| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <!DOCTYPE document [ |
| <!ENTITY project SYSTEM "project.xml"> |
| ]> |
| <?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?> |
| <document url="changelog.html"> |
| |
| &project; |
| |
| <properties> |
| <title>Changelog</title> |
| <no-comments /> |
| </properties> |
| |
| <body> |
| <!-- |
| Subsection ordering: |
| General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications, |
| Extras, Tribes, jdbc-pool, Other |
| |
| Item Ordering: |
| |
| Fixes having an issue number are sorted by their number, ascending. |
| |
| There is no ordering by add/update/fix. |
| |
| Other fixed issues are added to the end of the list, chronologically. |
| They eventually become mixed with the numbered issues. (I.e., numbered |
| issues do not "pop up" wrt. others). |
| --> |
| <section name="Tomcat 8.0.50 (violetagg)"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Prevent a stack trace being written to standard out when running on Java |
| 10 due to changes in the <code>LogManager</code> implementation. (markt) |
| </fix> |
| <fix> |
| Avoid duplicate load attempts if one has been made already. (remm) |
| </fix> |
| <fix> |
| Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine. |
| (remm) |
| </fix> |
| <fix> |
| <bug>62000</bug>: When a JNDI reference cannot be resolved, ensure that |
| the root cause exception is reported rather than swallowed. (markt) |
| </fix> |
| <fix> |
| <bug>62036</bug>: When caching an authenticated user Principal in the |
| session when the web application is configured with the |
| <code>NonLoginAuthenticator</code>, cache the internal Principal object |
| rather than the user facing Principal object as Tomcat requires the |
| internal object to correctly process later authorization checks. (markt) |
| </fix> |
| <fix> |
| <bug>62067</bug>: Correctly apply security constraints mapped to the |
| context root using a URL pattern of <code>""</code>. (markt) |
| </fix> |
| <fix> |
| When using Tomcat embedded, only perform Authenticator configuration |
| once during web application start. (markt) |
| </fix> |
| <fix> |
| Process all <code>ServletSecurity</code> annotations at web application |
| start rather than at servlet load time to ensure constraints are applied |
| consistently. (markt) |
| </fix> |
| <fix> |
| Minor optimization when calling class transformers. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>48672</bug>: Add documentation for the Host Manager web |
| application. Patch provided by Marek Czernek. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.03. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.49 (violetagg)" rtext="2018-01-24"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>47214</bug>: Use a loop to preload anonymous inner classes |
| when running under a <code>SecurityManager</code>, to be safe for |
| future changes in the code or using a different compiler. (kkolinko) |
| </fix> |
| <add> |
| <bug>57619</bug>: Implement a small optimisation to how JAR URLs are |
| processed to reduce the storage of duplicate String objects in memory. |
| Patch provided by Dmitri Blinov. (markt) |
| </add> |
| <fix> |
| <bug>61916</bug>: Extend the <code>AddDefaultCharsetFilter</code> to add |
| a character set when the content type is set via |
| <code>setHeader()</code> or <code>addHeader()</code> as well as when it |
| is set via <code>setContentType()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>61999</bug>: maxSavePostSize set to 0 should disable saving POST |
| data during authentication. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61886</bug>: Log errors on non-container threads at |
| <code>DEBUG</code> rather than <code>INFO</code>. The exception will be |
| made available to the application via the asynchronous error handling |
| mechanism. (markt) |
| </fix> |
| <fix> |
| <bug>61932</bug>: Allow a call to <code>AsyncContext.dispatch()</code> |
| to terminate non-blocking I/O. (markt) |
| </fix> |
| <fix> |
| Fix NIO2 handshaking with a full input buffer. (remm) |
| </fix> |
| <fix> |
| <bug>61993</bug>: Improve handling for <code>ByteChunk</code> and |
| <code>CharChunk</code> instances that grow close to the maximum size |
| allowed by the JRE. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>43925</bug>: Add a new system property |
| (<code>org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE</code>) to |
| control the size of the buffer used by Jasper when buffering tag bodies. |
| (markt) |
| </add> |
| <fix> |
| <bug>61854</bug>: When using sets and/or maps in EL expressions, ensure |
| that Jasper correctly parses the expression. Patch provided by Ricardo |
| Martin Camarero. (markt) |
| </fix> |
| <fix> |
| Improve the handling of methods with varargs in EL expressions. In |
| particular, the calling of a varargs method with no parameters now works |
| correctly. Based on a patch by Nitkalya (Ing) Wiriyanuparb. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>61223</bug>: Add the mbeans-descriptors.dtd file to the custom |
| MBean documentation so users have a reference to use when constructing |
| mbeans-descriptors.xml files for custom components. (markt) |
| </add> |
| <fix> |
| Partial fix for <bug>61886</bug>. Ensure that multiple threads do not |
| attempt to complete the <code>AsyncContext</code> if an I/O error occurs |
| in the stock ticker example Servlet. (markt) |
| </fix> |
| <fix> |
| <bug>61886</bug>: Prevent <code>ConcurrentModificationException</code> |
| when running the asynchronous stock ticker in the examples web |
| application. (markt) |
| </fix> |
| <fix> |
| <bug>61886</bug>: Prevent <code>NullPointerException</code> and other |
| errors if the stock ticker example is running when the examples web |
| application is stopped. (markt) |
| </fix> |
| <fix> |
| <bug>61910</bug>: Clarify the meaning of the <code>allowLinking</code> |
| option in the documentation web application. (markt) |
| </fix> |
| <add> |
| Add OCSP configuration information to the SSL How-To. Patch provided by |
| Marek Czernek. (markt) |
| </add> |
| <fix> |
| <bug>62006</bug>: Document the new <code>JvmOptions9</code> command line |
| parameter for <code>tomcat8.exe</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>61312</bug>: Prevent <code>NullPointerException</code> when using |
| the statement cache of a connection that has been closed. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the internal fork of Commons Pool 2 to 2.4.3. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP 2 to 8a71764 (2017-10-18) to |
| pick up some bug fixes and enhancements. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons FileUpload to 6c00d57 (2017-11-23) |
| to pick up some code clean-up. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to r1817136 to pick up some |
| code clean-up. (markt) |
| </update> |
| <fix> |
| The native source bundles (for Commons Daemon and Tomcat Native) are no |
| longer copied to the bin directory for the deploy target. They are now |
| only copied to the bin directory for the release target. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.48 (violetagg)" rtext="2017-12-12"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| When running under Java 9 or later, and the |
| <code>urlCacheProtection</code> option of the |
| <code>JreMemoryLeakPreventionListener</code> is enabled, use the API |
| added in Java 9 to only disable the caching for JAR URL connections. |
| (markt) |
| </add> |
| <fix> |
| <bug>61597</bug>: Extend the <code>StandardJarScanner</code> to scan |
| JARs on the module path when running on Java 9 and class path scanning |
| is enabled. (markt) |
| </fix> |
| <fix> |
| Fix the JMX descriptor for <code>Wrapper.findInitParameter()</code>. |
| (rjung) |
| </fix> |
| <fix> |
| <bug>61601</bug>: Add support for multi-release JARs in JAR scanning and |
| web application class loading. (markt) |
| </fix> |
| <add> |
| Provide the <code>SessionInitializerFilter</code> that can be used to |
| ensure that an HTTP session exists when initiating a WebSocket |
| connection. Patch provided by isapir. (markt) |
| </add> |
| <fix> |
| Avoid a possible <code>NullPointerException</code> when timing out |
| <code>AsyncContext</code> instances during shut down. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61568</bug>: Avoid a potential <code>SecurityException</code> when |
| using the NIO2 connector and a new thread is added to the pool. (markt) |
| </fix> |
| <fix> |
| <bug>61736</bug>: Improve performance of NIO connector when clients |
| leave large time gaps between network packets. Patch provided by Zilong |
| Song. (markt) |
| </fix> |
| <fix> |
| <bug>61773</bug>: Fix a connection counting bug in the NIO2 connector |
| that meant connections using the non-blocking I/O features of the |
| Servlet API (which includes the WebSocket implementation on Tomcat |
| 8.0.x) were not removed from the current connection count. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>61816</bug>: Invalid expressions in attribute values or template |
| text should trigger a translation (compile time) error, not a run time |
| error. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>61604</bug>: Add support for authentication in the websocket |
| client. Patch submitted by J Fernandez. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Enable Javadoc to be built with Java 9. (markt) |
| </fix> |
| <fix> |
| <bug>61603</bug>: Add XML filtering for the status servlet output where |
| needed. (remm) |
| </fix> |
| <fix> |
| Correct the description of how the CGI servlet maps a request to a |
| script in the CGI How-To. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Fix incorrect behavior that attempts to resend channel messages more |
| than the actual setting value of <code>maxRetryAttempts</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the remaining Sender can send channel messages by avoiding |
| unintended <code>ChannelException</code> caused by comparing the number |
| of failed members and the number of remaining Senders. (kfujino) |
| </fix> |
| <fix> |
| Ensure that remaining SelectionKeys that were not handled by throwing a |
| <code>ChannelException</code> during SelectionKey processing are |
| handled. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Improve the fix for <bug>61439</bug> and exclude the JPA, JAX-WS and EJB |
| annotations completely from the Tomcat distributions. (markt) |
| </fix> |
| <fix> |
| Improve handling of endorsed directories. The endorsed directory |
| mechanism will only be used if the <code>JAVA_ENDORSED_DIRS</code> |
| system property is explicitly set or if |
| <code>$CATALINA_HOME/endorsed</code> exists. When running on Java 9, any |
| such attempted use of the endorsed directory mechanism will trigger an |
| error and Tomcat will fail to start. (rjung) |
| </fix> |
| <scode> |
| Refactoring in preparation for Java 9. Refactor to avoid using some |
| methods that will be deprecated in Java 9 onwards. (markt) |
| </scode> |
| <add> |
| <bug>51496</bug>: When using the Windows installer, check if the |
| requested service name already exists and, if it does, prompt the user |
| to select an alternative service name. Patch provided by Ralph |
| Plawetzki. (markt) |
| </add> |
| <fix> |
| Add necessary Java 9 configuration options to the startup scripts to |
| prevent warnings being generated on web application stop. (markt) |
| </fix> |
| <fix> |
| <bug>61590</bug>: Enable <code>service.bat</code> to recognise when |
| <code>JAVA_HOME</code> is configured for a Java 9 JDK. (markt) |
| </fix> |
| <fix> |
| <bug>61598</bug>: Update the Windows installer to search the new (as of |
| Java 9) registry locations when looking for a JRE. (markt) |
| </fix> |
| <add> |
| Add generation of a SHA-512 hash for release artifacts to the build |
| script. (markt) |
| </add> |
| <fix> |
| <bug>61658</bug>: Update MIME mappings for fonts to use |
| <code>font/*</code> as per RFC8081. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.16 to |
| pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL |
| 1.0.2m. (markt) |
| </update> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.02.1. (kkolinko) |
| </update> |
| <update> |
| Update the Windows installer to use "The Apache Software Foundation" as |
| the Publisher when Tomcat is displayed in the list of installed |
| applications in Microsoft Windows. (kkolinko) |
| </update> |
| <fix> |
| <bug>61803</bug>: Remove outdated SSL information from the Security |
| documentation. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.47 (violetagg)" rtext="2017-10-03"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>60963</bug>: Add <code>ExtractingRoot</code>, a new |
| <code>WebResourceRoot</code> implementation that extracts JARs to the |
| work directory for improved performance when deploying packed WAR files. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61554</bug>: Exclude test files in unusual encodings and markdown |
| files intended for display in GitHub from RAT analysis. Patch provided |
| by Chris Thistlethwaite. (markt) |
| </fix> |
| <add> |
| <bug>61189</bug>: Add the ability to set environment variables for |
| individual CGI scripts. Based on a patch by jm009. (markt) |
| </add> |
| <fix> |
| <bug>61210</bug>: When running under a SecurityManager, do not print a |
| warning about not being able to read a logging configuration file when |
| that file does not exist. (markt) |
| </fix> |
| <add> |
| <bug>61280</bug>: Add RFC 7617 support to the |
| <code>BasicAuthenticator</code>. Note that the default configuration |
| does not change the existing behaviour. (markt) |
| </add> |
| <fix> |
| <bug>61424</bug>: Avoid a possible <code>StackOverflowError</code> when |
| running under a <code>SecurityManager</code> and using |
| <code>Subject.doAs()</code>. (markt) |
| </fix> |
| <add> |
| <bug>61489</bug>: When using the CGI servlet, make the generation of |
| command line arguments from the query string (as per section 4.4 of RFC |
| 3875) optional. The feature is enabled by default for consistency with |
| previous releases. Based on a patch by jm009. (markt) |
| </add> |
| <fix> |
| <bug>61503</bug>: This corrects a potential regression in the fix for |
| <bug>60940</bug> with an alternative solution that adds the |
| <code>JarEntry</code> objects normally skipped by a |
| <code>JarInputStream</code> only if those entries exist. (markt) |
| </fix> |
| <fix> |
