| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <!DOCTYPE document [ |
| <!ENTITY project SYSTEM "project.xml"> |
| ]> |
| <?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?> |
| <document url="changelog.html"> |
| |
| &project; |
| |
| <properties> |
| <title>Changelog</title> |
| <no-comments /> |
| </properties> |
| |
| <body> |
| <!-- |
| Subsection ordering: |
| General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications, |
| Extras, Tribes, jdbc-pool, Other |
| |
| Item Ordering: |
| |
| Fixes having an issue number are sorted by their number, ascending. |
| |
| There is no ordering by add/update/fix. |
| |
| Other fixed issues are added to the end of the list, chronologically. |
| They eventually become mixed with the numbered issues. (I.e., numbered |
| issues do not "pop up" wrt. others). |
| --> |
| <section name="Tomcat 8.0.44 (violetagg)" rtext="In development"> |
| <subsection name="General"> |
| <changelog> |
| <add> |
| Allow JUnit test classes to be excluded using the build property |
| <code>test.exclude</code> and document the property in |
| BUILDING.txt. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>60940</bug>: Improve the handling of the <code>META-INF/</code> and |
| <code>META-INF/MANIFEST.MF</code> entries for Jar files located in |
| <code>/WEB-INF/lib</code> when running a web application from a packed |
| WAR file. (markt) |
| </fix> |
| <fix> |
| Pre-load the <code>ExceptionUtils</code> class. Since the class is used |
| extensively in error handling, it is prudent to pre-load it to avoid any |
| failure to load this class masking the true problem during error |
| handling. (markt) |
| </fix> |
| <fix> |
| Review those places where Tomcat re-encodes a URI or URI component and |
| ensure that the correct encoding (path differs from query string) is |
| applied and that the encoding is applied consistently. (markt) |
| </fix> |
| <fix> |
| Use a more reliable mechanism for the <code>DefaultServlet</code> when |
| determining if the current request is for a custom error page or not. |
| (markt) |
| </fix> |
| <fix> |
| Ensure that when the Default or WebDAV servlets process an error |
| dispatch that the error resource is processed via the |
| <code>doGet()</code> method irrespective of the method used for the |
| original request that triggered the error. (markt) |
| </fix> |
| <fix> |
| If a static custom error page is specified that does not exist or cannot |
| be read, ensure that the intended error status is returned rather than a |
| 404 or 403. (markt) |
| </fix> |
| <fix> |
| When the WebDAV servlet is configured and an error dispatch is made to a |
| custom error page located below <code>WEB-INF</code>, ensure that the |
| target error page is displayed rather than a 404 response. (markt) |
| </fix> |
| <add> |
| <bug>61047</bug>: Add MIME mapping for woff2 fonts in the default |
| web.xml. Patch provided by Justin Williamson. (violetagg) |
| </add> |
| <fix> |
| Correct the logic that selects the encoding to use to decode the query |
| string in the <code>SSIServletExternalResolver</code> so that the |
| <code>useBodyEncodingForURI</code> attribute of the |
| <code>Connector</code> is correctly taken into account. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60925</bug>: Improve the handling of access to properties defined |
| by interfaces when a <code>BeanELResolver</code> is used under a |
| <code>SecurityManager</code>. (markt) |
| </fix> |
| <update> |
| <bug>61057</bug>: Update to Eclipse JDT Compiler 4.6.3. (violetagg) |
| </update> |
| <fix> |
| <bug>61065</bug>: Ensure that once the class is resolved by |
| <code>javax.el.ImportHandler#resolveClass</code> it will be cached with |
| the proper name. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>61003</bug>: Ensure the flags for reading/writing in |
| <code>o.a.t.websocket.AsyncChannelWrapperSecure</code> are correctly |
| reset even if some exceptions occurred during processing. (markt/violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Document <code>test.threads</code> option in BUILDING.txt. |
| (kkolinko, rjung) |
| </add> |
| <add> |
| Add documentation for the <code>maxIdleTime</code> attribute to the Channel Receiver |
| docs. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <scode> |
| Refactor the creation of a constructor for a proxy class to reduce |
| duplicate code. (kfujino) |
| </scode> |
| <fix> |
| In <code>StatementFacade</code>, method calls on statements that |
| have been closed throw <code>SQLException</code> rather than |
| <code>NullPointerException</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct comments about Java 8 in <code>Jre8Compat</code>. |
| Patch provided by fibbers via GitHub. (violetagg) |
| </fix> |
| <fix> |
| <bug>60932</bug>: Correctly escape single quotes when used in i18n |
| messages. Based on a patch by Michael Osipov. (markt) |
| </fix> |
| <fix> |
| Update the custom Ant task that integrates with the Symantec code |
| signing service to use the now mandatory 2-factor authentication. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.43 (violetagg)" rtext="2017-04-02"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>54618</bug>: Add support to the |
| <code>HttpHeaderSecurityFilter</code> for the HSTS preload parameter. |
| (markt) |
| </add> |
| <fix> |
| <bug>60876</bug>: Ensure that <code>Set-Cookie</code> headers generated |
| by the <code>Rfc6265CookieProcessor</code> are aligned with the |
| specification. Patch provided by Jim Griswold. (markt) |
| </fix> |
| <fix> |
| <bug>60911</bug>: Ensure NPE will not be thrown when looking for SSL |
| session ID. Based on a patch by Didier Gutacker. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When using the NIO2 connector, ensure a WebSocket close frame is |
| processed before the end of stream is processed to ensure that the end |
| of stream is processed correctly. (markt) |
| </fix> |
| <fix> |
| <bug>60852</bug>: Correctly spell compressible when used in |
| configuration attributes and internal code. Based on a patch by Michael |
| Osipov. (markt) |
| </fix> |
| <fix> |
| Improve sendfile handling when requests are pipelined. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Improve the error handling for simple tags to ensure that the tag is |
| released and destroyed once used. (remm, violetagg) |
| </fix> |
| <fix> |
| <bug>60844</bug>: Correctly handle the error when fewer parameter values |
| than required by the method are used to invoke an EL method expression. |
| Patch provided by Daniel Gray. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>60764</bug>: Implement <code>equals()</code> and |
| <code>hashCode()</code> in the <code>StatementFacade</code> in order to |
| enable these methods to be called on the closed statements if any |
| statement proxy is set. This behavior can be changed with |
| <code>useStatementFacade</code> attribute. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Refactor the build script and the NSIS installer script so that either |
| NSIS 2.x or NSIS 3.x can be used to build the installer. This is |
| primarily to re-enable building the installer on the Linux based CI |
| system where the combination of NSIS 3.x and wine leads to failed |
| installer builds. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.42 (markt)" rtext="2017-03-14"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| <bug>60596</bug>: Improve performance of DefaultServlet when sendfile |
| feature is disabled on connector. (kkolinko) |
| </update> |
| <fix> |
| Reduce the contention in the default <code>InstanceManager</code> |
| implementation when multiple threads are managing objects and need to |
| reference the annotation cache. (markt) |
| </fix> |
| <add> |
| Extend the <code>JreMemoryLeakPreventionListener</code> to provide |
| protection against <code>ForkJoinPool.commonPool()</code> related memory |
| leaks. (markt) |
| </add> |
| <scode> |
| <bug>60674</bug>: Remove <code>final</code> marker from |
| <code>CorsFilter</code> to enable sub-classing. (markt) |
| </scode> |
| <fix> |
| <bug>60683</bug>: Security manager failure causing NPEs when doing IO |
| on some JVMs. (csutherl) |
| </fix> |
| <fix> |
| <bug>60688</bug>: Update the internal fork of Apache Commons BCEL to |
| r1782855 to add early access Java 9 support to the annotation scanning |
| code. (markt) |
| </fix> |
| <fix> |
| When HTTP TRACE requests are disabled on the Connector, ensure that the |
| HTTP OPTIONS response from the WebDAV servlet does not include |
| TRACE in the returned Allow header. (markt) |
| </fix> |
| <fix> |
| <bug>60718</bug>: Improve error handling for asynchronous processing and |
| correct a number of cases where the <code>requestDestroyed()</code> |
| event was not being fired and an entry wasn't being made in the access |
| logs. (markt) |
| </fix> |
| <fix> |
| <bug>60722</bug>: Take account of the |
| <strong>dispatchersUseEncodedPaths</strong> setting on the current |
| <strong>Context</strong> when generating paths for dispatches triggered |
| by <code>AsyncContext.dispatch()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60728</bug>: Make the separator Tomcat uses in the Tomcat specific |
| <code>war:file:...</code> URL protocol customizable via a system |
| property. The separator is equivalent to the use of the <code>!</code> |
| character in <code>jar:file:...</code> URLs. The default separator of |
| <code>*</code> remains unchanged. (markt) |
| </fix> |
| <fix> |
| <bug>60798</bug>: Correct a bug in the handling of JARs in unpacked WARs |
| that meant multiple attempts to read the same entry from a JAR in |
| succession would fail for the second and subsequent attempts. (markt) |
| </fix> |
| <fix> |
| <bug>60808</bug>: Ensure that the <code>Map</code> returned by |
| <code>ServletRequest.getParameterMap()</code> is fully immutable. Based |
| on a patch provided by woosan. (markt) |
| </fix> |
| <fix> |
| <bug>60824</bug>: Correctly cache the <code>Subject</code> in the |
| session - if there is a session - when running under a |
| <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt) |
| </fix> |
| <fix> |
| Ensure request and response facades are used when firing application |
| listeners. (markt/remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that executor thread pools used with connectors pre-start the |
| configured minimum number of idle threads. (markt) |
| </fix> |
| <add> |
| <bug>60594</bug>: Allow some invalid characters that were recently |
| restricted to be processed in requests by using the system property |
| <code>tomcat.util.http.parser.HttpParser.requestTargetAllow</code>. |
| (csutherl) |
| </add> |
| <fix> |
| Modify the cookie header generated by the |
| <code>Rfc6265CookieProcessor</code> so it always sends an |
| <code>Expires</code> attribute as well as a <code>Max-Age</code> |
| attribute to avoid problems with Microsoft browsers that do not support |
| the <code>Max-Age</code> attribute. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Follow up to the fix for <bug>58178</bug>. When creating the |
| <code>ELContext</code> for a tag file, ensure that any registered |
| <code>ELContextListener</code>s are fired. (markt) |
| </fix> |
| <fix> |
| Refactor code generated for JSPs to reduce the size of the code required |
| for tags. (markt) |
| </fix> |
| <update> |
| Update to the Eclipse JDT Compiler 4.6.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Make the <code>accessTimeout</code> configurable in |
| <code>ClusterSingleSignOn</code>. The <code>accessTimeout</code> is used |
| as a timeout period for PING in replication map. (kfujino) |
| </add> |
| <fix> |
| <bug>60806</bug>: To avoid <code>ClassNotFoundException</code>, make |
| sure that the web application class loader is passed to |
| <code>ReplicatedContext</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>60617</bug>: Correctly create a <code>CONNECT</code> request when |
| establishing a WebSocket connection via a proxy. Patch provided by |
| Svetlin Zarev. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that <code>NoRpcChannelReply</code> messages are not received on |
| <code>RpcCallback</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.12 to |
| pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg) |
| </update> |
| <add> |
| <bug>60784</bug>: Update all unit tests that test the HTTP status line |
| to check for the required space after the status code. Patch provided by |
| Michael Osipov. (markt) |
| </add> |
| <update> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.01. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.41 (violetagg)" rtext="2017-01-24"> |
| <subsection name="Cluster"> |
| <changelog> |
| <add> |
| Make the <code>accessTimeout</code> configurable in |
| <code>BackupManager</code>. The <code>accessTimeout</code> is used as a |
| timeout period for PING in replication map. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Ensure the ASF logo image is displayed in host-manager. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.40 (violetagg)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>53602</bug>: Add HTTP status code 451 (RFC 7725) to the list of |
| HTTP status codes recognised by Tomcat. (markt) |
| </add> |
| <fix> |
| <bug>60446</bug>: Handle the case where the stored user credential uses |
| a different key length than the length currently configured for the |
| <code>CredentialHandler</code>. Based on a patch by Niklas Holm. (markt) |
| </fix> |
| <fix> |
| <bug>60351</bug>: Delay creating <code>META-INF/war-tracker</code> file |
| until after the WAR has been expanded to address the case where the |
| Tomcat process terminates during the expansion. (markt) |
| </fix> |
| <fix> |
| Correctly handle the <code>configClass</code> attribute of a Host when |
| embedding Tomcat. (markt) |
| </fix> |
| <fix> |
| <bug>60379</bug>: Dispose of the GSS credential once it is no longer |
| required. Patch provided by Michael Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60380</bug>: Ensure that a call to |
| <code>HttpServletRequest#logout()</code> triggers a call to |
| <code>TomcatPrincipal#logout()</code>. Based on a patch by Michael |
| Osipov. (markt) |
| </fix> |
| <fix> |
| <bug>60387</bug>: Correct the javadoc for |
| <code>o.a.catalina.AccessLog.setRequestAttributesEnabled</code>. |
| The default value is different for the different implementations. |
| (violetagg) |
| </fix> |
| <scode> |
| <bug>60393</bug>: Use consistent parameter naming in implementations of |
| <code>Realm#authenticate(GSSContext, boolean)</code>. (markt) |
| </scode> |
| <fix> |
| <bug>60395</bug>: Log when an <code>Authenticator</code> passes an |
| incomplete <code>GSSContext</code> to a Realm since it indicates a bug |
| in the <code>Authenticator</code>. Patch provided by Michael Osipov. |
| (markt) |
| </fix> |
| <fix> |
| Correctly generate URLs for resources located inside JARs that are |
| themselves located inside a packed WAR file. (markt) |
| </fix> |
| <fix> |
| <bug>60410</bug>: Ensure that multiple calls to |
| <code>JarInputStreamWrapper#close()</code> do not incorrectly trigger |
| the closure of the underlying JAR or WAR file. (markt) |
| </fix> |
| <fix> |
| <bug>60411</bug>: Implement support in the <code>RewriteValve</code> for |
| symbolic names to specify the redirect code to use when returning a |
| redirect response to the user agent. Patch provided by Michael Osipov. |
| (markt) |
| </fix> |
| <fix> |
| <bug>60413</bug>: In the <code>RewriteValve</code> write empty capture |
| groups as the empty string rather than as <code>"null"</code> |
| when generating the re-written URL. Based on a patch by Michael Osipov. |
| (markt) |
| </fix> |
| <update> |
| Update the warnings that reference required options for running on Java |
| 9 to use the latest syntax for those options. (markt) |
| </update> |
| <fix> |
| <bug>60513</bug>: Fix thread safety issue with RMI cleanup code. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that the endpoint is able to unlock the acceptor thread during |
| shutdown if the endpoint is configured to listen to any local address |
| of a specific type such as <code>0.0.0.0</code> or <code>::</code>. |
| (markt) |
| </fix> |
| <fix> |
| Prevent read time out when the file is deleted while serving the |
| response. The issue was observed only with APR Connector and |
| sendfile enabled. (violetagg) |
| </fix> |
| <fix> |
| Improve the logic that selects an address to use to unlock the Acceptor |
| to take account of platforms that do not listen on all local addresses |
| when configured with an address of <code>0.0.0.0</code> or |
| <code>::</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60409</bug>: When unable to complete sendfile request, ensure the |
| Processor will be added to the cache only once. (markt/violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60431</bug>: Improve handling of varargs in UEL expressions. Based |
| on a patch by Ben Wolfe. (markt) |
| </fix> |
| <fix> |
| <bug>60497</bug>: Restore previous tag reuse behavior following the use |
| of try/finally. (remm) |
| </fix> |
| <fix> |
| Improve the error handling for simple tags to ensure that the tag is |
| released and destroyed once used. (remm) |
| </fix> |
| <fix> |
| <bug>60497</bug>: Follow up fix using a better variable name for the |
| tag reuse flag. (remm) |
| </fix> |
| <fix> |
| Revert use of try/finally for simple tags. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct a typo in Host Configuration Reference. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| <bug>60344</bug>: Add a note to BUILDING.txt regarding using the source |
| bundle with the correct line endings. (markt) |
| </fix> |
| <fix> |
| <bug>60412</bug>: Add information on the comment syntax for the |
| <code>RewriteValve</code> configuration. (markt) |
| </fix> |
| <fix> |
| <bug>60467</bug>: Remove problematic characters from XML documentation. |
| Based upon a patch by Michael Osipov. (schultz) |
| </fix> |
| <add> |
| In the documentation web application, be explicit that clustering |
| requires a secure network for all of the cluster network traffic. |
| (markt) |
| </add> |
| <update> |
| Update the ASF logos to the new versions. |
| </update> |
| <fix> |
| <bug>60468</bug>: Correct the format of the sample ISO-8601 date used |
| to report the build date for the documentation. Patch provided by |
| Michael Osipov. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Reduce the warning logs for a message received from a different domain |
| in order to avoid excessive log outputs. (kfujino) |
| </fix> |
| <add> |
| Add a log message for when a PING message has been received beyond the |
| timeout period. (kfujino) |
| </add> |
| <fix> |
| When a PING message has been received beyond the time-out period, |
| make sure that the valid member is added to the map membership. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>60437</bug>: Avoid possible handshake overflows in the websocket |
| client. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <add> |
| <bug>58816</bug>: Implement statistics for jdbc-pool. The statistics |
| are <code>borrowedCount</code>, <code>returnedCount</code>, |
| <code>createdCount</code>, <code>releasedCount</code>, |
| <code>reconnectedCount</code>, <code>releasedIdleCount</code> and |
| <code>removeAbandonedCount</code>. (kfujino) |
| </add> |
| <fix> |
| <bug>60194</bug>: If <code>validationQuery</code> is not specified, |
| connection validation is done by calling the <code>isValid()</code> |
| method. (kfujino) |
| </fix> |
| <fix> |
| <bug>60398</bug>: Fix testcase of <code>TestSlowQueryReport</code>. |
| (kfujino) |
| </fix> |
| <add> |
| Enable resetting the statistics without restarting the pool. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>60366</bug>: Change <code>catalina.bat</code> to directly use the |
| <code>LOGGING_MANAGER</code> and <code>LOGGING_CONFIG</code> variables |
