uploaded via a specially crafted request when HTTP PUT was enabled. |
| (markt) |
| </fix> |
| <fix> |
| Use the correct path when loading the JVM <code>logging.properties</code> |
| file for Java 9. (rjung) |
| </fix> |
| <fix> |
| <bug>61554</bug>: Exclude test files in unusual encodings and markdown |
| files intended for display in GitHub from RAT analysis. Patch provided |
| by Chris Thistlethwaite. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>48655</bug>: Enable Tomcat to shut down cleanly when using sendfile, |
| the APR/native connector and a multi-part download is in progress. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58244</bug>: Handle the case when OpenSSL resumes a TLS session |
| using a ticket and the full client certificate chain is not available. |
| In this case the client certificate without the chain will be presented |
| to the application. (markt) |
| </fix> |
| <fix> |
| Fix random <code>SocketTimeoutException</code>s when reading the request |
| <code>InputStream</code>. Based on a patch by Peter Major. (markt) |
| </fix> |
| <fix> |
| <bug>60900</bug>: Avoid a <code>NullPointerException</code> in the APR |
| Poller if a connection is closed at the same time as new data arrives on |
| that connection. (markt) |
| </fix> |
| <add> |
| Add an option to reject requests that contain HTTP headers with invalid |
| (non-token) header names with a 400 response. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>61491</bug>: When using the <code>permessage-deflate</code> |
| extension, correctly handle the sending of empty messages after |
| non-empty messages to avoid the <code>IllegalArgumentException</code>. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| To avoid unexpected session timeout notification from backup session, |
| update the access time when receiving the map member notification |
| message. (kfujino) |
| </fix> |
| <fix> |
| Add member info to the log message when the failure detection check |
| fails in <code>TcpFailureDetector</code>. (kfujino) |
| </fix> |
| <fix> |
| Avoid Ping timeout until the added map member by receiving |
| <code>MSG_START</code> message is completely started. (kfujino) |
| </fix> |
| <fix> |
| When sending a channel message, make sure that the Sender has connected. |
| (kfujino) |
| </fix> |
| <fix> |
| Correct the backup node selection logic that node 0 is returned twice |
| consecutively. (kfujino) |
| </fix> |
| <fix> |
| Fix race condition of <code>responseMap</code> in |
| <code>RpcChannel</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>61391</bug>: Ensure that failed queries are logged if the |
| <code>SlowQueryReport</code> interceptor is configured to do so and the |
| connection has been abandoned. Patch provided by Craig Webb. (markt) |
| </fix> |
| <fix> |
| <bug>61425</bug>: Ensure that transaction of idle connection has |
| terminated when the <code>testWhileIdle</code> is set to |
| <code>true</code> and <code>defaultAutoCommit</code> is set to |
| <code>false</code>. Patch provided by WangZheng. (kfujino) |
| </fix> |
| <fix> |
| <bug>61545</bug>: Correctly handle invocations of methods defined in the |
| <code>PooledConnection</code> interface when using pooled XA |
| connections. Patch provided by Nils Winkler. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>61439</bug>: Remove the Java Annotation API classes from |
| tomcat-embed-core.jar and package them in a separate JAR in the |
| embedded distribution to provide end users with greater flexibility to |
| handle potential conflicts with the JRE and/or other JARs. (markt) |
| </fix> |
| <fix> |
| <bug>61441</bug>: Improve the detection of <code>JAVA_HOME</code> by the |
| <code>daemon.sh</code> script when running on a platform where Java has |
| been installed from an RPM. (rjung) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.14 to |
| pick up the latest Windows binaries built with APR 1.6.2 and OpenSSL |
| 1.0.2l. (markt) |
| </update> |
| <fix> |
| Update fix for <bug>59904</bug> so that values less than zero are accepted |
| instead of throwing a NegativeArraySizeException. (remm) |
| </fix> |
| <fix> |
| <bug>61563</bug>: Correct typos in Spanish translation. Patch provided by |
| Gonzalo Vásquez. (csutherl) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.81 (violetagg)" rtext="released 2017-08-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct regression in 7.0.80 that broke WebDAV. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.80 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>56785</bug>: Avoid <code>NullPointerException</code> if directory |
| exists on the class path that is not readable by the Tomcat user. |
| (markt) |
| </fix> |
| <fix> |
| Additional permission for deleting files is granted to JULI as it is |
| required by FileHandler when running under a Security Manager. The |
| thread that cleans the log files is marked as daemon thread. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>61229</bug>: Correct a regression in 7.0.78 that broke WebDAV |
| handling for resources with names that included a <code>&amp;</code> |
| character. (markt) |
| </fix> |
| <add> |
| If the <code>Content-Language</code> HTTP header is set directly, |
| attempt to determine the Locale from the header value and call |
| <code>ServletResponse.setLocale()</code> with the derived Locale. |
| (markt) |
| </add> |
| <fix> |
| <bug>61232</bug>: When log rotation is disabled only one separator will |
| be used when generating the log file name. For example if the prefix is |
| <code>catalina.</code> and the suffix is <code>.log</code> then the log |
| file name will be <code>catalina.log</code> instead of |
| <code>catalina..log</code>. Patch provided by Katya Stoycheva. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>61253</bug>: Add warn message when Digester.updateAttributes |
| throws an exception instead of ignoring it. (csutherl) |
| </fix> |
| <fix> |
| <bug>61313</bug>: Make the read timeout configurable in the |
| <code>JNDIRealm</code> and ensure that a read timeout will result in an |
| attempt to fail over to the alternateURL. Based on patches by Peter |
| Maloney and Felix Schumacher. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61086</bug>: Explicitly signal an empty request body for |
| HTTP 205 responses. Additional fix to r1795278. Based on a patch |
| provided by Alexandr Saperov. (violetagg) |
| </fix> |
| <fix> |
| <bug>61322</bug>: Correct two regressions caused by the fix for |
| <bug>60319</bug> when using BIO with an external Executor. Firstly, use |
| the <code>maxThreads</code> setting from the Executor as the default for |
| <code>maxConnections</code> if none is specified. Secondly, use |
| <code>maxThreads</code> from the Executor when calculating the point at |
| which to disable keep-alive. (markt) |
| </fix> |
| <add> |
| Add additional logging to record problems that occur while waiting for |
| the NIO pollers to stop during the Connector stop process. (markt) |
| </add> |
| <fix> |
| Prevent exceptions being thrown during normal shutdown of NIO |
| connections. This enables TLS connections to close cleanly. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>53031</bug>: Add support for the <code>fork</code> option when |
| compiling JSPs with the Jasper Ant task and javac. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| <bug>57767</bug>: Add support to the WebSocket client for following |
| redirects when attempting to establish a WebSocket connection. Patch |
| provided by J Fernandez. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>52791</bug>: Add the ability to set the defaults used by the |
| Windows installer from a configuration file. Patch provided by Sandra |
| Madden. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.79 (violetagg)" rtext="released 2017-07-01"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>61101</bug>: CORS filter should set Vary header in response. |
| Submitted by Rick Riemer. (remm) |
| </fix> |
| <add> |
| <bug>61105</bug>: Add a new JULI FileHandler configuration for |
| specifying the maximum number of days to keep the log files. |
| (violetagg) |
| </add> |
| <fix> |
| Improve the <code>SSLValve</code> so it is able to handle client |
| certificate headers from Nginx. Based on a patch by Lucas Ventura Carro. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61154</bug>: Allow the Manager and Host Manager web applications to |
| start by default when running under a security manager. This was |
| accomplished by adding a custom permission, |
| <code>org.apache.catalina.security.DeployXmlPermission</code>, that |
| permits an application to use a <code>META-INF/context.xml</code> file |
| and then granting that permission to the Manager and Host Manager. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61173</bug>: Polish the javadoc for |
| <code>o.a.catalina.startup.Tomcat</code>. Patch provided by |
| peterhansson_se. (violetagg) |
| </fix> |
| <add> |
| A new configuration property <code>crawlerIps</code> is added to the |
| <code>o.a.catalina.valves.CrawlerSessionManagerValve</code>. Using this |
| property one can specify a regular expression that will be used to |
| identify crawlers based on their IP address. Based on a patch provided |
| by Tetradeus. (violetagg) |
| </add> |
| <fix> |
| <bug>61180</bug>: Log a warning message rather than an information |
| message if it takes more than 100ms to initialise a |
| <code>SecureRandom</code> instance for a web application to use to |
| generate session identifiers. Patch provided by Piotr Chlebda. (markt) |
| </fix> |
| <fix> |
| <bug>61185</bug>: When an asynchronous request is dispatched via |
| <code>AsyncContext.dispatch()</code> ensure that |
| <code>getRequestURI()</code> for the dispatched request matches that of |
| the original request. (markt) |
| </fix> |
| <fix> |
| <bug>61201</bug>: Ensure that the <code>SCRIPT_NAME</code> environment |
| variable for CGI executables is populated in a consistent way regardless |
| of how the CGI servlet is mapped to a request. (markt) |
| </fix> |
| <fix> |
| <bug>61215</bug>: Correctly define <code>addConnectorPort</code> and |
| <code>invalidAuthenticationWhenDeny</code> in the |
| <code>mbean-descriptors.xml</code> file for the |
| <code>org.apache.catalina.valves</code> package so that the attributes |
| are accessible via JMX. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61086</bug>: Explicitly signal an empty request body for HTTP 205 |
| responses. (markt) |
| </fix> |
| <fix> |
| Revert a change introduced in the fix for bug <bug>60718</bug> that |
| changed the status code recorded in the access log when the client |
| dropped the connection from 200 to 500. (markt) |
| </fix> |
| <fix> |
| Make asynchronous error handling more robust. In particular ensure that |
| <code>onError()</code> is called for any registered |
| <code>AsyncListener</code>s after an I/O error on a non-container |
| thread. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>44787</bug>: Improve error message when JSP compiler configuration |
| options are not valid. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correct the log message when a <code>MessageHandler</code> for |
| <code>PongMessage</code> does not implement |
| <code>MessageHandler.Whole</code>. (rjung) |
| </fix> |
| <fix> |
| Improve thread-safety of <code>Future</code>s used to report the result |
| of sending WebSocket messages. (markt) |
| </fix> |
| <fix> |
| <bug>61183</bug>: Correct a regression in the previous fix for |
| <bug>58624</bug> that could trigger a deadlock depending on the locking |
| strategy employed by the client code. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Better document the meaning of the trimSpaces option for Jasper. (markt) |
| </fix> |
| <fix> |
| <bug>61150</bug>: Configure the Manager and Host-Manager web |
| applications to permit serialization and deserialization of |
| CsrfPreventionFilter related session objects to avoid warning messages |
| and/or stack traces on web application stop and/or start when running |
| under a security manager. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add JMX support for Tribes components. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>45832</bug>: Add HTTP DIGEST authentication support to the Catalina |
| Ant tasks used to communicate with the Manager application. (markt) |
| </add> |
| <fix> |
| <bug>45879</bug>: Add the <code>RELEASE-NOTES</code> file to the root of |
| the installation created by the Tomcat installer for Windows to make it |
| easier for users to identify the installed Tomcat version. (markt) |
| </fix> |
| <fix> |
| <bug>61076</bug>: Document the <code>altDDName</code> attribute for the |
| <code>Context</code> element. (markt) |
| </fix> |
| <fix> |
| <bug>61145</bug>: Add missing <code>@Documented</code> annotation to |
| annotations in the annotations API. Patch provided by Katya Todorova. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61146</bug>: Add missing <code>lookup()</code> method to |
| <code>@EJB</code> annotation in the annotations API. Patch provided by |
| Katya Todorova. (markt) |
| </fix> |
| <fix> |
| Correct typo in Context Container Configuration Reference. |
| Patch provided by Katya Todorova. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.78 (violetagg)" rtext="released 2017-05-16"> |
| <subsection name="General"> |
| <changelog> |
| <add> |
| Allow JUnit test classes to be excluded using the build property |
| <code>test.exclude</code> and document the property in |
| BUILDING.txt. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Review those places where Tomcat re-encodes a URI or URI component and |
| ensure that the correct encoding (path differs from query string) is |
| applied and that the encoding is applied consistently. (markt) |
| </fix> |
| <fix> |
| Use a more reliable mechanism for the <code>DefaultServlet</code> when |
| determining if the current request is for a custom error page or not. |
| (markt) |
| </fix> |
| <fix> |
| Ensure that when the Default or WebDAV servlets process an error |
| dispatch that the error resource is processed via the |
| <code>doGet()</code> method irrespective of the method used for the |
| original request that triggered the error. (markt) |
| </fix> |
| <fix> |
| If a static custom error page is specified that does not exist or cannot |
| be read, ensure that the intended error status is returned rather than a |
| 404. (markt) |
| </fix> |
| <fix> |
| When the WebDAV servlet is configured and an error dispatch is made to a |
| custom error page located below <code>WEB-INF</code>, ensure that the |
| target error page is displayed rather than a 404 response. (markt) |
| </fix> |
| <add> |
| <bug>61047</bug>: Add MIME mapping for woff2 fonts in the default |
| web.xml. Patch provided by Justin Williamson. (violetagg) |
| </add> |
| <fix> |
| Correct the logic that selects the encoding to use to decode the query |
| string in the <code>SSIServletExternalResolver</code> so that the |
| <code>useBodyEncodingForURI</code> attribute of the |
| <code>Connector</code> is correctly taken into account. (markt) |
| </fix> |
| <fix> |
| <bug>61072</bug>: Respect the documentation statements that allow |
| using the platform default secure random for session id generation. |
| (remm) |
| </fix> |
| <fix> |
| Correct the javadoc for |
| <code>o.a.c.connector.CoyoteAdapter#parseSessionCookiesId</code>. |
| Patch provided by John Andrew (XUZHOUWANG) via Github. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60925</bug>: Improve the handling of access to properties defined |
| by interfaces when a <code>BeanELResolver</code> is used under a |
| <code>SecurityManager</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>61003</bug>: Ensure the flags for reading/writing in |
| <code>o.a.t.websocket.AsyncChannelWrapperSecure</code> are correctly |
| reset even if some exceptions occurred during processing. (markt/violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Document the property <code>test.excludePerformance</code> |
| in BUILDING.txt. (rjung) |
| </add> |
| <add> |
| Add documentation for the <code>maxIdleTime</code> attribute to Channel Receiver |
| docs. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <scode> |
| Refactor the creation of a constructor for a proxy class to reduce |
| duplicate code. (kfujino) |
| </scode> |
| <fix> |
| In <code>StatementFacade</code>, method calls on statements that |
| have been closed throw <code>SQLException</code> rather than |
| <code>NullPointerException</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct comments about Java 8 in <code>Jre8Compat</code>. |
| Patch provided by fibbers via Github. (violetagg) |
| </fix> |
| <fix> |
| <bug>60932</bug>: Correctly escape single quotes when used in i18n |
| messages. Based on a patch by Michael Osipov. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.77 (violetagg)" rtext="released 2017-04-02"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>54618</bug>: Add support to the |
| <code>HttpHeaderSecurityFilter</code> for the HSTS preload parameter. |
| (markt) |
| </add> |
| <fix> |
| <bug>60911</bug>: Ensure NPE will not be thrown when looking for SSL |
| session ID. Based on a patch by Didier Gutacker. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When using the NIO2 connector, ensure a WebSocket close frame is |
| processed before the end of stream is processed to ensure that the end |
| of stream is processed correctly. (markt) |
| </fix> |
| <fix> |
| <bug>60852</bug>: Correctly spell compressible when used in |
| configuration attributes and internal code. Based on a patch by Michael |
| Osipov. (markt) |
| </fix> |
| <fix> |
| Improve sendfile handling when requests are pipelined. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Improve the error handling for simple tags to ensure that the tag is |
| released and destroyed once used. (remm, violetagg) |
| </fix> |
| <fix> |
| <bug>60844</bug>: Correctly handle the error when fewer parameter values |
| than required by the method are used to invoke an EL method expression. |
| Patch provided by Daniel Gray. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>60764</bug>: Implement <code>equals()</code> and |
| <code>hashCode()</code> in the <code>StatementFacade</code> in order to |
| enable these methods to be called on the closed statements if any |
| statement proxy is set. This behavior can be changed with |
| <code>useStatementFacade</code> attribute. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.76 (markt)" rtext="released 2017-03-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <scode> |
| Make it easier for sub-classes of <code>Tomcat</code> to modify the |
| default web.xml settings by overriding |
| <code>getDefaultWebXmlListener()</code>. Patch provided by Aaron |
| Anderson. (markt) |
| </scode> |
| <fix> |
| Reduce the contention in the default <code>InstanceManager</code> |
| implementation when multiple threads are managing objects and need to |
| reference the annotation cache. (markt) |
| </fix> |
| <scode> |
| <bug>60674</bug>: Remove <code>final</code> marker from |
| <code>CorsFilter</code> to enable sub-classing. (markt) |
| </scode> |
| <fix> |
| <bug>60683</bug>: Security manager failure causing NPEs when doing IO |
| on some JVMs. (csutherl) |
| </fix> |
| <fix> |
| <bug>60688</bug>: Update the internal fork of Apache Commons BCEL to |
| r1782855 to add early access Java 9 support to the annotation scanning |
| code. (markt) |
| </fix> |
| <fix> |
| <bug>60718</bug>: Improve error handling for asynchronous processing and |
| correct a number of cases where the <code>requestDestroyed()</code> |
| event was not being fired and an entry wasn't being made in the access |
| logs. (markt) |
| </fix> |
| <fix> |
| <bug>60808</bug>: Ensure that the <code>Map</code> returned by |
| <code>ServletRequest.getParameterMap()</code> is fully immutable. Based |
| on a patch provided by woosan. (markt) |
| </fix> |
| <fix> |
| <bug>60824</bug>: Correctly cache the <code>Subject</code> in the |
| session - if there is a session - when running under a |
| <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt) |
| </fix> |
| <fix> |
| Ensure request and response facades are used when firing application |
| listeners. (markt/remm) |
| </fix> |
| <fix> |
| When HTTP TRACE requests are disabled on the Connector, ensure that the |
| HTTP OPTIONS response from the WebDAV servlet does not include |
| TRACE in the returned Allow header. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that executor thread pools used with connectors pre-start the |
| configured minimum number of idle threads. (markt) |
| </fix> |
| <add> |
| <bug>60594</bug>: Allow some invalid characters that were recently |
| restricted to be processed in requests by using the system property |
| <code>tomcat.util.http.parser.HttpParser.requestTargetAllow</code>. |
| (csutherl) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Refactor code generated for JSPs to reduce the size of the code required |
| for tags. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Make the <code>accessTimeout</code> configurable in |
| <code>ClusterSingleSignOn</code>. The <code>accessTimeout</code> is used |
| as a timeout period for PING in replication map. (kfujino) |
| </add> |
| <fix> |
| <bug>60806</bug>: To avoid <code>ClassNotFoundException</code>, make |
| sure that the web application class loader is passed to |
| <code>ReplicatedContext</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>60617</bug>: Correctly create a <code>CONNECT</code> request when |
| establishing a WebSocket connection via a proxy. Patch provided by |
| Svetlin Zarev. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that <code>NoRpcChannelReply</code> messages are not received on |
| <code>RpcCallback</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>60722</bug>: Take account of the |
| <strong>dispatchersUseEncodedPaths</strong> setting on the current |
| <strong>Context</strong> when generating paths for dispatches triggered |
| by <code>AsyncContext.dispatch()</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>60620</bug>: Fix configuration of Eclipse projects, broken by |
| introduction of <code>SafeForkJoinWorkerThreadFactory</code> helper |
| class. This class cannot be built with Java 6. (kkolinko) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.12 to |
| pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg) |
| </update> |
| <add> |
| <bug>60784</bug>: Update all unit tests that test the HTTP status line |
| to check for the required space after the status code. Patch provided by |
| Michael Osipov. (markt) |
| </add> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.01. (markt) |
| </update> |
| <fix> |
| Refactor the build script and the NSIS installer script so that either |
| NSIS 2.x or NSIS 3.x can be used to build the installer. This is |
| primarily to re-enable building the installer on the Linux based CI |
| system where the combination of NSIS 3.x and wine leads to failed |
| installer builds. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.75 (violetagg)" rtext="released 2017-01-24"> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Make the <code>accessTimeout</code> configurable in |
| <code>BackupManager</code>. The <code>accessTimeout</code> is used as a |
| timeout period for PING in replication map. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Ensure the ASF logo image is correctly displayed in docs and |
| host-manager applications. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.74 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>53602</bug>: Add HTTP status code 451 (RFC 7725) to the list of |
| HTTP status codes recognised by Tomcat. (markt) |
| </add> |
| <fix> |
| Correctly handle the <code>configClass</code> attribute of a Host when |
| embedding Tomcat. (markt) |
| </fix> |
| <fix> |
| <bug>60379</bug>: Dispose of the GSS credential once it is no longer |
| required. Patch provided by Michael Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60380</bug>: Ensure that a call to |
| <code>HttpServletRequest#logout()</code> triggers a call to |
| <code>TomcatPrincipal#logout()</code>. Based on a patch by Michael |
| Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60387</bug>: Correct the javadoc for |
| <code>o.a.catalina.AccessLog.setRequestAttributesEnabled</code>. |
| The default value is different for the different implementations. |
| (violetagg) |
| </fix> |
| <scode> |
| <bug>60393</bug>: Use consistent parameter naming in implementations of |
| <code>Realm#authenticate(GSSContext, boolean)</code>. (markt) |
| </scode> |
| <fix> |
| <bug>60395</bug>: Log when an <code>Authenticator</code> passes an |
| incomplete <code>GSSContext</code> to a Realm since it indicates a bug |
| in the <code>Authenticator</code>. Patch provided by Michael Osipov. |
| (markt) |
| </fix> |
| <update> |
| Update the warnings that reference required options for running on Java |
| 9 to use the latest syntax for those options. (markt) |
| </update> |
| <fix> |
| <bug>60513</bug>: Fix thread safety issue with RMI cleanup code. (remm) |
| </fix> |
| <add> |
| <bug>60620</bug>: |
| Extend the <code>JreMemoryLeakPreventionListener</code> to provide |
| protection against <code>ForkJoinPool.commonPool()</code> related memory |
| leaks. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that the endpoint is able to unlock the acceptor thread during |
| shutdown if the endpoint is configured to listen to any local address |
| of a specific type such as <code>0.0.0.0</code> or <code>::</code>. |
| (markt) |
| </fix> |
| <fix> |
| Ensure sendfile is enabled by default for APR. (markt) |
| </fix> |
| <fix> |
| Prevent read time out when the file is deleted while serving the |
| response. The issue was observed only with APR Connector and |
| sendfile enabled. (violetagg) |
| </fix> |
| <fix> |
| Improve the logic that selects an address to use to unlock the Acceptor |
| to take account of platforms that do not listen on all local addresses |
| when configured with an address of <code>0.0.0.0</code> or |
| <code>::</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60409</bug>: When unable to complete sendfile request, ensure the |
| Processor will be added to the cache only once. (markt/violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>44294</bug>: Add support for varargs in UEL expressions. (markt) |
| </add> |
| <fix> |
| <bug>60356</bug>: Fix pre-compilation of JSPs that depend on nested tag |
| files packaged in a JAR. (markt) |
| </fix> |
| <fix> |
| <bug>60431</bug>: Improve handling of varargs in UEL expressions. Based |
| on a patch by Ben Wolfe. (markt) |
| </fix> |
| <fix> |
| <bug>60497</bug>: Restore previous tag reuse behavior following the use |
| of try/finally. (remm) |
| </fix> |
| <fix> |
| Improve the error handling for simple tags to ensure that the tag is |
| released and destroyed once used. (remm) |
| </fix> |
| <fix> |
| <bug>60497</bug>: Follow up fix using a better variable name for the |
| tag reuse flag. (remm) |
| </fix> |
| <fix> |
| Revert use of try/finally for simple tags. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct a typo in Host Configuration Reference. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <add> |
| In the documentation web application, be explicit that clustering |
| requires a secure network for all of the cluster network traffic. |
| (markt) |
| </add> |
| <update> |
| Update the ASF logos to the new versions. |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Reduce the warning logs for a message received from a different domain |
| in order to avoid excessive log outputs. (kfujino) |
| </fix> |
| <add> |
| Add a log message that a PING message has been received beyond the timeout |
| period. (kfujino) |
| </add> |
| <fix> |
| When a PING message has been received beyond the time-out period, |
| make sure that a valid member is added to the map membership. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>60437</bug>: Avoid possible handshake overflows in the websocket |
| client. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <add> |
| <bug>58816</bug>: Implement the statistics of jdbc-pool. The stats infos |
| are <code>borrowedCount</code>, <code>returnedCount</code>, |
| <code>createdCount</code>, <code>releasedCount</code>, |
| <code>reconnectedCount</code>, <code>releasedIdleCount</code> and |
| <code>removeAbandonedCount</code>. (kfujino) |
| </add> |
| <fix> |
| <bug>60194</bug>: If <code>validationQuery</code> is not specified, |
| connection validation is done by calling the <code>isValid()</code> |
| method. (kfujino) |
| </fix> |
| <fix> |
| <bug>60398</bug>: Fix testcase of <code>TestSlowQueryReport</code>. |
| (kfujino) |
| </fix> |
| <add> |
| Enable resetting the statistics without restarting the pool. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>60366</bug>: Change <code>catalina.bat</code> to use directly |
| <code>LOGGING_MANAGER</code> and <code>LOGGING_CONFIG</code> variables |
| in order to configure logging, instead of modifying |
| <code>JAVA_OPTS</code>. Patch provided by Petter Isberg. (violetagg) |
| </fix> |
| <add> |
| A new property <code>test.verbose</code> is added in order to control |
| whether the output of the tests is displayed on the console or not. |
| Patch provided by Emmanuel Bourg. (violetagg) |
| </add> |
| <update> |
| Update the ASF logos used in the Apache Tomcat installer for Windows to |
| use the new versions. |
| </update> |
| <fix> |
| Spelling corrections provided by Josh Soref. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.73 (violetagg)" rtext="released 2016-11-14"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>60117</bug>: Ensure that the name of <code>LogLevel</code> is |
| localized when using <code>OneLineFormatter</code>. Patch provided by |
| Tatsuya Bessho. (kfujino) |
| </fix> |
| <add> |
| <bug>60151</bug>: Improve the exception error messages when a |
| <code>ResourceLink</code> fails to specify the type, specifies an |
| unknown type or specifies the wrong type. (markt) |
| </add> |
| <fix> |
| <bug>60167</bug>: Ignore empty lines in <code>/etc/passwd</code> files |
| when using the <code>PasswdUserDatabase</code>. (markt) |
| </fix> |
| <fix> |
| Improve the access checks for linked global resources to handle the case |
| where the current class loader is a child of the web application class |
| loader. (markt) |
| </fix> |
| <fix> |
| <bug>60199</bug>: Log a warning if deserialization issues prevent a |
| session attribute from being loaded. (markt) |
| </fix> |
| <fix> |
| Correctly test for control characters when reading the provided shutdown |
| password. (markt) |
| </fix> |
| <fix> |
| When configuring the JMX remote listener, specify the allowed types for |
| the credentials. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>60123</bug>: Avoid potential threading issues that could cause |
| excessively large values to be returned for the processing time of |
| a current request. (markt) |
| </fix> |
| <fix> |
| <bug>60174</bug>: Log instances of <code>HeadersTooLargeException</code> |
| during request processing. (markt) |
| </fix> |
| <fix> |
| Correct the HTTP header parser so that DEL is not treated as a valid |
| token character. (markt) |
| </fix> |
| <fix> |
| <bug>60319</bug>: When using an Executor, disconnect it from the |
| Connector attributes <code>maxThreads</code>, |
| <code>minSpareThreads</code> and <code>threadPriority</code> to enable |
| the configuration settings to be consistently reported. These Connector |
| attributes will be reported as <code>-1</code> when an Executor is in |
| use. The values used by the executor may be set and obtained via the |
| Executor. (markt) |
| </fix> |
| <fix> |
| If an I/O error occurs during async processing on a non-container |
| thread, ensure that the <code>onError()</code> event is triggered. |
| (markt) |
| </fix> |
| <fix> |
| Improve detection of I/O errors during async processing on non-container |
| threads and trigger async error handling when they are detected. (markt) |
| </fix> |
| <add> |
| Add additional checks for valid characters to the HTTP request line |
| parsing so invalid request lines are rejected sooner. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Add an example of using the <code>classesToInitialize</code> attribute |
| of the <code>JreMemoryLeakPreventionListener</code> to the documentation |
| web application. Based on a patch by Cris Berneburg. (markt) |
| </add> |
| <fix> |
| <bug>60192</bug>: Correct a typo in the status output of the Manager |
| application. Patch provided by Radhakrishna Pemmasani. (markt) |
| </fix> |
| <fix> |
| Correct a typo in HTTP Connector How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| Fix default value of <code>validationInterval</code> attribute in |
| jdbc-pool. (kfujino) |
| </fix> |
| <fix> |
| Correct a typo in CGI How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| <bug>60344</bug>: Add a note to BUILDING.txt regarding using the source |
| bundle with the correct line endings. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| When the proxy node sends a backup retrieve message, ensure that |
| the <code>channelSendOptions</code> that has been set is used rather than the |
| default <code>channelSendOptions</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>60099</bug>: Ensure that all method arguments are used as a cache key |
| when using <code>StatementCache</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>60139</bug>: Correct Javadocs for |
| <code>PoolConfiguration.getValidationInterval</code> and |
| <code>setValidationInterval</code>. Reported by Phillip Webb. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Add documentation to the bin/catalina.bat script to remind users that |
| environment variables don't affect the configuration of Tomcat when |
| run as a Windows Service. Based upon a documentation patch by |
| James H.H. Lampert. (schultz) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.72 (violetagg)" rtext="released 2016-09-19"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Ensure <code>Digester.useContextClassLoader</code> is considered in |
| case the class loader is used. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60101</bug>: Remove preloading of the class that was deleted. |
| (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Notify JMX when returning a connection that has been marked suspect. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the <code>POOL_EMPTY</code> notification has been added to |
| the JMX notification types. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.10 to |
| pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt) |
| </update> |
| <update> |
| <bug>61599</bug>: Update to Commons Daemon 1.1.0 for improved Java 9 |
| support. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.71 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>57705</bug>: Add debug logging for requests denied by the remote |
| host and remote address valves and filters. Based on a patch by Graham |
| Leggett. (markt) |
| </fix> |
| <update> |
| Change the default of the |
| <code>sessionCookiePathUsesTrailingSlash</code> attribute of the |
| <code>Context</code> element to <code>false</code> since the problems |
| caused when a Servlet is mapped to <code>/*</code> are more significant |
| than the security risk of not enabling this option by default. (markt) |
| </update> |
| <fix> |
| <bug>59708</bug>: Modify the LockOutRealm logic. Valid authentication |
| attempts during the lock out period will no longer reset the lock out |
| timer to zero. (markt) |
| </fix> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| Ensure that reading the <code>singleThreadModel</code> attribute of a |
| <code>StandardWrapper</code> via JMX does not trigger initialisation of |
| the associated servlet. With some frameworks this can trigger an |
| unexpected initialisation thread and if initialisation is not thread-safe |
| the initialisation can then fail. (markt) |
| </fix> |
| <fix> |
| By default, treat paths used to obtain a request dispatcher as encoded. |
| This behaviour can be changed per web application via the |
| <code>dispatchersUseEncodedPaths</code> attribute of the Context. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59839</bug>: Apply <code>roleSearchAsUser</code> to all nested searches |
| in JNDIRealm. (fschumacher) |
| </fix> |
| <add> |
| Provide a mechanism that enables the container to check if a component |
| (typically a web application) has been granted a given permission when |
| running under a SecurityManager without the current execution stack |
| having to have passed through the component. Use this new mechanism to |
| extend SecurityManager protection to the system property replacement |
| feature of the digester. (markt) |
| </add> |
| <add> |
| When retrieving an object via a <code>ResourceLink</code>, ensure that |
| the object obtained is of the expected type. (markt) |
| </add> |
| <fix> |
| <bug>59866</bug>: When scanning <code>WEB-INF/classes</code> for |
| annotations, don't scan the contents of |
| <code>WEB-INF/classes/META-INF</code> (if present) since classes will |
| never be loaded from that location. (markt) |
| </fix> |
| <fix> |
| <bug>59912</bug>: Fix an edge case in input stream handling where an |
| <code>IOException</code> could be thrown when reading a POST body. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59966</bug>: Do not start the web application if the error page |
| configuration in web.xml is invalid. (markt) |
| </fix> |
| <fix> |
| Switch the CGI servlet to the standard logging mechanism and remove |
| support for the debug attribute. (markt) |
| </fix> |
| <add> |
| Add a new initialisation parameter, <code>envHttpHeaders</code>, to |
| the CGI Servlet to mitigate <a href="https://httpoxy.org">httpoxy</a> |
| (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388" |
| >CVE-2016-5388</a>) by default and to provide a mechanism that can be |
| used to mitigate any future, similar issues. (markt) |
| </add> |
| <add> |
| When adding and removing <code>ResourceLink</code>s dynamically, ensure |
| that the global resource is only visible via the |
| <code>ResourceLinkFactory</code> when it is meant to be. (markt) |
| </add> |
| <fix> |
| <bug>60008</bug>: When processing CORS requests, treat any origin with a |
| URI scheme of <code>file</code> as a valid origin. (markt) |
| </fix> |
| <fix> |
| Improve handling of exceptions during Lifecycle events triggered by a |
| state transition. The exception is now caught and the component is now |
| placed into the <code>FAILED</code> state. (markt) |
| </fix> |
| <fix> |
| Fix a file descriptor leak when reading the global web.xml. (markt) |
| </fix> |
| <fix> |
| <bug>60041</bug>: Better error message if a JAR is deleted while a web |
| application is running. Note: Deleting a JAR while the application is |
| running is not supported and errors are expected. Based on a patch by |
| gehui. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| <bug>59904</bug>: Add a limit (default 200) for the number of cookies |
| allowed per request. Based on a patch by gehui. (markt) |
| </fix> |
| <fix> |
| Make timing attacks against the Realm implementations harder. (schultz) |
| </fix> |
| <add> |
| Refactor the code that implements the requirement that a call to |
| <code>complete()</code> or <code>dispatch()</code> made from a |
| non-container thread before the container initiated thread that called |
| <code>startAsync()</code> completes must be delayed until the container |
| initiated thread has completed. Rather than implementing this by |
| blocking the non-container thread, extend the internal state machine to |
| track this. This removes the possibility that blocking the non-container |
| thread could trigger a deadlock. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| Improve the error handling for custom tags to ensure that the tag is |
| returned to the pool or released and destroyed once used. (markt) |
| </fix> |
| <fix> |
| Fixed StringIndexOutOfBoundsException. Based on a patch provided by |
| wuwen via Github. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| <bug>59868</bug>: Clarify the documentation for the Manager web |
| application to make clearer that the host name and IP address in the |
| server section are the primary host name and IP address. (markt) |
| </fix> |
| <fix> |
| <bug>59908</bug>: Ensure that a reason phrase is included in the close |
| message if a session is closed due to a timeout. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| Do not log an additional case of <code>IOException</code>s in the |
| error handler for the Drawboard WebSocket example when the root cause is |
| the client disconnecting since the logs add no value. (markt) |
| </fix> |
| <fix> |
| <bug>59642</bug>: Mention the <code>localDataSource</code> in the |
| <code>DataSourceRealm</code> section of the Realm How-To. (markt) |
| </fix> |
| <fix> |
| Follow-up to the fix for <bug>59399</bug>. Ensure that the new attribute |
| <code>transportGuaranteeRedirectStatus</code> is documented for all |
| <strong>Realm</strong>s. Also document the <code>NullRealm</code> and |
| when it is automatically created for an <strong>Engine</strong>. (markt) |
| </fix> |
| <fix> |
| MBeans Descriptors How-To is moved to |
| <code>mbeans-descriptors-howto.html</code>. Patch provided by Radoslav |
| Husar. (violetagg) |
| </fix> |
| <fix> |
| <bug>60034</bug>: Correct a typo in the Manager How-To page of the |
| documentation web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add log message when the ping has timed-out. (kfujino) |
| </add> |
| <fix> |
| If the ping message has been received at the |
| <code>AbstractReplicatedMap#leftOver</code> method, ensure that it notifies |
| that the member is alive rather than ignoring it. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix the duplicated connection release when connection verification |
| failed. (kfujino) |
| </fix> |
| <fix> |
| Ensure that an abandoned connection that has already been released is |
| not removed. (kfujino) |
| </fix> |
| <fix> |
| In order to avoid the unintended skip of <code>PoolCleaner</code>, |
| remove the check code of the execution interval in the task that has |
| been scheduled. (kfujino) |
| </fix> |
| <fix> |
| <bug>59849</bug>: Ensure that the connection verification is executed by |
| <code>initSQL</code> (if required) if the borrowing |
| <code>PooledConnection</code> has not been initialized. (kfujino) |
| </fix> |
| <fix> |
| <bug>59850</bug>: Ensure that the <code>ResultSet</code> is closed when |
| enabling the <code>StatementCache</code> interceptor. (kfujino) |
| </fix> |
| <fix> |
| <bug>59923</bug>: Reduce the default value of |
| <code>validationInterval</code> in order to avoid the potential issue of |
| continuing to return an invalid connection after a database restart. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the <code>ResultSet</code> is returned as a Proxy object when |
| enabling the <code>StatementDecoratorInterceptor</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>60043</bug>: Ensure that the <code>suspectTimeout</code> works |
| without removing connection when the <code>removeAbandoned</code> is |
| disabled. (kfujino) |
| </fix> |
| <fix> |
| Add a log message when returning a connection that has been marked |
| suspect. (kfujino) |
| </fix> |
| <fix> |
| Correct Javadoc for <code>ConnectionPool.suspect()</code>. Based on a |
| patch by Yahya Cahyadi. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Use the mirror network rather than the ASF master site to download the |
| current ASF dependencies. (markt) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.8 to |
| pick up the latest fixes and make 1.2.8 the minimum recommended version. |
| (markt) |
| </update> |
| <fix> |
| Fixed typos in mbeans-descriptors.xml files. (violetagg) |
| </fix> |
| <update> |
| Update the internal fork of Commons BCEL to r1757132 to align with the |
| BCEL 6 release. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to r1757174. Code formatting |
| changes only. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons FileUpload to afdedc9. This pulls in |
| a fix to improve the performance with large multipart boundaries. |
| (markt) |
| </update> |
| <fix> |
| Update the download location for Objenesis. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.70 (violetagg)" rtext="released 2016-06-20"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>59219</bug>: Ensure <code>AsyncListener.onError()</code> is called |
| if an <code>Exception</code> is thrown during async processing. (markt) |
| </fix> |
| <fix> |
| <bug>59220</bug>: Ensure that <code>AsyncListener.onComplete()</code> is |
| called if the async request times out and the response is already |
| committed. (markt) |
| </fix> |
| <fix> |
| <bug>59261</bug>: <code>ServletRequest.getAsyncContext()</code> now |
| throws an <code>IllegalStateException</code> as required by the Servlet |
| specification if the request is not in asynchronous mode when called. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59310</bug>: Do not add a <code>Content-Length: 0</code> header for |
| custom responses to <code>HEAD</code> requests that do not set a |
| <code>Content-Length</code> value. (markt) |
| </fix> |
| <fix> |
| When normalizing paths, improve the handling when paths end with |
| <code>/.</code> or <code>/..</code> and ensure that input and output are |
| consistent with respect to whether or not they end with <code>/</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59317</bug>: Ensure that |
| <code>HttpServletRequest.getRequestURI()</code> returns an encoded URI |
| rather than a decoded URI after a dispatch. (markt) |
| </fix> |
| <fix> |
| Ensure that the value for the header <code>X-Frame-Options</code> is |
| constructed correctly according to the specification when |
| <code>ALLOW-FROM</code> option is used. (violetagg) |
| </fix> |
| <add> |
| <bug>59399</bug>: Add a new option to the Realm implementations that |
| ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS |
| redirects to be controlled per Realm. (markt) |
| </add> |
| <fix> |
| <bug>59449</bug>: In <code>ContainerBase</code>, ensure that the process |
| to remove a child container is the reverse of the process to add one. |
| Patch provided by Huxing Zhang. (markt) |
| </fix> |
| <fix> |
| RMI Target related memory leaks are avoidable which makes them an |
| application bug that needs to be fixed rather than a JRE bug to work |
| around. Therefore, start logging RMI Target related memory leaks on web |
| application stop. Add an option that controls if the check for these |
| leaks is made. Log a warning if running on Java 9 with this check |
| enabled but without the command line option it requires. (markt) |
| </fix> |
| <fix> |
| Fix a potential concurrency issue with the web application class loader |
| and concurrent reads and writes of the resource cache. (markt) |
| </fix> |
| <fix> |
| <bug>59619</bug>: Within the web application class loader, always use |
| path as the key for the resource cache to improve the hit ratio. This |
| also fixes a problem exposed by the fix for <bug>56777</bug> that |
| enabled file based configuration resources to be loaded from the class |
| path. (markt) |
| </fix> |
| <fix> |
| Fix the error message when failing to register an MBean. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>58970</bug>: Fix a connection counting bug in the NIO connector |
| that meant some dropped connections were not removed from the current |
| connection count. (markt) |
| </fix> |
| <fix> |
| <bug>59289</bug>: Do not recycle upgrade processors in unexpected close |
| situations. (remm) |
| </fix> |
| <fix> |
| Ensure that requests with HTTP method names that are not tokens (as |
| required by RFC 7231) are rejected with a 400 response. (markt) |
| </fix> |
| <fix> |
| When an asynchronous request is processed by the AJP connector, ensure |
| that request processing has fully completed before starting the next |
| request. (markt) |
| </fix> |
| <fix> |
| If an async dispatch results in the completion of request processing, |
| ensure that any remaining request body is swallowed before starting the |
| processing of the next request else the remaining body may be read as the |
| start of the next request leading to a 400 response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Fix a memory leak in the expression language implementation that caused |
| the class loader of the first web application to use expressions to be |
| pinned in memory. (markt) |
| </fix> |
| <fix> |
| <bug>59654</bug>: Enforce the requirements of section 7.3.1 of the JSP |
| specification regarding the permitted locations for TLD files. Patch |
| provided by Huxing Zhang. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Ensure that a client disconnection triggers the error handling for the |
| associated WebSocket end point. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| Correct a typo in SSL/TLS Configuration How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| <bug>58891</bug>: Update the SSL how-to. Based on a suggestion by |
| Alexander Kjäll. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Fix potential NPE that depends on the setting order of attributes of |
| static member when using the static cluster. (kfujino) |
| </fix> |
| <add> |
| Add get/set method for the channel that is related to |
| <code>ChannelInterceptorBase</code>. (kfujino) |
| </add> |
| <fix> |
| As with the multicast cluster environment, in the static cluster |
| environment, the local member inherits properties from the cluster |
| receiver. (kfujino) |
| </fix> |
| <add> |
| Add get/set method for the channel that is related to each Channel |
| services. (kfujino) |
| </add> |
| <add> |
| Add name to channel in order to identify channels. In a Tomcat cluster |
| environment, the default value is the cluster name + "-Channel". |
| (kfujino) |
| </add> |
| <add> |
| Add the channel name to the thread which is invoked by channel services |
| in order to identify the associated channel. (kfujino) |
| </add> |
| <fix> |
| Ensure that the channel instance is cleared from channel services when |
| stopping the channel. (kfujino) |
| </fix> |
| <add> |
| Implement map state in the replication map. (kfujino) |
| </add> |
| <fix> |
| Ensure that the ping is not executed during the start/stop of the |
| replication map. (kfujino) |
| </fix> |
| <fix> |
| In ping processing in the replication map, send not the |
| <code>INIT</code> message but the newly introduced <code>PING</code> |
| message. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix a memory leak with the pool cleaner thread that retained a reference |
| to the web application class loader for the first web application to use |
| a connection pool. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.7 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2h and APR |
| 1.5.2. (violetagg/markt) |
| </update> |
| <update> |
| Remove native code (Windows Service Wrapper, APR/native connector) |
| support for Windows Itanium. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus |
| additional fixes). (markt) |
| </update> |
| <fix> |
| <bug>58626</bug>: Add support for a new environment variable |
| (<code>USE_NOHUP</code>) that causes <code>nohup</code> to be used when |
| starting Tomcat. It is disabled by default except on HP-UX where it is |
| enabled by default since it is required when starting Tomcat at boot on |
| HP-UX. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.69 (violetagg)" rtext="released 2016-04-15"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Fix the type of <code>InstanceManager</code> attribute of mbean |
| definition of <code>StandardContext</code>. (kfujino) |
| </fix> |
| <add> |
| <bug>58351</bug>: Make the server build date and server version number |
| accessible via JMX. Patch provided by Huxing Zhang. (markt) |
| </add> |
| <fix> |
| <bug>59001</bug>: Correctly handle the case when Tomcat is installed on |
| a path where one of the segments ends in an exclamation mark. (markt) |
| </fix> |
| <fix> |
| Expand the fix for <bug>59001</bug> to cover the special sequences used |
| in Tomcat's custom jar:war: URLs. (markt) |
| </fix> |
| <fix> |
| <bug>59043</bug>: Avoid warning while expiring sessions associated with |
| a single sign on if <code>HttpServletRequest.logout()</code> is used. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59054</bug>: Ensure that using the |
| <code>CrawlerSessionManagerValve</code> in a distributed environment |
| does not trigger an error when the Valve registers itself in the |
| session. (markt) |
| </fix> |
| <add> |
| Log a warning message if a user tries to configure the default session |
| timeout via the deprecated (and ignored) |
| <code>Manager.setMaxInactiveInterval()</code> method. (markt) |
| </add> |
| <fix> |
| Correct a regression introduced in 7.0.68 where the deprecated |
| <code>Manager.getMaxInactiveInterval()</code> method returned the |
| current default session timeout in minutes rather than seconds. (markt) |
| </fix> |
| <fix> |
| When a Host is configured with an appBase that does not exist, create |
| the appBase before trying to expand an external WAR file into it. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59115</bug>: When using the Servlet 3.0 file upload, the submitted |
| file name may be provided as a token or a quoted-string. If a |
| quoted-string, unquote the string before returning it to the user. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59123</bug>: Close <code>NamingEnumeration</code> objects used by |
| the <code>JNDIRealm</code> once they are no longer required. |
| (fschumacher/markt) |
| </fix> |
| <fix> |
| <bug>59138</bug>: Correct a false positive warning for ThreadLocal |
| related memory leaks when the key class but not the value class has been |
| loaded by the web application class loader. (markt) |
| </fix> |
| <fix> |
| <bug>59145</bug>: Don't log an invalid warning when a user logs out of |
| a session associated with SSO. (markt) |
| </fix> |
| <fix> |
| <bug>59151</bug>: Fix a regression in the fix for <bug>56917</bug> that |
| added additional (and arguably unnecessary) validation to the provided |
| redirect location. (markt) |
| </fix> |
| <fix> |
| <bug>59206</bug>: Ensure NPE will not be thrown by |
| <code>o.a.tomcat.util.file.ConfigFileLoader</code> when |
| <code>catalina.base</code> is not specified. (violetagg) |
| </fix> |
| <fix> |
| <bug>59213</bug>: Async dispatches should be based off a wrapped request. |
| (remm) |
| </fix> |
| <fix> |
| <bug>59217</bug>: Remove duplication in the recycling of the path in |
| <code>o.a.tomcat.util.http.ServerCookie</code>. Patch is provided by |
| Kyohei Nakamura. (violetagg) |
| </fix> |
| <fix> |
| Ensure that <code>javax.servlet.ServletRequest</code> and |
| <code>javax.servlet.ServletResponse</code> provided during |
| <code>javax.servlet.AsyncListener</code> registration are made |
| available via <code>javax.servlet.AsyncEvent.getSuppliedRequest</code> |
| and <code>javax.servlet.AsyncEvent.getSuppliedResponse</code>. |
| (violetagg) |
| </fix> |
| <fix> |
| Clarify the log message that specifying both urlPatterns and value |
| attributes in WebServlet and WebFilter annotations is not allowed. |
| (violetagg) |
| </fix> |
| <fix> |
| Ensure the exceptions caused by Valves will be available in the log |
| files so that they can be evaluated when |
| <code>o.a.catalina.valves.ErrorReportValve.showReport</code> is |
| disabled. Patch is provided by Svetlin Zarev. (violetagg) |
| </fix> |
| <fix> |
| <bug>59247</bug>: Preload ResourceEntry as a workaround for security |
| manager issues on some JVMs. (kkolinko/remm) |
| </fix> |
| <fix> |
| <bug>59269</bug>: Correct the implementation of |
| <code>PersistentManagerBase</code> so that <code>minIdleSwap</code> |
| functions as designed and sessions are swapped out to keep the active |
| session count below <code>maxActiveSessions</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>58646</bug>: Correct a problem with sendfile that resulted in a |
| Processor being added to the cache twice leading to broken responses. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59015</bug>: Fix potential cause of endless APR Poller loop during |
| shutdown if the Poller experiences an error during the shutdown process. |
| (markt) |
| </fix> |
| <fix> |
| Limit the default TLS ciphers for JSSE (BIO, NIO) and OpenSSL (APR) to |
| those currently considered secure. (markt) |
| </fix> |
| <add> |
| Add a new environment variable <code>JSSE_OPTS</code> that is intended |
| to be used to pass JVM wide configuration to the JSSE implementation. |
| The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code> |
| which protects against weak Diffie-Hellman keys. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>59014</bug>: Ensure that a WebSocket close message can be sent |
| after a close message has been received. (markt) |
| </fix> |
| <fix> |
| Correctly handle compression of partial messages when the final message |
| fragment has a zero length payload. (markt) |
| </fix> |
| <add> |
| Extend the WebSocket programmatic echo endpoint provided in the examples |
| to handle binary messages and also partial messages. This aligns the |
| code with Tomcat 8 and makes it easier to run the Autobahn testsuite |
| against the WebSocket implementation. (markt) |
| </add> |
| <fix> |
| <bug>59119</bug>: Correct read logic for WebSocket client when using |
| secure connections. (markt) |
| </fix> |
| <fix> |
| <bug>59134</bug>: Correct client connect logic for secure connections |
| made through a proxy. (markt) |
| </fix> |
| <fix> |
| <bug>59189</bug>: Explicitly release the native memory held by the |
| <code>Inflater</code> and <code>Deflater</code> when using |
| PerMessageDeflate and the WebSocket session ends. Based on a patch by |
| Henrik Olsson. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| Correct the description of the |
| <code>ServletRequest.getServerPort()</code> in Proxy How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| Fix a potential indefinite wait in the Comet Chat servlet in the |
| examples web application. (markt) |
| </fix> |
| <fix> |
| <bug>59229</bug>: Fix error in HTTP docs and make clear that the HTTP NIO |
| connector uses non-blocking I/O to read the HTTP request headers. |
| (markt) |
| </fix> |
| <fix> |
| Update in the documentation the link to the maven repository where |
| Tomcat snapshot artifacts are deployed. (markt/violetagg) |
| </fix> |
| <fix> |
| Clarify in the documentation that calls to |
| <code>ServletContext.log(String, Throwable)</code> or |
| <code>GenericServlet.log(String, Throwable)</code> are logged at the |
| SEVERE level. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| If promoting a proxy node to a primary node when getting a session, |
| notify the change of the new primary node to the original backup node. |
| (kfujino) |
| </fix> |
| <fix> |
| Avoid NPE when a proxy node failed to retrieve a backup entry. (kfujino) |
| </fix> |
| <add> |
| Add a log message when an unexpected message is received. (kfujino) |
| </add> |
| <add> |
| Add the flag indicating that member is a localMember. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>58283</bug>: Change the default download location for libraries |