| <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being |
| uploaded via a specially crafted request when HTTP PUT was enabled. |
| (markt) |
| </fix> |
| <fix> |
| Use the correct path when loading the JVM <code>logging.properties</code> |
| file for Java 9. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix possible race condition when setting IO listeners on an upgraded |
| connection. (remm) |
| </fix> |
| <fix> |
| <bug>48655</bug>: Enable Tomcat to shutdown cleanly when using sendfile, |
| the APR/native connector and a multi-part download is in progress. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58244</bug>: Handle the case when OpenSSL resumes a TLS session |
| using a ticket and the full client certificate chain is not available. |
| In this case the client certificate without the chain will be presented |
| to the application. (markt) |
| </fix> |
| <fix> |
| Fix random <code>SocketTimeoutException</code>s when reading the request |
| <code>InputStream</code>. Based on a patch by Peter Major. (markt) |
| </fix> |
| <fix> |
| <bug>60900</bug>: Avoid a <code>NullPointerException</code> in the APR |
| Poller if a connection is closed at the same time as new data arrives on |
| that connection. (markt) |
| </fix> |
| <add> |
| Add an option to reject requests that contain HTTP headers with invalid |
| (non-token) header names with a 400 response. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>61491</bug>: When using the <code>permessage-deflate</code> |
| extension, correctly handle the sending of empty messages after |
| non-empty messages to avoid the <code>IllegalArgumentException</code>. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Show connector cipher list in the manager web application in the |
| correct cipher order. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| To avoid unexpected session timeout notification from backup session, |
| update the access time when receiving the map member notification |
| message. (kfujino) |
| </fix> |
| <fix> |
| Add member info to the log message when the failure detection check |
| fails in <code>TcpFailureDetector</code>. (kfujino) |
| </fix> |
| <fix> |
| Avoid a Ping timeout until the map member added on receipt of a |
| <code>MSG_START</code> message has completely started. (kfujino) |
| </fix> |
| <fix> |
| When sending a channel message, make sure that the Sender has connected. |
| (kfujino) |
| </fix> |
| <fix> |
| Correct the backup node selection logic that caused node 0 to be |
| returned twice consecutively. (kfujino) |
| </fix> |
| <fix> |
| Fix race condition of <code>responseMap</code> in |
| <code>RpcChannel</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>61391</bug>: Ensure that failed queries are logged if the |
| <code>SlowQueryReport</code> interceptor is configured to do so and the |
| connection has been abandoned. Patch provided by Craig Webb. (markt) |
| </fix> |
| <fix> |
| <bug>61425</bug>: Ensure that the transaction of an idle connection has |
| terminated when <code>testWhileIdle</code> is set to |
| <code>true</code> and <code>defaultAutoCommit</code> is set to |
| <code>false</code>. Patch provided by WangZheng. (kfujino) |
| </fix> |
| <fix> |
| <bug>61545</bug>: Correctly handle invocations of methods defined in the |
| <code>PooledConnection</code> interface when using pooled XA |
| connections. Patch provided by Nils Winkler. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>61439</bug>: Remove the Java Annotation API classes from |
| tomcat-embed-core.jar and package them in a separate JAR in the |
| embedded distribution to provide end users with greater flexibility to |
| handle potential conflicts with the JRE and/or other JARs. (markt) |
| </fix> |
| <fix> |
| <bug>61441</bug>: Improve the detection of <code>JAVA_HOME</code> by the |
| <code>daemon.sh</code> script when running on a platform where Java has |
| been installed from an RPM. (rjung) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.14 to |
| pick up the latest Windows binaries built with APR 1.6.2 and OpenSSL |
| 1.0.2l. (markt) |
| </update> |
| <fix> |
| Update fix for <bug>59904</bug> so that values less than zero are accepted |
| instead of throwing a NegativeArraySizeException. (remm) |
| </fix> |
| <fix> |
| <bug>61563</bug>: Correct typos in Spanish translation. Patch provided by |
| Gonzalo Vásquez. (csutherl) |
| </fix> |
| <update> |
| <bug>61599</bug>: Update to Commons Daemon 1.1.0 for improved Java 9 |
| support. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.46 (violetagg)" rtext="2017-08-18"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Additional permission for deleting files is granted to JULI as it is |
| required by FileHandler when running under a Security Manager. The |
| thread that cleans the log files is marked as daemon thread. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>61229</bug>: Correct a regression in 8.0.44 that broke WebDAV |
| handling for resources with names that included a <code>&amp;</code> |
| character. (markt) |
| </fix> |
| <fix> |
| <bug>61232</bug>: When log rotation is disabled only one separator will |
| be used when generating the log file name. For example if the prefix is |
| <code>catalina.</code> and the suffix is <code>.log</code> then the log |
| file name will be <code>catalina.log</code> instead of |
| <code>catalina..log</code>. Patch provided by Katya Stoycheva. |
| (violetagg) |
| </fix> |
| <fix> |
| Performance improvements for service loader look-ups (and look-ups of |
| other class loader resources) when the web application is deployed in a |
| packed WAR file. (markt) |
| </fix> |
| <fix> |
| <bug>61253</bug>: Add a warning message when Digester.updateAttributes |
| throws an exception instead of ignoring it. (csutherl) |
| </fix> |
| <fix> |
| <bug>61313</bug>: Make the read timeout configurable in the |
| <code>JNDIRealm</code> and ensure that a read timeout will result in an |
| attempt to fail over to the alternateURL. Based on patches by Peter |
| Maloney and Felix Schumacher. (markt) |
| </fix> |
| <add> |
| <bug>61366</bug>: Add a new attribute, <code>localDataSource</code>, to |
| the <code>JDBCStore</code> that allows the Store to be configured to use |
| a DataSource defined by the web application rather than the default of |
| using a globally defined DataSource. Patch provided by Jonathan |
| Horowitz. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61086</bug>: Ensure that an empty request body is explicitly signalled |
| for HTTP 205 responses. Additional fix to r1795278. Based on a patch |
| provided by Alexandr Saperov. (violetagg) |
| </fix> |
| <fix> |
| <bug>61322</bug>: Correct two regressions caused by the fix for |
| <bug>60319</bug> when using BIO with an external Executor. Firstly, use |
| the <code>maxThreads</code> setting from the Executor as the default for |
| <code>maxConnections</code> if none is specified. Secondly, use |
| <code>maxThreads</code> from the Executor when calculating the point at |
| which to disable keep-alive. (markt) |
| </fix> |
| <fix> |
| Prevent exceptions being thrown during normal shutdown of NIO |
| connections. This enables TLS connections to close cleanly. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| <bug>53031</bug>: Add support for the <code>fork</code> option when |
| compiling JSPs with the Jasper Ant task and javac. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| <bug>57767</bug>: Add support to the WebSocket client for following |
| redirects when attempting to establish a WebSocket connection. Patch |
| provided by J Fernandez. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Remove references to the Loader attribute |
| <code>searchExternalFirst</code> from the documentation since the |
| attribute is no longer supported. (markt) |
| </fix> |
| <fix> |
| Correct the documentation for how <code>StandardRoot</code> is |
| configured. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>52791</bug>: Add the ability to set the defaults used by the |
| Windows installer from a configuration file. Patch provided by Sandra |
| Madden. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.45 (violetagg)" rtext="2017-07-01"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>61101</bug>: CORS filter should set Vary header in response. |
| Submitted by Rick Riemer. (remm) |
| </fix> |
| <add> |
| <bug>61105</bug>: Add a new JULI FileHandler configuration for |
| specifying the maximum number of days to keep the log files. |
| (violetagg) |
| </add> |
| <fix> |
| <bug>61125</bug>: Ensure that <code>WarURLConnection</code> returns the |
| correct value for calls to <code>getLastModified()</code> as this is |
| required for the correct detection of JSP modifications when the JSP is |
| packaged in a WAR file. (markt) |
| </fix> |
| <fix> |
| Improve the <code>SSLValve</code> so it is able to handle client |
| certificate headers from Nginx. Based on a patch by Lucas Ventura Carro. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61154</bug>: Allow the Manager and Host Manager web applications to |
| start by default when running under a security manager. This was |
| accomplished by adding a custom permission, |
| <code>org.apache.catalina.security.DeployXmlPermission</code>, that |
| permits an application to use a <code>META-INF/context.xml</code> file |
| and then granting that permission to the Manager and Host Manager. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61173</bug>: Polish the javadoc for |
| <code>o.a.catalina.startup.Tomcat</code>. Patch provided by |
| peterhansson_se. (violetagg) |
| </fix> |
| <add> |
| A new configuration property <code>crawlerIps</code> is added to the |
| <code>o.a.catalina.valves.CrawlerSessionManagerValve</code>. Using this |
| property one can specify a regular expression that will be used to |
| identify crawlers based on their IP address. Based on a patch provided |
| by Tetradeus. (violetagg) |
| </add> |
| <fix> |
| <bug>61180</bug>: Log a warning message rather than an information |
| message if it takes more than 100ms to initialise a |
| <code>SecureRandom</code> instance for a web application to use to |
| generate session identifiers. Patch provided by Piotr Chlebda. (markt) |
| </fix> |
| <fix> |
| <bug>61185</bug>: When an asynchronous request is dispatched via |
| <code>AsyncContext.dispatch()</code> ensure that |
| <code>getRequestURI()</code> for the dispatched request matches that of |
| the original request. (markt) |
| </fix> |
| <fix> |
| <bug>61201</bug>: Ensure that the <code>SCRIPT_NAME</code> environment |
| variable for CGI executables is populated in a consistent way regardless |
| of how the CGI servlet is mapped to a request. (markt) |
| </fix> |
| <fix> |
| <bug>61215</bug>: Correctly define <code>addConnectorPort</code> and |
| <code>invalidAuthenticationWhenDeny</code> in the |
| <code>mbean-descriptors.xml</code> file for the |
| <code>org.apache.catalina.valves</code> package so that the attributes |
| are accessible via JMX. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>61086</bug>: Explicitly signal an empty request body for HTTP 205 |
| responses. (markt) |
| </fix> |
| <fix> |
| Revert a change introduced in the fix for bug <bug>60718</bug> that |
| changed the status code recorded in the access log when the client |
| dropped the connection from 200 to 500. (markt) |
| </fix> |
| <fix> |
| Make asynchronous error handling more robust. In particular ensure that |
| <code>onError()</code> is called for any registered |
| <code>AsyncListener</code>s after an I/O error on a non-container |
| thread. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>44787</bug>: Improve error message when JSP compiler configuration |
| options are not valid. (markt) |
| </fix> |
| <fix> |
| <bug>61137</bug>: <code>j.s.jsp.tagext.TagLibraryInfo#uri</code> and |
| <code>j.s.jsp.tagext.TagLibraryInfo#prefix</code> fields should not be |
| final. Patch provided by Katya Todorova. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correct the log message when a <code>MessageHandler</code> for |
| <code>PongMessage</code> does not implement |
| <code>MessageHandler.Whole</code>. (rjung) |
| </fix> |
| <fix> |
| Improve thread-safety of <code>Future</code>s used to report the result |
| of sending WebSocket messages. (markt) |
| </fix> |
| <fix> |
| <bug>61183</bug>: Correct a regression in the previous fix for |
| <bug>58624</bug> that could trigger a deadlock depending on the locking |
| strategy employed by the client code. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Better document the meaning of the trimSpaces option for Jasper. (markt) |
| </fix> |
| <fix> |
| <bug>61150</bug>: Configure the Manager and Host-Manager web |
| applications to permit serialization and deserialization of |
| CsrfPreventionFilter related session objects to avoid warning messages |
| and/or stack traces on web application stop and/or start when running |
| under a security manager. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>45832</bug>: Add HTTP DIGEST authentication support to the Catalina |
| Ant tasks used to communicate with the Manager application. (markt) |
| </add> |
| <fix> |
| <bug>45879</bug>: Add the <code>RELEASE-NOTES</code> file to the root of |
| the installation created by the Tomcat installer for Windows to make it |
| easier for users to identify the installed Tomcat version. (markt) |
| </fix> |
| <fix> |
| <bug>61055</bug>: Clarify the code comments in the rewrite valve to make |
| clear that there are no plans to provide proxy support for this valve |
| since Tomcat does not have proxy capabilities. (markt) |
| </fix> |
| <fix> |
| <bug>61076</bug>: Document the <code>altDDName</code> attribute for the |
| <code>Context</code> element. (markt) |
| </fix> |
| <fix> |
| Correct typo in Jar Scan Filter Configuration Reference. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| <bug>61145</bug>: Add missing <code>@Documented</code> annotation to |
| annotations in the annotations API. Patch provided by Katya Todorova. |
| (markt) |
| </fix> |
| <fix> |
| <bug>61146</bug>: Add missing <code>lookup()</code> method to |
| <code>@EJB</code> annotation in the annotations API. Patch provided by |
| Katya Todorova. (markt) |
| </fix> |
| <fix> |
| Correct typo in Context Container Configuration Reference. |
| Patch provided by Katya Todorova. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.44 (violetagg)" rtext="2017-05-16"> |