| in order to configure logging, instead of modifying |
| <code>JAVA_OPTS</code>. Patch provided by Petter Isberg. (violetagg) |
| </fix> |
| <add> |
| Add a new property <code>test.verbose</code> in order to control |
| whether the output of the tests is displayed on the console or not. |
| Patch provided by Emmanuel Bourg. (violetagg) |
| </add> |
| <update> |
| Update the ASF logos used in the Apache Tomcat installer for Windows to |
| use the new versions. |
| </update> |
| <fix> |
| Spelling corrections provided by Josh Soref. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.39 (violetagg)" rtext="2016-11-14"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| When creating a new Connector via JMX, ensure that both HTTP/1.1 and |
| AJP/1.3 connectors can be created. (markt) |
| </fix> |
| <fix> |
| Include the Context name in the log message when an item cannot be |
| added to the cache. (markt) |
| </fix> |
| <fix> |
| Exclude JAR files in <code>/WEB-INF/lib</code> from the static resource |
| cache. (markt) |
| </fix> |
| <fix> |
| When calling <code>getResourceAsStream()</code> on a directory, ensure |
| that <code>null</code> is returned. (markt) |
| </fix> |
| <fix> |
| <bug>60161</bug>: Allow creating subcategories of the container logger, |
| and use it for the rewrite valve. (remm) |
| </fix> |
| <fix> |
| Correctly test for control characters when reading the provided shutdown |
| password. (markt) |
| </fix> |
| <fix> |
| When configuring the JMX remote listener, specify the allowed types for |
| the credentials. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct the HTTP header parser so that DEL is not treated as a valid |
| token character. (markt) |
| </fix> |
| <fix> |
| <bug>60319</bug>: When using an Executor, disconnect it from the |
| Connector attributes <code>maxThreads</code>, |
| <code>minSpareThreads</code> and <code>threadPriority</code> to enable |
| the configuration settings to be consistently reported. These Connector |
| attributes will be reported as <code>-1</code> when an Executor is in |
| use. The values used by the executor may be set and obtained via the |
| Executor. (markt) |
| </fix> |
| <fix> |
| If an I/O error occurs during async processing on a non-container |
| thread, ensure that the <code>onError()</code> event is triggered. |
| (markt) |
| </fix> |
| <fix> |
| Improve detection of I/O errors during async processing on non-container |
| threads and trigger async error handling when they are detected. (markt) |
| </fix> |
| <add> |
| Add additional checks for valid characters to the HTTP request line |
| parsing so invalid request lines are rejected sooner. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct a typo in HTTP Connector How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| Fix default value of <code>validationInterval</code> attribute in |
| jdbc-pool. (kfujino) |
| </fix> |
| <fix> |
| Correct a typo in CGI How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| When the proxy node sends a backup retrieve message, ensure that |
| the <code>channelSendOptions</code> that has been set is used rather than the |
| default <code>channelSendOptions</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the ECJ compiler to version 4.5.1. (markt) |
| </update> |
| <fix> |
| Remove classes from tomcat-util-scan.jar that are duplicates of those in |
| tomcat-util.jar. (markt) |
| </fix> |
| <add> |
| Update the NSIS Installer used to build the Windows installer to version |
| 3.0. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.38 (markt)" rtext="2016-10-10"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>59961</bug>: Add an option to the <code>StandardJarScanner</code> |
| to control whether or not JAR Manifests are scanned for additional |
| class path entries. (markt) |
| </add> |
| <fix> |
| <bug>60013</bug>: Refactor the previous fix to align the behaviour of |
| the Rewrite Valve with mod_rewrite. As part of this, provide an |
| implementation for the <code>B</code> and <code>NE</code> flags and |
| improve the handling for the <code>QSA</code> flag. Includes multiple |
| test cases by Santhana Preethi and a patch by Tiago Oliveira. (markt) |
| </fix> |
| <fix> |
| <bug>60087</bug>: Refactor the web resources handling to use the Tomcat |
| specific <code>war:file:...</code> URL protocol to refer to WAR files |
| and their contents rather than the standard <code>jar:file:...</code> |
| form since some components of the JRE, such as JAR verification, give |
| unexpected results when the standard form is used. A side-effect of the |
| refactoring is that when using packed WARs, it is now possible to |
| reference a WAR and/or specific JARs within a WAR in the security policy |
| file used when running under a <code>SecurityManager</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60116</bug>: Fix a problem with the rewrite valve that caused back |
| references evaluated in conditions to be forced to lower case when using |
| the <code>NC</code> flag. (markt) |
| </fix> |
| <fix> |
| Ensure <code>Digester.useContextClassLoader</code> is considered in |
| case the class loader is used. (violetagg) |
| </fix> |
| <fix> |
| <bug>60117</bug>: Ensure that the name of <code>LogLevel</code> is |
| localized when using <code>OneLineFormatter</code>. Patch provided by |
| Tatsuya Bessho. (kfujino) |
| </fix> |
| <fix> |
| <bug>60146</bug>: Improve performance for resource retrieval by making |
| calls to WebResource.getInputStream() trigger caching if the resource is |
| small enough. Patch provided by mohitchugh. (markt) |
| </fix> |
| <add> |
| <bug>60151</bug>: Improve the exception error messages when a |
| <code>ResourceLink</code> fails to specify the type, specifies an |
| unknown type or specifies the wrong type. (markt) |
| </add> |
| <fix> |
| <bug>60167</bug>: Ignore empty lines in <code>/etc/passwd</code> files |
| when using the <code>PasswdUserDatabase</code>. (markt) |
| </fix> |
| <fix> |
| <bug>60170</bug>: Exclude the compressed test file |
| <code>index.html.br</code> from RAT analysis. Patch provided by Gavin |
| McDonald. (markt) |
| </fix> |
| <fix> |
| When starting web resources, ensure that class resources are only |
| started once. (markt) |
| </fix> |
| <fix> |
| Improve the access checks for linked global resources to handle the case |
| where the current class loader is a child of the web application class |
| loader. (markt) |
| </fix> |
| <fix> |
| <bug>60199</bug>: Log a warning if deserialization issues prevent a |
| session attribute from being loaded. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correctly handle a call to <code>AsyncContext.complete()</code> from a |
| non-container thread when non-blocking I/O is being used. (markt) |
| </fix> |
| <add> |
| Refactor the code that implements the requirement that a call to |
| <code>complete()</code> or <code>dispatch()</code> made from a |
| non-container thread before the container initiated thread that called |
| <code>startAsync()</code> completes must be delayed until the container |
| initiated thread has completed. Rather than implementing this by |
| blocking the non-container thread, extend the internal state machine to |
| track this. This removes the possibility that blocking the non-container |
| thread could trigger a deadlock. (markt) |
| </add> |
| <fix> |
| <bug>60123</bug>: Avoid potential threading issues that could cause |
| excessively large values to be returned for the processing time of |
| a current request. (markt) |
| </fix> |
| <fix> |
| <bug>60174</bug>: Log instances of <code>HeadersTooLargeException</code> |
| during request processing. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>60101</bug>: Remove preloading of the class that was deleted. |
| (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Expand the documentation for the nested elements within a |
| <code>Resources</code> element to clarify the behaviour of different |
| configuration options with respect to the order in which resources are |
| searched. (markt) |
| </add> |
| <add> |
| Add an example of using the <code>classesToInitialize</code> attribute |
| of the <code>JreMemoryLeakPreventionListener</code> to the documentation |
| web application. Based on a patch by Cris Berneburg. (markt) |
| </add> |
| <fix> |
| <bug>60192</bug>: Correct a typo in the status output of the Manager |
| application. Patch provided by Radhakrishna Pemmasani. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Notify JMX when returning the connection that has been marked suspect. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the <code>POOL_EMPTY</code> notification has been added to |
| the JMX notification types. (kfujino) |
| </fix> |
| <fix> |
| <bug>60099</bug>: Ensure that all method arguments are used as a cache key |
| when using <code>StatementCache</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>60139</bug>: Correct Javadocs for |
| <code>PoolConfiguration.getValidationInterval</code> and |
| <code>setValidationInterval</code>. Reported by Phillip Webb. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Update the download location for Objenesis. (violetagg) |
| </fix> |
| <fix> |
| <bug>60164</bug>: Replace <code>log4j-core*.jar</code> with |
| <code>log4j-web*.jar</code> since it is <code>log4j-web*.jar</code> that |
| contains the <code>ServletContainerInitializer</code>. (markt) |
| </fix> |
| <add> |
| Add documentation to the bin/catalina.bat script to remind users that |
| environment variables don't affect the configuration of Tomcat when |
| run as a Windows Service. Based upon a documentation patch by |
| James H.H. Lampert. (schultz) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.10 to |
| pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.37 (markt)" rtext="2016-09-05"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>57705</bug>: Add debug logging for requests denied by the remote |
| host and remote address valves and filters. Based on a patch by Graham |
| Leggett. (markt) |
| </fix> |
| <add> |
| <bug>59399</bug>: Add a new option to the Realm implementations that |
| ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS |
| redirects to be controlled per Realm. (markt) |
| </add> |
| <update> |
| Change the default of the |
| <code>sessionCookiePathUsesTrailingSlash</code> attribute of the |
| <code>Context</code> element to <code>false</code> since the problems |
| caused when a Servlet is mapped to <code>/*</code> are more significant |
| than the security risk of not enabling this option by default. (markt) |
| </update> |
| <fix> |
| Do not attempt to start web resources during a web application's |
| initialisation phase since the web application is not fully configured |
| at that point and the web resources may not be correctly configured. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59708</bug>: Modify the LockOutRealm logic. Valid authentication |
| attempts during the lock out period will no longer reset the lock out |
| timer to zero. (markt) |
| </fix> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| <bug>59813</bug>: Ensure that circular relations of the Class-Path |
| attribute from JAR manifests will be processed correctly. (violetagg) |
| </fix> |
| <fix> |
| Ensure that reading the <code>singleThreadModel</code> attribute of a |
| <code>StandardWrapper</code> via JMX does not trigger initialisation of |
| the associated servlet. With some frameworks this can trigger an |
| unexpected initialisation thread and if initialisation is not thread-safe |
| the initialisation can then fail. (markt) |
| </fix> |
| <fix> |
| Compatibility with rewrite from httpd for non existing headers. |
| (jfclere) |
| </fix> |
| <fix> |
| By default, treat paths used to obtain a request dispatcher as encoded. |
| This behaviour can be changed per web application via the |
| <code>dispatchersUseEncodedPaths</code> attribute of the Context. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59839</bug>: Apply <code>roleSearchAsUser</code> to all nested searches |
| in JNDIRealm. (fschumacher) |
| </fix> |
| <fix> |
| <bug>59859</bug>: Fix resource leak in WebDAV servlet. Based on patch by |
| Coty Sutherland. (fschumacher) |
| </fix> |
| <add> |
| Provide a mechanism that enables the container to check if a component |
| (typically a web application) has been granted a given permission when |
| running under a SecurityManager without the current execution stack |
| having to have passed through the component. Use this new mechanism to |
| extend SecurityManager protection to the system property replacement |
| feature of the digester. (markt) |
| </add> |
| <add> |
| When retrieving an object via a <code>ResourceLink</code>, ensure that |
| the object obtained is of the expected type. (markt) |
| </add> |
| <fix> |
| <bug>59824</bug>: Mark the <code>RewriteValve</code> as supporting async |
| processing by default. (markt) |
| </fix> |
| <fix> |
| <bug>59862</bug>: Allow nested jar files scanning to be filtered with |
| the system property |
| <code>tomcat.util.scan.StandardJarScanFilter.jarsToSkip</code>. Patch |
| is provided by Terence Bandoian. (violetagg) |
| </fix> |
| <fix> |
| <bug>59866</bug>: When scanning <code>WEB-INF/classes</code> for |
| annotations, don't scan the contents of |
| <code>WEB-INF/classes/META-INF</code> (if present) since classes will |
| never be loaded from that location. (markt) |
| </fix> |
| <fix> |
| <bug>59888</bug>: Correctly handle tabs and spaces in quoted version one |
| cookies when using the <code>Rfc6265CookieProcessor</code>. (markt) |
| </fix> |
| <fix> |
| <bug>59912</bug>: Fix an edge case in input stream handling where an |
| <code>IOException</code> could be thrown when reading a POST body. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59960</bug>: Fix Javadoc so it builds with Java 8. Patch by Coty |
| Sutherland. (markt) |
| </fix> |
| <fix> |
| <bug>59966</bug>: Do not start the web application if the error page |
| configuration in web.xml is invalid. (markt) |
| </fix> |
| <fix> |
| Switch the CGI servlet to the standard logging mechanism and remove |
| support for the debug attribute. (markt) |
| </fix> |
| <fix> |
| Changes to the <code>allowLinking</code> attribute of a |
| <code>StandardRoot</code> instance now invalidate the cache if caching |
| is enabled. (markt) |
| </fix> |
| <add> |
| Add a new initialisation parameter, <code>envHttpHeaders</code>, to |
| the CGI Servlet to mitigate <a href="https://httpoxy.org">httpoxy</a> |
| (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388" |
| >CVE-2016-5388</a>) by default and to provide a mechanism that can be |
| used to mitigate any future, similar issues. (markt) |
| </add> |
| <add> |
| When adding and removing <code>ResourceLink</code>s dynamically, ensure |
| that the global resource is only visible via the |
| <code>ResourceLinkFactory</code> when it is meant to be. (markt) |
| </add> |
| <fix> |
| <bug>60008</bug>: When processing CORS requests, treat any origin with a |
| URI scheme of <code>file</code> as a valid origin. (markt) |
| </fix> |
| <fix> |
| Improve handling of exceptions during Lifecycle events triggered by a |
| state transition. The exception is now caught and the component is now |
| placed into the <code>FAILED</code> state. (markt) |
| </fix> |
| <fix> |
| <bug>60013</bug>: Fix encoding issues when using the RewriteValve with |
| UTF-8 query strings or UTF-8 redirect URLs. (markt) |
| </fix> |
| <fix> |
| <bug>60022</bug>: Improve handling when a WAR file and/or the associated |
| exploded directory are symlinked into the <code>appBase</code>. (markt) |
| </fix> |
| <fix> |
| Fix a file descriptor leak when reading the global web.xml. (markt) |
| </fix> |
| <fix> |
| Consistently decode URL patterns provided via web.xml using the encoding |
| of the web.xml file where specified or UTF-8 where no explicit encoding |
| is specified. (markt) |
| </fix> |
| <fix> |
| Make timing attacks against the Realm implementations harder. (schultz) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| Extend synchronization for NIO2 writes to avoid |
| <code>ConcurrentModificationException</code> observed during testing. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59904</bug>: Add a limit (default 200) for the number of cookies |
| allowed per request. Based on a patch by gehui. (markt) |
| </fix> |
| <fix> |
| <bug>59925</bug>: Correct regression in r1628368 and ensure that HTTP |
| separators are handled as configured in the |
| <code>LegacyCookieProcessor</code>. Patch provided by Kyohei Nakamura. |
| (markt) |
| </fix> |
| <fix> |
| OpenSSL now disables 3DES by default so reflect this when using OpenSSL |
| syntax to select ciphers. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| Improve the error handling for custom tags to ensure that the tag is |
| returned to the pool or released and destroyed once used. (markt) |
| </fix> |
| <fix> |
| <bug>60032</bug>: Fix handling of method calls that use varargs within |
| EL value expressions. (markt) |
| </fix> |
| <fix> |
| Ignore <code>engineOptionsClass</code> and <code>scratchdir</code> when |
| running under a security manager. (markt) |
| </fix> |
| <fix> |
| Fixed StringIndexOutOfBoundsException. Based on a patch provided by |
| wuwen via GitHub. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Improve error handling around user code prior to calling |
| <code>InstanceManager.destroy()</code> to ensure that the method is |
| executed. (markt) |
| </fix> |
| <fix> |
| <bug>59908</bug>: Ensure that a reason phrase is included in the close |
| message if a session is closed due to a timeout. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| Do not log an additional case of <code>IOException</code>s in the |
| error handler for the Drawboard WebSocket example when the root cause is |
| the client disconnecting since the logs add no value. (markt) |
| </fix> |
| <fix> |
| <bug>59642</bug>: Mention the <code>localDataSource</code> in the |
| <code>DataSourceRealm</code> section of the Realm How-To. (markt) |
| </fix> |
| <fix> |
| Follow-up to the fix for <bug>59399</bug>. Ensure that the new attribute |
| <code>transportGuaranteeRedirectStatus</code> is documented for all |
| <strong>Realm</strong>s. Also document the <code>NullRealm</code> and |
| when it is automatically created for an <strong>Engine</strong>. (markt) |
| </fix> |
| <fix> |
| Fix the description of <code>maxAge</code> attribute in jdbc-pool doc. |
| This attribute works both when a connection is returned and when a |
| connection is borrowed. (kfujino) |
| </fix> |
| <fix> |
| <bug>59774</bug>: Correct the <code>prefix</code> values in the |
| documented examples for configuring the <code>AccessLogValve</code>. |
| Patch provided by Mike Noordermeer. (markt) |
| </fix> |
| <fix> |
| <bug>59868</bug>: Clarify the documentation for the Manager web |
| application to make clearer that the host name and IP address in the |
| server section are the primary host name and IP address. (markt) |
| </fix> |
| <fix> |
| MBeans Descriptors How-To is moved to |
| <code>mbeans-descriptors-howto.html</code>. Patch provided by Radoslav |
| Husar. (violetagg) |
| </fix> |
| <fix> |
| Update NIO Connector configuration documentation with information |
| about <code>socket.directSslBuffer</code>. (violetagg) |
| </fix> |
| <fix> |
| <bug>60034</bug>: Correct a typo in the Manager How-To page of the |
| documentation web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add log message when the ping has timed out. (kfujino) |
| </add> |
| <fix> |
| If the ping message has been received at the |
| <code>AbstractReplicatedMap#leftOver</code> method, ensure that |
| notification is given that the member is alive rather than ignoring it. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix the duplicated connection release when connection verification |
| failed. (kfujino) |
| </fix> |
| <fix> |
| Ensure that an abandoned connection that has already been released is |