| during the build process from <code>/usr/share/java</code> to |
| <code>${user.home}/tomcat-build-libs</code>. Patch provided by |
| Ahmed Hosni. (markt) |
| </fix> |
| <fix> |
| <bug>59031</bug>: When using the Windows uninstaller, do not remove the |
| contents of any directories that have been symlinked into the Tomcat |
| directory structure. (markt) |
| </fix> |
| <update> |
| Modify the default <code>tomcat-users.xml</code> file to make it harder |
| for users to configure the entries intended for use with the examples |
| web application for the Manager application. (markt) |
| </update> |
| <fix> |
| <bug>59211</bug>: Add hamcrest to Eclipse classpath. Patch is provided |
| by Huxing Zhang. (violetagg) |
| </fix> |
| <update> |
| <bug>59280</bug>: Update the NSIS Installer used to build the |
| Windows Installers to version 2.51. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.68 (violetagg)" rtext="released 2016-02-16"> |
| <subsection name="General"> |
| <changelog> |
| <add> |
| Allow multiple JUnit test class patterns to be configured with the build |
| property <code>test.name</code> and document the property in |
| BUILDING.txt. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct implementation of |
| <code>validateClientProvidedNewSessionId</code> so client provided |
| session IDs may be rejected if validation is enabled. (markt) |
| </fix> |
| <fix> |
| <bug>56785</bug>: Avoid <code>NullPointerException</code> if directory |
| exists on the class path that is not readable by the Tomcat user. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>57906</bug>: Suppress WebappClassLoader log messages when running |
| with a security manager on Java 6, caused by |
| <code>java.beans.Introspector.findExplicitBeanInfo()</code> calls |
| during evaluation of EL expressions. (kkolinko) |
| </fix> |
| <fix> |
| <bug>58692</bug>: Make <code>StandardJarScanner</code> more robust. Log |
| a warning if a class path entry cannot be scanned rather than triggering |
| the failure of the web application. (markt) |
| </fix> |
| <fix> |
| <bug>58701</bug>: Reset the <code>instanceInitialized</code> field in |
| <code>StandardWrapper</code> when unloading a Servlet so that a new |
| instance may be correctly initialized. (markt) |
| </fix> |
| <fix> |
| <bug>58702</bug>: Ensure an access log entry is generated if the client |
| aborts the connection. (markt) |
| </fix> |
| <fix> |
| Fixed various issues reported by Findbugs. (violetagg) |
| </fix> |
| <fix> |
| <bug>58735</bug>: Add support for the <code>X-XSS-Protection</code> |
| header to the <code>HttpHeaderSecurityFilter</code>. Patch provided by |
| Jacopo Cappellato. (markt) |
| </fix> |
| <fix> |
| <bug>58751</bug>: Correctly handle the case where an |
| <code>AsyncListener</code> dispatches to a Servlet on an asynchronous |
| timeout and the Servlet uses <code>sendError()</code> to trigger an |
| error page. Includes a test case based on code provided by Andy |
| Wilkinson. (markt) |
| </fix> |
| <fix> |
| <bug>58765</bug>: Change default for |
| <code>mapperContextRootRedirectEnabled</code> to <code>true</code> since |
| this is required for correct session management because of the default |
| for <code>sessionCookiePathUsesTrailingSlash</code>. (markt) |
| </fix> |
| <fix> |
| Add the <code>StatusManagerServlet</code> to the list of Servlets that |
| can only be loaded by privileged applications. (markt) |
| </fix> |
| <fix> |
| Simplify code and fix messages in |
| <code>org.apache.catalina.core.DefaultInstanceManager</code> class. |
| (kkolinko) |
| </fix> |
| <fix> |
| Ensure that the proper file encoding, if specified, is used when |
| a readme file is served by DefaultServlet. (violetagg) |
| </fix> |
| <fix> |
| Fix declaration of <code>localPort</code> attribute of Connector MBean: |
| it is read-only. (kkolinko) |
| </fix> |
| <fix> |
| <bug>58766</bug>: Make skipping non-class files during annotation |
| scanning faster by checking the file name first. Improve debug logging. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>58768</bug>: Log a warning if a redirect fails because of an |
| invalid location. (markt) |
| </fix> |
| <fix> |
| <bug>58836</bug>: Correctly merge query string parameters when |
| processing a forwarded request where the target includes a query string |
| that contains a parameter with no value. (markt/kkolinko) |
| </fix> |
| <fix> |
| Make sure that shared Digester is reset in an unlikely error case |
| in <code>HostConfig.deployWAR()</code>. (kkolinko) |
| </fix> |
| <fix> |
| Fix a potential JDBC resource leak in DataSourceRealm. (schultz) |
| </fix> |
| <fix> |
| <bug>58900</bug>: Correctly undeploy symlinked resources and prevent an |
| infinite cycle of deploy / undeploy. (markt) |
| </fix> |
| <fix> |
| Protect initialization of <code>ResourceLinkFactory</code> when |
| running with a SecurityManager. (kkolinko) |
| </fix> |
| <add> |
| Extend the feature available in the cluster session manager |
| implementations that enables session attribute replication to be |
| filtered based on attribute name to all session manager implementations. |
| Note that the configuration attribute name has changed from |
| <code>sessionAttributeFilter</code> to |
| <code>sessionAttributeNameFilter</code>. Apply the filter on load as |
| well as unload to ensure that configuration changes made while the web |
| application is stopped are applied to any persisted data. (markt) |
| </add> |
| <add> |
| Extend the session attribute filtering options to include filtering |
| based on the implementation class of the value and optional |
| <code>WARN</code> level logging if an attribute is filtered. These |
| options are available for all of the Manager implementations that ship |
| with Tomcat. When a <code>SecurityManager</code> is used filtering will |
| be enabled by default. (markt) |
| </add> |
| <fix> |
| <bug>58905</bug>: Ensure that <code>Tomcat.silence()</code> silences the |
| correct logger and respects the current setting. (markt) |
| </fix> |
| <fix> |
| <bug>58946</bug>: Ensure that the request parameter map remains |
| immutable when processing via a RequestDispatcher. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| New configuration option <code>ajpFlush</code> for the AJP connectors |
| to disable the sending of AJP flush packets. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Fix handling of missing messages in |
| <code>org.apache.el.util.MessageFactory</code>. (violetagg) |
| </fix> |
| <fix> |
| Ignore <code>engineOptionsClass</code> and <code>scratchdir</code> when |
| running under a security manager. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| To prevent the heartbeat thread and the background thread from running |
| <code>Channel.heartbeat</code> simultaneously, ensure that the heartbeat |
| thread does not start if <code>heartbeatBackgroundEnabled</code> of |
| <code>SimpleTcpCluster</code> is set to <code>true</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57489</bug>: Ensure <code>onClose()</code> is called when a |
| WebSocket connection is closed even if the sending of the close message |
| fails. Includes test cases by Barry Coughlan. (markt) |
| </fix> |
| <fix> |
| Fix a timing issue on session close that could result in an exception |
| being thrown for an incomplete message even though the message was |
| completed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| Correct some typos in the JNDI resources How-To. (markt) |
| </fix> |
| <fix> |
| Don't create sessions unnecessarily in the Manager application. (markt) |
| </fix> |
| <fix> |
| Don't create sessions unnecessarily in the Host Manager application. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58723</bug>: Clarify documentation and error messages for the text |
| interface of the manager to make clear that version must be used with |
| path when referencing contexts deployed using parallel deployment. |
| (markt) |
| </fix> |
| <fix> |
| Correct an error in the documentation of the expected behaviour for |
| automatic deployment. If a WAR is updated and an expanded directory is |
| present, the directory will always be deleted and recreated by expanding |
| the WAR if <code>unpackWARs</code> is <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58935</bug>: Remove incorrect references in the documentation to |
| using <code>jar:file:</code> URLs with the Manager application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Add support for the startup notification of local members in the static |
| cluster. (kfujino) |
| </fix> |
| <fix> |
| Ignore the unnecessary member remove operation from a different domain. |
| (kfujino) |
| </fix> |
| <fix> |
| Add support for the shutdown notification of local members in the static |
| cluster. (kfujino) |
| </fix> |
| <fix> |
| Ensure that asynchronous session replication thread is a daemon thread. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the NSIS Installer used to build the Windows Installers to |
| version 2.50. (markt/kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.67 (violetagg)" rtext="released 2015-12-10"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>56917</bug>: As per RFC7231 (HTTP/1.1), allow HTTP/1.1 and later |
| redirects to use relative URIs. This is controlled by a new attribute |
| <code>useRelativeRedirects</code> on the <strong>Context</strong> and |
| defaults to <code>true</code>. (markt) |
| </add> |
| <fix> |
| <bug>58660</bug>: Correct a regression in 7.0.66 caused by the change |
| that moved the redirection for context roots from the Mapper to the |
| Default Servlet. (markt) |
| </fix> |
| <fix> |
| Fixed potential NPE in <code>HostConfig</code> while deploying an |
| application. Issue reported by coverity scan. (violetagg) |
| </fix> |
| <fix> |
| <bug>58655</bug>: Fix an <code>IllegalStateException</code> when |
| calling <code>HttpServletResponse.sendRedirect()</code> with the |
| <code>RemoteIpFilter</code>. This was caused by trying to correctly |
| generate the absolute URI for the redirect. With the fix for |
| <bug>56917</bug>, redirects may now be relative making the |
| <code>sendRedirect()</code> implementation for the |
| <code>RemoteIpFilter</code> much simpler. This also addresses issues |
| where the redirect may not have behaved as expected when redirecting |
| from http to https or from https to http. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>58658</bug>: Correct a regression in 7.0.66 that prevented Tomcat |
| from starting on Java 6 unless the WebSocket JARs (that require Java 7) |
| were removed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <add> |
| Add a description of the default value of |
| <code>heartbeatSleeptime</code> attribute and <code>optionCheck</code> |
| attribute in the cluster channel docs. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Fix potential NPE in <code>AbstractReplicatedMap.breakdown()</code>. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.66 (violetagg)" rtext="not released"> |
| <subsection name="General"> |
| <changelog> |
| <update> |
| <bug>58596</bug>: Clarify the description in RUNNING.txt of how |
| environment variables are used. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>34319</bug>: Only load those keys in <code>StoreBase.processExpire</code> |
| from JDBCStore that are old enough to be expired. Based on a patch |
| by Tom Anderson. (fschumacher) |
| </fix> |
| <fix> |
| <bug>56777</bug>: Allow file based configuration resources (user |
| database, certificate revocation lists, keystores and trust stores) to |
| be configured using URLs as well as files. Back-port provided by Huxing |
| Zhang. (markt/violetagg) |
| </fix> |
| <add> |
| <bug>57741</bug>: Enable the CGI servlet to use the standard error page |
| mechanism. Note that if the CGI servlet's debug init parameter is |
| set to 10 or higher then the standard error page mechanism will be |
| bypassed and a debug response generated by the CGI servlet will be |
| returned instead. (markt) |
| </add> |
| <add> |
| <bug>58486</bug>: Protect against two further possible memory leaks |
| associated with XML parsing. (markt) |
| </add> |
| <scode> |
| <bug>58497</bug>: Make <code>AbstractHttp11Processor</code> easy to |
| extend. (markt) |
| </scode> |
| <fix> |
| <bug>58508</bug>: Escape role names when generating associated MBeans in |
| case the role name contains characters not permitted in an MBean name. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58522</bug>: Fixed concurrency issue when iterating web |
| application's resources. (violetagg) |
| </fix> |
| <fix> |
| <bug>58534</bug>: Removed repeated conditional tests in |
| <code>o.a.tomcat.websocket.pojo.PojoMethodMapping</code> and |
| <code>o.a.tomcat.util.net.AprEndpoint</code>. |
| Patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58535</bug>: Use <code>Collections.reverseOrder</code> |
| when a reverse ordering is needed. (violetagg) |
| </fix> |
| <fix> |
| <bug>58537</bug>: Some of the inner classes in |
| <code>o.a.catalina.valves.ExtendedAccessLogValve</code> are made static. |
| Patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58540</bug>: Removed unused code from |
| <code>o.a.catalina.connector.Request</code>. |
| Patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58541</bug>, <bug>58544</bug>: It is more efficient to call |
| <code>Integer.toString(int)</code> instead of |
| <code>Integer.valueOf(int).toString()</code> when only a string |
| representation of a primitive is needed. Based on a patch provided by |
| Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58541</bug>, <bug>58547</bug>: It is more efficient to call |
| <code>valueOf(...)</code> instead of Number constructor. Based on a |
| patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58545</bug>: In some use cases it is more efficient to use |
| <code>Map.entrySet()</code> instead of <code>Map.keySet()</code>. |
| Based on a patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <add> |
| Add a new RestCsrfPreventionFilter that provides basic CSRF protection |
| for REST APIs. (violetagg) |
| </add> |
| <fix> |
| <bug>58581</bug>: If a custom error page fails, fall back to the |
| standard error page rather than throwing an NPE. Based on a patch by |
| Huxing Zhang. (markt) |
| </fix> |
| <fix> |
| <bug>58582</bug>: Combined realm should perform background processing |
| on its sub-realms. Based upon a patch provided by Aidan. (kkolinko) |
| </fix> |
| <fix> |
| Handle the unlikely case where different versions of a web application |
| are deployed with different session settings. (markt) |
| </fix> |
| <add> |
| Add a new Context option, enabled by default, that enables an additional |
| check that a client provided session ID is in use in at least one other |
| web application before allowing it to be used as the ID for a new |
| session in the current web application. (markt) |
| </add> |
| <add> |
| Add support for DIGEST authentication to the JNDIRealm. Based on a patch |
| by Alexis Hassler. (markt) |
| </add> |
| <fix> |
| <bug>58603</bug>: Ensure that |
| <code>HttpServletRequest.getRequestURL()</code> returns the correct |
| value when using the <code>RemoteIpFilter</code>. (markt) |
| </fix> |
| <fix> |
| Ensure that in an embedded Tomcat the logging configuration is |
| not lost during garbage collection. (violetagg) |
| </fix> |
| <add> |
| Move the functionality that provides redirects for context roots and |
| directories where a trailing <code>/</code> is added from the Mapper to |
| the <code>DefaultServlet</code>. This enables such requests to be |
| processed by any configured Valves and Filters before the redirect is |
| made. This behaviour is configurable via the |
| <code>mapperContextRootRedirectEnabled</code> and |
| <code>mapperDirectoryRedirectEnabled</code> attributes of the Context |
| which may be used to restore the previous behaviour. (markt) |
| </add> |
| <fix> |
| <bug>58635</bug>: Enable break points to be set within agent code when |
| running Tomcat with a Java agent. Based on a patch by Huxing Zhang. |
| (markt) |
| </fix> |
| <fix> |
| Add path parameter handling to |
| <code>HttpServletRequest.getContextPath()</code>. This is a follow-up to |
| the fix for <bug>57215</bug>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57136#c25</bug>: Implement a setting that controls what quoting |
| rule is used when parsing EL expressions in attributes on a JSP page |
| (chapter JSP.1.6 of specification). The setting name is |
| <code>quoteAttributeEL</code> and it is configured as an initialisation |
| parameter of the JSP Servlet (per web application configuration is possible) |
| and as a command line option for JspC. The default value was changed to |
| <code>true</code>, which restores behaviour implemented in |
| Tomcat 7.0.64. It means that attribute quoting is applied on top of EL |
| quoting. This provides better compatibility with older versions of |
| Tomcat and other implementations. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Optimize the session lock range in DeltaManager.requestCompleted. |
| (kfujino) |
| </fix> |
| <fix> |
| Enable an explicit configuration of the local member in the static cluster |
| membership. (kfujino) |
| </fix> |
| <fix> |
| Fix potential integer overflow in <code>DeltaSession</code>. |
| Reported by coverity scan. (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <scode> |
| Distinguish the handling of the shutdown payload and member verification |
| clearly. When handling shutdown payload, verification completion message |
| is not required. (kfujino) |
| </scode> |
| <fix> |
| When starting the <code>StaticMembershipInterceptor</code>, |
| <code>StaticMembershipInterceptor</code> checks the required |
| Interceptors. If the required Interceptor does not exist, it issues |
| warning logs. (kfujino) |
| </fix> |
| <fix> |
| Ensure that the static member is registered to the add suspect list even |
| if the static member that is registered to the remove suspect list has |
| disappeared. (kfujino) |
| </fix> |
| <fix> |
| Correct the warning log issued when a member that is not registered in |
| the membership is detected. (kfujino) |
| </fix> |
| <fix> |
| When using a static cluster, add the members that have been cached in |
| the membership service to the map members list in order to ensure that |
| the map member is a static member. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Use instance manager for server endpoint instances. (remm) |
| </fix> |
| <add> |
| <bug>55006</bug>: The WebSocket client now honors the |
| <code>java.net.ProxySelector</code> configuration (using the |
| HTTP type) when establishing WebSocket connections to servers. Based on |
| a patch by Niki Dokovski. (markt) |
| </add> |
| <fix> |
| <bug>58624</bug>: Correct a thread safety issue that meant that blocking |
| message writes could block indefinitely if the WebSocket connection was |
| closed while a message write was in progress. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Make it clear in the documentation for the CGI servlet that the debug |
| page is not considered secure and should not be used in production. |
| (markt) |
| </add> |
| <fix> |
| The <code>domain</code> attribute of <code>StaticMember</code> is not |
| required but optional. (kfujino) |
| </fix> |
| <fix> |
| <bug>58631</bug>: Correct the continuation character use in the Windows |
| Service How-To page of the documentation web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>58489</bug>: Correct QueryStatsComparator to uphold the |
| general contract for Comparator. (fschumacher) |
| </fix> |
| <fix> |
| When creating a <code>QueryStats</code> object, ensure that |
| <code>maxQueries</code> is checked. If <code>maxQueries</code> is a |
| value less than or equal to 0, <code>QueryStats</code> are never |
| created. (kfujino) |
| </fix> |
| <fix> |
| Fix potential integer overflow in <code>ConnectionPool</code> and |
| <code>PooledConnection</code>. Reported by coverity scan. (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.65 (violetagg)" rtext="released 2015-10-19"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>57681</bug>: Add a web application class loader implementation that |
| supports the parallel loading of web application classes. Use of this |
| feature requires a Java 7 or later JRE. Based on a patch by Huxing |
| Zhang. (markt) |
| </add> |
| <fix> |
| <bug>58187</bug>: Correct a regression in the fix for <bug>57765</bug> |
| that meant that deployment of web applications deployed via the Manager |
| application was delayed until the next execution of the automatic |
| deployment background process. (markt) |
| </fix> |
| <fix> |
| <bug>58284</bug>: Correctly implement session serialization so |
| non-serializable attributes are skipped with a warning. Patch provided |
| by Andrew Shore. (markt) |
| </fix> |
| <fix> |
| <bug>58313</bug>: Fix concurrent access of encoders map when clearing |
| encoders prior to switch to async. (markt) |
| </fix> |
| <fix> |
| <bug>58320</bug>: Fix concurrent access of request attributes which is |
| possible during asynchronous processing. (markt) |
| </fix> |
| <scode> |
| In preparation for implementing enhancement <bug>57681</bug>, replace |
| the use of the <code>StandardClassLoader</code> with |
| <code>URLClassLoader</code>. This removes the server class loader from |
| JMX. (markt) |
| </scode> |
| <fix> |
| <bug>58352</bug>: Always trigger a thread dump if Tomcat fails to stop |
| gracefully from <code>catalina.sh</code> even if using |
| <code>-force</code>. Patch provided by Alexandre Garnier. (markt) |
| </fix> |
| <fix> |
| <bug>58416</bug>: Correctly detect when a forced stop fails to stop |
| Tomcat because the Tomcat process is waiting on some system call or is |
| uninterruptible. (markt) |
| </fix> |
| <fix> |
| <bug>58436</bug>: Fix some rare data races in JULI's |
| <code>ClassLoaderLogManager</code> during shutdown. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct some edge cases in <code>RequestUtil.normalize()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58275</bug>: The IBM JREs accept cipher suite names starting with |
| <code>TLS_</code> or <code>SSL_</code> but when listing the supported |
| cipher suites only the <code>SSL_</code> version is reported. This can |
| break Tomcat's check that at least one requested cipher suite is |
| supported. Tomcat now includes a work-around so either form of the |
| cipher suite name can be used when running on an IBM JRE. (markt) |
| </fix> |
| <fix> |
| <bug>58357</bug>: For reasons not currently understood when the |
| APR/native connector is used with OpenSSL reads can return an error code |
| when there is no apparent error. This was worked around for HTTP upgrade |
| connections by treating this as <code>EAGAIN</code>. The same fix has |
| now been applied to the standard HTTP connector. (markt) |
| </fix> |
| <fix> |
| <bug>57799</bug>: Remove useless sendfile check for NIO SSL. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57136</bug>: Correct a regression in the previous fix for this |
| issue. <code>\${</code> should only be an escape for <code>${</code> |
| within an EL expression. Within a JSP page <code>\$</code> should be an |
| escape for <code>$</code>. The EL specification applies when parsing the |
| expression delimited by <code>${</code> and <code>}</code>. Parsing of |
| the delimiting <code>${</code> and <code>}</code> is the responsibility |
| of the JSP specification. (markt) |
| </fix> |
| <fix> |
| <bug>58296</bug>: Fix a memory leak in the JSP unloading feature that |
| meant that using a value other than <code>-1</code> for |
| <code>maxLoadedJsps</code> triggered a memory leak once the limit was |
| reached. (markt) |
| </fix> |
| <fix> |
| <bug>58340</bug>: Improve error reporting for tag files packaged in |
| JARs. (markt) |
| </fix> |
| <fix> |
| <bug>58444</bug>: Ensure that JSPs work with any custom base class that |
| meets the requirements defined in the JSP specification without |
| requiring that base class to implement Tomcat specific code. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Fix the default clusterListeners in <code>SimpleTcpCluster</code>. The |
| optimal default value is different for each session manager. |
| <code>ClusterSessionListener</code> is never used in |
| <code>BackupManager</code>. (kfujino) |
| </fix> |
| <fix> |
| Correct log messages in case of using <code>BackupManager</code>. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>58342</bug>: Fix a copy and paste error that meant MessageHandler |
| removal could fail for binary and pong MessageHandlers. Patch provided |
| by DJ. (markt) |
| </fix> |
| <fix> |
| <bug>58414</bug>: Correctly handle sending zero length messages when |
| using per message deflate. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct documentation for cluster-howto. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Extras"> |
| <changelog> |
| <fix> |
| Ensure JULI adapters do not include the LogFactoryImpl class. Patch |
| provided by Benjamin Gandon. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add support for configurations of <code>ChannelListener</code> and |
| <code>MembershipListener</code> in server.xml. (kfujino) |
| </add> |
| <fix> |
| Correct log messages in case of using <code>ReplicatedMap</code>. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Make sure the pool has been properly configured when attributes that |
| relate to the pool size are changed via JMX. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.64 (violetagg)" rtext="released 2015-08-25"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>55317</bug>: Facilitate weaving by allowing ClassFileTransformer to |
| be added to WebappClassLoader. Patch by Nick Williams. (markt) |
| </add> |
| <fix> |
| <bug>58031</bug>: Make the (first) reason parameter parsing failed |
| available as a request attribute and then use it to provide a better |
| status code via the FailedRequestFilter (if configured). (markt) |
| </fix> |
| <fix> |
| <bug>58086</bug>: Ensure that WAR URLs are handled properly when using |
| Apache Ant for web application deployment. (violetagg) |
| </fix> |
| <fix> |
| <bug>58094</bug>: Fix cosmetic error log when using non standard |
| non cacheable resources, like with the empty resources used in some |
| tests. (remm) |
| </fix> |
| <fix> |
| <bug>58096</bug>: Classes loaded from <code>/WEB-INF/classes/</code> |
| should use that directory as their code base. (markt) |
| </fix> |
| <fix> |
| Fix possible resource leaks by closing streams properly. |
| Issues reported by Coverity Scan. (violetagg) |
| </fix> |
| <fix> |
| <bug>58116</bug>: Fix a regression in the fix for <bug>57281</bug> that |
| broke Comet support when running under a security manager. Based on a |
| patch provided by Johno Crawford. (markt) |
| </fix> |
| <fix> |
| <bug>58179</bug>: Fix a thread safety issue that could mean concurrent |
| threads setting the same attribute on a <code>ServletContext</code> |
| could both see <code>null</code> as the old value. (markt) |
| </fix> |
| <fix> |
| <bug>58192</bug>: Correct a regression in the previous fix for |
| <bug>58023</bug>. Ensure that classes are associated with their manifest |
| even if the class file is first read (and cached) without the manifest. |
| (markt) |
| </fix> |
| <fix> |
| Fix thread safety issue in the <code>AsyncContext</code> implementation |
| that meant a sequence of <code>start();dispatch();</code> calls using |
| non-container threads could result in a previous dispatch interfering |
| with a subsequent start. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>57943</bug>: Prevent the same socket being added to the cache |
| twice. Patch based on analysis by Ian Luo / Sun Qi. (markt) |
| </fix> |
| <fix> |
| Add <code>text/javascript,application/javascript</code> to the default |
| list of compressible MIME types. (violetagg) |
| </fix> |
| <fix> |
| <bug>58103</bug>: When pipelining requests, and the previous request was |
| an async request, ensure that the socket is removed from the waiting |
| requests so that the async timeout thread doesn't process it during the |
| next request. (markt) |
| </fix> |
| <fix> |
| Fix a concurrency issue that meant that a change in socket timeout (e.g. |
| when switching to asynchronous I/O) did not always take effect |
| immediately. (markt) |
| </fix> |
| <fix> |
| In the AJP and HTTP NIO connectors, ensure that the socket timeout is |
| correctly set before adding the socket back to the poller for read. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58157</bug>: Ensure that the handling of async timeouts does not |
| result in an unnecessary dispatch to a container thread that could |
| result in the current socket being added to the Poller multiple times |
| with multiple attempts to process the same event for the same socket. |
| (markt) |
| </fix> |
| <fix> |
| Correct a couple of edge cases in <code>RequestUtil.normalize()</code>. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>58110</bug>: Like scriptlet sections, declaration sections of JSP |
| pages have a one-to-one mapping of lines to the generated .java file. |
| Use this information to provide more accurate error messages if a |
| compilation error occurs in a declaration section. (markt) |
| </fix> |
| <fix> |
| <bug>58119</bug>: When tags are compiled they must be placed in the |
| org/apache/jsp/tag/web directory. Correct a regression in the fix for |
| 52725. (violetagg) |
| </fix> |
| <fix> |
| <bug>58178</bug>: Expressions in a tag file should use the tag |
| file's <code>PageContext</code> rather than that of the containing |
| page. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>58166</bug>: Allow applications to send close codes in the range |
| 3000-4999 inclusive. (markt) |
| </fix> |
| <fix> |
| <bug>58232</bug>: Avoid possible NPE when adding endpoints |
| programmatically to the |
| <code>javax.websocket.server.ServerContainer</code>. |
| Based on a patch provided by bastian. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the incorrect documentation of <code>QueryTimeoutInterceptor</code>. |
| The setting value is not in milliseconds but in seconds. (kfujino) |
| </fix> |
| <fix> |
| <bug>58112</bug>: Update the documentation for using the Catalina tasks |
| in an Apache Ant build file. (markt) |
| </fix> |
| <fix> |
| Improve the Javadoc for some of the APR socket read functions that have |
| inconsistent behaviour for return values. (markt) |
| </fix> |
| <add> |
| <bug>58255</bug>: Document the Semaphore valve. Patch provided by |
| Kyohei Nakamura. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix potential NPE in <code>QueryTimeoutInterceptor</code>. (kfujino) |
| </fix> |
| <fix> |
| Add support for stopping the pool cleaner via JMX. (kfujino) |
| </fix> |
| <fix> |
| The <code>fairness</code> attribute and |
| <code>ignoreExceptionOnPreLoad</code> attribute do not allow a change |
| via JMX. (kfujino) |
| </fix> |
| <fix> |
| If the <code>timeBetweenEvictionRunsMillis</code> attribute is changed |
| via JMX, it should restart the pool cleaner because this attribute |
| affects the execution interval of the pool cleaner. (kfujino) |
| </fix> |
| <fix> |
| Eliminate the dependence on <code>maxActive</code> of busy queues and |
| idle queue in order to enable the expansion of the pool size via JMX. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Update sample Eclipse IDE configuration to exclude test/webapp* and |
| similar paths from compiler sourcepath. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.63 (violetagg)" rtext="released 2015-07-06"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>57938</bug>: Correctly handle empty form fields when a form is |
| submitted as <code>multipart/form-data</code>, the |
| <code>maxPostSize</code> attribute of the Connector has been set to a |
| negative value and the Context has been configured with a value of |
| <code>true</code> for <code>allowCasualMultipartParsing</code>. The |
| meaning of the value zero for the <code>maxPostSize</code> has also been |
| changed to mean a limit of zero rather than no limit to align it with |
| <code>maxSavePostSize</code> and to be more intuitive. (markt) |
| </fix> |
| <add> |
| <bug>54618</bug>: Add a new <code>HttpHeaderSecurityFilter</code> that |
| adds the <code>Strict-Transport-Security</code>, |
| <code>X-Frame-Options</code> and <code>X-Content-Type-Options</code> |
| HTTP headers to the response. (markt) |
| </add> |
| <fix> |
| Add a workaround for issues with SPNEGO authentication when running on |
| Java 8 update 40 and later. The workaround should be safe for earlier |
| Java versions but it can be disabled with the |
| <code>applyJava8u40Fix</code> attribute of the SPNEGO authenticator if |
| necessary. (markt) |
| </fix> |
| <add> |
| <bug>57154</bug>: Add support for web applications (Context elements) |
| that do not have a docBase. This is primarily for use when embedding but |
| it also fixes a rare issue when running the unit test. Patch provided by |
| Huxing Zhang. (markt) |
| </add> |
| <fix> |
| <bug>57959</bug>: Fixed deadlock in |
| <code>org.apache.juli.FileHandler</code> when log is rotated. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>57977</bug>: Correctly bind and unbind the web application class |
| loader during execution of the PersistentValve. (markt) |
| </fix> |
| <fix> |
| <bug>58023</bug>: Fix potentially excessive memory usage due to |
| unnecessary caching of JAR manifests in the web application class |
| loader. (markt) |
| </fix> |
| <fix> |
| <bug>57700</bug>: Ensure that Container event |
| <code>ADD_CHILD_EVENT</code> will be sent in all cases. (violetagg) |
| </fix> |
| <fix> |
| Add configuration fields for header names in SSLValve. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>57265</bug>: Further fix to address a potential threading issue |
| for NIO when sendfile is used in conjunction with TLS. (markt) |
| </fix> |
| <fix> |
| <bug>57931</bug>: Ensure that TLS connections with the NIO HTTP |
| connector that experience issues during the handshake (e.g. missing or |
| invalid client certificate) are closed cleanly and that the client |
| receives the correct error code rather than simply closing the |
| connection. (markt) |
| </fix> |
| <add> |
| <bug>57943</bug>: Added a work-around to catch |
| <code>ConcurrentModificationException</code>s during Poller timeout |
| processing that were causing the Poller thread to stop. The root cause |
| of these exceptions is currently unknown. (markt) |
| </add> |
| <fix> |
| Fix possible very long (1000 seconds) timeout with APR/native connector. |
| (markt) |
| </fix> |
| <add> |
| Support "-" separator in the SSLProtocol configuration of the |
| APR/native connector for protocol exclusion. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Make sure that stream is closed after using it in |
| <code>DeltaSession.applyDiff()</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| <bug>57676</bug>: List conflicting WebSocket endpoint classes when |
| there is a path conflict. Based upon a patch proposed by yangkun. |
| (schultz) |
| </add> |
| <add> |
| Extend support for the <code>permessage-deflate</code> extension to the |
| client implementation. |
| </add> |
| <fix> |
| <bug>57969</bug>: Provide path parameters to POJO via per session |
| <code>javax.websocket.server.ServerEndpointConfig</code> as they vary |
| between different requests. (violetagg) |
| </fix> |
| <fix> |
| <bug>57974</bug>: Session.getOpenSessions should return all sessions |
| associated with a given endpoint instance, rather than all sessions |
| from the endpoint class. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>57282</bug>: Update request processing sequence diagrams. Updated |
| diagrams provided by Stephen Chen. (markt) |
| </fix> |
| <fix> |
| <bug>57971</bug>: Correct the documentation for the cluster |
| configuration setting <code>recoverySleepTime</code>. (markt) |
| </fix> |
| <add> |
| <bug>57758</bug>: Add documentation of the <code>testOnConnect</code> |
| attribute to the jdbc-pool docs. (kfujino) |
| </add> |
| <add> |
| Add description of <code>validatorClassName</code> attribute to testXXXX |
| attributes in jdbc-pool docs. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that the state transfer flag is updated to true only when the map |
| states have been transferred correctly from existing map members. |
| (kfujino) |
| </fix> |
| <fix> |
| Do not set nodes to which replication failed as backup nodes. Ensure |
| that the nodes to which the data has been successfully replicated are |
| set as the backup nodes. (kfujino) |
| </fix> |
| <fix> |
| When replication fails, rather than handling all members as failed |
| members, exclude only the failed members from the backup members. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Refactoring of the <code>removeOldest</code> method in |
| <code>SlowQueryReport</code> to behave as expected. (kfujino) |
| </fix> |
| <fix> |
| <bug>57783</bug>: Fix <code>NullPointerException</code> in |
| <code>SlowQueryReport</code>. To avoid this NPE, refactor |
| <code>SlowQueryReport#removeOldest</code> and handle the abandoned |
| connection properly. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update package renamed Apache Commons BCEL to r1682271 to pick up some |
| code clean up. (markt) |
| </update> |
| <update> |
| Update package renamed Apache Commons File upload to r1682322 to pick up |
| the post 1.3.1 fixes. (markt) |
| </update> |
| <update> |
| Update package renamed Apache Commons Codec to r1682326. No functional |
| changes. Javadoc only. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.62 (violetagg)" rtext="released 2015-05-14"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Allow logging of the remote port in the access log using the format |
| pattern <code>%{remote}p</code>. (rjung) |
| </add> |
| <fix> |
| <bug>57765</bug>: When checking last modified times as part of the |
| automatic deployment process, account for the fact that |
| <code>File.lastModified()</code> has a resolution of one second to |
| ensure that if a file has been modified within the last second, the |
| latest version of the file is always used. Note that a side-effect of |
| this change is that files with modification times in the future are |
| treated as if they are unmodified. (markt) |
| </fix> |
| <fix> |
| Align redeploy resource modification checking with reload modification |
| checking so that now, in both cases, a change in modification time |
| rather than an increase in modification time is used to determine if the |
| resource has changed. (markt) |
| </fix> |
| <fix> |
| Cleanup <code>o.a.tomcat.util.digester.Digester</code> from debug |
| messages that do not give any valuable information. Patch provided |
| by Polina Genova. (violetagg) |
| </fix> |
| <fix> |
| <bug>57772</bug>: When reloading a web application and a directory |
| representing an expanded WAR needs to be deleted, delete the directory |
| after the web application has been stopped rather than before to avoid |
| potential ClassNotFoundExceptions. (markt) |
| </fix> |
| <fix> |
| <bug>57801</bug>: Improve the error message in the start script in case |
| the PID read from the PID file is already owned by a process. (rjung) |
| </fix> |
| <fix> |
| <bug>57824</bug>: Correct a regression in the fix for <bug>57252</bug> |
| that broke request listeners for non-async requests that triggered an |
| error that was handled by the ErrorReportingValve. (markt/violetagg) |
| </fix> |
| <fix> |
| <bug>57841</bug>: Improve error logging during web application start. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57856</bug>: Ensure that any scheme/port changes implemented by the |
| <code>RemoteIpFilter</code> also affect |
| <code>HttpServletResponse.sendRedirect()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>57896</bug>: Support defensive copying of "cookie" header so that |
| unescaping double quotes in a cookie value does not corrupt original |
| value of "cookie" header. This is an opt-in feature, enabled by |
| <code>org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER</code> |
| or <code>org.apache.catalina.STRICT_SERVLET_COMPLIANCE</code> |
| system property. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>57779</bug>: When an I/O error occurs on a non-container thread |
| only dispatch to a container thread to handle the error if using Servlet |
| 3+ asynchronous processing. This avoids potential deadlocks if an |
| application is performing I/O on a non-container thread without using |
| the Servlet 3+ asynchronous API. (markt) |
| </fix> |
| <fix> |
| <bug>57833</bug>: When using JKS based keystores for NIO, ensure that |
| the key alias is always converted to lower case since that is what JKS |
| key stores expect. Based on a patch by Santosh Giri Govind M. (markt) |
| </fix> |
| <fix> |
| <bug>57837</bug>: Add <code>text/css</code> to the default list of |
| compressable MIME types. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57845</bug>: Ensure that, if the same JSP is accessed directly and |
| via a <code>&lt;jsp-file&gt;</code> declaration in web.xml, updates to |
| the JSP are visible (subject to the normal rules on re-compilation) |
| regardless of how the JSP is accessed. (markt) |
| </fix> |
| <fix> |
| <bug>57855</bug>: Explicitly handle the case where a |
| <code>MethodExpression</code> is invoked with null or the wrong number |
| of parameters. Rather than failing with an |
| <code>ArrayIndexOutOfBoundsException</code> or a |
| <code>NullPointerException</code> throw an |
| <code>IllegalArgumentException</code> with a useful error message. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Add new attribute that sends all actions for session across Tomcat |
| cluster nodes. (kfujino) |
| </add> |
| <fix> |
| Remove unused <code>pathname</code> attribute in mbean definition of |
| <code>BackupManager</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>57338</bug>: Improve the ability of the ClusterSingleSignOn valve |
| to handle nodes being added and removed from the Cluster at run time. |
| (markt) |
| </fix> |
| <fix> |
| Avoid unnecessary call of <code>DeltaRequest.addSessionListener()</code> |
| in non-primary nodes. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57762</bug>: Ensure that the WebSocket client correctly detects |
| when the connection to the server is dropped. (markt) |
| </fix> |
| <fix> |
| <bug>57776</bug>: Revert the 8.0.21 fix for the |
| <code>permessage-deflate</code> implementation and incorrect op-codes |
| since the fix was unnecessary (the bug only affected trunk) and the fix |
| broke rather than fixed <code>permessage-deflate</code> if an |
| uncompressed message was converted into more than one compressed |
| message. (markt) |
| </fix> |
| <fix> |
| Fix log name typo in <code>WsRemoteEndpointImplServer</code> class, |
| caused by a copy-paste. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>57788</bug>: Avoid NPE when looking up a class hierarchy without |
| finding anything. (remm) |
| </fix> |
| <add> |
| Make WebSocket client more robust when handling errors during the close |
| of a WebSocket session. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>57759</bug>: Add information to the keyAlias documentation to make |
| it clear that the order keys are read from the keystore is |
| implementation dependent. (markt) |
| </add> |
| <fix> |
| <bug>57864</bug>: Update the documentation web application to make it |
| clearer that hex values are not valid for cluster send options. Based on |
| a patch by Kyohei Nakamura. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Fix a concurrency issue when a backup message that has all session data |
| and a backup message that has diff data are processed at the same time. |
| This fix ensures that <code>MapOwner</code> is set to |
| <code>ReplicatedMapEntry</code>. (kfujino) |
| </fix> |
| <fix> |
| Clarify the handling of Copy message and Copy nodes. (kfujino) |
| </fix> |
| <fix> |
| Copy node does not need to send the entry data. It is enough to send |
| only the node information of the entry. (kfujino) |
| </fix> |
| <fix> |
| <code>ReplicatedMap</code> should send the Copy message when |
| replicating. (kfujino) |
| </fix> |
| <fix> |
| Fix behavior of <code>ReplicatedMap</code> when member has disappeared. |
| If map entry is primary, rebuild the backup members. If primary node of |
| map entry has disappeared, backup node is promoted to primary. (kfujino) |
| </fix> |
| <fix> |
| When a map member has been added to <code>ReplicatedMap</code>, make |
| sure to add it to backup nodes list of all other members. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.61 (violetagg)" rtext="released 2015-04-07"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>55988</bug>: Correct the check used for Java 8 JSSE |
| server-preferred TLS cipher suite ordering. Ensure that SSL parameters |
| are provided to <code>SSLServerSocket</code> and <code>SSLEngine</code>. |
| Patch provided by Ognjen Blagojevic. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57761</bug>: Ensure that the opening HTTP request is correctly |
| formatted when the WebSocket client connects to a server root. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.60 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Clarify threaded usage of variables by removing volatile marker |
| in NonceInfo. Issue reported by Coverity Scan. (fschumacher) |
| </fix> |
| <add> |
| <bug>49785</bug>: Enable StartTLS connections for JNDIRealm. |
| (fschumacher) |
| </add> |
| <fix> |
| <bug>55988</bug>: Add support for Java 8 JSSE server-preferred TLS |
| cipher suite ordering. This feature requires Java 8 |
| and is controlled by <code>useServerCipherSuitesOrder</code> |
| attribute on an HTTP connector. |
| Based upon patches provided by Ognjen Blagojevic. (schultz) |
| </fix> |
| <add> |
| <bug>56438</bug>: Add logging that reports when a JAR is scanned for |
| TLDs but nothing is found so that Tomcat may be configured to skip this |
| JAR in future. Based on a patch by VIN. (markt) |
| </add> |
| <fix> |
| <bug>56848</bug>: Use <code>Locale.forLanguageTag</code> to process |
| Locale headers when running on a Java 7 or later JRE. (markt) |
| </fix> |
| <add> |
| <bug>57021</bug>: Improve logging in AprLifecycleListener and |
| jni.Library when Tomcat-Native DLL fails to load. Based on a patch by |
| Pravallika Peddi. (markt/kkolinko) |
| </add> |
| <fix> |
| <bug>57180</bug>: Further fixes to support the use of arbitrary HTTP |
| methods with the CORS filter. (markt) |
| </fix> |
| <add> |
| Warn about problematic setting of appBase. (fschumacher) |
| </add> |
| <fix> |
| <bug>57534</bug>: CORS Filter should only look at media type component of |
| Content-Type request header. (markt) |
| </fix> |
| <fix> |
| Ensure that user name checking in the optional SecurityListener is |
| case-insensitive (as documented) and that the case-insensitive |
| comparison is performed using the system default Locale. (markt) |
| </fix> |
| <fix> |
| When docBase refers to an internal WAR and unpackWARs is set to false, |
| avoid registering an invalid redeploy resource that has the ".war" |
| extension added twice. (kfujino) |
| </fix> |
| <fix> |
| If WAR exists, it is not necessary to trigger a reload when adding a |
| Directory. (kfujino) |
| </fix> |
| <fix> |
| <bug>56608</bug>: When deploying an external WAR, add watched resources |
| in the expanded directory based on whether the expanded directory is |
| expected to exist rather than if it does exist. |
| </fix> |
| <fix> |
| When triggering a reload due to a modified watched resource, ensure |
| that multiple changed watched resources only trigger one reload rather |
| than a series of reloads. |
| </fix> |
| <fix> |
| <bug>57601</bug>: Ensure that HEAD requests return the correct content |
| length (i.e. the same as for a GET) when the requested resource includes |
| a resource served by the Default servlet. (jboynes/markt) |
| </fix> |
| <fix> |
| <bug>57602</bug>: Ensure that HEAD requests return the correct content |
| length (i.e. the same as for a GET) when the requested resource includes |
| a resource served by a servlet that extends <code>HttpServlet</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57621</bug>: When an async request completes, ensure that any |
| remaining request body data is swallowed. (markt) |
| </fix> |
| <fix> |
| <bug>57637</bug>: Do not create unnecessary sessions when using |
| PersistentValve. (jboynes/fschumacher) |
| </fix> |
| <fix> |
| <bug>57645</bug>: Correct a regression in the fix for |
| <bug>57190</bug> that incorrectly required the path passed to |
| <code>ServletContext.getContext(String)</code> to be an exact match to a |
| path to an existing context. (markt) |
| </fix> |
| <fix> |
| Make sure that <code>unpackWAR</code> attribute of <code>Context</code> |
| is handled correctly in <code>HostConfig</code>. (kfujino) |
| </fix> |
| <fix> |
| When deploying a WAR file that contains a context.xml file and |
| <code>unpackWARs</code> is <code>false</code> ignore any context.xml |
| file that may exist in an expanded directory associated with the WAR. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57675</bug>: Correctly quote strings when using the extended |
| access log. (markt) |
| </fix> |
| <fix> |
| <bug>57704</bug>: Fix potential NPEs during web application start/stop |
| when <code>org.apache.tomcat.InstanceManager</code> is not initialized. |
| (violetagg) |
| </fix> |
| <fix> |
| Add support for <code>LAST_ACCESS_AT_START</code> system property to |
| <code>SingleSignOn</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>57723</bug>: Ensure that the Context name and path remain |
| consistent when adding a web application to an embedded Tomcat instance |
| via <code>Tomcat.addWebapp(Host,String,String,String)</code>. (markt) |
| </fix> |
| <fix> |
| <bug>57724</bug>: Handle the case in the CORS filter where a user agent |
| includes an origin header for a non-CORS request. (markt) |
| </fix> |
| <scode> |
| Refactor Authenticator implementations to reduce code duplication. |
| (markt) |
| </scode> |
| <fix> |
| When searching for SCIs |
| <code>o.a.catalina.Context.getParentClassLoader</code> will be used |
| instead of <code>java.lang.ClassLoader.getParent</code>. Thus one can |
| provide the correct parent class loader when running embedded Tomcat in |
| other environments such as OSGi. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>57509</bug>: Improve length check when writing HTTP/1.1 |
| response headers: reserve space for 4 extra bytes. (kkolinko) |
| </fix> |
| <add> |
| <bug>57540</bug>: Make TLS/SSL protocol available in a new request |
| attribute |
| (<code>org.apache.tomcat.util.net.secure_protocol_version</code>). |
| (Note that AJP connectors will require <tt>mod_jk</tt> 1.2.41 or later, |
| or an as-yet-unknown version of mod_proxy_ajp, or configure the proxy |
| to send the AJP_SSL_PROTOCOL request attribute to Tomcat. Please see |
| the bug comments for details.) |
| Based upon a patch provided by Ralf Hauser. (schultz) |
| </add> |
| <fix> |
| <bug>57544</bug>: Fix potential infinite loop when preparing a kept |
| alive HTTP connection for the next request. (markt) |
| </fix> |
| <fix> |
| <bug>57546</bug>: Ensure that a dropped network connection does not |
| leave references to the UpgradeProcessor associated with the connection |
| in memory. (markt) |
| </fix> |
| <fix> |
| <bug>57570</bug>: Make the processing of trailer headers with chunked |
| input optional and disabled by default. (markt) |
| </fix> |
| <fix> |
| When applying the <code>maxSwallowSize</code> limit to a connection, read |
| that many bytes first before closing the connection to give the client a |
| chance to read the response. (markt) |
| </fix> |
| <fix> |
| Prevent an async timeout being processed multiple times for the same |
| socket when running on slow and/or heavily loaded systems. (markt) |
| </fix> |
| <fix> |
| <bug>57581</bug>: Change statistics byte counter in coyote Request |
| object to be long to allow values above 2Gb. (kkolinko) |
| </fix> |
| <fix> |
| Fix a concurrency issue in the APR Poller that meant it was possible |
| under low load for a socket queued to be added to the Poller not to be |
| added for 10 seconds. (markt) |
| </fix> |
| <fix> |
| <bug>57638</bug>: Avoid an IllegalArgumentException when an AJP request |
| body chunk larger than the socket read buffer is being read. This |
| typically requires a larger than default AJP packetSize. (markt) |
| </fix> |
| <fix> |
| <bug>57674</bug>: Avoid a BufferOverflowException when an AJP response |
| body chunk larger than the socket write buffer is being written. This |
| typically requires a larger than default AJP packetSize. (markt) |
| </fix> |
| <scode> |
| Refactor Connector authentication (only used by AJP) into a separate |
| method. (markt) |
| </scode> |
| <add> |
| <bug>57708</bug>: Implement a new feature for AJP connectors - Tomcat |
| Authorization. If the new tomcatAuthorization attribute is set to |
| <code>true</code> (it is disabled by default) Tomcat will take an |
| authenticated user name from the AJP protocol and use the appropriate |
| Realm for the request to authorize (i.e. add roles) to that user. |
| (markt) |
| </add> |
| <fix> |
| Fix an issue that meant that any pipe-lined data read by Tomcat before |
| an asynchronous request completed was lost during the completion of the |
| asynchronous request. This meant that the pipe-lined request(s) would be |
| lost and/or corrupted. (markt) |
| </fix> |
| <update> |
| Update the minimum recommended version of the Tomcat Native library (if |
| used) to 1.1.33. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57136</bug>: Ensure only <code>\${</code> and <code>\#{</code> are |
| treated as escapes for <code>${</code> and <code>#{</code> rather than |
| <code>\$</code> and <code>\#</code> being treated as escapes for |
| <code>$</code> and <code>#</code> when processing literal expressions in |
| expression language. (markt) |
| </fix> |
| <fix> |
| <bug>57148</bug>: When coercing an object to a given type and a |
| <code>PropertyEditor</code> has been registered for the type correctly |
| coerce the empty string to <code>null</code> if the |
| <code>PropertyEditor</code> throws an exception. (kkolinko/markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Remove unnecessary method that always returns true. The domain filtering |
| works on <code>DomainFilterInterceptor</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correct a bug in the <code>permessage-deflate</code> implementation that |
| meant that the incorrect op-codes were used if an uncompressed message |
| was converted into more than one compressed message. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Fix possible resource leaks by closing streams properly. Issues |
| reported by Coverity Scan. (fschumacher) |
| </fix> |
| <fix> |
| <bug>56058</bug>: Add links to the AccessLogValve documentation for |
| configuring reverse proxies and/or Tomcat to ensure that the desired |
| information is entered in the access log when Tomcat is running |
| behind a reverse proxy. (markt) |
| </fix> |
| <fix> |
| <bug>57503</bug>: Make clear that the JULI integration for log4j only |
| works with log4j 1.2.x. (markt) |
| </fix> |
| <fix> |
| Remove incorrect note from context configuration page in the |
| documentation web application that stated WAR files located outside the |
| appBase were never unpacked. (markt) |
| </fix> |
| <update> |
| <bug>57644</bug>: Update examples to use Apache Standard Taglib 1.2.5. |
| (jboynes) |
| </update> |
| <fix> |
| <bug>57683</bug>: Ensure that if a client aborts their connection to the |
| stock ticker example (the only way a client can disconnect), the example |
| continues to work for existing and new clients. (markt) |
| </fix> |
| <fix> |
| Correct the documentation for deployOnStartup to make clear that if a |
| WAR file is updated while Tomcat is stopped and unpackWARs is true, |
| Tomcat will not detect the changed WAR file when it starts and will not |
| replace the unpacked WAR file with the contents of the updated WAR. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Extras"> |
| <changelog> |
| <fix> |
| <bug>57377</bug>: Remove the restriction that prevented the use of SSL |
| when specifying a bind address with the JMXRemoteLifecycleListener. Also |
| enable SSL to be configured for the registry as well as the server. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Make sure that messages from a different domain are refused in |
| <code>DomainFilterInterceptor</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Enhance bean factory used for JNDI resources. New attribute |
| <code>forceString</code> allows support for non-standard |
| string argument property setters. (rjung) |
| </add> |
| <fix> |
| Fix <code>TestAbstractAjpProcessor</code> unit test failures on |
| Windows. (kkolinko) |
| </fix> |
| <fix> |
| Guard the digester from MbeansDescriptorsDigesterSource with its own |
| lock object. (fschumacher) |
| </fix> |
| <fix> |
| <bug>57558</bug>: Add missing JAR in Ant task definition required by |
| the validate task. (markt/kkolinko) |
| </fix> |
| <add> |
| List names of Testsuites that have failed or skipped tests when |
| running tests with Ant. (kkolinko) |
| </add> |
| <fix> |
| <bug>57703</bug>: Update the <code>http-method</code> definition for |
| web applications using a Servlet 2.5 descriptor as per Servlet 2.5 MR 6. |
| (markt) |
| </fix> |
| <update> |
| Update to Tomcat Native Library version 1.1.33 to pick up the Windows |
| binaries that are based on OpenSSL 1.0.1m and APR 1.5.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.59 (violetagg)" rtext="released 2015-02-04"> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57504</bug>: Initialize TLD locations cache when creating the |
| ServletContext. (jboynes) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Fix a possible deadlock when receiver thread invokes |
| <code>mapMemberAdded()</code> while ping thread invokes |
| <code>memberAlive()</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.58 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>57173</bug>: Revert the fix for <bug>56953</bug> that broke |
| annotation scanning in some cases. (markt) |
| </fix> |
| <fix> |
| <bug>57178</bug>: The CORS filter now treats <code>null</code> as a |
| valid origin that matches <code>*</code>. Patch provided by Gregor |
| Zurowski. (markt) |
| </fix> |
| <fix> |
| <bug>57180</bug>: Do not limit the CORS filter to only accepting |
| requests that use an HTTP method defined in RFC 7231. (markt) |
| </fix> |
| <fix> |
| <bug>57190</bug>: Fix <code>ServletContext.getContext(String)</code> |
| when parallel deployment is used so that the correct ServletContext is |
| returned. (markt) |
| </fix> |
| <fix> |
| <bug>57208</bug>: Prevent NPE in JNDI Realm when no results are found |
| in a directory context for a user with specified user name. Based on |
| a patch provided by Jason McIntosh. (violetagg) |
| </fix> |
| <add> |
| <bug>57209</bug>: Add a new attribute, userSearchAsUser to the JNDI |
| Realm. (markt) |
| </add> |
| <fix> |
| <bug>57215</bug>: Ensure that the result of calling |
| <code>HttpServletRequest.getContextPath()</code> is neither decoded nor |