| <subsection name="General"> |
| <changelog> |
| <add> |
| Allow JUnit test classes to be excluded using the build property |
| <code>test.exclude</code> and document the property in |
| BUILDING.txt. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>60940</bug>: Improve the handling of the <code>META-INF/</code> and |
| <code>META-INF/MANIFEST.MF</code> entries for Jar files located in |
| <code>/WEB-INF/lib</code> when running a web application from a packed |
| WAR file. (markt) |
| </fix> |
| <fix> |
| Pre-load the <code>ExceptionUtils</code> class. Since the class is used |
| extensively in error handling, it is prudent to pre-load it to avoid any |
| failure to load this class masking the true problem during error |
| handling. (markt) |
| </fix> |
| <fix> |
| Review those places where Tomcat re-encodes a URI or URI component and |
| ensure that the correct encoding (path differs from query string) is |
| applied and that the encoding is applied consistently. (markt) |
| </fix> |
| <fix> |
| Use a more reliable mechanism for the <code>DefaultServlet</code> when |
| determining if the current request is for a custom error page or not. |
| (markt) |
| </fix> |
| <fix> |
| Ensure that when the Default or WebDAV servlets process an error |
| dispatch that the error resource is processed via the |
| <code>doGet()</code> method irrespective of the method used for the |
| original request that triggered the error. (markt) |
| </fix> |
| <fix> |
| If a static custom error page is specified that does not exist or cannot |
| be read, ensure that the intended error status is returned rather than a |
| 404 or 403. (markt) |
| </fix> |
| <fix> |
| When the WebDAV servlet is configured and an error dispatch is made to a |
| custom error page located below <code>WEB-INF</code>, ensure that the |
| target error page is displayed rather than a 404 response. (markt) |
| </fix> |
| <add> |
| <bug>61047</bug>: Add MIME mapping for woff2 fonts in the default |
| web.xml. Patch provided by Justin Williamson. (violetagg) |
| </add> |
| <fix> |
| Correct the logic that selects the encoding to use to decode the query |
| string in the <code>SSIServletExternalResolver</code> so that the |
| <code>useBodyEncodingForURI</code> attribute of the |
| <code>Connector</code> is correctly taken into account. (markt) |
| </fix> |
| <fix> |
| <bug>61072</bug>: Respect the documentation statements that allow |
| using the platform default secure random for session id generation. |
| (remm) |
| </fix> |
| <fix> |
| Correct the javadoc for |
| <code>o.a.c.connector.CoyoteAdapter#parseSessionCookiesId</code>. |
| Patch provided by John Andrew (XUZHOUWANG) via Github. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60925</bug>: Improve the handling of access to properties defined |
| by interfaces when a <code>BeanELResolver</code> is used under a |
| <code>SecurityManager</code>. (markt) |
| </fix> |
| <update> |
| <bug>61057</bug>: Update to Eclipse JDT Compiler 4.6.3. (violetagg) |
| </update> |
| <fix> |
| <bug>61065</bug>: Ensure that once the class is resolved by |
| <code>javax.el.ImportHandler#resolveClass</code> it will be cached with |
| the proper name. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>61003</bug>: Ensure the flags for reading/writing in |
| <code>o.a.t.websocket.AsyncChannelWrapperSecure</code> are correctly |
| reset even if some exceptions occurred during processing. (markt/violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Document <code>test.threads</code> option in BUILDING.txt. |
| (kkolinko, rjung) |
| </add> |
| <add> |
| Add documentation for the <code>maxIdleTime</code> attribute to Channel Receiver |
| docs. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <scode> |
| Refactor the creation of a constructor for a proxy class to reduce |
| duplicate code. (kfujino) |
| </scode> |
| <fix> |
| In <code>StatementFacade</code>, method calls on statements that |
| have been closed throw <code>SQLException</code> rather than |
| <code>NullPointerException</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct comments about Java 8 in <code>Jre8Compat</code>. |
| Patch provided by fibbers via Github. (violetagg) |
| </fix> |
| <fix> |
| <bug>60932</bug>: Correctly escape single quotes when used in i18n |
| messages. Based on a patch by Michael Osipov. (markt) |
| </fix> |
| <fix> |
| Update the custom Ant task that integrates with the Symantec code |
| signing service to use the now mandatory 2-factor authentication. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.43 (violetagg)" rtext="2017-04-02"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>54618</bug>: Add support to the |
| <code>HttpHeaderSecurityFilter</code> for the HSTS preload parameter. |
| (markt) |
| </add> |
| <fix> |
| <bug>60876</bug>: Ensure that <code>Set-Cookie</code> headers generated |
| by the <code>Rfc6265CookieProcessor</code> are aligned with the |
| specification. Patch provided by Jim Griswold. (markt) |
| </fix> |
| <fix> |
| <bug>60911</bug>: Ensure NPE will not be thrown when looking for SSL |
| session ID. Based on a patch by Didier Gutacker. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When using the NIO2 connector, ensure a WebSocket close frame is |
| processed before the end of stream is processed to ensure that the end |
| of stream is processed correctly. (markt) |
| </fix> |
| <fix> |
| <bug>60852</bug>: Correctly spell compressible when used in |
| configuration attributes and internal code. Based on a patch by Michael |
| Osipov. (markt) |
| </fix> |
| <fix> |
| Improve sendfile handling when requests are pipelined. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Improve the error handling for simple tags to ensure that the tag is |
| released and destroyed once used. (remm, violetagg) |
| </fix> |
| <fix> |
| <bug>60844</bug>: Correctly handle the error when fewer parameter values |
| than required by the method are used to invoke an EL method expression. |
| Patch provided by Daniel Gray. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>60764</bug>: Implement <code>equals()</code> and |
| <code>hashCode()</code> in the <code>StatementFacade</code> in order to |
| enable these methods to be called on the closed statements if any |
| statement proxy is set. This behavior can be changed with |
| <code>useStatementFacade</code> attribute. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Refactor the build script and the NSIS installer script so that either |
| NSIS 2.x or NSIS 3.x can be used to build the installer. This is |
| primarily to re-enable building the installer on the Linux based CI |
| system where the combination of NSIS 3.x and wine leads to failed |
| installer builds. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.42 (markt)" rtext="2017-03-14"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| <bug>60596</bug>: Improve performance of DefaultServlet when sendfile |
| feature is disabled on connector. (kkolinko) |
| </update> |
| <fix> |
| Reduce the contention in the default <code>InstanceManager</code> |
| implementation when multiple threads are managing objects and need to |
| reference the annotation cache. (markt) |
| </fix> |
| <add> |
| Extend the <code>JreMemoryLeakPreventionListener</code> to provide |
| protection against <code>ForkJoinPool.commonPool()</code> related memory |
| leaks. (markt) |
| </add> |
| <scode> |
| <bug>60674</bug>: Remove <code>final</code> marker from |
| <code>CorsFilter</code> to enable sub-classing. (markt) |
| </scode> |
| <fix> |
| <bug>60683</bug>: Security manager failure causing NPEs when doing IO |
| on some JVMs. (csutherl) |
| </fix> |
| <fix> |
| <bug>60688</bug>: Update the internal fork of Apache Commons BCEL to |
| r1782855 to add early access Java 9 support to the annotation scanning |
| code. (markt) |
| </fix> |
| <fix> |
| When HTTP TRACE requests are disabled on the Connector, ensure that the |
| HTTP OPTIONS response from the WebDAV servlet does not include |
| TRACE in the returned Allow header. (markt) |
| </fix> |
| <fix> |
| <bug>60718</bug>: Improve error handling for asynchronous processing and |
| correct a number of cases where the <code>requestDestroyed()</code> |
| event was not being fired and an entry wasn't being made in the access |
| logs. (markt) |
| </fix> |
| <fix> |
| <bug>60722</bug>: Take account of the |
| <strong>dispatchersUseEncodedPaths</strong> setting on the current |
| <strong>Context</strong> when generating paths for dispatches triggered |
| by <code>AsyncContext.dispatch()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60728</bug>: Make the separator Tomcat uses in the Tomcat specific |
| <code>war:file:...</code> URL protocol customizable via a system |
| property. The separator is equivalent to the use of the <code>!</code> |
| character in <code>jar:file:...</code> URLs. The default separator of |
| <code>*</code> remains unchanged. (markt) |
| </fix> |
| <fix> |
| <bug>60798</bug>: Correct a bug in the handling of JARs in unpacked WARs |
| that meant multiple attempts to read the same entry from a JAR in |
| succession would fail for the second and subsequent attempts. (markt) |
| </fix> |
| <fix> |
| <bug>60808</bug>: Ensure that the <code>Map</code> returned by |
| <code>ServletRequest.getParameterMap()</code> is fully immutable. Based |
| on a patch provided by woosan. (markt) |
| </fix> |
| <fix> |
| <bug>60824</bug>: Correctly cache the <code>Subject</code> in the |
| session - if there is a session - when running under a |
| <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt) |
| </fix> |
| <fix> |
| Ensure request and response facades are used when firing application |
| listeners. (markt/remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that executor thread pools used with connectors pre-start the |
| configured minimum number of idle threads. (markt) |
| </fix> |
| <add> |
| <bug>60594</bug>: Allow some invalid characters that were recently |
| restricted to be processed in requests by using the system property |
| <code>tomcat.util.http.parser.HttpParser.requestTargetAllow</code>. |
| (csutherl) |
| </add> |
| <fix> |
| Modify the cookie header generated by the |
| <code>Rfc6265CookieProcessor</code> so it always sends an |
| <code>Expires</code> attribute as well as a <code>Max-Age</code> |
| attribute to avoid problems with Microsoft browsers that do not support |
| the <code>Max-Age</code> attribute. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Follow up to the fix for <bug>58178</bug>. When creating the |
| <code>ELContext</code> for a tag file, ensure that any registered |
| <code>ELContextListener</code>s are fired. (markt) |
| </fix> |
| <fix> |
| Refactor code generated for JSPs to reduce the size of the code required |
| for tags. (markt) |
| </fix> |
| <update> |
| Update to the Eclipse JDT Compiler 4.6.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Make the <code>accessTimeout</code> configurable in |
| <code>ClusterSingleSignOn</code>. The <code>accessTimeout</code> is used |
| as a timeout period for PING in replication map. (kfujino) |
| </add> |
| <fix> |
| <bug>60806</bug>: To avoid <code>ClassNotFoundException</code>, make |
| sure that the web application class loader is passed to |
| <code>ReplicatedContext</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>60617</bug>: Correctly create a <code>CONNECT</code> request when |
| establishing a WebSocket connection via a proxy. Patch provided by |
| Svetlin Zarev. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that <code>NoRpcChannelReply</code> messages are not received on |
| <code>RpcCallback</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.12 to |
| pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg) |
| </update> |
| <add> |
| <bug>60784</bug>: Update all unit tests that test the HTTP status line |
| to check for the required space after the status code. Patch provided by |
| Michael Osipov. (markt) |
| </add> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.01. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.41 (violetagg)" rtext="2017-01-24"> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Make the <code>accessTimeout</code> configurable in |
| <code>BackupManager</code>. The <code>accessTimeout</code> is used as a |
| timeout period for PING in replication map. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Ensure the ASF logo image is displayed in host-manager. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.40 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>53602</bug>: Add HTTP status code 451 (RFC 7725) to the list of |
| HTTP status codes recognised by Tomcat. (markt) |
| </add> |
| <fix> |
| <bug>60446</bug>: Handle the case where the stored user credential uses |
| a different key length than the length currently configured for the |
| <code>CredentialHandler</code>. Based on a patch by Niklas Holm. (markt) |
| </fix> |
| <fix> |
| <bug>60351</bug>: Delay creating <code>META-INF/war-tracker</code> file |
| until after the WAR has been expanded to address the case where the |
| Tomcat process terminates during the expansion. (markt) |
| </fix> |
| <fix> |
| Correctly handle the <code>configClass</code> attribute of a Host when |
| embedding Tomcat. (markt) |
| </fix> |
| <fix> |
| <bug>60379</bug>: Dispose of the GSS credential once it is no longer |
| required. Patch provided by Michael Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60380</bug>: Ensure that a call to |
| <code>HttpServletRequest#logout()</code> triggers a call to |
| <code>TomcatPrincipal#logout()</code>. Based on a patch by Michael |
| Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60387</bug>: Correct the javadoc for |
| <code>o.a.catalina.AccessLog.setRequestAttributesEnabled</code>. |
| The default value is different for the different implementations. |
| (violetagg) |
| </fix> |
| <scode> |
| <bug>60393</bug>: Use consistent parameter naming in implementations of |
| <code>Realm#authenticate(GSSContext, boolean)</code>. (markt) |
| </scode> |
| <fix> |
| <bug>60395</bug>: Log when an <code>Authenticator</code> passes an |
| incomplete <code>GSSContext</code> to a Realm since it indicates a bug |
| in the <code>Authenticator</code>. Patch provided by Michael Osipov. |
| (markt) |
| </fix> |
| <fix> |
| Correctly generate URLs for resources located inside JARs that are |
| themselves located inside a packed WAR file. (markt) |
| </fix> |
| <fix> |