| not removed. (kfujino) |
| </fix> |
| <fix> |
| In order to avoid the unintended skip of <code>PoolCleaner</code>, |
| remove the check code of the execution interval in the task that has |
| been scheduled. (kfujino) |
| </fix> |
| <fix> |
| <bug>59850</bug>: Ensure that the <code>ResultSet</code> is closed when |
| enabling the <code>StatementCache</code> interceptor. (kfujino) |
| </fix> |
| <fix> |
| <bug>59923</bug>: Reduce the default value of |
| <code>validationInterval</code> in order to avoid the potential issue |
| that continues to return an invalid connection after database restart. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the <code>ResultSet</code> is returned as Proxy object when |
| enabling the <code>StatementDecoratorInterceptor</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>60043</bug>: Ensure that the <code>suspectTimeout</code> works |
| without removing connection when the <code>removeAbandoned</code> is |
| disabled. (kfujino) |
| </fix> |
| <fix> |
| Add a log message for when a connection that has been marked suspect is |
| returned. (kfujino) |
| </fix> |
| <fix> |
| Correct Javadoc for <code>ConnectionPool.suspect()</code>. Based on a |
| patch by Yahya Cahyadi. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| <bug>59276</bug>: Update optional Checkstyle library to 6.17. (kkolinko) |
| </update> |
| <add> |
| Use the mirror network rather than the ASF master site to download the |
| current ASF dependencies. (markt) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.8 to |
| pick up the latest fixes and make 1.2.8 the minimum recommended version. |
| (markt) |
| </update> |
| <fix> |
| <bug>59899</bug>: Update Tomcat's copy of the Java Persistence |
| annotations to include the changes made in 2.1 / JavaEE 7. (markt) |
| </fix> |
| <fix> |
| Fixed typos in mbeans-descriptors.xml files. (violetagg) |
| </fix> |
| <update> |
| Update the internal fork of Commons BCEL to r1757132 to align with the |
| BCEL 6 release. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons DBCP2 to r1757164 to pick up a |
| couple of bug fixes. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Codec to r1757174. Code formatting |
| changes only. (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons FileUpload to afdedc9. This pulls in |
| a fix to improve the performance with large multipart boundaries. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.36 (markt)" rtext="2016-06-13"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| RMI Target related memory leaks are avoidable which makes them an |
| application bug that needs to be fixed rather than a JRE bug to work |
| around. Therefore, start logging RMI Target related memory leaks on web |
| application stop. Add an option that controls if the check for these |
| leaks is made. Log a warning if running on Java 9 with this check |
| enabled but without the command line option it requires. (markt) |
| </fix> |
| <fix> |
| Ensure NPE will not be thrown during deployment when scanning jar files |
| without MANIFEST.MF file. (violetagg) |
| </fix> |
| <fix> |
| <bug>59604</bug>: Correct the assumption made in the URL decoding that |
| the default platform encoding is always compatible with ISO-8859-1. This |
| assumption is not always valid, e.g. on z/OS. (markt) |
| </fix> |
| <fix> |
| <bug>59608</bug>: Skip over any invalid <code>Class-Path</code> attribute |
| from JAR manifests. Log errors at debug level due to many bad libraries. |
| (remm) |
| </fix> |
| <fix> |
| Fix error message when failing to register MBean. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Ensure that requests with HTTP method names that are not tokens (as |
| required by RFC 7231) are rejected with a 400 response. (markt) |
| </fix> |
| <fix> |
| When an asynchronous request is processed by the AJP connector, ensure |
| that request processing has fully completed before starting the next |
| request. (markt) |
| </fix> |
| <fix> |
| If an async dispatch results in the completion of request processing, |
| ensure that any remaining request body is swallowed before starting the |
| processing of the next request else the remaining body may be read as the |
| start of the next request leading to a 400 response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>59567</bug>: Fix NPE scanning webapps for TLDs when an exploded |
| JAR has an empty WEB-INF/classes/META-INF folder. (remm) |
| </fix> |
| <fix> |
| Fix a memory leak in the expression language implementation that caused |
| the class loader of the first web application to use expressions to be |
| pinned in memory. (markt) |
| </fix> |
| <fix> |
| <bug>59640</bug>: NPEs with not found TLDs. (remm) |
| </fix> |
| <fix> |
| <bug>59654</bug>: Improve error message when attempting to use a TLD |
| file from an invalid location. Patch provided by Huxing Zhang. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>58891</bug>: Update the SSL how-to. Based on a suggestion by |
| Alexander Kjäll. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix a memory leak with the pool cleaner thread that retained a reference |
| to the web application class loader for the first web application to use |
| a connection pool. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus |
| additional fixes). (markt) |
| </update> |
| <update> |
| Update the optional code coverage tool Cobertura to 2.1.1 so it is easier |
| to compare the change in lines of code between 8.0.x and 9.0.x. (markt) |
| </update> |
| <fix> |
| <bug>58626</bug>: Add support for a new environment variable |
| (<code>USE_NOHUP</code>) that causes <code>nohup</code> to be used when |
| starting Tomcat. It is disabled by default except on HP-UX where it is |
| enabled by default since it is required when starting Tomcat at boot on |
| HP-UX. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.35 (markt)" rtext="2016-05-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Ensure that annotated web components packed in web fragments will be |
| processed when <code>unpackWARs</code> is enabled. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.34 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>59206</bug>: Ensure NPE will not be thrown by |
| <code>o.a.tomcat.util.file.ConfigFileLoader</code> when |
| <code>catalina.base</code> is not specified. (violetagg) |
| </fix> |
| <fix> |
| <bug>59217</bug>: Remove duplication in the recycling of the path in |
| <code>o.a.tomcat.util.http.ServerCookie</code>. Patch is provided by |
| Kyohei Nakamura. (violetagg) |
| </fix> |
| <fix> |
| <bug>59213</bug>: Async dispatches should be based off a wrapped |
| request. (remm) |
| </fix> |
| <fix> |
| Ensure that <code>javax.servlet.ServletRequest</code> and |
| <code>javax.servlet.ServletResponse</code> provided during |
| <code>javax.servlet.AsyncListener</code> registration are made |
| available via <code>javax.servlet.AsyncEvent.getSuppliedRequest</code> |
| and <code>javax.servlet.AsyncEvent.getSuppliedResponse</code> |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>59219</bug>: Ensure <code>AsyncListener.onError()</code> is called |
| if an <code>Exception</code> is thrown during async processing. (markt) |
| </fix> |
| <fix> |
| <bug>59220</bug>: Ensure that <code>AsyncListener.onComplete()</code> is |
| called if the async request times out and the response is already |
| committed. (markt) |
| </fix> |
| <fix> |
| <bug>59226</bug>: Process the <code>Class-Path</code> attribute from |
| JAR manifests for JARs on the class path excluding JARs packaged in |
| <code>WEB-INF/lib</code>. (markt) |
| </fix> |
| <fix> |
| <bug>59255</bug>: Fix possible NPE in mapper. (kkolinko/remm) |
| </fix> |
| <fix> |
| <bug>59256</bug>: <code>slf4j-taglib*.jar</code> should not be excluded |
| from the standard JAR scanning by default. (violetagg) |
| </fix> |
| <fix> |
| Clarify in the log message that specifying both urlPatterns and value |
| attributes in WebServlet and WebFilter annotations is not allowed. |
| (violetagg) |
| </fix> |
| <fix> |
| Ensure the exceptions caused by Valves will be available in the log |
| files so that they can be evaluated when |
| <code>o.a.catalina.valves.ErrorReportValve.showReport</code> is |
| disabled. Patch is provided by Svetlin Zarev. (violetagg) |
| </fix> |
| <fix> |
| Fix handling of Cluster Receiver in StoreConfig. The <code>bind</code> |
| and <code>host</code> attributes are defined as |
| <code>TransientAttribute</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>59261</bug>: <code>ServletRequest.getAsyncContext()</code> now |
| throws an <code>IllegalStateException</code> as required by the Servlet |
| specification if the request is not in asynchronous mode when called. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59269</bug>: Correct the implementation of |
| <code>PersistentManagerBase</code> so that <code>minIdleSwap</code> |
| functions as designed and sessions are swapped out to keep the active |
| session count below <code>maxActiveSessions</code>. (markt) |
| </fix> |
| <fix> |
| <bug>59247</bug>: Preload ResourceEntry as a workaround for security |
| manager issues on some JVMs. (kkolinko/remm) |
| </fix> |
| <fix> |
| Correctly configure the base path for a resources directory provided by |
| an expanded JAR file. Patch provided by hengyunabc. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>/WEB-INF/classes</code> is never processed as a web |
| fragment. (markt) |
| </fix> |
| <fix> |
| <bug>59310</bug>: Do not add a <code>Content-Length: 0</code> header for |
| custom responses to <code>HEAD</code> requests that do not set a |
| <code>Content-Length</code> value. (markt) |
| </fix> |
| <add> |
| Make a web application's CredentialHandler available through a context |
| attribute. This allows a web application to use the same algorithm |
| for validating or generating new stored credentials from cleartext |
| ones. (schultz) |
| </add> |
| <fix> |
| When normalizing paths, improve the handling when paths end with |
| <code>/.</code> or <code>/..</code> and ensure that input and output are |
| consistent with respect to whether or not they end with <code>/</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59317</bug>: Ensure that |
| <code>HttpServletRequest.getRequestURI()</code> returns an encoded URI |
| rather than a decoded URI after a dispatch. (markt) |
| </fix> |
| <fix> |
| Use the correct URL for the fragment when reporting errors processing |
| a <code>web-fragment.xml</code> file from a JAR located in an unpacked |
| WAR. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>JarScanner</code> only uses the explicit call-back to |
| process <code>WEB-INF/classes</code> and only when configured to treat |
| the contents of <code>WEB-INF/classes</code> as a possible exploded JAR. |
| (markt) |
| </fix> |
| <scode> |
| Remove the <code>java2DDisposerProtection</code> option from the |
| <code>JreMemoryLeakPreventionListener</code>. The leak is fixed in Java |
| 7 onwards and Tomcat 8 requires Java 7 so the option is unnecessary. |
| (markt) |
| </scode> |
| <fix> |
| Ensure that the value for the header <code>X-Frame-Options</code> is |
| constructed correctly according to the specification when |
| <code>ALLOW-FROM</code> option is used. (violetagg) |
| </fix> |
| <fix> |
| <bug>59449</bug>: In <code>ContainerBase</code>, ensure that the process |
| to remove a child container is the reverse of the process to add one. |
| Patch provided by Huxing Zhang. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When running on Java 7, exclude DHE ciphers from the default cipher list |
| for JSSE connectors since they use weak 768 bit DH keys and cannot be |
| configured to use more secure keys. (markt) |
| </fix> |
| <add> |
| Add a new environment variable <code>JSSE_OPTS</code> that is intended |
| to be used to pass JVM wide configuration to the JSSE implementation. |
| The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code> |
| which protects against weak Diffie-Hellman keys with Java 8. (markt) |
| </add> |
| <update> |
| Exclude ciphers that use RSA keys from the default cipher list since |
| they do not support forward secrecy. (markt) |
| </update> |
| <fix> |
| <bug>58970</bug>: Fix a connection counting bug in the NIO connector |
| that meant some dropped connections were not removed from the current |
| connection count. (markt) |
| </fix> |
| <fix> |
| <bug>59289</bug>: Do not recycle upgrade processors in unexpected close |
| situations. (remm) |
| </fix> |
| <fix> |
| <bug>59295</bug>: Use <code>Locale.toLanguageTag()</code> to construct |
| the <code>Content-Language</code> HTTP header to ensure the locale is |
| correctly represented. Patch provided by zikfat. (markt) |
| </fix> |
| <fix> |
| <bug>59451</bug>: Correct Javadoc for <code>MessageBytes</code>. Patch |
| provided by Kyohei Nakamura. (markt) |
| </fix> |
| <fix> |
| <bug>59450</bug>: Correctly handle the case where the |
| <code>LegacyCookieProcessor</code> is configured with |
| <code>allowHttpSepsInV0</code> set to <code>false</code> and |
| <code>forwardSlashIsSeparator</code> set to <code>true</code>. Patch |
| provided by Kyohei Nakamura. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| When scanning JARs for TLDs, correctly handle the (rare) case where a |
| JAR has been exploded into <code>WEB-INF/classes</code> and the web |
| application is deployed as a packed WAR. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Ensure that a client disconnection triggers the error handling for the |
| associated WebSocket end point. (markt) |
| </fix> |
| <add> |
| Make WebSocket client more robust when handling errors during the close |
| of a WebSocket session. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Update the link in the documentation to the Maven repository where |
| Tomcat snapshot artifacts are deployed. (markt/violetagg) |
| </fix> |
| <fix> |
| Clarify in the documentation that calls to |
| <code>ServletContext.log(String, Throwable)</code> or |
| <code>GenericServlet.log(String, Throwable)</code> are logged at the |
| SEVERE level. (violetagg) |
| </fix> |
| <fix> |
| Correct a typo in SSL/TLS Configuration How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Avoid NPE when a proxy node failed to retrieve a backup entry. (kfujino) |
| </fix> |
| <add> |
| Add a log message for when an unexpected message is received. (kfujino) |
| </add> |
| <add> |
| Add the flag indicating that member is a localMember. (kfujino) |
| </add> |
| <fix> |
| Fix potential NPE that depends on the setting order of attributes of |
| static member when using the static cluster. (kfujino) |
| </fix> |
| <add> |
| Add get/set method for the channel that is related to |
| <code>ChannelInterceptorBase</code>. (kfujino) |
| </add> |
| <fix> |
| As with the multicast cluster environment, in the static cluster |
| environment, the local member inherits properties from the cluster |
| receiver. (kfujino) |
| </fix> |
| <add> |
| Add get/set method for the channel that is related to each Channel |
| services. (kfujino) |
| </add> |
| <add> |
| Add name to channel in order to identify channels. In a Tomcat cluster |
| environment, the default value is the cluster name + "-Channel". |
| (kfujino) |
| </add> |
| <add> |
| Add the channel name to the thread which is invoked by channel services |
| in order to identify the associated channel. (kfujino) |
| </add> |
| <fix> |
| Ensure that the channel instance is cleared from channel services when |
| stopping the channel. (kfujino) |
| </fix> |
| <add> |
| Implement map state in the replication map. (kfujino) |
| </add> |
| <fix> |
| Ensure that the ping is not executed during the start/stop of the |
| replication map. (kfujino) |
| </fix> |
| <fix> |
| In ping processing in the replication map, send not the |
| <code>INIT</code> message but the newly introduced <code>PING</code> |
| message. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>59211</bug>: Add hamcrest to Eclipse classpath. Patch is provided |
| by Huxing Zhang. (violetagg) |
| </fix> |
| <update> |
| <bug>59280</bug>: Update the NSIS Installer used to build the |
| Windows Installers to version 2.51. (kkolinko) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.7 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2h and APR |
| 1.5.2. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.33 (markt)" rtext="2016-03-24"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct a regression in the fix for <bug>58867</bug>. When configuring a |
| Context to use an external directory for the <code>docBase</code>, and |
| that directory happens to be located alongside the original WAR, use |
| the directory as the <code>docBase</code> rather than expanding the |
| WAR into the <code>appBase</code> and using the newly created expanded |
| directory as the <code>docBase</code>. (markt) |
| </fix> |
| <add> |
| <bug>58351</bug>: Make the server build date and server version number |
| accessible via JMX. Patch provided by Huxing Zhang. (markt) |
| </add> |
| <add> |
| <bug>58988</bug>: Special characters in the substitutions for the RewriteValve |
| can now be quoted with a backslash. (fschumacher) |
| </add> |
| <fix> |
| <bug>58999</bug>: Fix class and resource name filtering in WebappClassLoader. |
| It throws a StringIndexOutOfBoundsException if the name is exactly |
| "org" or "javax". (rjung) |
| </fix> |
| <scode> |
| Remove unnecessary code. There is no support for context level cluster. |
| (kfujino) |
| </scode> |
| <add> |
| Make checking for var and map replacement in RewriteValve a bit stricter and |
| correct detection of colon in var replacement. (fschumacher) |
| </add> |
| <fix> |
| Fix the type of <code>InstanceManager</code> attribute of mbean |
| definition of <code>StandardContext</code>. (kfujino) |
| </fix> |
| <fix> |
| Refactor the web application class loader to reduce the impact of JAR |
| scanning on the memory footprint of the web application. (markt) |
| </fix> |
| <fix> |
| Fix some resource leaks in the error handling for accessing files from |
| JARs and WARs. (markt) |
| </fix> |
| <fix> |
| Refactor the JAR and JAR-in-WAR resource handling to reduce the memory |
| footprint of the web application. (markt) |
| </fix> |
| <fix> |
| <bug>57809</bug>: Deprecate the custom context attribute |
| <code>org.apache.tomcat.util.scan.MergedWebXml</code> which will be |
| removed in Tomcat 9. (markt) |
| </fix> |
| <fix> |
| <bug>59001</bug>: Correctly handle the case when Tomcat is installed on |
| a path where one of the segments ends in an exclamation mark. (markt) |
| </fix> |
| <fix> |
| Expand the fix for <bug>59001</bug> to cover the special sequences used |
| in Tomcat's custom jar:war: URLs. (markt) |
| </fix> |
| <fix> |
| <bug>59043</bug>: Avoid warning while expiring sessions associated with |
| a single sign on if <code>HttpServletRequest.logout()</code> is used. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59054</bug>: Ensure that using the |
| <code>CrawlerSessionManagerValve</code> in a distributed environment |
| does not trigger an error when the Valve registers itself in the |
| session. (markt) |
| </fix> |
| <fix> |
| Storeconfig handling of alternate cookie processors. (markt/remm) |
| </fix> |
| <fix> |
| Storeconfig handling for socket properties. (remm) |
| </fix> |
| <add> |
| Log a warning message if a user tries to configure the default session |
| timeout via the deprecated (and ignored) |
| <code>Manager.setMaxInactiveInterval()</code> method. (markt) |
| </add> |
| <fix> |
| Fix incorrect parsing of the NE and NC flags in rewrite rules. (remm) |
| </fix> |
| <fix> |
| <bug>59065</bug>: Correct the timing of the check for colons in paths |
| on non-Windows systems implemented in <code>catalina.sh</code> so it |
| works correctly with Cygwin. Patch provided by Ed Randall. (markt) |
| </fix> |
| <fix> |
| When a Host is configured with an appBase that does not exist, create |