| normalized as required by the Servlet specification. (markt) |
| </fix> |
| <fix> |
| <bug>57216</bug>: Improve handling of invalid context paths. A context |
| path should either be an empty string or start with a |
| <code>'/'</code> and not end with a |
| <code>'/'</code>. Invalid context paths are automatically |
| corrected and a warning is logged. The <code>null</code> and |
| <code>"/"</code> values are now correctly changed to |
| <code>""</code>. (markt/kkolinko) |
| </fix> |
| <fix> |
| Correct message that is logged when load-on-startup servlet fails |
| to load. It was logging a wrong name. (kkolinko) |
| </fix> |
| <fix> |
| <bug>57239</bug>: Correct several message typos. Includes patch by |
| vladk. (kkolinko) |
| </fix> |
| <add> |
| Make the session id generator extensible by adding a |
| <code>SessionIdGenerator</code> interface, an abstract |
| base class and a standard implementation. (rjung) |
| </add> |
| <add> |
| Back-port clarification from Servlet 3.1 specification that during |
| async processing an <code>IllegalStateException</code> should be thrown |
| if <code>getRequest()</code> or <code>getResponse()</code> is called |
| after <code>complete()</code> or <code>dispatch()</code>. (markt) |
| </add> |
| <fix> |
| Fix a concurrency issue in async processing. Ensure that a non-container |
| thread can not change the async state until the container thread has |
| completed. (markt) |
| </fix> |
| <fix> |
| <bug>57252</bug>: Provide application configured error pages with a |
| chance to handle an async error before the built-in error reporting. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57281</bug>: Enable non-public Filter and Servlet classes to be |
| configured programmatically via the Servlet 3.0 API and then used |
| without error when running under a SecurityManager. (markt) |
| </fix> |
| <fix> |
| <bug>57308</bug>: Remove unnecessary calls to |
| <code>System.getProperty()</code> where more suitable API calls are |
| available. (markt) |
| </fix> |
| <add> |
| Add unit tests for RemoteAddrValve and RemoteHostValve. (rjung) |
| </add> |
| <add> |
| Allow RemoteAddrValve and RemoteHostValve to be configured to |
| adopt behavior depending on the connector port. Implemented |
| by optionally adding the connector port to the string compared |
| with the patterns <code>allow</code> and <code>deny</code>. Configured |
| using <code>addConnectorPort</code> attribute on valve. (rjung) |
| </add> |
| <add> |
| Optionally trigger authentication instead of denial in |
| RemoteAddrValve and RemoteHostValve. This only works in |
| combination with <code>preemptiveAuthentication</code> |
| on the application context. Configured using |
| <code>invalidAuthenticationWhenDeny</code> attribute on valve. (rjung) |
| </add> |
| <fix> |
| Prevent file descriptor leaks and ensure that files are closed after |
| retrieving the last modification time. (violetagg) |
| </fix> |
| <fix> |
| <bug>57326</bug>: Enable <code>AsyncListener</code> implementations to |
| re-register themselves during <code>AsyncListener.onStartAsync</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57331</bug>: Allow ExpiresFilter to use "year" as synonym for |
| "years" in its configuration. (kkolinko) |
| </fix> |
| <update> |
| Improve SnoopServlet in unit tests. (rjung) |
| </update> |
| <add> |
| Add RequestDescriptor class to unit tests. |
| Adjust TestRewriteValve to use RequestDescriptor. (rjung) |
| </add> |
| <update> |
| Add more AJP unit tests. (rjung) |
| </update> |
| <fix> |
| <bug>57363</bug>: Log to stderr if LogManager is unable to read |
| configuration files rather than swallowing the exception silently. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57420</bug>: Make UEncoder a local variable in |
| DirContextURLConnection to make it threadsafe. Based on ideas from |
| kkolinko and violetagg. (fschumacher) |
| </fix> |
| <fix> |
| <bug>57425</bug>: Don't add attributes with null value or name to the |
| replicated context. (fschumacher) |
| </fix> |
| <add> |
| <bug>57431</bug>: Enable usage of custom class for context creation when |
| using embedded tomcat. (fschumacher) |
| </add> |
| <fix> |
| <bug>57446</bug>: Ensure that <code>ServletContextListener</code>s that |
| have limited access to <code>ServletContext</code> methods are called |
| with the same <code>ServletContext</code> instance for both |
| <code>contextInitialized()</code> and <code>contextDestroyed()</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57461</bug>: When an instance of |
| <code>org.apache.catalina.startup.VersionLoggerListener</code> logs the |
| result of <code>System.getProperty("java.home")</code> don't report it |
| in a manner that makes it look like the <code>JAVA_HOME</code> |
| environment variable. (markt) |
| </fix> |
| <fix> |
| While closing streams for given resources ensure that if an exception |
| happens it will be handled properly. Issue is reported by Coverity Scan. |
| (violetagg) |
| </fix> |
| <fix> |
| Change Response to use UEncoder instances with shared safeChars. |
| (fschumacher) |
| </fix> |
| <add> |
| Allow <code>VersionLoggerListener</code> to log all system properties. |
| This feature is off by default. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>57234</bug>: Make SSL protocol filtering to remove insecure |
| protocols case insensitive. (markt) |
| </fix> |
| <fix> |
| <bug>57265</bug>: Fix some potential concurrency issues with sendFile |
| and the NIO connector. (markt) |
| </fix> |
| <fix> |
| <bug>57324</bug>: If the client uses <code>Expect: 100-continue</code> |
| and Tomcat responds with a non-2xx response code, Tomcat also closes the |
| connection. If Tomcat knows the connection is going to be closed when |
| committing the response, Tomcat will now also send the |
| <code>Connection: close</code> response header. (markt) |
| </fix> |
| <fix> |
| <bug>57340</bug>: When using Comet, ensure that Socket and SocketWrapper |
| are only returned to their respective caches once on socket close (it is |
| possible for multiple threads to call close concurrently). (markt) |
| </fix> |
| <fix> |
| <bug>57446</bug>: Ensure that <code>ServletContextListener</code>s that |
| have limited access to <code>ServletContext</code> methods are called |
| with the same <code>ServletContext</code> instance for both |
| <code>contextInitialized()</code> and <code>contextDestroyed()</code>. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| CVE-2014-7810: |
| Do not use a privileged code block when evaluating EL expressions |
| when running under a security manager, as doing so allowed code |
| restrictions to be bypassed. (markt) |
| </fix> |
| <fix> |
| Fix an issue with BeanELResolver when running under a security |
| manager. Some classes may not be accessible but may have accessible |
| interfaces. (markt) |
| </fix> |
| <fix> |
| <bug>57316</bug>: Fix JspC when directory name contains a character |
| sequence that appears to be URL encoded. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| To enable it to be defined in a <code>Cluster</code> element, |
| <code>ClusterSingleSignOn</code> implements <code>ClusterValve</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| Fix mbean descriptor of <code>ClusterSingleSignOn</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>57473</bug>: Add sanity check to FarmWebDeployer's WarWatcher to |
| detect suspected incorrect permissions on the watch directory. (schultz) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correct multiple issues with the flushing of batched messages that could |
| lead to duplicate and/or corrupt messages. (markt) |
| </fix> |
| <fix> |
| Correctly implement headers case insensitivity. (markt/remm) |
| </fix> |
| <fix> |
| Allow optional use of user extensions. (remm) |
| </fix> |
| <fix> |
| Allow using partial binary message handlers. (remm) |
| </fix> |
| <fix> |
| Limit ping/pong message size. (remm) |
| </fix> |
| <fix> |
| Allow configuration of the time interval for the periodic event. (remm) |
| </fix> |
| <fix> |
| More accurate annotations processing. (remm) |
| </fix> |
| <fix> |
| Allow optional default for origin header in the client. (remm) |
| </fix> |
| <fix> |
| <bug>57490</bug>: Make it possible to use Tomcat's WebSocket client |
| within a web application when running under a SecurityManager. Based on |
| a patch by Mikael Sterner. (markt) |
| </fix> |
| <add> |
| Add some debug logging to the WebSocket session to track session |
| creation and session closure. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Update documentation for the CGI servlet. Recommend copying the servlet |
| declaration into the web application instead of enabling it globally. |
| Correct documentation for cgiPathPrefix. (kkolinko) |
| </fix> |
| <update> |
| Improve HTML version of build instructions and align with |
| BUILDING.txt. Document creating second Eclipse project to compile |
| WebSocket classes with Java 7 (<code>ide-eclipse-websocket</code> |
| target added in 7.0.56). (kkolinko) |
| </update> |
| <update> |
| Improve Tomcat Manager documentation. Rearrange, add section on |
| HTML GUI, document /expire command and Server Status page. (kkolinko) |
| </update> |
| <fix> |
| Fix ambiguity of section links on Valves configuration reference page. |
| (kkolinko) |
| </fix> |
| <update> |
| <bug>57238</bug>: Update information on SSL/TLS on Security and SSL |
| documentation pages. Based on patch by Glen Peterson. (kkolinko) |
| </update> |
| <add> |
| <bug>57261</bug>: Add vminfo and threaddump commands to Manager |
| application. Implement <code>VminfoTask</code> and |
| <code>ThreaddumpTask</code> Ant tasks. (kkolinko) |
| </add> |
| <fix> |
| <bug>57323</bug>: Correct display of outdated sessions in sessions |
| count listing in Manager application. (kkolinko) |
| </fix> |
| <add> |
| Add documentation for <code>ClusterSingleSignOn</code>. (kfujino) |
| </add> |
| <update> |
| Clarify documentation for <code>useBodyEncodingForURI</code> |
| attribute of a connector. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| When downloading required libraries at build time, use random name |
| for temporary file and automatically create destination directory |
| (<code>base.path</code>). (kkolinko) |
| </update> |
| <update> |
| Update optional Checkstyle library to 6.1.1. (kkolinko) |
| </update> |
| <update> |
| Simplify <code>setproxy</code> task in <code>build.xml</code>. |
| Taskdef there is not needed since Ant 1.8.2. (kkolinko) |
| </update> |
| <fix> |
| Improve Java 7 support in <code>build.xml</code>. Check whether |
| the specified ${java.7.home} is valid. By default use Java that |
| runs Ant (${java.home}) instead of the one found on $PATH |
| to run JUnit tests. (kkolinko) |
| </fix> |
| <add> |
| <bug>57344</bug>: Provide sha1 checksum files for Tomcat downloads. |
| Correct filename patterns for apache-tomcat-*-embed.tar.gz archive |
| to exclude an *.asc file. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.57 (violetagg)" rtext="released 2014-11-11"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>47919</bug>: Extend the information logged when Tomcat starts to |
| optionally log the values of command line arguments (enabled by |
| default) and environment variables (disabled by default). Note that |
| the values added to CATALINA_OPTS and JAVA_OPTS environment variables |
| will be logged, as they are used to build up the command line. (markt) |
| </add> |
| <add> |
| <bug>56401</bug>: Log version information when Tomcat starts. |
| (markt/kkolinko) |
| </add> |
| <fix> |
| <bug>57022</bug>: Ensure SPNEGO authentication continues to work with |
| the JNDI Realm using delegated credentials with recent Oracle JREs. |
| (markt) |
| </fix> |
| <fix> |
| Correct a couple of NPEs in the JNDI Realm that could be triggered |
| when not specifying a roleBase and enabling roleSearchAsUser. (markt) |
| </fix> |
| <fix> |
| Remove the unnecessary registration of context.xml as a redeploy |
| resource. A context.xml that has an external docBase has already been |
| registered as a redeploy resource. (kfujino) |
| </fix> |
| <fix> |
| Improve the previous fix for <bug>56401</bug>. Avoid logging version |
| information in the constructor since it then gets logged at undesirable |
| times such as when using <code>StoreConfig</code>. (markt) |
| </fix> |
| <fix> |
| <bug>57105</bug>: When parsing web.xml do not limit the buffer element |
| of the jsp-property-group element to integer values as the allowed |
| values are <code>&lt;number&gt;kb</code> or <code>none</code>. (markt) |
| </fix> |
| <update> |
| Update the minimum required version of the Tomcat Native library (if |
| used) to 1.1.32. (markt) |
| </update> |
| <update> |
| <bug>57144</bug>: Improve ClientAbortException to provide non-null |
| message. (kkolinko) |
| </update> |
| <fix> |
| AsyncContext should remain usable until fireOnComplete is called. (remm) |
| </fix> |
| <fix> |
| AsyncContext createListener should wrap any instantiation exception |
| using a ServletException. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>53952</bug>: Add support for TLSv1.1 and TLSv1.2 for APR connector. |
| Based upon a patch by Marcel Šebek. This feature requires |
| Tomcat Native library 1.1.32 or later. (schultz/jfclere) |
| </add> |
| <add> |
| Disable SSLv3 by default for JSSE based HTTPS connectors (BIO and NIO). |
| The change also ensures that SSLv2 is disabled for these connectors |
| although SSLv2 should already be disabled by default by the JRE. (markt) |
| </add> |
| <add> |
| Disable SSLv3 by default for the APR/native HTTPS connector. (markt) |
| </add> |
| <fix> |
| Do not increase remaining counter at end of stream in |
| IdentityInputFilter. (kkolinko) |
| </fix> |
| <fix> |
| Async state MUST_COMPLETE should still be started. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57099</bug>: Ensure that semi-colons are not permitted in JSP |
| import page directives. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Avoid possible integer overflows reported by Coverity Scan. (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57054</bug>: Correctly handle the case in the WebSocket client |
| when the HTTP response to the upgrade request can not be read in a |
| single pass; either because the buffer is too small or the server sent |
| the response in multiple packets. (markt) |
| </fix> |
| <fix> |
| Fix client subprotocol handling. (remm) |
| </fix> |
| <fix> |
| Add null checks for arguments in remote endpoint. (remm/kkolinko) |
| </fix> |
| <fix> |
| <bug>57091</bug>: Work around the behaviour of the Oracle JRE when |
| creating new threads in an applet environment that breaks the WebSocket |
| client implementation. Patch provided by Niklas Hallqvist. (markt) |
| </fix> |
| <fix> |
| <bug>57118</bug>: Ensure that an <code>EncodeException</code> is |
| thrown by <code>RemoteEndpoint.Basic.sendObject(Object)</code> rather |
| than an <code>IOException</code> when no suitable <code>Encoder</code> |
| is configured for the given Object. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct documentation for <code>ServerCookie.ALLOW_NAME_ONLY</code> |
| system property. (kkolinko) |
| </fix> |
| <fix> |
| <bug>57049</bug>: Clarified that <code>jvmRoute</code> can be set in |
| <code>&lt;Engine&gt;</code>'s <code>jvmRoute</code> or in a system |
| property. (schultz) |
| </fix> |
| <fix> |
| Correct version of Java WebSocket mentioned in documentation |
| (s/1.0/1.1/). (markt/kkolinko) |
| </fix> |
| <update> |
| In examples web application move Async and Comet examples from JSP |
| to Servlet examples page. (kkolinko) |
| </update> |
| <update> |
| Suppress timestamp comments and enable charset header in Javadoc. |
| (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>57079</bug>: Use Tomcat version number for jdbc-pool module when |
| building and shipping the module as part of Tomcat. (markt/kkolinko) |
| </fix> |
| <fix> |
| Fix broken overview page in javadoc generated via "javadoc" task in |
| jdbc-pool build.xml file. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| <bug>56079</bug>: The Apache Tomcat Windows service and the Apache |
| Tomcat Windows service monitor application are now digitally |
| signed. (markt) |
| </update> |
| <fix> |
| Fix timestamps in Tomcat build and jdbc-pool to use 24-hour format |
| instead of 12-hour one and use UTC timezone. (markt/kkolinko) |
| </fix> |
| <update> |
| Improve Tomcat build script to ensure that only one ecj-nn.jar file |
| is present in Tomcat <code>lib</code> directory when Eclipse JDT |
| Compiler is updated to a new version. (kkolinko) |
| </update> |
| <update> |
| <bug>56596</bug>: Update to Tomcat Native Library version 1.1.32 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR |
| 1.5.1. (markt) |
| </update> |
| <scode> |
| In Tomcat tests: log name of the current test method at start time. |
| (kkolinko) |
| </scode> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.56 (violetagg)" rtext="released 2014-10-06"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| When scanning class files (e.g. for annotations) and reading the number |
| of parameters in a <code>MethodParameters</code> structure only read a |
| single byte (rather than two bytes) as per the JVM specification. Patch |
| provided by Francesco Komauli. (markt) |
| </fix> |
| <fix> |
| Allow the JNDI Realm to start even if the directory is not available. |
| The directory not being available is not fatal once the Realm is started |
| and it need not be fatal when the Realm starts. Based on a patch by |
| Cédric Couralet. (markt) |
| </fix> |
| <fix> |
| <bug>56736</bug>: Avoid an incorrect <code>IllegalStateException</code> |
| if the async timeout fires after a non-container thread has called |
| <code>AsyncContext.dispatch()</code> but before a container thread |
| starts processing the dispatch. (markt) |
| </fix> |
| <fix> |
| <bug>56739</bug>: If an application handles an error on an application |
| thread during asynchronous processing by calling |
| <code>HttpServletResponse.sendError()</code>, then ensure that the |
| application is given an opportunity to report that error via an |
| appropriate application defined error page if one is configured. (markt) |
| </fix> |
| <fix> |
| <bug>56771</bug>: When looking up a resource in all the alternate or |
| backup <code>javax.naming.directory.DirContext</code>s, a |
| <code>javax.naming.NameNotFoundException</code> will be thrown at the |
| end of the search if the resource is not available in these alternate |
| or backup <code>javax.naming.directory.DirContext</code>s. Based on a |
| patch by Sheldon Shao. (violetagg) |
| </fix> |
| <fix> |
| <bug>56796</bug>: Remove unnecessary sleep when stopping a web |
| application. (markt) |
| </fix> |
| <fix> |
| <bug>56801</bug>: Improve performance of |
| <code>org.apache.tomcat.util.file.Matcher</code>, which is used to filter |
| JARs for scanning during web application start. Based on a patch by |
| Sheldon Shao. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56825</bug>: Enable pre-emptive authentication to work with the |
| SSL authenticator. Based on a patch by jlmonteiro. (markt) |
| </fix> |
| <fix> |
| <bug>56857</bug>: Fix thread safety issue when calling ServletContext |
| methods while running under a security manager. (markt) |
| </fix> |
| <scode> |
| <bug>56882</bug>: Add a test case for processing of forwards and includes |
| when the Context has been reloaded. (kkolinko) |
| </scode> |
| <fix> |
| <bug>56900</bug>: Fix some potential resource leaks when reading |
| property files reported by Coverity Scan. Based on patches provided by |
| Felix Schumacher. (markt) |
| </fix> |
| <fix> |
| <bug>56902</bug>: Fix a potential resource leak in the Default Servlet |
| reported by Coverity Scan. Based on a patch provided by Felix |
| Schumacher. (markt) |
| </fix> |
| <fix> |
| <bug>56903</bug>: Correct the return value for |
| <code>StandardContext.getResourceOnlyServlets()</code> so that multiple |
| names are separated by commas. Identified by Coverity Scan and fixed |
| based on a patch by Felix Schumacher. (markt) |
| </fix> |
| <fix> |
| Fixed the multipart elements merge operation performed during web |
| application deployment. Identified by Coverity Scan. (violetagg) |
| </fix> |
| <fix> |
| Correct the information written by |
| <code>ExtendedAccessLogValve</code> when a format token x-O(XXX) is |
| used so that multiple values for a header XXX are separated by commas. |
| Identified by Coverity Scan. (violetagg) |
| </fix> |
| <fix> |
| Fix a potential resource leak when reading MANIFEST.MF file for |
| extension dependencies reported by Coverity Scan. (violetagg) |
| </fix> |
| <fix> |
| Correctly handle multiple <code>accept-language</code> headers rather |
| than just using the first header to determine the user's preferred |
| Locale. (markt) |
| </fix> |
| <fix> |
| Fix some potential resource leaks when reading properties, files and |
| other resources. Reported by Coverity Scan. (violetagg) |
| </fix> |
| <fix> |
| When using parallel deployment and <code>undeployOldVersions</code> |
| feature is enabled on a Host, correctly undeploy context of old |
| version. Make sure that Tomcat does not undeploy older Context if |
| current context is not running. (kfujino) |
| </fix> |
| <fix> |
| When deploying war, add XML file in the config base to the redeploy |
| resources if war does not have META-INF/context.xml or |
| <code>deployXML</code> is false. If XML file is created in the config |
| base, redeploy will occur. (kfujino) |
| </fix> |
| <scode> |
| Various changes to reduce unnecessary code in Tomcat's copy of |
| Apache Commons BCEL to reduce the time taken for annotation scanning |
| when web applications start. Includes contributions from kkolinko and |
| hzhang9. (markt) |
| </scode> |
| <fix> |
| <bug>56938</bug>: Ensure web applications that have mixed case context |
| paths and are deployed as directories are correctly removed on undeploy |
| when running on a case sensitive file system. (markt) |
| </fix> |
| <add> |
| <bug>57004</bug>: Add <code>stuckThreadCount</code> property to |
| <code>StuckThreadDetectionValve</code>'s JMX bean. Patch provided by |
| Jiří Pejchal. (schultz) |
| </add> |
| <fix> |
| <bug>57011</bug>: Ensure that the request and response are correctly |
| recycled when processing errors during async processing. (markt) |
| </fix> |
| <fix> |
| <bug>57016</bug>: When using the <code>PersistentValve</code> do not |
| remove sessions from the store when persisting them. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>56780</bug>: Enable Tomcat to start when using SSL with an IBM JRE |
| in strict SP800-131a mode. (markt) |
| </fix> |
| <fix> |
| <bug>56910</bug>: Prevent the invalid value of <code>-1</code> being |
| used for <code>maxConnections</code> with APR connectors. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>AjpNioProtocol</code> and <code>AjpAprProtocol</code> |
| enable the <code>KeepAliveTimeout</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>43001</bug>: Enable the JspC Ant task to set the JspC option |
| <code>mappedFile</code>. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56797</bug>: When matching a method in an EL expression, do not |
| treat bridge methods as duplicates of the method they bridge to. In this |
| case always call the target of the bridge method. (markt) |
| </fix> |
| <fix> |
| Correct a logic error in the <code>JasperElResolver</code>. There was no |
| functional impact but the code was less efficient as a result of the |
| error. Based on a patch by martinschaef. (markt) |
| </fix> |
| <fix> |
| Ensure that the implementation of |
| <code>javax.servlet.jsp.PageContext.include(String)</code> |
| and |
| <code>javax.servlet.jsp.PageContext.include(String, boolean)</code> |
| will throw <code>IOException</code> when an I/O error occurs during |
| the operation. (violetagg) |
| </fix> |
| <fix> |
| <bug>56908</bug>: Fix some potential resource leaks when reading jar |
| files. Reported by Coverity Scan. Based on patch provided by Felix |
| Schumacher. (violetagg) |
| </fix> |
| <fix> |
| <bug>56991</bug>: Deprecate the use of a request attribute to pass a |
| &lt;jsp-file&gt; declaration to Jasper and prevent an infinite loop |
| if this technique is used in conjunction with an include. (markt) |
| </fix> |
| <fix> |
| Fix a potential resource leak in JDTCompiler when checking whether |
| a resource is a package. Reported by Coverity Scan. (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <scode> |
| <bug>56446</bug>: Clearer handling of exceptions when calling a method |
| on a POJO based WebSocket endpoint. Based on a suggestion by Eugene |
| Chung. (markt) |
| </scode> |
| <fix> |
| <bug>56746</bug>: Allow secure WebSocket client threads to use the |
| current context class loader rather than explicitly setting it to the |
| class loader that loaded the WebSocket implementation. This allows |
| WebSocket client connections from within web applications to access, |
| amongst other things, the JNDI resources associated with the web |
| application. (markt) |
| </fix> |
| <fix> |
| <bug>56905</bug>: Make destruction on web application stop of thread |
| group used for WebSocket connections more robust. (kkolinko/markt) |
| </fix> |
| <fix> |
| <bug>56907</bug>: Ensure that client IO threads are stopped if a secure |
| WebSocket client connection fails. (markt) |
| </fix> |
| <fix> |
| When a WebSocket client attempts to write to a closed connection, handle |
| the resulting <code>IllegalStateException</code> in a manner consistent |
| with the handling of an <code>IOException</code>. (markt) |
| </fix> |
| <add> |
| Add support for the <code>permessage-deflate</code> extension. This is |
| currently limited to decompressing incoming messages on the server side. |
| It is expected that support will be extended to outgoing messages and to |
| the client side shortly. (markt) |
| </add> |
| <add> |
| Extend support for the <code>permessage-deflate</code> extension to |
| compression of outgoing messages on the server side. (markt) |
| </add> |
| <fix> |
| <bug>56982</bug>: Return the actual negotiated extensions rather than an |
| empty list for <code>Session.getNegotiatedExtensions()</code>. (markt) |
| </fix> |
| <update> |
| Update the WebSocket implementation to support the Java WebSocket |
| specification version 1.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the label in the list of sessions by idle time for the bin that |
| represents the idle time immediately below the maximum permitted idle |
| time when using the expire command of the Manager application. (markt) |
| </fix> |
| <update> |
| Update the Windows authentication documentation after some additional |
| testing to answer the remaining questions. (markt) |
| </update> |
| <fix> |
| Correct a couple of broken links in the Javadoc. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>56788</bug>: Display the full version in the list of installed |
| applications when installed via the Windows installer package. Patch |
| provided by Alexandre Garnier. (markt) |
| </add> |
| <add> |
| <bug>56829</bug>: Add the ability for users to define their own values |
| for <code>_RUNJAVA</code> and <code>_RUNJDB</code> environment |
| variables. Be more strict with executable filename on Windows |
| (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko) |
| </add> |
| <fix> |
| <bug>56895</bug>: Correctly compose <code>JAVA_OPTS</code> in |
| <code>catalina.bat</code> so that escape sequences are preserved. Patch |
| by Lucas Theisen. (markt) |
| </fix> |
| <update> |
| <bug>56988</bug>: Allow a relative path to be used in the |
| <code>base.path</code> setting when building Tomcat. (kkolinko) |
| </update> |
| <fix> |
| <bug>56990</bug>: Ensure that the <code>ide-eclipse</code> build target |
| downloads all the libraries required by the default Eclipse |
| configuration files and configures Eclipse to use Java 6 for the |
| project. Add build target <code>ide-eclipse-websocket</code> that |
| creates a separate linked project that compiles websocket classes |
| of Tomcat 7 with Java 7 compiler. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.55 (violetagg)" rtext="released 2014-07-27"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>44312</bug>: Log an error if there is a conflict between Host and |
| Alias names. Improve host management methods in <code>Mapper</code> |
| to avoid occasionally removing a wrong host. Check that host management |
| operations are performed on the host and not on an alias. (kkolinko) |
| </fix> |
| <fix> |
| <bug>55282</bug>: Ensure that one and the same application listener is |
| added only once when starting the web application. (violetagg) |
| </fix> |
| <add> |
| <bug>56461</bug>: New <code>failCtxIfServletStartFails</code> attribute |
| on Context and Host configuration to force the context startup to fail |
| if a load-on-startup servlet fails its startup. (slaurent) |
| </add> |
| <add> |
| <bug>56526</bug>: Improved the <code>StuckThreadDetectionValve</code> to |
| optionally interrupt stuck threads to attempt to unblock them. |
| (slaurent) |
| </add> |
| <fix> |
| <bug>56545</bug>: Pre-load an additional class, the loading of which |
| may otherwise be triggered by a web application which in turn would |
| trigger an exception when running under a security manager. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56578</bug>: Correct regression in the fix for <bug>56339</bug> |
| that prevented sessions from expiring when using clustering. (markt) |
| </fix> |
| <scode> |
| <bug>56588</bug>: Update deprecation of Context.addApplicationListener() |
| methods according to changes in Tomcat 8. (kkolinko) |
| </scode> |
| <fix> |
| <bug>56600</bug>: In WebdavServlet: Do not waste time generating |
| response for broken PROPFIND request. (kkolinko) |
| </fix> |
| <fix> |
| Provide a better error message when asynchronous operations are not |
| supported by a filter or servlet. Patch provided by Romain Manni-Bucau. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>56606</bug>: User entries in <code>tomcat-users.xml</code> file |
| are recommended to use "username" attribute rather than legacy "name" |
| attribute. Fix inconsistencies in Windows installer, examples. Update |
| digester rules and documentation for <code>MemoryRealm</code>. |
| (markt/kkolinko) |
| </fix> |
| <scode> |
| <bug>56611</bug>: Refactor code to remove inefficient calls to |
| <code>Method.isAnnotationPresent()</code>. Based on a patch by Jian Mou. |
| (markt/kkolinko) |
| </scode> |
| <fix> |
| <bug>56653</bug>: Fix concurrency issue with lists of contexts in |
| <code>Mapper</code> when stopping Contexts. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56657</bug>: When using parallel deployment, if the same session id |
| matches different versions of a web application, prefer the latest |
| version. Ensure that remapping selects the version that we expect. |
| (kkolinko) |
| </fix> |
| <fix> |
| Assert that mapping result object is empty before performing mapping |
| work in <code>Mapper</code>. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56658</bug>: Avoid delay between registrations of mappings for |
| context and for its servlets. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56665</bug>: Correct the generation of the effective web.xml when |
| elements contain an empty string as value. (violetagg) |
| </fix> |
| <fix> |
| <bug>56666</bug>: When clearing the SSO cookie use the same values for |
| domain, path, httpOnly and secure as were used to set the SSO cookie. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56677</bug>: Ensure that |
| <code>HttpServletRequest.getServletContext()</code> returns the correct |
| value during a cross-context dispatch. (markt) |
| </fix> |
| <fix> |
| <bug>56684</bug>: Ensure that Tomcat does not shut down if the socket |
| waiting for the shutdown command experiences a |
| <code>SocketTimeoutException</code>. (markt) |
| </fix> |
| <fix> |
| When the current PathInfo is modified as a result of dispatching a |
| request, ensure that a call to |
| <code>HttpServletRequest.getPathTranslated()</code> returns a value that |
| is based on the modified PathInfo. (markt) |
| </fix> |
| <fix> |
| <bug>56698</bug>: When persisting idle sessions, only persist newly idle |
| sessions. Patch provided by Felix Schumacher. (markt) |
| </fix> |
| <fix> |
| <bug>56710</bug>: Do not map requests to servlets when context is |
| being reloaded. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56712</bug>: Fix session idle time calculations in |
| <code>PersistenceManager</code>. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56717</bug>: Fix duplicate registration of |
| <code>MapperListener</code> during repeated starts of embedded Tomcat. |
| (kkolinko) |
| </fix> |
| <add> |
| <bug>56724</bug>: Write an error message to Tomcat logs if container |
| background thread is aborted unexpectedly. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>56518</bug>: When using NIO, do not attempt to write to the socket |
| if the thread is marked interrupted as this will lead to a connection |
| limit leak. This fix was based on analysis of the issue by hanyong. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56521</bug>: Re-use the asynchronous write buffer between writes to |
| reduce allocation and GC overhead. Based on a patch by leonzhx. Also |
| make the buffer size configurable and remove copying of data within |
| buffer when the buffer is only partially written on a subsequent write. |
| (markt) |
| </fix> |
| <fix> |
| Correct a copy/paste error and return a 500 response rather than a 400 |
| response when an internal server error occurs on early stages of |
| request processing. (markt) |
| </fix> |
| <scode> |
| <bug>56582</bug>: Use switch(actionCode) in processors instead of a |
| chain of "elseif"s. (kkolinko) |
| </scode> |
| <fix> |
| Fix CVE-2014-0227: |
| Various improvements to ChunkedInputFilter including clean-up, i18n for |
| error messages and adding an error flag to allow subsequent attempts at |
| reading after an error to fail fast. (markt) |
| </fix> |
| <fix> |
| If a request contains an unrecognized Expect header, respond with error |
| 417 (Expectation Failed), according to RFC2616 chapter 14.20. (markt) |
| </fix> |
| <fix> |
| When an error occurs after the response has been committed, close the |
| connection immediately rather than attempting to finish the response to |
| make it easier for the client to differentiate between a complete |
| response and one that failed part way through. (markt) |
| </fix> |
| <fix> |
| <bug>56620</bug>: Avoid bogus access log entries when pausing the NIO |
| HTTP connector and ensure that access log entries generated by error |
| conditions use the correct request start time. (markt) |
| </fix> |
| <add> |
| Fix CVE-2014-0230: |
| Add a new limit, defaulting to 2MB, for the amount of data Tomcat will |
| swallow for an aborted upload. The limit is configurable by |
| <code>maxSwallowSize</code> attribute of an HTTP connector. (markt) |
| </add> |
| <update> |
| Allow the <code>maxSwallowSize</code> attribute of an HTTP connector to |
| be configured via JMX. (kkolinko) |
| </update> |
| <fix> |
| <bug>56661</bug>: Fix <code>getLocalAddr()</code> for AJP connectors. |
| The complete fix is only available with a recent AJP forwarder like |
| the forthcoming mod_jk 1.2.41. (rjung) |
| </fix> |
| <fix> |
| <bug>59451</bug>: Correct Javadoc for <code>MessageBytes</code>. Patch |
| provided by Kyohei Nakamura. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>56334#c15</bug>: Fix a regression in EL parsing when quoted string |
| follows a whitespace. (kkolinko/markt) |
| </fix> |
| <fix> |
| <bug>56543</bug>: Update to the Eclipse JDT Compiler 4.4. (violetagg) |
| </fix> |
| <fix> |
| <bug>56561</bug>: Avoid <code>NoSuchElementException</code> while handling |
| attributes with empty string value. (violetagg) |
| </fix> |
| <update> |
| <bug>56581</bug>: If an error on a JSP page occurs when the response has |
| already been committed, do not clear the buffer of JspWriter, but flush |
| it. This makes it clearer where the error occurred. (kkolinko) |
| </update> |
| <fix> |
| <bug>56612</bug>: Correctly parse two consecutive escaped single quotes |
| when used in UEL expression in a JSP. (markt) |
| </fix> |
| <update> |
| Move code that parses EL expressions within JSP template text from |
| <code>Parser</code> to <code>JspReader</code> class for better |
| performance. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>56577</bug>: Improve the executor configuration used for the |
| callbacks associated with asynchronous writes. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Set the path for cookies created by the examples web application so they |
| are only returned to the examples application. This reduces the opportunity |
| for using such cookies for malicious purposes should the advice to |
| remove the examples web application from security sensitive systems be |
| ignored. (markt/kkolinko) |
| </fix> |
| <fix> |
| Attempt to obfuscate session cookie values associated with other web |
| applications when viewing HTTP request headers with the Request Header |
| example from the examples web application. This reduces the opportunity |
| to use this example for malicious purposes should the advice to remove |
| the examples web application from security sensitive systems be ignored. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update optional Checkstyle library to 5.7. (kkolinko) |
| </update> |
| <fix> |
| <bug>56685</bug>: Add quotes necessary for <code>daemon.sh</code> to |
| work correctly on Solaris. Based on a suggestion by lfuka. (markt) |
| </fix> |
| <update> |
| <bug>56596</bug>: Update to Tomcat Native Library version 1.1.31 to pick |
| up the Windows binaries that are based on OpenSSL 1.0.1h. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.54 (violetagg)" rtext="released 2014-05-22"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Fix custom UTF-8 decoder so that a byte of value 0xC1 is always rejected |
| immediately as it is never valid in a UTF-8 byte sequence. Update UTF-8 |
| decoder tests to account for UTF-8 decoding improvements in Java 8. |
| The custom UTF-8 decoder is still required due to bugs in the UTF-8 |
| decoder provided by Java. Java 8's decoder is better than Java |
| 7's but it is still buggy. (markt) |
| </fix> |
| <fix> |
| <bug>56027</bug>: Add more options for managing FIPS mode in the |
| AprLifecycleListener. (schultz/kkolinko) |
| </fix> |
| <fix> |
| <bug>56321</bug>: When a WAR is modified, undeploy the web application |
| before deleting any expanded directory as the undeploy process may |
| refer to classes that need to be loaded from the expanded directory. If |
| the expanded directory is deleted first, any attempt to load a new class |
| during undeploy will fail. (markt) |
| </fix> |
| <fix> |
| <bug>56339</bug>: Avoid an infinite loop if an application calls |
| <code>session.invalidate()</code> from the session destroyed event for |
| that session. (markt) |
| </fix> |
| <update> |
| <bug>56365</bug>: Simplify file name pattern matching code in |
| <code>StandardJarScanner</code>. Ignore leading and trailing whitespace |
| and empty strings when configuring patterns. Improve documentation. |
| (kkolinko) |
| </update> |
| <fix> |
| <bug>56369</bug>: Ensure that removing an MBean notification listener |
| reverts all the operations performed when adding an MBean notification |
| listener. (markt) |
| </fix> |
| <add> |
| <bug>56382</bug>: Information about finished deployment and its execution |
| time is added to the log files. Patch is provided by Danila Galimov. |
| (violetagg) |
| </add> |
| <add> |
| <bug>56383</bug>: Properties for disabling server information and error |
| report are added to the <code>org.apache.catalina.valves.ErrorReportValve</code>. |
| Based on the patch provided by Nick Bunn. (violetagg/kkolinko) |
| </add> |
| <fix> |
| Fix CVE-2014-0119: |
| Only create XML parsing objects if required and fix associated potential |
| memory leak in the default Servlet. |
| Extend XML factory, parser etc. memory leak protection to cover some |
| additional locations where, theoretically, a memory leak could occur. |
| Ensure that a TLD parser obtained from the cache has the correct value |
| of <code>blockExternal</code>. (markt) |
| </fix> |
| <fix> |
| Modify generic exception handling so that |
| <code>StackOverflowError</code> is not treated as a fatal error and can |
| be handled and/or logged as required. (markt) |
| </fix> |
| <fix> |
| <bug>56409</bug>: Avoid <code>StackOverflowError</code> on non-Windows |
| systems if a file named <code>\</code> is encountered when scanning for |
| TLDs. (markt) |
| </fix> |
| <add> |
| <bug>56430</bug>: Extend checks for suspicious URL patterns to include |
| patterns of the form <code>*.a.b</code> which are not valid patterns for |
| extension mappings. (markt) |
| </add> |
| <fix> |
| <bug>56441</bug>: Raise the visibility of exceptions thrown when a |
| problem is encountered calling a getter or setter on a component |
| attribute. The logging level is raised from debug to warning. (markt) |
| </fix> |
| <fix> |
| <bug>56451</bug>: Make resources accessed via a context alias accessible |
| via JNDI in the same way standard resources are available. (markt) |
| </fix> |
| <add> |
| <bug>56463</bug>: Property for disabling server information is added to |
| the <code>DefaultServlet</code>. Server information is presented in the |
| response sent to the client when directory listings are enabled. |
| (violetagg) |
| </add> |
| <add> |
| Add the <code>org.apache.naming</code> package to the packages requiring |
| code to have the <code>defineClassInPackage</code> permission when |
| running under a security manager. (markt) |
| </add> |
| <add> |
| Add the <code>org.apache.naming.resources</code> package to the packages |
| requiring code to have the <code>accessClassInPackage</code> permission |
| when running under a security manager. (markt) |
| </add> |
| <fix> |
| Make the naming context tokens for containers more robust. Require |
| RuntimePermission when introducing a new token. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>56472</bug>: Allow NamingContextListener to clean up on stop if its |
| start failed. (kkolinko) |
| </fix> |
| <add> |
| <bug>56492</bug>: Avoid the Eclipse debugger pausing on uncaught exceptions |
| when Tomcat renews its threads. (slaurent) |
| </add> |
| <fix> |
| Minor fixes to <code>ThreadLocalLeakPreventionListener</code>. Do not |
| trigger threads renewal for failed contexts. Do not ignore |
| <code>threadRenewalDelay</code> setting. Improve documentation. (kkolinko) |
| </fix> |
| <fix> |
| Correct regression introduced in <rev>797162</rev> that broke |
| authentication of users when using the |
| <code>JAASMemoryLoginModule</code>. (markt) |
| </fix> |
| <fix> |
| <bug>56501</bug>: <code>HttpServletRequest.getContextPath()</code> |
| should return the undecoded context path used by the user agent. (markt) |
| </fix> |
| <fix> |
| <bug>56523</bug>: When using SPNEGO authentication, log the exceptions |
| associated with failed user logins at debug level rather than error |
| level. (markt) |
| </fix> |
| <fix> |
| <bug>56536</bug>: Ensure that |
| <code>HttpSessionBindingListener.valueUnbound()</code> uses the correct |
| class loader when the <code>SingleSignOn</code> valve is used. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>56399</bug>: Assert that both Coyote and Catalina request objects |
| have been properly recycled. (kkolinko) |
| </add> |
| <fix> |
| <bug>56416</bug>: Correct documentation for default value of socket |
| linger for the AJP and HTTP connectors. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>56334</bug>: Fix a regression in the handling of back-slash |
| escaping introduced by the fix for <bug>55735</bug>. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>56425</bug>: Improve method matching for EL expressions. When |
| looking for matching methods, an exact match between parameter types is |
| preferred followed by an assignable match followed by a coercible match. |
| (markt) |
| </fix> |
| <fix> |
| Correct the handling of back-slash escaping in the EL parser and no |
| longer require that <code>\$</code> or <code>\#</code> must be followed |
| by <code>{</code> in order for the back-slash escaping to take effect. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56529</bug>: Avoid <code>NoSuchElementException</code> while handling |
| attributes with empty string value in custom tags. Patch provided by |
| Hariprasad Manchi. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Remove cluster and replicationValve from cluster manager template. These |
| instances are not necessary in the template. (kfujino) |
| </fix> |
| <fix> |
| Add support for cross context session replication to |
| <code>org.apache.catalina.ha.session.BackupManager</code>. (kfujino) |
| </fix> |
| <fix> |
| Remove the unnecessary cross context check. It does not matter whether |
| the context that is referenced by other context is set to |
| <code>crossContext</code>=true. The context that refers to the different |
| context must be set to <code>crossContext</code>=true. (kfujino) |
| </fix> |
| <scode> |
| Move to <code>org.apache.catalina.ha.session.ClusterManagerBase</code> |
| the common logic of |
| <code>org.apache.catalina.ha.session.BackupManager</code> and |
| <code>org.apache.catalina.ha.session.DeltaManager</code>. (kfujino) |
| </scode> |
| <scode> |
| Simplify the code of <code>o.a.c.ha.tcp.SimpleTcpCluster</code>. In |
| order to add or remove cluster valve to Container, use pipeline instead |
| of <code>IntrospectionUtils</code>. (kfujino) |
| </scode> |
| <fix> |
| There is no need to set the cluster instance when |
| <code>SimpleTcpCluster.unregisterClusterValve</code> is called. |
| Set null rather than the cluster instance for cleanup. (kfujino) |
| </fix> |
| <scode> |
| Backport refactoring of <code>AbstractReplicatedMap</code> to implement |
| <code>Map</code> rather than extend <code>ConcurrentHashMap</code> to |
| enable Tomcat 7 to be built with Java 8. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>56343</bug>: Avoid a NPE if Tomcat's Java WebSocket 1.0 |
| implementation is used with the Java WebSocket 1.0 API JAR from the |
| reference implementation. (markt) |
| </fix> |
| <fix> |
| Increase the default maximum size of the executor used by the WebSocket |
| implementation for call backs associated with asynchronous writes from |
| 10 to 200. (markt) |
| </fix> |
| <add> |
| Add a warning if the thread group created for WebSocket asynchronous |
| write call backs can not be destroyed when the web application is |
| stopped. (markt) |
| </add> |
| <fix> |
| Ensure that threads created to support WebSocket clients are stopped |
| when no longer required. This will happen automatically for WebSocket |
| client connections initiated by web applications but stand alone clients |
| must call <code>WsWebSocketContainer.destroy()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>56449</bug>: When creating a new session, add the message handlers |
| to the session before calling <code>Endpoint.onOpen()</code> so the |
| message handlers are in place should the <code>onOpen()</code> method |
| trigger the sending of any messages. (markt) |
| </fix> |
| <fix> |
| <bug>56458</bug>: Report WebSocket sessions that are created over secure |
| connections as secure rather than as not secure. (markt) |
| </fix> |
| <fix> |
| Stop threads used for secure WebSocket client connections when they are |
| no longer required and give them better names for easier debugging while |
| they are running. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Add support for <code>copyXML</code> attribute of Host to Host Manager. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the "name" request parameter is used as the application base |
| of the host if the "webapps" request parameter is not set when adding a |
| host in the HostManager Application. (kfujino) |
| </fix> |
| <fix> |
| Correct documentation on Windows service options, aligning it with |
| Apache Commons Daemon documentation. (kkolinko) |
| </fix> |
| <update> |
| <bug>55215</bug>: Improve log4j configuration example. Clarify access |
| logging documentation. Based on patches provided by Brian Burch. |
| (kkolinko) |
| </update> |
| <update> |
| <bug>55383</bug>: Backport improved HTML markup for tables and code |
| fragments from Tomcat 8 documentation. (kkolinko) |
| </update> |
| <fix> |
| <bug>56418</bug>: Ensure that the Manager web application does not |
| report success for a web application deployment that fails. (slaurent) |
| </fix> |
| <fix> |
| Fix target and rel attributes on links in documentation. They were |
| lost during XSLT transformation. (kkolinko) |
| </fix> |
| <update> |
| Improve valves documentation. Split valves into groups. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Align DisplayName of Tomcat installed by <code>service.bat</code> with |
| the one installed by the *.exe installer. Print a warning if neither |
| server nor client jvm is found by <code>service.bat</code>. (kkolinko) |
| </fix> |
| <update> |
| <bug>56363</bug>: Update to version 1.1.30 of Tomcat Native library. |
| (schultz) |
| </update> |
| <update> |
| Update package renamed Apache Commons BCEL to r1593495 to pick up some |
| additional changes for Java 7 support and some code clean up. (markt) |
| </update> |
| <add> |
| In tests: allow the directory where JUnit reports and the access log |
| are written to be configured. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.53 (violetagg)" rtext="released 2014-03-30"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Make it easier for applications embedding and/or extending Tomcat to |
| modify the <code>javaseClassLoader</code> attribute of the |
| <code>WebappClassLoader</code>. (markt) |
| </add> |
| <fix> |
| Improve the robustness of web application undeployment based on some |
| code analysis triggered by the report for <bug>54315</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>56219</bug>: |
| Improve merging process for web.xml files to take account of the |
| elements and attributes supported by the Servlet version of the merged |
| file. (markt) |
| </fix> |
| <fix> |
| <bug>56190</bug>: The response should be closed (i.e. no further output |
| is permitted) when a call to <code>AsyncContext.complete()</code> takes |
| effect. (markt) |
| </fix> |
| <fix> |
| <bug>56236</bug>: Enable Tomcat to work with alternative Servlet and |
| JSP API JARs that package the XML schemas in such a way as to require |
| a dependency on the JSP API before enabling validation for web.xml. |
| Tomcat has no such dependency. (markt) |
| </fix> |
| <fix> |
| <bug>56246</bug>: Fix NullPointerException in MemoryRealm when |
| authenticating an unknown user. (markt) |
| </fix> |
| <fix> |
| <bug>56248</bug>: Allow the deployer to update an existing WAR file |
| without undeploying the existing application if the update flag is set. |
| This allows any existing custom context.xml for the application to be |
| retained. To update an application and remove any existing context.xml |
| simply undeploy the old version of the application before deploying the |
| new version. (markt) |
| </fix> |
| <fix> |
| Fix CVE-2014-0096: |
| Redefine the <code>globalXsltFile</code> initialisation parameter of the |
| DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. |
| Prevent user supplied XSLTs used by the DefaultServlet from defining |
| external entities. (markt) |
| </fix> |
| <add> |
| Add a work around for validating XML documents (often TLDs) that use |
| just the file name to refer to the JavaEE schema on which they |
| are based. (markt) |
| </add> |
| <fix> |
| <bug>56293</bug>: Cache resources loaded by the class loader from |
| <code>/META-INF/services/</code> for better performance for repeated |
| look ups. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>53119</bug>: Make sure the NIO AJP output buffer is cleared on any |
| error to prevent any possible overflow if it is written to again before |
| the connection is closed. This extends the original fix for the |
| APR/native output buffer to the NIO connector. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56172</bug>: Avoid possible request corruption when using the AJP |
| NIO connector and a request is sent using more than one AJP message. |
| Patch provided by Amund Elstad. (markt) |
| </fix> |
| <fix> |
| <bug>56213</bug>: Reduce garbage collection when the NIO connector is |
| under heavy load. (markt) |
| </fix> |
| <fix> |
| Fix CVE-2014-0075: |
| Improve processing of chunk size from chunked headers. Avoid overflow |
| and use a bit shift instead of a multiplication as it is marginally |
| faster. (markt/kkolinko) |
| </fix> |
| <fix> |
| Fix CVE-2014-0099: |
| Fix possible overflow when parsing long values from a byte array. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>54475</bug>: Add Java 8 support to SMAP generation for JSPs. Patch |
| by Robbie Gibson. (markt) |
| </fix> |
| <fix> |
| <bug>55483</bug>: Improve handling of overloaded methods and constructors |
| in expression language implementation. (markt) |
| </fix> |
| <fix> |
| <bug>56208</bug>: |
| Restore the validateXml option to Jasper that was previously renamed |
| validateTld. Both options are now supported. validateXml controls the |
| validation of web.xml files when Jasper parses them and validateTld |
| controls the validation of *.tld files when Jasper parses them. (markt) |
| </fix> |
| <fix> |
| <bug>56223</bug>: Throw an <code>IllegalStateException</code> if a call |
| is made to <code>ServletContext.setInitParameter()</code> after the |
| ServletContext has been initialized. (markt) |
| </fix> |
| <fix> |
| <bug>56265</bug>: Do not escape values of dynamic tag attributes |
| containing EL expressions. (kkolinko) |
| </fix> |
| <fix> |
| Make the default compiler source and target versions for JSPs Java 6 |
| since Tomcat 7 requires Java 6 as a minimum. (markt) |
| </fix> |
| <update> |
| <bug>56283</bug>: Update to the Eclipse JDT Compiler P20140317-1600 |
| which adds support for Java 8 syntax to JSPs. Add support for value |
| "1.8" for the <code>compilerSourceVM</code> and |
| <code>compilerTargetVM</code> options. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Avoid a possible deadlock when one thread is shutting down a connection |
| while another thread is trying to write to it. (markt) |
| </fix> |
| <fix> |
| Call onError if an exception is thrown calling onClose when closing |
| a session. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <scode> |
| In the documentation: add support for several documentation tags from |
| Tomcat 8, such as <code>&lt;version-major/&gt;</code>. (kkolinko) |
| </scode> |
| <add> |
| <bug>56093</bug>: Add the SSL Valve to the documentation web |
| application. (markt) |
| </add> |
| <fix> |
| <bug>56217</bug>: Improve readability by using left alignment for the |
| table cell containing the request information on the Manager application |
| status page. (markt) |
| </fix> |
| <fix> |
| Fixed <code>java.lang.NegativeArraySizeException</code> when using |
| "Expire sessions" command in the manager web application on a |
| context where the session timeout is disabled. (kfujino) |
| </fix> |
| <fix> |
| Add support for <code>LAST_ACCESS_AT_START</code> system property to |
| Manager web application. (kfujino) |
| </fix> |
| <fix> |
| Add definition of <code>org.apache.catalina.ant.FindLeaksTask</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| <bug>56273</bug>: If the Manager web application does not perform an |
| operation because the web application is already being serviced, report |
| an error rather than reporting success. (markt) |
| </fix> |
| <fix> |
| <bug>56304</bug>: Add a note to the documentation about not using |
| WebSocket with BIO HTTP in production. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>56143</bug>: Improve <code>service.bat</code> so that it can be |
| launched from a non-UAC console. This includes using a single call to |
| <code>tomcat7.exe</code> to install the Windows service rather than |
| three calls, and using command line arguments instead of environment |
| variables to pass the settings. (markt/kkolinko) |
| </fix> |
| <fix> |
| Fix regression in 7.0.52: when using <code>service.bat install</code> |
| to install the service the values for --StdOutput, --StdError options |
| were passed as blank instead of "auto". (kkolinko) |
| </fix> |
| <fix> |
| Align options between <code>service.bat</code> and <code>exe</code> |
| Windows installer. For <code>service.bat</code> the changes are in |
| --Classpath, --DisplayName, --StartPath, --StopPath. For |
| <code>exe</code> installer the changes are in --JvmMs, --JvmMx options, |
| which are now 128 Mb and 256 Mb respectively instead of being empty. |
| Explicitly specify --LogPath path when uninstalling Windows service, |
| avoiding default value for that option. (kkolinko) |
| </fix> |
| <scode> |
| Simplify Windows *.bat files: remove %OS% checks, as Java 6 does |
| not run on ancient non-NT operating systems. (kkolinko) |
| </scode> |
| <fix> |
| <bug>56137</bug>: Explicitly use the BIO connector in the SSL example in |
| server.xml so it doesn't break if APR is enabled. (markt) |
| </fix> |
| <fix> |
| <bug>56139</bug>: Avoid a web application class loader leak in some unit |
| tests when running on Windows. (markt) |
| </fix> |
| <fix> |
| Correct build script to avoid building JARs with empty packages. (markt) |
| </fix> |
| <add> |
| Allow a JUnit test run to be limited to a number of selected test case |
| methods. (kkolinko) |
| </add> |
| <fix> |
| <bug>56189</bug>: Remove used file cpappend.bat from the distribution. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.52 (violetagg)" rtext="released 2014-02-17"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Generate a valid root element for the effective web.xml for a web |
| application for all supported versions of web.xml. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Pull up <code>SocketWrapper</code> to <code>AbstractProcessor</code>. |
| (markt) |
| </scode> |
| <fix> |
| In some circumstances asynchronous requests could time out too soon. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.51 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>55287</bug>: <code>ServletContainerInitializer</code> defined in |
| the container may not be found. (markt/jboynes) |
| </fix> |
| <fix> |
| <bug>55855</bug>: Provide a per Context option (containerSciFilter) to |
| exclude container SCIs. (markt) |
| </fix> |
| <fix> |
| <bug>55937</bug>: When deploying applications, treat a context path of |
| <code>/ROOT</code> as equivalent to <code>/</code>. (markt) |
| </fix> |
| <fix> |
| <bug>55943</bug>: Improve the implementation of the class loader check |
| that prevents web applications from trying to override J2SE |
| implementation classes. As part of this fix, refactor the way a null |
| parent class loader is handled which enables a number of null checks and |
| object creation calls to be removed. Note that this change means that, |
| by default, the web application class loader is now a higher priority |
| for loading classes than the system class loader. (markt) |