| <bug>60410</bug>: Ensure that multiple calls to |
| <code>JarInputStreamWrapper#close()</code> do not incorrectly trigger |
| the closure of the underlying JAR or WAR file. (markt) |
| </fix> |
| <fix> |
| <bug>60411</bug>: Implement support in the <code>RewriteValve</code> for |
| symbolic names to specify the redirect code to use when returning a |
| redirect response to the user agent. Patch provided by Michael Osipov. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60413</bug>: In the <code>RewriteValve</code> write empty capture |
| groups as the empty string rather than as <code>"null"</code> |
| when generating the re-written URL. Based on a patch by Michael Osipov. |
| (markt) |
| </fix> |
| <update> |
| Update the warnings that reference required options for running on Java |
| 9 to use the latest syntax for those options. (markt) |
| </update> |
| <fix> |
| <bug>60513</bug>: Fix thread safety issue with RMI cleanup code. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that the endpoint is able to unlock the acceptor thread during |
| shutdown if the endpoint is configured to listen to any local address |
| of a specific type such as <code>0.0.0.0</code> or <code>::</code>. |
| (markt) |
| </fix> |
| <fix> |
| Prevent read time out when the file is deleted while serving the |
| response. The issue was observed only with APR Connector and |
| sendfile enabled. (violetagg) |
| </fix> |
| <fix> |
| Improve the logic that selects an address to use to unlock the Acceptor |
| to take account of platforms that do not listen on all local addresses |
| when configured with an address of <code>0.0.0.0</code> or |
| <code>::</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60409</bug>: When unable to complete sendfile request, ensure the |
| Processor will be added to the cache only once. (markt/violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60431</bug>: Improve handling of varargs in UEL expressions. Based |
| on a patch by Ben Wolfe. (markt) |
| </fix> |
| <fix> |
| <bug>60497</bug>: Restore previous tag reuse behavior following the use |
| of try/finally. (remm) |
| </fix> |
| <fix> |
| Improve the error handling for simple tags to ensure that the tag is |
| released and destroyed once used. (remm) |
| </fix> |
| <fix> |
| <bug>60497</bug>: Follow up fix using a better variable name for the |
| tag reuse flag. (remm) |
| </fix> |
| <fix> |
| Revert use of try/finally for simple tags. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct a typo in Host Configuration Reference. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| <bug>60344</bug>: Add a note to BUILDING.txt regarding using the source |
| bundle with the correct line endings. (markt) |
| </fix> |
| <fix> |
| <bug>60412</bug>: Add information on the comment syntax for the |
| <code>RewriteValve</code> configuration. (markt) |
| </fix> |
| <fix> |
| <bug>60467</bug>: Remove problematic characters from XML documentation. |
| Based upon a patch by Michael Osipov. (schultz) |
| </fix> |
| <add> |
| In the documentation web application, be explicit that clustering |
| requires a secure network for all of the cluster network traffic. |
| (markt) |
| </add> |
| <update> |
| Update the ASF logos to the new versions. |
| </update> |
| <fix> |
| <bug>60468</bug>: Correct the format of the sample ISO-8601 date used |
| to report the build date for the documentation. Patch provided by |
| Michael Osipov. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Reduce the warning logs for a message received from a different domain |
| in order to avoid excessive log outputs. (kfujino) |
| </fix> |
| <add> |
| Add a log message for when a PING message has been received beyond the |
| timeout period. (kfujino) |
| </add> |
| <fix> |
| When a PING message has been received beyond the time-out period, |
| make sure that the valid member is added to the map membership. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>60437</bug>: Avoid possible handshake overflows in the websocket |
| client. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <add> |
| <bug>58816</bug>: Implement the statistics of jdbc-pool. The statistics |
| are <code>borrowedCount</code>, <code>returnedCount</code>, |
| <code>createdCount</code>, <code>releasedCount</code>, |
| <code>reconnectedCount</code>, <code>releasedIdleCount</code> and |
| <code>removeAbandonedCount</code>. (kfujino) |
| </add> |
| <fix> |
| <bug>60194</bug>: If <code>validationQuery</code> is not specified, |
| connection validation is done by calling the <code>isValid()</code> |
| method. (kfujino) |
| </fix> |
| <fix> |
| <bug>60398</bug>: Fix testcase of <code>TestSlowQueryReport</code>. |
| (kfujino) |
| </fix> |
| <add> |
| Enable resetting the statistics without restarting the pool. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>60366</bug>: Change <code>catalina.bat</code> to directly use the |
| <code>LOGGING_MANAGER</code> and <code>LOGGING_CONFIG</code> variables |
| in order to configure logging, instead of modifying |
| <code>JAVA_OPTS</code>. Patch provided by Petter Isberg. (violetagg) |
| </fix> |
| <add> |
| Add a new property <code>test.verbose</code> in order to control |
| whether the output of the tests is displayed on the console or not. |
| Patch provided by Emmanuel Bourg. (violetagg) |
| </add> |
| <update> |
| Update the ASF logos used in the Apache Tomcat installer for Windows to |
| use the new versions. |
| </update> |
| <fix> |
| Spelling corrections provided by Josh Soref. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.39 (violetagg)" rtext="2016-11-14"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| When creating a new Connector via JMX, ensure that both HTTP/1.1 and |
| AJP/1.3 connectors can be created. (markt) |
| </fix> |
| <fix> |
| Include the Context name in the log message when an item cannot be |
| added to the cache. (markt) |
| </fix> |
| <fix> |
| Exclude JAR files in <code>/WEB-INF/lib</code> from the static resource |
| cache. (markt) |
| </fix> |
| <fix> |
| When calling <code>getResourceAsStream()</code> on a directory, ensure |
| that <code>null</code> is returned. (markt) |
| </fix> |
| <fix> |
| <bug>60161</bug>: Allow creating subcategories of the container logger, |
| and use it for the rewrite valve. (remm) |
| </fix> |
| <fix> |
| Correctly test for control characters when reading the provided shutdown |
| password. (markt) |
| </fix> |
| <fix> |
| When configuring the JMX remote listener, specify the allowed types for |
| the credentials. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct the HTTP header parser so that DEL is not treated as a valid |
| token character. (markt) |
| </fix> |
| <fix> |
| <bug>60319</bug>: When using an Executor, disconnect it from the |
| Connector attributes <code>maxThreads</code>, |
| <code>minSpareThreads</code> and <code>threadPriority</code> to enable |
| the configuration settings to be consistently reported. These Connector |
| attributes will be reported as <code>-1</code> when an Executor is in |
| use. The values used by the executor may be set and obtained via the |
| Executor. (markt) |
| </fix> |
| <fix> |
| If an I/O error occurs during async processing on a non-container |
| thread, ensure that the <code>onError()</code> event is triggered. |
| (markt) |
| </fix> |
| <fix> |
| Improve detection of I/O errors during async processing on non-container |
| threads and trigger async error handling when they are detected. (markt) |
| </fix> |
| <add> |
| Add additional checks for valid characters to the HTTP request line |
| parsing so invalid request lines are rejected sooner. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct a typo in HTTP Connector How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| Fix default value of <code>validationInterval</code> attribute in |
| jdbc-pool. (kfujino) |
| </fix> |
| <fix> |
| Correct a typo in CGI How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| When the proxy node sends a backup retrieve message, ensure that |
| the <code>channelSendOptions</code> that has been set is used rather than the |
| default <code>channelSendOptions</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the ECJ compiler to version 4.5.1. (markt) |
| </update> |
| <fix> |
| Remove classes from tomcat-util-scan.jar that are duplicates of those in |
| tomcat-util.jar. (markt) |
| </fix> |
| <add> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.0. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.38 (markt)" rtext="2016-10-10"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>59961</bug>: Add an option to the <code>StandardJarScanner</code> |
| to control whether or not JAR Manifests are scanned for additional |
| class path entries. (markt) |
| </add> |
| <fix> |
| <bug>60013</bug>: Refactor the previous fix to align the behaviour of |
| the Rewrite Valve with mod_rewrite. As part of this, provide an |
| implementation for the <code>B</code> and <code>NE</code> flags and |
| improve the handling for the <code>QSA</code> flag. Includes multiple |
| test cases by Santhana Preethi and a patch by Tiago Oliveira. (markt) |
| </fix> |
| <fix> |
| <bug>60087</bug>: Refactor the web resources handling to use the Tomcat |
| specific <code>war:file:...</code> URL protocol to refer to WAR files |
| and their contents rather than the standard <code>jar:file:...</code> |
| form since some components of the JRE, such as JAR verification, give |
| unexpected results when the standard form is used. A side-effect of the |
| refactoring is that when using packed WARs, it is now possible to |
| reference a WAR and/or specific JARs within a WAR in the security policy |
| file used when running under a <code>SecurityManager</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60116</bug>: Fix a problem with the rewrite valve that caused back |
| references evaluated in conditions to be forced to lower case when using |
| the <code>NC</code> flag. (markt) |
| </fix> |
| <fix> |
| Ensure <code>Digester.useContextClassLoader</code> is considered in |
| case the class loader is used. (violetagg) |
| </fix> |
| <fix> |
| <bug>60117</bug>: Ensure that the name of <code>LogLevel</code> is |
| localized when using <code>OneLineFormatter</code>. Patch provided by |
| Tatsuya Bessho. (kfujino) |
| </fix> |
| <fix> |
| <bug>60146</bug>: Improve performance for resource retrieval by making |
| calls to WebResource.getInputStream() trigger caching if the resource is |
| small enough. Patch provided by mohitchugh. (markt) |
| </fix> |
| <add> |
| <bug>60151</bug>: Improve the exception error messages when a |
| <code>ResourceLink</code> fails to specify the type, specifies an |
| unknown type or specifies the wrong type. (markt) |
| </add> |
| <fix> |
| <bug>60167</bug>: Ignore empty lines in <code>/etc/passwd</code> files |
| when using the <code>PasswdUserDatabase</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60170</bug>: Exclude the compressed test file |
| <code>index.html.br</code> from RAT analysis. Patch provided by Gavin |
| McDonald. (markt) |
| </fix> |
| <fix> |
| When starting web resources, ensure that class resources are only |
| started once. (markt) |
| </fix> |
| <fix> |
| Improve the access checks for linked global resources to handle the case |
| where the current class loader is a child of the web application class |
| loader. (markt) |
| </fix> |
| <fix> |
| <bug>60199</bug>: Log a warning if deserialization issues prevent a |
| session attribute from being loaded. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correctly handle a call to <code>AsyncContext.complete()</code> from a |
| non-container thread when non-blocking I/O is being used. (markt) |
| </fix> |
| <add> |
| Refactor the code that implements the requirement that a call to |
| <code>complete()</code> or <code>dispatch()</code> made from a |
| non-container thread before the container initiated thread that called |
| <code>startAsync()</code> completes must be delayed until the container |
| initiated thread has completed. Rather than implementing this by |
| blocking the non-container thread, extend the internal state machine to |
| track this. This removes the possibility that blocking the non-container |
| thread could trigger a deadlock. (markt) |
| </add> |
| <fix> |
| <bug>60123</bug>: Avoid potential threading issues that could cause |
| excessively large values to be returned for the processing time of |
| a current request. (markt) |
| </fix> |
| <fix> |
| <bug>60174</bug>: Log instances of <code>HeadersTooLargeException</code> |
| during request processing. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60101</bug>: Remove preloading of the class that was deleted. |
| (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Expand the documentation for the nested elements within a |
| <code>Resources</code> element to clarify the behaviour of different |
| configuration options with respect to the order in which resources are |
| searched. (markt) |
| </add> |
| <add> |
| Add an example of using the <code>classesToInitialize</code> attribute |
| of the <code>JreMemoryLeakPreventionListener</code> to the documentation |
| web application. Based on a patch by Cris Berneburg. (markt) |
| </add> |
| <fix> |
| <bug>60192</bug>: Correct a typo in the status output of the Manager |
| application. Patch provided by Radhakrishna Pemmasani. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Notify jmx when returning the connection that has been marked suspect. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the <code>POOL_EMPTY</code> notification has been added to |
| the jmx notification types. (kfujino) |
| </fix> |
| <fix> |
| <bug>60099</bug>: Ensure that all method arguments are used as a cache key |
| when using <code>StatementCache</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>60139</bug>: Correct Javadocs for |
| <code>PoolConfiguration.getValidationInterval</code> and |
| <code>setValidationInterval</code>. Reported by Phillip Webb. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Update the download location for Objenesis. (violetagg) |
| </fix> |
| <fix> |
| <bug>60164</bug>: Replace <code>log4j-core*.jar</code> with |
| <code>log4j-web*.jar</code> since it is <code>log4j-web*.jar</code> that |
| contains the <code>ServletContainerInitializer</code>. (markt) |
| </fix> |
| <add> |
| Add documentation to the bin/catalina.bat script to remind users that |
| environment variables don't affect the configuration of Tomcat when |