| the appBase before trying to expand an external WAR file into it. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59115</bug>: When using the Servlet 3.0 file upload, the submitted |
| file name may be provided as a token or a quoted-string. If a |
| quoted-string, unquote the string before returning it to the user. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59123</bug>: Close <code>NamingEnumeration</code> objects used by |
| the <code>JNDIRealm</code> once they are no longer required. |
| (fschumacher/markt) |
| </fix> |
| <fix> |
| <bug>59138</bug>: Correct a false positive warning for ThreadLocal |
| related memory leaks when the key class but not the value class has been |
| loaded by the web application class loader. (markt) |
| </fix> |
| <fix> |
| <bug>59145</bug>: Don't log an invalid warning when a user logs out of |
| a session associated with SSO. (markt) |
| </fix> |
| <fix> |
| <bug>59151</bug>: Fix a regression in the fix for <bug>56917</bug> that |
| added additional (and arguably unnecessary) validation to the provided |
| redirect location. (markt) |
| </fix> |
| <fix> |
| <bug>59154</bug>: Fix a <code>NullPointerException</code> in the |
| <code>JAASMemoryLoginModule</code> resulting from the introduction of the |
| <code>CredentialHandler</code> to <code>Realm</code>s. (schultz/markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>58646</bug>: Correct a problem with sendfile that resulted in a |
| Processor being added to the cache twice leading to broken responses. |
| (markt) |
| </fix> |
| <fix> |
| <bug>59015</bug>: Fix potential cause of endless APR Poller loop during |
| shutdown if the Poller experiences an error during the shutdown process. |
| (markt) |
| </fix> |
| <fix> |
| Align cipher aliases for <code>kECDHE</code> and <code>ECDHE</code> with |
| the current OpenSSL implementation. (markt) |
| </fix> |
| <fix> |
| <bug>59081</bug>: Retain the user defined cipher order when defining |
| ciphers using the OpenSSL format. (markt) |
| </fix> |
| <fix> |
| <bug>59089</bug>: Correctly ignore HTTP headers that include non-token |
| characters in the header name. (markt) |
| </fix> |
| <add> |
| Add support for additional OpenSSL cipher aliases from OpenSSL master |
| when specifying ciphers using the OpenSSL syntax. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57583</bug>: Improve the performance of |
| <code>javax.servlet.jsp.el.ScopedAttributeELResolver</code> when |
| resolving attributes that do not exist. This improvement only works when |
| Jasper is used with Tomcat's EL implementation. (markt) |
| </fix> |
| <update> |
| <bug>58111</bug>: Update to the Eclipse JDT Compiler 4.5. (markt) |
| </update> |
| <add> |
| Add Java 9 support for JSPs. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>59014</bug>: Ensure that a WebSocket close message can be sent |
| after a close message has been received. (markt) |
| </fix> |
| <fix> |
| Correctly handle compression of partial messages when the final message |
| fragment has a zero length payload. (markt) |
| </fix> |
| <fix> |
| <bug>59119</bug>: Correct read logic for WebSocket client when using |
| secure connections. (markt) |
| </fix> |
| <fix> |
| <bug>59134</bug>: Correct client connect logic for secure connections |
| made through a proxy. (markt) |
| </fix> |
| <fix> |
| <bug>59189</bug>: Explicitly release the native memory held by the |
| <code>Inflater</code> and <code>Deflater</code> when using |
| PerMessageDeflate and the WebSocket session ends. Based on a patch by |
| Henrik Olsson. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct an error in the documentation of the expected behaviour for |
| automatic deployment. If a WAR is updated and an expanded directory is |
| present, the directory will always be deleted and recreated by expanding |
| the WAR if <code>unpackWARs</code> is <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58935</bug>: Remove incorrect references in the documentation to |
| using <code>jar:file:</code> URLs with the Manager application. (markt) |
| </fix> |
| <fix> |
| Correct the description of the |
| <code>ServletRequest.getServerPort()</code> in Proxy How-To. |
| Issue reported via comments.apache.org. (violetagg) |
| </fix> |
| <fix> |
| Fix a potential indefinite wait in the Comet Chat servlet in the |
| examples web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| If promoting a proxy node to a primary node when getting a session, |
| notify the change of the new primary node to the original backup node. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>58283</bug>: Change the default download location for libraries |
| during the build process from <code>/usr/share/java</code> to |
| <code>${user.home}/temp</code>. Patch provided by Ahmed Hosni. (markt) |
| </fix> |
| <fix> |
| <bug>59031</bug>: When using the Windows uninstaller, do not remove the |
| contents of any directories that have been symlinked into the Tomcat |
| directory structure. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.5 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2g and APR |
| 1.5.1. (markt) |
| </update> |
| <update> |
| Modify the default <code>tomcat-users.xml</code> file to make it harder |
| for users to configure the entries intended for use with the examples |
| web application for the Manager application. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.32 (markt)" rtext="2016-02-08"> |
| <subsection name="General"> |
| <changelog> |
| <add> |
| Allow to configure multiple JUnit test class patterns with the build |
| property <code>test.name</code> and document the property in |
| BUILDING.txt. (rjung) |
| </add> |
| <fix> |
| <bug>58768</bug>: Log a warning if a redirect fails because of an |
| invalid location. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Fix class loader decision on the delegation for class loading and |
| resource lookup and make it faster too. (rjung) |
| </fix> |
| <fix> |
| <bug>58946</bug>: Ensure that the request parameter map remains |
| immutable when processing via a RequestDispatcher. (markt) |
| </fix> |
| <fix> |
| <bug>58827</bug>: Deprecate what is left of the JSR 77 implementation. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58905</bug>: Ensure that <code>Tomcat.silence()</code> silences the |
| correct logger and respects the current setting. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| New configuration option <code>ajpFlush</code> for the AJP connectors |
| to disable the sending of AJP flush packets. (rjung) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Correct a regression in the session attribute filtering that prevented |
| clustering from starting in the default configuration. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Fix a timing issue on session close that could result in an exception |
| being thrown for an incomplete message even though the message was |
| completed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.31 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct implementation of |
| <code>validateClientProvidedNewSessionId</code> so client provided |
| session IDs may be rejected if validation is enabled. (markt) |
| </fix> |
| <fix> |
| Add path parameter handling to |
| <code>HttpServletRequest.getContextPath()</code>. This is a follow-up to |
| the fix for <bug>57215</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>58692</bug>: Make <code>StandardJarScanner</code> more robust. Log |
| a warning if a class path entry cannot be scanned rather than triggering |
| the failure of the web application. Includes a test case written by |
| Derek Abdine. (markt) |
| </fix> |
| <fix> |
| <bug>58701</bug>: Reset the <code>instanceInitialized</code> field in |
| <code>StandardWrapper</code> when unloading a Servlet so that a new |
| instance may be correctly initialized. (markt) |
| </fix> |
| <fix> |
| <bug>58702</bug>: Ensure an access log entry is generated if the client |
| aborts the connection. (markt) |
| </fix> |
| <fix> |
| Fixed various issues reported by Findbugs. (violetagg) |
| </fix> |
| <fix> |
| <bug>58735</bug>: Add support for the <code>X-XSS-Protection</code> |
| header to the <code>HttpHeaderSecurityFilter</code>. Patch provided by |
| Jacopo Cappellato. (markt) |
| </fix> |
| <fix> |
| <bug>58751</bug>: Correctly handle the case where an |
| <code>AsyncListener</code> dispatches to a Servlet on an asynchronous |
| timeout and the Servlet uses <code>sendError()</code> to trigger an |
| error page. Includes a test case based on code provided by Andy |
| Wilkinson. (markt) |
| </fix> |
| <fix> |
| <bug>58765</bug>: Change default for |
| <code>mapperContextRootRedirectEnabled</code> to <code>true</code> since |
| this is required for correct session management because of the default |
| for <code>sessionCookiePathUsesTrailingSlash</code>. (markt) |
| </fix> |
| <fix> |
| Add the <code>StatusManagerServlet</code> to the list of Servlets that |
| can only be loaded by privileged applications. (markt) |
| </fix> |
| <fix> |
| Simplify code and fix messages in |
| <code>org.apache.catalina.core.DefaultInstanceManager</code> class. |
| (kkolinko) |
| </fix> |
| <scode> |
| Deprecate InstanceListener, InstanceEvent and InstanceSupport prior to |
| removal in 9.0.x. (markt) |
| </scode> |
| <fix> |
| Ensure that the proper file encoding, if specified, will be used when |
| a readme file is served by DefaultServlet. (violetagg) |
| </fix> |
| <fix> |
| Fix declaration of <code>localPort</code> attribute of Connector MBean: |
| it is read-only. (kkolinko) |
| </fix> |
| <fix> |
| <bug>58766</bug>: Make skipping non-class files during annotation |
| scanning faster by checking the file name first. Improve debug logging. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>58809</bug>: Correctly recycle cookies when mapping requests for |
| parallel deployment. As a side-effect of this fix, the system property |
| <code>org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER</code> |
| is no longer used. From this release, Tomcat will always preserve the |
| cookie header. (markt) |
| </fix> |
| <fix> |
| <bug>58836</bug>: Correctly merge query string parameters when |
| processing a forwarded request where the target includes a query string |
| that contains a parameter with no value. (markt/kkolinko) |
| </fix> |
| <fix> |
| Make sure that shared Digester is reset in an unlikely error case |
| in <code>HostConfig.deployWAR()</code>. (kkolinko) |
| </fix> |
| <fix> |
| <bug>58867</bug>: Improve checking on Host start for WAR files that have |
| been modified while Tomcat has stopped and re-expand them if |
| <code>unpackWARs</code> is <code>true</code>. (markt) |
| </fix> |
| <fix> |
| Fix a potential JDBC resource leak in DataSourceRealm. (schultz) |
| </fix> |
| <fix> |
| <bug>58900</bug>: Correctly undeploy symlinked resources and prevent an |
| infinite cycle of deploy / undeploy. (markt) |
| </fix> |
| <fix> |
| Protect initialization of <code>ResourceLinkFactory</code> when |
| running with a SecurityManager. (kkolinko) |
| </fix> |
| <add> |
| Extend the feature available in the cluster session manager |
| implementations that enables session attribute replication to be |
| filtered based on attribute name to all session manager implementations. |
| Note that the configuration attribute name has changed from |
| <code>sessionAttributeFilter</code> to |
| <code>sessionAttributeNameFilter</code>. Apply the filter on load as |
| well as unload to ensure that configuration changes made while the web |
| application is stopped are applied to any persisted data. (markt) |
| </add> |
| <add> |
| Extend the session attribute filtering options to include filtering |
| based on the implementation class of the value and optional |
| <code>WARN</code> level logging if an attribute is filtered. These |
| options are available for all of the Manager implementations that ship |
| with Tomcat. When a <code>SecurityManager</code> is used filtering will |
| be enabled by default. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Fix handling of missing messages in |
| <code>org.apache.el.util.MessageFactory</code>. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| To prevent the heartbeat thread and the background thread from running |
| <code>Channel.heartbeat</code> simultaneously, ensure that the heartbeat |
| thread does not start if <code>heartbeatBackgroundEnabled</code> of |
| <code>SimpleTcpCluster</code> is set to <code>true</code>. (kfujino) |
| </fix> |
| <scode> |
| Simplify the code of <code>JvmRouteBinderValve.startInternal()</code>. |
| Avoid potential NPE when <code>JvmRouteBinderValve</code> is configured |
| directly at <code>Engine</code> element. (kfujino) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57489</bug>: Ensure <code>onClose()</code> is called when a |
| WebSocket connection is closed even if the sending of the close message |
| fails. Includes test cases by Barry Coughlan. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <add> |
| Add a description of the default value of |
| <code>heartbeatSleeptime</code> attribute and <code>optionCheck</code> |
| attribute in the cluster channel docs. (kfujino) |
| </add> |
| <fix> |
| Correct some typos in the JNDI resources How-To. (markt) |
| </fix> |
| <fix> |
| Don't create sessions unnecessarily in the Manager application. (markt) |
| </fix> |
| <fix> |
| Don't create sessions unnecessarily in the Host Manager application. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58723</bug>: Clarify documentation and error messages for the text |
| interface of the manager to make clear that version must be used with |
| path when referencing contexts deployed using parallel deployment. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Fix potential NPE in <code>AbstractReplicatedMap.breakdown()</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| Add support for the startup notification of local members in the static |
| cluster. (kfujino) |
| </fix> |
| <fix> |
| Ignore the unnecessary member remove operation from a different domain. |
| (kfujino) |
| </fix> |
| <fix> |
| Add support for the shutdown notification of local members in the static |
| cluster. (kfujino) |
| </fix> |
| <fix> |
| Ensure that asynchronous session replication thread is a daemon thread. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Remove native code (Windows Service Wrapper, APR/native connector) |
| support for Windows Itanium. (markt) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.4 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.2e and APR |
| 1.5.1. (markt) |
| </update> |
| <update> |
| Update the NSIS Installer used to build the Windows Installers to |
| version 2.50. (markt/kkolinko) |
| </update> |
| <update> |
| Update optional Checkstyle library to 6.14.1. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.30 (markt)" rtext="2015-12-06"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>34319</bug>: Only load those keys in |
| <code>StoreBase.processExpire</code> from JDBCStore that are old |
| enough to be expired. Based on a patch by Tom Anderson. (fschumacher) |
| </fix> |
| <add> |
| <bug>56917</bug>: As per RFC7231 (HTTP/1.1), allow HTTP/1.1 and later |
| redirects to use relative URIs. This is controlled by a new attribute |
| <code>useRelativeRedirects</code> on the <strong>Context</strong> and |
| defaults to <code>true</code>. (markt) |
| </add> |
| <fix> |
| <bug>58629</bug>: Allow an embedded Tomcat instance to start when the |
| <code>Service</code> has no <code>Engine</code> configured. (markt) |
| </fix> |
| <fix> |
| <bug>58635</bug>: Enable break points to be set within agent code when |
| running Tomcat with a Java agent. Based on a patch by Huxing Zhang. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58660</bug>: Correct a regression in 8.0.29 caused by the change |
| that moved the redirection for context roots from the Mapper to the |
| Default Servlet. (markt) |
| </fix> |
| <fix> |
| Fixed potential NPE in <code>HostConfig</code> while deploying an |
| application. Issue reported by coverity scan. (violetagg) |
| </fix> |
| <fix> |
| <bug>58655</bug>: Fix an <code>IllegalStateException</code> when |
| calling <code>HttpServletResponse.sendRedirect()</code> with the |
| <code>RemoteIpFilter</code>. This was caused by trying to correctly |
| generate the absolute URI for the redirect. With the fix for |
| <bug>56917</bug>, redirects may now be relative making the |
| <code>sendRedirect()</code> implementation for the |
| <code>RemoteIpFilter</code> much simpler. This also addresses issues |
| where the redirect may not have behaved as expected when redirecting |
| from http to https or from https to http. (markt) |
| </fix> |
| <fix> |
| <bug>58657</bug>: Exceptions in a Servlet 3.1 <code>ReadListener</code> |
| or <code>WriteListener</code> do not need to be immediately fatal to the |
| connection. Allow an error response to be written. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Improve upgrade context classloader handling by using Context.bind and |
| unbind. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57136#c25</bug>: Change default value of |
| <code>quoteAttributeEL</code> setting in Jasper to be <code>true</code> |
| for better compatibility with other implementations and older versions |
| of Tomcat (8.0.26/7.0.64 and earlier). Add command line option |
| <code>-no-quoteAttributeEL</code> in JspC. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Fix potential integer overflow in <code>DeltaSession</code>. |
| Reported by coverity scan. (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| <bug>55006</bug>: The WebSocket client now honors the |
| <code>java.net.ProxySelector</code> configuration (using the |
| HTTP type) when establishing WebSocket connections to servers. Based on |
| a patch by Niki Dokovski. (markt) |
| </add> |
| <fix> |
| <bug>58624</bug>: Correct a thread safety issue that meant that blocking |
| message writes could block indefinitely if the WebSocket connection was |
| closed while a message write was in progress. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| <bug>58631</bug>: Correct the continuation character use in the Windows |
| Service How-To page of the documentation web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that the static member is registered to the add suspect list even |
| if the static member that is registered to the remove suspect list has |
| disappeared. (kfujino) |
| </fix> |
| <fix> |
| Correct the warning log emitted when a member that is not registered in |
| the membership is detected. (kfujino) |
| </fix> |
| <fix> |
| When using a static cluster, add the members that have been cached in |
| the membership service to the map members list in order to ensure that |
| the map member is a static member. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Correct evaluation of system property |
| <code>org.apache.tomcat.jdbc.pool.onlyAttemptCurrentClassLoader</code>. |
| It was basically ignored before. Reported by coverity scan. |
| (fschumacher) |
| </fix> |
| <fix> |
| Fix potential integer overflow in <code>ConnectionPool</code> and |
| <code>PooledConnection</code>. Reported by coverity scan. (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update optional Checkstyle library to 6.13. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.29 (markt)" rtext="2015-11-24"> |
| <subsection name="General"> |
| <changelog> |
| <update> |
| <bug>58596</bug>: Clarify the description in RUNNING.txt of how |
| environment variables are used. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Extend the fix for <bug>57136</bug> to provide a JSP Servlet |
| initialisation parameter per web application that controls whether or |
| not EL in JSP attributes is processed as if it uses JSP attribute |
| quoting. By default, EL does not use JSP attribute quoting. (markt) |
| </add> |
| <fix> |
| <bug>57799</bug>: InputStream.available() was causing an IO operation |
| to occur even in blocking mode, which caused problems with NIO2. |