| </fix> |
| <fix> |
| <bug>55958</bug>: Differentiate between <code>foo.war</code> the WAR |
| file and <code>foo.war</code> the directory. (markt) |
| </fix> |
| <fix> |
| <bug>55960</bug>: Improve the single sign on (SSO) unit tests. Patch |
| provided by Brian Burch. (markt) |
| </fix> |
| <fix> |
| <bug>55974</bug>: Retain order when reporting errors and warnings while |
| parsing XML configuration files. (markt) |
| </fix> |
| <fix> |
| <bug>56013</bug>: Fix issue with SPNEGO authentication when using IBM |
| JREs. IBM JREs only understand the option of infinite lifetime for |
| Kerberos credentials. Based on a patch provided by Arunav Sanyal. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56016</bug>: When loading resources for XML schema validation, take |
| account of the possibility that servlet-api.jar and jsp-api.jar may not |
| be loaded by the same class loader. Patch by Juan Carlos Estibariz. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56025</bug>: When creating a WebSocket connection, always call |
| <code>ServerEndpointConfig.Configurator.getNegotiatedSubprotocol()</code> |
| and always create the EndPoint instance after calling |
| <code>ServerEndpointConfig.Configurator.modifyHandshake()</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56032</bug>: Ensure that the WebSocket connection is closed after |
| an IO error or an interrupt while sending a WebSocket message. (markt) |
| </fix> |
| <fix> |
| <bug>56042</bug>: If a request in async mode has an error but has |
| already been dispatched don't generate an error page in the |
| ErrorReportValve so the dispatch target can handle it. (markt) |
| </fix> |
| <fix> |
| Add missing <code>javax.annotation.sql.*</code> classes to |
| annotations-api.jar. (markt) |
| </fix> |
| <fix> |
| The type of the logger attribute of the Context MBean should not be |
| <code>org.apache.commons.logging.Log</code> but |
| <code>org.apache.juli.logging.Log</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>56082</bug>: Fix a concurrency bug in JULI's LogManager |
| implementation. (markt) |
| </fix> |
| <fix> |
| <bug>56096</bug>: When the attribute <code>rmiBindAddress</code> of the |
| JMX Remote Lifecycle Listener is specified its value will be used when |
| constructing the address of a JMX API connector server. Patch is |
| provided by Jim Talbut. (violetagg) |
| </fix> |
| <fix> |
| When an environment entry with the same name is defined both in the web |
| deployment descriptor and via an annotation, the one specified in the |
| web deployment descriptor takes priority. (violetagg) |
| </fix> |
| <fix> |
| Change default value of <code>xmlBlockExternal</code> attribute of |
| Context. It is <code>true</code> now. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Avoid possible NPE if a content type is specified without a character |
| set. (markt) |
| </fix> |
| <fix> |
| <bug>55956</bug>: Make the forwarded remote IP address available to the |
| Connectors via a request attribute. (markt) |
| </fix> |
| <fix> |
| <bug>55976</bug>: Fix sendfile support for the HTTP NIO connector. |
| (markt) |
| </fix> |
| <fix> |
| <bug>55996</bug>: Ensure Async requests timeout correctly when using the |
| NIO HTTP connector. (markt) |
| </fix> |
| <add> |
| <bug>56021</bug>: Make it possible to use the Windows-MY key store with |
| the BIO and NIO connectors for SSL configuration. It requires a |
| <code>keystoreFile="" keystoreType="Windows-My"</code> |
| to be set on the connector. Based on a patch provided by Asanka. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Correct a regression in the XML refactoring that meant that errors in |
| TLD files were swallowed. (markt) |
| </fix> |
| <fix> |
| <bug>55671</bug>: Correct typo in the log message for a wrong value of |
| genStringAsCharArray init-param of JspServlet. This parameter |
| had a different name in Tomcat 6. (kkolinko) |
| </fix> |
| <fix> |
| <bug>55973</bug>: Fix processing of XML schemas when validation is |
| enabled in Jasper. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56010</bug>: Don't throw an |
| <code>IllegalArgumentException</code> when |
| <code>JspFactory.getPageContext</code> is used with |
| <code>JspWriter.DEFAULT_BUFFER</code>. Based on a patch by Eugene Chung. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56012</bug>: When using the extends attribute of the page directive |
| do not import the super class if it is in an unnamed package as imports |
| from unnamed packages are now explicitly illegal. (markt) |
| </fix> |
| <fix> |
| <bug>56029</bug>: A regression in the fix for <bug>55198</bug> meant |
| that when EL containing a ternary expression was used in an attribute |
| a compilation error would occur for some expressions. (markt) |
| </fix> |
| <fix> |
| Correct several errors in jspxml Schema and DTD. (kkolinko) |
| </fix> |
| <fix> |
| Change default value of the <code>blockExternal</code> attribute of |
| JspC task. The default value is <code>true</code>. Add support for |
| <code>-no-blockExternal</code> switch when JspC is run as a |
| standalone application. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <scode> |
| Simplify the code of |
| <code>o.a.c.ha.tcp.SimpleTcpCluster.createManager(String)</code>. |
| Remove unnecessary class cast. (kfujino) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Do not return an empty string for the |
| <code>Sec-WebSocket-Protocol</code> HTTP header when no sub-protocol has |
| been requested or no sub-protocol could be agreed as RFC6455 requires |
| that no <code>Sec-WebSocket-Protocol</code> header is returned in this |
| case. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Add index.xhtml to the welcome files list for the examples web |
| application. (kkolinko) |
| </fix> |
| <fix> |
| Clarify that the connectionTimeout may also be used as the read timeout |
| when reading a request body (if any) in the documentation web |
| application. (markt) |
| </fix> |
| <fix> |
| Clarify the behaviour of the maxConnections attribute for a connector in |
| the documentation web application. (markt) |
| </fix> |
| <fix> |
| <bug>55888</bug>: Update the documentation web application to make it |
| clearer that a Container may define no more than one Realm. (markt) |
| </fix> |
| <fix> |
| <bug>55956</bug>: Where available, display the forwarded remote IP |
| address on the status page of the Manager web application. |
| (markt) |
| </fix> |
| <fix> |
| Correct links to the Tomcat mailing lists in the ROOT web application. |
| (kkolinko) |
| </fix> |
| <fix> |
| In Manager web application improve handling of file upload errors. |
| Display a message instead of error 500 page. Simplify parts handling |
| code, as it is known that Tomcat takes care of them when recycling a |
| request. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Extras"> |
| <changelog> |
| <fix> |
| <bug>55166</bug>, <bug>56045</bug>: Copy the XML schemas used for |
| validation that are packaged in jsp-api.jar to servlet-api.jar so that |
| an embedded Tomcat instance can start without Jasper being available. |
| This also enables validation to work without Jasper being available. |
| (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>56039</bug>: Enable the JmxRemoteLifecycleListener to work over |
| SSL. Patch by esengstrom. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>55743</bug>: Enable the stop script to work when the shutdown port |
| is disabled and a PID file is defined. This is only available on |
| platforms that use <code>catalina.sh</code>. (markt) |
| </fix> |
| <fix> |
| <bug>55986</bug>: When forcing Tomcat to stop via |
| <code>kill -9 $CATALINA_PID</code>, the <code>catalina.sh</code> script |
| could incorrectly report that Tomcat had not yet completely stopped when |
| it had. Based on a patch by jess. (markt) |
| </fix> |
| <fix> |
| Package correct license and notice files with embedded JARs. (markt) |
| </fix> |
| <scode> |
| Remove svn keywords (such as $Id) from source files and documentation. |
| (kkolinko) |
| </scode> |
| <fix> |
| Fix CVE-2014-0050, a denial of service with a malicious, malformed |
| Content-Type header and multipart request processing. Fixed by merging |
| latest code (r1565163) from Commons FileUpload. (markt) |
| </fix> |
| <fix> |
| <bug>56115</bug>: Expose the <code>httpusecaches</code> property of |
| Ant's <code>get</code> task as some users may need to change the |
| default. Based on a suggestion by Anthony. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.50 (violetagg)" rtext="released 2014-01-08"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Handle the case where a <code>context.xml</code> file is added to a |
| web application deployed from a directory. Previously the file was |
| ignored until Tomcat was restarted. Now (assuming automatic deployment |
| is enabled) it will trigger a redeploy of the web application. (markt) |
| </fix> |
| <fix> |
| Fix string comparison in <code>HostConfig.setContextClass()</code>. |
| (kkolinko) |
| </fix> |
| <scode> |
| Streamline handling of WebSocket messages when no handler is configured |
| for the message currently being received. (markt) |
| </scode> |
| <fix> |
| Handle the case where a WebSocket annotation configures a message size |
| limit larger than the default permitted by Tomcat. (markt) |
| </fix> |
| <fix> |
| <bug>55855</bug>: This is a partial fix that bypasses the relatively |
| expensive check for a WebSocket upgrade request if no WebSocket |
| endpoints have been registered. (markt) |
| </fix> |
| <fix> |
| <bug>55905</bug>: Prevent a NPE when web.xml references a taglib file |
| that does not exist. Provide better error message. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When using the BIO connector with an internal executor, do not display a |
| warning that the executor has not shutdown as the default configuration |
| for BIO connectors is not to wait. This is because threads in |
| keep-alive connections cannot be interrupted and therefore the warning |
| was nearly always displayed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| JspC uses servlet context initialization parameters to pass |
| configuration so ensure that the servlet context used supports |
| initialization parameters. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| In <code>AbstractReplicatedMap#finalize</code>, remove rpcChannel from |
| the channel listeners of the group channel before sending the |
| <code>MapMessage.MSG_STOP</code> message. This prevents the node |
| that sent the <code>MapMessage.MSG_STOP</code> during normal shutdown from |
| being added to the member map again by a ping from the heartbeat thread in |
| the node that received the <code>MapMessage.MSG_STOP</code>. (kfujino) |
| </fix> |
| <fix> |
| Add time stamp to <code>GET_ALL_SESSIONS</code> message. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Fix the sample configuration of <code>StaticMembershipInterceptor</code> |
| in order to prevent a warning in the log. The uniqueId must be 16 bytes. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Extras"> |
| <changelog> |
| <update> |
| Update dependencies that are used to build tomcat-juli extras component. |
| Apache Avalon Framework is updated to version 4.1.5, Apache Log4J to |
| version 1.2.17. (rjung) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.49 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct a regression in the new XML local resolver that triggered false |
| failures when XML validation was configured. (markt) |
| </fix> |
| <fix> |
| Prevent a NPE when destroying HTTP upgrade handler for WebSocket |
| connections. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.48 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>51294</bug>: Add support for unpacking WARs located outside of the |
| Host's appBase in to the appBase. (markt) |
| </add> |
| <fix> |
| <bug>55656</bug>: Configure the Digester to use the server class loader |
| when parsing server.xml rather than the class loader that loaded |
| StandardServer. Patch provided by Roberto Benedetti. (markt) |
| </fix> |
| <fix> |
| <bug>55664</bug>: Correctly handle JSR 356 WebSocket Encoder, Decoder |
| and MessageHandler implementations that use a generic type such as |
| <code>Encoder.Text&lt;List&lt;String&gt;&gt;</code>. Includes a test |
| case by Niki Dokovski. (markt) |
| </fix> |
| <fix> |
| Correctly handle WebSocket <code>Encoder</code>s, <code>Decoder</code>s |
| and <code>MessageHandler</code>s that use arrays of generic types. |
| (markt) |
| </fix> |
| <fix> |
| <bug>55681</bug>: Ensure that the WebSocket session is made available |
| to <code>MessageHandler</code> method calls. (markt) |
| </fix> |
| <fix> |
| Updated servlet spec version and documentation section-number reported |
| when JAR files are rejected for containing a trigger class |
| (e.g. javax.servlet.Servlet). (schultz) |
| </fix> |
| <add> |
| Modify the WebSocket handshake process so that the user properties |
| <code>Map</code> exposed by the <code>ServerEndpointConfig</code> during |
| the call to <code>Configurator.modifyHandshake()</code> is unique to the |
| connection rather than shared by all connections associated with the |
| Endpoint. This allows for easier configuration of per connection |
| properties from within <code>modifyHandshake()</code>. (markt) |
| </add> |
| <fix> |
| <bug>55684</bug>: Log a warning but continue if the memory leak |
| detection code is unable to access all threads to check for possible |
| memory leaks when a web application is stopped. (markt) |
| </fix> |
| <fix> |
| Define the web-fragment.xml in tomcat7-websocket.jar as a Servlet 3.0 |
| web fragment rather than as a Servlet 3.1 web fragment. (markt) |
| </fix> |
| <fix> |
| <bug>55715</bug>: Add a per web application executor to the WebSocket |
| implementation and use it for calling |
| <code>SendHandler.onResult()</code> when there is a chance that the |
| current thread also initiated the write. (markt) |
| </fix> |
| <fix> |
| Prevent file descriptors leak and ensure that files are closed when |
| configuring the web application. (violetagg) |
| </fix> |
| <fix> |
| Fixed the name of the provider-configuration file located in |
| <code>tomcat7-websocket.jar!/META-INF/services</code> that exposes |
| information for |
| <code>javax.websocket.server.ServerEndpointConfig$Configurator</code> |
| implementation. (violetagg) |
| </fix> |
| <fix> |
| <bug>55760</bug>: Remove the unnecessary setting of the |
| <code>javax.security.auth.useSubjectCredsOnly</code> system property in |
| the <code>SpnegoAuthenticator</code> as in addition to it being |
| unnecessary, it causes problems with using SPNEGO with IBM JDKs. Patch |
| provided by Arunav Sanyal. (markt) |
| </fix> |
| <fix> |
| <bug>55772</bug>: Ensure that the request and response are recycled |
| after an error during asynchronous processing. Includes a test case |
| based on code contributed by Todd West. (markt) |
| </fix> |
| <fix> |
| <bug>55778</bug>: Add an option to the JNDI Realm to control the QOP |
| used for the connection to the LDAP server after authentication when |
| using SPNEGO with delegated credentials. This value is used to set the |
| <code>javax.security.sasl.qop</code> environment property for the LDAP |
| connection. (markt) |
| </fix> |
| <fix> |
| <bug>55798</bug>: Log an error if the MemoryUserDatabase is unable to |
| find the specified user database file. (markt) |
| </fix> |
| <fix> |
| <bug>55799</bug>: Correctly enforce the restriction in JSR356 that no |
| more than one data message may be sent to a remote WebSocket endpoint at |
| a time. (markt) |
| </fix> |
| <fix> |
| When Catalina parses TLD files, always use a namespace aware parser to |
| be consistent with how Jasper parses TLD files. The |
| <code>tldNamespaceAware</code> attribute of the Context is now ignored. |
| (markt) |
| </fix> |
| <fix> |
| Deprecate the <code>tldNamespaceAware</code> Context attribute as TLDs |
| are always parsed with a namespace aware parser. (markt) |
| </fix> |
| <fix> |
| Correct a logic error that meant that unpackWARs was ignored and the WAR |
| was always expanded if a WAR failed to deploy. (markt) |
| </fix> |
| <add> |
| Add support for defining <code>copyXML</code> on a per Context basis. |
| (markt) |
| </add> |
| <fix> |
| Define the expected behaviour of the automatic deployment and align the |
| implementation to that definition. (markt) |
| </fix> |
| <add> |
| When running under a security manager, change the default value of the |
| Host's <code>deployXML</code> attribute to <code>false</code>. |
| (markt) |
| </add> |
| <add> |
| If a Host is configured with a value of <code>false</code> for |
| <code>deployXML</code>, a web application has an embedded |
| descriptor at <code>META-INF/context.xml</code> and no explicit |
| descriptor has been defined for this application, do not allow the |
| application to start. The reason for this is that the embedded |
| descriptor may contain configuration necessary for secure operation |
| such as a <code>RemoteAddrValve</code>. (markt) |
| </add> |
| <fix> |
| Prevent an NPE in the WebSocket <code>ServerContainer</code> when |
| processing an HTTP session end event. (markt) |
| </fix> |
| <add> |
| <bug>55801</bug>: Add the ability to set a custom |
| <code>SSLContext</code> to use for client wss connections. Patch |
| provided by Maciej Lypik. (markt) |
| </add> |
| <fix> |
| <bug>55804</bug>: If the GSSCredential for the cached Principal expires |
| when using SPNEGO authentication, force a re-authentication. (markt) |
| </fix> |
| <add> |
| <bug>55811</bug>: If the main web.xml contains an empty |
| absolute-ordering element and validation of web.xml is not enabled, skip |
| parsing any web-fragment.xml files as the result is never used. (markt) |
| </add> |
| <fix> |
| <bug>55839</bug>: Extend support for digest prefixes {MD5}, {SHA} and |
| {SSHA} to all Realms rather than just the JNDIRealm. (markt) |
| </fix> |
| <fix> |
| <bug>55842</bug>: Ensure that if a larger than default response buffer |
| is configured that the full buffer is used when a Servlet outputs via a |
| Writer. (markt) |
| </fix> |
| <fix> |
| <bug>55851</bug>: Further fixes to enable SPNEGO authentication to work |
| with IBM JDKs. Based on a patch by Arunav Sanyal. (markt) |
| </fix> |
| <add> |
| Fix CVE-2013-4590: |
| Add an option to the Context to control the blocking of XML external |
| entities when parsing XML configuration files and enable this blocking |
| by default when a security manager is used. The block is implemented via |
| a custom resolver to enable the logging of any blocked entities. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Implement a number of small refactorings to the APR/native handler for |
| upgraded HTTP connections. (markt) |
| </scode> |
| <fix> |
| Fix an issue with upgraded HTTP connections over HTTPS (e.g. secure |
| WebSocket) when using the APR/native connector that resulted in the |
| unexpected closure of the connection. (markt) |
| </fix> |
| <fix> |
| Ensure that the application class loader is used when calling the |
| <code>ReadListener</code> and <code>WriteListener</code> methods when |
| using non-blocking IO. A side effect of not doing this was that JNDI was |
| not available when processing WebSocket events. (markt) |
| </fix> |
| <add> |
| Make the time that the internal executor (if used) waits for request |
| processing threads to terminate before continuing with the connector |
| stop process configurable. (markt) |
| </add> |
| <fix> |
| <bug>55749</bug>: Improve the error message when <code>SSLEngine</code> |
| is disabled in the <code>AprLifecycleListener</code> and SSL is |
| configured for an APR/native connector. (markt) |
| </fix> |
| <add> |
| If a request that includes an <code>Expect: 100-continue</code> header |
| receives anything other than a 2xx response, close the connection. This |
| protects against misbehaving clients that may not send the request body |
| in that case and send the next request instead. (markt) |
| </add> |
| <fix> |
| Improve the parsing of trailing headers in HTTP requests. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>55735</bug>: Fix a regression caused by the fix to |
| <bug>55198</bug>. When processing JSP documents, attributes in XML |
| elements that are template content should have their text xml-escaped, |
| but output of EL expressions in them should not be escaped. (markt) |
| </fix> |
| <fix> |
| <bug>55807</bug>: The JSP compiler used a last modified time of -1 for |
| TLDs in JARs expanded in to WEB-INF/classes (IDEs often do this |
| expansion) when creating the dependency list for JSPs that used that |
| TLD. This meant JSPs using that TLD were recompiled on every access. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Add log message that initialization of |
| <code>AbstractReplicatedMap</code> has been completed. (kfujino) |
| </add> |
| <fix> |
| The logger of <code>AbstractReplicatedMap</code> should be non-static in |
| order to enable logging of each application. A side effect of this change |
| is that a <code>RuntimeException</code> is thrown in |
| <code>MapMessage#getKey()</code> and <code>getValue()</code> instead of |
| returning null and logging an error. (kfujino) |
| </fix> |
| <scode> |
| Simplify the code of <code>DeltaManager#startInternal()</code>. Reduce |
| unnecessary nesting for acquisition of cluster instance. (kfujino) |
| </scode> |
| <fix> |
| Remove unnecessary attributes of |
| <code>stateTransferCreateSendTime</code> and <code>receiverQueue</code> |
| from cluster manager template. These attributes should not be defined as |
| a template. (kfujino) |
| </fix> |
| <fix> |
| Fix MBean attribute definition of <code>stateTransfered</code>. The |
| method name is not <code>isStateTransfered()</code> but |
| <code>getStateTransfered()</code>. (kfujino) |
| </fix> |
| <fix> |
| Correct stop failure log of cluster. Failure cause is not only Valve. |
| (kfujino) |
| </fix> |
| <fix> |
| Remove unnecessary sleep when sending session blocks on session sync |
| phase. (kfujino) |
| </fix> |
| <fix> |
| Expose <code>stateTimestampDrop</code> of |
| <code>org.apache.catalina.ha.session.DeltaManager</code> via JMX. |
| (kfujino) |
| </fix> |
| <fix> |
| When the ping has timed out, make sure that the <code>memberDisappeared</code> |
| method is not called with members that have already been |
| removed. (kfujino) |
| </fix> |
| <add> |
| Add log message of session relocation when member disappeared. (kfujino) |
| </add> |
| <fix> |
| If a ping message fails, prevent incorrect timeout detection of normal |
| members that have not failed. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Add some documentation on the SSL configuration options for WebSocket |
| clients. (markt) |
| </add> |
| <add> |
| Add to cluster document a description of |
| <code>notifyLifecycleListenerOnFailure</code> and |
| <code>heartbeatBackgroundEnabled</code>. (kfujino) |
| </add> |
| <fix> |
| Update the documentation with information for WebSocket 1.0 specification |
| and javadoc. (violetagg) |
| </fix> |
| <fix> |
| <bug>55703</bug>: Clarify the role of the singleton attribute for JNDI |
| resource factories. (markt) |
| </fix> |
| <fix> |
| <bug>55746</bug>: Add documentation on the <code>allRolesMode</code> to |
| the <code>CombinedRealm</code> and <code>LockOutRealm</code>. Patch by |
| Cédric Couralet. (markt) |
| </fix> |
| <add> |
| Expand the information on web applications that ship as part of Tomcat |
| in the security how-to section of the documentation web application. |
| (markt) |
| </add> |
| <fix> |
| Expand the description of the WebSocket buffers in the documentation web |
| application to clarify their purpose. (markt) |
| </fix> |
| <add> |
| Correct the documentation for Cluster manager. (kfujino) |
| </add> |
| <add> |
| Add information on how to configure integrated Windows authentication |
| when Tomcat is running on a non-Windows host. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Extras"> |
| <changelog> |
| <update> |
| Update commons-logging to version 1.1.3. (rjung) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>52323</bug>: Add support for the Cobertura code coverage tool |
| when running the unit tests. Based on a patch by mhasko. |
| (markt/kkolinko) |
| </add> |
| <update> |
| Update sample Eclipse IDE project. Explicitly use a Java 6 SE JDK. |
| Exclude JSR356 WebSocket classes from build path, as they cannot be |
| compiled with Java 6. (kkolinko) |
| </update> |
| <update> |
| Update the Eclipse compiler to 4.3.1. (kkolinko/markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.47 (violetagg)" rtext="released 2013-10-24"> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix regression with legacy WebSocket implementation in NIO and APR |
| connectors. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Avoid hang observed with Java 6 on Windows when stopping the Tomcat |
| process via CTRL-C. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>55663</bug>: NOTICE files are corrected according to |
| <a href="http://www.apache.org/legal/src-headers.html#notice">NOTICE files requirements</a>. |
| (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.46 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Only send a WebSocket close message on an IOException if the client has |
| not yet received a close control message from the server as the |
| IOException may be in response to the client continuing to send a |
| message after the server sent a close control message. (markt) |
| </fix> |
| <fix> |
| <bug>49134</bug>: Ensure nested realms are correctly destroyed, when a |
| CombinedRealm is destroyed. This ensures that the associated MBeans are |
| deregistered. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Refactor APR/native connector to reduce the scope of |
| <code>localAddList</code>. (markt) |
| </scode> |
| <fix> |
| <bug>55602</bug>: Ensure that sockets removed from the Poller and then |
| closed in the APR/native connector are removed and then closed in a |
| thread-safe manner. (markt) |
| </fix> |
| <fix> |
| Update the APR/native connector to version 1.1.29. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>55642</bug>: Correct logic error in the JSP parser that was |
| incorrectly identifying EL expressions in jsp:param element values as a |
| literal string. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Add support for notifying periodic events of the cluster. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the javadoc for <code>org.apache.catalina.Lifecycle</code>. |
| (kfujino) |
| </fix> |
| <add> |
| Add documentation for the sessionIdAttribute attribute in |
| <code>org.apache.catalina.ha.session.JvmRouteBinderValve</code>. |
| (kfujino) |
| </add> |
| <fix> |
| Handle the case when a user closes the browser whilst playing the |
| snake game in the JSR356 WebSocket examples. (markt) |
| </fix> |
| <fix> |
| Ensure Javadoc comments are associated with the correct elements in |
| <code>org.apache.tomcat.jni.Poll</code>. (markt) |
| </fix> |
| <add> |
| Expand Context documentation for the use of |
| <code>sessionCookiePath="/"</code> to make the implications |
| for session fixation protection clearer. (markt) |
| </add> |
| <fix> |
| <bug>55629</bug>: Ensure that the JMX notification listener added during |
| initialization of the servlet org.apache.catalina.manager.StatusManagerServlet |
| is removed in the destroy phase. (violetagg) |
| </fix> |
| <fix> |
| Correct the documentation for Deployment Organization in the App Dev |
| Guide. (violetagg) |
| </fix> |
| <add> |
| <bug>55639</bug>: Add a Drawboard WebSocket example. (kpreisser) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.45 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>55576</bug>: Preserve the order in which request parameters were |
| received when accessing them via the Servlet API. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Logger instance of cluster session manager is changed to non-static in |
| order to enable logging of each application. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.44 (violetagg)" rtext="not released"> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>55582</bug>: Correct concurrency issue that can result in two |
| instances of JspServletWrapper being created for one tag. Patch provided |
| by Sheldon Shao. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.43 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>51526</bug>: <code>o.a.catalina.startup.Tomcat#addWebapp</code> |
| methods now process the web application's <code>META-INF/context.xml</code> |
| when it is available in the provided path. (violetagg) |
| </add> |
| <fix> |
| <bug>55186</bug>: Ensure local name is recycled between requests so IP |
| virtual hosting works correctly. (markt) |
| </fix> |
| <fix> |
| <bug>55210</bug>: Correct the processing of the provider-configuration |
| file for <code>javax.servlet.ServletContainerInitializer</code> in the |
| resource directory <code>META-INF/services</code> when this file |
| contains comments and multiple SCIs. Patch provided by Nick Williams. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>55230</bug>: Use the correct resource path when obtaining an |
| InputStream for resources served by a ProxyDirContext. (markt) |
| </fix> |
| <fix> |
| Ensure that the JAR scanning process scans the Apache Log4j version 2 |
| JARs. Patch provided by Nick Williams. (markt) |
| </fix> |
| <fix> |
| <bug>55261</bug>: Fix failing unit test for file upload checks when |
| running on platform / JVM combinations that have large network buffers. |
| (markt) |
| </fix> |
| <fix> |
| <bug>55268</bug>: Added optional --service-start-wait-time |
| command-line option to change service start wait time from default of 10 |
| seconds. |
| </fix> |
| <fix> |
| The <code>contextClass</code> attribute of <code>HostConfig</code> |
| refers to the value of the <code>contextClass</code> attribute of Host. |
| (kfujino) |
| </fix> |
| <fix> |
| <bug>55331</bug>: Dispatching to an asynchronous servlet from |
| <code>AsyncListener.onTimeout()</code> should not trigger an |
| <code>IllegalStateException</code>. (markt) |
| </fix> |
| <fix> |
| <bug>55333</bug>: Correct a regression in the fix for <bug>55071</bug>. |
| (markt) |
| </fix> |
| <fix> |
| When using a security manager, ensure that calls to the ServletContext |
| that are routed via an <code>AccessController.doPrivileged</code> block |
| do not result in a call to a different underlying method on the |
| ServletContext. (markt) |
| </fix> |
| <fix> |
| <bug>55354</bug>: Ensure that the naming context environment parameters |
| are restored after associating the Principal with the user name. Based |
| on patch provided by Richard Begg. (violetagg) |
| </fix> |
| <fix> |
| <bug>55357</bug>: Ensure the web application class loader is set as a |
| thread context class loader during session deserialization. (violetagg) |
| </fix> |
| <fix> |
| <bug>55404</bug>: Log warnings about using security roles in web.xml |
| without defining them as warnings. (markt) |
| </fix> |
| <fix> |
| <bug>55439</bug>: Don't try a forced stop when <code>stop |
| -force</code> is used if Tomcat has already been stopped. This avoids |
| error messages when the PID file has been cleared. If a forced stop is |
| required, improve handling of the case when the PID file can be read |
| from or written to but not deleted. (markt) |
| </fix> |
| <fix> |
| <bug>55454</bug>: Avoid NPE when parsing an incorrect content type. |
| (violetagg) |
| </fix> |
| <update> |
| Back-port the JSR-356 Java WebSocket 1.0 implementation from Tomcat 8. |
| Note that use of this functionality requires Java 7. (markt) |
| </update> |
| <update> |
| Deprecate the Tomcat proprietary WebSocket API in favour of the new |
| JSR-356 implementation. (markt) |
| </update> |
| <fix> |
| <bug>55494</bug>: Reduce severity of log message from warning to |
| information for JNDI Realm connection issues where the JNDI Realm |
| automatically re-tries the action that failed. Make clear in the log |
| message that the action is being re-tried. (markt) |
| </fix> |
| <fix> |
| Correct several incorrect formats of <code>JdkLoggerFormatter</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| <bug>55521</bug>: Ensure that calls to |
| <code>HttpSession.invalidate()</code> do not return until the session |
| has been invalidated. Also ensure that checks on the validity of a |
| session return a result consistent with any previous call to |
| <code>HttpSession.invalidate()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>55524</bug>: Refactor to avoid a possible deadlock when handling an |
| <code>IOException</code> during output when using Tomcat's |
| proprietary (and deprecated) WebSocket API. (markt) |
| </fix> |
| <fix> |
| The loaded attribute never exists in <code>PersistentManager</code>. |
| isLoaded is defined as an operation in mbeans-descriptors. (kfujino) |
| </fix> |
| <add> |
| Added logging of logging.properties location when system property |
| <code>org.apache.juli.ClassLoaderLogManager.debug=true</code> |
| is set. |
| </add> |
| <fix> |
| <bug>55570</bug>: Correctly log exceptions for all error conditions in |
| the SPNEGO authenticator. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>55228</bug>: Allow web applications to set a HTTP Date header. |
| (markt) |
| </fix> |
| <add> |
| Expose the current connection count for each protocol handler via JMX. |
| (markt) |
| </add> |
| <fix> |
| <bug>55267</bug>: If an application configures a timeout for a Comet |
| connection ensure it is only used for read and not write operations. |
| This prevents a long timeout delaying the closing of the socket |
| associated with a Comet connection after an error occurs. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>java.lang.VirtualMachineError</code>s are not |
| swallowed when using the HTTP or AJP NIO connectors. (markt) |
| </fix> |
| <fix> |
| <bug>55399</bug>: Use the response locale to select the language to use |
| for the status message in the HTTP response. (markt) |
| </fix> |
| <update> |
| Refactor the connectors to support the new JSR-356 Java WebSocket |
| 1.0 implementation. The most noticeable change is that the AJP |
| APR/native and HTTP APR/native connectors no longer support multiple |
| poller threads. Both connectors now use a single poller thread. (markt) |
| </update> |
| <fix> |
| Internally, content length is managed as a <code>long</code>. Fix a few |
| places in the AJP connector where this was restricted to an |
| <code>int</code>. (markt) |
| </fix> |
| <fix> |
| <bug>55453</bug>: Ensure that the AJP connector does not permit response |
| bodies to be included for responses with status codes and/or request |
| methods that are not permitted to have a response body. (markt) |
| </fix> |
| <fix> |
| <bug>55500</bug>: Don't ignore the value of an asynchronous context |
| timeout when using the AJP NIO connector. (markt) |
| </fix> |
| <fix> |
| Fix CVE-2013-4286: |
| Better adherence to RFC2616 for content-length headers. (markt) |
| </fix> |
| <fix> |
| Fix CVE-2013-4322: Add support for limiting the size of chunk extensions |
| when using chunked encoding. (markt) |
| </fix> |
| <fix> |
| Update the APR/native connector to version 1.1.28. Make this the minimum |
| acceptable version as the correct behaviour of the JSR-356 WebSocket |
| implementation when using the APR/native HTTP connector depends on a bug |
| fix in the 1.1.28 release. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>55198</bug>: Ensure attribute values in tagx files that include EL |
| and quoted XML characters are correctly quoted in the output. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>javax.el.ELContext.getContext(Class)</code> will |
| throw <code>NullPointerException</code> when the provided class is |
| null. (violetagg) |
| </fix> |
| <fix> |
| Ensure that <code>FeatureDescriptor</code> objects returned by |
| <code>javax.el.MapELResolver.getFeatureDescriptors(ELContext,Object)</code> |
| will be created with a correct <code>shortDescription</code> - an empty string and |
| a named attribute <code>ELResolver.RESOLVABLE_AT_DESIGN_TIME</code> - |
| true. (violetagg) |
| </fix> |
| <fix> |
| Ensure that <code>FeatureDescriptor</code> objects returned by |
| <code>javax.el.ResourceBundleELResolver.getFeatureDescriptors(ELContext,Object)</code> |
| will be created with a correct <code>shortDescription</code> - an empty |
| string. |
| <code>javax.el.ResourceBundleELResolver.isReadOnly(ELContext,Object,Object)</code> |
| returns true if the base object is an instance of ResourceBundle. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>55207</bug>: Enforce the restriction that a &lt;jsp:text&gt; |
| element may not contain any sub-elements from any namespace. Patch |
| provided by Jeremy Boynes. (markt) |
| </fix> |
| <fix> |
| Ensure that |
| <code>javax.el.ListELResolver.getFeatureDescriptors(ELContext,Object)</code> |
| will always return null. |
| <code>javax.el.ListELResolver.isReadOnly(ELContext,Object,Object)</code> |
| will return a result when the property cannot be coerced into an |
| integer. (violetagg) |
| </fix> |
| <fix> |
| Ensure that |
| <code>javax.el.ArrayELResolver.getFeatureDescriptors(ELContext,Object)</code> |
| will always return null. |
| <code>javax.el.ArrayELResolver.isReadOnly(ELContext,Object,Object)</code> |
| and |
| <code>javax.el.ArrayELResolver.getType(ELContext,Object,Object)</code> |
| will return a result when the property cannot be coerced into an |
| integer. (violetagg) |
| </fix> |
| <fix> |
| <bug>55309</bug>: Fix concurrency issue with JSP compilation and the |
| tag plug-in manager. Patch provided by Sheldon Shao. (markt) |
| </fix> |
| <fix> |
| Ensure that |
| <code>javax.el.BeanELResolver.getFeatureDescriptors(ELContext,Object)</code> |
| and |
| <code>javax.el.BeanELResolver.getCommonPropertyType(ELContext,Object)</code> |
| do not throw <code>NullPointerException</code> when the provided context |
| is null. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Add new attribute terminateOnStartFailure. Set to true if you wish to |
| terminate replication map when replication map fails to start. |
| If replication map is terminated, associated context will fail to start. |
| If you set this attribute to false, replication map does not end. |
| It will try to join the map membership in the heartbeat. Default value |
| is false. (kfujino) |
| </add> |
| <fix> |
| Avoid ConcurrentModificationException when sending a heartbeat. |
| (kfujino) |
| </fix> |
| <fix> |
| Avoid NPE when the channel fails to start. (kfujino) |
| </fix> |
| <fix> |
| <bug>55301</bug>: Fix <code>IllegalArgumentException</code> thrown by |
| simple test for McastService. (kfujino) |
| </fix> |
| <fix> |
| <bug>55332</bug>: Fix NPE in <code>FileMessageFactory.main</code> when |
| an empty file is specified as an argument. (kfujino) |
| </fix> |
| <fix> |
| More definite thread name for <code>MessageDispatch15Interceptor</code>. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <update> |
| Remove the experimental label from the AJP NIO connector documentation. |
| (markt) |
| </update> |
| <fix> |
| Correctly associate the default resource bundle with the English locale |
| so that requests that specify an Accept-Language of English ahead of |
| French, Spanish or Japanese get the English messages they asked for. |
| (markt) |
| </fix> |
| <fix> |
| <bug>55469</bug>: Fixed tags that were not properly closed. Based on a |
| patch provided by Larry Shatzer, jr. (violetagg) |
| </fix> |
| <update> |
| The WebSocket examples in the examples web application have been changed |
| to use the new JSR-356 Java WebSocket 1.0 implementation. (markt) |
| </update> |
| <add> |
| Add document for |
| <code>org.apache.catalina.tribes.group.GroupChannel</code>. (kfujino) |
| </add> |
| <fix> |
| Correct Realm Component page of Tomcat documentation. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>54693</bug>: Add a validationQueryTimeout property. Patch provided |
| by Daniel Mikusa. (kfujino) |
| </fix> |
| <fix> |
| <bug>54693#c6</bug>: Avoid NPE caused when the <code>createConnection()</code> |
| method returns null. Patch provided by Daniel Mikusa. (kfujino) |
| </fix> |
| <fix> |
| <bug>55342</bug>: Remove unnecessary reset of interrupted flag. If |
| <code>InterruptedException</code> is thrown, the interrupted flag has |
| been cleared. (kfujino) |
| </fix> |
| <fix> |
| <bug>55343</bug>: Add flag to ignore exceptions of connection creation |
| while initializing the pool. (kfujino) |
| </fix> |
| <fix> |
| Add undefined attributes and operations to mbeans-descriptor. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>45428</bug>: Trigger a thread dump written to standard out if |
| Tomcat fails to stop in a timely manner to aid diagnostics. This is only |
| available on platforms that use <code>catalina.sh</code>. (markt) |
| </add> |
| <fix> |
| <bug>55204</bug>: Correct namespace used in Servlet 2.4 test web |
| application. Patch provided by Jeremy Boynes. (markt) |
| </fix> |
| <fix> |
| <bug>55205</bug>: Reorder elements so web.xml complies with schema for |
| Servlet 3.0 test web application. Patch provided by Jeremy Boynes. |
| (markt) |
| </fix> |
| <fix> |
| <bug>55211</bug>: Correct namespace in TLD files used in test web |
| applications. Rename elements <code>tagclass</code> to |
| <code>tag-class</code> so TLD files comply with DTD/schema. Patch |
| provided by Jeremy Boynes. (violetagg) |
| </fix> |
| <update> |
| Update package renamed version of Commons BCEL to the latest code from |
| Commons BCEL trunk. (markt) |
| </update> |
| <update> |
| Update package renamed version of Commons FileUpload to the latest code |
| from Commons FileUpload trunk. (markt) |
| </update> |
| <fix> |
| <bug>55297</bug>: When looking for the jsvc executable, if an explicit |
| path is not set and it is not found in $CATALINA_BASE, look in |
| $CATALINA_HOME as well. (markt) |
| </fix> |
| <fix> |
| <bug>55336</bug>: Correctly escape parameters passed to eval in the |
| catalina.sh script to ensure that Tomcat starts when installed on a path |
| that contains multiple consecutive spaces. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.42 (markt)" rtext="released 2013-07-05"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Enforce the restriction described in section 4.4 of the Servlet 3.0 |
| specification that requires the new pluggability methods only to be |
| available to <code>ServletContextListener</code>s defined in one of the |
| specified ways. (markt) |
| </fix> |
| <fix> |
| Better handle FORM authentication when requesting a resource as an |
| unauthenticated user that is only protected for a sub-set of HTTP |
| methods that does not include GET. (markt) |
| </fix> |
| <fix> |
| <bug>53777</bug>: Add support for a JAAS Realm instance to use a |
| dedicated configuration rather than the JVM global JAAS configuration. |
| This is most likely to be useful for per web application JAAS Realms. |
| Based on a patch by eolivelli. (markt) |
| </fix> |
| <fix> |
| <bug>54745</bug>: Fix JAR file scanning when Tomcat is deployed via Java |
| Web Start. Patch provided by Nick Williams. (markt) |
| </fix> |
| <add> |
| <bug>55017</bug>: Add the ability to configure the RMI bind address when |
| using the JMX remote lifecycle listener. Patch provided by Alexey |
| Noskov. (markt) |
| </add> |
| <fix> |
| <bug>55071</bug>: Ensure original exception is reported if JDBC Realm |
| fails to read a user's credentials. (markt) |
| </fix> |
| <fix> |
| <bug>55073</bug>, <bug>55108</bug>, <bug>55109</bug>, <bug>55110</bug>, |
| <bug>55158</bug> &amp; <bug>55159</bug>: Small performance improvements. |
| Patches provided by Adrian Nistor. (markt/violetagg) |
| </fix> |
| <add> |
| <bug>55102</bug>: Add support for time to first byte in the |
| AccessLogValve. Patch provided by Jeremy Boynes. (markt) |
| </add> |
| <fix> |
| <bug>55125</bug>: If the Server container fails to start, don't allow |
| the Catalina wrapper to start (used when running from the command line |
| and when running as a service) since Tomcat will not be able to do any |
| useful work. (markt) |
| </fix> |
| <fix> |
| Update the <code>JreMemoryLeakPreventionListener</code> to take account |
| of changes in the behaviour of |
| <code>java.beans.Introspector.flushCaches()</code> and |
| <code>sun.awt.AppContext.getAppContext()</code> in Java 7. (markt) |
| </fix> |
| <fix> |
| Avoid WARNING log message of |
| <code>Users:type=UserDatabase,database=UserDatabase</code> at Tomcat |
| shutdown. (pero) |
| </fix> |
| <fix> |
| Avoid <code>ClassCastException</code> when an asynchronous dispatch is |
| invoked in an asynchronous cycle which is started by a call to |
| <code>ServletRequest.startAsync(ServletRequest,ServletResponse)</code> |
| where ServletRequest/ServletResponse are custom implementations. |
| (violetagg) |
| </fix> |
| <fix> |
| Correct a regression introduced in 7.0.39 (refactoring of base 64 |
| encoding and decoding) that broke the JNDI Realm when |
| <code>userPassword</code> was set and passwords were hashed with MD5 or |
| SHA1. (markt/kkolinko) |
| </fix> |
| <fix> |
| Correct the mechanism for the path calculation in |
| <code>AsyncContext.dispatch()</code>. (violetagg) |
| </fix> |
| <fix> |
| <bug>55155</bug>: Avoid constant focus grabbing when running the Tomcat |
| unit tests under Java 6 on OSX. Patch provided by Casey Lucas. (markt) |
| </fix> |
| <fix> |
| <bug>55160</bug>: Don't ignore connectionUploadTimeout setting when |
| using HTTP NIO connector. (markt) |
| </fix> |
| <fix> |
| <bug>55176</bug>: Correctly handle regular expressions within SSI |
| expressions that contain an equals character. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>55177</bug>: Correctly handle infinite soTimeout for BIO HTTP |
| connector. Based on a patch by Nick Bunn. (markt) |
| </fix> |
| <fix> |
| <bug>55180</bug>: Correctly handle infinite soTimeout when |
| <code>disableUploadTimeout</code> is set to false. Patch provided by |
| Nick Bunn. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Delete leftover of war file from tempDir when removing invalid |
| <code>FileMessageFactory</code>. (kfujino) |
| </fix> |
| <fix> |
| Ensure that the keepAlive of NioSender works correctly when |
| <code>keepAliveCount</code>/<code>keepAliveTime</code> is set to a value |
| greater than 0. (kfujino) |
| </fix> |
| <add> |
| Add logging of when a member is unable to join the cluster. (kfujino) |
| </add> |
| <fix> |
| Replace Tribes's <code>TaskQueue</code> as executor's |
| workQueue in order to ensure that executor's <code>maxThread</code> |
| works correctly. (kfujino) |
| </fix> |
| <fix> |
| <bug>54086</bug>: Fix an additional code path that could lead to |
| multiple threads attempting to modify the same selector key set. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Complete the document for <code>MessageDispatch15Interceptor</code>. |
| (kfujino) |
| </add> |
| <add> |
| <bug>53655</bug>: Document the circumstances under which Tomcat will add |
| a <code>javax.mail.Authenticator</code> to mail sessions created via a |
| JNDI resource. (markt) |
| </add> |
| <fix> |
| <bug>55179</bug>: Correct the Javadoc for the remote IP valve so the |
| correct name is used to refer to the <code>proxiesHeader</code> |
| property. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>55031</bug>: Fixed <code>Export-Package</code> header and |
| <code>uses</code> directives in MANIFEST.MF. Change the version for |
| package <code>org.apache.juli.logging</code> to "0" in |
| <code>Import-Package</code> header. Thus any version of that package |
| can be used. Patch provided by Martin Lichtin. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update Maven Central location used to download dependencies at build time |
| to be <code>repo.maven.apache.org</code>. (kkolinko) |
| </update> |
| <update> |
| Update JUnit to version 4.11. Configure separate download for Hamcrest |
| 1.3 core library as its classes are no longer included in junit.jar. |
| (kkolinko) |
| </update> |
| <fix> |
| <bug>54013</bug>: When using a forced stop, allow a short period of time |
| (5s) for the process to die before returning. Patch provided by |
| mukarram.baig. (markt) |
| </fix> |
| <fix> |
| <bug>55119</bug>: Ensure that the build process produces Javadoc that is |
| not vulnerable to CVE-2013-1571. Based on a patch by Uwe Schindler. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.41 (markt)" rtext="released 2013-06-10"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>54703</bug>: Make parsing of HTTP Content-Type headers tolerant of |
| any CR or LF characters that appear in the value passed by the |
| application. Also fix some whitespace parsing issues identified by the |
| additional test cases. (markt) |
| </fix> |
| <fix> |
| Prevent possible WAR file locking when reading a context.xml file from |
| an unexpanded WAR file. Note that in normal usage, the |
| <code>JreMemoryLeakPreventionListener</code> would protect against this. |
| (markt) |
| </fix> |
| <fix> |
| Ensure that when auto deployment runs for a Host, it uses the latest |
| values for copyXML, deployXML and unpackWARs. (markt) |
| </fix> |
| <fix> |
| <bug>54939</bug>: Provide logging (using a UserDataHelper) when HTTP |
| header parsing fails (e.g. when maxHeaderCount is exceeded). (markt) |
| </fix> |
| <add> |
| <bug>54944</bug>: Enhancements to the unit tests for FORM |
| authentication. Patch provided by Brian Burch. (markt) |
| </add> |
| <fix> |
| <bug>54955</bug>: When a reload of the application is performed ensure |
| that a subsequent request to the context root does not result in a 404 |
| response. (violetagg) |
| </fix> |
| <fix> |
| <bug>54971</bug>: Ensure that the correct location is used when writing |
| files via <code>javax.servlet.http.Part.write(String)</code>. (markt) |
| </fix> |
| <fix> |
| <bug>54974</bug>: Ensure that |
| <code>SessionCookieConfig#set&lt;methods&gt;</code> |
| will throw <code>IllegalStateException</code> if the |
| <code>ServletContext</code> from which this |
| <code>SessionCookieConfig</code> was acquired has already been |
| initialized. (violetagg) |
| </fix> |
| <fix> |
| <bug>54981</bug>: Ensure that |
| <code>ServletContext#getJspConfigDescriptor()</code> will return |
| <code>null</code> when there is no jsp configuration provided by |
| web.xml/web-fragment.xml. (violetagg) |
| </fix> |
| <fix> |
| Ensure that when Tomcat's anti-resource locking features are used |
| that the temporary copy of the web application and not the original is |
| removed when the web application stops. (markt) |
| </fix> |
| <fix> |
| <bug>54984</bug>: Use the correct encoding when processing a form data |
| posted as multipart/form-data even when the request parameters are not |
| parsed. (violetagg) |
| </fix> |
| <fix> |
| <bug>54999</bug>: The old JSESSIONIDSSO needs to be removed when SSO is |
| being used and logout() and login() occur within a single request. Patch |
| provided by Keith Mashinter. (markt) |
| </fix> |
| <add> |
| <bug>55035</bug>: Add support for the version attribute to the deploy |
| command of the Ant tasks for interfacing with the text based Manager |
| application. Patch provided by Sergey Tcherednichenko. (markt) |
| </add> |
| <add> |
| <bug>55046</bug>: Add a Servlet Filter that implements |
| <a href="http://www.w3.org/TR/cors/" rel="nofollow">CORS</a>. Patch |
| provided by Mohit Soni. (markt) |
| </add> |
| <add> |
| <bug>55052</bug>: JULI's LogManager now additionally looks for |
| logging properties without prefixes if the property cannot be found with |
| a prefix. (markt) |
| </add> |
| <fix> |
| Ensure that only the first asynchronous dispatch operation for a given |
| asynchronous cycle will be performed. Any subsequent asynchronous |
| dispatch operation for the same asynchronous cycle will be ignored and |
| <code>IllegalStateException</code> will be thrown. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>54947</bug>: Fix the HTTP NIO connector that incorrectly rejected a |
| request if the CRLF terminating the request line was split across |
| multiple packets. Patch by Konstantin Preißer. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>54964</bug>: Allow tag plug-ins to be packaged with a web |
| application. Patch provided by Sheldon Shao. (markt) |
| </fix> |
| <fix> |
| <bug>54968</bug>: Return the correct version number (2.2) of the JSP |
| specification that is supported by the JSP engine when |
| <code>javax.servlet.jsp.JspEngineInfo#getSpecificationVersion()</code> |
| is invoked. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Add <code>maxValidTime</code> attribute to prevent the leak of |
| <code>FileMessageFactory</code> in <code>FarmWarDeployer</code>. |
| (kfujino) |
| </add> |
| <scode> |
| Simplify the code of <code>ReplicationValve</code>: Rather than get |
| cluster instance from container on every request, use instance variable. |
| (kfujino) |
| </scode> |
| <add> |
| Add <code>maxWait</code> attribute that the senderPool will wait when |
| there are no available senders. (kfujino) |
| </add> |
| <add> |
| Improve error message by including specified timeout if failed to |
| retrieve a data sender. (kfujino) |
| </add> |
| <add> |
| Add <code>removeSuspectsTimeout</code> attribute in order to remove a |
| suspect node in TcpFailureDetector. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>54931</bug>: Add information to the Windows Service how-to about |
| installing and running multiple instances. Based on a patch by Chris |
| Derham. (markt) |
| </fix> |
| <fix> |
| <bug>54932</bug>: Correct the link to Tribes documentation. (violetagg) |
| </fix> |
| <add> |
| Add document for |
| <code>o.a.c.tribes.group.interceptors.TcpFailureDetector</code>. |
| (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.40 (markt)" rtext="released 2013-05-09"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| Update Tomcat's internal copy of Commons FileUpload to FileUpload 1.3. |
| (markt) |
| </update> |
| <fix> |
| <bug>54178</bug>, CVE-2013-2071: Protect against |
| <code>AsyncListener</code> implementations that throw |
| <code>RuntimeException</code>s in response to an event. (markt) |
| </fix> |
| <fix> |
| <bug>54791</bug>: Restore <code>tools.jar</code> entry in |
| <code>jarsToSkip</code> property to prevent warnings when running Tomcat |
| from Eclipse. (markt) |
| </fix> |
| <fix> |
| <bug>54851</bug>: When scanning for web fragments, directories without |
| any web-fragment.xml should not impact the status of distributable |
| element. Patch provided by Trask Stalnaker. (violetagg) |
| </fix> |
| <fix> |
| When an error occurs during the sending of a WebSocket message, notify |
| the Inbound side (where all the events occur that the application reacts |
| to) that an error has occurred and that the connection is being closed. |
| (markt) |
| </fix> |
| <fix> |
| <bug>54906</bug>: Better error message if a |
| <code>ConcurrentModificationException</code> occurs while checking for |
| memory leaks when a web application stops. Also ensure that the |
| exception does not cause remaining checks to be skipped. Based on a |
| patch by NateC. |
| </fix> |
| <fix> |
| Allow 204 responses (no content) to include entity headers as required |
| by RFC2616. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure write errors when using HTTP Upgrade with the APR/native |
| connector result in <code>IOException</code>s rather than errors being |
| silently swallowed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>54802</bug>: Provide location information for exceptions thrown |
| by JspDocumentParser. (kkolinko) |
| </fix> |
| <fix> |
| <bug>54801</bug>: Do not attempt to parse text that looks like an EL |
| expression inside a scriptlet in a JSP document because EL expressions |
| are not permitted in scriptlets. (kkolinko/markt) |
| </fix> |
| <fix> |
| <bug>54821</bug>: Do not attempt to parse text that looks like an EL |
| expression in a JSP document if EL expressions have been disabled. |
| (kkolinko/markt) |
| </fix> |
| <fix> |
| <bug>54888</bug>: Add support for CSV lists with the ForEach tag plugin. |
| Patch provided by Sheldon Shao. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Add several improvements for FarmWarDeployer. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>54872</bug>: Correct Cluster Receiver page of Tomcat |
| documentation. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <update> |
| Document <code>StatementCache</code> interceptor. (kkolinko) |
| </update> |
| <fix> |
| Fix minor threading issue in <code>ConnectionPool</code>. |
| (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>54732</bug>: Fix leak of statements in <code>StatementCache</code> |
| interceptor. (kkolinko) |
| </fix> |
| <fix> |
| Fix NPE in <code>SlowQueryReportJmx</code> when running |
| <code>TestSlowQueryReport</code> test. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update to Eclipse JDT Compiler 4.2.2. (kkolinko) |
| </update> |
| <update> |
| <bug>54890</bug>: Update to Apache Commons Daemon 1.0.15. (mturk) |
| </update> |
| <update> |
| Convert remaining unit tests to JUnit 4 and enable Checkstyle rule |
| that forbids use of methods from JUnit 3. (markt/kkolinko) |
| </update> |
| <fix> |
| Remove unneeded permissions for reading UserDataHelper properties |
| from <code>catalina.policy</code> file. The class that needed those |
| was moved in 7.0.26. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.39 (markt)" rtext="released 2013-03-26"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Ensure a log message is generated when a web application fails to start |
| due to an error processing a ServletContainerInitializer. (markt) |
| </fix> |
| <fix> |
| Prevent NPE in JAR scanning when running in an environment where the |
| bootstrap class loader is not an ancestor of the web application class |
| loader such as OSGi environments. (violetagg) |
| </fix> |
| <fix> |
| Ensure that, if a call to UEncoder#encodeURL is made, all internal |
| structures are properly cleaned. (violetagg) |
| </fix> |
| <add> |
| <bug>54660</bug>: Enable the modification of an access log's |
| <code>fileDateFormat</code> attribute while the access log is in use. |
| The change will take effect when the next entry is made to the access |
| log. (markt) |
| </add> |
| <update> |
| Update Tomcat's internal copy of Commons FileUpload to FileUpload trunk, |
| revision 1458500 and the associated extract from Commons IO to 2.4. |
| (markt) |
| </update> |
| <fix> |
| <bug>54702</bug>: Prevent file descriptor leaks and ensure that files |
| are closed when parsing web application deployment descriptors. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>54707</bug>: Further relax the parsing of DIGEST authentication |
| headers to allow for buggy clients that quote values that RFC2617 states |
| should not be quoted. (markt/kkolinko) |
| </fix> |
| <fix> |
| Enable support for MBeans with multiple operations with the same name |
| but different signatures. (markt) |
| </fix> |
| <scode> |
| Deprecate Tomcat's internal Base 64 encoder/decoder and switch to |
| using a package renamed copy of the Commons Codec implementation. |
| (markt) |
| </scode> |
| <fix> |
| Ensure that StandardJarScanner#scan will use the provided class loader |