| run as a Windows Service. Based upon a documentation patch by |
| James H.H. Lampert. (schultz) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.10 to |
| pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.37 (markt)" rtext="2016-09-05"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>57705</bug>: Add debug logging for requests denied by the remote |
| host and remote address valves and filters. Based on a patch by Graham |
| Leggett. (markt) |
| </fix> |
| <add> |
| <bug>59399</bug>: Add a new option to the Realm implementations that |
| ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS |
| redirects to be controlled per Realm. (markt) |
| </add> |
| <update> |
| Change the default of the |
| <code>sessionCookiePathUsesTrailingSlash</code> attribute of the |
| <code>Context</code> element to <code>false</code> since the problems |
| caused when a Servlet is mapped to <code>/*</code> are more significant |
| than the security risk of not enabling this option by default. (markt) |
| </update> |
| <fix> |
| Do not attempt to start web resources during a web application's |
| initialisation phase since the web application is not fully configured |
| at that point and the web resources may not be correctly configured. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59708</bug>: Modify the LockOutRealm logic. Valid authentication |
| attempts during the lock out period will no longer reset the lock out |
| timer to zero. (markt) |
| </fix> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| <bug>59813</bug>: Ensure that circular relations of the Class-Path |
| attribute from JAR manifests will be processed correctly. (violetagg) |
| </fix> |
| <fix> |
| Ensure that reading the <code>singleThreadModel</code> attribute of a |
| <code>StandardWrapper</code> via JMX does not trigger initialisation of |
| the associated servlet. With some frameworks this can trigger an |
| unexpected initialisation thread and if initialisation is not thread-safe |
| the initialisation can then fail. (markt) |
| </fix> |
| <fix> |
| Compatibility with rewrite from httpd for non existing headers. |
| (jfclere) |
| </fix> |
| <fix> |
| By default, treat paths used to obtain a request dispatcher as encoded. |
| This behaviour can be changed per web application via the |
| <code>dispatchersUseEncodedPaths</code> attribute of the Context. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59839</bug>: Apply <code>roleSearchAsUser</code> to all nested searches |
| in JNDIRealm. (fschumacher) |
| </fix> |
| <fix> |
| <bug>59859</bug>: Fix resource leak in WebDAV servlet. Based on patch by |
| Coty Sutherland. (fschumacher) |
| </fix> |
| <add> |
| Provide a mechanism that enables the container to check if a component |
| (typically a web application) has been granted a given permission when |
| running under a SecurityManager without the current execution stack |
| having to have passed through the component. Use this new mechanism to |
| extend SecurityManager protection to the system property replacement |
| feature of the digester. (markt) |
| </add> |
| <add> |
| When retrieving an object via a <code>ResourceLink</code>, ensure that |
| the object obtained is of the expected type. (markt) |
| </add> |
| <fix> |
| <bug>59824</bug>: Mark the <code>RewriteValve</code> as supporting async |
| processing by default. (markt) |
| </fix> |
| <fix> |
| <bug>59862</bug>: Allow nested jar files scanning to be filtered with |
| the system property |
| <code>tomcat.util.scan.StandardJarScanFilter.jarsToSkip</code>. Patch |
| is provided by Terence Bandoian. (violetagg) |
| </fix> |
| <fix> |
| <bug>59866</bug>: When scanning <code>WEB-INF/classes</code> for |
| annotations, don't scan the contents of |
| <code>WEB-INF/classes/META-INF</code> (if present) since classes will |
| never be loaded from that location. (markt) |
| </fix> |
| <fix> |
| <bug>59888</bug>: Correctly handle tabs and spaces in quoted version one |
| cookies when using the <code>Rfc6265CookieProcessor</code>. (markt) |
| </fix> |
| <fix> |
| <bug>59912</bug>: Fix an edge case in input stream handling where an |
| <code>IOException</code> could be thrown when reading a POST body. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59960</bug>: Fix Javadoc so it builds with Java 8. Patch by Coty |
| Sutherland. (markt) |
| </fix> |
| <fix> |
| <bug>59966</bug>: Do not start the web application if the error page |
| configuration in web.xml is invalid. (markt) |
| </fix> |
| <fix> |
| Switch the CGI servlet to the standard logging mechanism and remove |
| support for the debug attribute. (markt) |
| </fix> |
| <fix> |
| Changes to the <code>allowLinking</code> attribute of a |
| <code>StandardRoot</code> instance now invalidate the cache if caching |
| is enabled. (markt) |
| </fix> |
| <add> |
| Add a new initialisation parameter, <code>envHttpHeaders</code>, to |
| the CGI Servlet to mitigate <a href="https://httpoxy.org">httpoxy</a> |
| (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388" |
| >CVE-2016-5388</a>) by default and to provide a mechanism that can be |
| used to mitigate any future, similar issues. (markt) |
| </add> |
| <add> |
| When adding and removing <code>ResourceLink</code>s dynamically, ensure |
| that the global resource is only visible via the |
| <code>ResourceLinkFactory</code> when it is meant to be. (markt) |
| </add> |
| <fix> |
| <bug>60008</bug>: When processing CORS requests, treat any origin with a |
| URI scheme of <code>file</code> as a valid origin. (markt) |
| </fix> |
| <fix> |
| Improve handling of exceptions during Lifecycle events triggered by a |
| state transition. The exception is now caught and the component is now |
| placed into the <code>FAILED</code> state. (markt) |
| </fix> |
| <fix> |
| <bug>60013</bug>: Fix encoding issues when using the RewriteValve with |
| UTF-8 query strings or UTF-8 redirect URLs. (markt) |
| </fix> |
| <fix> |
| <bug>60022</bug>: Improve handling when a WAR file and/or the associated |
| exploded directory are symlinked into the <code>appBase</code>. (markt) |
| </fix> |
| <fix> |
| Fix a file descriptor leak when reading the global web.xml. (markt) |
| </fix> |
| <fix> |
| Consistently decode URL patterns provided via web.xml using the encoding |
| of the web.xml file where specified or UTF-8 where no explicit encoding |
| is specified. (markt) |
| </fix> |
| <fix> |
| Make timing attacks against the Realm implementations harder. (schultz) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| Extend synchronization for NIO2 writes to avoid |
| <code>ConcurrentModificationException</code> observed during testing. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59904</bug>: Add a limit (default 200) for the number of cookies |
| allowed per request. Based on a patch by gehui. (markt) |
| </fix> |
| <fix> |
| <bug>59925</bug>: Correct regression in r1628368 and ensure that HTTP |
| separators are handled as configured in the |
| <code>LegacyCookieProcessor</code>. Patch provided by Kyohei Nakamura. |
| (markt) |
| </fix> |
| <fix> |
| OpenSSL now disables 3DES by default so reflect this when using OpenSSL |
| syntax to select ciphers. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| Improve the error handling for custom tags to ensure that the tag is |
| returned to the pool or released and destroyed once used. (markt) |
| </fix> |
| <fix> |
| <bug>60032</bug>: Fix handling of method calls that use varargs within |
| EL value expressions. (markt) |
| </fix> |
| <fix> |
| Ignore <code>engineOptionsClass</code> and <code>scratchdir</code> when |
| running under a security manager. (markt) |
| </fix> |
| <fix> |
| Fixed StringIndexOutOfBoundsException. Based on a patch provided by |
| wuwen via GitHub. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| <bug>59908</bug>: Ensure that a reason phrase is included in the close |
| message if a session is closed due to a timeout. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| Do not log an additional case of <code>IOException</code>s in the |
| error handler for the Drawboard WebSocket example when the root cause is |
| the client disconnecting since the logs add no value. (markt) |
| </fix> |
| <fix> |
| <bug>59642</bug>: Mention the <code>localDataSource</code> in the |
| <code>DataSourceRealm</code> section of the Realm How-To. (markt) |
| </fix> |
| <fix> |
| Follow-up to the fix for <bug>59399</bug>. Ensure that the new attribute |
| <code>transportGuaranteeRedirectStatus</code> is documented for all |
| <strong>Realm</strong>s. Also document the <code>NullRealm</code> and |
| when it is automatically created for an <strong>Engine</strong>. (markt) |
| </fix> |
| <fix> |
| Fix the description of <code>maxAge</code> attribute in jdbc-pool doc. |
| This attribute works both when a connection is returned and when a |
| connection is borrowed. (kfujino) |
| </fix> |
| <fix> |
| <bug>59774</bug>: Correct the <code>prefix</code> values in the |
| documented examples for configuring the <code>AccessLogValve</code>. |
| Patch provided by Mike Noordermeer. (markt) |
| </fix> |
| <fix> |
| <bug>59868</bug>: Clarify the documentation for the Manager web |
| application to make clearer that the host name and IP address in the |
| server section are the primary host name and IP address. (markt) |
| </fix> |
| <fix> |
| MBeans Descriptors How-To is moved to |
| <code>mbeans-descriptors-howto.html</code>. Patch provided by Radoslav |
| Husar. (violetagg) |
| </fix> |
| <fix> |
| Update NIO Connector configuration documentation with information |
| about <code>socket.directSslBuffer</code>. (violetagg) |
| </fix> |
| <fix> |
| <bug>60034</bug>: Correct a typo in the Manager How-To page of the |
| documentation web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add log message when the ping has timed-out. (kfujino) |
| </add> |
| <fix> |
| If the ping message has been received at the |
| <code>AbstractReplicatedMap#leftOver</code> method, notify that the |
| member is alive rather than ignoring it. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix the duplicated connection release when connection verification |
| failed. (kfujino) |
| </fix> |
| <fix> |
| Ensure that an abandoned connection that has already been released is |
| not removed. (kfujino) |
| </fix> |
| <fix> |
| In order to avoid the unintended skip of <code>PoolCleaner</code>, |
| remove the check code of the execution interval in the task that has |
| been scheduled. (kfujino) |
| </fix> |
| <fix> |
| <bug>59850</bug>: Ensure that the <code>ResultSet</code> is closed when |
| enabling the <code>StatementCache</code> interceptor. (kfujino) |
| </fix> |
| <fix> |
| <bug>59923</bug>: Reduce the default value of |
| <code>validationInterval</code> in order to avoid the potential issue |
| that continues to return an invalid connection after database restart. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the <code>ResultSet</code> is returned as Proxy object when |
| enabling the <code>StatementDecoratorInterceptor</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>60043</bug>: Ensure that the <code>suspectTimeout</code> works |
| without removing connection when the <code>removeAbandoned</code> is |
| disabled. (kfujino) |
| </fix> |
| <fix> |
| Add a log message when returning a connection that has been marked |
| suspect. (kfujino) |
| </fix> |
| <fix> |
| Correct Javadoc for <code>ConnectionPool.suspect()</code>. Based on a |
| patch by Yahya Cahyadi. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| <bug>59276</bug>: Update optional Checkstyle library to 6.17. (kkolinko) |
| </update> |
| <add> |
| Use the mirror network rather than the ASF master site to download the |
| current ASF dependencies. (markt) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.8 to |
| pick up the latest fixes and make 1.2.8 the minimum recommended version. |
| (markt) |
| </update> |
| <fix> |
| <bug>59899</bug>: Update Tomcat's copy of the Java Persistence |
| annotations to include the changes made in 2.1 / JavaEE 7. (markt) |
| </fix> |
| <fix> |
| Fixed typos in mbeans-descriptors.xml files. (violetagg) |
| </fix> |
| <update> |
| Update the internal fork of Commons BCEL to r1757132 to align with the |
| BCEL 6 release. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP2 to r1757164 to pick up a |
| couple of bug fixes. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to r1757174. Code formatting |
| changes only. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons FileUpload to afdedc9. This pulls in |
| a fix to improve the performance with large multipart boundaries. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.36 (markt)" rtext="2016-06-13"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| RMI Target related memory leaks are avoidable which makes them an |
| application bug that needs to be fixed rather than a JRE bug to work |
| around. Therefore, start logging RMI Target related memory leaks on web |
| application stop. Add an option that controls if the check for these |
| leaks is made. Log a warning if running on Java 9 with this check |
| enabled but without the command line option it requires. (markt) |
| </fix> |
| <fix> |
| Ensure NPE will not be thrown during deployment when scanning jar files |
| without MANIFEST.MF file. (violetagg) |
| </fix> |
| <fix> |
| <bug>59604</bug>: Correct the assumption made in the URL decoding that |
| the default platform encoding is always compatible with ISO-8859-1. This |
| assumption is not always valid, e.g. on z/OS. (markt) |
| </fix> |
| <fix> |
| <bug>59608</bug>: Skip over any invalid <code>Class-Path</code> attribute |
| from JAR manifests. Log errors at debug level due to many bad libraries. |
| (remm) |
| </fix> |
| <fix> |
| Fix the error message when failing to register an MBean. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that requests with HTTP method names that are not tokens (as |
| required by RFC 7231) are rejected with a 400 response. (markt) |
| </fix> |
| <fix> |
| When an asynchronous request is processed by the AJP connector, ensure |
| that request processing has fully completed before starting the next |
| request. (markt) |
| </fix> |
| <fix> |
| If an async dispatch results in the completion of request processing, |
| ensure that any remaining request body is swallowed before starting the |
| processing of the next request else the remaining body may be read as the |