| (remm) |
| </fix> |
| <add> |
| Extend the fix for <bug>58228</bug> to include |
| <code>ServletContext.getRealPath()</code>. (markt) |
| </add> |
| <add> |
| <bug>58486</bug>: Protect against two further possible memory leaks |
| associated with XML parsing. (markt) |
| </add> |
| <fix> |
| <bug>58490</bug>: Fixed NPE thrown when scanning for |
| <code>javax.servlet.ServletContainerInitializer</code> in case the web |
| application is not extracted. (violetagg) |
| </fix> |
| <scode> |
| <bug>58497</bug>: Make <code>AbstractHttp11Processor</code> easy to |
| extend. (markt) |
| </scode> |
| <fix> |
| <bug>58508</bug>: Escape role names when generating associated MBeans in |
| case the role name contains characters not permitted in an MBean name. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58518</bug>: Correct a regression in the fix for <bug>56777</bug> |
| that added support for URIs in config file locations. File paths on |
| Windows could previously be specified with <code>\</code> or |
| <code>/</code> as the separator. <bug>56777</bug> broke that. (markt) |
| </fix> |
| <fix> |
| <bug>58519</bug>: Fix ISE thrown by web application classloader in some |
| error conditions due to trying to call <code>initCause()</code> on a |
| <code>ClassNotFoundException</code> which is not permitted. (markt) |
| </fix> |
| <fix> |
| <bug>58534</bug>: Removed repeated conditional tests in |
| <code>o.a.tomcat.websocket.pojo.PojoMethodMapping</code> and |
| <code>o.a.tomcat.util.net.AprEndpoint</code>. |
| Patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58535</bug>: Use <code>Collections.reverseOrder</code> |
| when a reverse ordering is needed. (violetagg) |
| </fix> |
| <fix> |
| <bug>58537</bug>, <bug>58546</bug>: Some of the inner classes in |
| <code>o.a.catalina.valves.ExtendedAccessLogValve</code> |
| and <code>o.a.tomcat.util.net.SecureNio2Channel</code> |
| are made static. |
| Patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58540</bug>: Removed unused code from |
| <code>o.a.catalina.connector.Request</code>. |
| Patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58541</bug>, <bug>58544</bug>: It is more efficient to call |
| <code>Integer.toString(int)</code> instead of |
| <code>Integer.valueOf(int).toString()</code> when only a string |
| representation of a primitive is needed. Based on a patch provided by |
| Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58541</bug>, <bug>58547</bug>: It is more efficient to call |
| <code>valueOf(...)</code> instead of Number constructor. Based on a |
| patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| <bug>58545</bug>: In some use cases it is more efficient to use |
| <code>Map.entrySet()</code> instead of <code>Map.keySet()</code>. |
| Based on a patch provided by Anthony Whitford. (violetagg) |
| </fix> |
| <fix> |
| Ensure that <code>ServletRequest.getContentLengthLong</code> is used |
| instead of <code>ServletRequest.getContentLength</code> for servlets and |
| valves provided by Tomcat. The API is available since Servlet |
| specification 3.1. (violetagg) |
| </fix> |
| <add> |
| Add a new RestCsrfPreventionFilter that provides basic CSRF protection |
| for REST APIs. (violetagg) |
| </add> |
| <fix> |
| <bug>58578</bug>: Avoid NPE accessing cookies during access logging |
| for request that had no context mapping. (remm) |
| </fix> |
| <fix> |
| Avoid UnsupportedOperationException when releasing a user-provided |
| URLStreamHandlerFactory. Patch provided by Cristian Talau. (violetagg) |
| </fix> |
| <fix> |
| <bug>58581</bug>: If a custom error page fails, fall back to the |
| standard error page rather than throwing an NPE. Based on a patch by |
| Huxing Zhang. (markt) |
| </fix> |
| <fix> |
| <bug>58582</bug>: Combined realm should perform background processing |
| on its sub-realms. Based upon a patch provided by Aidan. (schultz) |
| </fix> |
| <fix> |
| Handle the unlikely case where different versions of a web application |
| are deployed with different session settings. (markt) |
| </fix> |
| <add> |
| Add a new Context option, enabled by default, that enables an additional |
| check that a client provided session ID is in use in at least one other |
| web application before allowing it to be used as the ID for a new |
| session in the current web application. (markt) |
| </add> |
| <add> |
| Add support for DIGEST authentication to the JNDIRealm. Based on a patch |
| by Alexis Hassler. (markt) |
| </add> |
| <fix> |
| <bug>58603</bug>: Ensure that |
| <code>HttpServletRequest.getRequestURL()</code> returns the correct |
| value when using the <code>RemoteIpFilter</code>. (markt) |
| </fix> |
| <fix> |
| Ensure that in an embedded Tomcat the logging configuration is |
| not lost during garbage collection. (violetagg) |
| </fix> |
| <add> |
| Move the functionality that provides redirects for context roots and |
| directories where a trailing <code>/</code> is added from the Mapper to |
| the <code>DefaultServlet</code>. This enables such requests to be |
| processed by any configured Valves and Filters before the redirect is |
| made. This behaviour is configurable via the |
| <code>mapperContextRootRedirectEnabled</code> and |
| <code>mapperDirectoryRedirectEnabled</code> attributes of the Context |
| which may be used to restore the previous behaviour. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Cancel pending blocking IO operation following a timeout in the NIO2 |
| connector. (remm) |
| </fix> |
| <fix> |
| Add instance manager support for upgrade handlers, and set context |
| class loader. (remm) |
| </fix> |
| <update> |
| Synchronize OpenSSL to JSSE cipher mapping to recent OpenSSL changes. In |
| particular, <code>TLSv1.0</code> is now an alias for those ciphers that |
| require TLSv1 and will not work with SSLv3. <code>TLSv1</code> remains |
| an alias for <code>SSLv3</code>. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Deprecate the <code>STRICT_QUOTE_ESCAPING</code> system property and |
| replace it with an initialisation parameter for the JSP Servlet. This |
| enables per web application control of this configuration setting. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Optimize the session lock range in DeltaManager.requestCompleted. |
| (kfujino) |
| </fix> |
| <fix> |
| Enable an explicit configuration of local member in the static cluster |
| membership. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <scode> |
| Distinguish the handling of the shutdown payload and member verification |
| clearly. When handling shutdown payload, verification completion message |
| is not required. (kfujino) |
| </scode> |
| <fix> |
| When starting the <code>StaticMembershipInterceptor</code>, |
| <code>StaticMembershipInterceptor</code> checks the required |
| Interceptors. If the required Interceptor does not exist, it issues |
| warning logs. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Use instance manager for server endpoint instances. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Make it clear in the documentation for the CGI servlet that the debug |
| page is not considered secure and should not be used in production. |
| (markt) |
| </add> |
| <fix> |
| The <code>domain</code> attribute of <code>StaticMember</code> is not |
| required but optional. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>58489</bug>: Correct QueryStatsComparator to hold up the |
| general contract for Comparator. (fschumacher) |
| </fix> |
| <fix> |
| When creating a <code>QueryStats</code> object, ensure that |
| <code>maxQueries</code> is checked. If <code>maxQueries</code> is a |
| value less than or equal to 0, <code>QueryStats</code> are never |
| created. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update optional Checkstyle library to 6.12.1. (kkolinko) |
| </update> |
| <add> |
| Add support for creating a FindBugs report when building Tomcat. It |
| is disabled by default. (violetagg) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.28 (markt)" rtext="2015-10-12"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Add support for the custom <code>classpath</code> protocol in URLs. It |
| can be used anywhere Tomcat accepts a URL for a configuration parameter. |
| (markt) |
| </add> |
| <fix> |
| <bug>56777</bug>: Allow file based configuration resources (user |
| database, certificate revocation lists, keystores and trust stores) to |
| be configured using URLs as well as files. (markt) |
| </fix> |
| <fix> |
| Perform null-checking on input and stored credentials in all Realms |
| before passing credentials off to CredentialHandlers for matching. |
| (schultz) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <update> |
| Add the new ciphers from RFC6655 and RFC7251 to the OpenSSL to JSSE |
| cipher mapping. (markt) |
| </update> |
| <update> |
| Remove DES, RC2 and RC4 from DEFAULT for the OpenSSL to JSSE cipher |
| mapping to align with the OpenSSL development branch. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Improve the error message when the JSP parser encounters an error parsing an |
| attribute value. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <update> |
| <bug>58474</bug>: Provide a reference to the differences between |
| <code>CATALINA_HOME</code> and <code>CATALINA_BASE</code> in the sample |
| application that is part of the documentation web application. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Extras"> |
| <changelog> |
| <fix> |
| Ensure JULI adapters do not include the LogFactoryImpl class. Patch |
| provided by Benjamin Gandon. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.27 (markt)" rtext="2015-10-01"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>58187</bug>: Correct a regression in the fix for <bug>57765</bug> |
| that meant that deployment of web applications deployed via the Manager |
| application was delayed until the next execution of the automatic |
| deployment background process. (markt) |
| </fix> |
| <fix> |
| <bug>58284</bug>: Correctly implement session serialization so |
| non-serializable attributes are skipped with a warning. Patch provided |
| by Andrew Shore. (markt) |
| </fix> |
| <fix> |
| <bug>58313</bug>: Fix concurrent access of encoders map when clearing |
| encoders prior to switch to async. (markt) |
| </fix> |
| <fix> |
| <bug>58320</bug>: Fix concurrent access of request attributes which is |
| possible during asynchronous processing. (markt) |
| </fix> |
| <fix> |
| <bug>58352</bug>: Always trigger a thread dump if Tomcat fails to stop |
| gracefully from <code>catalina.sh</code> even if using |
| <code>-force</code>. Patch provided by Alexandre Garnier. (markt) |
| </fix> |
| <fix> |
| <bug>58368</bug>: Fix a rare data race in the code that obtains the |
| <code>ApplicationFilterFactory</code> instance. (markt) |
| </fix> |
| <fix> |
| <bug>58369</bug>: Fix a rare data race in the code that obtains the |
| CookieProcessor for a StandardContext instance. (markt) |
| </fix> |
| <fix> |
| Ensure the JAASRealm uses the configured CredentialHandler. (markt) |
| </fix> |
| <fix> |
| <bug>58372</bug>: Fix rare data races on the closed and suspended flags that |
| could be triggered by async and/or comet processing. (markt) |
| </fix> |
| <fix> |
| <bug>58373</bug>: Fix rare data race with the application event |
| listeners for StandardContext. (markt) |
| </fix> |
| <fix> |
| <bug>58374</bug>: Fix a rare data race in the AsyncContext |
| implementation for access to the internal Tomcat request object to which |
| it holds a reference. (markt) |
| </fix> |
| <fix> |
| <bug>58380</bug>: Fix two rare data races in the standard session |
| implementation on the flag that tracks if the session is new and on the |
| field that tracks the maximum inactive period. (markt) |
| </fix> |
| <fix> |
| <bug>58385</bug>: Fix a rare data race in the internal flag Tomcat uses |
| to keep track of whether or not a request is being used for Comet |
| processing. (markt) |
| </fix> |
| <fix> |
| <bug>58394</bug>: Fix a rare data race in Mapper when adding or removing |
| a host. (markt) |
| </fix> |
| <fix> |
| <bug>58398</bug>: Fix a rare data race in <code>LifecycleSupport</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58412</bug>: Ensure that the <code>AsyncFileHandler</code> has the |
| source class and method name available for logging. (fschumacher) |
| </fix> |
| <fix> |
| <bug>58416</bug>: Correctly detect when a forced stop fails to stop |
| Tomcat because the Tomcat process is waiting on some system call or is |
| uninterruptible. (markt) |
| </fix> |
| <fix> |
| <bug>58436</bug>: Fix some rare data races in JULI's |
| <code>ClassLoaderLogManager</code> during shutdown. (markt) |
| </fix> |
| <fix> |
| <bug>58845</bug>: Fix off-by-one error in calculation of valid |
| characters in a cookie domain. Patch provided by Thorsten Ehlers. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct some edge cases in <code>RequestUtil.normalize()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58275</bug>: The IBM JREs accept cipher suite names starting with |
| <code>TLS_</code> or <code>SSL_</code> but when listing the supported |
| cipher suites only the <code>SSL_</code> version is reported. This can |
| break Tomcat's check that at least one requested cipher suite is |
| supported. Tomcat now includes a work-around so either form of the |
| cipher suite name can be used when running on an IBM JRE. (markt) |
| </fix> |
| <fix> |
| <bug>58357</bug>: For reasons not currently understood when the |
| APR/native connector is used with OpenSSL reads can return an error code |
| when there is no apparent error. This was worked around for HTTP upgrade |
| connections by treating this as <code>EAGAIN</code>. The same fix has |
| now been applied to the standard HTTP connector. (markt) |
| </fix> |
| <scode> |
| Minor clean-up in NIO2 SSL handshake code to address some theoretical |
| concurrency issues. (markt) |
| </scode> |
| <fix> |
| <bug>58367</bug>: Fix a rare data race in the code that obtains the |
| reason phrase for a given HTTP response code. (markt) |
| </fix> |
| <fix> |
| <bug>58370</bug>: Fix a rare data race in the connector shutdown code. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58371</bug>: Fix a rare data race when accessing request URI in |
| String form when switching from non-async to async due to early |
| triggering of the gathering of request statistics. (markt) |
| </fix> |
| <fix> |
| <bug>58375</bug>: Fix a rare data race on the internal flag Tomcat uses |
| to mark a response as committed. (markt) |
| </fix> |
| <fix> |
| <bug>58377</bug>: Fix a rare data race on the internal flag Tomcat uses |
| to mark a request as using HTTP keep-alive when switching to |
| asynchronous processing. (markt) |
| </fix> |
| <fix> |
| <bug>58379</bug>: Fix a rare data race on the internal reference Tomcat |
| retains to the socket when switching to asynchronous processing. (markt) |
| </fix> |
| <fix> |
| <bug>58387</bug>: Fix a rare data race when closing Comet connections. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58388</bug>: Fix a data race when determining if Comet processing |
| is occurring on a container or non-container thread. (markt) |
| </fix> |
| <fix> |
| <bug>58389</bug>: Fix a rare data race while shutting down the thread |
| pools on Connector stop. (markt) |
| </fix> |
| <scode> |
| Clean up use of error flag on socket wrapper prompted by |
| <bug>58390</bug>. (markt) |
| </scode> |
| <scode> |
| Remove some unnecessary code from the NIO Poller and fix |
| <bug>58396</bug> as a side-effect. (markt) |
| </scode> |
| <fix> |
| <bug>57799</bug>: Remove useless sendfile check for NIO SSL. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57136</bug>: Correct a regression in the previous fix for this |
| issue. <code>\${</code> should only be an escape for <code>${</code> |
| within an EL expression. Within a JSP page <code>\$</code> should be an |
| escape for <code>$</code>. The EL specification applies when parsing the |
| expression delimited by <code>${</code> and <code>}</code>. Parsing of |
| the delimiting <code>${</code> and <code>}</code> is the responsibility |
| of the JSP specification. (markt) |
| </fix> |
| <fix> |
| <bug>58296</bug>: Fix a memory leak in the JSP unloading feature that |
| meant that using a value other than <code>-1</code> for |
| <code>maxLoadedJsps</code> triggered a memory leak once the limit was |
| reached. (markt) |
| </fix> |
| <fix> |
| <bug>58327</bug>: Cache the expression string for value expression |
| literals since it is frequently used and may be expensive to evaluate. |
| Patch provided by Andreas Kohn. (markt) |
| </fix> |
| <fix> |
| <bug>58340</bug>: Improve error reporting for tag files packaged in |
| JARs. (markt) |
| </fix> |
| <fix> |
| <bug>58424</bug>: When parsing TLD files, allow whitespace around |
| boolean configuration values. (schultz) |
| </fix> |
| <fix> |
| Fix a possible resource leak reported by coverity scan. (fschumacher) |
| </fix> |
| <fix> |
| <bug>58427</bug>: Enforce the JSP specification defined limitations of |
| which elements are allowed in an implicit.tld file. (markt) |
| </fix> |
| <fix> |
| <bug>58444</bug>: Ensure that JSPs work with any custom base class that |
| meets the requirements defined in the JSP specification without |
| requiring that base class to implement Tomcat specific code. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Fix the default clusterListeners in <code>SimpleTcpCluster</code>. The |
| optimal default value is different for each session manager. |
| <code>ClusterSessionListener</code> is never used in |
| <code>BackupManager</code>. (kfujino) |
| </fix> |
| <fix> |
| Correct log messages in case of using <code>BackupManager</code>. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>58342</bug>: Fix a copy and paste error that meant MessageHandler |
| removal could fail for binary and pong MessageHandlers. Patch provided |
| by DJ. (markt) |
| </fix> |
| <fix> |
| Data races detected by RV-Predict, mostly caused by completion handlers |
| running in separate threads. (markt) |
| </fix> |
| <fix> |
| <bug>58414</bug>: Correctly handle sending zero length messages when |
| using per message deflate. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct documentation for cluster-howto. (kfujino) |
| </fix> |
| <fix> |
| Add missing documentation for property <code>alwaysAddExpires</code> for |
| the <code>LegacyCookieProcessor</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <add> |
| Add support for configurations of <code>ChannelListener</code> and |
| <code>MembershipListener</code> in server.xml. (kfujino) |
| </add> |
| <fix> |
| Correct log messages in case of using <code>ReplicatedMap</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| <bug>58381</bug>: Fix a rare data race in the <code>NioReceiver</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58382</bug>: Fix multiple rare data races in the default membership |
| implementation. (markt) |
| </fix> |
| <fix> |
| <bug>58383</bug>: Fix a data race in <code>SenderState</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58386</bug>: Fix a data race in <code>ObjectReader</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58391</bug>: Fix multiple data races in |
| <code>NonBlockingCoordinator</code>, most of which were associated with |
| ensuring that log messages contained the correct information. (markt) |
| </fix> |
| <fix> |
| <bug>58392</bug>: Fix a data race in |
| <code>DomainFilterInterceptor</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58393</bug>: Fix a data race on the listener in |
| <code>McastService</code>. (markt) |
| </fix> |
| <fix> |
| <bug>58395</bug>: Fix multiple data races in <code>MemberImpl</code> |
| that were likely to cause issues if certain properties were updated |
| concurrently (such updates are unlikely in normal usage). (markt) |
| </fix> |
| <scode> |
| Remove some unnecessary code from <code>PooledParallelSender</code> and |