| when scanning the class loader hierarchy. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>54690</bug>: Fix a regression caused by the previous fix for |
| <bug>54406</bug>. If no values are specified for sslEnabledProtocols or |
| ciphers use the default values for server sockets rather than the |
| default values for client sockets. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <update> |
| Correct Deployer, Manager and Context pages of Tomcat documentation. |
| (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>52318</bug>: Version for imported package |
| <code>org.apache.juli.logging</code> is extended to include also 7.0.x |
| versions. The fix is applicable only when running in OSGi environment. |
| Patch provided by Martin Lichtin. (violetagg) |
| </fix> |
| <fix> |
| <bug>54599</bug>: Do not print connection password in |
| <code>PoolProperties.toString()</code>. Based on a patch by |
| Daniel Mikusa. (kkolinko) |
| </fix> |
| <fix> |
| <bug>54684</bug>: Add <code>javax.naming.spi</code> to |
| <code>Import-Package</code> header in MANIFEST.MF in order to resolve |
| <code>ClassNotFoundException</code> when running in OSGi environment. |
| (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Update to Apache Commons Daemon 1.0.14 to resolve <bug>54609</bug> |
| which meant that installation of Windows service could fail |
| producing incorrect service launch command. (mturk) |
| </fix> |
| <fix> |
| Ensure HEAD requests return the correct content length when the |
| requested resource uses a Writer. Patch by Nick Williams. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.38 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Ensure that the request start time (used by the access log valve to |
| calculate request processing time) is correctly recorded for the HTTP |
| NIO connector. In some cases the request processing time may have been |
| longer than that recorded. (markt) |
| </fix> |
| <update> |
| Add one more library from JDK 7 to the value of <code>jarsToSkip</code> |
| property in the <code>catalina.properties</code> file. (kkolinko) |
| </update> |
| <add> |
| <bug>53871</bug>: If annotation scanning results in a |
| <code>StackOverflowError</code> due to broken class dependencies, add |
| the class hierarchy that triggered the exception to the error message. |
| (markt) |
| </add> |
| <add> |
| Add a new option to the standard JarScanner implementation |
| (<code>scanBootstrapClassPath</code>) to control if the bootstrap |
| classpath is scanned or not. By default, it will not be scanned. (markt) |
| </add> |
| <update> |
| Provide more consolidated servlet MBean data in the webapp MBean. |
| (rjung) |
| </update> |
| <fix> |
| <bug>54584</bug>: Take account of the delegate attribute when building |
| the web application class path to pass to the JSP compiler. (markt) |
| </fix> |
| <fix> |
| Copy the updated and re-packaged UTF-8 decoder from Tomcat 8.0.x and use |
| this improved decoder for WebSocket connections. Remove the WebSocket |
| specific UTF-8 decoder. (markt) |
| </fix> |
| <fix> |
| <bug>54602</bug>: Recycle the byte to character converter used for URIs |
| between requests to ensure an error in one request does not trigger a |
| failure in the next request. (markt) |
| </fix> |
| <fix> |
| Use the newly added improved UTF-8 decoder for decoding UTF-8 encoded |
| URIs and UTF-8 encoded request bodies. Invalid UTF-8 URIs will not |
| cause an error but will make use of the replacement character when an |
| error is detected. This will allow web applications to handle the URI |
| which will most likely result in a 404 response. The fall-back to |
| decoding with ISO-8859-1 if UTF-8 decoding fails has been removed. |
| Invalid UTF-8 sequences in a request body will trigger an IOException. |
| The way the decoder is used has also been improved. The notable change |
| is that invalid sequences at the end of the input now trigger an error |
| rather than being silently swallowed. (markt) |
| </fix> |
| <fix> |
| <bug>54624</bug>: Ensure that the correct request body length is used |
| when swallowing a request body after FORM authentication prior to |
| restoring the original request preventing possible hanging when |
| restoring POST requests submitted over AJP. (markt) |
| </fix> |
| <fix> |
| <bug>54628</bug>: When writing binary WebSocket messages write from |
| start position in array rather than the start of the array. Patch |
| provided by blee. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Refactor char encoding/decoding using NIO APIs. (remm) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>54203</bug>: Complete the Javadoc for |
| <code>javax.servlet.http.Part</code>. (markt) |
| </fix> |
| <fix> |
| <bug>54638</bug>: Fix display of "Used" memory value for memory pools |
| on the status page in Manager web application when the page is rendered |
| as XML. (kkolinko) |
| </fix> |
| <fix> |
| Correct typos in configuration samples on SSL Configuration page |
| of Tomcat documentation. (kkolinko) |
| </fix> |
| <update> |
| Disable support for comments on Changelog page of Tomcat |
| documentation. (kkolinko) |
| </update> |
| <fix> |
| Fix several issues with <code>status.xsd</code> schema in Manager web |
| application, testing it against actual output of StatusTransformer |
| class. (kkolinko) |
| </fix> |
| <fix> |
| Clarify the documentation on how context paths may be configured for web |
| applications. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| <bug>54601</bug>: Change <code>catalina.sh</code> to consistently use |
| <code>LOGGING_MANAGER</code> variable to configure logging, |
| instead of modifying <code>JAVA_OPTS</code> one. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.37 (markt)" rtext="released 2013-02-18"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>54521</bug>: Ensure that concurrent requests that require a DIGEST |
| authentication challenge receive different nonce values. (markt) |
| </fix> |
| <fix> |
| <bug>54534</bug>: Ensure that, if a call to |
| <code>StandardWrapper#isSingleThreadModel()</code> triggers the loading |
| of a Servlet, the correct class loader is used. (markt) |
| </fix> |
| <fix> |
| <bug>54536</bug>: Ensure the default error page is displayed if a custom |
| HTTP status code is used when calling |
| <code>HttpServletResponse#sendError(int, String)</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>54456</bug>: Ensure that, if a client aborts a request when sending |
| a chunked request body, this is communicated correctly to the client |
| reading the request body. (markt) |
| </fix> |
| <update> |
| Update the native component of the APR/native connector to 1.1.27 and |
| make that version the recommended minimum version. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>54239</bug>: Enable web applications to provide their own |
| Expression Language interpreter to enable them to optimise processing of |
| expressions. Based on a patch by Sheldon Shao. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>54505</bug>: Create clearer links from the JNDI How-To to the |
| Tomcat specific options for configuring JNDI resources. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update to Apache Commons Daemon 1.0.13. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.36 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Make additional allowances for buggy client implementations of HTTP |
| DIGEST authentication. This is a follow-on to <bug>54060</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>54438</bug>: Fix a regression in the fix for <bug>52953</bug> that |
| triggered a NPE when digested passwords were used and an authentication |
| attempt was made for a user that did not exist in the realm. (markt) |
| </fix> |
| <fix> |
| <bug>54448</bug>: Correctly handle <code>@Resource</code> annotations on |
| primitives. Patch provided by Violeta Georgieva. (markt) |
| </fix> |
| <fix> |
| <bug>54450</bug>: Correctly handle resource injection when part of the |
| servlet properties uses <code>@Resource</code> and the other uses |
| <code>injection-target</code>. Patch provided by Violeta Georgieva. |
| (markt) |
| </fix> |
| <fix> |
| <bug>54458</bug>: Include exception when logging errors in the |
| DataSourceRealm. Patch provided by Violeta Georgieva. (markt) |
| </fix> |
| <fix> |
| <bug>54483</bug>: Correct one of the Spanish translations. Based on a |
| suggestion from adinamita. (markt) |
| </fix> |
| <fix> |
| Prevent the SSO deregister when a web application is stopped or reloaded. |
| When StandardManager(pathname="") or DeltaManager stops normally, all |
| sessions in the context are expired. |
| In this case, because most sessions have not timed out, SSO deregister was |
| triggered. (kfujino) |
| </fix> |
| <fix> |
| Include the exception in the log message if the parsing of the |
| context.xml file fails. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>54497</bug>: Make memory leak detection code more robust so a |
| failure in the leak detection code does not prevent the Context from |
| stopping unless the error is fatal to the JVM. (markt) |
| </fix> |
| <fix> |
| <bug>54507</bug>: Do not start the background thread that is used for |
| expiring sessions (amongst other things) until the web application is |
| fully started. Stop the background thread as soon as the web application |
| is stopped. (markt) |
| </fix> |
| <fix> |
| Allow WebSocket Ping/Pong messages to be sent between fragments of a |
| fragmented message. (markt) |
| </fix> |
| <fix> |
| <bug>54612</bug>: Check if the socket is closed before trying to write a |
| WebSocket message to it. Also, flush any partial buffered data before |
| closing the socket. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>54324</bug>: Allow APR connector to disable TLS compression |
| if OpenSSL supports it. (schultz) |
| </fix> |
| <fix> |
| <bug>54406</bug>: Fix NIO HTTPS connector to prune specified |
| <code>ciphers</code> and <code>sslEnabledProtocols</code> options to those |
| supported by the SSL implementation, sharing logic with the BIO |
| connector. Modified ciphers and sslEnabledProtocols option pruning to |
| not silently revert to JVM defaults when none of the options specified |
| are supported - new behaviour is to warn and explicitly enable no |
| options. (timw) |
| </fix> |
| <fix> |
| Align NIO HTTP connector with other HTTP connectors and include leading |
| blank lines when determining the size of the HTTP headers. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>53869</bug>: Performance improvement for pages with lots of heavily |
| nested tags. Retain a reference to the root JSP context rather than |
| traversing the hierarchy on every call. Based on a patch suggested by |
| Sheldon Shao. (markt) |
| </fix> |
| <fix> |
| <bug>54440</bug>: Correct a regression caused by the changes for |
| <bug>54240</bug> that broke compilation of JSPs with JspC. Patch |
| provided by Sheldon Shao. (markt) |
| </fix> |
| <fix> |
| <bug>54466</bug>: Improve error message by including the name of the |
| file when the java file generated from a tag file cannot be compiled. |
| Based on a patch by Sheldon Shao. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Fix incorrect increment of <code>counterSend_EVT_SESSION_EXPIRED</code> |
| and <code>counterSend_EVT_CHANGE_SESSION_ID</code>. These values are not |
| incremented if no members are active in the cluster group. (kfujino) |
| </fix> |
| <fix> |
| <bug>54476</bug>: Correct error in Javadoc of GroupChannel send methods |
| to make clear that the minimum length of the destination member array |
| is one, not two. (markt) |
| </fix> |
| <fix> |
| Prevent SSO deregister when a node shuts down normally in a cluster |
| environment. (kfujino) |
| </fix> |
| <fix> |
| Check cluster member before sending replicate message in |
| ClusterSingleSignOn. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>54461</bug>: Improve the documentation for the compiler attribute |
| in the Jasper how-to. (markt) |
| </fix> |
| <add> |
| Add Jespa to the list of third-party Windows authentication providers |
| and make external links in the documentation for those providers |
| <code>no-follow</code>. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| <bug>54496</bug>: Don't use a hard-coded class name in |
| <code>MemberImpl.toString()</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update to Apache Commons Daemon 1.0.12. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.35 (markt)" rtext="released 2013-01-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>54247</bug>: Prevent <code>ClassNotFoundException</code>s on stop |
| when running as a service. (markt) |
| </fix> |
| <fix> |
| <bug>54249</bug>: Ensure resource properties are available when the |
| context path contains encoded characters such as a space. This triggered |
| compilation issues in Jasper. Patch provided by Polina Genova. (markt) |
| </fix> |
| <fix> |
| <bug>54256</bug>: Improve error reporting when a JAR file fails |
| extension validation by including the name of the JAR file in the |
| exception. (markt) |
| </fix> |
| <fix> |
| Allow web applications to be stopped cleanly even if filters throw |
| exceptions when their destroy() method is called. (markt/kkolinko) |
| </fix> |
| <fix> |
| Fix memory leak of servlet instances when running with a |
| SecurityManager and either init() or destroy() methods fail |
| or the servlet is a SingleThreadModel one. (kkolinko) |
| </fix> |
| <scode> |
| Cleanup method cache lookup code in <code>SecurityUtil</code> class. |
| (kkolinko) |
| </scode> |
| <add> |
| Make the Tomcat 7 non-JSR356 WebSocket implementation non-blocking |
| (where supported by the connector) between the HTTP upgrade and the |
| first WebSocket message from the client to the server. (markt) |
| </add> |
| <fix> |
| <bug>54262</bug>: Ensure that an empty |
| <code>&lt;absolute-ordering /&gt;</code> element in the main web.xml |
| file disables scanning for web fragments. Based on a patch by Violeta |
| Georgieva. (markt) |
| </fix> |
| <fix> |
| <bug>54284</bug>: As per clarification from the Servlet EG, anonymous |
| Filters and Servlets are not permitted. Patch by Violeta Georgieva. |
| (markt) |
| </fix> |
| <fix> |
| <bug>54371</bug>: Prevent exceptions when processing web fragments for |
| unexpanded WAR files when the context path contains characters that |
| need to be encoded in URLs such as spaces. Based on a patch by Polina |
| Genova. (markt) |
| </fix> |
| <add> |
| <bug>54372</bug>: Make HTTP Digest authentication header parsing |
| tolerant of invalid headers sent by known buggy clients. (markt) |
| </add> |
| <fix> |
| <bug>54377</bug>: Correctly set request attributes for AccessLog in |
| RemoteIpFilter. Patch by Violeta Georgieva. (markt) |
| </fix> |
| <fix> |
| <bug>54379</bug>: Implement support for post-construct and pre-destroy |
| elements in web.xml. Patch by Violeta Georgieva. (markt) |
| </fix> |
| <fix> |
| <bug>54380</bug>: Do not try to register servlets or contexts into the |
| mapper too early (which just caused a warning to be logged). (kkolinko) |
| </fix> |
| <fix> |
| Fix NPE in <code>WebappLoader.stopInternal</code> when stop is called |
| after a failed start. (kkolinko) |
| </fix> |
| <add> |
| <bug>54381</bug>: Add support for receiving WebSocket pong messages. |
| (markt) |
| </add> |
| <fix> |
| <bug>54382</bug>: Fix NPE when SSI processing is enabled and an empty |
| SSI directive is present. (markt) |
| </fix> |
| <fix> |
| Fix <code>ArrayIndexOutOfBoundsException</code> in |
| <code>HttpParser</code> when parsing incorrect HTTP headers. (kkolinko) |
| </fix> |
| <fix> |
| <bug>54387</bug>: Deployment must fail when multiple servlets are mapped |
| to the same url-pattern. (markt) |
| </fix> |
| <fix> |
| <bug>54391</bug>: Provide a value for the |
| <code>javax.servlet.context.orderedLibs</code> attribute. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>54248</bug>: Ensure that byte order marks are swallowed when using |
| a Reader to read a request body with a BOM for those encodings that |
| require byte order marks. (markt) |
| </fix> |
| <fix> |
| Fix release of processors in <code>AjpNioProtocol</code>. Wrong object |
| was used as a key in the connections map. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>54240</bug>: Add support for auto-detection and configuration of |
| JARs on the classpath that provide tag plug-in implementations. Based on |
| a patch by Sheldon Shao. (markt) |
| </add> |
| <fix> |
| <bug>54241</bug>: Revert the fix for <bug>35410</bug> as it was not |
| compliant with the JSP specification, specifically that |
| <code>&lt;%= obj %&gt;</code> must be translated to |
| <code>out.print(obj)</code> which in turn becomes |
| <code>out.write(String.valueOf(obj))</code>. This will trigger a |
| <code>NullPointerException</code> if <code>obj.toString()</code> returns |
| <code>null</code>. The fix for <bug>35410</bug> incorrectly suppressed |
| the <code>NullPointerException</code> in this case. (markt) |
| </fix> |
| <fix> |
| <bug>54242</bug>: Correctly handle null iterations within the JSTL |
| ForEach tag plug-in implementation. Patch provided by Sheldon Shao. |
| (markt) |
| </fix> |
| <fix> |
| <bug>54260</bug>: Avoid <code>NullPointerException</code> when using |
| JSP unloading and tag files. (markt) |
| </fix> |
| <fix> |
| <bug>54370</bug>: Improve handling of nulls when trying to match sets of |
| parameters to a method in EL. (markt) |
| </fix> |
| <fix> |
| <bug>54338</bug>: Correctly coerce the value to the expected type when |
| using the tag plug-in for the JSTL set tag. Patch provided by Sheldon |
| Shao. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>54244</bug>: Clarify the documentation for the BIO and NIO SSL |
| configuration attributes <code>sslEnabledProtocols</code> and |
| <code>sslProtocol</code> within the documentation web application. |
| (markt) |
| </fix> |
| <add> |
| Integrate documentation of Tomcat 7 with Apache Comments System. |
| People can leave their comments when reading documentation online |
| at the <a href="http://tomcat.apache.org/">tomcat.apache.org</a> |
| site. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>54390</bug>: Use 'java_home' on Mac OS X to auto-detect JAVA_HOME. |
| (schultz) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.34 (markt)" rtext="released 2012-12-12"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>53871</bug>: Improve error message if annotation scanning fails |
| during web application start due to poor configuration or illegal |
| cyclic inheritance with the application's classes. (markt) |
| </fix> |
| <fix> |
| Fix unit test for AccessLogValve when using non-GMT time zone. (rjung) |
| </fix> |
| <fix> |
| <bug>54170</bug>: Ensure correct registration of Filters and Servlets in |
| the JMX registry if the Filter or Servlet name includes a character that |
| must be quoted if used in an ObjectName value. (markt) |
| </fix> |
| <add> |
| Add new attribute <code>renameOnRotate</code> to the AccessLogValve. |
| (rjung) |
| </add> |
| <fix> |
| <bug>54190</bug>: Correct unit tests for BASIC authentication so that |
| session timeout is correctly tested. Also refactor unit test to make it |
| easier to add additional tests. Patch by Brian Burch. (markt) |
| </fix> |
| <fix> |
| <bug>54220</bug>: Ensure the ErrorReportValve only generates an error |
| report if the error flag on the response has been set. (markt) |
| </fix> |
| <fix> |
| Simplify time zone handling in the access log valve and correctly handle |
| various edge cases for non-standard DST changes. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>54198</bug>: Clarify that |
| <code>HttpServletResponse.sendError(int)</code> results in an HTML |
| response by default. (markt) |
| </fix> |
| <fix> |
| <bug>54207</bug>: Correct JNDI factory package name in Javadoc for |
| <code>org.apache.naming.java.javaURLContextFactory</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <scode> |
| Fix a handful of Eclipse warnings in the JDBC pool source code including |
| the warnings reported in <bug>53565</bug>. (markt) |
| </scode> |
| <fix> |
| <bug>54150</bug>: Make sure that SlowQueryReportJmx mbean is deregistered |
| during webapp shutdown. Reported by Alex Franken. (kfujino) |
| </fix> |
| <fix> |
| <bug>54194</bug>: Make sure that connection pool mbean is not registered |
| when jmxEnabled is false. Patch provided by tobias.gierke. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update to Eclipse JDT Compiler 4.2.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.33 (markt)" rtext="released 2012-11-21"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>53960</bug>, <bug>54115</bug>: Extensions to HttpClient test |
| helper class. Patches by Brian Burch. (markt/kkolinko) |
| </add> |
| <fix> |
| <bug>53993</bug>: Avoid a possible NPE in the AccessLogValve when the |
| session ID is logged and a session is invalidated. (markt) |
| </fix> |
| <fix> |
| Add support for LAST_ACCESS_AT_START system property to |
| PersistentManager. (kfujino) |
| </fix> |
| <add> |
| Update MIME type mapping with additional / updated mime.types from the |
| Apache web server. (markt) |
| </add> |
| <fix> |
| <bug>54007</bug>: Fix a memory leak that prevented deletion of a |
| context.xml file associated with a Context that had failed to deploy. |
| Also fix the problems uncovered with undeploying such a Context once the |
| leak had been fixed and the file could be deleted. (markt) |
| </fix> |
| <fix> |
| <bug>54044</bug>: Correct bug in timestamp cache used by logging |
| (including the access log valve) that meant entries could be made with |
| an earlier timestamp than the true timestamp. (markt) |
| </fix> |
| <fix> |
| <bug>54054</bug>: Do not share shell environment variables between |
| multiple instances of the CGI servlet. (markt) |
| </fix> |
| <fix> |
| <bug>54060</bug>: Use a simple parser rather than a regular expression |
| to parse HTTP Digest authentication headers so the header is correctly |
| parsed. The new approach is also faster and generates less garbage. |
| (markt) |
| </fix> |
| <fix> |
| <bug>54068</bug>: Rewrite the web fragment ordering algorithm to resolve |
| multiple issues that resulted in incorrect ordering or failure to find |
| a correct, valid order. (markt) |
| </fix> |
| <update> |
| The HTTP header parser added to address <bug>52811</bug> has been |
| removed and replaced with the light-weight HTTP header parser created to |
| address <bug>54060</bug>. The new parser includes a work-around for a |
| bug in the Adobe Acrobat Reader 9.x plug-in for Microsoft Internet |
| Explorer that was identified when the old parser was introduced |
| (<bug>53814</bug>). |
| </update> |
| <fix> |
| <bug>54076</bug>: Add an alternative work-around for clients that use |
| SPNEGO authentication and expect the authenticated user to be cached |
| per connection (Tomcat only does this if an HTTP session is available). |
| (markt) |
| </fix> |
| <fix> |
| <bug>54087</bug>: Correctly handle (ignore) invalid If-Modified-Since |
| header rather than throwing an exception. (markt) |
| </fix> |
| <fix> |
| <bug>54096</bug>: In web.xml, &lt;env-entry&gt; should accept any type |
| that has a constructor that takes a single String or char. (markt) |
| </fix> |
| <add> |
| <bug>54127</bug>: Add support for sending a WebSocket Ping. Patch |
| provided by Sean Winterberger. (markt) |
| </add> |
| <fix> |
| Fix CVE-2013-2067: |
| In FormAuthenticator: If it is configured to change Session IDs, |
| do the change before displaying the login form. (kkolinko) |
| </fix> |
| <fix> |
| Ensure <code>AsyncListener.timeout()</code> and |
| <code>AsyncListener.complete()</code> are called with the correct |
| thread context class loader. (fhanik) |
| </fix> |
| <fix> |
| <bug>54123</bug>: If an asynchronous request times out without any |
| <code>AsyncListener</code>s defined, a 500 error will be triggered. |
| (markt) |
| </fix> |
| <fix> |
| <bug>54124</bug>: Correct provided value of request attribute |
| <code>javax.servlet.async.request_uri</code> and add missing request |
| attribute <code>javax.servlet.async.path_info</code>. (markt) |
| </fix> |
| <add> |
| Add <code>denyStatus</code> initialization parameter to |
| <code>CsrfPreventionFilter</code>, allowing customization of the HTTP |
| status code used for denied requests. (kkolinko) |
| </add> |
| <fix> |
| <bug>54141</bug>: Increase the permitted number of nested Realm levels |
| from 2 to 3 by default and make the limit configurable via a system |
| property. (markt) |
| </fix> |
| <fix> |
| Revert occasional API change in <code>BaseDirContext</code> class that |
| was done in 7.0.32. Methods should not be <code>final</code>. (kkolinko) |
| </fix> |
| <fix> |
| Prevent failures in the AccessLogValve when running under a |
| SecurityManager and the first request received is an asynchronous one. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct an issue that prevented WebSockets from being used over SSL when |
| using the HTTP NIO connector. (markt) |
| </fix> |
| <fix> |
| <bug>54022</bug>: Ensure the Comet END event is triggered on client |
| disconnect with APR/native on Windows Vista/2k8 or later. Patch provided |
| by Douglas Beachy. (markt) |
| </fix> |
| <fix> |
| <bug>54067</bug>: Ensure responses with 1xx response codes are correctly |
| marked as not containing an entity body. This caused an issue for some |
| WebSocket clients when a Transfer-Encoding header was sent with the |
| 101 (HTTP upgrade) response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <scode> |
| <bug>53867</bug>: Optimise the XML escaping provided by the PageContext |
| implementation. Based on a patch by Sheldon Shao. (markt) |
| </scode> |
| <scode> |
| <bug>53896</bug>: Use an optimised CompositeELResolver for Jasper that |
| skips resolvers that are known to be unable to resolve the value. Patch |
| by Jarek Gawor. (markt) |
| </scode> |
| <fix> |
| <bug>53986</bug>: Correct a regression introduced by the fix for |
| <bug>53713</bug>. JSP comments that ended with the sequence ---%> (or |
| any similar sequence with an odd number of - characters) were not |
| correctly parsed. (markt) |
| </fix> |
| <fix> |
| <bug>54011</bug>: Fix a bug in the tag plug-in for |
| <code>&lt;c:out&gt;</code> that triggered a JSP compilation error if the |
| <code>escapeXml</code> attribute was used. Patch provided by Sheldon |
| Shao. (markt) |
| </fix> |
| <scode> |
| Follow up to <bug>54011</bug>. Simplify generated code for |
| <code>&lt;c:out&gt;</code>. Based on a patch by Sheldon Shao. (markt) |
| </scode> |
| <fix> |
| <bug>54012</bug>: Fix a bug in the tag plug-in infrastructure that meant |
| the <code>&lt;c:set&gt;</code> triggered a JSP compilation error when |
| used in a tag file. Based on a patch provided by Sheldon Shao. (markt) |
| </fix> |
| <scode> |
| <bug>54017</bug>: Simplify coercion of <code>String</code> instances to |
| <code>Object</code>. (markt) |
| </scode> |
| <fix> |
| <bug>54144</bug>: Fix a bug in the tag plug-in for |
| <code>&lt;c:out&gt;</code> that meant that if the value of the tag |
| evaluated to a <code>java.io.Reader</code> object then it was not |
| correctly handled. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Add getSessionIdsFull operation to mbeans-descriptor. listSessionIdsFull |
| no longer exists. (kfujino) |
| </fix> |
| <fix> |
| <bug>54086</bug>: Fix threading issue when stopping an |
| <code>NioReceiver</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>54143</bug>: Add display of the memory pools usage (including |
| PermGen) to the Status page of the Manager web application. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| <bug>54045</bug>: Make sure getMembers() returns available member when |
| TcpFailureDetector works in static cluster. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.32 (markt)" rtext="released 2012-10-09"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Revert multiple operation support for the <code>JMXProxyServlet</code> |
| pending further discussion. (schultz) |
| </fix> |
| <fix> |
| CVE-2012-4431: Fix bypass of <code>CsrfPreventionFilter</code> when |
| there is no session. Improve session management in the filter. |
| (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct a couple of broken links in the Tomcat Javadoc. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update optional Checkstyle library to 5.6. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.31 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| Add one library from JDK 7 to the value of <code>jarsToSkip</code> |
| property in the <code>catalina.properties</code> file. (kkolinko) |
| </update> |
| <add> |
| <bug>52777</bug>: Add an option to automatically remove old, unused |
| versions (ones where there are no longer any active sessions) of |
| applications deployed using parallel deployment. (markt) |
| </add> |
| <fix> |
| <bug>53828</bug>: Use correct status code when closing a WebSocket |
| connection normally in response to a close frame from a client. (markt) |
| </fix> |
| <update> |
| <code>JMXProxyServlet</code> now allows multiple operation commands like |
| <code>invokeAndSet</code>, <code>invokeAndGet</code>, |
| etc. (schultz) <em>Note</em>: reverted in 7.0.32. |
| </update> |
| <fix> |
| <bug>53843</bug>: <code>request.isAsyncStarted()</code> must continue to |
| return true until the dispatch actually happens (which at the earliest |
| isn't until the thread where <code>startAsync()</code> was called |
| returns to the container). (markt) |
| </fix> |
| <fix> |
| <bug>53863</bug>: Ensure that the implicit servlets (JSP and default) are |
| marked as override-able when using embedded mode. (markt) |
| </fix> |
| <fix> |
| When the <code>DefaultServlet</code> is under heavy load, the HTTP |
| header parser added to address <bug>52811</bug> generates large amounts |
| of garbage and uses significant CPU time. A cache has been added that |
| significantly reduces the overhead of this parser. (markt) |
| </fix> |
| <fix> |
| <bug>53854</bug>: Make directory listings work correctly when aliases |
| are used. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <scode> |
| <bug>53713</bug>: Performance improvement of up to four times faster |
| parsing of JSP pages. Patch provided by Sheldon Shao. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Make the cluster members and the cluster deployer associated with the |
| cluster accessible via JMX. (markt) |
| </add> |
| <fix> |
| Fix a behavior of TcpPingInterceptor#useThread. If set to false, ping |
| thread is never started. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Improve the documentation web application to clarify the difference |
| between the tag and version parameters when using text interface of the |
| Manager web application. (markt) |
| </add> |
| <add> |
| Make sessions saved in the <code>Store</code> associated with a |
| <code>Manager</code> that extends <code>PersistentManager</code> |
| optionally visible (via the showProxySessions Servlet initialisation |
| parameter in web.xml) to the Manager web application. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.30 (markt)" rtext="released 2012-09-06"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Automatically delete temporary files used by Servlet 3.0 file |
| upload (for parts whose size is greater than the |
| <code>file-size-threshold</code> option in web.xml) |
| when request processing completes. (kkolinko) |
| </fix> |
| <fix> |
| <bug>53071</bug>: This additional fix for this issue improves the |
| formatting of Jasper errors (or any exceptions that use a multi-line |
| message) with the <code>ErrorReportValve</code>. (markt) |
| </fix> |
| <fix> |
| <bug>53469</bug>: If a URL passed to |
| <code>javax.servlet.http.HttpServletResponse.encodeURL()</code> cannot |
| be made absolute, never encode it and return it unchanged. Previously, |
| the fix for <bug>53062</bug> meant that an |
| <code>IllegalArgumentException</code> was thrown. (markt) |
| </fix> |
| <fix> |
| <bug>53481</bug>: Added support for SSLHonorCipherOrder to allow |
| the server to impose its cipher order on the client. Based on a patch |
| provided by Marcel Šebek. This feature requires |
| Tomcat Native 1.1.25 or later. (schultz) |
| </fix> |
| <fix> |
| <bug>53498</bug>: Fix atomicity bugs in use of concurrent collections. |
| Based on a patch by Yu Lin. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the previous fix for <bug>53062</bug> that did |
| not always correctly normalize redirect URLs when the redirect URL |
| included a query string or fragment component. (markt) |
| </fix> |
| <fix> |
| Add missing getter and setter for <code>roleSearchAsUser</code> option |
| on JNDI Realm. (markt) |
| </fix> |
| <update> |
| Add some HTTP status codes registered at IANA. (rjung) |
| </update> |
| <fix> |
| <bug>53531</bug>: Fix ExpandWar.expand to check the return value of |
| File.mkdir and File.mkdirs. (schultz) |
| </fix> |
| <fix> |
| <bug>53535</bug>: Reduce memory footprint when performing class scanning |
| on Context start. Patch provided by Cedomir Igaly. (markt) |
| </fix> |
| <fix> |
| <bug>53541</bug>: Fix JAR scanning when WEB-INF/lib is provided via |
| VirtualDirContext. Patch provided by Philip Zuev. (markt) |
| </fix> |
| <fix> |
| <bug>53574</bug>: Ensure Servlets defined using jsp-file are available |
| when metadata-complete is true. (markt) |
| </fix> |
| <fix> |
| <bug>53584</bug>: Ignore path parameters when comparing URIs for FORM |
| authentication. This prevents users being prompted twice for passwords |
| when logging in when session IDs are being encoded as path parameters. |
| (markt) |
| </fix> |
| <fix> |
| <bug>53623</bug>: When performing an asynchronous dispatch after a series |
| of forwards, ensure that the request properties are correct for the |
| request at each stage. (markt) |
| </fix> |
| <fix> |
| <bug>53624</bug>: Ensure that |
| <code>HttpServletResponse.sendRedirect()</code> works when called after |
| a dispatch from an <code>AsyncContext</code>. (markt) |
| </fix> |
| <fix> |
| <bug>53641</bug>: Correct name of HTTP header used in WebSocket |
| handshake for listing the preferred protocols. (markt) |
| </fix> |
| <scode> |
| Document the constants that were added to the |
| <code>RequestDispatcher</code> interface in Servlet 3.0. (kkolinko) |
| </scode> |
| <fix> |
| Ensure custom error pages are not truncated if the page that triggered |
| the error set a content length header. (markt) |
| </fix> |
| <fix> |
| <bug>53677</bug>: Ensure that a 500 response rather than no response is |
| returned if the HTTP headers exceed the size limit. (markt) |
| </fix> |
| <fix> |
| <bug>53702</bug>: When merging web.xml fragments, allow for |
| <code>&lt;jsp-property-group&gt;</code> elements having multiple |
| <code>&lt;url-pattern&gt;</code> elements. (markt) |
| </fix> |
| <add> |
| Always make the resulting web.xml available even if metadata-complete is |
| true. (markt) |
| </add> |
| <fix> |
| <bug>53714</bug>: Provide separate system properties to control which |
| JARs are excluded from which scans when using the JarScanner. This |
| allows JARs to be excluded from all scans or only from TLD scanning |
| and/or Servlet 3.0 pluggability scanning. (markt) |
| </fix> |
| <update> |
| Add several JDK libraries to the value of <code>jarsToSkip</code> |
| property in the <code>catalina.properties</code> file. (markt, kkolinko) |
| </update> |
| <fix> |
| Fix typos etc. in the code that logs merged web.xml (as enabled by |
| <code>logEffectiveWebXml</code> option on Context). (kkolinko) |
| </fix> |
| <fix> |
| <bug>53758</bug>: When adding filters via |
| <code>FilterRegistration.Dynamic</code> the filters were added at the |
| wrong point because the <code>isMatchAfter</code> logic was inverted. |
| (markt) |
| </fix> |
| <fix> |
| <bug>53783</bug>: Correctly handle JARs generated by tools that do not |
| create specific entries for directories. Patch provided by Violeta |
| Georgieva. (markt) |
| </fix> |
| <fix> |
| Improvements to DIGEST authenticator including disabling caching of the |
| authenticated user in the session by default, tracking server rather than |
| client nonces and better handling of stale nonce values. (markt) |
| </fix> |
| <fix> |
| Improve performance of DIGEST authenticator for concurrent requests. |
| (markt) |
| </fix> |
| <fix> |
| CVE-2012-3546: Fix bypass of security constraint checks with FORM |
| authentication. Remove unneeded processing in <code>RealmBase</code>. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>53800</bug>: <code>FileDirContext.list()</code> did not provide |
| correct paths for subdirectories. Patch provided by Kevin Wooten. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>53801</bug>: Overlapping URL patterns were sometimes merged |
| incorrectly in security constraints leading to incorrect 401 responses. |
| Note: it was possible for access to be denied when it should have been |
| granted but it was not possible for access to be granted when it should |
| have been denied. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Remove the <code>socket.soTrafficClass</code> from the BIO and NIO |
| HTTP and AJP connectors because any use of the option is either ignored |
| or in some cases (Java 7 with NIO) throws an Exception. (markt) |
| </fix> |
| <fix> |
| Prevent possible NPE when processing Comet requests during Connector |
| shutdown. (markt) |
| </fix> |
| <fix> |
| <bug>42181</bug>: Better handling of edge conditions in chunk header |
| processing. (kkolinko) |
| </fix> |
| <fix> |
| <bug>53697</bug>: Correct a regression in the fix for <bug>51881</bug> |
| that meant that in some circumstances the <code>comet</code> flag was not |
| reset on <code>HttpAprProcessor</code> instances. This caused problems |
| when the Processor was re-used for a new connection that would trigger a |
| <code>NullPointerException</code> and could result in a JVM crash. |
| (markt) |
| </fix> |
| <fix> |
| <bug>53725</bug>: Fix possible corruption of GZIP'd output. |
| (markt/kkolinko) |
| </fix> |
| <fix> |
| Better parsing of line-terminators for requests using chunked encoding. |
| (markt) |
| </fix> |
| <fix> |
| Further improvements to handling of Comet END events when the connector |
| is stopped. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>53545</bug>: Ensure buffered data is cleared when using a |
| jsp:forward action inside a classic custom tag. (markt) |
| </fix> |
| <fix> |
| <bug>53654</bug>: Support <code>file://</code> URLs for JSP |
| dependencies. Patch provided by Viola Lu. (markt) |
| </fix> |
| <fix> |
| <bug>53792</bug>: Support <code>MethodExpression</code>s that include a |
| method invocation that is not at the end of the expression. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Fix an issue when running under Java 7 which throws exceptions when |
| trying to set an invalid option whereas Java 6 silently swallowed them. |
| The option causing the problem was <code>soTrafficClass</code>. |
| Investigations showed that this option had no effect for Cluster Channel |
| Receivers so it was removed. (markt) |
| </fix> |
| <fix> |
| <bug>53513</bug>: Fix race condition between the processing of session |
| sync message and transfer complete message. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Update JSTL version information in the JNDI section of the documentation |
| web application. (markt) |
| </fix> |
| <fix> |
| <bug>53524</bug>: Correct a typo in the cluster how-to section of the |
| documentation web application. Also fix a handful of spelling errors. |
| (markt) |
| </fix> |
| <fix> |
| <bug>53601</bug>: Clarify in documentation that building Apache Tomcat 7 |
| from sources requires a Java 6 JDK. (kkolinko) |
| </fix> |
| <fix> |
| <bug>53653</bug>: Allow for wrapped source code example in |
| config/context.html. Patch provided by Terence Bandoian. (schultz) |
| </fix> |
| <update> |
| <bug>53793</bug>: Change links on the list of applications in the |
| Manager to point to '/appname/' instead of '/appname'. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Avoid potential NPE identified by Find Bugs in |
| <code>org.apache.catalina.tribes.io.ReplicationStream</code>. (markt) |
| </fix> |
| <fix> |
| <bug>53606</bug>: Fix potential NPE in <code>TcpPingInterceptor</code>. |
| Based on a patch by F. Arnoud. (markt) |
| </fix> |
| <fix> |
| <bug>53607</bug>: To avoid NPE, set TCP PING data to ChannelMessage. |
| Patch provided by F. Arnoud. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>53701</bug>: Javadoc fixes. Patch provided by sebb. (markt) |
| </fix> |
| <scode> |
| Remove some unused code from Tomcat's package renamed, cut-down |
| copy of Commons BCEL used for annotation scanning. (markt) |
| </scode> |
| <add> |
| <bug>53735</bug>: Add support for Java 7 byte code to Tomcat's |
| package renamed, cut-down copy of Commons BCEL used for annotation |
| scanning. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.29 (markt)" rtext="released 2012-07-08"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Add support for searching for roles in JNDI/LDAP |
| using a value other than the actual DN or username specified. |
| Instead, it will use a value from the user's directory entry. |
| The new attribute introduced to the JNDIRealm is userRoleAttribute. |
| (fhanik) |
| </add> |
| <fix> |
| Fix checking of recommended tcnative library version when using the APR |
| connector. (rjung) |
| </fix> |
| <update> |
| <bug>50306</bug>: Improve StuckThreadDetectionValve: add |
| stuckThreadNames property as a pair for the stuckThreadIds one, |
| add thread ids to the log messages. (kkolinko) |
| </update> |
| <add> |
| <bug>52135</bug>: Add support for a default error page to be defined in |
| web.xml by defining an error page with just a nested location element. |
| It appears this feature was intended to be included in the Servlet 3.0 |
| specification but was accidentally left out. (markt) |
| </add> |
| <fix> |
| <bug>53450</bug>: Correct regression in fix for <bug>52999</bug> that |
| could easily trigger a deadlock when deploying a ROOT web application. |
| (markt) |
| </fix> |
| <fix> |
| As per section 1.6.2 of the Servlet 3.0 specification and clarification |
| from the Servlet Expert Group, the servlet specification version |
| declared in web.xml no longer controls if Tomcat scans for annotations. |
| Annotation scanning is now always performed - regardless of the version |
| declared in web.xml - unless metadata complete is set to true. (markt) |
| </fix> |
| <fix> |
| <bug>53619</bug>: As per clarification from the Servlet Expert Group, |
| JARs will always be scanned for ServletContainerInitializers regardless |
| of the setting of metadata complete. However, if an absolute ordering is |
| specified and a JAR is excluded from that ordering it will not be |
| scanned for ServletContainerInitializers nor will it be scanned for |
| matches to any HandleTypes annotations. (markt) |
| </fix> |
| <add> |
| <bug>53465</bug>: Populate mapped-name property for resources defined in |
| web.xml. Based on a patch by Violeta Georgieva. (markt) |
| </add> |
| <add> |
| Make the request available when establishing a WebSocket connection. |
| (markt) |
| </add> |
| <fix> |
| <bug>53467</bug>: Correct a regression in the fix for <bug>53257</bug> |
| that introduced problems for JSPs that used characters that must be |
| encoded if used in a URI. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>53430</bug>: Avoid a JVM crash when a connector that requires the |
| APR/native library is explicitly specified and the library, or a recent |
| enough version of it, is not available. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>53421</bug>: Provide a more helpful error message if a getter or |
| setter cannot be found for a bean property when using expression |
| language. (markt) |
| </fix> |
| <fix> |
| <bug>53460</bug>: Allow container to handle errors if the creation of the |
| PageContext fails rather than swallowing the error. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Update the WebSocket examples in the examples web application so that |
| they work with secure connections (wss) as well as non-secure (ws) |
| connections. (markt) |
| </fix> |
| <fix> |
| <bug>53456</bug>: Minor corrections and improvements to the HTTP |
| connector configuration reference. Patch provided by sebb. (markt) |
| </fix> |
| <fix> |
| <bug>53459</bug>: Correction and clarifications to the SSL Connector |
| configuration examples in the SSL how-to. (markt) |
| </fix> |
| <fix> |
| <bug>53464</bug>: Correct reference to sample init.d script for use with |
| jsvc in the documentation web application. (markt) |
| </fix> |
| <fix> |
| <bug>53473</bug>: Correct the allowed values for the SSI option |
| <code>isVirtualWebappRelative</code> which are <code>true</code> or |
| <code>false</code>. (markt) |
| </fix> |
| <fix> |
| Document <code>roleNested</code> property of <code>JNDIRealm</code> |
| in Configuration Reference. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>53445</bug> (<rev>1354173</rev>): |
| Allow configurable name for SlowQueryReportJmx (fhanik) |
| </fix> |
| <fix> |
| <bug>53416</bug> (<rev>1354641</rev>): |
| Multiple pools with the same name should register under JMX (fhanik) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Fix cleanup of temporary files in <code>TestNamingContext</code> test. |
| (kkolinko) |
| </fix> |
| <fix> |
| Remove a few files from the source distribution that are not required |
| since they are copied / generated during the build. (markt) |
| </fix> |
| <fix> |
| Add manifest files to the set of files for which the line-ending is |
| changed to match the OS defaults in the source distributions. (markt) |
| </fix> |
| <scode> |
| Align Jk Ant tasks definitions between antlib.xml and catalina.tasks |
| files, introducing <code>jkupdate</code> as synonym for |
| <code>jkstatus</code>. The latter one is deprecated. |
| Simplify <code>bin/catalina-tasks.xml</code>, replacing |
| <code>taskdef</code> with <code>typedef</code> and adding Ant condition |
| implementations used with JMX to <code>jmxaccessor.tasks</code> file. |
| (kkolinko) |
| </scode> |
| <fix> |
| <bug>53454</bug>: Return correct content-length header for HEAD requests |
| when content length is greater than 2GB. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.28 (markt)" rtext="released 2012-06-19"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>52055</bug>: An additional fix to ensure that the |
| ChunkedInputFilter is correctly recycled. (markt) |
| </fix> |
| <add> |
| <bug>52954</bug>: Make DIGEST authentication tolerant of clients (mainly |
| older Android implementations) that do not follow RFC 2617 exactly. |
| (markt) |
| </add> |
| <update> |
| <bug>52955</bug>: Implement custom thread factory for container |
| start-stop thread pool. It allows the use of daemon threads and gives |
| them more distinct names. (kfujino) |
| </update> |
| <fix> |
| <bug>52999</bug>: Remove synchronization bottleneck from the firing of |
| <code>Container</code> events. (markt) |
| </fix> |
| <add> |
| <bug>53008</bug>: Additional test cases for BASIC authentication and |
| RFC2617 compliance. Patch provided by Brian Burch. (markt) |
| </add> |
| <fix> |
| <bug>53021</bug>: Correct WebSocket protocol version detection. (pero) |
| </fix> |
| <add> |
| Add new attributes of <code>allow</code> and <code>deny</code> to |
| UserConfig. (kfujino) |
| </add> |
| <fix> |
| <bug>53024</bug>: Fix context reloading so requests received during the |
| reload are paused and processed when reloading completes rather than |
| receiving 404 responses. (markt) |
| </fix> |
| <add> |
| Improve the handling of watched resources so that changes trigger a |
| reload rather than a stop followed by a start which allows requests |
| received to be paused and processed when reloading completes rather than |
| receiving 404 responses. (markt) |
| </add> |
| <fix> |
| Remove potential bottleneck on creation of new WebSocket connections. |
| (markt) |
| </fix> |
| <fix> |
| <bug>53047</bug>: If a JDBC Realm or DataSource Realm is configured for |
| an all roles mode that only requires authorization (and no roles) and no |
| role table or column is defined, don't populate the Principal's roles. |
| (markt) |
| </fix> |
| <fix> |
| <bug>53056</bug>: Add APR version number to tcnative version INFO log |
| message. (schultz) |
| </fix> |
| <fix> |
| <bug>53057</bug>: Add OpenSSL version number INFO log message when |
| initializing. (schultz) |
| </fix> |
| <update> |
| Save a bit of memory in annotations cache in |
| <code>DefaultInstanceManager</code> by trimming annotation lists |
| to their size. (kkolinko) |
| </update> |
| <fix> |
| Correctly configure the parser used to process server.xml so that |
| external entities may be used to include the content of external files |
| into server.xml. (markt) |
| </fix> |
| <fix> |
| Make sure ContextMBean#findFilterDefs returns correct filter |
| definitions. (kfujino) |
| </fix> |
| <add> |
| Ensure that <code>maxParameterCount</code> applies to multi-part |
| requests handled via the Servlet 3 file upload API. (markt) |
| </add> |
| <fix> |
| <bug>53062</bug>: When constructing absolute URLs for redirects from |
| relative URLs ensure that the resulting URLs are normalized. (markt) |
| </fix> |
| <fix> |
| <bug>53067</bug>: Ensure the WebSocket Servlet continues to work when |
| requests are wrapped. (markt) |
| </fix> |
| <fix> |
| Enable host's xmlBase attribute in ContextConfig. (kfujino) |
| </fix> |
| <fix> |
| <bug>53071</bug>: Use the message from the throwable (if there is one) |
| when generating the report in the <code>ErrorReportValve</code> and no |
| message has been specified via <code>sendError()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>53074</bug>: Switch to an infinite socket timeout by default for |
| WebSocket connections. (markt) |
| </fix> |
| <fix> |
| <bug>53081</bug>: Do not always cache resources loaded by the web |
| application class loader since they may be very large which in turn |
| could trigger a memory leak. Calls to the web application class |
| loader's <code>getResourceAsStream()</code> method will now access |
| the resource directly rather than via the cache in most cases. (markt) |
| </fix> |
| <fix> |
| <bug>53090</bug>: Include superclasses when considering injection |
| targets. Patch provided by Borislav Kapukaranov. (markt) |
| </fix> |
| <fix> |
| <bug>53161</bug>: Provide a better error message if a |
| <code>ClassFormatException</code> occurs during annotation scanning and |
| do not prevent the web application from starting in this case. (markt) |
| </fix> |
| <fix> |
| <bug>53180</bug>: Improve check for setter method when processing |
| annotations. Patch provided by Violeta Georgieva. (markt) |
| </fix> |
| <fix> |
| <bug>53225</bug>: Fix an IllegalStateException due to the JAR file being |
| closed when accessing static resources in a JAR file when |
| <code>urlCacheProtection="false"</code> in the |
| <code>JreMemoryLeakPreventionListener</code>. (markt) |
| </fix> |
| <fix> |
| <bug>53230</bug>: Changed ManagerBase to throw |
| TooManyActiveSessionsException instead of IllegalStateException |
| when the maximum number of sessions has been exceeded and a new |
| session will not be created. (schultz) |
| </fix> |
| <fix> |
| <bug>53257</bug>: Ensure that resources, including JSP files, that have |
| names that include characters with special meanings in URLs (such as |
| ampersand, semicolon, plus, hash and percent) are correctly handled. |
| This bug is partially a regression caused by the original fix for |
| <bug>51584</bug> and partially an existing issue that had not previously |
| been identified. This fix reverts the original fix for <bug>51584</bug>, |
| correctly fixes that issue and fixes the additional issues identified by |
| the test cases that were also added as part of this fix. |
| (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>53266</bug>: If a class specified in a <code>@HandlesTypes</code> |
| annotation on a <code>ServletContainerInitializer</code> is missing |
| log a more helpful message and do not prevent the web application from |
| starting. (markt) |
| </fix> |
| <fix> |
| <bug>53267</bug>: Ensure that using the GC Daemon Protection feature of |
| the <code>JreMemoryLeakPreventionListener</code> does not trigger a |
| full GC every hour. (markt) |
| </fix> |
| <fix> |
| <bug>53285</bug>: Do not require <code>security-role-ref</code> elements |
| to contain a <code>role-link</code> element. (markt) |
| </fix> |
| <fix> |
| <bug>53301</bug>: Prevent double initialization of pre-created Servlet |
| instances when used in embedded mode. (markt) |
| </fix> |
| <fix> |
| <bug>53322</bug>: When processing resource injection, correctly infer |
| property name from its setter method if the name starts with several |
| uppercase characters. (kkolinko) |
| </fix> |
| <fix> |
| <bug>53333</bug>: When processing JNDI resources, take account of the |
| types of any specified injection targets to ensure that the resource |
| definition and the injection target types are consistent. Based on a |
| patch provided by Violeta Georgieva. (markt) |
| </fix> |
| <fix> |
| <bug>53337</bug>: Forwarding via a <code>RequestDispatcher</code> to an |
| asynchronous Servlet always failed. Includes a test case based on code |
| by Rossen Stoyanchev. (markt) |
| </fix> |
| <fix> |
| <bug>53339</bug>: Ensure WebSocket call backs (<code>onOpen</code> etc.) |
| are called using the web application's class loader. (markt) |
| </fix> |
| <fix> |
| <bug>53342</bug>: To avoid BindException, make startStopThreads into a |
| daemon thread. (kfujino) |
| </fix> |
| <fix> |
| <bug>53353</bug>: Make the internal HTTP header parser more tolerant of |
| Content-Type values that contain invalid parameters by ignoring the |
| invalid parameters. It is a followup to bug <bug>52811</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>53354</bug>: Correctly handle <code>@WebFilter</code> annotations |
| that do not include a mapping. (markt) |
| </fix> |
| <fix> |
| <bug>53356</bug>: Add support for servlets mapped explicitly to the |
| context root of a web application. (markt) |
| </fix> |
| <fix> |
| <bug>53366</bug>: Ensure new HTTP header parser works correctly when |
| running Tomcat under a security manager. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>53368</bug>: Configure the default security policy to allow web |
| applications to use WebSocket when running under a security manager. |
| (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>53373</bug>: Allow whitespace around delimiters in &lt;Context&gt; |
| aliases for readability. (schultz) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>52858</bug>, CVE-2012-4534: Correct fix for high CPU load. |
| (fhanik) |
| </fix> |
| <fix> |
| <bug>53138</bug>: Broken Sendfile on SSL introduced in 7.0.27 |
| (fhanik) |
| </fix> |
| <fix> |
| <bug>52055</bug>: Additional fix required to ensure that |
| <code>InputFilter</code>s are recycled between requests. (markt) |
| </fix> |
| <fix> |
| <bug>53061</bug>: Fix a problem in the NIO connector whereby if the |
| poller was under low but consistent load (&gt;1 request per second and |
| always less than 1 second between requests) timeouts never took place. |
| (markt) |
| </fix> |
| <fix> |
| <bug>53063</bug>: When using an Executor with BIO, use the |
| executor's maxThreads as the default for maxConnections. (markt) |
| </fix> |
| <fix> |
| <bug>53119</bug>: Prevent buffer overflow errors being reported when a |
| client disconnects before the response has been fully written from an |
| AJP connection using the APR/native connector. (markt) |
| </fix> |
| <add> |
| <bug>53169</bug>: Allow developers to avoid chunked encoding for a |
| response of unknown length by setting the <code>Connection: close</code> |
| header. Based on a patch suggested by Philippe Marschall. (markt) |
| </add> |
| <fix> |
| <bug>53173</bug>: Properly count down maxConnections (fhanik) |
| </fix> |
| <update> |
| Update default value of pollerThreadCount for the NIO connector. |
| The new default value will never go above 2 regardless of |
| available processors. (fhanik) |
| </update> |
| <add> |
| Allow the current <code>connectionCount</code> to be retrieved |
| via a getter from the endpoint and as a JMX attribute of the ThreadPool |
| mbean. (rjung) |
| </add> |
| <fix> |
| Correct an edge case where Comet END events were not sent to connected |
| clients when the Tomcat connector was stopped. (markt) |
| </fix> |
| <fix> |
| <bug>53406</bug>: Fix possible stack overflow on connection close when |
| using Comet. (fhanik) |
| </fix> |
| <fix> |
| Improve <code>InternalNioInputBuffer.parseHeaders()</code>. (kkolinko) |
| </fix> |
| <add> |
| Implement <code>maxHeaderCount</code> attribute on Connector. |
| It is the equivalent of the LimitRequestFields directive of |
| <a href="http://httpd.apache.org/">Apache HTTPD</a>. |
| Default value is 100. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>48097#c7</bug>, <bug>53366#c1</bug>: If a JSP page unexpectedly |
| fails to initialize a PageContext instance, write the exception to the logs |
| instead of silently swallowing it. (kkolinko) |
| </fix> |
| <fix> |
| <bug>53032</bug>: Modify <code>JspC</code> so it extends |
| <code>org.apache.tools.ant.Task</code> enabling it to work with features |
| such as namespaces within build.xml files. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Avoid NPE on reload if the state of a BackupManager is FAILED. (kfujino) |
| </fix> |
| <fix> |
| <bug>53087</bug>: To prevent a backup node from expiring a session, |
| replicate the session access time in BackupManager. (kfujino) |
| </fix> |
| <add> |
| Add support for SecureRandom to cluster manager template. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Remove obsolete bug warning from Windows service |
| documentation page. (rjung) |
| </fix> |
| <add> |
| <bug>50182</bug>: Various improvements to the Compression Filter. Patch |
| provided by David Becker. (markt) |
| </add> |
| <fix> |
| <bug>52853</bug>: Clarify how Jar Scanner handles directories. (markt) |
| </fix> |
| <fix> |
| <bug>53158</bug>: Fix documented defaults for DBCP 1.x. |
| Patch provided by ph.dezanneau at gmail.com. (rjung) |
| </fix> |
| <fix> |
| <bug>53203</bug>: Correct documentation for the default value |
| of <code>connectionTimeout</code> attribute for AJP protocol |
| connectors. (kkolinko) |
| </fix> |
| <update> |
| <bug>53289</bug>: Clarify <code>ResourceLink</code> example that |
| uses DataSource.getConnection(username, password) method. Not all |
| data source implementations support it. (kkolinko) |
| </update> |
| <fix> |
| Fix several HTML markup errors in servlets of examples web application. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>53398</bug>: Correct spelling of "received" in the |
| Manager application's XML output. (markt) |
| </fix> |
| <fix> |
| <bug>53403</bug>: Update a reference to the Servlet specification in the |
| first web application section of the documentation web application to |
| include newer versions of the specification. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>50864</bug> (<rev>1311844</rev>): |
| JMX enable most pool properties (fhanik) |
| </fix> |
| <add> |
| <bug>53254</bug> (<rev>1340160</rev>): |
| Add in the ability to purge connections from the pool (fhanik) |