| start of the next request leading to a 400 response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>59567</bug>: Fix NPE scanning webapps for TLDs when an exploded |
| JAR has an empty WEB-INF/classes/META-INF folder. (remm) |
| </fix> |
| <fix> |
| Fix a memory leak in the expression language implementation that caused |
| the class loader of the first web application to use expressions to be |
| pinned in memory. (markt) |
| </fix> |
| <fix> |
| <bug>59640</bug>: NPEs with not found TLDs. (remm) |
| </fix> |
| <fix> |
| <bug>59654</bug>: Improve error message when attempting to use a TLD |
| file from an invalid location. Patch provided by Huxing Zhang. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>58891</bug>: Update the SSL how-to. Based on a suggestion by |
| Alexander Kjäll. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix a memory leak with the pool cleaner thread that retained a reference |
| to the web application class loader for the first web application to use |
| a connection pool. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the optional code coverage tool Cobertura to 2.1.1 so it is easier |
| to compare the change in lines of code between 8.0.x and 9.0.x. (markt) |
| </update> |
| <fix> |
| <bug>58626</bug>: Add support for a new environment variable |
| (<code>USE_NOHUP</code>) that causes <code>nohup</code> to be used when |
| starting Tomcat. It is disabled by default except on HP-UX where it is |
| enabled by default since it is required when starting Tomcat at boot on |
| HP-UX. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.35 (markt)" rtext="2016-05-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Ensure that annotated web components packed in web fragments will be |
| processed when <code>unpackWARs</code> is enabled. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.34 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>59206</bug>: Ensure NPE will not be thrown by |
| <code>o.a.tomcat.util.file.ConfigFileLoader</code> when |
| <code>catalina.base</code> is not specified. (violetagg) |
| </fix> |
| <fix> |
| <bug>59217</bug>: Remove duplication in the recycling of the path in |
| <code>o.a.tomcat.util.http.ServerCookie</code>. Patch is provided by |
| Kyohei Nakamura. (violetagg) |
| </fix> |
| <fix> |
| <bug>59213</bug>: Async dispatches should be based off a wrapped |
| request. (remm) |
| </fix> |
| <fix> |
| Ensure that <code>javax.servlet.ServletRequest</code> and |
| <code>javax.servlet.ServletResponse</code> provided during |
| <code>javax.servlet.AsyncListener</code> registration are made |
| available via <code>javax.servlet.AsyncEvent.getSuppliedRequest</code> |
| and <code>javax.servlet.AsyncEvent.getSuppliedResponse</code> |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>59219</bug>: Ensure <code>AsyncListener.onError()</code> is called |
| if an <code>Exception</code> is thrown during async processing. (markt) |
| </fix> |
| <fix> |
| <bug>59220</bug>: Ensure that <code>AsyncListener.onComplete()</code> is |
| called if the async request times out and the response is already |
| committed. (markt) |
| </fix> |
| <fix> |
| <bug>59226</bug>: Process the <code>Class-Path</code> attribute from |
| JAR manifests for JARs on the class path excluding JARs packaged in |
| <code>WEB-INF/lib</code>. (markt) |
| </fix> |
| <fix> |
| <bug>59255</bug>: Fix possible NPE in mapper. (kkolinko/remm) |
| </fix> |
| <fix> |
| <bug>59256</bug>: <code>slf4j-taglib*.jar</code> should not be excluded |
| from the standard JAR scanning by default. (violetagg) |
| </fix> |
| <fix> |
| Clarify in the log message that specifying both urlPatterns and value |
| attributes in WebServlet and WebFilter annotations is not allowed. |
| (violetagg) |
| </fix> |
| <fix> |
| Ensure the exceptions caused by Valves will be available in the log |
| files so that they can be evaluated when |
| <code>o.a.catalina.valves.ErrorReportValve.showReport</code> is |
| disabled. Patch is provided by Svetlin Zarev. (violetagg) |
| </fix> |
| <fix> |
| Fix handling of Cluster Receiver in StoreConfig. The <code>bind</code> |
| and <code>host</code> attributes are defined as |
| <code>TransientAttribute</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>59261</bug>: <code>ServletRequest.getAsyncContext()</code> now |
| throws an <code>IllegalStateException</code> as required by the Servlet |
| specification if the request is not in asynchronous mode when called. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59269</bug>: Correct the implementation of |
| <code>PersistentManagerBase</code> so that <code>minIdleSwap</code> |
| functions as designed and sessions are swapped out to keep the active |
| session count below <code>maxActiveSessions</code>. (markt) |
| </fix> |
| <fix> |
| <bug>59247</bug>: Preload ResourceEntry as a workaround for security |
| manager issues on some JVMs. (kkolinko/remm) |
| </fix> |
| <fix> |
| Correctly configure the base path for a resources directory provided by |
| an expanded JAR file. Patch provided by hengyunabc. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>/WEB-INF/classes</code> is never processed as a web |
| fragment. (markt) |
| </fix> |
| <fix> |
| <bug>59310</bug>: Do not add a <code>Content-Length: 0</code> header for |
| custom responses to <code>HEAD</code> requests that do not set a |
| <code>Content-Length</code> value. (markt) |
| </fix> |
| <add> |
| Make a web application's CredentialHandler available through a context |
| attribute. This allows a web application to use the same algorithm |
| for validating or generating new stored credentials from cleartext |
| ones. (schultz) |
| </add> |
| <fix> |
| When normalizing paths, improve the handling when paths end with |
| <code>/.</code> or <code>/..</code> and ensure that input and output are |
| consistent with respect to whether or not they end with <code>/</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59317</bug>: Ensure that |
| <code>HttpServletRequest.getRequestURI()</code> returns an encoded URI |
| rather than a decoded URI after a dispatch. (markt) |
| </fix> |
| <fix> |
| Use the correct URL for the fragment when reporting errors processing |
| a <code>web-fragment.xml</code> file from a JAR located in an unpacked |
| WAR. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>JarScanner</code> only uses the explicit call-back to |
| process <code>WEB-INF/classes</code> and only when configured to treat |
| the contents of <code>WEB-INF/classes</code> as a possible exploded JAR. |
| (markt) |
| </fix> |
| <scode> |
| Remove the <code>java2DDisposerProtection</code> option from the |
| <code>JreMemoryLeakPreventionListener</code>. The leak is fixed in Java |
| 7 onwards and Tomcat 8 requires Java 7 so the option is unnecessary. |
| (markt) |
| </scode> |
| <fix> |
| Ensure that the value for the header <code>X-Frame-Options</code> is |
| constructed correctly according to the specification when |
| <code>ALLOW-FROM</code> option is used. (violetagg) |
| </fix> |
| <fix> |
| <bug>59449</bug>: In <code>ContainerBase</code>, ensure that the process |
| to remove a child container is the reverse of the process to add one. |
| Patch provided by Huxing Zhang. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When running on Java 7, exclude DHE ciphers from the default cipher list |
| for JSSE connectors since they use weak 768 bit DH keys and cannot be |
| configured to use more secure keys. (markt) |
| </fix> |
| <add> |
| Add a new environment variable <code>JSSE_OPTS</code> that is intended |
| to be used to pass JVM wide configuration to the JSSE implementation. |
| The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code> |
| which protects against weak Diffie-Hellman keys with Java 8. (markt) |
| </add> |
| <update> |
| Exclude ciphers that use RSA keys from the default cipher list since |
| they do not support forward secrecy. (markt) |
| </update> |
| <fix> |
| <bug>58970</bug>: Fix a connection counting bug in the NIO connector |
| that meant some dropped connections were not removed from the current |
| connection count. (markt) |
| </fix> |
| <fix> |
| <bug>59289</bug>: Do not recycle upgrade processors in unexpected close |
| situations. (remm) |
| </fix> |
| <fix> |
| <bug>59295</bug>: Use <code>Locale.toLanguageTag()</code> to construct |
| the <code>Content-Language</code> HTTP header to ensure the locale is |
| correctly represented. Patch provided by zikfat. (markt) |
| </fix> |
| <fix> |
| <bug>59451</bug>: Correct Javadoc for <code>MessageBytes</code>. Patch |
| provided by Kyohei Nakamura. (markt) |
| </fix> |
| <fix> |
| <bug>59450</bug>: Correctly handle the case where the |
| <code>LegacyCookieProcessor</code> is configured with |
| <code>allowHttpSepsInV0</code> set to <code>false</code> and |
| <code>forwardSlashIsSeparator</code> set to <code>true</code>. Patch |
| provided by Kyohei Nakamura. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| When scanning JARs for TLDs, correctly handle the (rare) case where a |
| JAR has been exploded into <code>WEB-INF/classes</code> and the web |
| application is deployed as a packed WAR. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Ensure that a client disconnection triggers the error handling for the |
| associated WebSocket end point. (markt) |
| </fix> |
| <add> |
| Make WebSocket client more robust when handling errors during the close |
| of a WebSocket session. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Update the link in the documentation to the Maven repository where |
| Tomcat snapshot artifacts are deployed. (markt/violetagg) |
| </fix> |
| <fix> |
| Clarify in the documentation that calls to |
| <code>ServletContext.log(String, Throwable)</code> or |
| <code>GenericServlet.log(String, Throwable)</code> are logged at the |
| SEVERE level. (violetagg) |
| </fix> |
| <fix> |
| Correct a typo in SSL/TLS Configuration How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Avoid NPE when a proxy node failed to retrieve a backup entry. (kfujino) |
| </fix> |
| <add> |
| Add a log message when an unexpected message is received. (kfujino) |
| </add> |
| <add> |
| Add the flag indicating that member is a localMember. (kfujino) |
| </add> |
| <fix> |
| Fix potential NPE that depends on the setting order of attributes of |
| static member when using the static cluster. (kfujino) |
| </fix> |
| <add> |
| Add get/set method for the channel that is related to |
| <code>ChannelInterceptorBase</code>. (kfujino) |
| </add> |
| <fix> |
| As with the multicast cluster environment, in the static cluster |
| environment, the local member inherits properties from the cluster |
| receiver. (kfujino) |
| </fix> |
| <add> |
| Add get/set method for the channel that is related to each Channel |
| services. (kfujino) |
| </add> |
| <add> |
| Add a name to the channel in order to identify channels. In a Tomcat |
| cluster environment, the default value is the cluster name + "-Channel". |
| (kfujino) |
| </add> |
| <add> |
| Add the channel name to the thread which is invoked by channel services |
| in order to identify the associated channel. (kfujino) |
| </add> |
| <fix> |
| Ensure that the channel instance is cleared from channel services when |
| stopping the channel. (kfujino) |
| </fix> |
| <add> |
| Implement map state in the replication map. (kfujino) |
| </add> |
| <fix> |
| Ensure that the ping is not executed during the start/stop of the |
| replication map. (kfujino) |
| </fix> |
| <fix> |
| In ping processing in the replication map, send the newly introduced |
| <code>PING</code> message rather than the <code>INIT</code> message. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>59211</bug>: Add hamcrest to Eclipse classpath. Patch is provided |
| by Huxing Zhang. (violetagg) |
| </fix> |
| <update> |
| <bug>59280</bug>: Update the NSIS Installer used to build the |
| Windows Installers to version 2.51. (kkolinko) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.7 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2h and APR |
| 1.5.2. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.33 (markt)" rtext="2016-03-24"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct a regression in the fix for <bug>58867</bug>. When configuring a |
| Context to use an external directory for the <code>docBase</code>, and |
| that directory happens to be located alongside the original WAR, use |
| the directory as the <code>docBase</code> rather than expanding the |
| WAR into the <code>appBase</code> and using the newly created expanded |
| directory as the <code>docBase</code>. (markt) |
| </fix> |
| <add> |
| <bug>58351</bug>: Make the server build date and server version number |
| accessible via JMX. Patch provided by Huxing Zhang. (markt) |
| </add> |
| <add> |
| <bug>58988</bug>: Special characters in the substitutions for the RewriteValve |
| can now be quoted with a backslash. (fschumacher) |
| </add> |
| <fix> |
| <bug>58999</bug>: Fix class and resource name filtering in WebappClassLoader. |
| It throws a StringIndexOutOfBoundsException if the name is exactly |
| "org" or "javax". (rjung) |
| </fix> |
| <scode> |
| Remove unnecessary code. There is no support for context level cluster. |
| (kfujino) |
| </scode> |
| <add> |
| Make checking for var and map replacement in RewriteValve a bit stricter and |
| correct detection of colon in var replacement. (fschumacher) |
| </add> |
| <fix> |
| Fix the type of <code>InstanceManager</code> attribute of mbean |
| definition of <code>StandardContext</code>. (kfujino) |
| </fix> |
| <fix> |
| Refactor the web application class loader to reduce the impact of JAR |
| scanning on the memory footprint of the web application. (markt) |
| </fix> |
| <fix> |
| Fix some resource leaks in the error handling for accessing files from |
| JARs and WARs. (markt) |
| </fix> |
| <fix> |
| Refactor the JAR and JAR-in-WAR resource handling to reduce the memory |
| footprint of the web application. (markt) |
| </fix> |
| <fix> |
| <bug>57809</bug>: Deprecate the custom context attribute |
| <code>org.apache.tomcat.util.scan.MergedWebXml</code> which will be |
| removed in Tomcat 9. (markt) |
| </fix> |
| <fix> |
| <bug>59001</bug>: Correctly handle the case when Tomcat is installed on |
| a path where one of the segments ends in an exclamation mark. (markt) |
| </fix> |
| <fix> |
| Expand the fix for <bug>59001</bug> to cover the special sequences used |
| in Tomcat's custom jar:war: URLs. (markt) |
| </fix> |
| <fix> |