| fix <bug>58397</bug>. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Make sure the pool has been properly configured when attributes |
| related to the pool size are changed via JMX. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Ensure logging works for all tests in a class rather than just the first |
| one executed. (markt) |
| </fix> |
| <add> |
| <bug>58344</bug>: Add build properties to enable tests to be executed |
| against alternative binaries. Based on a patch by Petr Sumbera. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.26 (markt)" rtext="2015-08-21"> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>58255</bug>: Document the Semaphore valve. Patch provided by |
| Kyohei Nakamura. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.25 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Make the WAR manifest file available for WebResource instances from an |
| unpacked WAR in the same way the manifest is available if the WAR is not |
| unpacked. (markt) |
| </fix> |
| <fix> |
| Ensure that only <code>/WEB-INF/classes/</code> and |
| <code>/WEB-INF/lib/</code> are excluded from the web resource caching. |
| (Resources loaded from these locations are cached by the web application |
| class loader.) (markt) |
| </fix> |
| <add> |
| <bug>57741</bug>: Enable the CGI servlet to use the standard error page |
| mechanism. Note that if the CGI servlet's debug init parameter is |
| set to 10 or higher then the standard error page mechanism will be |
| bypassed and a debug response generated by the CGI servlet will be |
| returned instead. (markt) |
| </add> |
| <fix> |
| <bug>58031</bug>: Make the (first) reason parameter parsing failed |
| available as a request attribute and then use it to provide a better |
| status code via the FailedRequestFilter (if configured). (markt) |
| </fix> |
| <fix> |
| <bug>58086</bug>: Correct a regression in the fix for 58086 that |
| incorrectly handled WAR URLs. (violetagg) |
| </fix> |
| <fix> |
| <bug>58096</bug>: Classes loaded from <code>/WEB-INF/classes/</code> |
| should use that directory as their code base. (markt) |
| </fix> |
| <fix> |
| Fix possible resource leaks by closing streams properly. |
| Issues reported by Coverity Scan. (violetagg) |
| </fix> |
| <fix> |
| <bug>58116</bug>: Fix regression in the fix for <bug>57281</bug> that |
| broke Comet support when running under a security manager. Based on a |
| patch provided by Johno Crawford. (markt) |
| </fix> |
| <fix> |
| <bug>58125</bug>: Avoid a possible <code>ClassCircularityError</code> |
| when running under a security manager. (markt) |
| </fix> |
| <fix> |
| <bug>58179</bug>: Fix a thread safety issue that could mean concurrent |
| threads setting the same attribute on a <code>ServletContext</code> |
| could both see <code>null</code> as the old value. (markt) |
| </fix> |
| <fix> |
| Allow web archives bigger than 2G to be deployed using ANT tasks. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>58192</bug>: Correct a regression in the previous fix for |
| <bug>58023</bug>. Ensure that classes are associated with their manifest |
| even if the class file is first read (and cached) without the manifest. |
| (markt) |
| </fix> |
| <fix> |
| Fix thread safety issue in the <code>AsyncContext</code> implementation |
| that meant a sequence of <code>start();dispatch();</code> calls using |
| non-container threads could result in a previous dispatch interfering |
| with a subsequent start. (markt) |
| </fix> |
| <fix> |
| <bug>58228</bug>: Make behaviour of |
| <code>ServletContext.getResource()</code> and |
| <code>ServletContext.getResourceAsStream()</code> consistent with each |
| other and the expected behaviour of the GET_RESOURCE_REQUIRE_SLASH |
| system property. (markt) |
| </fix> |
| <fix> |
| <bug>58230</bug>: Fix input stream corruption if non-blocking I/O is |
| used and the first read is made immediately after the switch to async |
| mode rather than in response to <code>onDataAvailable()</code> and that |
| read does not read all the available data. (markt) |
| </fix> |
| <fix> |
| Ensure that <code>log4javascript*.jar</code> was not excluded from the |
| standard JAR scanning by default. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>57943</bug>: Prevent the same socket being added to the cache |
| twice. Patch based on analysis by Ian Luo / Sun Qi. (markt) |
| </fix> |
| <fix> |
| Add <code>text/javascript,application/javascript</code> to the default |
| list of compressible MIME types. (violetagg) |
| </fix> |
| <fix> |
| <bug>58103</bug>: When pipelining requests, and the previous request was |
| an async request, ensure that the socket is removed from the waiting |
| requests so that the async timeout thread doesn't process it during the |
| next request. (markt) |
| </fix> |
| <fix> |
| <bug>58151</bug>: Correctly handle EOF in the AJP APR/native connector |
| to prevent the connector entering a loop and generating excessive CPU |
| load. (markt) |
| </fix> |
| <fix> |
| In the AJP and HTTP NIO connectors, ensure that the socket timeout is |
| correctly set before adding the socket back to the poller for read. |
| (markt) |
| </fix> |
| <fix> |
| <bug>58157</bug>: Ensure that the handling of async timeouts does not |
| result in an unnecessary dispatch to a container thread that could |
| result in the current socket being added to the Poller multiple times |
| with multiple attempts to process the same event for the same socket. |
| (markt) |
| </fix> |
| <fix> |
| Correct a couple of edge cases in <code>RequestUtil.normalize()</code>. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>58110</bug>: Like scriptlet sections, declaration sections of JSP |
| pages have a one-to-one mapping of lines to the generated .java file. |
| Use this information to provide more accurate error messages if a |
| compilation error occurs in a declaration section. (markt) |
| </fix> |
| <fix> |
| <bug>58119</bug>: When tags are compiled they must be placed in the |
| org/apache/jsp/tag/web directory. Correct a regression in the fix for |
| 52725. (violetagg) |
| </fix> |
| <fix> |
| Fix a resource leak in JspC identified by Eclipse. (markt) |
| </fix> |
| <fix> |
| <bug>58178</bug>: Expressions in a tag file should use the tag |
| file's <code>PageContext</code> rather than that of the containing |
| page. (markt) |
| </fix> |
| <fix> |
| Following on from the fix for <bug>58178</bug>, expressions in a tag |
| file should use the tag file's imports rather than those of the |
| containing page. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>58166</bug>: Allow applications to send close codes in the range |
| 3000-4999 inclusive. (markt) |
| </fix> |
| <fix> |
| <bug>58232</bug>: Avoid possible NPE when adding endpoints |
| programmatically to the |
| <code>javax.websocket.server.ServerContainer</code>. |
| Based on a patch provided by bastian. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the incorrect documentation of <code>QueryTimeoutInterceptor</code>. |
| The setting value is not in milliseconds but in seconds. (kfujino) |
| </fix> |
| <fix> |
| <bug>58112</bug>: Update the documentation for using the Catalina tasks |
| in an Apache Ant build file. (markt) |
| </fix> |
| <fix> |
| Improve the Javadoc for some of the APR socket read functions that have |
| inconsistent behaviour for return values. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>58042</bug>: The default value of <code>logFailed</code> attribute |
| of <code>SlowQueryReport</code> is changed to <code>false</code> so that |
| the failed queries are not logged by default. (kfujino) |
| </fix> |
| <fix> |
| Fix potential NPE in <code>QueryTimeoutInterceptor</code>. (kfujino) |
| </fix> |
| <fix> |
| Add support for stopping the pool cleaner via JMX. (kfujino) |
| </fix> |
| <fix> |
| The <code>fairness</code> attribute and |
| <code>ignoreExceptionOnPreLoad</code> attribute do not allow a change |
| via JMX. (kfujino) |
| </fix> |
| <fix> |
| If the <code>timeBetweenEvictionRunsMillis</code> attribute is changed |
| via JMX, it should restart the pool cleaner because this attribute |
| affects the execution interval of the pool cleaner. (kfujino) |
| </fix> |
| <fix> |
| Eliminate the dependence on <code>maxActive</code> of busy queues and |
| idle queue in order to enable the expansion of the pool size via JMX. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update optional Checkstyle library to 6.8.1. (kkolinko) |
| </update> |
| <fix> |
| Update sample Eclipse IDE configuration to exclude test/webapp* and |
| similar paths from compiler sourcepath. (kkolinko) |
| </fix> |
| <update> |
| Update package renamed Apache Commons Pool to Commons Pool 2.4.2. |
| (markt) |
| </update> |
| <update> |
| Update package renamed Apache Commons DBCP to Commons DBCP 2.1.1. |
| (markt) |
| </update> |
| <add> |
| Support the use of the <code>threads</code> attribute on Ant's |
| junit task. Note that using this with a value greater than one will |
| disable Cobertura code coverage. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.24 (markt)" rtext="2015-07-06"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>57938</bug>: Correctly handle empty form fields when a form is |
| submitted as <code>multipart/form-data</code>, the |
| <code>maxPostSize</code> attribute of the Connector has been set to a |
| negative value and the Context has been configured with a value of |
| <code>true</code> for <code>allowCasualMultipartParsing</code>. The |
| meaning of the value zero for the <code>maxPostSize</code> has also been |
| changed to mean a limit of zero rather than no limit to align it with |
| <code>maxSavePostSize</code> and to be more intuitive. (markt) |
| </fix> |
| <fix> |
| <bug>57977</bug>: Correctly bind and unbind the web application class |
| loader during execution of the PersistentValve. (markt) |
| </fix> |
| <fix> |
| Remove some unnecessary code from the web application class loader and |
| deprecate the now unused <code>validate()</code> method since the |
| requirements of SRV.10.7.2 are met using cleaner code in |
| <code>loadClass(String, boolean)</code> and <code>filter()</code>. |
| (markt) |
| </fix> |
| <fix> |
| Correct a bug that prevented the web application class loader's |
| <code>filter()</code> from working correctly. It only returned |
| <code>true</code> for classes in sub-packages of the listed packages, |
| but not classes located in the packages themselves. (markt) |
| </fix> |
| <fix> |
| Add the WebSocket API classes to the list of classes that the web |
| application class loader will always delegate to its parent for loading |
| first. (markt) |
| </fix> |
| <fix> |
| <bug>58015</bug>: Ensure that whenever the web application class loader |
| checks to see if it should delegate first, it also checks the result |
| of the <code>filter()</code> method which may indicate that it should |
| always delegate first for the current class/resource regardless of the |
| value of the delegate configuration option. (markt) |
| </fix> |
| <fix> |
| <bug>58023</bug>: Fix potentially excessive memory usage due to |
| unnecessary caching of JAR manifests in the web application class |
| loader. (markt) |
| </fix> |
| <fix> |
| <bug>57700</bug>: Ensure that Container event |
| <code>ADD_CHILD_EVENT</code> will be sent in all cases. (violetagg) |
| </fix> |
| <fix> |
| <bug>58086</bug>: Ensure that WAR URLs are handled properly when using |
| ANT for web application deployment. Based on a patch provided by Lukasz |
| Jader. (violetagg) |
| </fix> |
| <fix> |
| Fix CredentialHandler element handling in storeconfig. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>57265</bug>: Further fix to address a potential threading issue |
| when sendfile is used in conjunction with TLS. (markt) |
| </fix> |
| <fix> |
| <bug>57936</bug>: Improve robustness of the acceptor thread count |
| parameter for NIO2, since it must be set to 1. Submitted by |
| Oliver Kant. (remm) |
| </fix> |
| <add> |
| <bug>57943</bug>: Added a work-around to catch |
| <code>ConcurrentModificationException</code>s during Poller timeout |
| processing that were causing the Poller thread to stop. The root cause |
| of these exceptions is currently unknown. (markt) |
| </add> |
| <fix> |
| <bug>57944</bug>: Ensure that if non-blocking I/O listeners are set on |
| a non-container thread that the expected listener events are still |
| triggered. (markt) |
| </fix> |
| <fix> |
| Fix possible very long (1000 seconds) timeout with APR/native connector. |
| (markt) |
| </fix> |
| <add> |
| Support "-" separator in the SSLProtocol configuration of the |
| APR/native connector for protocol exclusion. (rjung) |
| </add> |
| <fix> |
| <bug>58004</bug>: Fix AJP buffering output data even in blocking mode. |
| (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57969</bug>: Provide path parameters to POJO via per session |
| <code>javax.websocket.server.ServerEndpointConfig</code> as they vary |
| between different requests. (violetagg) |
| </fix> |
| <fix> |
| <bug>57974</bug>: Session.getOpenSessions should return all sessions |
| associated with a given endpoint instance, rather than all sessions |
| from the endpoint class. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>57282</bug>: Update request processing sequence diagrams. Updated |
| diagrams provided by Stephen Chen. (markt) |
| </fix> |
| <fix> |
| <bug>57971</bug>: Correct the documentation for the cluster |
| configuration setting <code>recoverySleepTime</code>. (markt) |
| </fix> |
| <add> |
| <bug>57758</bug>: Add documentation of the <code>testOnConnect</code> |
| attribute in the jdbc-pool docs. (kfujino) |
| </add> |
| <add> |
| Add description of <code>validatorClassName</code> attribute to testXXXX |
| attributes in jdbc-pool docs. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <scode> |
| Use <code>StringManager</code> to provide i18n support in the |
| <code>org.apache.catalina.tribes</code> packages. (kfujino) |
| </scode> |
| <fix> |
| Do not set the nodes to which replication failed as backup nodes. |
| Ensure that the nodes to which the data has been successfully replicated |
| are set as the backup nodes. (kfujino) |
| </fix> |
| <fix> |
| When replication fails, rather than handling all members as failed |
| members, exclude the failed members from the backup members. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Refactoring of the <code>removeOldest</code> method in |
| <code>SlowQueryReport</code> to behave as expected. (kfujino) |
| </fix> |
| <fix> |
| <bug>57783</bug>: Fix <code>NullPointerException</code> in |
| <code>SlowQueryReport</code>. To avoid this NPE, refactor |
| <code>SlowQueryReport#removeOldest</code> and handle the abandoned |
| connection properly. (kfujino) |
| </fix> |
| <fix> |
| <bug>58042</bug>: In <code>SlowQueryReportJmx</code>, the |
| <code>LogSlow</code> and <code>logFailed</code> attributes that are |
| inherited from <code>SlowQueryReport</code> are used as a condition of |
| whether JMX notifications are sent. (kfujino) |
| </fix> |
| <fix> |
| Ensure that specified <code>Boolean</code> attribute values of |
| <code>SlowQueryReport</code> are reflected correctly. |
| <code>LogSlow</code> and <code>logFailed</code> are not system |
| properties; they are attributes of <code>SlowQueryReport</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update package renamed Apache Commons BCEL to r1682271 to pick up some |
| code clean up. (markt) |
| </update> |
| <update> |
| Update package renamed Apache Commons DBCP to r1682314 to pick up the |
| DBCP 2.1 release and additional fixes since then. (markt) |
| </update> |
| <update> |
| Update package renamed Apache Commons Pool to the 2.4 release. (markt) |
| </update> |
| <update> |
| Update package renamed Apache Commons File upload to r1682322 to pick up |
| the post 1.3.1 fixes. (markt) |
| </update> |
| <update> |
| Update package renamed Apache Commons Codec to r1682326. No functional |
| changes. Javadoc only. (markt) |
| </update> |
| <update> |
| Update optional Checkstyle library to 6.7. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.23 (markt)" rtext="2015-05-22"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>54618</bug>: Add a new <code>HttpHeaderSecurityFilter</code> that |
| adds the <code>Strict-Transport-Security</code>, |
| <code>X-Frame-Options</code> and <code>X-Content-Type-Options</code> |
| HTTP headers to the response. (markt) |
| </add> |
| <fix> |
| <bug>57875</bug>: Add <code>javax.websocket.*</code> to the classes for |
| which the web application class loader always delegates first. (markt) |
| </fix> |
| <fix> |
| <bug>57871</bug>: Ensure that setting the |
| <code>allowHttpSepsInV0</code> property of a |
| <code>LegacyCookieProcessor</code> to false only prevents HTTP |
| separators from being used without quotes. (markt) |
| </fix> |
| <fix> |
| Add a workaround for issues with SPNEGO authentication when running on |
| Java 8 update 40 and later. The workaround should be safe for earlier |
| Java versions but it can be disabled with the |
| <code>applyJava8u40Fix</code> attribute of the SPNEGO authenticator if |
| necessary. (markt) |
| </fix> |
| <fix> |
| <bug>57926</bug>: Restore the original <code>X-Forwarded-By</code> and |
| <code>X-Forwarded-For</code> headers after processing by the |
| <code>RemoteIPValve</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Follow up to previous fix that removed the behavior difference between |
| NIO and NIO2 for SSL, which caused corruption with NIO2. |
| (remm) |
| </fix> |
| <fix> |
| <bug>57931</bug>: Ensure that TLS connections with the NIO or NIO2 HTTP |
| connectors that experience issues during the handshake (e.g. missing or |
| invalid client certificate) are closed cleanly and that the client |
| receives the correct error code rather than simply closing the |
| connection. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>56438</bug>: Add debug logging to TLD discovery that logs positive |
| and negative results for JARs, resource paths and directories. Patch |
| provided by VIN. (markt) |
| </fix> |
| <fix> |
| <bug>57802</bug>: Correct the default implementation of |
| <code>convertToType()</code> provided by |
| <code>javax.el.ELResolver</code>. (markt) |
| </fix> |
| <fix> |
| <bug>57887</bug>: Fix compilation of recursive tag files packaged in a |
| JAR. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Make sure that the stream is closed after using it in |
| <code>DeltaSession.applyDiff()</code>. (kfujino) |
| </fix> |
| <scode> |
| Use <code>StringManager</code> to provide i18n support in the |
| <code>org.apache.catalina.ha</code> packages. (kfujino) |
| </scode> |
| <scode> |
| Add the context name to log messages when replication context failed to |
| start. (kfujino) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>57875</bug>: Update the web application class loader documentation |
| to reflect the more relaxed approach to SRV.10.7.2 in Tomcat 8 onwards. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57896</bug>: Document system property |
| <code>org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER</code> |
| that was introduced in Tomcat 8.0.0. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Ensure that the state transfer flag is updated to true only when the map |
| states have been transferred correctly from existing map members. |
| (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update optional Checkstyle library to 6.6. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.22 (markt)" rtext="2015-05-05"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>57736</bug>: Change the format of the Tomcat specific URLs for |
| resources inside JARs that are in turn packed in a WAR. The |
| <code>^/</code> sequence has been replaced by <code>*/</code> so that |
| the resulting URLs are compliant with RFC 2396 and do not trigger |
| exceptions when converted to URIs. The old format will continue to be |