| </add> |
| <update> |
| <bug>53367</bug> (<rev>1346691</rev>): |
| Prevent pool from hanging during database failure (fhanik) |
| </update> |
| <update> |
| When a connection is reconnected due to failed validation |
| make sure the ConnectionState is reset or it will assume |
| incorrect values (fhanik) |
| </update> |
| <fix> |
| <bug>53374</bug> (<rev>1348056</rev>): |
| Add support for the following properties in DataSourceFactory: |
| <code>commitOnReturn</code>, <code>rollbackOnReturn</code>, |
| <code>useDisposableConnectionFacade</code>, |
| <code>logValidationErrors</code> and |
| <code>propagateInterruptState</code>. |
| Based on patch proposed by Suresh Avadhanula. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update to Eclipse JDT Compiler 3.7.2 in the Maven tomcat-jasper.pom. (pero) |
| </update> |
| <update> |
| Update the native component of the Tomcat APR/native connector to |
| 1.1.24. (markt) |
| </update> |
| <fix> |
| Add missing dependencies in pom files. (markt) |
| </fix> |
| <add> |
| <bug>53034</bug>: Add <code>project.url</code> and |
| <code>project.licenses</code> sections to the POMs for the Maven |
| artifacts. (markt) |
| </add> |
| <fix> |
| Properly mention <code>jsp_2_2.xsd</code> in the main LICENSE and |
| INSTALLLICENSE files. (kkolinko) |
| </fix> |
| <fix> |
| <bug>53115</bug>: Fix using the command "<code>catalina.bat run</code>" |
| when the value of <code>%TEMP%</code> contains spaces. (kkolinko) |
| </fix> |
| <update> |
| Add dependencies and description to "validate" target in |
| <code>build.xml</code>, so that it could be run separately. |
| Improve <code>BUILDING.txt</code> and <code>RUNNING.txt</code>. |
| (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.27 (markt)" rtext="released 2012-04-05"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| Explicitly ignore empty path values in <code>virtualClasspath</code> |
| attribute of <code>VirtualWebappLoader</code> class. Document that |
| whitespace around the values is trimmed. Reformat documentation |
| examples to make them more readable. (kkolinko) |
| </update> |
| <fix> |
| Further improve fix for <bug>51197</bug> to allow an error reporting |
| Valve to write a response body if <code>sendError()</code> is called |
| during an asynchronous request on a container thread. (markt) |
| </fix> |
| <fix> |
| Correct fix for <bug>51741</bug> (<rev>1307600</rev>): |
| If <code>VirtualDirContext</code> class is configured with non-empty |
| value of <code>extraResourcePaths</code> option (a feature added |
| in 7.0.24), do not implicitly set <code>allowLinking</code> option to |
| the value of <code>true</code>. If it is really needed, it should be |
| set explicitly. (kkolinko) |
| </fix> |
| <add> |
| <bug>52500</bug>: Added configurable mechanism to retrieve user names |
| from X509 client certificates. Based on a patch provided by |
| Michael Furman. (schultz) |
| </add> |
| <fix> |
| <bug>52719</bug>: Fix a theoretical resource leak in the JAR validation |
| that checks for non-permitted classes in web application JARs. (markt) |
| </fix> |
| <scode> |
| Code clean-up identified by <bug>52723</bug>, <bug>52724</bug>, |
| <bug>52726</bug>, <bug>52727</bug>, <bug>52729</bug>, <bug>52731</bug> |
| and <bug>52732</bug>. (markt) |
| </scode> |
| <fix> |
| <bug>52792</bug>: Improve error message when a JNDI resource can not be |
| found. (markt) |
| </fix> |
| <fix> |
| <bug>52811</bug>: Fix parsing of Content-Type header in |
| <code>HttpServletResponse.setContentType()</code>. Introduces |
| a new HTTP header parser that follows RFC2616. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>52830</bug>: Correct JNDI lookups when using |
| <code>javax.naming.Name</code> to identify the resource rather than a |
| <code>java.lang.String</code>. (markt) |
| </fix> |
| <fix> |
| <bug>52833</bug>: Handle the case where the parent class loader for the |
| Catalina object does not have the system class loader in its hierarchy. |
| This may happen when embedding. Patch provided by olamy. (markt) |
| </fix> |
| <add> |
| <bug>52839</bug>: Add a unit test for DigestAuthenticator and |
| SingleSignOn. Patch provided by Brian Burch. (markt) |
| </add> |
| <fix> |
| <bug>52846</bug>: Make sure NonLoginAuthenticator registers a |
| GenericPrincipal rather than a MemoryUser in the session when |
| UserDatabaseRealm is used. (kfujino) |
| </fix> |
| <add> |
| <bug>52850</bug>: Extend memory leak prevention and detection code to |
| work with IBM as well as Oracle JVMs. Extend unit tests to check direct |
| and indirect ThreadLocal memory leak detection. Based on a patch |
| provided by Rohit Kelapure. (markt) |
| </add> |
| <add> |
| Add support for the WebSocket protocol (RFC6455). Both streaming and |
| message based APIs are provided and the implementation currently fully |
| passes the Autobahn test suite. Also included are several examples. |
| A significant contribution to this new functionality was provided by |
| Johno Crawford — particularly the examples. Contributions were |
| also provided by Petr Praus, Jonathan Drake &amp; Slávka. (markt) |
| </add> |
| <fix> |
| When stopping a Context, ensure that any Servlets registered with JMX |
| are unregistered. (markt) |
| </fix> |
| <scode> |
| Make the implementation of <code>Catalina.getParentClassLoader</code> |
| consistent with similar methods across the code base and have it return |
| the system class loader if no parent class loader is set. (markt) |
| </scode> |
| <fix> |
| <bug>52953</bug>: Ensure users can authenticate when using DIGEST |
| authentication with digested passwords if the digested password is |
| stored using upper case hexadecimal characters since DIGEST |
| authentication expects digests to use lower case characters. Based on a |
| patch provided by Neale Rudd. (markt) |
| </fix> |
| <fix> |
| <bug>52957</bug>: Ensure that a Valve implements Lifecycle before |
| calling any Lifecycle methods on that Valve. (markt) |
| </fix> |
| <fix> |
| <bug>52958</bug>: Fix MBean descriptors for |
| <code>org.apache.catalina.realm</code> package. (markt) |
| </fix> |
| <fix> |
| <bug>52974</bug>: Fix <code>NameNotFoundException</code> when |
| field/method is annotated with <code>@Resource</code> annotation. Patch |
| provided by Violet Agg. (markt) |
| </fix> |
| <add> |
| Add support for multi-thread deployment in UserConfig. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correctly register NIO sockets with poller after processing Comet events |
| to ensure that no read events are missed. This fixes an intermittent |
| issue observed in the unit tests. (fhanik/markt) |
| </fix> |
| <fix> |
| <bug>52770</bug>: Fix a bug in the highly unlikely circumstance that |
| an infinite timeout was specified for writing data to a client when |
| using NIO. (markt) |
| </fix> |
| <fix> |
| <bug>52858</bug>: Fix high CPU load with SSL, NIO and sendfile when |
| client breaks the connection before reading all the requested data. |
| (markt) |
| </fix> |
| <fix> |
| <bug>52926</bug>: Avoid NPE when an NIO Comet connection times out on |
| one thread at the same time as it is closed on another thread. (markt) |
| </fix> |
| <add> |
| Include port number when known in connector name when logging messages |
| from connectors that use automatic free port allocation. (markt) |
| </add> |
| <fix> |
| Don't try to unlock the acceptor thread if it is not locked. This is |
| unlikely to impact normal usage but it does fix some unit test issues. |
| (markt) |
| </fix> |
| <fix> |
| When using the APR connector ensure that any connections in a keep-alive |
| state are closed when the connector is stopped rather than when the |
| connector is destroyed. This is important when stop() followed by |
| start() is called on the connector. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>52725</bug>: Use configurable package name for tags rather than |
| hard-coded value so configuration actually works. (markt) |
| </fix> |
| <scode> |
| <bug>52758</bug>: Implement additional interface methods in Eclipse JDT |
| integration required for Jasper to work correctly with the latest Eclipse |
| development code. (markt) |
| </scode> |
| <fix> |
| <bug>52772</bug>: Ensure uriRoot is fully validated before it is used. |
| Patch based on a suggestion by Eugene Chung. (markt) |
| </fix> |
| <fix> |
| <bug>52776</bug>: Refactor the code so JspFragment.invoke cleans up |
| after itself. Patch provided by Karl von Randow. (markt) |
| </fix> |
| <fix> |
| <bug>52970</bug>: Take account of coercion rules when invoking methods |
| via EL. (markt) |
| </fix> |
| <fix> |
| <bug>52998</bug>: Partial fix. Remove static references to the EL |
| expression factory and use per web application references instead. |
| (markt) |
| </fix> |
| <fix> |
| <bug>52998</bug>: Remainder of fix. Cache the class to use for the EL |
| expression factory per class loader. (kkolinko) |
| </fix> |
| <fix> |
| <bug>53001</bug>: Revert the fix for <bug>46915</bug> because the use case |
| described in the bug is invalid: it breaks the EL specification. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Replicate principal in ClusterSingleSignOn. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>52760</bug>: Fix expires filter mime type in javascript examples. |
| (rjung) |
| </fix> |
| <fix> |
| <bug>52842</bug>: Exception in MBeanDumper when dumping MBean for |
| StandardThreadExecutor. (rjung) |
| </fix> |
| <update> |
| Bring built-in mime types for embedded Tomcat more in line with the |
| ones defined in the default web.xml configuration file. (rjung) |
| </update> |
| <add> |
| Add support to the JMXProxyServlet which is part of the Manager |
| application for fetching a specific key from a |
| <code>CompositeData</code> value. Updated documentation, so that |
| the entire 'get' command for the JMX proxy servlet is documented, |
| including the new optional 'key' parameter. (schultz/markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <update> |
| Pool cleaner thread should be created using the classloader |
| that loaded the pool, not the context loader. (fhanik) |
| </update> |
| <fix> |
| <bug>52804</bug>: Make pool properties serializable and cloneable. |
| (fhanik) |
| </fix> |
| <fix> |
| <bug>51237</bug> (<rev>1302902</rev>): |
| Slow Query Report should log using WARN level when queries are slow |
| and within the threshold of caching it. (fhanik) |
| </fix> |
| <fix> |
| <bug>52002</bug> (<rev>1302948</rev>): |
| Add in configuration option to disallow connection reuse. |
| (<rev>1305862</rev>): |
| useDisposableConnectionFacade is enabled by default. (fhanik) |
| </fix> |
| <fix> |
| <bug>52493</bug> (<rev>1302969</rev>): |
| Java 7 DataSource method addition. (fhanik) |
| </fix> |
| <fix> |
| <bug>51893</bug> (<rev>1302990</rev>): |
| Throw an error and notification when pool is exhausted. (fhanik) |
| </fix> |
| <fix> |
| <bug>50860</bug> (<rev>1303031</rev>): |
| Add in option to configure logging for validation errors. (fhanik) |
| </fix> |
| <fix> |
| <bug>52066</bug> (<rev>1305931</rev>): |
| Add in configuration option, propagateInterruptState, to allow threads to |
| retain the interrupt state. (fhanik) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>52750</bug>: Fix the way daemon.sh parses command options so |
| that more than one can be provided. (mturk) |
| </fix> |
| <update> |
| Rearrange <code>validate-eoln</code> target in <code>build.xml</code> |
| so that it can be run ahead of compilation. (kkolinko) |
| </update> |
| <update> |
| Update Apache Commons Daemon to 1.0.10. (mturk) |
| </update> |
| <update> |
| Update the native component of the Tomcat APR/native connector to |
| 1.1.23 and take advantage of the simplified distribution. (mturk) |
| </update> |
| <update> |
| Update to Eclipse JDT Compiler 3.7.2. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.26 (markt)" rtext="released 2012-02-21"> |
| <subsection name="Catalina"> |
| <changelog> |
| <scode> |
| Provide constants for commonly used <code>Charset</code> objects and use |
| these constants where appropriate. (markt) |
| </scode> |
| <fix> |
| Refactor the fix for <bug>52184</bug> to correct two issues (a missing |
| class and incorrect class/method names) when using the extras logging |
| packages. (markt) |
| </fix> |
| <fix> |
| <bug>52444</bug>: Only load classes during HandlesTypes processing if |
| the class is a match. Previously, every class in the web application was |
| loaded regardless of whether it was a match or not. (markt) |
| </fix> |
| <fix> |
| <bug>52488</bug>: Correct typo: exipre -> expire. (markt) |
| </fix> |
| <add> |
| Add a unit test for SSO authentication. Patch provided by Brian Burch. |
| (markt) |
| </add> |
| <fix> |
| <bug>52511</bug>: Correct regression in the fix for <bug>51741</bug> |
| that caused a harmless exception to be logged when scanning for |
| annotations and <code>WEB-INF/classes</code> did not exist. (markt) |
| </fix> |
| <scode> |
| Refactor to remove a circular dependency between |
| <code>org.apache.catalina</code> and <code>org.apache.naming</code>. |
| (markt) |
| </scode> |
| <scode> |
| Remove some initialisation code from the standard start process (i.e. |
| via the scripts) that was intended for embedding but is not required |
| when performing a standard start. (markt) |
| </scode> |
| <add> |
| Add new method to <code>MBeanFactory</code> that allows any Valve to be |
| created and deprecate the methods to create specific Valves. (markt) |
| </add> |
| <add> |
| Partial sync of MIME type mapping with mime.types from the Apache web |
| server. (rjung) |
| </add> |
| <fix> |
| <bug>52577</bug>: Fix a regression in the fix for <bug>52328</bug>. |
| Prevent output truncation when <code>reset()</code> is called on a |
| response. (markt) |
| </fix> |
| <fix> |
| <bug>52586</bug>: Remove an old and now unnecessary hack that modified |
| the path info reported via the |
| <code>javax.servlet.forward.path_info</code> request attribute when |
| forwarding to an error page. (markt) |
| </fix> |
| <fix> |
| <bug>52587</bug>: Ensure that if it is necessary to fall back to the |
| default NullRealm, the NullRealm instance is created early enough for it |
| to be correctly initialised. (markt) |
| </fix> |
| <fix> |
| Fix millisecond output in AccessLogValve when using a |
| SimpleDateFormat based time pattern. (rjung) |
| </fix> |
| <fix> |
| <bug>52591</bug>: When dumping MBean data, skip attributes where getters |
| throw <code>UnsupportedOperationException</code>. (markt) |
| </fix> |
| <fix> |
| <bug>52607</bug>: Ensure that the extension validator checks the JARs in |
| the shared and common class loaders for extensions. (markt) |
| </fix> |
| <fix> |
| Correct a threading issue in the generation of the list of standard |
| authenticators during Context initialization that could lead to a web |
| application failing to start if Contexts were started in parallel. |
| (markt) |
| </fix> |
| <fix> |
| <bug>52669</bug>: Correct regression that broke annotation processing in |
| <code>/WEB-INF/classes</code> for web applications deployed as WARs, |
| packageless classes and some embedding scenarios. The regression was |
| introduced by the invalid assumptions made in the fix for |
| <bug>51741</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>52671</bug>: When dumping MBean data, skip attributes where getters |
| throw <code>NullPointerException</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>51543</bug>: Provide a meaningful error message when writing more |
| response headers than permitted. (markt) |
| </add> |
| <fix> |
| <bug>52547</bug>: Ensure that bytes written (which is used by the access |
| log) is correctly reset after an HTTP 1.0 request has been processed. |
| (markt) |
| </fix> |
| <scode> |
| Minor refactoring to reduce code duplication in the HTTP connectors. |
| (markt) |
| </scode> |
| <fix> |
| <bug>52606</bug>: Ensure that POST bodies are available for replay after |
| FORM authentication when using the AJP connectors. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>52474</bug>: Ensure that leading and trailing white space is |
| removed from listener class names when parsing TLD files. (markt) |
| </fix> |
| <fix> |
| <bug>52480</bug>: When converting class path entries from URLs to |
| files/directories, ensure that any URL encoded characters are converted. |
| Fixes JSP compilation with javac when Tomcat is installed at a path that |
| includes spaces. (markt) |
| </fix> |
| <fix> |
| <bug>52666</bug>: Correct coercion order in EL when processing the |
| equality and inequality operators. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <update> |
| Improve <code>BUILDING.txt</code>. Update instructions for |
| building. Add instructions for using Checkstyle and running the |
| tests. (kkolinko) |
| </update> |
| <add> |
| <bug>38216</bug>: Improve handling of <code>null</code> return values in |
| the JMX proxy servlet which is part of the Manager application. |
| (kkolinko) |
| </add> |
| <fix> |
| <bug>52515</bug>: Make it clear in the Realm how-to in the documentation |
| web application that digested password storage when using DIGEST |
| authentication requires that MD5 digests are used. (markt) |
| </fix> |
| <fix> |
| <bug>52634</bug>: Fix typos in JSP examples. Patch provided by |
| Felix Schumacher. (rjung) |
| </fix> |
| <fix> |
| <bug>52641</bug>: Remove mention of ldap.jar from docs. |
| Patch provided by Felix Schumacher. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix code style issues and enable Checkstyle checks for jdbc-pool when |
| it is built within Tomcat. (kkolinko) |
| </fix> |
| <fix> |
| <bug>51582</bug>: Correctly set and reset the query cache to avoid NPE. (fhanik) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Update Commons Daemon to 1.0.9 to resolve <bug>52548</bug> which meant |
| that services created with service.bat did not set the |
| <code>catalina.home</code> and <code>catalina.base</code> system |
| properties. (markt) |
| </fix> |
| <add> |
| Implement check for correct end-of-line characters in the source |
| files. It is run as a separate target in <code>build.xml</code>. |
| (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.25 (markt)" rtext="released 2012-01-21"> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Restore format of the first line of error message for JMX proxy |
| servlet in case scripts were depending on it. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| When building a Windows installer do not copy the whole "res" folder to |
| output/dist, but only the files that we need. Apply the fixcrlf filter |
| only after the files are copied, so that the <code>INSTALLLICENSE</code> |
| file has correct line ends. (kkolinko) |
| </fix> |
| <update> |
| Remove <code>res/License.rtf</code>. The file that is actually shown |
| by the Windows installer is <code>res/INSTALLLICENSE</code>. |
| (kkolinko) |
| </update> |
| <add> |
| Automate the OpenPGP signature generation for the release process. |
| (markt) |
| </add> |
| <fix> |
| Don't exclude directories named target from the build process. |
| (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.24 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>52184</bug>: Provide greater control over the logging of errors |
| triggered by invalid input data (i.e. data over which Tomcat has no |
| control). (markt/kkolinko) |
| </add> |
| <fix> |
| <bug>52225</bug>: Fix ClassCastException in an Alias added to |
| existing host through JMX. (kkolinko) |
| </fix> |
| <fix> |
| Do not throw IllegalArgumentException from parseParameters() call |
| when chunked POST request is too large, but treat it like an IO error. |
| The <code>FailedRequestFilter</code> filter can be used to detect this |
| condition. (kkolinko) |
| </fix> |
| <fix> |
| <bug>52245</bug>: Don't allow web applications to package classes from |
| the <code>javax.el</code> package. Patch provided by pid. (markt) |
| </fix> |
| <fix> |
| <bug>52259</bug>: Fix regression caused by the addition of the threaded |
| component start (<bug>46264</bug>) that triggered a deadlock on startup |
| if no Realm was configured. (markt) |
| </fix> |
| <fix> |
| <bug>52293</bug>: Correctly handle the case when |
| <code>antiResourceLocking</code> is enabled at the Context level when |
| <code>unpackWARs</code> is disabled at the Host level. Based on a patch |
| by Justin Miller. (markt) |
| </fix> |
| <fix> |
| In <code>ExtendedAccessLogValve</code> when printing %-encoded value of |
| a parameter, use UTF-8 encoding to convert parameter value to bytes |
| instead of platform default encoding. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>52303</bug>: Allow web applications that do not have a login |
| configuration to participate in a SSO session. Patch provided by Brian |
| Burch. (markt) |
| </fix> |
| <fix> |
| <bug>52316</bug>: When using sendfile, use the number of bytes requested |
| to be written to the response in the access log valve for bytes written |
| rather than recording a value of zero. (markt) |
| </fix> |
| <fix> |
| <bug>52326</bug>: Reduce log level for class loading errors during |
| <code>@HandlesTypes</code> processing to debug. (markt) |
| </fix> |
| <fix> |
| <bug>52328</bug>: Improve performance when large numbers of single |
| characters and/or small strings are written to the response via a |
| Writer. (markt) |
| </fix> |
| <fix> |
| <bug>52384</bug>: Do not fail with parameter parsing when debug logging |
| is enabled. (kkolinko) |
| </fix> |
| <fix> |
| Do not flag extra '&amp;' characters in parameters as parse errors. |
| (kkolinko) |
| </fix> |
| <fix> |
| Reduce log level for the message about hitting |
| <code>maxParameterCount</code> limit from WARN to INFO. (kkolinko) |
| </fix> |
| <fix> |
| <bug>52387</bug>: Ensure that the correct host is used when configuring |
| logging when Tomcat is embedded. Patch provided by David Calavera. |
| (markt) |
| </fix> |
| <update> |
| <bug>52405</bug>: Align the Servlet 3.0 implementation with the changes |
| defined in the first maintenance release (also known as Rev. A). See the |
| <a href="http://jcp.org/aboutJava/communityprocess/maintenance/jsr315/servlet3-mr-reva.html" |
| rel="nofollow">JCP documentation</a> for a detailed list of changes. |
| (markt) |
| </update> |
| <fix> |
| Improve JMX names for objects related to Connectors that have the |
| address attribute set. (markt) |
| </fix> |
| <fix> |
| Remove some stale attributes from MBeans. (rjung) |
| </fix> |
| <scode> |
| Move destruction of <code>ContainerBase</code> objects to |
| <code>ContainerBase</code> to ensure that they are destroyed. (markt) |
| </scode> |
| <fix> |
| <bug>52443</bug>: Change the behaviour of the default Realm in the |
| embedded use case so it is set once on the Engine rather than on every |
| Context thereby avoiding the Lifecycle issues with having the same Realm |
| set on multiple Contexts. (markt) |
| </fix> |
| <add> |
| Provide a new Realm implementation, the NullRealm, that does not contain |
| any users and is used as the default Realm implementation (rather than |
| the JAAS Realm which was used prior to this change) if no Realm is |
| specified. (markt) |
| </add> |
| <fix> |
| <bug>52461</bug>: Don't assume file based URLs when checking last |
| modified times for global and host level web.xml files. Patch provided |
| by violetagg. (markt) |
| </fix> |
| <add> |
| Add test cases for the BASIC and NonLogin Authenticators when not using |
| SSO. Patch provided by Brian Burch. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>52028</bug>: Add support for automatic binding to a free port by a |
| connector if the special value of zero is used for the port. This is |
| mainly useful in embedded and testing scenarios. (markt) |
| </add> |
| <update> |
| Remove obsolete <code>emptySessionPath</code> JMX attribute. (rjung) |
| </update> |
| <fix> |
| Correct error in fix for <bug>49683</bug>. (markt) |
| </fix> |
| <fix> |
| Ensure that the process of unlocking the acceptor thread does not |
| trigger processing of the connection as if it were a valid request. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>52450</bug>: Add setter for entityResolver in ParserUtils. |
| This is mainly useful when jasper and dtds are in different |
| class loaders. (mturk) |
| </fix> |
| <fix> |
| <bug>52321</bug>: Ensure that the order of multiple prelude/coda values |
| for JSP pages is respected. (markt) |
| </fix> |
| <fix> |
| <bug>52335</bug>: Only handle <code>&lt;\%</code> and not |
| <code>\%</code> as escaped in template text. (markt) |
| </fix> |
| <fix> |
| <bug>52440</bug>: Ensure that when using |
| <code>ValueExpression.getValueReference()</code> if the expression is an |
| EL variable that the value returned is the <code>ValueReference</code> |
| for the <code>ValueExpression</code> associated with the EL variable. |
| (markt) |
| </fix> |
| <fix> |
| <bug>52445</bug>: Don't assume that EL method expressions have |
| exactly three components (identifier, method name, parameters). (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>38216</bug>: Add the ability to invoke MBean operations to the JMX |
| proxy servlet in the Manager application. Based on a patch by |
| Christopher Hlubek. (markt) |
| </add> |
| <update> |
| Further clarify the relation between values used by |
| <code>RemoteIpValve</code> and <code>RemoteIpFilter</code> |
| and their use by <code>AccessLogValve</code>. (kkolinko) |
| </update> |
| <fix> |
| <bug>52243</bug>: Improve windows service documentation to clarify how |
| to include <code>#</code> and/or <code>;</code> in the value of an |
| environment variable that is passed to the service. (markt) |
| </fix> |
| <fix> |
| <bug>52366</bug>: Fix typo in VirtualWebappLoader documentation |
| (configuration example). (rjung) |
| </fix> |
| <update> |
| Replace Bugzilla search link on <code>ROOT/index.jsp</code> page with |
| one pointing to the bug reporting page of Tomcat site. (kkolinko) |
| </update> |
| <update> |
| Move MBean dump code from JMXProxyServlet into a utility class. (rjung) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| <bug>52208</bug>: Fix threading issue that may lead to harmless NPE |
| during shutdown that has occasionally been observed when running the |
| unit tests. (markt) |
| </fix> |
| <fix> |
| <bug>52213</bug>, <bug>52354</bug>, <bug>52355</bug> and |
| <bug>52356</bug>: Fix some potential concurrency issues in |
| <code>FastQueue</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <add> |
| <rev>1207712</rev>: Pool cleaner should be a global thread, not spawn |
| one thread per connection pool. (fhanik) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update Apache Commons Daemon to 1.0.8. (mturk) |
| </update> |
| <update> |
| Update Apache Commons Pool to 1.5.7. (kkolinko) |
| </update> |
| <fix> |
| Fix line ends in <code>.gitignore</code> files contained in source |
| distributions. (rjung) |
| </fix> |
| <fix> |
| Run Mapper performance test twice if the first run took too long, |
| to ignore occasional failures. (kkolinko) |
| </fix> |
| <fix> |
| Align <code>.gitignore</code> and <code>build.xml</code> |
| exclude patterns with <code>svn:ignore</code>. (kkolinko) |
| </fix> |
| <fix> |
| Configure <code>defaultexcludes</code> for Ant 1.8.1/1.8.2. |
| The <code>.git</code> and <code>.gitignore</code> patterns have been |
| in the default excludes since Ant 1.8.2, but we include <code>.gitignore</code> in |
| src distributions. (kkolinko) |
| </fix> |
| <add> |
| <bug>52237</bug>: Allow JUnit logs to be generated in formats other than |
| plain text. Patch provided by M Hasko. (markt/kkolinko) |
| </add> |
| <fix> |
| Fix build condition for tomcat-dbcp to always rebuild when a new version |
| of commons-pool or commons-dbcp is downloaded. (kkolinko) |
| </fix> |
| <update> |
| Add example of configuration for <code>SetCharacterEncodingFilter</code> |
| to the default <code>web.xml</code> file. (kkolinko) |
| </update> |
| <update> |
| Switch unit tests to bind Connectors to localhost rather than all |
| available IP addresses. (markt) |
| </update> |
| <update> |
| Update to Eclipse JDT Compiler 3.7.1. (markt) |
| </update> |
| <update> |
| Add Netbeans <code>nbproject</code> folder to <code>svn:ignore</code> |
| and <code>.gitignore</code>. (rjung) |
| </update> |
| <update> |
| Align <code>.gitignore</code> with trunk. (rjung) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.23 (markt)" rtext="released 2011-11-25"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>46264</bug>: Add the ability to start and stop containers |
| (primarily Contexts) using a thread pool rather than a single thread. |
| This can significantly improve start and stop time. Based on patches |
| by Joe Kislo and Felix Schumacher. (markt) |
| </add> |
| <fix> |
| <bug>50570</bug>: Enable FIPS mode to be set in AprLifecycleListener. |
| Based upon a patch from Chris Beckey. (schultz/kkolinko) |
| </fix> |
| <fix> |
| <bug>51744</bug>: Throw the correct exception if an application attempts |
| to modify the associated JNDI context. (markt) |
| </fix> |
| <add> |
| <bug>51744</bug>: Add an option to the StandardContext that allows |
| exception throwing when an application attempts to modify the associated |
| JNDI context to be disabled. (markt) |
| </add> |
| <fix> |
| <bug>51910</bug>: Prevent NPE on connector stop if Comet applications |
| are being used without the CometConnectionManagerValve. (markt) |
| </fix> |
| <fix> |
| <bug>51940</bug>: Do not limit saving of request bodies during FORM |
| authentication to POST requests since any HTTP method may include a |
| request body. Based on a patch by Nicholas Sushkin. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>51956</bug>: RemoteAddrFilter used getRemoteHost instead of |
| getRemoteAddr when filtering Comet events. (schultz) |
| </fix> |
| <fix> |
| <bug>51952</bug>: Make the inclusion of a response body with a redirect |
| response introduced to address <bug>41718</bug> optional and disabled by |
| default due to the side-effects of including a body with the response in |
| this case. (markt) |
| </fix> |
| <fix> |
| <bug>51972</bug>: Correctly handle protocol relative URLs when used with |
| <code>sendRedirect()</code>. (markt) |
| </fix> |
| <scode> |
| Simplify the deployment code and use full paths in log messages to |
| remove any ambiguity in where a context is being deployed from. (markt) |
| </scode> |
| <fix> |
| <bug>52009</bug>: Fix a NPE during access log entry recording when an |
| error occurred during the processing of a Comet request. (markt) |
| </fix> |
| <fix> |
| In <code>OneLineFormatter</code> log formatter in JULI always use |
| the US locale to format the date (esp. the month names). (rjung) |
| </fix> |
| <add> |
| Cache the results of parsing the global and host level web.xml files to |
| improve web application start time. (markt) |
| </add> |
| <fix> |
| <bug>52042</bug>: Correct threading issue in annotation caching that |
| could lead to an NPE if multiple threads were processing the same class |
| hierarchy for annotations. (markt) |
| </fix> |
| <fix> |
| Correct additional threading and premature clearance issues with the |
| annotation cache. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the fix for <bug>49779</bug> that meant |
| parameters POSTed by an unauthenticated user to a page that required |
| FORM authentication were lost during the authentication process. |
| (markt) |
| </fix> |
| <fix> |
| <bug>52055</bug>: Ensure that the input and output buffers are correctly |
| reset between keep-alive requests when using Servlet 3.0 asynchronous |
| request processing. (markt) |
| </fix> |
| <fix> |
| Ensure changes to the configuration of the RemoteHostValve and the |
| RemoteAddrValve via JMX are thread-safe. (markt) |
| </fix> |
| <fix> |
| Ensure that the memory leak protection for the HttpClient keep-alive |
| always operates even if the thread has already stopped. (markt) |
| </fix> |
| <scode> |
| Remove the Java 1.2 specific error handling around the adding of the |
| shutdown hook. (markt) |
| </scode> |
| <fix> |
| Correct errors in i18n resources and resource usage that meant some |
| messages were either not used or were incorrectly formatted. (markt) |
| </fix> |
| <scode> |
| Replace the use of deprecated auth method names from |
| <code>authenticator.Constants</code> with the auth method names from |
| <code>HttpServletRequest</code>. (kkolinko) |
| </scode> |
| <add> |
| Make configuration issues for security related Valves and Filters result |
| in the failure of the valve or filter rather than just a warning |
| message. (markt) |
| </add> |
| <add> |
| Improve performance of parameter processing for GET and POST requests. |
| Also add an option to limit the maximum number of parameters processed |
| per request. This defaults to 10000. Excessive parameters are ignored. |
| Note that <code>FailedRequestFilter</code> can be used to reject the |
| request if some parameters were ignored. (markt/kkolinko) |
| </add> |
| <fix> |
| <bug>52091</bug>: Address performance issues related to lock contention |
| in StandardWrapper. Patch provided by Taiki Sugawara. (markt) |
| </fix> |
| <scode> |
| Switch to using Collections.enumeration() rather than custom code that |
| does the same thing. (markt) |
| </scode> |
| <fix> |
| <bug>52113</bug>: Don't assume presence of context.xml file with JMX |
| deployment. (markt) |
| </fix> |
| <update> |
| In <code>RequestFilterValve</code> (<code>RemoteAddrValve</code>, |
| <code>RemoteHostValve</code>): refactor value matching logic into |
| separate method and expose this new method <code>isAllowed</code> |
| through JMX. (kkolinko) |
| </update> |
| <fix> |
| <bug>52156</bug>: Ensure that |
| <code>getServletContext().getResource(path)</code> returns the correct |
| resource when path contains <code>/../</code> sequences or any other |
| sequences that require normalization. (markt) |
| </fix> |
| <add> |
| Report existence of HTTP request parameter parsing errors via new |
| special ServletRequest attribute, |
| <code>org.apache.catalina.parameter_parse_failed</code>. (kkolinko) |
| </add> |
| <add> |
| New filter <code>FailedRequestFilter</code> that will reject a request |
| if there were errors during HTTP parameter parsing. (kkolinko) |
| </add> |
| <update> |
| Improve special attributes handling in Request object by using hash |
| table lookup instead of series of string comparisons. (kkolinko) |
| </update> |
| <scode> |
| Deprecate unused methods in <code>IntrospectionUtils</code> class. |
| (kkolinko) |
| </scode> |
| <fix> |
| Improve processing of errors that are wrapped in |
| <code>InvocationTargetException</code>. Rethrow fatal errors that must |
| be rethrown. (kkolinko) |
| </fix> |
| <fix> |
| Improve handling of failed web application deployments during automatic |
| deployment. Once deployment of a web application fails in one form (e.g. |
| WAR), no further attempt (e.g. directory) will be made to deploy that |
| web application. The base Lifecycle implementation has been improved to |
| allow failed web applications to be started once the configuration |
| issues have been resolved. Any changes to a context.xml file (global, |
| per host or web application specific) will now result in a redeploy |
| of the affected web application(s) that ensures that any changes are |
| correctly applied rather than a reload which ignores changes in |
| context.xml files. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>52173</bug>: Improve Javadoc for <code>delegate</code> attribute |
| of WebappClassLoader. Based on a patch by bmargulies. (markt) |
| </fix> |
| <add> |
| Add <code>denyStatus</code> attribute to <code>RequestFilterValve</code> |
| (<code>RemoteAddrValve</code>, <code>RemoteHostValve</code> valves) and |
| <code>RequestFilter</code> (<code>RemoteAddrFilter</code>, |
| <code>RemoteHostFilter</code> filters). It allows a different |
| HTTP response code to be used when rejecting a denied request, e.g. 404 |
| instead of 403. (kkolinko) |
| </add> |
| <fix> |
| Slightly improve performance of UDecoder.convert(). Align |
| <code>%2f</code> handling between implementations. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>51881</bug>: Correctly complete Comet requests when the Comet END |
| event is triggered asynchronously. (markt) |
| </fix> |
| <fix> |
| <bug>51905</bug>: Fix infinite loop in AprEndpoint shutdown if |
| acceptor unlock fails. Reduce timeout before forcefully closing |
| the socket from 30s to 10s. (kkolinko) |
| </fix> |
| <fix> |
| <bug>51912</bug>: Fix HTTP header processing in NIO HTTP connector. |
| (kkolinko) |
| </fix> |
| <fix> |
| Improve MimeHeaders.toString(). (kkolinko) |
| </fix> |
| <fix> |
| Fix threading issue in NIO connectors during shutdown that meant Comet |
| connections were not always shut down cleanly. (markt) |
| </fix> |
| <add> |
| In HTTP connectors: self-guard against using a non-recycled input |
| buffer. Requests will be rejected with response status 400. (kkolinko) |
| </add> |
| <fix> |
| <bug>52121</bug>: Fix possible output corruption when compression is |
| enabled for a connector and the response is flushed. Includes a test |
| case provided by David Marcks. (kkolinko/markt) |
| </fix> |
| <fix> |
| Improve multi-byte character handling in Coyote output for HTTP |
| and AJP. (rjung) |
| </fix> |
| <add> |
| Refactor acceptor unlock code to reduce waiting time during connector |
| pause and stop. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Correct possible (but very small) memory leak when using maxLoadedJsps |
| to limit the number of JSPs loaded at any one time. (markt) |
| </fix> |
| <fix> |
| <bug>52051</bug>: Better handling of missing resource problems with |
| non-standard Servlet mappings so that a 404 response is returned to the |
| client rather than a 500 response. (markt) |
| </fix> |
| <fix> |
| <bug>52091</bug>: Address performance issues related to log creation |
| in TagHandlerPool. Patch provided by Taiki Sugawara. (markt) |
| </fix> |
| <scode> |
| Switch to using Collections.enumeration() rather than custom code that |
| does the same thing. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Avoid an unnecessary session ID change notice. |
| Notice of changed session ID by JvmRouteBinderValve is unnecessary to |
| BackupManager. In BackupManager, change of session ID is replicated by |
| the call of a setId() method. (kfujino) |
| </fix> |
| <fix> |
| Fix duplicate <code>resetDeltaRequest()</code> call in |
| <code>DeltaSession.setId(String)</code>. (kkolinko) |
| </fix> |
| <fix> |
| Work around a <a href="http://bugs.sun.com/view_bug.do?bug_id=6427854" |
| rel="nofollow">known JVM bug</a> that is fixed in 1.7.0_01 but still |
| present in 1.6.0_29 and was triggering intermittent unit test failure |
| for <code>org.apache.catalina.tribes.group. |
| TestGroupChannelMemberArrival.testMemberArrival</code>. |
| The bug affects any components that use NIO although it was more likely |
| to be observed in the clustering module than the HTTP or AJP NIO |
| connector. (markt) |
| </fix> |
| <add> |
| When Context manager does not exist, no context manager message is |
| replied in order to avoid timeout (default 60sec) of |
| GET_ALL_SESSIONS sync phase. (kfujino) |
| </add> |
| <fix> |
| Fix setting maxInactiveInterval, sessionIdLength and |
| processExpiresFrequency for cluster managers. Use setter |
| when setting maxActiveSessions. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>50923</bug>: Use distinct background color for <code>code</code> |
| tag in Tomcat documentation, for better readability. (kkolinko) |
| </add> |
| <fix> |
| <bug>51630</bug>: Fix bug in async0 example that triggered an |
| IllegalStateException in the application log. (markt) |
| </fix> |
| <add> |
| <bug>52025</bug>: Add additional information regarding DriverManager, |
| the service provider mechanism and memory leaks. (markt) |
| </add> |
| <fix> |
| <bug>52049</bug>: Improve setup instructions for running as a Windows |
| service: remove references to specific Windows operating systems - it |
| easily becomes dated; correct information on how a JRE is identified and |
| selected. (markt) |
| </fix> |
| <update> |
| <bug>52172</bug>: Clarify Tomcat build instructions. Patch provided |
| by bmargulies. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>52015</bug>: In jdbc-pool: JdbcInterceptor passes not 'this' but |
| 'proxy' to <code>getNext().invoke</code>. (kfujino) |
| </fix> |
| <fix> |
| In jdbc-pool: Improve handling of Errors that originate from methods |
| invoked through reflection. In <code>TrapException</code> interceptor: |
| rethrow Error as is, without wrapping it in a RuntimeException. |
| (kkolinko) |
| </fix> |
| <fix> |
| In jdbc-pool: Unwrap InvocationTargetException if it is caught in |
| <code>ResultSetProxy</code>, like we do it elsewhere. (kkolinko) |
| </fix> |
| <fix> |
| When building jdbc-pool from within Tomcat, use Tomcat's |
| <code>output</code> directory location. This allows all build |
| output to be moved away from the source tree. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the package re-named copy of Commons BCEL (formerly Jakarta BCEL) |
| to the latest code from Commons BCEL trunk. (markt) |
| </update> |
| <scode> |
| Remove some unused code from the packaged renamed Commons BCEL. (markt) |
| </scode> |
| <fix> |
| <bug>52059</bug>: In Windows uninstaller: Do not forget to remove |
| Tomcat keys from 32-bit registry on deinstallation. (kkolinko) |
| </fix> |
| <scode> |
| Start the process of deprecating unused and unnecessary code that will |
| be removed in the next major release (8.0.x). (markt) |
| </scode> |
| <update> |
| Ignore <code>.git</code> directory when building the source |
| distribution. (markt) |
| </update> |
| <update> |
| Remove trailing whitespace from the default configuration files. |
| (kkolinko) |
| </update> |
| <update> |
| Improve <code>RUNNING.txt</code>. (kkolinko) |
| </update> |
| <update> |
| Update optional Checkstyle library to 5.5. (kkolinko) |
| </update> |
| <add> |
| In test suite: add <code>LoggingBaseTest</code> class to allow |
| use of Tomcat logging configuration in tests that do not start Tomcat. |
| (kkolinko) |
| </add> |
| <fix> |
| In test suite: speed up <code>TestGroupChannelSenderConnections</code>. |
| Remove 48 seconds worth of waits. (kkolinko) |
| </fix> |
| <fix> |
| <bug>52148</bug>: Add tomcat-coyote.jar to catalina-tasks.xml as this |
| JAR is now required by the Ant tasks. Patch provided by Volker Krebs. |
| (markt) |
| </fix> |
| <add> |
| Add sample Apache Commons Daemon JSVC wrapper script |
| <code>bin/daemon.sh</code> that can be used with <code>/etc/init.d</code>. |
| (mturk) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.22 (markt)" rtext="released 2011-10-01"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>51550</bug>: An additional change that ensures any exceptions |
| thrown by an Authenticator (or any other Valve configured for the |
| Context) will be handled by the custom error pages for the Context if an |
| appropriate error page is configured. (markt) |
| </fix> |
| <fix> |
| <bug>51580</bug>: Added a nicer error message when a WAR file contains |
| filenames not properly encoded in UTF-8. (schultz) |
| </fix> |
| <fix> |
| <bug>51687</bug>: Added (optional) protection against |
| sun.java2d.Disposer thread pinning a WebappClassLoader into memory |
| in the JreMemoryLeakPreventionListener. (schultz) |
| </fix> |
| <add> |
| <bug>51741</bug>: Fixes a problem with Eclipse WTP "Serve modules |
| without publishing" feature where applications failed to access |
| resources when using getResource() on the classloader. (slaurent) |
| </add> |
| <fix> |
| <bug>51744</bug>: Prevent application code from closing the associated |
| JNDI context while the application is running. (markt) |
| </fix> |
| <fix> |
| Correct a regression with the fix for <bug>51653</bug> that broke custom |
| error pages for 4xx responses from the Authenticators. Error handling |
| and request listeners are now handled in the StandardHostValve to ensure |
| they wrap all Context level activity. (markt) |
| </fix> |
| <fix> |
| <bug>51758</bug>: The digester (used for processing XML files) used the |
| logger name <code>org.apache.commons.digester.Digester</code> rather |
| than the expected <code>org.apache.tomcat.util.digester.Digester</code>. |
| The digester has been changed to use the expected logger name. |
| (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>51774</bug>: Fix incorrect cached method signature that prevented |
| session tracking modes from being defined in web.xml when running under |
| a security manager. (markt) |
| </fix> |
| <add> |
| Add an annotation cache to the <code>DefaultInstanceManager</code> that |
| improves performance for applications that make use of a lot of |
| non-poolable objects (e.g. tag files) that need to be scanned for |
| annotations when created. (markt) |
| </add> |
| <fix> |
| Use the specification compliant request attribute of |
| <code>javax.servlet.request.ssl_session_id</code> to access the SSL |
| session ID and deprecate the Tomcat specific request attribute. (markt) |
| </fix> |
| <add> |
| Allow overwriting the check for distributability |
| of session attributes by session implementations. (rjung) |
| </add> |
| <update> |
| Add Java 7 sunec.jar and zipfs.jar to the list of JARs |
| to skip when scanning for TLDs and web fragments. (rjung) |
| </update> |
| <add> |
| <bug>51862</bug>: Added a <code>classesToInitialize</code> attribute to |
| <code>JreMemoryLeakPreventionListener</code> to allow pre-loading of configurable |
| classes to avoid some classloader leaks. (slaurent) |
| </add> |
| <fix> |
| Reduce visibility of static field <code>ManagerBase.name</code> and |
| make it final. (kkolinko) |
| </fix> |
| <update> |
| Add thread name to juli OneLineFormatter. (rjung) |
| </update> |
| <fix> |
| Ensure Servlets that implement ContainerServlet always get treated as |
| restricted. (markt) |
| </fix> |
| <fix> |
| <bug>51872</bug>: Ensure that the access log always uses the correct |
| value for the remote IP address associated with the request and that |
| requests with multiple errors do not result in multiple entries in |
| the access log. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Remove unused and undocumented socketCloseDelay attribute from NIO |
| connector. (markt) |
| </scode> |
| <fix> |
| <bug>49683</bug>: Support separate connection and keep-alive timeouts |
| for the APR/native connector HTTP and AJP connectors. (markt) |
| </fix> |
| <scode> |
| Further re-factoring of the HTTP connectors to align the BIO, NIO and |
| APR implementations. (markt) |
| </scode> |
| <fix> |
| <bug>51794</bug>: Fix race condition in NioEndpoint. (fhanik) |
| </fix> |
| <fix> |
| <bug>51811</bug>: Correct SSL configuration property name from |
| sslImplemenationName to sslImplementationName. (rjung) |
| </fix> |
| <fix> |
| Fix a timing issue in NIO connector that meant that stopping a connector |
| did not trigger a Comet END event if the associated processor was |
| processing a READ event when the connector was stopped. (markt) |
| </fix> |
| <fix> |
| Replace unneeded call that iterated events queue in NioEndpoint.Poller. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>51860</bug>: Fix issues if using NIO with a custom |
| SSLImplementation. Based on a suggestion by Roman Tsirulnikov. (markt) |
| </fix> |
| <fix> |
| Allow the BIO HTTP connector to be used with SSL when running under Java |
| 7. (markt) |
| </fix> |
| <update> |
| Don't send AJP CPONG if endpoint is already paused. (rjung) |
| </update> |
| <update> |
| Align APR AJP connector with NIO one. Send 503 if endpoint is paused. |
| (rjung) |
| </update> |
| <update> |
| Accept AJP request even if endpoint is paused, if CPING was successful. |
| (rjung) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| When unloading JSPs due to configuration of the |
| <code>maxLoadedJsps</code> initialisation parameter, the unloading code |
| was retaining a reference to the unloaded JSP preventing the |
| associated class from being unloaded until the JSP that replaced it was |
| itself unloaded. (markt) |
| </fix> |
| <fix> |
| <bug>51852</bug>: Correct two problems in the handling of varargs |
| methods with the BeanELResolver. The first meant the wrong method was |
| sometimes called and the second that an ArrayIndexOutOfBoundsException |
| could be thrown. Patch (including a test case) provided by Matt Benson. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <update> |
| Refactor cluster manager configuration: move handling of common |
| attributes to base class. (kfujino, rjung) |
| </update> |
| <add> |
| New cluster manager attribute <code>sessionAttributeFilter</code> |
| allows filtering of which session attributes are replicated using a |
| regular expression applied to the attribute name. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the documentation for <code>connectionLinger</code> attribute |
| for the AJP and HTTP connectors. (markt) |
| </fix> |
| <update> |
| Document caveat of using <code>RemoteAddrValve</code> with IPv6 |
| addresses. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| In jdbc-pool: Avoid IllegalArgumentException when setting maxActive |
| less than or equal to 0. |
| ArrayBlockingQueue doesn't allow capacity of 0 or less. (kfujino) |
| </fix> |
| <fix> |
| <bug>48392</bug> (<rev>1169796</rev>): Fix typo in |
| <code>StatementDecoratorInterceptor</code>. (fhanik) |
| </fix> |
| <fix> |
| <bug>51139</bug>: |
| In jdbc-pool: validatorClassName and suspectTimeout are ignored. |
| In order to support them correctly, validatorClassName and |
| suspectTimeout are added to a property list. (kfujino) |
| </fix> |
| <fix> |
| <bug>51786</bug>: |
| In jdbc-pool: Discarded connection is not active in a pool any longer. |
| It is removed from the active connection list. (kfujino) |
| </fix> |
| <fix> |
| <bug>51871</bug>: Fix dependency in Maven POM file of |
| tomcat-jdbc. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the "test" target in the default build file to report a test |
| failure only after all available connector variants (bio, nio, apr) |
| have been tested. Do not stop after first connector that fails. |
| (kkolinko) |
| </update> |
| <update> |
| <bug>51887</bug>: When running the unit tests, use a fast but insecure |
| random number source for session ID generation to reduce the delays |
| caused by waiting for entropy. (kkolinko/markt) |
| </update> |
| <scode> |
| Code clean-up to further reduce the number of warnings reported by |
| Eclipse, FindBugs and CheckStyle. (markt/kkolinko) |
| </scode> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.21 (markt)" rtext="released 2011-09-01"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>41718</bug>: Include a response body when sending a redirect. |
| (markt) |
| </add> |
| <add> |
| <bug>51640</bug>: Improve the memory leak prevention for leaks triggered |
| by java.sql.DriverManager. (markt) |
| </add> |
| <fix> |
| <bug>51644</bug>: Fix annotation scanning for contexts with a |
| multi-level context path such as /a/b. (markt) |
| </fix> |
| <fix> |
| Unregisters MBean of DataSource when web application stops. (kfujino) |
| </fix> |
| <fix> |
| <bug>51650</bug>: Code clean-up. Patch provided by Felix Schumacher. |
| (markt) |
| </fix> |
| <fix> |
| <bug>51653</bug>: Move application level error page handling from the |
| Host to the Context. This ensures that application error page handling |
| is completed before the requestDestroyed event of any |
| ServletRequestListener is fired. (markt) |
| </fix> |
| <fix> |
| <bug>51654</bug>: Improve handling of invalid appBase settings for Host |
| elements. (markt) |
| </fix> |
| <fix> |
| <bug>51658</bug>: Fix possible NPE when logging a failed request. Based |
| on a suggestion by Felix Schumacher. (markt) |
| </fix> |
| <fix> |
| <bug>51688</bug>: JreMemoryLeakPreventionListener now protects against |
| AWT thread creation. (schultz) |
| </fix> |
| <fix> |
| <bug>51712</bug>: Ensure cache control headers are sent when appropriate |
| even if the request is secure. Patch provided by Michael Zampani. |
| (markt) |
| </fix> |
| <fix> |
| <bug>51713</bug>: Improve message that is logged if there is an error |
| in the value of <code>protocol</code> in a <code>Connector</code>. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>51739</bug>: When using a landing page with FORM authentication |
| ensure that the request has a valid HTTP method. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>51641</bug>: Use correct key when removing processor instances from |
| the connections map during clean-up. Patch provided by zhh. (markt) |
| </fix> |
| <fix> |
| More changes to align the code between the different HTTP connectors. |
| (markt) |
| </fix> |
| <fix> |
| Ensure AjpMessage headers are correct for the direction of the message. |
| (markt) |
| </fix> |
| <scode> |
| Code clean-up and re-factoring to reduce duplicate code in the AJP |
| processor implementations. (markt) |
| </scode> |
| <add> |
| Detect incomplete AJP messages and reject the associated request if one |
| is found. (markt) |
| </add> |
| <fix> |
| <bug>51698</bug>: Fix CVE-2011-3190. Prevent AJP message injection. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>41673</bug>: Use platform line-endings when reporting compilation |
| errors. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| <bug>51736</bug>: Make rpcTimeout configurable in BackupManager. |
| (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>51649</bug>: Update the documentation web application to include |
| the ThreadLocal leak prevention listener. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <add> |
| <bug>51583</bug> (<rev>1157874</rev>, <rev>1162102</rev>): Fix |
| shutdown delay in jdbc-pool. (fhanik/kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>51558</bug>: Don't force the use of StandardManager when using |
| any of the <code>Tomcat#addWebapp()</code> methods. (markt) |
| </fix> |
| <fix> |
| <bug>51704</bug>: Make use of <code>File#mkdirs()</code> more robust. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.20 (markt)" rtext="released 2011-08-11"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Corrected missing comma in the value of <code>jarsToSkip</code> |
| property in <code>conf/catalina.properties</code> file, which |
| caused tomcat-jdbc.jar and commons-beanutils*.jar to be not |
| ignored when scanning jars for tag libraries. (kkolinko) |
| </fix> |
| <fix> |
| <bug>41709</bug>: Provide exception messages where no message is |
| provided currently for IllegalStateExceptions triggered by calling |
| HttpServletResponse methods when the response is committed. (markt) |
| </fix> |
| <fix> |
| <bug>51509</bug>: Fix potential concurrency issue in CSRF prevention |
| filter that may lead to some requests failing that should not. (markt) |
| </fix> |
| <fix> |
| <bug>51518</bug>: Correct error in web.xml parsing rules for the |
| &lt;others/&gt; tag when using absolute ordering. (markt) |
| </fix> |
| <add> |
| Move the SetCharacterEncoding filter from the examples web application |
| to the <code>org.apache.catalina.filters</code> package so it is |
| available for all web applications. (markt) |
| </add> |
| <fix> |
| <bug>51550</bug>: Internal errors in Tomcat components that process |
| requests before they are passed to a web application, such as |
| Authenticators, now return a 500 response rather than a 200 response. |
| (markt) |
| </fix> |
| <fix> |
| <bug>51555</bug>: Allow destroy() to be called on Lifecycle components |
| that are in the initialized state. (markt) |
| </fix> |
| <add> |
| Add x-threadname pattern format token to ExtendedAccessLogValve to log |
| the current request thread name. Based on a patch from Felix Schumacher. |
| (timw) |
| </add> |
| <fix> |
| <bug>51584</bug>: Ensure file paths are encoded/decoded when translated |
| to/from URLs when working with resources from a Context so special |
| characters don't cause issues. (markt) |
| </fix> |
| <fix> |
| <bug>51586</bug>: Expand error handling to cover anything that is |
| recoverable (or might be recoverable) when loading classes during |
| HandlesTypes processing. (markt) |
| </fix> |
| <fix> |
| <bug>51588</bug>: Make it easier to extend the AccessLogValve to add |
| support for custom elements. (markt) |
| </fix> |
| <fix> |
| Ensure that calls to StandardWrapper methods() that may trigger creation |
| of a Servlet instance always do so in a way that correctly instantiates a |
| Servlet instance. (markt) |
| </fix> |
| <fix> |
| In JDBCStore: Committing connection if autoCommit is false. |
| Make sure committed connection is returned to the pool if datasource is |
| enabled. (kfujino) |
| </fix> |
| <add> |
| Split <code>condition</code> attribute of AccessLogValve into two, |
| <code>conditionIf</code> and <code>conditionUnless</code>. Implement |
| conditional logging that logs only if a request attribute is present. |
| (kkolinko) |
| </add> |
| <fix> |
| Allow several AccessLogValve instances in the same scope (e.g. |
| in the same Context). (kkolinko) |
| </fix> |
| <fix> |
| <bug>51610</bug>: If an unchecked exception occurs during a lifecycle |
| transition (e.g. web application start) ensure that the component is |
| put into the failed state. (markt) |
| </fix> |
| <fix> |
| <bug>51614</bug>: Avoid calling store.load() and session.expire() |
| twice in PersistentManager when expiring sessions. (kfujino) |
| </fix> |
| <fix> |
| Prevent spurious log warnings on container stop if a child component has |
| previously failed. (markt) |
| </fix> |
| <fix> |
| Add missing getter and setter for the alwaysUseSession attribute of the |
| authenticators. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>49595</bug>: Prevent JVM crash with the AJP APR connector when |
| flushing a closed socket. (jfclere) |
| </fix> |
| <fix> |
| <bug>50394</bug>: Return -1 instead of throwing an exception when |
| encountering an EOF while processing an input stream with the HTTP APR |
| connector. (jfclere) |
| </fix> |
| <fix> |
| Correctly handle a connectionTimeout value of -1 (no timeout) for the |
| HTTP NIO and AJP NIO connectors. (markt) |
| </fix> |
| <fix> |
| <bug>51503</bug>: Add additional validation that prevents a connector |
| from starting if it does not have a port > 0. (markt) |
| </fix> |
| <fix> |
| <bug>51557</bug>: Ignore HTTP headers that do not comply with RFC 2616 |
| and use header names that are not tokens. (markt) |
| </fix> |
| <add> |
| Improve error handling for HTTP APR if an error occurs while using |
| sendfile. (markt) |
| </add> |
| <fix> |
| Ensure that when using sendfile, HTTP APR sockets are not added to |
| multiple pollers. This may cause errors during shutdown. (markt) |
| </fix> |
| <update> |
| Set <code>reuse</code> flag of final AJP <code>END_RESPONSE</code> |
| packet to <code>0</code> if we plan to close the connection. (rjung) |
| </update> |
| <update> |
| Correctly indicate if socket is closing when calling recycle for the AJP |
| NIO processor. Note since the flag is unused in this case there were no |
| bugs triggered by the re-factoring error. (rjung) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>51532</bug>: JSP files with dependencies in JARs were recompiled on |
| every access leading to poor performance. (markt) |
| </fix> |
| <fix> |