| <bug>59043</bug>: Avoid warning while expiring sessions associated with |
| a single sign on if <code>HttpServletRequest.logout()</code> is used. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59054</bug>: Ensure that using the |
| <code>CrawlerSessionManagerValve</code> in a distributed environment |
| does not trigger an error when the Valve registers itself in the |
| session. (markt) |
| </fix> |
| <fix> |
| Storeconfig handling of alternate cookie processors. (markt/remm) |
| </fix> |
| <fix> |
| Storeconfig handling for socket properties. (remm) |
| </fix> |
| <add> |
| Log a warning message if a user tries to configure the default session |
| timeout via the deprecated (and ignored) |
| <code>Manager.setMaxInactiveInterval()</code> method. (markt) |
| </add> |
| <fix> |
| Fix incorrect parsing of the NE and NC flags in rewrite rules. (remm) |
| </fix> |
| <fix> |
| <bug>59065</bug>: Correct the timing of the check for colons in paths |
| on non-Windows systems implemented in <code>catalina.sh</code> so it |
| works correctly with Cygwin. Patch provided by Ed Randall. (markt) |
| </fix> |
| <fix> |
| When a Host is configured with an appBase that does not exist, create |
| the appBase before trying to expand an external WAR file into it. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59115</bug>: When using the Servlet 3.0 file upload, the submitted |
| file name may be provided as a token or a quoted-string. If a |
| quoted-string, unquote the string before returning it to the user. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59123</bug>: Close <code>NamingEnumeration</code> objects used by |
| the <code>JNDIRealm</code> once they are no longer required. |
| (fschumacher/markt) |
| </fix> |
| <fix> |
| <bug>59138</bug>: Correct a false positive warning for ThreadLocal |
| related memory leaks when the key class but not the value class has been |
| loaded by the web application class loader. (markt) |
| </fix> |
| <fix> |
| <bug>59145</bug>: Don't log an invalid warning when a user logs out of |
| a session associated with SSO. (markt) |
| </fix> |
| <fix> |
| <bug>59151</bug>: Fix a regression in the fix for <bug>56917</bug> that |
| added additional (and arguably unnecessary) validation to the provided |
| redirect location. (markt) |
| </fix> |
| <fix> |
| <bug>59154</bug>: Fix a <code>NullPointerException</code> in the |
| <code>JAASMemoryLoginModule</code> resulting from the introduction of the |
| <code>CredentialHandler</code> to <code>Realm</code>s. (schultz/markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>58646</bug>: Correct a problem with sendfile that resulted in a |
| Processor being added to the cache twice leading to broken responses. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59015</bug>: Fix potential cause of endless APR Poller loop during |
| shutdown if the Poller experiences an error during the shutdown process. |
| (markt) |
| </fix> |
| <fix> |
| Align cipher aliases for <code>kECDHE</code> and <code>ECDHE</code> with |
| the current OpenSSL implementation. (markt) |
| </fix> |
| <fix> |
| <bug>59081</bug>: Retain the user defined cipher order when defining |
| ciphers using the OpenSSL format. (markt) |
| </fix> |
| <fix> |
| <bug>59089</bug>: Correctly ignore HTTP headers that include non-token |
| characters in the header name. (markt) |
| </fix> |
| <add> |
| Add support for additional OpenSSL cipher aliases from OpenSSL master |
| when specifying ciphers using the OpenSSL syntax. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57583</bug>: Improve the performance of |
| <code>javax.servlet.jsp.el.ScopedAttributeELResolver</code> when |
| resolving attributes that do not exist. This improvement only works when |
| Jasper is used with Tomcat's EL implementation. (markt) |
| </fix> |
| <update> |
| <bug>58111</bug>: Update to the Eclipse JDT Compiler 4.5. (markt) |
| </update> |
| <add> |
| Add Java 9 support for JSPs. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>59014</bug>: Ensure that a WebSocket close message can be sent |
| after a close message has been received. (markt) |
| </fix> |
| <fix> |
| Correctly handle compression of partial messages when the final message |
| fragment has a zero length payload. (markt) |
| </fix> |
| <fix> |
| <bug>59119</bug>: Correct read logic for WebSocket client when using |
| secure connections. (markt) |
| </fix> |
| <fix> |
| <bug>59134</bug>: Correct client connect logic for secure connections |
| made through a proxy. (markt) |
| </fix> |
| <fix> |
| <bug>59189</bug>: Explicitly release the native memory held by the |
| <code>Inflater</code> and <code>Deflater</code> when using |
| PerMessageDeflate and the WebSocket session ends. Based on a patch by |
| Henrik Olsson. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct an error in the documentation of the expected behaviour for |
| automatic deployment. If a WAR is updated and an expanded directory is |
| present, the directory will always be deleted and recreated by expanding |
| the WAR if <code>unpackWARs</code> is <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58935</bug>: Remove incorrect references in the documentation to |
| using <code>jar:file:</code> URLs with the Manager application. (markt) |
| </fix> |
| <fix> |
| Correct the description of the |
| <code>ServletRequest.getServerPort()</code> in Proxy How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| Fix a potential indefinite wait in the Comet Chat servlet in the |
| examples web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| If promoting a proxy node to a primary node when getting a session, |
| notify the change of the new primary node to the original backup node. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>58283</bug>: Change the default download location for libraries |
| during the build process from <code>/usr/share/java</code> to |
| <code>${user.home}/temp</code>. Patch provided by Ahmed Hosni. (markt) |
| </fix> |
| <fix> |
| <bug>59031</bug>: When using the Windows uninstaller, do not remove the |
| contents of any directories that have been symlinked into the Tomcat |
| directory structure. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.5 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2g and APR |
| 1.5.1. (markt) |
| </update> |
| <update> |
| Modify the default <code>tomcat-users.xml</code> file to make it harder |
| for users to configure the entries intended for use with the examples |
| web application for the Manager application. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.32 (markt)" rtext="2016-02-08"> |
| <subsection name="General"> |
| <changelog> |
| <add> |
| Allow multiple JUnit test class patterns to be configured with the build |
| property <code>test.name</code> and document the property in |
| BUILDING.txt. (rjung) |
| </add> |
| <fix> |
| <bug>58768</bug>: Log a warning if a redirect fails because of an |
| invalid location. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Fix class loader decision on the delegation for class loading and |
| resource lookup and make it faster too. (rjung) |
| </fix> |
| <fix> |
| <bug>58946</bug>: Ensure that the request parameter map remains |
| immutable when processing via a RequestDispatcher. (markt) |
| </fix> |
| <fix> |
| <bug>58827</bug>: Deprecate what is left of the JSR 77 implementation. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58905</bug>: Ensure that <code>Tomcat.silence()</code> silences the |
| correct logger and respects the current setting. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| New configuration option <code>ajpFlush</code> for the AJP connectors |
| to disable the sending of AJP flush packets. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Correct a regression in the session attribute filtering that prevented |
| clustering from starting in the default configuration. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Fix a timing issue on session close that could result in an exception |
| being thrown for an incomplete message even though the message was |
| completed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.31 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct implementation of |
| <code>validateClientProvidedNewSessionId</code> so client provided |
| session IDs may be rejected if validation is enabled. (markt) |
| </fix> |
| <fix> |
| Add path parameter handling to |
| <code>HttpServletRequest.getContextPath()</code>. This is a follow-up to |
| the fix for <bug>57215</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>58692</bug>: Make <code>StandardJarScanner</code> more robust. Log |
| a warning if a class path entry cannot be scanned rather than triggering |
| the failure of the web application. Includes a test case written by |
| Derek Abdine. (markt) |
| </fix> |
| <fix> |
| <bug>58701</bug>: Reset the <code>instanceInitialized</code> field in |
| <code>StandardWrapper</code> when unloading a Servlet so that a new |
| instance may be correctly initialized. (markt) |
| </fix> |
| <fix> |
| <bug>58702</bug>: Ensure an access log entry is generated if the client |
| aborts the connection. (markt) |
| </fix> |
| <fix> |
| Fixed various issues reported by Findbugs. (violetagg) |
| </fix> |
| <fix> |
| <bug>58735</bug>: Add support for the <code>X-XSS-Protection</code> |
| header to the <code>HttpHeaderSecurityFilter</code>. Patch provided by |
| Jacopo Cappellato. (markt) |
| </fix> |
| <fix> |
| <bug>58751</bug>: Correctly handle the case where an |
| <code>AsyncListener</code> dispatches to a Servlet on an asynchronous |
| timeout and the Servlet uses <code>sendError()</code> to trigger an |
| error page. Includes a test case based on code provided by Andy |
| Wilkinson. (markt) |
| </fix> |
| <fix> |
| <bug>58765</bug>: Change default for |
| <code>mapperContextRootRedirectEnabled</code> to <code>true</code> since |
| this is required for correct session management because of the default |
| for <code>sessionCookiePathUsesTrailingSlash</code>. (markt) |
| </fix> |
| <fix> |
| Add the <code>StatusManagerServlet</code> to the list of Servlets that |
| can only be loaded by privileged applications. (markt) |
| </fix> |
| <fix> |
| Simplify code and fix messages in |
| <code>org.apache.catalina.core.DefaultInstanceManager</code> class. |
| (kkolinko) |
| </fix> |
| <scode> |
| Deprecate InstanceListener, InstanceEvent and InstanceSupport prior to |
| removal in 9.0.x. (markt) |
| </scode> |
| <fix> |
| Ensure that the proper file encoding, if specified, is used when |
| a readme file is served by DefaultServlet. (violetagg) |
| </fix> |
| <fix> |
| Fix declaration of <code>localPort</code> attribute of Connector MBean: |
| it is read-only. (kkolinko) |
| </fix> |
| <fix> |
| <bug>58766</bug>: Make skipping non-class files during annotation |
| scanning faster by checking the file name first. Improve debug logging. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>58809</bug>: Correctly recycle cookies when mapping requests for |
| parallel deployment. As a side-effect of this fix, the system property |
| <code>org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER</code> |
| is no longer used. From this release, Tomcat will always preserve the |
| cookie header. (markt) |
| </fix> |
| <fix> |
| <bug>58836</bug>: Correctly merge query string parameters when |
| processing a forwarded request where the target includes a query string |
| that contains a parameter with no value. (markt/kkolinko) |
| </fix> |
| <fix> |
| Make sure that shared Digester is reset in an unlikely error case |
| in <code>HostConfig.deployWAR()</code>. (kkolinko) |
| </fix> |
| <fix> |
| <bug>58867</bug>: Improve checking on Host start for WAR files that have |
| been modified while Tomcat has stopped and re-expand them if |
| <code>unpackWARs</code> is <code>true</code>. (markt) |
| </fix> |
| <fix> |
| Fix a potential JDBC resource leak in DataSourceRealm. (schultz) |
| </fix> |
| <fix> |
| <bug>58900</bug>: Correctly undeploy symlinked resources and prevent an |
| infinite cycle of deploy / undeploy. (markt) |
| </fix> |
| <fix> |
| Protect initialization of <code>ResourceLinkFactory</code> when |
| running with a SecurityManager. (kkolinko) |
| </fix> |
| <add> |
| Extend the feature available in the cluster session manager |
| implementations that enables session attribute replication to be |
| filtered based on attribute name to all session manager implementations. |
| Note that the configuration attribute name has changed from |
| <code>sessionAttributeFilter</code> to |
| <code>sessionAttributeNameFilter</code>. Apply the filter on load as |
| well as unload to ensure that configuration changes made while the web |
| application is stopped are applied to any persisted data. (markt) |
| </add> |
| <add> |
| Extend the session attribute filtering options to include filtering |
| based on the implementation class of the value and optional |
| <code>WARN</code> level logging if an attribute is filtered. These |
| options are available for all of the Manager implementations that ship |
| with Tomcat. When a <code>SecurityManager</code> is used filtering will |
| be enabled by default. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Fix handling of missing messages in |
| <code>org.apache.el.util.MessageFactory</code>. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| To prevent the heartbeat thread and the background thread from running |
| <code>Channel.heartbeat</code> simultaneously, ensure that the heartbeat |
| thread does not start if <code>heartbeatBackgroundEnabled</code> of |
| <code>SimpleTcpCluster</code> is set to <code>true</code>. (kfujino) |
| </fix> |
| <scode> |
| Simplify the code of <code>JvmRouteBinderValve.startInternal()</code>. |
| Avoid potential NPE when <code>JvmRouteBinderValve</code> is configured |
| directly at <code>Engine</code> element. (kfujino) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57489</bug>: Ensure <code>onClose()</code> is called when a |
| WebSocket connection is closed even if the sending of the close message |
| fails. Includes test cases by Barry Coughlan. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <add> |
| Add a description of the default value of |
| <code>heartbeatSleeptime</code> attribute and <code>optionCheck</code> |
| attribute in the cluster channel docs. (kfujino) |
| </add> |
| <fix> |
| Correct some typos in the JNDI resources How-To. (markt) |
| </fix> |
| <fix> |