| accepted. (markt) |
| </fix> |
| <fix> |
| <bug>57752</bug>: Exclude non-cached resources from the Cache statistics |
| for resource lookups. Patch provided by Adam Mlodzinski. (markt) |
| </fix> |
| <add> |
| Allow logging of the remote port in the access log using the format |
| pattern <code>%{remote}p</code>. (rjung) |
| </add> |
| <fix> |
| <bug>57556</bug>: Refine the previous fix for this issue so that the |
| real path returned only has a trailing separator if the requested path |
| ended with <code>/</code>. (markt) |
| </fix> |
| <fix> |
| <bug>57765</bug>: When checking last modified times as part of the |
| automatic deployment process, account for the fact that |
| <code>File.lastModified()</code> has a resolution of one second to |
| ensure that if a file has been modified within the last second, the |
| latest version of the file is always used. Note that a side-effect of |
| this change is that files with modification times in the future are |
| treated as if they are unmodified. (markt) |
| </fix> |
| <fix> |
| Align redeploy resource modification checking with reload modification |
| checking so that now, in both cases, a change in modification time |
| rather than an increase in modification time is used to determine if the |
| resource has changed. (markt) |
| </fix> |
| <fix> |
| Clean up <code>o.a.tomcat.util.digester.Digester</code> by removing debug |
| messages that do not give any valuable information. Patch provided |
| by Polina Genova. (violetagg) |
| </fix> |
| <fix> |
| <bug>57772</bug>: When reloading a web application and a directory |
| representing an expanded WAR needs to be deleted, delete the directory |
| after the web application has been stopped rather than before to avoid |
| potential ClassNotFoundExceptions. (markt) |
| </fix> |
| <fix> |
| Fix wrong logger name of |
| <code>org.apache.catalina.webresources.StandardRoot</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>57801</bug>: Improve the error message in the start script in case |
| the PID read from the PID file is already owned by a process. (rjung) |
| </fix> |
| <fix> |
| <bug>57841</bug>: Improve error logging during web application start. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57856</bug>: Ensure that any scheme/port changes implemented by the |
| <code>RemoteIpFilter</code> also affect |
| <code>HttpServletResponse.sendRedirect()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>57863</bug>: Fix the RewriteMap support in RewriteValve that did |
| not use the correct key value to look up entries. Based on a patch |
| provided by Tatsuya Bessho. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>57779</bug>: When an I/O error occurs on a non-container thread |
| only dispatch to a container thread to handle the error if using Servlet |
| 3+ asynchronous processing. This avoids potential deadlocks if an |
| application is performing I/O on a non-container thread without using |
| the Servlet 3+ asynchronous API. (markt) |
| </fix> |
| <scode> |
| Remove the experimental support for SPDY. No current user agent supports |
| the version of SPDY that the experiment targeted. Note: HTTP/2 support |
| is under development for Tomcat 9 and may be back-ported to Tomcat 8 |
| once complete. (markt) |
| </scode> |
| <fix> |
| Possible incomplete writes with SSL NIO2. (remm) |
| </fix> |
| <fix> |
| Incorrect reads with SSL NIO2 caused by a bad strategy for handling IO |
| differences between NIO and NIO2 that don't seem to be justified. |
| (remm) |
| </fix> |
| <fix> |
| After some errors, the pending flags could remain set when using SSL |
| NIO2. (remm) |
| </fix> |
| <fix> |
| <bug>57833</bug>: When using JKS based keystores for NIO or NIO2, ensure |
| that the key alias is always converted to lower case since that is what |
| JKS key stores expect. Based on a patch by Santosh Giri Govind M. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57837</bug>: Add <code>text/css</code> to the default list of |
| compressible MIME types. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57845</bug>: Ensure that, if the same JSP is accessed directly and |
| via a <code>&lt;jsp-file&gt;</code> declaration in web.xml, updates to |
| the JSP are visible (subject to the normal rules on re-compilation) |
| regardless of how the JSP is accessed. (markt) |
| </fix> |
| <fix> |
| <bug>57855</bug>: Explicitly handle the case where a |
| <code>MethodExpression</code> is invoked with null or the wrong number |
| of parameters. Rather than failing with an |
| <code>ArrayIndexOutOfBoundsException</code> or a |
| <code>NullPointerException</code> throw an |
| <code>IllegalArgumentException</code> with a useful error message. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Avoid unnecessary call of <code>DeltaRequest.addSessionListener()</code> |
| in non-primary nodes. (kfujino) |
| </fix> |
| <add> |
| Add new attribute that sends all actions for session across Tomcat |
| cluster nodes. (kfujino) |
| </add> |
| <fix> |
| Remove unused <code>pathname</code> attribute in mbean definition of |
| <code>BackupManager</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57761</bug>: Ensure that the opening HTTP request is correctly |
| formatted when the WebSocket client connects to a server root. (remm) |
| </fix> |
| <fix> |
| <bug>57762</bug>: Ensure that the WebSocket client correctly detects |
| when the connection to the server is dropped. (markt) |
| </fix> |
| <fix> |
| <bug>57776</bug>: Revert the 8.0.21 fix for the |
| <code>permessage-deflate</code> implementation and incorrect op-codes |
| since the fix was unnecessary (the bug only affected trunk) and the fix |
| broke rather than fixed <code>permessage-deflate</code> if an |
| uncompressed message was converted into more than one compressed |
| message. (markt) |
| </fix> |
| <fix> |
| Fix log name typo in <code>WsRemoteEndpointImplServer</code> class, |
| caused by a copy-paste. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>57788</bug>: Avoid NPE when looking up a class hierarchy without |
| finding anything. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| <bug>57759</bug>: Add information to the keyAlias documentation to make |
| it clear that the order keys are read from the keystore is |
| implementation dependent. (markt) |
| </add> |
| <fix> |
| <bug>57864</bug>: Update the documentation web application to make it |
| clearer that hex values are not valid for cluster send options. Based on |
| a patch by Kyohei Nakamura. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Fix a concurrency issue when a backup message that has all session data |
| and a backup message that has diff data are processed at the same time. |
| This fix ensures that <code>MapOwner</code> is set to |
| <code>ReplicatedMapEntry</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Add missing pom for tomcat-storeconfig. (remm) |
| </fix> |
| <update> |
| Update optional Checkstyle library to 6.5. (kkolinko) |
| </update> |
| <fix> |
| <bug>57707</bug>: Improve error message when trying to run a release |
| build on a non-Windows platform and Wine is not available. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.21 (markt)" rtext="2015-03-26"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>49785</bug>: Enable StartTLS connections for JNDIRealm. |
| (fschumacher) |
| </add> |
| <fix> |
| When docBase refers to an internal WAR and unpackWARs is set to false, |
| avoid registering an invalid redeploy resource that has had the ".war" |
| extension added twice. (kfujino) |
| </fix> |
| <fix> |
| If WAR exists, it is not necessary to trigger a reload when adding a |
| Directory. (kfujino) |
| </fix> |
| <fix> |
| <bug>55988</bug>: Add support for Java 8 JSSE server-preferred TLS |
| cipher suite ordering. This feature requires Java 8 |
| and is controlled by <code>useServerCipherSuitesOrder</code> |
| attribute on an HTTP connector. |
| Based upon a patch provided by Ognjen Blagojevic. (schultz) |
| </fix> |
| <fix> |
| <bug>56608</bug>: When deploying an external WAR, add watched resources |
| in the expanded directory based on whether the expanded directory is |
| expected to exist rather than if it does exist. (markt) |
| </fix> |
| <fix> |
| When triggering a reload due to a modified watched resource, ensure |
| that multiple changed watched resources only trigger one reload rather |
| than a series of reloads. (markt) |
| </fix> |
| <fix> |
| <bug>57601</bug>: Ensure that HEAD requests return the correct content |
| length (i.e. the same as for a GET) when the requested resource includes |
| a resource served by the Default servlet. (jboynes/markt) |
| </fix> |
| <fix> |
| <bug>57602</bug>: Ensure that HEAD requests return the correct content |
| length (i.e. the same as for a GET) when the requested resource includes |
| a resource served by a servlet that extends <code>HttpServlet</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57621</bug>: When an async request completes, ensure that any |
| remaining request body data is swallowed. (markt) |
| </fix> |
| <fix> |
| <bug>57637</bug>: Do not create unnecessary sessions when using |
| PersistentValve. (jboynes/fschumacher) |
| </fix> |
| <fix> |
| <bug>57645</bug>: Correct a regression in the fix for |
| <bug>57190</bug> that incorrectly required the path passed to |
| <code>ServletContext.getContext(String)</code> to be an exact match to a |
| path to an existing context. (markt) |
| </fix> |
| <fix> |
| Make sure that <code>unpackWAR</code> attribute of <code>Context</code> |
| is handled correctly in <code>HostConfig</code>. (kfujino) |
| </fix> |
| <fix> |
| When deploying a WAR file that contains a context.xml file and |
| <code>unpackWARs</code> is <code>false</code> ignore any context.xml |
| file that may exist in an expanded directory associated with the WAR. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57675</bug>: Correctly quote strings when using the extended |
| access log. (markt) |
| </fix> |
| <add> |
| Enable Tomcat to detect when a WAR file has been changed while Tomcat is |
| not running. Tomcat does this by adding a META-INF/war-tracking file to |
| the expanded directory and setting the last modified time of this file |
| to the last modified time of the WAR. If Tomcat detects a modified WAR |
| via this mechanism the web application will be redeployed (i.e. the |
| expanded directory will be removed and the modified WAR expanded in its |
| place). (markt) |
| </add> |
| <fix> |
| <bug>57704</bug>: Fix potential NPEs during web application start/stop |
| when <code>org.apache.tomcat.InstanceManager</code> is not initialized. |
| (violetagg) |
| </fix> |
| <add> |
| Use the simplified digest output for digest.bat|sh when generating |
| digests with no salt and a single iteration to make it easier to use |
| with DIGEST authentication. (markt) |
| </add> |
| <fix> |
| Add support for <code>LAST_ACCESS_AT_START</code> system property to |
| <code>SingleSignOn</code>. (kfujino) |
| </fix> |
| <scode> |
| Refactor Authenticator implementations to reduce code duplication. |
| (markt) |
| </scode> |
| <fix> |
| <bug>57724</bug>: Handle the case in the CORS filter where a user agent |
| includes an origin header for a non-CORS request. (markt) |
| </fix> |
| <fix> |
| When searching for SCIs |
| <code>o.a.catalina.Context.getParentClassLoader</code> will be used |
| instead of <code>java.lang.ClassLoader.getParent</code>. Thus one can |
| provide the correct parent class loader when running embedded Tomcat in |
| other environments such as OSGi. (violetagg) |
| </fix> |
| <fix> |
| <bug>57743</bug>: Fix a locked file / resource leak issue when a JAR is |
| accessed just before or during web application undeploy. Patch provided |
| by Pavel Avgustinov. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>57540</bug>: Make TLS/SSL protocol available in a new request |
| attribute |
| (<code>org.apache.tomcat.util.net.secure_protocol_version</code>). |
| (Note that AJP connectors will require <tt>mod_jk</tt> 1.2.41 or later, |
| or an as-yet-unknown version of mod_proxy_ajp, or configure the proxy |
| to send the AJP_SSL_PROTOCOL request attribute to Tomcat. Please see |
| the bug comments for details.) |
| Based upon a patch provided by Ralf Hauser. (schultz) |
| </add> |
| <fix> |
| Fix a cipher ordering issue when using the OpenSSL syntax for JSSE |
| cipher configuration to ensure that ephemeral ECDH with AES is preferred |
| to ephemeral ECDH with anything else. (markt) |
| </fix> |
| <fix> |
| <bug>57570</bug>: Make the processing of trailer headers with chunked |
| input optional and disabled by default. (markt) |
| </fix> |
| <fix> |
| <bug>57592</bug>: Correctly handle the case where an |
| <code>AsyncContext</code> is used for non-blocking I/O and is completed |
| during a write operation. (markt) |
| </fix> |
| <fix> |
| <bug>57638</bug>: Avoid an IllegalArgumentException when an AJP request |
| body chunk larger than the socket read buffer is being read. This |
| typically requires a larger than default AJP packetSize. (markt) |
| </fix> |
| <fix> |
| <bug>57674</bug>: Avoid a BufferOverflowException when an AJP response |
| body chunk larger than the socket write buffer is being written. This |
| typically requires a larger than default AJP packetSize. (markt) |
| </fix> |
| <update> |
| Align the OpenSSL syntax cipher configuration with the OpenSSL 1.0.2 |
| branch. (markt) |
| </update> |
| <fix> |
| Numerous fixes to the APR/native connector to improve robustness. |
| (markt) |
| </fix> |
| <fix> |
| Stop caching and re-using SocketWrapper instances. With the introduction |
| of upgrade and non-blocking I/O, I/O can occur on non-container threads. |
| This makes it nearly impossible to track whether a SocketWrapper is |
| still being referenced or not, making re-use a risky proposition. |
| (markt) |
| </fix> |
| <scode> |
| Refactor Connector authentication (only used by AJP) into a separate |
| method. (markt) |
| </scode> |
| <add> |
| <bug>57708</bug>: Implement a new feature for AJP connectors - Tomcat |
| Authorization. If the new tomcatAuthorization attribute is set to |
| <code>true</code> (it is disabled by default) Tomcat will take an |
| authenticated user name from the AJP protocol and use the appropriate |
| Realm for the request to authorize (i.e. add roles) to that user. |
| (markt) |
| </add> |
| <fix> |
| Fix an issue that meant that any pipe-lined data read by Tomcat before |
| an asynchronous request completed was lost during the completion of the |
| asynchronous request. This meant that the pipe-lined request(s) would be |
| lost and/or corrupted. (markt) |
| </fix> |
| <update> |
| Update the minimum recommended version of the Tomcat Native library (if |
| used) to 1.1.33. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57135</bug>: Package imports via |
| <code>javax.el.ImportHandler</code> should only import public, concrete |
| classes. (markt) |
| </fix> |
| <fix> |
| <bug>57583</bug>: Cache 'Not Found' results in |
| <code>javax.el.ImportHandler.resolveClass()</code> to save repeated |
| attempts to load classes that are known not to exist to improve |
| performance. (markt) |
| </fix> |
| <fix> |
| <bug>57626</bug>: Correct a regression introduced in the 8.0.16 fix for |
| ensuring Jars were closed after use, that broke recompilation of |
| modified JSPs that depended on a tag file packaged in a Jar. (markt) |
| </fix> |
| <fix> |
| <bug>57627</bug>: Correctly determine last modified times for |
| dependencies when a tag file packaged in a JAR depends on a tag file |
| packaged in a second JAR. (markt) |
| </fix> |
| <fix> |
| <bug>57647</bug>: Ensure INFO message is logged when scanning jars for |
| TLDs if the scan does not find a TLD in any jar. Previously a message |
| would only be logged if a TLD was not found in all scanned jars. (jboynes) |
| </fix> |
| <update> |
| <bug>57662</bug>: Update all references to the ECJ compiler to version |
| 4.4.2. (violetagg) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Remove unnecessary method that always returns true. The domain filtering |
| works on <code>DomainFilterInterceptor</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correct a bug in the <code>permessage-deflate</code> implementation that |
| meant that the incorrect op-codes were used if an uncompressed message |
| was converted into more than one compressed message. (markt) |
| </fix> |
| <add> |
| <bug>57676</bug>: List conflicting WebSocket endpoint classes when |
| there is a path conflict. Based upon a patch proposed by yangkun. |
| (schultz) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>56058</bug>: Add links to the AccessLogValve documentation for |
| configuring reverse proxies and/or Tomcat to ensure that the desired |
| information is entered in the access log when Tomcat is running |
| behind a reverse proxy. (markt) |
| </fix> |
| <fix> |
| <bug>57587</bug>: Update the JNDI Datasource HOWTO for DBCP2. Patch |
| provided by Phil Steitz. (markt) |
| </fix> |
| <fix> |
| Remove incorrect note from context configuration page in the |
| documentation web application that stated WAR files located outside the |
| appBase were never unpacked. (markt) |
| </fix> |
| <update> |
| <bug>57644</bug>: Update examples to use Apache Standard Taglib 1.2.5. |
| (jboynes) |
| </update> |
| <fix> |
| <bug>57683</bug>: Ensure that if a client aborts their connection to the |
| stock ticker example (the only way a client can disconnect), the example |
| continues to work for existing and new clients. (markt) |
| </fix> |
| <fix> |
| Make it clear that when using digested passwords with DIGEST |
| authentication that no salt and only a single iteration must be used |
| when generating the digest. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Extras"> |
| <changelog> |
| <fix> |
| <bug>57377</bug>: Remove the restriction that prevented the use of SSL |
| when specifying a bind address with the JMXRemoteLifecycleListener. Also |
| enable SSL to be configured for the registry as well as the server. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| When a map member has been added to <code>ReplicatedMap</code>, make |
| sure to add it to backup nodes list of all other members. (kfujino) |
| </fix> |
| <fix> |
| Make sure that messages from a different domain are refused in |
| <code>DomainFilterInterceptor</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update optional Checkstyle library to 6.4.1. (kkolinko) |
| </update> |
| <fix> |
| <bug>57703</bug>: Update the <code>http-method</code> definition for |
| web applications using a Servlet 2.5 descriptor as per Servlet 2.5 MR 6. |
| (markt) |
| </fix> |
| <update> |
| Update to Tomcat Native Library version 1.1.33 to pick up the Windows |
| binaries that are based on OpenSSL 1.0.1m and APR 1.5.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.20 (markt)" rtext="2015-02-20"> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix a concurrency issue that meant that a change in socket timeout (e.g. |
| when switching to asynchronous I/O) did not always take effect |
| immediately. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.19 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Clarify threaded usage of variables by removing volatile marker |
| in NonceInfo. Issue reported by Coverity Scan. (fschumacher) |
| </fix> |
| <fix> |
| <bug>57180</bug>: Further fixes to support the use of arbitrary HTTP |
| methods with the CORS filter. (markt) |
| </fix> |
| <fix> |
| <bug>57472</bug>: Fix performance regression in resources implementation |
| when signed JARs are used in a web application. (markt) |
| </fix> |
| <add> |
| Warn about problematic setting of appBase. (fschumacher) |
| </add> |
| <fix> |
| Fix exception during authentication in JDBCRealm. (fschumacher) |
| </fix> |
| <fix> |
| <bug>57534</bug>: CORS Filter should only look at media type component of |
| Content-Type request header. (markt) |
| </fix> |
| <fix> |