| <bug>51544</bug>: Correctly resolve bean methods in EL so accessible |
| methods that are overridden by inaccessible methods do not cause an |
| IllegalAccessException. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>41498</bug>: Add the allRolesMode attribute to the Realm |
| configuration page in the documentation web application. (markt) |
| </fix> |
| <fix> |
| <bug>48997</bug>: Fixed some typos and correct cross-referencing to the |
| HTTP Connector documentation with the SSL How-To page of the |
| documentation web application. (markt) |
| </fix> |
| <fix> |
| <bug>49122</bug>: Improvements and fixes for index page for ROOT web |
| application. Based on a patch provided by pidster. (markt) |
| </fix> |
| <fix> |
| <bug>51516</bug>: Correct documentation web application to show correct |
| system property name for changing the name of the SSO session cookie. |
| (markt) |
| </fix> |
| <update> |
| Configure the Manager and Host Manager web applications with the Set |
| Character Encoding Filter to make the default request character encoding |
| UTF-8 to improve i18n support. Note that best results will be obtained |
| if the connector is also configured with |
| <code>URIEncoding="UTF-8"</code>. (markt) |
| </update> |
| <update> |
| Update the documentation web application to be even more explicit about |
| the implications of setting the path attribute on a Context element in |
| server.xml. (markt) |
| </update> |
| <fix> |
| <bug>51561</bug>: Update the Realm page within the documentation web |
| application to recommend the use of digest.[bat|sh] to generate digests |
| rather than calling RealmBase directly. (markt) |
| </fix> |
| <fix> |
| <bug>51567</bug>: Update the class loading page of the documentation |
| web application to include information on the search order for the |
| common class loader when separate values are used for $CATALINA_HOME and |
| $CATALINA_BASE. (markt) |
| </fix> |
| <update> |
| Improve class loading documentation and logging documentation. |
| (kkolinko) |
| </update> |
| <add> |
| Add information to the security page of the documentation web |
| application for the ciphers attribute of the Connector element. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>51503</bug>: Add additional validation to Windows installer that |
| ensures that the shutdown port, HTTP port and AJP port are all specified |
| during the install process. (markt) |
| </fix> |
| <fix> |
| <bug>51531</bug>: Update sample Eclipse classpath file to reflect |
| updated ECJ jar. Patch provided by Ian Brandt. (markt) |
| </fix> |
| <update> |
| Convert Tomcat unit tests to JUnit 4. (kkolinko) |
| </update> |
| <update> |
| Update optional CheckStyle library to 5.4. (kkolinko) |
| </update> |
| <update> |
| Remove <code>resolveHosts</code> attribute from AccessLogValve |
| configuration in the default <code>server.xml</code>. It was documented |
| in 7.0.19 that it has no effect. (kkolinko) |
| </update> |
| <update> |
| Simplify mapping for <code>jsp</code> servlet in the default |
| <code>web.xml</code>. (kkolinko) |
| </update> |
| <fix> |
| Correctly handle uninstall with the Windows installer if the service is |
| installed with a name that contains a '-' character. (markt) |
| </fix> |
| <fix> |
| <bug>51598</bug>: Prevent direct invocation of the Windows uninstaller |
| without a service name from executing since the uninstall will not be |
| complete. (markt) |
| </fix> |
| <fix> |
| Use Tomcat icon (cat) instead of Apache Commons Daemon (feather) one |
| in the list of uninstallable programs on Windows. (kkolinko) |
| </fix> |
| <update> |
| Update to Apache Commons Daemon 1.0.7. (markt) |
| </update> |
| <fix> |
| <bug>51621</bug>: Add additional required JARs to the deployer |
| distribution. (markt) |
| </fix> |
| <fix> |
| Fix a small number of warnings reported by FindBugs. (markt) |
| </fix> |
| <update> |
| Update to version 1.1.22 of the native component for the AJP APR/native |
| and HTTP APR/native connectors. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.19 (markt)" rtext="released 2011-07-19"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Add option to activate access log for unit tests. (rjung) |
| </add> |
| <fix> |
| Fix regression in year number formatting for AccessLogValve. (rjung) |
| </fix> |
| <add> |
| <bug>46252</bug>: Allow specifying the character set to be used to write |
| the access log in AccessLogValve. (kkolinko) |
| </add> |
| <fix> |
| <bug>51494</bug>: Prevent an NPE when a long running request completes |
| if the associated web application was destroyed while the request was |
| processing. (markt) |
| </fix> |
| <update> |
| Allow choosing a locale for timestamp formatting in AccessLogValve. |
| (rjung) |
| </update> |
| <fix> |
| When generating access logs for errors, log at the Context/Host level if |
| a Context or Host can be identified for the failed request. (markt) |
| </fix> |
| <update> |
| Create a directory for access log or error log (in AccessLogValve and |
| in JULI FileHandler) automatically when it is specified as a part of |
| the file name, e.g. in the <code>prefix</code> attribute. Earlier this |
| happened only if it was specified with the <code>directory</code> |
| attribute. (kkolinko) |
| </update> |
| <fix> |
| Log a failure if access log file cannot be opened. (kkolinko) |
| </fix> |
| <fix> |
| Use en_US as locale for timestamps in ExtendedAccessLogValve. |
| (rjung) |
| </fix> |
| <fix> |
| Use en_US as locale for creationdate in WebdavServlet. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| <bug>51477</bug>: Support all SSL protocol combinations in the |
| APR/native connector. This only works when using the native library |
| version 1.1.21 or later, which is not yet released. (rjung) |
| </update> |
| <update> |
| Various refactorings to reduce code duplication and unnecessary code in |
| the connectors. (markt) |
| </update> |
| <fix> |
| Correct regression introduced in 7.0.17 that triggered 400 entries in |
| the AccessLog when using the AJP/BIO connector. (markt) |
| </fix> |
| <fix> |
| Fix regression producing invalid MBean names when using IPV6 |
| addresses for connectors. (rjung) |
| </fix> |
| <fix> |
| Add missing thread name in RequestProcessor when Servlet 3 Async |
| is used. Fixes null thread name in access log and JMX MBean. (rjung) |
| </fix> |
| <fix> |
| Fix CVE-2011-2526. Protect against infinite loops (HTTP NIO) and crashes |
| (HTTP APR) if sendfile is configured to send more data than is available |
| in the file. (markt) |
| </fix> |
| <fix> |
| Prevent NPEs when a socket is closed in non-error conditions after |
| sendfile processing when using the HTTP NIO connector. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <update> |
| Remove unnecessary server.xml parsing code for old cluster |
| implementation that does not ship as part of Tomcat 7. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Add additional information to the documentation web application on the |
| benefits and remaining risks when running under a security manager. |
| (markt) |
| </add> |
| <fix> |
| <bug>51490</bug>: Correct broken HTML in JSP tag plugin examples and |
| improve the &lt;c:if&gt; example to make failures more obvious. Based on |
| suggestions by Charles. (markt) |
| </fix> |
| <add> |
| Document ExtendedAccessLogValve. (rjung) |
| </add> |
| <fix> |
| Correct default value of <code>enableLookups</code> for connectors |
| and mention that <code>resolveHosts</code> for the AccessLogValve |
| is replaced by <code>enableLookups</code>. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <add> |
| Include jdbc-pool into Tomcat release. (fhanik) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update to Apache Commons Daemon 1.0.6. (markt) |
| </update> |
| <update> |
| Update to Eclipse JDT Compiler 3.7. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.18 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct regression introduced in 7.0.17 that triggered an NPE if a |
| CrawlerSessionManagerValve was used without setting crawlerUserAgents. |
| (markt) |
| </fix> |
| <fix> |
| <bug>51466</bug>: Correct comment typos in HostManagerServlet. Patch |
| provided by Felix Schumacher. (markt) |
| </fix> |
| <fix> |
| <bug>51467</bug>: Invoke Thread.start() rather than Thread.run() so that |
| listeners and filters are stopped in a separate thread rather than the |
| current thread. Patch provided by Felix Schumacher. (markt) |
| </fix> |
| <fix> |
| <bug>51473</bug>: Fix concatenation of values in |
| <code>SecurityConfig.setSecurityProperty()</code>. (kkolinko) |
| </fix> |
| <fix> |
| Fix response.encodeURL() for the special case of an absolute URL |
| with no path segment (http://name). (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct regression caused by connector re-factoring that made AJP |
| APR/native connector very unstable on Windows platforms. (markt) |
| </fix> |
| <fix> |
| Correct regression caused by connector re-factoring that meant that |
| sendfile data was not reset between pipe-lined HTTP requests. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <update> |
| Re-factor tests to align packages for tests with the classes under test. |
| Start to convert non-JUnit tests to JUnit. Remove unnecessary code. |
| (markt) |
| </update> |
| <fix> |
| Add synchronization to receiver socket binding to prevent test failures |
| on Linux. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| More code clean-up to remove unused code and reduce IDE warnings. |
| (markt/kkolinko) |
| </fix> |
| <update> |
| Further improvements to the Windows installer. (markt/kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.17 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>48956</bug>: Add regular expression support for SSI. (markt) |
| </add> |
| <add> |
| <bug>49165</bug>: Allow any time stamp formats supported by |
| SimpleDateFormat in AccessLogValve. Support logging begin and/or end of |
| request. (rjung) |
| </add> |
| <add> |
| <bug>50677</bug>: Allow system property variables to be used in the |
| values of "common.loader" and other "*.loader" properties in the |
| <code>catalina.properties</code> file. (kkolinko) |
| </add> |
| <fix> |
| <bug>51376</bug>: When adding a Servlet via |
| ServletContext#addServlet(String, Servlet), the Servlet was not |
| initialized when the web application started and a load on startup value |
| was set. (markt) |
| </fix> |
| <fix> |
| <bug>51386</bug>: Correct code for processing @HandlesTypes annotations |
| so only types of interest are reported to a ServletContainerInitializer. |
| (markt) |
| </fix> |
| <update> |
| Add the Tomcat extras, ant-junit and Java Help Jars to the list of JARs |
| to skip when scanning for TLDs and web fragments. (rjung) |
| </update> |
| <fix> |
| The fix for bug <bug>51310</bug> caused a regression that re-introduced |
| bug <bug>49957</bug> and deleted the contents of the work directory |
| when Tomcat was shut down. This fix ensures that the work directory for |
| an application is not deleted when Tomcat is shut down. (markt) |
| </fix> |
| <fix> |
| Correct issues with JULI's OneLineFormatter including: correctly |
| re-using formatted timestamps when possible; thread-safety issues in |
| timestamp formatting; correcting the output of any milliseconds to |
| include leading zeros and formatting any parameters present. |
| (kkolinko/markt/rjung) |
| </fix> |
| <fix> |
| <bug>51395</bug>: Fix memory leak triggered when an application that |
| includes a SAXParserFactory is the first web application to be loaded. |
| (markt) |
| </fix> |
| <fix> |
| <bug>51396</bug>: Correctly handle jsp-file entries in web.xml when the |
| JSP servlet has been configured via code when embedding Tomcat. (markt) |
| </fix> |
| <fix> |
| <bug>51400</bug>: Avoid known bottleneck in JVM when converting between |
| Strings and bytes by always providing a Charset rather than an encoding |
| name. Based on a patch by Dave Engberg. (markt) |
| </fix> |
| <fix> |
| <bug>51401</bug>: Correctly initialise shared WebRuleSet instance used |
| by the digesters that parse web.xml and prevent incorrect warnings about |
| multiple occurrences of elements that are only allowed to appear once in |
| web.xml and web-fragment.xml. (kfujino) |
| </fix> |
| <add> |
| <bug>51403</bug>: Avoid NPE in JULI FileHandler if formatter is |
| misconfigured. (kkolinko) |
| </add> |
| <fix> |
| Previous improvements in JAR scanning performance introduced a start-up |
| performance penalty for some use cases. This fix addresses those |
| performance penalties while retaining the original improvements. (markt) |
| </fix> |
| <add> |
| <bug>51418</bug>: Provide more control over Context creation when |
| embedding Tomcat. Based on a patch by Benson Margulies. (markt/kkolinko) |
| </add> |
| <fix> |
| Remove redundant copy of catalina.properties from o.a.c.startup. |
| Generate this copy for inclusion in bin and src jars during the |
| ant "compile" task. (rjung) |
| </fix> |
| <fix> |
| Use system properties loaded from catalina.properties via the class |
| path in unit tests. (rjung) |
| </fix> |
| <update> |
| Improve JMX unit test. (rjung) |
| </update> |
| <fix> |
| Fix IllegalStateException for JavaScript files when switching from |
| Writer to OutputStream. The special handling of this case in the |
| DefaultServlet was broken due to a MIME type change for JavaScript. |
| (funkman) |
| </fix> |
| <fix> |
| Fix CVE-2011-2204. Prevent user passwords appearing in log files if a |
| runtime exception (e.g. OOME) occurs while creating a new user for a |
| MemoryUserDatabase via JMX. (markt) |
| </fix> |
| <fix> |
| Fix an issue with the CrawlerSessionManagerValve that meant sessions |
| were not always correctly tracked. (markt) |
| </fix> |
| <fix> |
| <bug>51436</bug>: Send 100 (Continue) response earlier to enable |
| ServletRequestListener implementations to read the request body. Based |
| on a patch by Simon Olofsson. (markt) |
| </fix> |
| <fix> |
| Ensure an access log entry is made if an error occurs during |
| asynchronous request processing and the socket is immediately closed. |
| (markt) |
| </fix> |
| <fix> |
| Ensure that if asyncDispatch() is called during an onTimeout event and |
| the target Servlet does not call startAsync() or complete() that Tomcat |
| calls complete() once the target Servlet exits. (markt) |
| </fix> |
| <fix> |
| Improve the handling for Servlets that implement the deprecated |
| SingleThreadModel when embedding Tomcat. (markt) |
| </fix> |
| <fix> |
| <bug>51445</bug>: Correctly initialise all instances of Servlets that |
| implement SingleThreadModel. Based on a patch by Felix Schumacher. |
| (markt) |
| </fix> |
| <fix> |
| <bug>51453</bug>: Fix a regression in the preemptive authentication |
| support (enhancement <bug>12428</bug>) that could trigger authentication |
| even if preemptive authentication was disabled. (markt) |
| </fix> |
| <fix> |
| Prevent possible NPE when serving Servlets that implement the |
| SingleThreadModel interface. (markt) |
| </fix> |
| <fix> |
| In launcher for embedded Tomcat: do not change <code>catalina.home</code> |
| system property if it had a value. (kkolinko) |
| </fix> |
| <fix> |
| When using Servlets that implement the SingleThreadModel interface, add |
| the single instance created to the pool when it is determined that a |
| pool of servlets is required rather than throwing it away. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix unit test for bindOnInit which was failing for APR on some |
| platforms. (rjung) |
| </fix> |
| <fix> |
| Remove superfluous quotes from thread names for connection pools. |
| (rjung) |
| </fix> |
| <fix> |
| Fix crash observed during pausing the connector when using APR. |
| Only add socket to poller if we are sure we don't close it later. |
| (rjung) |
| </fix> |
| <update> |
| Various refactorings to reduce code duplication and unnecessary code in |
| the connectors. (markt) |
| </update> |
| <fix> |
| Correct a regression introduced in Apache Tomcat 7.0.11 that broke |
| certificate revocation list handling. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Improve the message printed by TldLocationsCache and add configuration |
| example to the <code>logging.properties</code> file. (kkolinko) |
| </update> |
| <fix> |
| <bug>33453</bug>: Recompile JSPs if last modified time of the source or |
| any of its dependencies changes either forwards or backwards. Note that |
| this introduces an incompatible change to the code generated for JSPs. |
| Tomcat will automatically re-compile any JSPs and tag files found in the |
| work directory when upgrading from 7.0.16 or earlier to 7.0.17 or later. |
| If you later downgrade from 7.0.17 or later to 7.0.16 or earlier, you |
| must empty the work directory as part of the downgrade process. (markt) |
| </fix> |
| <fix> |
| <bug>36362</bug>: Handle the case where tag file attributes (which can |
| use any valid XML name) have a name which is not a Java identifier. |
| (markt/kkolinko) |
| </fix> |
| <add> |
| Broaden the exception handling in the EL Parser so that more failures to |
| parse an expression include the failed expression in the exception |
| message. Hopefully, this will help track down the cause of |
| <bug>51088</bug>. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>51306</bug>: Avoid NPE when handleSESSION_EXPIRED is processed |
| while handleSESSION_CREATED is being processed. (kfujino) |
| </fix> |
| <fix> |
| Notifications of changes in session ID to other nodes in the cluster |
| should be controlled by notifySessionListenersOnReplication rather than |
| notifyListenersOnReplication. (markt) |
| </fix> |
| <fix> |
| The change in session ID is notified to the container event listener on |
| the backup node in cluster. |
| This notification is controlled by |
| notifyContainerListenersOnReplication. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Update Maven repository information in the documentation to reflect |
| current usage. (markt) |
| </fix> |
| <add> |
| <bug>43538</bug>: Add host name and IP address to the HTML Manager |
| application. Patch by Dennis Lundberg. (markt) |
| </add> |
| <fix> |
| Add <code>session="false"</code> directive to the index page of the |
| ROOT web application. (kkolinko) |
| </fix> |
| <fix> |
| <bug>51443</bug>: Document the notifySessionListenersOnReplication |
| attribute for the DeltaManager. (markt) |
| </fix> |
| <fix> |
| <bug>51447</bug>: Viewing a backup session in the HTML Manager web |
| application no longer changes the session to a primary session. Based on |
| a patch provided by Eiji Takahashi. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>33262</bug>: Install monitor to auto-start for current user only |
| rather than all users to be consistent with menu item creation. (markt) |
| </fix> |
| <add> |
| <bug>40510</bug>: Provide an option to install shortcuts for the current |
| user or all users. Also ensure registry is correctly cleaned on |
| uninstall for 64-bit platforms. (markt) |
| </add> |
| <add> |
| <bug>50949</bug>: Provide the ability to specify the AJP port and |
| service name when installing Tomcat using the Windows installer. This |
| permits multiple instances of the same Tomcat version to be installed |
| side-by-side. (markt) |
| </add> |
| <update> |
| Clean up shell and batch scripts (improve consistency, |
| clarify comments, add <code>configtest</code> command support for |
| Windows). (rjung) |
| </update> |
| <fix> |
| <bug>51206</bug>: Make CATALINA_BASE visible for setenv.sh. (rjung) |
| </fix> |
| <update> |
| Remove unnecessary variable BASEDIR from scripts. (rjung) |
| </update> |
| <fix> |
| <bug>51425</bug>, <bug>51450</bug>: Update Spanish translations. Based |
| on patches provided by Jesus Marin. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.16 (markt)" rtext="released 2011-06-17"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>51249</bug>: Further improve system property replacement code |
| in ClassLoaderLogManager of Tomcat JULI to cover some corner cases. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>51264</bug>: Improve the previous fix for this issue by returning |
| the connection to the pool when not in use so it does not appear to be |
| an abandoned connection. Patch provided by Felix Schumacher. (markt) |
| </fix> |
| <fix> |
| <bug>51324</bug>: Improve handling of exceptions when flushing the |
| response buffer to ensure that the doFlush flag does not get stuck in |
| the enabled state. Patch provided by Jeremy Norris. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the fix for <bug>51278</bug> that prevented any |
| web application from being marked as distributable. (kfujino/markt) |
| </fix> |
| <fix> |
| Correct a regression in the fix for <bug>51278</bug> that prevented a |
| web application from overriding the default welcome files. (markt) |
| </fix> |
| <fix> |
| Enable remaining valves for Servlet 3 asynchronous processing support. |
| (markt) |
| </fix> |
| <fix> |
| Avoid possible NPE when logging requests received during embedded Tomcat |
| shutdown. (markt) |
| </fix> |
| <fix> |
| <bug>51340</bug>: Fix thread-safety issue when parsing multiple web.xml |
| files in parallel. Apache Tomcat does not do this but products that |
| embed it may. (markt) |
| </fix> |
| <fix> |
| <bug>51344</bug>: Fix problem with Lifecycle re-factoring for deprecated |
| embedded class that prevented events being triggered. (markt) |
| </fix> |
| <fix> |
| <bug>51348</bug>: Prevent possible NPE when processing WebDAV locks. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When parsing the port in the HTTP host header, restrict the value to be |
| base 10 integer digits rather than hexadecimal ones. |
| (rjung/markt/kkolinko) |
| </fix> |
| <update> |
| Various refactorings to reduce code duplication and unnecessary code in |
| the connectors. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Change JAR scanning log messages where no TLDs are found to DEBUG level |
| and replace the multiple messages with a single INFO level message that |
| indicates that at least one JAR was scanned needlessly and how to obtain |
| more info. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Enable Servlet 3 asynchronous processing support when using clustering. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the log4j configuration settings when defining conversion |
| patterns in the documentation web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.15 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>27122</bug>: Remove a workaround for a very old and since fixed |
| Mozilla bug and change the default value of the securePagesWithPragma |
| attribute of the Authenticator Valves to false. These changes should |
| reduce the likelihood of issues when downloading files with IE. (markt) |
| </fix> |
| <fix> |
| <bug>35054</bug>: Check that a file is not specified for a Host's |
| appBase and log an error if it is. (markt) |
| </fix> |
| <fix> |
| <bug>51197</bug>: Fix possible dropped connection when sendError or |
| sendRedirect are used during async processing. (markt) |
| </fix> |
| <fix> |
| <bug>51221</bug>: Correct Spanish translation of text used in a 302 |
| response. Patch provided by Paco Soberón. (markt) |
| </fix> |
| <fix> |
| <bug>51249</bug>: Correct ClassLoaderLogManager system property |
| replacement code so properties of the form "}${...}" can be used |
| without error. (markt) |
| </fix> |
| <fix> |
| <bug>51264</bug>: Allow the JDBC persistent session store to use a |
| JNDI datasource to define the database in which sessions are persisted. |
| Patch provided by Felix Schumacher. (markt) |
| </fix> |
| <fix> |
| <bug>51274</bug>: Add missing i18n strings in PersistentManagerBase. |
| Patch provided by Eiji Takahashi. (markt) |
| </fix> |
| <fix> |
| <bug>51276</bug>: Provide an abstraction for accessing content in JARs |
| so the most efficient method can be selected depending on the type of |
| URL used to identify the JAR. This improves startup time when JARs are |
| located in $CATALINA_BASE/lib. (markt) |
| </fix> |
| <fix> |
| <bug>51277</bug>: Improve error message if an application is deployed |
| with an incomplete FORM authentication configuration. (markt) |
| </fix> |
| <fix> |
| <bug>51278</bug>: Allow ServletContainerInitializers to override |
| settings in the global default web.xml and the host web.xml. (markt) |
| </fix> |
| <fix> |
| <bug>51310</bug>: When stopping the Server object on shutdown call |
| destroy() after calling stop(). (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>51145</bug>: Add an AJP-NIO connector. (markt/rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>51220</bug>: Add a system property to enable tag pooling with JSPs |
| that use a custom base class. Based on a patch by Dan Mikusa. (markt) |
| </add> |
| <add> |
| Include a comment header in generated java files that indicates when the |
| file was generated and which version of Tomcat generated it. (markt) |
| </add> |
| <fix> |
| <bug>51240</bug>: Ensure that maxConnections limit is enforced when |
| multiple acceptor threads are configured. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>51230</bug>: Add missing attributes to JMX for ReplicationValve and |
| JvmRouteBinderValve. Patch provided by Eiji Takahashi. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Add documentation for AJP-NIO connector. (markt/rjung) |
| </add> |
| <fix> |
| <bug>51182</bug>: Document JAAS support added in <bug>51119</bug>. |
| Patch provided by Neil Laurance. (markt) |
| </fix> |
| <fix> |
| <bug>51225</bug>: Fix broken documentation links for non-English locales |
| in the HTML Manager application. Patch provided by Eiji Takahashi. |
| (markt) |
| </fix> |
| <fix> |
| <bug>51229</bug>: Fix bugs in the Servlet 3.0 asynchronous examples. |
| Patch provided by Eiji Takahashi. (markt) |
| </fix> |
| <fix> |
| <bug>51251</bug>: Add web application version support to the Ant tasks. |
| Based on a patch provided by Eiji Takahashi. (markt) |
| </fix> |
| <fix> |
| <bug>51294</bug>: Clarify behaviour of unpackWAR attribute of |
| StandardContext components. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>46451</bug>: Configure svn:bugtraq properties for Tomcat trunk. |
| Based on a patch provided by Marc Guillemot. (markt) |
| </fix> |
| <fix> |
| <bug>51309</bug>: Correct logic in catalina.sh stop when using a PID |
| file to ensure the correct message is shown. Patch provided by Caio |
| Cezar. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.14 (markt)" rtext="released 2011-05-12"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| Stylistic improvements to MIME type sync script. |
| Based on a patch provided by Felix Schumacher. (rjung) |
| </update> |
| <fix> |
| Ensure that the SSLValve provides the SSL key size as an Integer rather |
| than a String. (markt) |
| </fix> |
| <fix> |
| Ensure that the RemoteIpValve works correctly with Servlet 3.0 |
| asynchronous requests. (markt) |
| </fix> |
| <fix> |
| Use safe equality test when determining event type in the |
| MapperListener. (markt) |
| </fix> |
| <fix> |
| Use correct class loader when loading Servlet classes in |
| StandardWrapper. (markt) |
| </fix> |
| <add> |
| Provide additional configuration options for the RemoteIpValve and |
| RemoteIpFilter to allow greater control over the values returned by |
| ServletRequest#getServerPort() and ServletRequest#getLocalPort() when |
| Tomcat is behind a reverse proxy. (markt) |
| </add> |
| <fix> |
| Ensure session cookie paths end in <code>/</code> so that session |
| cookies created for a context with a path of <code>/foo</code> do not |
| get returned with requests mapped to a context with a path of |
| <code>/foobar</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>51177</bug>: Ensure Tomcat's MapElResolver always returns |
| <code>Object.class</code> for <code>getType()</code> as required by the |
| EL specification. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.13 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct mix-up in Realm Javadoc. (markt) |
| </fix> |
| <fix> |
| Fix display of response headers in AccessLogValve. (kkolinko) |
| </fix> |
| <update> |
| Implement display of multiple request headers in AccessLogValve: |
| print not just the value of the first header, but of all of them, |
| separated by commas. (kkolinko) |
| </update> |
| <add> |
| <bug>50306</bug>: New StuckThreadDetectionValve to detect requests that |
| take a long time to process, which might indicate that their processing |
| threads are stuck. Based on a patch provided by TomLu. (slaurent) |
| </add> |
| <fix> |
| <bug>51038</bug>: Ensure that asynchronous requests are included in |
| access logs. (markt) |
| </fix> |
| <fix> |
| <bug>51042</bug>: Don't trigger session creation listeners when a |
| session ID is changed as part of the authentication process. (markt) |
| </fix> |
| <fix> |
| <bug>51050</bug>: Add additional common but non-standard file extension |
| to MIME type mappings for MPEG 4 files. Based on a patch by Cédrik Lime. |
| (markt) |
| </fix> |
| <add> |
| Add some additional common JARs that do not contain TLDs or web |
| fragments to the list of JARs to skip when scanning for TLDs and web |
| fragments. (markt) |
| </add> |
| <fix> |
| While scanning JARs for TLDs and fragments, avoid using JarFile and use |
| JarInputStream as in most circumstances where JARs are scanned, JarFile |
| will create a temporary copy of the JAR rather than using the resource |
| directly. This change significantly improves startup performance for |
| applications with lots of JARs to be scanned. (markt) |
| </fix> |
| <fix> |
| Ensure response is committed when <code>AsyncContext#complete()</code> |
| is called. (markt) |
| </fix> |
| <add> |
| Add a container event that is fired when a session's ID is changed, |
| e.g. on authentication. (markt) |
| </add> |
| <fix> |
| <bug>51099</bug>: Correctly implement non-default login configurations |
| (configured via the loginConfigName attribute) for the SPNEGO |
| authenticator. (fhanik/markt) |
| </fix> |
| <add> |
| <bug>51119</bug>: Add JAAS authentication support to the |
| JMXRemoteLifecycleListener. Patch provided by Neil Laurance. (markt) |
| </add> |
| <add> |
| <bug>51136</bug>: Provide methods that enable the name of a Context on |
| Context creation when using Tomcat in an embedded scenario. Based on a |
| patch provided by David Calavera. (markt) |
| </add> |
| <fix> |
| <bug>51137</bug>: Add additional Microsoft Office MIME type mappings. |
| (rjung) |
| </fix> |
| <add> |
| Partial sync of MIME type mapping with mime.types from the Apache web |
| server. About 600 MIME types added, some changed. (rjung) |
| </add> |
| <fix> |
| Make access logging more robust when logging requests that generate 400 |
| responses since the request object is unlikely to be fully/correctly |
| populated in that case. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>50957</bug>: Fix regression in HTTP BIO connector that triggered |
| errors when processing pipe-lined requests. (markt) |
| </fix> |
| <fix> |
| <bug>50158</bug>: Ensure that asynchronous requests never time out if the |
| timeout is set to zero or less. Based on a patch provided by Chris. |
| (markt) |
| </fix> |
| <fix> |
| <bug>51073</bug>: Throw an exception and do not start the APR connector |
| if it is configured for SSL and an invalid value is provided for |
| SSLProtocol. (markt) |
| </fix> |
| <fix> |
| Align all the connector implementations with the documented default |
| setting for processorCache of 200. This changes the default from -1 |
| (unlimited) for the AJP-BIO, AJP-APR and HTTP-APR connectors. Additional |
| information was also added to the documentation on how to select an |
| appropriate value. |
| </fix> |
| <fix> |
| Take account of time spent waiting for a processing thread when |
| calculating connection and keep-alive timeouts for the HTTP BIO |
| connector. (markt) |
| </fix> |
| <fix> |
| <bug>51095</bug>: Don't trigger a NullPointerException when the SSL |
| handshake fails with the HTTP-APR connector. Patch provided by Mike |
| Glazer. (markt) |
| </fix> |
| <fix> |
| Improve handling in AJP connectors of the case where too large an AJP |
| packet is received. (markt) |
| </fix> |
| <fix> |
| Restore the automatic disabling of HTTP keep-alive with the BIO |
| connector once 75% of the processing threads are in use and make the |
| threshold configurable. (markt) |
| </fix> |
| <fix> |
| Make pollerSize and maxConnections synonyms for the APR connectors since |
| they perform the same function. (markt) |
| </fix> |
| <fix> |
| Use maxThreads rather than 10000 as the default maxConnections for the |
| BIO connectors. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>47371</bug>: Correctly coerce the empty string to zero when used as |
| an operand in EL arithmetic. Patch provided by gbt. (markt) |
| </fix> |
| <add> |
| Label JSP/tag file line and column numbers when reporting errors since |
| it may not be immediately obvious what the numbers represent. (markt) |
| </add> |
| <fix> |
| Correct a regression in the fix for <bug>49916</bug> that resulted in |
| JSPs being compiled twice rather than just once. (markt) |
| </fix> |
| <add> |
| Log JARs that are scanned for TLDs where no TLD is found so that users |
| can easily identify JARs that can be added to the list of JARs to skip. |
| (markt) |
| </add> |
| <update> |
| Use a single TLD location cache for a web application rather than one |
| per JSP compilation to speed up JSP compilation. (markt) |
| </update> |
| <add> |
| <bug>51124</bug>: Refactor BodyContentImpl to assist in determining the |
| root cause of this bug. Based on a patch by Ramiro. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>50950</bug>: Correct possible NotSerializableException for an |
| authenticated session when running with a security manager. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <update> |
| Configure Security Manager How-To to include a copy of the actual |
| conf/catalina.policy file when the documentation is built, rather |
| than maintaining a copy of its content. (kkolinko) |
| </update> |
| <fix> |
| Fix broken stylesheet URL in XML based manager status output. (rjung) |
| </fix> |
| <fix> |
| <bug>51156</bug>: Ensure session expiration option is available in |
| Manager application for running web applications that were defined in |
| server.xml. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Clarify error messages in *.sh files to mention that if a script is |
| not found it might be because execute permission is needed. (kkolinko) |
| </update> |
| <update> |
| Update Apache Commons Pool to 1.5.6. (markt) |
| </update> |
| <fix> |
| <bug>51135</bug>: Fix auto-detection of JAVA_HOME for 64-bit Windows |
| platforms that only have a 32-bit JVM installed. (markt) |
| </fix> |
| <fix> |
| <bug>51154</bug>: Remove duplicate @deprecated tags in ServletContext |
| Javadoc. Patch provided by sebb. (markt) |
| </fix> |
| <fix> |
| <bug>51155</bug>: Add comments to @deprecated tags that have none. Patch |
| provided by sebb. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.12 (markt)" rtext="released 2011-04-06"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Automatically correct invalid paths when specified for Context elements |
| inside server.xml and log a warning that the configuration has been |
| corrected. (markt) |
| </add> |
| <fix> |
| Don't unpack WAR files if they are not located in the Host's |
| appBase. (markt) |
| </fix> |
| <fix> |
| Don't log to standard out in SSLValve. (markt) |
| </fix> |
| <fix> |
| Handle the case where a web crawler provides an invalid session ID in |
| the CrawlerSessionManagerValve. (markt) |
| </fix> |
| <update> |
| Update pattern used in CrawlerSessionManagerValve to that used by the |
| ASF infrastructure team. (markt) |
| </update> |
| <fix> |
| Remove unnecessary whitespace from MIME mapping entries in global |
| web.xml file. (markt) |
| </fix> |
| <fix> |
| When using parallel deployment, correctly handle the scenario when the |
| client sends multiple JSESSIONID cookies. (markt) |
| </fix> |
| <add> |
| <bug>12428</bug>: Add support (disabled by default) for preemptive |
| authentication. This can be configured per context. Based on a patch |
| suggested by Werner Donn. (markt) |
| </add> |
| <fix> |
| Make the CSRF nonce cache serializable so that it can be replicated |
| across a cluster and/or persisted across Tomcat restarts. (markt) |
| </fix> |
| <update> |
| Resolve some refactoring TODOs in the implementation of the new Context |
| attribute "swallowAbortedUploads". (markt) |
| </update> |
| <fix> |
| Include the seed time when calculating the time taken to create |
| SecureRandom instances for session ID generation, report excessive times |
| (greater than 100ms) at INFO level and provide a value for the message |
| key so a meaningful message appears in the logs. (markt) |
| </fix> |
| <fix> |
| Don't register Contexts that fail to start with the Mapper. (markt) |
| </fix> |
| <add> |
| <bug>48685</bug>: Add initial support for SPNEGO/Kerberos authentication, |
| also referred to as integrated Windows authentication. This includes |
| user authentication, authorisation via the directory using the |
| user's delegated credentials and exposing the user's delegated |
| credentials via a request attribute so applications can make use of them |
| to impersonate the current user when accessing third-party systems that |
| use a compatible authentication mechanism. Based on a patch provided by |
| Michael Osipov. (markt) |
| </add> |
| <fix> |
| HTTP range requests cannot be reliably served when a Writer is in use so |
| prevent the DefaultServlet from attempting to do so. (kkolinko) |
| </fix> |
| <fix> |
| Protect the DefaultServlet from Valves, Filters and Wrappers that write |
| content to the response. Prevent partial responses to partial GET |
| requests in this case since the range cannot be reliably determined. |
| Also prevent the DefaultServlet from setting a content length header |
| since this too cannot be reliably determined. (markt) |
| </fix> |
| <fix> |
| <bug>50929</bug>: When wrapping an exception, include the root cause. |
| Patch provided by sebb. (markt) |
| </fix> |
| <fix> |
| <bug>50991</bug>: Fix regression in fix for <bug>25060</bug> that called |
| close on a JNDI resource while it was still available to the |
| application. (markt) |
| </fix> |
| <add> |
| Provide a configuration option that allows the close method to be used for |
| a JNDI Resource to be defined by the user. This change also disables |
| using the close method unless one is explicitly defined for the |
| resource and limits it to singleton resources. (markt) |
| </add> |
| <fix> |
| Correctly track changes to context.xml files and trigger redeployment |
| when copyXML is set to false. (markt) |
| </fix> |
| <fix> |
| <bug>50997</bug>: Relax the requirement that directories must have a |
| name ending in <code>.jar</code> to be treated as an expanded JAR file |
| by the default JarScanner. Based on patch by Rodion Zhitomirsky. (markt) |
| </fix> |
| <fix> |
| Don't append the jvmRoute to a session ID if the jvmRoute is a zero |
| length string. (markt) |
| </fix> |
| <fix> |
| Don't register non-singleton DataSource resources with JMX. (markt) |
| </fix> |
| <add> |
| CVE-2011-1184: Provide additional configuration options for the DIGEST |
| authenticator. (markt) |
| </add> |
| <fix> |
| Provide a workaround for Tomcat hanging during shutdown when running the |
| unit tests. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>50887</bug>: Add support for configuring the JSSE provider used to |
| convert client certificates. Based on a patch by pknopp. (markt) |
| </add> |
| <fix> |
| <bug>50903</bug>: When a connector is stopped, ensure that requests that |
| are currently in a keep-alive state and waiting for client data are not |
| processed. Requests where processing has started will continue to |
| completion. (markt) |
| </fix> |
| <fix> |
| <bug>50927</bug>: Improve error message when SSLCertificateFile is not |
| specified when using APR with SSL. Based on a patch provided by sebb. |
| (markt) |
| </fix> |
| <fix> |
| <bug>50928</bug>: Don't ignore keyPass attribute for HTTP BIO and |
| NIO connectors. Based on a patch provided by sebb. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Securely seed the SecureRandom instance used for UUID generation and |
| report excessive creation time (greater than 100ms) at INFO level. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>50924</bug>: Clean-up HTTP connector comparison table. (markt) |
| </fix> |
| <add> |
| Slightly expanded the documentation of the Host element to clarify the |
| relationship between host name and DNS name. (markt) |
| </add> |
| <fix> |
| <bug>50925</bug>: Update SSL how-to to take account of |
| <code>keyPass</code> connector attribute. (markt) |
| </fix> |
| <update> |
| Improve Tomcat Logging documentation. (kkolinko) |
| </update> |
| <fix> |
| Align the authenticator documentation and MBean descriptors with the |
| implementation. (markt) |
| </fix> |
| <fix> |
| Prevent the custom error pages for the Manager and Host Manager |
| applications from being accessed directly. (markt) |
| </fix> |
| <fix> |
| <bug>50984</bug>: When using the Manager application ensure that |
| undeployment fails if a file cannot be deleted. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update Eclipse JDT compiler to 3.6.2. (markt) |
| </update> |
| <update> |
| Update WSDL4J library to 1.6.2 (used by JSR 109 support in the extras |
| package). (markt) |
| </update> |
| <update> |
| Update optional CheckStyle library to 5.3. (markt) |
| </update> |
| <fix> |
| <bug>50911</bug>: Reduce noise generated during the build of the Windows |
| installer so warnings are more obvious. Patch provided by sebb. (markt) |
| </fix> |
| <fix> |
| Further work to reduce compiler and validation warnings across the code |
| base. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.11 (markt)" rtext="released 2011-03-11"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| CVE-2011-1088: Completed fix. Don't ignore @ServletSecurity |
| annotations. (markt) |
| </fix> |
| <add> |
| <bug>25060</bug>: Close Apache Commons DBCP 1.x datasources when the |
| associated JNDI naming context is stopped (e.g. for a non-global |
| DataSource resource on web application reload) to close remaining |
| database connections immediately rather than waiting for garbage |
| collection. (markt) |
| </add> |
| <add> |
| <bug>26701</bug>: Provide a mechanism for users to register their own |
| <code>URLStreamHandlerFactory</code> objects. (markt) |
| </add> |
| <fix> |
| <bug>50855</bug>: Fix NPE on HttpServletRequest.logout() when debug |
| logging is enabled. (markt) |
| </fix> |
| <add> |
| New context attribute "swallowAbortedUploads" allows request data |
| swallowing to be made configurable for requests that are too |
| large. (rjung) |
| </add> |
| <fix> |
| <bug>50854</bug>: Add additional permissions required by the Manager |
| application when running under a security manager and support a shared |
| Manager installation when $CATALINA_HOME != $CATALINA_BASE. (markt) |
| </fix> |
| <fix> |
| <bug>50893</bug>: Add additional information to the download README for |
| the extras components. (markt) |
| </fix> |
| <fix> |
| Calling <code>stop()</code> and then <code>destroy()</code> on a |
| connector incorrectly triggered an exception. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>48208</bug>: Allow the configuration of a custom trust manager for |
| use in CLIENT-CERT authentication. (markt) |
| </add> |
| <fix> |
| Fix issues that prevented asynchronous servlets from working when used |
| with the HTTP APR connector on platforms that support TCP_DEFER_ACCEPT. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Correct possible threading issue in JSP compilation when development |
| mode is used. (markt) |
| </fix> |
| <fix> |
| <bug>50895</bug>: Don't initialize classes created during the |
| compilation stage. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.10 (markt)" rtext="released 2011-03-08"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| CVE-2011-1088: Partial fix. Don't ignore @ServletSecurity |
| annotations. (markt) |
| </fix> |
| <fix> |
| <bug>27988</bug>: Improve reporting of missing files. (markt) |
| </fix> |
| <fix> |
| <bug>28852</bug>: Add URL encoding where missing to parameters in URLs |
| presented by Ant tasks to the Manager application. Based on a patch by |
| Stephane Bailliez. (markt) |
| </fix> |
| <fix> |
| Improve handling of SSL renegotiation by failing earlier when the |
| request body contains more bytes than maxSavePostSize. (markt) |
| </fix> |
| <fix> |
| Improve shut down speed by not renewing threads during shut down when |
| the <code>ThreadLocalLeakPreventionListener</code> is enabled. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>49284</bug>: Add SSL re-negotiation support to the HTTP NIO |
| connector and extend test cases to cover CLIENT-CERT authentication. |
| (fhanik/markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.9 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>19444</bug>: Add an option to the JNDI realm to allow role searches |
| to be performed by the authenticated user. (markt) |
| </add> |
| <add> |
| <bug>21669</bug>: Add the ability to specify the roleBase for the JNDI |
| Realm as relative to the user's DN. Based on a patch by Art W. (markt) |
| </add> |
| <add> |
| <bug>22405</bug>: Add a new Lifecycle listener, |
| <code>org.apache.catalina.security.SecurityListener</code> that prevents |
| Tomcat from starting insecurely. It requires that Tomcat is not started |
| as root and that a umask at least as restrictive as 0007 is used. This |
| new listener is not enabled by default. |
| (markt) |
| </add> |
| <fix> |
| <bug>48863</bug>: Better logging when specifying an invalid directory |
| for a class loader. Based on a patch by Ralf Hauser. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>48870</bug>: Refactor to remove use of parallel arrays. (markt) |
| </fix> |
| <add> |
| Enhance the RemoteIpFilter and RemoteIpValve so that the modified remote |
| address, remote host, protocol and server port may be used in an access |
| log if desired. (markt) |
| </add> |
| <fix> |
| Restore access to Environments, Resources and ResourceLinks via JMX |
| which was lost in early 7.0.x re-factoring. (markt) |
| </fix> |
| <update> |
| Remove ServerLifecycleListener. This was already removed from server.xml |
| and with the Lifecycle re-factoring is no longer required. (markt) |
| </update> |
| <add> |
| Add additional checks to ensure that sub-classes of |
| <code>org.apache.catalina.util.LifecycleBase</code> correctly implement |
| the expected state transitions. (markt) |
| </add> |
| <fix> |
| <bug>50189</bug>: Once the application has finished writing to the |
| response, prevent further reads from the request since this causes |
| various problems in the connectors which do not expect this. (markt) |
| </fix> |
| <fix> |
| <bug>50700</bug>: Ensure that the override attribute of context |
| parameters is correctly followed. (markt) |
| </fix> |
| <fix> |
| <bug>50721</bug>: Correctly handle URL decoding where the URL ends in |
| %nn. Patch provided by Christof Marti. (markt) |
| </fix> |
| <add> |
| <bug>50737</bug>: Add additional information when an invalid WAR file is |
| detected. (markt) |
| </add> |
| <fix> |
| <bug>50748</bug>: Allow the content length header to be set up to the |
| point the response is committed when a writer is being used. (markt) |
| </fix> |
| <fix> |
| <bug>50751</bug>: When authenticating with the JNDI Realm, only attempt |
| to read user attributes from the directory if attributes are required. |
| (markt) |
| </fix> |
| <fix> |
| <bug>50752</bug>: Fix typo in debug message in deprecated Embedded |
| class. (markt) |
| </fix> |
| <fix> |
| <bug>50789</bug>: Provide an option to enable ServletRequestListeners |
| for forwards as required by some CDI frameworks. (markt) |
| </fix> |
| <fix> |
| <bug>50793</bug>: When processing Servlet 3.0 async requests, ensure |
| that the requestInitialized and requestDestroyed events are only fired |
| once per request at the correct times. (markt) |
| </fix> |
| <fix> |
| <bug>50802</bug>: Ensure that |
| <code>ServletContext.getResourcePaths()</code> includes static resources |
| packaged in JAR files in its output. (markt) |
| </fix> |
| <add> |
| Web crawlers can trigger the creation of many thousands of sessions as |
| they crawl a site which may result in significant memory consumption. |
| The new Crawler Session Manager Valve ensures that crawlers are |
| associated with a single session - just like normal users - regardless |
| of whether or not they provide a session token with their requests. |
| (markt) |
| </add> |
| <fix> |
| Don't attempt to start NamingResources for Contexts multiple times. |
| (markt) |
| </fix> |
| <fix> |
| <bug>50826</bug>: Avoid <code>IllegalArgumentException</code> if an |
| embedded Tomcat instance that includes at least one Context is destroyed |
| without ever being started. (markt) |
| </fix> |
| <fix> |
| Ensure a web application is taken out of service if the web.xml file is |
| not valid. (kkolinko/markt) |
| </fix> |
| <fix> |
| Ensure Servlet 2.2 jspFile elements are correctly converted to use a |
| leading '/' if missing. (markt) |
| </fix> |
| <fix> |
| <bug>50836</bug>: Better documentation of the meaning of |
| <code>Lifecycle.isAvailable()</code> and correct a couple of cases where |
| this could incorrectly return true. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>50780</bug>: Fix memory leak in APR implementation of AJP |
| connector introduced by the refactoring for <bug>49884</bug>. (markt) |
| </fix> |
| <fix> |
| If server configuration errors and/or faulty applications caused the |
| ulimit for open files to be reached, the acceptor threads for all |
| connectors could enter a tight loop. This loop consumed CPU and also |
| logged an error message for every iteration of the loop which led to |
| large log files being generated. The acceptors have been enhanced to |
| better handle this situation. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>50720</bug>: Ensure that the use of non-ISO-8859-1 character sets |
| for web.xml does not trigger an error when Jasper parses the web.xml |
| file. (markt) |
| </fix> |
| <fix> |
| <bug>50726</bug>: Ensure that the use of the genStringAsCharArray does |
| not result in String constants that are too long for valid Java code. |
| (markt) |
| </fix> |
| <fix> |
| <bug>50790</bug>: Improve method resolution in EL expressions. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>50771</bug>: Ensure HttpServletRequest#getAuthType() returns the |
| name of the authentication scheme if the request has already been |
| authenticated. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>50713</bug>: Remove roles command from the Manager application. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| <bug>50667</bug> (<rev>1068549</rev>): Allow RPC callers to get |
| confirmation when sending a reply. (fhanik) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>50743</bug>: Cache CheckStyle results between builds to speed up |
| validation. Patch provided by Oliver. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.8 (markt)" rtext="released 2011-02-05"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Fix NPE in CoyoteAdapter when postParseRequest() call fails. (kkolinko) |
| </fix> |
| <fix> |
| <bug>50709</bug>: Make <code>ApplicationContextFacade</code> non-final to |
| enable extension. (markt) |
| </fix> |
| <fix> |
| When running under a security manager, user requests may fail with a |
| security exception. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Reduce level of log message for invalid URL parameters from WARNING to |
| INFO. (markt) |
| </fix> |
| <fix> |
| Fix hanging Servlet 3 asynchronous requests when using the APR based AJP |
| connector. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Align server.xml installed by the Windows installer with the one |
| bundled in zip/tar.gz files. The differences are LockOutRealm being |
| used and AccessLogValve being enabled by default. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.7 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>18462</bug>: Don't merge <code>stdout</code> and |
| <code>stderr</code> internally so users retain the option to treat them |
| separately. (markt) |
| </fix> |
| <add> |
| <bug>18797</bug>: Provide protection against <code>null</code> or zero |
| length names being provided for users, roles and groups in the |
| <code>MemoryRealm</code> and <code>UserDatabaseRealm</code>. (markt) |
| </add> |
| <update> |
| Improve fix for <bug>50205</bug> to trigger an error earlier if invalid |
| configuration is used. (markt) |
| </update> |
| <add> |
| Provide additional control over component class loaders, primarily for |
| use when embedding. (markt) |
| </add> |
| <fix> |
| Fix NPE in RemoteAddrFilter, RemoteHostFilter. (kkolinko) |
| </fix> |
| <fix> |
| <bug>49711</bug>: HttpServletRequest#getParts will work in a filter |
| or servlet without an @MultipartConfig annotation or |
| MultipartConfigElement if the new "allowCasualMultipartParsing" |
| context attribute is set to "true". (schultz) |
| </fix> |
| <fix> |
| <bug>49978</bug>: Correct another instance where deployment incorrectly |
| failed if a directory in the work area already existed. (markt) |
| </fix> |
| <fix> |
| <bug>50582</bug>: Refactor access logging so chunked encoding is not |
| forced for all requests if bytes sent is logged. (markt) |
| </fix> |
| <fix> |
| <bug>50597</bug>: Don't instantiate a new instance of a Filter if |
| an instance was provided via the |
| <code>ServletContext.addFilter(String, Filter)</code> method. Patch |
| provided by Ismael Juma. (markt) |
| </fix> |
| <fix> |
| <bug>50598</bug>: Correct URL for Manager text interface. (markt) |
| </fix> |
| <fix> |
| <bug>50620</bug>: Stop exceptions that occur during |
| <code>Session.endAccess()</code> from preventing the normal completion |
| of <code>Request.recycle()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>50629</bug>: Make <code>StandardContext.bindThread()</code> and |
| <code>StandardContext.unbindThread()</code> protected to allow use by |
| sub-classes. (markt) |
| </fix> |
| <update> |
| Use getName() instead of logName() in error messages in StandardContext. |
| (kkolinko) |
| </update> |
| <fix> |
| <bug>50642</bug>: Move the <code>sun.net.www.http.HttpClient</code> |
| keep-alive thread memory leak protection from the |
| JreMemoryLeakPreventionListener to the WebappClassLoader since the |
| thread that triggers the memory leak is created on demand. (markt) |
| </fix> |
| <fix> |
| <bug>50673</bug>: Improve Catalina shutdown when running as a service. |
| Do not call System.exit(). (kkolinko) |
| </fix> |
| <fix> |
| <bug>50683</bug>: Ensure annotations are scanned when |
| <code>unpackWARs</code> is set to <code>false</code> in the Host |
| where a web application is deployed. (markt) |
| </fix> |
| <fix> |
| Improve HTTP specification compliance in support of |
| <code>Accept-Language</code> header. This protects against a known exploit |
| of the Oracle JVM bug that triggers a DoS, CVE-2010-4476. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Prevent possible thread exhaustion if a Comet timeout event takes a |
| while to complete. (markt) |
| </fix> |
| <fix> |
| Prevent multiple Comet END events if the CometServlet calls |
| <code>event.close()</code> during an END event. (markt) |
| </fix> |
| <fix> |
| <bug>50325</bug>: When the JVM indicates support for RFC 5746, disable |
| Tomcat's <code>allowUnsafeLegacyRenegotiation</code> configuration |
| attribute and use the JVM configuration to control renegotiation. |
| (markt) |
| </fix> |
| <fix> |
| <bug>50405</bug>: Fix occasional NPE when using NIO connector and |
| Comet. (markt) |
| </fix> |
| <fix> |
| Ensure correct recycling of NIO input filters when processing Comet |
| events. (markt) |
| </fix> |
| <fix> |
| <bug>50627</bug>: Correct interaction of NIO socket and Poller when |
| processing Comet events. (markt) |
| </fix> |
| <fix> |
| Correct interaction of APR socket and Poller when processing Comet |
| events. (markt) |
| </fix> |
| <fix> |
| <bug>50631</bug>: InternalNioInputBuffer should honor |
| <code>maxHttpHeadSize</code>. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Improve special case handling of |
| <code>javax.servlet.jsp.el.ScopedAttributeELResolver</code> in |
| <code>javax.el.CompositeELResolver</code> to handle sub-classes. (markt) |
| </fix> |
| <update> |
| <bug>15688</bug>: Use fully-qualified class names in generated jsp files |
| to avoid naming conflicts with user imports. (markt) |
| </update> |
| <fix> |
| <bug>46819</bug>: Remove redundant object instantiations in |
| JspRuntimeLibrary. Patch provided by Anthony Whitford. (markt) |
| </fix> |
| <update> |
| Improve error message when EL identifiers are not valid Java identifiers |
| and use i18n for the error message. (markt) |
| </update> |
| <fix> |
| <bug>50680</bug>: Prevent an NPE when using tag files from an exploded |
| JAR file, e.g. from within an IDE. Patch provided by Larry Isaacs. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>50591</bug>: Fix NPE in ReplicationValve. (kkolinko) |
| </fix> |
| <add> |
| Internationalise the log messages for the FarmWarDeployer. (markt) |
| </add> |
| <fix> |
| <bug>50600</bug>: Prevent a <code>ConcurrentModificationException</code> |
| when removing a WAR file via the FarmWarDeployer. (markt) |
| </fix> |
| <fix> |
| Be consistent with locks on sessionCreationTiming, |
| sessionExpirationTiming in DeltaManager.resetStatistics(). (kkolinko) |
| </fix> |
| <fix> |
| <bug>50648</bug>: Correctly set the interrupt status if a thread using |
| <code>RpcChannel</code> is interrupted waiting for a message reply. |
| Based on a patch by Olivier Costet. (markt) |
| </fix> |
| <fix> |
| <bug>50646</bug>: Ensure larger Tribes messages are fully read. Patch |
| provided by Olivier Costet. (markt) |
| </fix> |
| <fix> |
| <bug>50679</bug>: Update the FarmWarDeployer to support parallel |
| deployment. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>22278</bug>: Add a commented out <code>RemoteAddrValve</code> that |
| limits access to the Manager and Host Manager applications to localhost. |
| Based on a patch by Yann Cébron. (markt) |
| </fix> |
| <fix> |
| Correct a handful of Javadoc warnings. (markt) |
| </fix> |
| <add> |
| Provide additional detail about how web application version order is |
| determined when using parallel deployment. (markt) |
| </add> |
| <fix> |
| Correct the documentation for the recoveryCount attribute of the |
| default cluster membership. (markt) |
| </fix> |
| <fix> |
| <bug>50441</bug>: Clarify when it is valid to set the docBase attribute |
| in a Context element. (markt) |
| </fix> |
| <fix> |
| <bug>50526</bug>: Provide additional documentation on configuring |
| JavaMail resources. (markt) |
| </fix> |
| <fix> |
| <bug>50599</bug>: Use correct names of roles required to access the |
| Manager application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Extend the Checkstyle tests to check for license headers. (markt) |
| </add> |
| <fix> |