| Don't create sessions unnecessarily in the Manager application. (markt) |
| </fix> |
| <fix> |
| Don't create sessions unnecessarily in the Host Manager application. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58723</bug>: Clarify documentation and error messages for the text |
| interface of the manager to make clear that version must be used with |
| path when referencing contexts deployed using parallel deployment. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Fix potential NPE in <code>AbstractReplicatedMap.breakdown()</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| Add support for the startup notification of local members in the static |
| cluster. (kfujino) |
| </fix> |
| <fix> |
| Ignore the unnecessary member remove operation from a different domain. |
| (kfujino) |
| </fix> |
| <fix> |
| Add support for the shutdown notification of local members in the static |
| cluster. (kfujino) |
| </fix> |
| <fix> |
| Ensure that asynchronous session replication thread is a daemon thread. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Remove native code (Windows Service Wrapper, APR/native connector) |
| support for Windows Itanium. (markt) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.4 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2e and APR |
| 1.5.1. (markt) |
| </update> |
| <update> |
| Update the NSIS Installer used to build the Windows Installers to |
| version 2.50. (markt/kkolinko) |
| </update> |
| <update> |
| Update optional Checkstyle library to 6.14.1. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.30 (markt)" rtext="2015-12-06"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>34319</bug>: Only load those keys in |
| <code>StoreBase.processExpire</code> from JDBCStore that are old |
| enough to be expired. Based on a patch by Tom Anderson. (fschumacher) |
| </fix> |
| <add> |
| <bug>56917</bug>: As per RFC7231 (HTTP/1.1), allow HTTP/1.1 and later |
| redirects to use relative URIs. This is controlled by a new attribute |
| <code>useRelativeRedirects</code> on the <strong>Context</strong> and |
| defaults to <code>true</code>. (markt) |
| </add> |
| <fix> |
| <bug>58629</bug>: Allow an embedded Tomcat instance to start when the |
| <code>Service</code> has no <code>Engine</code> configured. (markt) |
| </fix> |
| <fix> |
| <bug>58635</bug>: Enable break points to be set within agent code when |
| running Tomcat with a Java agent. Based on a patch by Huxing Zhang. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58660</bug>: Correct a regression in 8.0.29 caused by the change |
| that moved the redirection for context roots from the Mapper to the |
| Default Servlet. (markt) |
| </fix> |
| <fix> |
| Fixed potential NPE in <code>HostConfig</code> while deploying an |
| application. Issue reported by coverity scan. (violetagg) |
| </fix> |
| <fix> |
| <bug>58655</bug>: Fix an <code>IllegalStateException</code> when |
| calling <code>HttpServletResponse.sendRedirect()</code> with the |
| <code>RemoteIpFilter</code>. This was caused by trying to correctly |
| generate the absolute URI for the redirect. With the fix for |
| <bug>56917</bug>, redirects may now be relative making the |
| <code>sendRedirect()</code> implementation for the |
| <code>RemoteIpFilter</code> much simpler. This also addresses issues |
| where the redirect may not have behaved as expected when redirecting |
| from http to https or from https to http. (markt) |
| </fix> |
| <fix> |
| <bug>58657</bug>: Exceptions in a Servlet 3.1 <code>ReadListener</code> |
| or <code>WriteListener</code> do not need to be immediately fatal to the |
| connection. Allow an error response to be written. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Improve upgrade context classloader handling by using Context.bind and |
| unbind. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57136#c25</bug>: Change default value of |
| <code>quoteAttributeEL</code> setting in Jasper to be <code>true</code> |
| for better compatibility with other implementations and older versions |
| of Tomcat (8.0.26/7.0.64 and earlier). Add command line option |
| <code>-no-quoteAttributeEL</code> in JspC. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Fix potential integer overflow in <code>DeltaSession</code>. |
| Reported by coverity scan. (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| <bug>55006</bug>: The WebSocket client now honors the |
| <code>java.net.ProxySelector</code> configuration (using the |
| HTTP type) when establishing WebSocket connections to servers. Based on |
| a patch by Niki Dokovski. (markt) |
| </add> |
| <fix> |
| <bug>58624</bug>: Correct a thread safety issue that meant that blocking |
| message writes could block indefinitely if the WebSocket connection was |
| closed while a message write was in progress. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| <bug>58631</bug>: Correct the continuation character use in the Windows |
| Service How-To page of the documentation web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that the static member is registered to the add suspect list even |
| if the static member that is registered to the remove suspect list has |
| disappeared. (kfujino) |
| </fix> |
| <fix> |
| Correct the warning logged when a member that is not registered in the |
| membership is detected. (kfujino) |
| </fix> |
| <fix> |
| When using a static cluster, add the members that have been cached in |
| the membership service to the map members list in order to ensure that |
| the map member is a static member. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Correct evaluation of system property |
| <code>org.apache.tomcat.jdbc.pool.onlyAttemptCurrentClassLoader</code>. |
| It was basically ignored before. Reported by coverity scan. |
| (fschumacher) |
| </fix> |
| <fix> |
| Fix potential integer overflow in <code>ConnectionPool</code> and |
| <code>PooledConnection</code>. Reported by coverity scan. (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update optional Checkstyle library to 6.13. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.29 (markt)" rtext="2015-11-24"> |
| <subsection name="General"> |
| <changelog> |
| <update> |
| <bug>58596</bug>: Clarify the description in RUNNING.txt of how |
| environment variables are used. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Extend the fix for <bug>57136</bug> to provide a JSP Servlet |
| initialisation parameter per web application that controls whether or |
| not EL in JSP attributes is processed as if it uses JSP attribute |
| quoting. By default, EL does not use JSP attribute quoting. (markt) |
| </add> |
| <fix> |
| <bug>57799</bug>: InputStream.available() was causing an IO operation |
| to occur even in blocking mode, which caused problems with NIO2. |
| (remm) |
| </fix> |
| <add> |
| Extend the fix for <bug>58228</bug> to include |
| <code>ServletContext.getRealPath()</code>. (markt) |
| </add> |
| <add> |
| <bug>58486</bug>: Protect against two further possible memory leaks |
| associated with XML parsing. (markt) |
| </add> |
| <fix> |
| <bug>58490</bug>: Fixed NPE thrown when scanning for |
| <code>javax.servlet.ServletContainerInitializer</code> in case the web |
| application is not extracted. (violetagg) |
| </fix> |
| <scode> |
| <bug>58497</bug>: Make <code>AbstractHttp11Processor</code> easy to |
| extend. (markt) |
| </scode> |
| <fix> |
| <bug>58508</bug>: Escape role names when generating associated MBeans in |
| case the role name contains characters not permitted in an MBean name. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58518</bug>: Correct a regression in the fix for <bug>56777</bug> |
| that added support for URIs in config file locations. File paths on |
| Windows could previously be specified with <code>\</code> or |
| <code>/</code> as the separator. <bug>56777</bug> broke that. (markt) |
| </fix> |
| <fix> |
| <bug>58519</bug>: Fix ISE thrown by web application classloader in some |
| error conditions due to trying to call <code>initCause()</code> on a |
| <code>ClassNotFoundException</code> which is not permitted. (markt) |
| </fix> |
| <fix> |
| <bug>58534</bug>: Removed repeated conditional tests in |
| <code>o.a.tomcat.websocket.pojo.PojoMethodMapping</code> and |
| <code>o.a.tomcat.util.net.AprEndpoint</code>. |
| Patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58535</bug>: Use <code>Collections.reverseOrder</code> |
| when a reverse ordering is needed. (violetagg) |
| </fix> |
| <fix> |
| <bug>58537</bug>, <bug>58546</bug>: Some of the inner classes in |
| <code>o.a.catalina.valves.ExtendedAccessLogValve</code> |
| and <code>o.a.tomcat.util.net.SecureNio2Channel</code> |
| are made static. |
| Patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58540</bug>: Removed unused code from |
| <code>o.a.catalina.connector.Request</code>. |
| Patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58541</bug>, <bug>58544</bug>: It is more efficient to call |
| <code>Integer.toString(int)</code> instead of |
| <code>Integer.valueOf(int).toString()</code> when only a string |
| representation of a primitive is needed. Based on a patch provided by |
| Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58541</bug>, <bug>58547</bug>: It is more efficient to call |
| <code>valueOf(...)</code> instead of Number constructor. Based on a |
| patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58545</bug>: In some use cases it is more efficient to use |
| <code>Map.entrySet()</code> instead of <code>Map.keySet()</code>. |
| Based on a patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| Ensure that <code>ServletRequest.getContentLengthLong</code> is used |
| instead of <code>ServletRequest.getContentLength</code> for servlets and |
| valves provided by Tomcat. The API is available since Servlet |
| specification 3.1. (violetagg) |
| </fix> |
| <add> |
| Add a new RestCsrfPreventionFilter that provides basic CSRF protection |
| for REST APIs. (violetagg) |
| </add> |
| <fix> |
| <bug>58578</bug>: Avoid NPE accessing cookies during access logging |
| for request that had no context mapping. (remm) |
| </fix> |
| <fix> |
| Avoid UnsupportedOperationException when releasing a user-provided |
| URLStreamHandlerFactory. Patch provided by Cristian Talau. (violetagg) |
| </fix> |
| <fix> |
| <bug>58581</bug>: If a custom error page fails, fall back to the |
| standard error page rather than throwing an NPE. Based on a patch by |
| Huxing Zhang. (markt) |
| </fix> |
| <fix> |
| <bug>58582</bug>: Combined realm should perform background processing |
| on its sub-realms. Based upon a patch provided by Aidan. (schultz) |
| </fix> |
| <fix> |
| Handle the unlikely case where different versions of a web application |
| are deployed with different session settings. (markt) |
| </fix> |
| <add> |
| Add a new Context option, enabled by default, that enables an additional |
| check that a client provided session ID is in use in at least one other |
| web application before allowing it to be used as the ID for a new |
| session in the current web application. (markt) |
| </add> |
| <add> |
| Add support for DIGEST authentication to the JNDIRealm. Based on a patch |
| by Alexis Hassler. (markt) |
| </add> |
| <fix> |
| <bug>58603</bug>: Ensure that |
| <code>HttpServletRequest.getRequestURL()</code> returns the correct |
| value when using the <code>RemoteIpFilter</code>. (markt) |
| </fix> |
| <fix> |
| Ensure that in an embedded Tomcat the logging configuration is |
| not lost during garbage collection. (violetagg) |
| </fix> |
| <add> |
| Move the functionality that provides redirects for context roots and |
| directories where a trailing <code>/</code> is added from the Mapper to |
| the <code>DefaultServlet</code>. This enables such requests to be |
| processed by any configured Valves and Filters before the redirect is |
| made. This behaviour is configurable via the |
| <code>mapperContextRootRedirectEnabled</code> and |
| <code>mapperDirectoryRedirectEnabled</code> attributes of the Context |
| which may be used to restore the previous behaviour. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Cancel pending blocking IO operation following a timeout in the NIO2 |
| connector. (remm) |
| </fix> |
| <fix> |
| Add instance manager support for upgrade handlers, and set context |
| class loader. (remm) |
| </fix> |
| <update> |
| Synchronize OpenSSL to JSSE cipher mapping to recent OpenSSL changes. In |
| particular, <code>TLSv1.0</code> is now an alias for those ciphers that |
| require TLSv1 and will not work with SSLv3. <code>TLSv1</code> remains |
| an alias for <code>SSLv3</code>. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Deprecate the <code>STRICT_QUOTE_ESCAPING</code> system property and |
| replace it with an initialisation parameter for the JSP Servlet. This |
| enables per web application control of this configuration setting. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Optimize the session lock range in DeltaManager.requestCompleted. |
| (kfujino) |
| </fix> |
| <fix> |
| Enable an explicit configuration of local member in the static cluster |
| membership. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <scode> |
| Distinguish the handling of the shutdown payload and member verification |
| clearly. When handling shutdown payload, verification completion message |
| is not required. (kfujino) |
| </scode> |
| <fix> |
| When starting the <code>StaticMembershipInterceptor</code>, |
| <code>StaticMembershipInterceptor</code> checks the required |
| Interceptors. If the required Interceptor does not exist, it issues |
| warning logs. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Use instance manager for server endpoint instances. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Make it clear in the documentation for the CGI servlet that the debug |
| page is not considered secure and should not be used in production. |
| (markt) |
| </add> |
| <fix> |
| The <code>domain</code> attribute of <code>StaticMember</code> is not |
| required but optional. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>58489</bug>: Correct QueryStatsComparator to uphold the |
| general contract for Comparator. (fschumacher) |
| </fix> |
| <fix> |
| When creating a <code>QueryStats</code> object, ensure that |
| <code>maxQueries</code> is checked. If <code>maxQueries</code> is a |
| value less than or equal to 0, <code>QueryStats</code> are never |
| created. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection<
|