| Modify the build script so a release build always rebuilds the |
| dependencies to ensure that the correct Tomcat version appears in the |
| manifest. (markt) |
| </fix> |
| <fix> |
| Code clean-up to remove unused code and reduce IDE warnings. (markt) |
| </fix> |
| <fix> |
| <bug>50601</bug>: Code clean-up. Patch provided by sebb. (markt) |
| </fix> |
| <fix> |
| <bug>50606</bug>: Improve CGIServlet: Provide support for specifying |
| empty value for the <code>executable</code> init-param. Provide support |
| for explicit additional arguments for the executable. Those were |
| broken when implementing the fix for bug <bug>49657</bug>. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.6 (markt)" rtext="released 2011-01-14"> |
| <subsection name="General"> |
| <changelog> |
| <update> |
| Update to Apache Commons Daemon 1.0.5. (mturk) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>8705</bug>: <code>org.apache.catalina.SessionListener</code> now |
| extends <code>java.util.EventListener</code>. (markt) |
| </fix> |
| <add> |
| <bug>10526</bug>: Add an option to the <code>Authenticator</code>s to |
| force the creation of a session on authentication which may offer some |
| performance benefits. (markt) |
| </add> |
| <update> |
| <bug>10972</bug>: Improve error message if the className attribute is |
| missing on an element in server.xml where it is required. (markt) |
| </update> |
| <update> |
| <bug>48692</bug>: Provide option to parse |
| <code>application/x-www-form-urlencoded</code> PUT requests. (schultz) |
| </update> |
| <update> |
| <bug>48822</bug>: Include context name in case of error while stopping |
| or starting a context during its reload. Patch provided by Marc |
| Guillemot. (slaurent) |
| </update> |
| <add> |
| <bug>48837</bug>: Extend thread local memory leak detection to include |
| classes loaded by subordinate class loaders to the web |
| application's class loader such as the Jasper class loader. Based |
| on a patch by Sylvain Laurent. (markt) |
| </add> |
| <add> |
| <bug>48973</bug>: Avoid creating a SESSIONS.ser file when stopping an |
| application if there's no session. Patch provided by Marc Guillemot. |
| (slaurent) |
| </add> |
| <fix> |
| <bug>49000</bug>: No longer accept specification-invalid name-only |
| cookies by default. This behaviour can be restored using a system |
| property. (markt) |
| </fix> |
| <add> |
| <bug>49159</bug>: Improve memory leak protection by renewing threads of |
| the pool when a web application is stopped. (slaurent) |
| </add> |
| <fix> |
| <bug>49372</bug>: Re-fix after connector re-factoring. If connector |
| initialisation fails (e.g. if a port is already in use) do not trigger |
| a <code>LifecycleException</code> for an invalid state transition. |
| (markt) |
| </fix> |
| <fix> |
| <bug>49543</bug>: Allow Tomcat to use shared data sources with per |
| application credentials. (fhanik) |
| </fix> |
| <fix> |
| <bug>49650</bug>: Remove unnecessary entries from the package.access property |
| defined in catalina.properties. Patch provided by Owen Farrell. (markt) |
| </fix> |
| <fix> |
| <bug>50106</bug>: Correct several MBean descriptors. Patch provided by |
| Eiji Takahashi. (markt) |
| </fix> |
| <update> |
| Further performance improvements to session ID generation. Remove legacy |
| configuration options that are no longer required. Provide additional |
| options to control the <code>SecureRandom</code> instances used to |
| generate session IDs. (markt) |
| </update> |
| <fix> |
| <bug>50201</bug>: Update the access log reference in |
| <code>StandardEngine</code> when the ROOT web application is redeployed, |
| started, stopped or defaultHost is changed. (markt/kkolinko) |
| </fix> |
| <add> |
| <bug>50282</bug>: Load |
| <code>javax.security.auth.login.Configuration</code> with |
| <code>JreMemoryLeakPreventionListener</code> to avoid memory leak when |
| stopping a web application that would use JAAS. (slaurent) |
| </add> |
| <fix> |
| <bug>50351</bug>: Fix the regression that broke BeanFactory resources |
| caused by the previous fix for <bug>50159</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>50352</bug>: Ensure that <code>AsyncListener.onComplete()</code> is |
| fired when <code>AsyncContext.complete()</code> is called. (markt) |
| </fix> |
| <fix> |
| <bug>50358</bug>: Set the correct LifecycleState when stopping instances |
| of the deprecated Embedded class. (markt) |
| </fix> |
| <fix> |
| Further Lifecycle refactoring for Connectors and associated components. |
| (markt) |
| </fix> |
| <fix> |
| Correct handling of versioned web applications in deployer. (markt) |
| </fix> |
| <fix> |
| Correct removal of <code>LifeCycleListener</code>s from |
| <code>Container</code>s via JMX. (markt) |
| </fix> |
| <fix> |
| Don't use <code>null</code>s to construct log messages. (markt) |
| </fix> |
| <fix> |
| Code clean-up. Replace use of inefficient constructors with more |
| efficient alternatives. (markt) |
| </fix> |
| <fix> |
| <bug>50411</bug>: Ensure sessions are removed from the |
| <code>Store</code> associated with a <code>PersistentManager</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>50413</bug>: Ensure 304 responses are not returned when using |
| static files as error pages. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>50448</bug>: Fix possible <code>IllegalStateException</code> |
| caused by recent session management refactoring. (markt) |
| </fix> |
| <fix> |
| Ensure aliases settings for a context are retained after a context is |
| reloaded. (markt) |
| </fix> |
| <fix> |
| Log a warning if context.xml files define values for properties that do |
| not exist (e.g. if there is a typo in a property name). (markt) |
| </fix> |
| <fix> |
| <bug>50453</bug>: Correctly handle multiple <code>X-Forwarded-For</code> |
| headers in the RemoteIpFilter and RemoteIpValve. Patch provided by Jim |
| Riggs. (markt) |
| </fix> |
| <add> |
| <bug>50541</bug>: Add support for setting the size limit and time limit |
| for LDAP searches when using the JNDI Realm with <code>userSearch</code>. |
| (markt) |
| </add> |
| <update> |
| All configuration options that use regular expressions now require a |
| single regular expression (using <code>java.util.regex</code>) rather |
| than a list of comma-separated or semi-colon-separated expressions. |
| (markt) |
| </update> |
| <fix> |
| <bug>50496</bug>: Bytes sent in the access log are now counted after |
| compression, chunking, etc. rather than before. (markt) |
| </fix> |
| <fix> |
| <bug>50550</bug>: When a new directory is created (e.g. via WebDAV) |
| ensure that a subsequent request for that directory does not result in a |
| 404 response. (markt) |
| </fix> |
| <fix> |
| <bug>50554</bug>: Code clean up. (markt) |
| </fix> |
| <add> |
| <bug>50556</bug>: Improve JreMemoryLeakPreventionListener to prevent |
| a potential class loader leak caused by a thread spawned when the class |
| <code>com.sun.jndi.ldap.LdapPoolManager</code> is initialized and the |
| system property <code>com.sun.jndi.ldap.connect.pool.timeout</code> is |
| set to a value greater than 0. (slaurent) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>47319</bug>: Return the client's IP address rather than null |
| for calls to <code>getRemoteHost()</code> when the APR connector is |
| used with <code>enableLookups="true"</code> but the IP address |
| is not resolvable. (markt) |
| </fix> |
| <add> |
| <bug>50108</bug>: Add get/set methods for Connector property |
| minSpareThreads. Patch provided by Eiji Takahashi. (markt) |
| </add> |
| <fix> |
| <bug>50360</bug>: Provide an option to control when the socket |
| associated with a connector is bound. By default, the socket is bound on |
| <code>Connector.init()</code> and released on |
| <code>Connector.destroy()</code> as per the current behaviour but this |
| can be changed so that the socket is bound on |
| <code>Connector.start()</code> and released on |
| <code>Connector.stop()</code>. This fix also includes further Lifecycle |
| refactoring for Connectors and associated components. (markt) |
| </fix> |
| <fix> |
| Remove a huge memory leak in the NIO connector introduced by the fix |
| for <bug>49884</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>50467</bug>: Protect against NPE triggered by a race condition |
| that causes the NIO poller to fail, preventing the processing of further |
| requests. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>13731</bug>: Make variables in <code>_jspService()</code> method |
| final where possible. (markt) |
| </add> |
| <fix> |
| <bug>50408</bug>: Fix <code>NoSuchMethodException</code> when using |
| scoped variables with EL method invocation. (markt) |
| </fix> |
| <fix> |
| <bug>50460</bug>: Avoid a memory leak caused by using a cached exception |
| instance in <code>JspDocumentParser</code> and |
| <code>ProxyDirContext</code>. (kkolinko) |
| </fix> |
| <fix> |
| <bug>50500</bug>: Use correct coercions (as per the EL spec) for |
| arithmetic operations involving string values containing '.', |
| 'e' or 'E'. Based on a patch by Brian Weisleder. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| <bug>50185</bug>: Add additional trace level logging to Tribes to assist |
| with fault diagnosis. Based on a patch by Ariel. (markt) |
| </add> |
| <fix> |
| Don't try and obtain session data from the cluster if the current |
| node is the only node in the cluster. Log requesting session data as |
| INFO rather than WARNING. (markt) |
| </fix> |
| <fix> |
| <bug>50503</bug>: When a web application has a version, Engine level |
| Clustering works correctly. (kfujino) |
| </fix> |
| <fix> |
| <bug>50547</bug>: Add time stamp for CHANGE_SESSION_ID message and |
| SESSION_EXPIRED message. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>21157</bug>: Ensure cookies are written before the response is |
| committed in the Cookie example. Patch provided by Stefan Radzom. (markt) |
| </fix> |
| <add> |
| <bug>50294</bug>: Add more information to documentation regarding format |
| of configuration files. Patch provided by Luke Meyer. (markt) |
| </add> |
| <fix> |
| Correctly validate provided context path so sessions for the ROOT web |
| application can be viewed through the HTML Manager. (markt) |
| </fix> |
| <update> |
| Improve documentation of database connection factory. (rjung) |
| </update> |
| <fix> |
| <bug>50488</bug>: Update classpath required when using jsvc and add a |
| note regarding server VMs. (markt) |
| </fix> |
| <fix> |
| Further filtering of Manager display output. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Don't configure Windows installer to use PID file since it is not |
| removed when the service stops which prevents the service from starting. |
| (markt) |
| </fix> |
| <fix> |
| <bug>14416</bug>: Make <code>TagLibraryInfo.getTag()</code> more robust |
| at handling <code>null</code>s. (markt) |
| </fix> |
| <fix> |
| <bug>50552</bug>: Avoid NPE that hides error message when using Ant |
| tasks. (schultz) |
| </fix> |
| <add> |
| Provide two alternative locations for the libraries downloaded from |
| the ASF web site at build time. Use the main distribution site as |
| default and the archive one as fallback. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.5 (markt)" rtext="beta, 2010-12-01"> |
| <subsection name="General"> |
| <changelog> |
| <update> |
| Update to Apache Commons Daemon 1.0.4. (mturk) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>3839</bug>: Provide a mechanism to gracefully handle the case where |
| users book-mark the form login page or otherwise misuse the FORM |
| authentication process. Based on a suggestion by Mark Morris. (markt) |
| </fix> |
| <fix> |
| <bug>49180</bug>: Add option to disable log rotation in |
| juli FileHandler. Patch provided by Pid (pidster at apache). (funkman) |
| </fix> |
| <fix> |
| <bug>49991</bug>: Ensure servlet request listeners are fired for |
| the login and error pages during FORM authentication. (markt) |
| </fix> |
| <fix> |
| <bug>50107</bug>: When removing a Host via JMX, do not attempt to |
| destroy the host's pipeline twice. Patch provided by Eiji |
| Takahashi. (markt) |
| </fix> |
| <fix> |
| <bug>50138</bug>: Fix threading issues in |
| <code>org.apache.catalina.security.SecurityUtil</code>. (markt) |
| </fix> |
| <fix> |
| <bug>50157</bug>: Ensure MapperListener is only added to a container |
| object once. (markt) |
| </fix> |
| <fix> |
| <bug>50159</bug>: Add a new attribute for <code>&lt;Resource&gt;</code> |
| elements, <code>singleton</code>, that controls whether or not a new |
| object is created every time a JNDI lookup is performed to obtain the |
| resource. The default value is <code>true</code>, which will return the |
| same instance of the resource in every JNDI lookup. (markt) |
| </fix> |
| <fix> |
| <bug>50168</bug>: Separate the <code>Lifecycle.DESTROY_EVENT</code> into |
| <code>Lifecycle.BEFORE_DESTROY_EVENT</code> and |
| <code>Lifecycle.AFTER_DESTROY_EVENT</code>. Use the additional state to |
| ensure that <code>Context</code> objects are only destroyed once. |
| (markt) |
| </fix> |
| <fix> |
| <bug>50169</bug>: Ensure that when a Container is started that it |
| doesn't try and register with the mapper unless its parent has |
| already started. Patch provided by Eiji Takahashi. (markt) |
| </fix> |
| <add> |
| <bug>50222</bug>: Modify memory leak prevention code so it pins the |
| system class loader in memory rather than the common class loader, |
| which is better for embedded systems. Patch provided by Christopher |
| Schultz. (markt) |
| </add> |
| <add> |
| Improve debug logging for MapperListener registration. (markt) |
| </add> |
| <add> |
| Expose names of LifecycleListeners and ContainerListeners for |
| StandardContext via JMX. (markt) |
| </add> |
| <add> |
| Add a new option, <code>resourceOnlyServlets</code>, to Context elements |
| that provides a mechanism for working around the issues caused by new |
| requirements for welcome file mapping introduced in Servlet 3.0. By |
| default, the existing Tomcat 6.0.x welcome file handling is used. |
| (markt) |
| </add> |
| <fix> |
| Make Tomcat more tolerant of <code>null</code> when generating JMX names |
| for Valves. (markt) |
| </fix> |
| <fix> |
| Make AccessLogValve attribute <code>enabled</code> changeable via JMX. |
| (pero) |
| </fix> |
| <fix> |
| Correct infinite loop if <code>ServletRequest.startAsync(ServletRequest, |
| ServletResponse)</code> was called. (markt) |
| </fix> |
| <fix> |
| <bug>50232</bug>: Remove dependency between StoreBase and |
| PersistentManager and associated code clean-up. Patch provided by |
| Tiago Batista. (markt) |
| </fix> |
| <fix> |
| <bug>50252</bug>: Prevent ClassCastException when using a |
| &lt;ResourceLink&gt;. Patch provided by Eiji Takahashi. (markt) |
| </fix> |
| <add> |
| Reduce synchronization in session managers to improve performance of |
| session creation. (markt) |
| </add> |
| <fix> |
| If starting children automatically when adding them to a container (e.g. |
| when adding a Context to a Host) don't lock the parent's set |
| of children whilst the new child is being started since this can block |
| other threads and cause issues such as lost cluster messages. (markt) |
| </fix> |
| <add> |
| Implement support for parallel deployment. This allows multiple versions |
| of the same web application to be deployed to the same context path at |
| the same time. Users without a current session will be mapped to the |
| latest version of the web application. Users with a current session will |
| continue to use the version of the web application with which the |
| session is associated until the session expires. (markt) |
| </add> |
| <fix> |
| <bug>50308</bug>: Allow asynchronous request processing to call |
| <code>AsyncContext.dispatch()</code> once the asynchronous request has |
| timed out. (markt) |
| </fix> |
| <add> |
| Make memory leak prevention code that clears ThreadLocal instances more |
| robust against objects with toString() methods that throw exceptions. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>49860</bug>: Complete support for handling trailing headers in |
| chunked HTTP requests. (markt) |
| </fix> |
| <add> |
| Impose a limit on the length of the trailing headers. The limit |
| is configurable with a system property and is <code>8192</code> |
| by default. (kkolinko) |
| </add> |
| <fix> |
| <bug>50207</bug>: Ensure Comet timeout events are triggered. This bug |
| was a regression triggered by the fix for <bug>49884</bug>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>49297</bug>: Enforce the rules in the JSP specification for parsing |
| the attributes of custom and standard actions that require that |
| the attribute names are unique within an element and that there is |
| whitespace before the attribute name. The whitespace test can be |
| disabled by setting the system property |
| <code>org.apache.jasper.compiler.Parser.STRICT_WHITESPACE</code> to |
| <code>false</code>. Attributes of the page directive have slightly |
| different rules. The implementation of that part of the fix is based on |
| a patch by genspring. (markt) |
| </fix> |
| <fix> |
| <bug>50105</bug>: When processing composite EL expressions use |
| <code>Enum.name()</code> rather than <code>Enum.toString()</code> as |
| required by the EL specification. (markt) |
| </fix> |
| <fix> |
| Fix minor thread-safety and performance issues in the implementation |
| of <code>maxLoadedJsps</code>. (rjung) |
| </fix> |
| <add> |
| Add support for unloading JSPs that have not been requested for a |
| long time using the new parameter <code>jspIdleTimeout</code>. (rjung) |
| </add> |
| <add> |
| Add logging and JMX support to JSP unloading. (rjung) |
| </add> |
| <fix> |
| <bug>50192</bug>: Improve performance for EL when running under a |
| security manager. Based on a patch by Robert Goff. (markt) |
| </fix> |
| <fix> |
| <bug>50228</bug>: Improve recycling of <code>BodyContentImpl</code>. |
| This avoids keeping a cached reference to a webapp-provided Writer |
| used in JspFragment.invoke() calls. (kkolinko) |
| </fix> |
| <add> |
| <bug>50273</bug>: Provide a workaround for an HP-UX issue that can |
| result in large numbers of SEVERE log messages appearing in the logs as |
| a result of normal operation. (markt) |
| </add> |
| <fix> |
| <bug>50293</bug>: Increase the size of internal ELResolver array from 2 |
| to 8 since in typical usage there are at least 5 resolvers. Based on a |
| patch by Robert Goff. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Add support for maxActiveSessions attribute to BackupManager. (kfujino) |
| </fix> |
| <fix> |
| Improve sending of access messages in DeltaManager. |
| The maxInactiveInterval of the session, not the Manager, is used. |
| If maxInactiveInterval is negative, an access message is not sent. |
| (kfujino) |
| </fix> |
| <fix> |
| <bug>50183</bug>: BIO sender was not scheduling tasks to the executor |
| during normal operation. Patch provided by Ariel. (markt) |
| </fix> |
| <fix> |
| <bug>50184</bug>: Add an option to the RpcChannel to enable the Channel |
| send options to be set for the reply message. Based on a patch by Ariel. |
| (markt) |
| </fix> |
| <fix> |
| Ensure that a new Context waiting for session data from other nodes in |
| the cluster does not block the processing of clustering messages for |
| other Contexts. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>49426</bug>: Localize messages in the Manager application based on |
| the Locale of the user rather than the default Locale of the server. |
| (markt) |
| </fix> |
| <fix> |
| Localize messages in the Host Manager application based on the Locale of |
| the user rather than the default Locale of the server. (markt) |
| </fix> |
| <add> |
| <bug>50242</bug>: Provide a sample log4j configuration that more |
| closely matches the default JULI configuration. Patch provided by |
| Christopher Schultz. (markt) |
| </add> |
| <add> |
| Restore the ability to edit the contents of /WEB-INF and /META-INF via |
| WebDAV via the provision of a new configuration option, |
| allowSpecialPaths. (markt) |
| </add> |
| <fix> |
| Correct broken links for on-line JavaDocs. (markt) |
| </fix> |
| <fix> |
| <bug>50230</bug>: Add new DistributedManager interface that is |
| implemented by the Backup Manager to remove circular dependency between |
| tomcat-catalina-ha and tomcat-catalina modules. Also allows third-party |
| distributed Manager implementations to report full session information |
| through the HTML Manager. (markt) |
| </fix> |
| <update> |
| Improve Tomcat Logging documentation. (kkolinko) |
| </update> |
| <fix> |
| <bug>50303</bug>: Update JNDI how-to to reflect the new JavaMail |
| download location and that JAF is now included in Java SE 6. (markt) |
| </fix> |
| <fix> |
| Fix ordering functionality on sessions page for the HTML Manager |
| application. (markt) |
| </fix> |
| <fix> |
| Fix primary sessions not always being treated as such in the HTML |
| Manager application. (markt) |
| </fix> |
| <fix> |
| Fix message not being displayed after session attribute removal in the |
| HTML Manager application. (markt) |
| </fix> |
| <fix> |
| <bug>50310</bug>: Fix display of Servlet information in the Manager |
| application. (markt) |
| </fix> |
| <fix> |
| CVE-2010-4172: Multiple XSS in the Manager application. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>50316</bug>: Fix display of negative values in the Manager |
| application. (kkolinko) |
| </fix> |
| <fix> |
| <bug>50318</bug>: Avoid NPE when trying to view session detail for an |
| expired session in the Manager application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct a handful of Javadoc warnings. (markt) |
| </fix> |
| <fix> |
| <bug>22965</bug>: Fix some typos and formatting issues in the global |
| web.xml file. Based on a patch by Yann Cébron. (markt) |
| </fix> |
| <add> |
| Extend Checkstyle validation checks to check for unused imports. (markt) |
| </add> |
| <fix> |
| General code clean-up to reduce (not eliminate) the number of warnings |
| reported by IDEs. (markt) |
| </fix> |
| <fix> |
| <bug>50140</bug>: Don't ignore a user specified installation |
| directory when performing a silent install with the Windows installer on |
| 64-bit platforms. (markt) |
| </fix> |
| <update> |
| Reimplemented Windows installer dialogs, using modern libraries |
| (nsDialogs, MUI2). (kkolinko) |
| </update> |
| <add> |
| When installing with the Windows installer on 64-bit platforms, allow |
| the user to select either a 32-bit JDK or a 64-bit JDK. If a 32-bit JDK |
| is selected, the 32-bit service wrapper and the 32-bit native DLL will |
| be installed. If a 64-bit JDK is selected, the 64-bit service wrapper |
| and the 64-bit native DLL will be installed. (markt/kkolinko) |
| </add> |
| <add> |
| Create Windows shortcuts for the Manager and Host Manager webapps. |
| (kkolinko) |
| </add> |
| <add> |
| Support /? command line option in the Windows Installer. (kkolinko) |
| </add> |
| <add> |
| Display the roles for the Tomcat admin user in the Windows installer |
| and allow them to be changed. (kkolinko) |
| </add> |
| <fix> |
| In the Windows installer: do not leave stale <code>server.xml</code> |
| and <code>tomcat-users.xml</code> fragments in the $TEMP folder. |
| (kkolinko) |
| </fix> |
| <update> |
| <bug>49819</bug>: Redesign of home page by Pid (pidster at apache). |
| (timw) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.4 (markt)" rtext="beta, 2010-10-21"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>49428</bug>: Re-implement the fix for bug <bug>49428</bug> – |
| namespace issues for some Microsoft WebDAV clients. (kkolinko) |
| </fix> |
| <fix> |
| <bug>49669</bug>: Fix memory leak triggered by using the deprecated |
| javax.security.auth.Policy class. (markt) |
| </fix> |
| <fix> |
| <bug>49922</bug>: Don't add filter twice to filter chain if the |
| filter matches more than one URL pattern and/or Servlet name. Patch |
| provided by heyoulin. (markt) |
| </fix> |
| <fix> |
| <bug>49937</bug>: Use an InstanceManager when creating an AsyncListener |
| through the AsyncContext to ensure annotations are processed. Based on a |
| patch by David Jencks. (markt) |
| </fix> |
| <fix> |
| To avoid NoSuchMethodException, xmlValidation and xmlNamespaceAware are |
| removed from the createStandardHost definition |
| of mbeans-descriptors.xml. (kfujino) |
| </fix> |
| <fix> |
| <bug>49945</bug>: Continue improvements to JMX. Fix a handful of |
| attributes that were showing as Unavailable in JConsole. Patch provided |
| by Chamith Buddhika. (markt) |
| </fix> |
| <fix> |
| <bug>49952</bug>: Allow ServletContainerInitializers to add listeners to |
| a web application. Patch provided by David Jencks. (markt) |
| </fix> |
| <fix> |
| <bug>49956</bug>: Handle case when @Resource annotation uses the full |
| JNDI name for a resource. Based on a patch by Gurkan Erdogdu. (markt) |
| </fix> |
| <fix> |
| <bug>49557</bug>: Correct regression due to Lifecycle refactoring that |
| cleared all work directories (with compiled JSPs and persisted sessions) |
| when Tomcat was stopped. (markt) |
| </fix> |
| <fix> |
| <bug>49978</bug>: Correctly handle the case when a directory expected |
| to be created during web application start is already present. Rather |
| than throwing an exception and failing to start, allow the web |
| application to start normally. (markt) |
| </fix> |
| <fix> |
| <bug>49987</bug>: Fix thread safety issue with population of servlet |
| context initialization parameters. (markt) |
| </fix> |
| <fix> |
| <bug>49994</bug>: As per the Java EE 6 specification, return a new |
| object instance for each JNDI look up of a resource reference. (markt) |
| </fix> |
| <fix> |
| <bug>50015</bug>: Re-factor dynamic servlet security implementation to |
| make extensions, such as JACC implementations, simpler. Patch provided |
| by David Jencks. (markt) |
| </fix> |
| <fix> |
| <bug>50016</bug>: Re-factor <code>isUserInRole()</code> and |
| <code>login()/logout()</code> methods to support JACC implementations |
| and to improve encapsulation. Patch provided by David Jencks. (markt) |
| </fix> |
| <update> |
| <bug>50017</bug>: Code clean-up. No functional change. Patch provided by |
| sebb. (markt) |
| </update> |
| <fix> |
| <bug>50027</bug>: Avoid NPE on start when a Context is defined in |
| server.xml with one or more JNDI resources. (markt) |
| </fix> |
| <fix> |
| <bug>50059</bug>: JARs should always be searched for static resources |
| even if the web application is marked as meta-data complete. (markt) |
| </fix> |
| <fix> |
| <bug>50063</bug>: Correct regression in fix for <bug>50059</bug> that |
| causes applications marked as meta-data complete to return 404s for all |
| requests. Patch provided by heyoulin. (markt) |
| </fix> |
| <fix> |
| <bug>50087</bug>: Catch ClassFormatErrors when scanning for annotations. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>49923</bug>: Avoid using negative timeouts during acceptor unlock |
| to ensure APR connector shuts down properly. (mturk) |
| </fix> |
| <fix> |
| <bug>49972</bug>: Fix potential thread safety issue when formatting dates |
| for use in HTTP headers. (markt) |
| </fix> |
| <fix> |
| <bug>50003</bug>: Use minSpareThreads, not maxThreads, for |
| corePoolSize when AbstractEndpoint.setMinSpareThreads is called. |
| (kfujino) |
| </fix> |
| <fix> |
| <bug>50044</bug>: Fix issue when using comet where socket remained in |
| long poll after the comet request has ended. (markt) |
| </fix> |
| <fix> |
| <bug>50054</bug>: Correctly handle the setting of minSpareThreads in |
| AJP connector. (kfujino) |
| </fix> |
| <fix> |
| <bug>50072</bug>: Fix issues when using a non-blocking read for the |
| request line with the NIO connector that could result in the request |
| line being mis-read. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>49986</bug>: Fix thread safety issue for JSP reload. (timw) |
| </fix> |
| <fix> |
| <bug>49998</bug>: Make jsp:root detection work with single quoted |
| attributes as well. (timw) |
| </fix> |
| <fix> |
| Correctly handle the setting of primitive bean values via expression |
| language. (markt) |
| </fix> |
| <fix> |
| Don't swallow exceptions when processing TLD files and handle the |
| case when there is no web.xml file. (markt) |
| </fix> |
| <fix> |
| <bug>50066</bug>: Fix building of recursive tag files when the file |
| depends on a JAR file. Patch provided by Sylvain Laurent. (markt) |
| </fix> |
| <fix> |
| <bug>50078</bug>: Fix threading problem in EL caches. Patch provided by |
| Takayoshi Kimura. (markt) |
| </fix> |
| <add> |
| Make EL cache sizes configurable. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Apply filters to default home page so copyright year is correctly |
| displayed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| <bug>48716</bug>: Do not call reset if the default LogManager is in use. |
| (markt) |
| </update> |
| <fix> |
| <bug>50013</bug>: Correctly package classes from |
| <code>org.apache.tomcat.util.file</code> and add the tomcat-util.jar to |
| the class path for the Ant tasks. Based on a patch provided by |
| Sylvain Laurent. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.3 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>48644</bug>: Review all instances of catching Throwable and |
| re-throw where appropriate. (markt) |
| </fix> |
| <update> |
| Allow glob patterns in the <code>jarsToSkip</code> configuration and add |
| some debug logging to the jar scanner. (rjung) |
| </update> |
| <fix> |
| <bug>48738</bug>: Workaround a couple of long standing JDK bugs to |
| enable GZIP compressed output streams to be flushed. Based on a patch |
| provided by Jiong Wang. (markt) |
| </fix> |
| <update> |
| <bug>48967</bug>: Replace strings "catalina.base" and "catalina.home" |
| by globally defined constants. Patch provided by Marc Guillemot. (rjung) |
| </update> |
| <fix> |
| <bug>49195</bug>: Don't report an error when shutting down a Windows |
| service for a Tomcat instance that has a disabled shutdown port. (markt) |
| </fix> |
| <fix> |
| <bug>49209</bug>: Prevent possible AccessControlException during |
| undeployment when running with a security manager. Patch provided by |
| Sylvain Laurent. (markt) |
| </fix> |
| <fix> |
| <bug>49657</bug>: Handle CGI executables with spaces in the path. |
| (markt) |
| </fix> |
| <fix> |
| <bug>49667</bug>: Ensure that using the JDBC driver memory leak |
| prevention code does not cause one of the memory leaks it is meant to |
| avoid. (markt) |
| </fix> |
| <fix> |
| <bug>49670</bug>: Restore SSO functionality that was broken by Lifecycle |
| refactoring. (markt) |
| </fix> |
| <fix> |
| <bug>49698</bug>: Allow a listener to complete an asynchronous request |
| if it times out. (markt) |
| </fix> |
| <fix> |
| <bug>49714</bug>: The annotation processing of JARs doesn't influence |
| the distributable element of web.xml. (kfujino) |
| </fix> |
| <fix> |
| <bug>49721</bug>: All JARs in a web application should be searched for |
| resources, not just those with a web-fragment.xml that is going to be |
| processed. (markt) |
| </fix> |
| <fix> |
| <bug>49728</bug>: Improve PID file handling when another process is |
| managing the PID file and Tomcat does not have write access. (markt) |
| </fix> |
| <fix> |
| <bug>49730</bug>: Fix a race condition in StandardThreadExecutor that can |
| cause requests to experience large delays. Patch provided by Sylvain |
| Laurent. (markt) |
| </fix> |
| <fix> |
| <bug>49749</bug>: Single sign on cookies should have httpOnly flag set |
| using same rules as session cookies. (markt) |
| </fix> |
| <fix> |
| <bug>49750</bug>: Align <code>WebappClassLoader.validate()</code> |
| implementation with Javadoc and ensure that <code>javax.servlet.*</code> |
| classes can not be loaded by a <code>WebappClassLoader</code> instance. |
| Patch provided by pid. (markt) |
| </fix> |
| <fix> |
| <bug>49757</bug>: Correct some generics warnings. Based on a patch |
| provided by Gábor. (markt) |
| </fix> |
| <fix> |
| <bug>49779</bug>: Improve handling of POST requests and FORM |
| authentication, particularly when the user agent responds to the 302 |
| response by repeating the POST request including a request body. Any |
| request body provided at this point is now swallowed. (markt) |
| </fix> |
| <fix> |
| CSRF prevention filter did not correctly handle URLs that used anchors. |
| (markt) |
| </fix> |
| <fix> |
| Fix memory leak on web application stop caused by a failure to |
| de-register the web application's Servlets with the MBean server. |
| (markt) |
| </fix> |
| <update> |
| More tweaks to the Lifecycle refactoring to ensure that when a component |
| is being destroyed, the destroy method is only called once on each |
| child component. (markt) |
| </update> |
| <fix> |
| Keep the MBean names for web applications consistent between Tomcat 6 |
| and Tomcat 7. (markt) |
| </fix> |
| <fix> |
| <bug>49856</bug>: Add an executorName attribute to Connectors so it is |
| possible to trace ThreadPool to Connector to Executor via the JMX |
| interface. (markt) |
| </fix> |
| <fix> |
| <bug>49865</bug>: Tomcat failed to start if catalina.properties was not |
| present. (markt) |
| </fix> |
| <fix> |
| <bug>49876</bug>: Fix the generics warnings in the copied Apache Jakarta |
| BCEL code. Based on a patch by Gábor. (markt) |
| </fix> |
| <fix> |
| <bug>49883</bug>: Ensure that the CombinedRealm and LockOutRealm return |
| a name for use in log messages rather than throwing an |
| <code>UnsupportedOperationException</code>. (markt) |
| </fix> |
| <fix> |
| <bug>49884</bug>: Fix occasional NullPointerException on async |
| complete(). This resulted in a major refactoring of the async |
| implementation to address a number of threading issues. (markt) |
| </fix> |
| <fix> |
| Update the version numbers in ServerInfo defaults to Tomcat 7.0.x. |
| (markt) |
| </fix> |
| <fix> |
| <bug>49892</bug>: Correct JNDI name for method resource injections. |
| Based on a patch by Gurkan Erdogdu. (markt) |
| </fix> |
| <fix> |
| Ensure that Context elements defined in server.xml use any configClass |
| setting specified in the parent Host element. (markt) |
| </fix> |
| <fix> |
| GSOC 2010. Enable the creation of Services, Engines, Connectors, Hosts |
| and Contexts via JMX from a minimal server.xml that contains only a |
| Server element. Based on a patch by Chamith Buddhika. (markt) |
| </fix> |
| <fix> |
| <bug>49909</bug>: Fix a regression introduced with the fix for |
| <bug>47950</bug> that prevented JSTL classes being loaded. (markt) |
| </fix> |
| <fix> |
| <bug>49915</bug>: Make error more obvious, particularly when accessed |
| via JConsole, if StandardServer.storeConfig() is called when there is |
| no StoreConfig implementation present. (markt) |
| </fix> |
| <fix> |
| <bug>50018</bug>: Fix some minor Javadoc errors in Jasper source. |
| Based on a patch by sebb. (timw) |
| </fix> |
| <fix> |
| <bug>50021</bug>: Correct a regression in the fix for <bug>46844</bug> |
| that may have caused additional problems during a failure at start up. |
| (markt) |
| </fix> |
| <fix> |
| <bug>50026</bug>: Prevent serving of resources from WEB-INF and |
| META-INF directories when DefaultServlet or WebdavServlet is mapped |
| to a sub-path of the context. This changes DefaultServlet to always |
| serve resources with paths relative to the root of the context |
| regardless of where it is mapped, which is a breaking change for |
| current servlet-mappings that map the default servlet to a subpath. |
| (timw) |
| </fix> |
| <fix> |
| <bug>50689</bug>: Provide 100 Continue responses at appropriate points |
| during FORM authentication if client indicates that they are expected. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| Wait for the connectors to exit before closing them down. (mturk) |
| </update> |
| <add> |
| Follow up to <bug>48545</bug>. Make JSSE connectors more tolerant of an |
| incorrect trust store password. (markt) |
| </add> |
| <fix> |
| Fix some edge cases in the NIO connector when handling requests that are |
| not received all at the same time and the socket needs to be returned to |
| the poller. (markt) |
| </fix> |
| <update> |
| Further work to reduce the code duplication in the HTTP connectors. |
| (markt) |
| </update> |
| <fix> |
| Make sure acceptor threads are stopped when the connector is stopped. |
| (markt) |
| </fix> |
| <fix> |
| Make sure async timeout thread is stopped when the connector is stopped. |
| (markt) |
| </fix> |
| <fix> |
| <bug>49625</bug>: Ensure Vary header is set if response may be |
| compressed rather than only setting it if it is compressed. (markt) |
| </fix> |
| <fix> |
| <bug>49802</bug>: Re-factor connector pause, stop and destroy methods so |
| that calling any of those methods has the expected results. (markt) |
| </fix> |
| <update> |
| Various refactorings to reduce code duplication and unnecessary code in |
| the connectors. (markt) |
| </update> |
| <fix> |
| <bug>49860</bug>: Add partial support for trailing headers in chunked |
| HTTP requests. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>49665</bug>: Provide better information including JSP file name and |
| location when a missing file is detected during TLD handling. Patch |
| provided by Ted Leung. (markt) |
| </fix> |
| <fix> |
| <bug>49726</bug>: Specifying a default content type via a JSP property |
| group should not prevent a page from setting some other content type. |
| (markt) |
| </fix> |
| <fix> |
| <bug>49799</bug>: The new <code>omit</code> attribute for |
| <code>jsp:attribute</code> elements now supports the use of expressions |
| and expression language. (markt) |
| </fix> |
| <fix> |
| <bug>49916</bug>: Switch to using an initialisation parameter to pass |
| JSP file information from Catalina to Jasper. This simplifies the |
| Catalina code as well as making it easier for Geronimo and others to |
| integrate Jasper. Patch provided by David Jencks. (markt) |
| </fix> |
| <fix> |
| <bug>49985</bug>: Fix thread safety issue in EL parser. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Remove domainReplication attribute from ClusterManager. |
| To send sessions only to the same domain, use DomainFilterInterceptor. |
| (kfujino) |
| </fix> |
| <fix> |
| Add null check when a CHANGE_SESSION_ID message is received. (kfujino) |
| </fix> |
| <fix> |
| Add support for LAST_ACCESS_AT_START system property to DeltaSession. |
| (kfujino) |
| </fix> |
| <fix> |
| Avoid a NPE in the DeltaManager when a parallel request invalidates the |
| session before the current request has a chance to send the replication |
| message. (markt) |
| </fix> |
| <fix> |
| <bug>49905</bug>: Prevent memory leak when using asynchronous session |
| replication. (markt) |
| </fix> |
| <fix> |
| <bug>49924</bug>: When a non-primary node changes into a primary node, |
| make sure isPrimarySession is changed to true. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the class name of the default JAR scanner in the documentation |
| web application. (rjung) |
| </fix> |
| <fix> |
| <bug>49585</bug>: Update JSVC documentation to reflect new packaging |
| of Commons Daemon. (markt) |
| </fix> |
| <update> |
| Update the Servlet, JSP and EL Javadoc links to link to the |
| specifications and the relevant part of the Java EE 6 Javadoc. (markt) |
| </update> |
| <fix> |
| Update a few places in the docs where the Manager documentation referred |
| to the old role name of manager rather than the new manager-script. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Extras"> |
| <changelog> |
| <fix> |
| <bug>49861</bug>: Don't log RMI ports formatted with commas for the |
| JMX remote listener. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct the user names created by the Windows installer for the Manager |
| and Host Manager applications. (mturk) |
| </fix> |
| <fix> |
| Correct the Eclipse compiler dependency in the Jasper POM. (markt) |
| </fix> |
| <add> |
| Extend Checkstyle validation checks to check import order. (markt) |
| </add> |
| <fix> |
| <bug>49758</bug>: Fix generics warnings exposed by a fix in Eclipse 3.6. |
| Patch provided by sebb. (markt) |
| </fix> |
| <update> |
| Update Apache Commons Pool to 1.5.5. (markt) |
| </update> |
| <update> |
| <bug>49955</bug>: Improvement and correction of Building Tomcat guide. |
| Based on a patch from Wesley Acheson. (timw) |
| </update> |
| <update> |
| <bug>49993</bug>: Improve check for <code>JAVA_HOME</code> and add |
| support for <code>JRE_HOME</code> in <code>service.bat</code>. (mturk) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.2 (markt)" rtext="beta, 2010-08-11"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Fix regression that prevented running with a security manager enabled. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct Javadoc errors. (markt) |
| </fix> |
| <add> |
| Provide Javadoc for Servlet 3.0 API, JSP 2.2 API and EL 2.2 API. |
| (markt) |
| </add> |
| <fix> |
| Remove second copy of RUNNING.txt from the full-docs distribution. Some |
| unpacking utilities can't handle multiple copies of a file with the same |
| name in a directory. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Extend Checkstyle validation checks to check for tabs in nearly all text |
| files. (markt) |
| </add> |
| <update> |
| Update Apache Commons Daemon from 1.0.2 to 1.0.3. (markt) |
| </update> |
| <update> |
| Update Eclipse JDT Core Batch Compiler (ecj.jar) from 3.5.1 to 3.6. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.1 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| GSOC 2010. Continue work to align MBean descriptors with reality. Patch |
| provided by Chamith Buddhika. (markt) |
| </fix> |
| <fix> |
| When running under a security manager, enforce package access and |
| package definition restrictions defined in the catalina.properties file. |
| (markt) |
| </fix> |
| <fix> |
| When using a Loader configured with |
| <code>searchExternalFirst="true"</code> failure to find the |
| class in an external repository should not prevent searching of the |
| local repositories. (markt) |
| </fix> |
| <add> |
| Add entryPoint support to the CSRF prevention filter. (markt) |
| </add> |
| <fix> |
| <bug>48297</bug>: Correctly initialise handler chain for web services |
| resources. (markt) |
| </fix> |
| <add> |
| <bug>48960</bug>: Add a new option to the SSI Servlet and SSI Filter to |
| allow the disabling of the <code>exec</code> command. This is now |
| disabled by default. Based on a patch by Yair Lenga. (markt) |
| </add> |
| <add> |
| <bug>48998</bug>, <bug>49617</bug>: Add the ExpiresFilter, a port of the |
| httpd mod_expires module. Patch provided by Cyrille Le Clerc. (markt) |
| </add> |
| <fix> |
| <bug>49030</bug>: When initializing/starting/stopping connectors and |
| one of them fails, do not ignore the others. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>49128</bug>: Don't swallow exceptions unnecessarily in |
| <code>WebappClassLoader.start()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>49182</bug>: Align comments in setclasspath.[sh|bat] with |
| behaviour. Based on a patch provided by sebb. (markt) |
| </fix> |
| <fix> |
| <bug>49230</bug>: Enhance JRE leak prevention listener with protection |
| for the keep-alive thread started by |
| <code>sun.net.www.http.HttpClient</code>. Based on a patch provided by |
| Rob Kooper. (markt) |
| </fix> |
| <fix> |
| <bug>49414</bug>: When reporting threads that may have triggered a |
| memory leak on web application stop, attempt to differentiate between |
| request processing threads and threads started by the application. |
| (markt) |
| </fix> |
| <fix> |
| <bug>49428</bug>: Add a work-around for the known namespace issues for |
| some Microsoft WebDAV clients. Patch provided by Panagiotis Astithas. |
| (markt) |
| </fix> |
| <add> |
| Add support for <code>*.jar</code> pattern in VirtualWebappLoader. |
| (kkolinko) |
| </add> |
| <add> |
| Use a LockOutRealm in the default configuration to prevent attempts to |
| guess user passwords by brute-force. (markt) |
| </add> |
| <add> |
| <bug>49478</bug>: Add support for user specified character sets to the |
| <code>AddDefaultCharsetFilter</code>. Based on a patch by Felix |
| Schumacher. (markt) |
| </add> |
| <fix> |
| <bug>49503</bug>: Make sure connectors bind to their associated ports |
| sufficiently early to allow jsvc and the |
| org.apache.catalina.startup.EXIT_ON_INIT_FAILURE system property to |
| operate correctly. (markt) |
| </fix> |
| <fix> |
| <bug>49525</bug>: Ensure cookies for the ROOT context have a path of / |
| rather than an empty string. (markt) |
| </fix> |
| <fix> |
| <bug>49528</bug>, <bug>49567</bug>: Ensure that |
| <code>AsyncContext.isAsyncStarted()</code> returns the correct value |
| after <code>AsyncContext.start()</code> and that if |
| <code>AsyncContext.complete()</code> is called on a separate thread that |
| it is handled correctly. (markt) |
| </fix> |
| <fix> |
| <bug>49530</bug>: Contexts and Servlets not stopped when Tomcat is shut |
| down. (markt) |
| </fix> |
| <fix> |
| <bug>49536</bug>: If no ROOT context is deployed, ensure a 404 rather |
| than a 200 is returned for requests that don't map to any other context. |
| (markt) |
| </fix> |
| <add> |
| Additional debug logging in StandardContext to provide information on |
| Manager selection. (markt) |
| </add> |
| <fix> |
| <bug>49550</bug>: Suppress deprecation warning where deprecated code is |
| required to be used. No functional change. Patch provided by Sebb. |
| (markt) |
| </fix> |
| <fix> |
| <bug>49551</bug>: Allow default context.xml location to be specified |
| using an absolute path. (markt) |
| </fix> |
| <add> |
| Improve logging of unhandled exceptions in servlets by including the |
| path of the context where the error occurred. (markt) |
| </add> |
| <add> |
| Include session ID in error message logged when trying to set an |
| attribute on an invalid session. (markt) |
| </add> |
| <fix> |
| Improve the CSRF protection filter by using SecureRandom rather than |
| Random to generate nonces. Also make the implementation class used user |
| configurable. (markt) |
| </fix> |
| <fix> |
| Avoid NullPointerException when copyXML=true and META-INF/context.xml |
| does not exist. (kfujino) |
| </fix> |
| <fix> |
| <bug>49598</bug>: When the session is changed and the session cookie is |
| replaced, ensure that the new Set-Cookie header overwrites the old |
| Set-Cookie header. (markt) |
| </fix> |
| <fix> |
| Create a thread to trigger asynchronous timeouts when using the BIO |
| connector, change the default timeout to 10s (was infinite) and make the |
| default timeout configurable using the <code>asyncTimeout</code> |
| attribute on the connector. (pero/markt) |
| </fix> |
| <fix> |
| <bug>49600</bug>: Make exceptions returned by the |
| <code>ProxyDirContext</code> consistent for resources that weren't found |
| by checking the <code>DirContext</code> or the cache. Test case based on |
| a patch provided by Marc Guillemot. (markt) |
| </fix> |
| <fix> |
| <bug>49613</bug>: Improve performance when using SSL for applications |
| that make multiple calls to <code>Request.getAttributeNames()</code>. |
| Patch provided by Sampo Savolainen. (markt) |
| </fix> |
| <fix> |
| Handle the edge cases where resources packaged in JARs have names that |
| start with a single quote character or a double quote character. (markt) |
| </fix> |
| <fix> |
| Correct copy and paste typo in web.xml parsing rules that mixed up |
| <code>local-ejb-ref</code> and <code>resource-env-ref</code>. (markt) |
| </fix> |
| <update> |
| Refactor session managers to remove unused code and to reduce code |
| duplication. Also, all session managers used for session replication now |
| extend <code>org.apache.catalina.ha.session.ClusterManagerBase</code>. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Remove references to Jikes since it does not support Java 6. (markt) |
| </update> |
| <fix> |
| Correct overzealous type checking for EL in attributes that broke the |
| use of JSF converters. (markt) |
| </fix> |
| <fix> |
| Correct algorithm used to identify correct method to use when a |
| MethodExpression is used in EL. (markt) |
| </fix> |
| <fix> |
| <bug>49217</bug>: Ensure that identifiers used in EL meet the |
| requirements of the Java Language Specification. (markt) |
| </fix> |
| <add> |
| Improve logging of JSP exceptions by including JSP snippet (if enabled) |
| rather than just the root cause in the host log. (markt) |
| </add> |
| <fix> |
| <bug>49555</bug>: Correctly handle Tag Libraries where functions are |
| defined in static inner classes. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>49127</bug>: Don't swallow exceptions unnecessarily in |
| <code>SimpleTcpReplicationManager.startInternal()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>49407</bug>: Change the BackupManager so it is consistent with |
| DeltaManager and reports both primary and backup sessions when active |
| sessions are requested. (markt) |
| </fix> |
| <fix> |
| <bug>49445</bug>: When the session ID is changed after authentication, |
| ensure the DeltaManager replicates the change in ID to the other nodes |
| in the cluster. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>49112</bug>: Update the ROOT web application's index page. Patch |
| provided by pid. (markt) |
| </fix> |
| <fix> |
| <bug>49213</bug>: Add the permissions necessary to enable the Manager |
| application to operate correctly when running with a security manager. |
| (markt) |
| </fix> |
| <fix> |
| <bug>49436</bug>: Correct documented default for readonly attribute of |
| the UserDatabase component. (markt) |
| </fix> |
| <fix> |
| <bug>49475</bug>: Use new role name for manager application access on |
| the ROOT web application's index page. (markt) |
| </fix> |
| <fix> |
| <bug>49476</bug>: CSRF protection was preventing access to the session |
| expiration features. Also switch the manager application to the generic |
| CSRF protection filter. (markt) |
| </fix> |
| <fix> |
| Better handle failure to create directories required for new hosts in |
| the Host Manager application. (markt) |
| </fix> |
| <fix> |
| Switch the Host Manager application to the generic CSRF protection for |
| the HTML interface and prevent started hosts from being started and |
| stopped hosts from being stopped. (markt) |
| </fix> |
| <fix> |
| <bug>49518</bug>: Fix typo in extras documentation. (markt) |
| </fix> |
| <fix> |
| <bug>49522</bug>: Fix regression due to change of name for MBeans for |
| naming resources that broke the complete server status page in the |
| manager application. Note these MBeans now have a new name. (markt) |
| </fix> |
| <fix> |
| <bug>49570</bug>: When using the example compression filter, set the |
| Vary header on compressed responses. (markt) |
| </fix> |
| <add> |
| Add redirects for the root of the manager and host-manager web |
| applications that redirect users to the html interface rather than |
| returning a 404. (markt) |
| </add> |
| <add> |
| Provide the HTML Manager application with the ability to differentiate |
| between primary, backup and proxy sessions. Note that proxy sessions are |
| only shown if enabled in web.xml. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>49130</bug>: Better describe the core package in the Windows |
| installer, making it clear that the service will be installed. Patch |
| provided by sebb. (markt) |
| </fix> |
| <add> |
| Re-factor unit tests to enable them to be run once with each of the HTTP |
| connector implementations (BIO, NIO and APR/native). (markt) |
| </add> |
| <add> |
| <bug>49268</bug>: Add the necessary plumbing to include CheckStyle in |
| the build process. Start with no checks. Additional checks will be |
| added as they are agreed. (markt) |
| </add> |
| <update> |
| Updated to Ant 1.8.1. The build now requires a minimum of Ant 1.8.x. |
| (markt) |
| </update> |
| <update> |
| Update the re-packaged version of commons-fileupload from 1.2.1 to |
| 1.2.2. The layout of the re-packaged version was also restored to the |
| original commons-fileupload layout to make merging of future updates |
| easier. (markt) |
| </update> |
| <update> |
| Update the re-packaged version of Jakarta BCEL from trunk revision |
| 880760 to trunk revision 978831. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 7.0.0 (markt)" rtext="beta, 2010-06-29"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| Update Servlet support to the Servlet 3.0 specification. (all) |
| </update> |
| <update> |
| Improve and document VirtualWebappLoader. (rjung) |
| </update> |
| <add> |
| <bug>43642</bug>: Add prestartminSpareThreads attribute for Executor. |
| (jfclere) |
| </add> |
| <update> |
| Switch from AnnotationProcessor to InstanceManager. Patch provided by |
| David Jencks with modifications by Remy. (remm/fhanik) |
| </update> |
| <update> |
| <rev>620845</rev> and <rev>669119</rev>. Make shutdown address |
| configurable. (jfclere) |
| </update> |
| <fix> |
| <rev>651977</rev> Add some missing control checks to |
| <code>ThreadWithAttributes</code>. (markt) |
| </fix> |
| <add> |
| <rev>677640</rev> Add a startup class that does not require any |
| configuration files. (costin) |
| </add> |
| <fix> |
| <rev>700532</rev> Log if temporary file operations within the CGI |
| servlet fail. Make sure header Reader is closed on failure. (markt) |
| </fix> |
| <fix> |
| <rev>708541</rev> Delete references to DefaultContext which was removed |
| in 6.0.x. (markt) |
| </fix> |
| <add> |
| <rev>709018</rev> Initial implementation of an asynchronous file handler |
| for JULI. (fhanik) |
| </add> |
| <fix> |
| Give session thisAccessedTime and lastAccessedTime clear semantics. |
| (rjung) |
| </fix> |
| <add> |
| Expose thisAccessedTime via Session interface. (rjung) |
| </add> |
| <add> |
| Provide a log format for JULI that provides the same information as the |
| default but on a single line. (markt) |
| </add> |
| <add> |
| <rev>723889</rev> Provide the ability to configure the Executor job |
| queue size and a timeout for adding jobs to the queue. (fhanik) |
| </add> |
| <add> |
| Add support for aliases to StandardContext. This allows content from |
| other directories and/or WAR files to be mapped to paths within the |
| context. (markt) |
| </add> |
| <update> |
| Provide clearer definition of Lifecycle interface, particularly start |
| and stop, and align components that implement Lifecycle with this |
| definition. (markt) |
| </update> |
| <add> |
| <bug>48662</bug>: Provide a new option to control the copying of context |
| XML descriptors from web applications to the host's xmlBase. Copying of |
| XML descriptors is now disabled by default. (markt) |
| </add> |
| <fix> |
| Move comet classes from the org.apache.catalina package to the |
| org.apache.catalina.comet package to allow comet to work under a |
| security manager. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| Port SSLInsecureRenegotiation from mod_ssl. This requires the use of |
| tomcat-native 1.2.21, which has an option to detect this support in |
| the OpenSSL library. (mturk) |
| </update> |
| <update> |
| Allow bigger AJP packets also for request bodies and responses |
| using the packetSize attribute of the Connector. (rjung) |
| </update> |
| <update> |
| <rev>703017</rev> Make Java socket options consistent between NIO |
| and JIO connector. Expose all the socket options available on |
| <code>java.net.Socket</code>. (fhanik) |
| </update> |
| <fix> |
| <bug>46051</bug>: The writer returned by <code>getWriter()</code> now |
| conforms to the <code>PrintWriter</code> specification and uses platform |
| dependent line endings rather than always using <code>\r\n</code>. |
| (markt) |
| </fix> |
| <update> |
| Use tc-native 1.2.x, which is based on APR 1.3.3+. (mturk) |
| </update> |
| <update> |
| <rev>724239</rev> NIO connector now always uses an Executor. (fhanik) |
| </update> |
| <update> |
| <rev>724393</rev> Implement keepAliveCount for NIO connector in a thread |
| safe manner. (fhanik) |
| </update> |
| <update> |
| <rev>724849</rev> Implement keep alive timeout for NIO connector. |
| (fhanik) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Update JSP support to the JSP 2.2 specification. (markt) |
| </update> |
| <update> |
| Update EL support to the EL 2.2 specification. (markt) |
| </update> |
| <update> |
| <rev>787978</rev> Use "1.6" as the default value for compilerSourceVM |
| and compilerTargetVM options of Jasper. (kkolinko) |
| </update> |
| <add> |
| <bug>48358</bug>: Add support for limiting the number of JSPs that are |
| loaded at any one time. Based on a patch by Isabel Drost. (markt) |
| </add> |
| <add> |
| <bug>48689</bug>: Access TLD files through a new JarResource interface |
| to make extending Jasper simpler, particularly in OSGi environments. |
| Patch provided by Jarek Gawor. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="High Availability"> |
| <changelog> |
| <add> |
| Add support for UDP and secure communication to tribes. (fhanik) |
| </add> |
| <add> |
| Add versioning to the tribes communication protocol to support future |
| developments. (fhanik) |
| </add> |
| <add> |
| Add a demo on how to use the payload. (fhanik) |
| </add> |
| <add> |
| Started to add JMX support to the cluster implementation. (markt) |
| </add> |
| <fix> |
| <rev>609778</rev> Minor fixes to the throughput interceptor and the |
| NIO receiver. (fhanik) |
| </fix> |
| <fix> |
| <rev>630234</rev> Additional checks for the NIO receiver. (fhanik) |
| </fix> |
| <update> |
| <rev>671650</rev> Improve error message when multicast is not enabled. |
| (fhanik) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <update> |
| <rev>631321</rev> Update changelog to support the &lt;rev&gt; element |
| in the documentation. (fhanik) |
| </update> |
| <add> |
| A number of additional roles were added to the Manager and Host Manager |
| applications to separate out permissions for the HTML interface, the |
| text interface and the JMX proxy. (markt) |
| </add> |
| <add> |
| CSRF protection was added to the Manager and Host Manager applications. |
| (markt) |
| </add> |
| <add> |
| List array elements in the JMX proxy output of the Manager application. |
| (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Extras"> |
| <changelog> |
| <add> |
| A new JmxRemoteLifecycleListener that can be used to fix the ports used |
| for remote JMX connections, e.g. when using JConsole. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Numerous code clean-up changes including the use of generics and |
| removing unused imports, fields, parameters and methods. (markt) |
| </fix> |
| <fix> |
| All deprecated internal code has been removed. <b>Warning:</b> If you |
| have custom components for a previous Tomcat version that extend |
| internal Tomcat classes and override deprecated methods it is highly |
| likely that they will no longer work. (markt) |
| </fix> |
| <update> |
| Parameterize version number throughout build scripts and source. (rjung) |
| </update> |
| <add> |
| <rev>766526</rev> Add support for setting up an additional PropertySource |
| that is used to lookup parameters referenced as <code>${..}</code> in |
| XML files parsed by Tomcat. It is configured via |
| <code>org.apache.tomcat.util.digester.PROPERTY_SOURCE</code> |
| system property. (fhanik) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| </body> |
| </document> |