| <bug>57556</bug>: Align <code>getRealPath()</code> behaviour with that |
| of earlier versions and include a trailing separator if the real path |
| refers to a directory. (markt) |
| </fix> |
| <fix> |
| Ensure that Servlet 3.0 async requests where <code>startAsync()</code> |
| is called in one container thread and <code>dispatch()</code> is called |
| in a different container thread complete correctly. (markt) |
| </fix> |
| <fix> |
| Ensure that user name checking in the optional SecurityListener is |
| case-insensitive (as documented) and that the case-insensitive |
| comparison is performed using the system default Locale. (markt) |
| </fix> |
| <add> |
| <bug>57021</bug>: Improve logging in AprLifecycleListener and |
| jni.Library when Tomcat-Native DLL fails to load. Based on a patch by |
| Pravallika Peddi. (markt/kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix several bugs that could cause multiple registrations for write |
| events for a single socket when using Servlet 3.0 async. Typically, the |
| side effects of these multiple registrations would be exceptions |
| appearing in the logs. (markt) |
| </fix> |
| <fix> |
| <bug>57432</bug>: Align <code>SSL_OP_NO_TLSv1_1</code> and |
| <code>SSL_OP_NO_TLSv1_2</code> constant values with OpenSSL (they had |
| been swapped). (markt) |
| </fix> |
| <fix> |
| <bug>57509</bug>: Improve length check when writing HTTP/1.1 |
| response headers: reserve space for 4 extra bytes. (kkolinko) |
| </fix> |
| <fix> |
| <bug>57544</bug>: Fix potential infinite loop when preparing a kept |
| alive HTTP connection for the next request. (markt) |
| </fix> |
| <fix> |
| <bug>57546</bug>: Ensure that a dropped network connection does not |
| leave references to the UpgradeProcessor associated with the connection |
| in memory. (markt) |
| </fix> |
| <fix> |
| When applying the <code>maxSwallowSize</code> limit to a connection, read |
| that many bytes first before closing the connection to give the client a |
| chance to read the response. (markt) |
| </fix> |
| <fix> |
| Prevent an async timeout being processed multiple times for the same |
| socket when running on slow and/or heavily loaded systems. (markt) |
| </fix> |
| <fix> |
| <bug>57581</bug>: Change statistics byte counter in coyote Request |
| object to be long to allow values above 2Gb. (kkolinko) |
| </fix> |
| <update> |
| Use the data that supports cipher definition using OpenSSL syntax to |
| improve the quality of values provided for the |
| <code>javax.servlet.request.key_size</code> request attribute. (markt) |
| </update> |
| <fix> |
| Fix a concurrency issue in the APR Poller that meant it was possible |
| under low load for a socket queued to be added to the Poller not to be |
| added for 10 seconds. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| <bug>57123</bug>: Update all references to the ECJ compiler to version |
| 4.4.1. With thanks to Ralph Schaer for uploading the 4.4.1 JAR to Maven |
| Central. (markt) |
| </update> |
| <add> |
| <bug>57564</bug>: Make JspC amenable to subclassing. Patch provided by |
| Jan Bartel. (markt) |
| </add> |
| <fix> |
| Simplify code in <code>ProtectedFunctionMapper</code> class of |
| Jasper runtime. (kkolinko) |
| </fix> |
| <fix> |
| <bug>57574</bug>: Do not check existence of a Java package in |
| <code>javax.el.ImportHandler.importPackage()</code>. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57490</bug>: Make it possible to use Tomcat's WebSocket client |
| within a web application when running under a SecurityManager. Based on |
| a patch by Mikael Sterner. (markt) |
| </fix> |
| <add> |
| Add some debug logging to the WebSocket session to track session |
| creation and session closure. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <update> |
| Clarify documentation for <code>useBodyEncodingForURI</code> |
| attribute of a connector. (kkolinko) |
| </update> |
| <fix> |
| Fix possible resource leaks by closing streams properly. Issues |
| reported by Coverity Scan. (fschumacher) |
| </fix> |
| <fix> |
| <bug>57503</bug>: Make clear that the JULI integration for log4j only |
| works with log4j 1.2.x. (markt) |
| </fix> |
| <fix> |
| <bug>57496</bug>: Remove hard-coded URL in JSP SVG example. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Fix a possible deadlock when receiver thread invokes |
| <code>mapMemberAdded()</code> while ping thread invokes |
| <code>memberAlive()</code>. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Enhance bean factory used for JNDI resources. New attribute |
| <code>forceString</code> allows support for non-standard |
| string argument property setters. (rjung) |
| </add> |
| <fix> |
| Assign newly created stream to field instead of leaking it uselessly. |
| Issue reported by Coverity Scan. (fschumacher) |
| </fix> |
| <update> |
| Update optional Checkstyle library to 6.3. (kkolinko) |
| </update> |
| <fix> |
| Guard the digester from MbeansDescriptorsDigesterSource with its own |
| lock object. (fschumacher) |
| </fix> |
| <fix> |
| Refactor the unit tests and add some new test properties to make it |
| easier to exclude performance tests and relax timing tests. This is |
| primarily for the ASF CI system where these tests frequently fail. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57558</bug>: Add missing JAR in Ant task definition required by |
| the validate task. (markt) |
| </fix> |
| <add> |
| List names of Testsuites that have failed or skipped tests when |
| running the tests with Ant. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.18 (markt)" rtext="2015-01-26"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>57178</bug>: The CORS filter now treats <code>null</code> as a |
| valid origin that matches <code>*</code>. Patch provided by Gregor |
| Zurowski. (markt) |
| </fix> |
| <fix> |
| <bug>57425</bug>: Don't add attributes with null value or name to the |
| replicated context. (fschumacher) |
| </fix> |
| <add> |
| <bug>57431</bug>: Enable usage of custom class for context creation when |
| using embedded Tomcat. (fschumacher) |
| </add> |
| <fix> |
| <bug>57446</bug>: Ensure that <code>ServletContextListener</code>s that |
| have limited access to <code>ServletContext</code> methods are called |
| with the same <code>ServletContext</code> instance for both |
| <code>contextInitialized()</code> and <code>contextDestroyed()</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57455</bug>: Explicitly block the use of the double-quote character |
| when configuring the common, server and shared class loaders since |
| double-quote is used to quote values that contain commas. (markt) |
| </fix> |
| <fix> |
| <bug>57461</bug>: When an instance of |
| <code>org.apache.catalina.startup.VersionLoggerListener</code> logs the |
| result of <code>System.getProperty("java.home")</code> don't report it |
| in a manner that makes it look like the <code>JAVA_HOME</code> |
| environment variable. (markt) |
| </fix> |
| <fix> |
| <bug>57476</bug>: Ensure the responses written as part of a forward are |
| fully written. This fixes a regression in 8.0.15 caused by the fix for |
| <bug>57252</bug>. (markt) |
| </fix> |
| <fix> |
| While closing streams for given resources ensure that if an exception |
| happens it will be handled properly. Issue is reported by Coverity Scan. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>57481</bug>: Fix <code>IllegalStateException</code> at the end of |
| the request when using non-blocking reads with the HTTP BIO connector. |
| (markt) |
| </fix> |
| <fix> |
| Change Response to use UEncoder instances with shared safeChars. |
| (fschumacher) |
| </fix> |
| <fix> |
| Ensure that when static resources are served from JARs, only static |
| resources are served. (markt) |
| </fix> |
| <add> |
| Allow <code>VersionLoggerListener</code> to log all system properties. |
| This feature is off by default. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Ensure that classes imported via the page directive are made available |
| to the EL environment via the ImportHandler. Issue is reported by |
| Coverity Scan. (violetagg) |
| </fix> |
| <fix> |
| <bug>57441</bug>: Do not trigger an error when using functions defined |
| by lambdas or imported via an ImportHandler in an EL expression in a |
| JSP. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Fix mbean descriptor of <code>ClusterSingleSignOn</code>. (kfujino) |
| </fix> |
| <fix> |
| <bug>57473</bug>: Add sanity check to FarmWebDeployer's WarWatcher to |
| detect suspected incorrect permissions on the watch directory. (schultz) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Clarify the handling of Copy message and Copy nodes. (kfujino) |
| </fix> |
| <fix> |
| Copy node does not need to send the entry data. It is enough to send |
| only the node information of the entry. (kfujino) |
| </fix> |
| <fix> |
| ReplicatedMap should send the Copy message when replicating. (kfujino) |
| </fix> |
| <fix> |
| Fix behavior of ReplicatedMap when member has disappeared. If map entry |
| is primary, rebuild the backup members. If primary node of map entry has |
| disappeared, backup node is promoted to primary. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.17 (markt)" rtext="2015-01-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Correct a regression in the previous fix for <bug>57252</bug> that broke |
| request listeners for non-async requests that triggered an error that |
| was handled by the ErrorReportingValve. (markt/violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Add flushing to send ack in the NIO2 connector. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.16 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>57172</bug>: Provide a better error message if something attempts to |
| access a resource through a web application class loader that has been |
| stopped. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>57173</bug>: Revert the fix for <bug>56953</bug> that broke |
| annotation scanning in some cases. (markt) |
| </fix> |
| <fix> |
| <bug>57180</bug>: Do not limit the CORS filter to only accepting |
| requests that use an HTTP method defined in RFC 7231. (markt) |
| </fix> |
| <fix> |
| <bug>57190</bug>: Fix <code>ServletContext.getContext(String)</code> |
| when parallel deployment is used so that the correct ServletContext is |
| returned. (markt) |
| </fix> |
| <fix> |
| <bug>57208</bug>: Prevent NPE in JNDI Realm when no results are found |
| in a directory context for a user with specified user name. Based on |
| a patch provided by Jason McIntosh. (violetagg) |
| </fix> |
| <add> |
| <bug>57209</bug>: Add a new attribute, userSearchAsUser to the JNDI |
| Realm. (markt) |
| </add> |
| <fix> |
| <bug>57215</bug>: Ensure that the result of calling |
| <code>HttpServletRequest.getContextPath()</code> is neither decoded nor |
| normalized as required by the Servlet specification. (markt) |
| </fix> |
| <fix> |
| <bug>57216</bug>: Improve handling of invalid context paths. A context |
| path should either be an empty string or start with a |
| <code>'/'</code> and not end with a |
| <code>'/'</code>. Invalid context paths are automatically |
| corrected and a warning is logged. The <code>null</code> and |
| <code>"/"</code> values are now correctly changed to |
| <code>""</code>. (markt/kkolinko) |
| </fix> |
| <fix> |
| Update storeconfig with the CredentialHandler element. (remm) |
| </fix> |
| <fix> |
| Correct message that is logged when load-on-startup servlet fails |
| to load. It was logging a wrong name. (kkolinko) |
| </fix> |
| <fix> |
| <bug>57239</bug>: Correct several message typos. Includes patch by |
| vladk. (kkolinko) |
| </fix> |
| <fix> |
| Fix closing of Jars during annotation scanning. (schultz/kkolinko) |
| </fix> |
| <fix> |
| Fix a concurrency issue in async processing. Ensure that a non-container |
| thread can not change the async state until the container thread has |
| completed. (markt) |
| </fix> |
| <fix> |
| <bug>57252</bug>: Provide application configured error pages with a |
| chance to handle an async error before the built-in error reporting. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57281</bug>: Enable non-public Filter and Servlet classes to be |
| configured programmatically via the Servlet 3.0 API and then used |
| without error when running under a SecurityManager. (markt) |
| </fix> |
| <fix> |
| <bug>57308</bug>: Remove unnecessary calls to |
| <code>System.getProperty()</code> where more suitable API calls are |
| available. (markt) |
| </fix> |
| <add> |
| Add unit tests for RemoteAddrValve and RemoteHostValve. (rjung) |
| </add> |
| <add> |
| Allow RemoteAddrValve and RemoteHostValve to be configured to |
| adapt their behavior depending on the connector port. Implemented |
| by optionally adding the connector port to the string compared |
| with the patterns <code>allow</code> and <code>deny</code>. Configured |
| using <code>addConnectorPort</code> attribute on valve. (rjung) |
| </add> |
| <add> |
| Optionally trigger authentication instead of denial in |
| RemoteAddrValve and RemoteHostValve. This only works in |
| combination with <code>preemptiveAuthentication</code> |
| on the application context. Configured using |
| <code>invalidAuthenticationWhenDeny</code> attribute on valve. (rjung) |
| </add> |
| <fix> |
| Remove the obsolete <code>jndi</code> protocol usage from the scanning |
| process performed by StandardJarScanner. (violetagg) |
| </fix> |
| <fix> |
| Prevent file descriptors leak and ensure that files are closed after |
| retrieving the last modification time. (violetagg) |
| </fix> |
| <update> |
| Make <code>o.a.catalina.webresources.StandardRoot</code> easier for |
| extending. (violetagg) |
| </update> |
| <fix> |
| <bug>57326</bug>: Enable <code>AsyncListener</code> implementations to |
| re-register themselves during <code>AsyncListener.onStartAsync</code>. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57331</bug>: Allow ExpiresFilter to use "year" as synonym for |
| "years" in its configuration. (kkolinko) |
| </fix> |
| <fix> |
| Ensure that if the RewriteValve rewrites a request that subsequent calls |
| to <code>HttpServletRequest.getRequestURI()</code> return the undecoded |
| URI. (markt) |
| </fix> |
| <fix> |
| Ensure that if the RewriteValve rewrites a request to a non-normalized |
| URI that the URI is normalized before the URI is mapped to ensure that |
| the correct mapping is applied. (markt) |
| </fix> |
| <fix> |
| Prevent NPEs being logged during post-processing for requests that have |
| been re-written by the RewriteValve. (markt) |
| </fix> |
| <fix> |
| Various StoreConfig improvements including removing a dependency on the |
| <code>StandardServer</code> implementation, improve consistency of |
| behaviour when MBean is not registered and improve error messages when |
| accessed via the Manager application. (markt) |
| </fix> |
| <update> |
| Improve SnoopServlet in unit tests. (rjung) |
| </update> |
| <add> |
| Add RequestDescriptor class to unit tests. |
| Adjust TestRewriteValve to use RequestDescriptor. (rjung) |
| </add> |
| <update> |
| Add more AJP unit tests. (rjung) |
| </update> |
| <fix> |
| <bug>57363</bug>: Log to stderr if LogManager is unable to read |
| configuration files rather than swallowing the exception silently. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Allow HTTP upgrade process to complete without data corruption when |
| additional content is sent along with the upgrade header. (remm) |
| </fix> |
| <fix> |
| <bug>57187</bug>: Regression handling the special * URL. (remm) |
| </fix> |
| <fix> |
| <bug>57234</bug>: Make the SSL protocol filtering that removes insecure |
| protocols case insensitive. (markt) |
| </fix> |
| <fix> |
| <bug>57265</bug>: Fix some potential concurrency issues with sendFile |
| and the NIO connector. (markt) |
| </fix> |
| <fix> |
| <bug>57324</bug>: If the client uses <code>Expect: 100-continue</code> |
| and Tomcat responds with a non-2xx response code, Tomcat also closes the |
| connection. If Tomcat knows the connection is going to be closed when |
| committing the response, Tomcat will now also send the |
| <code>Connection: close</code> response header. (markt) |
| </fix> |
| <fix> |
| <bug>57340</bug>: When using Comet, ensure that Socket and SocketWrapper |
| are only returned to their respective caches once on socket close (it is |
| possible for multiple threads to call close concurrently). (markt) |
| </fix> |
| <fix> |
| <bug>57347</bug>: AJP response contains wrong status reason phrase |
| (rjung) |
| </fix> |
| <add> |
| <bug>57391</bug>: Allow TLS Session Tickets to be disabled when using |
| the APR/native HTTP connector. Patch provided by Josiah Purtlebaugh. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57142</bug>: As per the clarification from the JSP specification |
| maintenance lead, classes and packages imported via the page directive |
| must be made available to the EL environment via the ImportHandler. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57247</bug>: Correct the default Java source and target versions in |
| the JspC usage message to <code>1.7</code> for Java 7. (markt) |
| </fix> |
| <fix> |
| <bug>57309</bug>: Ensure that the current EL Resolver is given an |
| opportunity to perform type coercion before applying the default EL |
| coercion rules. (markt) |
| </fix> |
| <fix> |
| Improve the calculation of the resource's last-modified, performed by |
| JspCompilationContext, in a way to support URLs with protocol different |
| than <code>jar:file</code>. (violetagg) |
| </fix> |
| <fix> |
| CVE-2014-7810: |
| Do not use a privileged code block when evaluating EL expressions |
| when running under a security manager, since doing so allowed code |
| restrictions to be bypassed. (markt) |
| </fix> |
| <fix> |
| Fix an issue with BeanELResolver when running under a security |
| manager. Some classes may not be accessible but may have accessible |
| interfaces. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| To enable it to be defined in the <code>Cluster</code> element, |
| <code>ClusterSingleSignOn</code> implements <code>ClusterValve</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| <bug>57338</bug>: Improve the ability of the |
| <code>ClusterSingleSignOn</code> valve to handle nodes being added and |
| removed from the Cluster at run time. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correct multiple issues with the flushing of batched messages that could |
| lead to duplicate and/or corrupt messages. (markt) |
| </fix> |
| <fix> |
| Correctly implement headers case insensitivity. (markt/remm) |
| </fix> |
| <fix> |
| Allow optional use of user extensions. (remm) |
| </fix> |
| <fix> |
| Allow using partial binary message handlers. (remm) |
| </fix> |
| <fix> |
| Limit ping/pong message size. (remm) |
| </fix> |
| <fix> |
| Allow configuration of the time interval for the periodic event. (remm) |
| </fix> |
| <fix> |
| More accurate annotations processing. (remm) |
| </fix> |
| <fix> |
| Allow optional default for origin header in the client. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Update documentation for CGI servlet. Recommend to copy the servlet |
| declaration into web application instead of enabling it globally. |
| Correct documentation for cgiPathPrefix. (kkolinko) |
| </fix> |
| <update> |
| Improve HTML version of build instructions and align with |
| BUILDING.txt. (kkolinko) |
| </update> |
| <update> |
| Improve Tomcat Manager documentation. Rearrange, add section on |
| HTML GUI, document /expire command and Server Status page. (kkolinko) |
| </update> |
| <update> |
| <bug>57238</bug>: Update information on SSL/TLS on Security and SSL |
| documentation pages. Patch by Glen Peterson. (kkolinko) |
| </update> |
| <fix> |
| <bug>57245</bug>: Correct the reference to <code>allowLinking</code> in |
| the security configuration guide since that attribute has moved from the |
| Context element to the nested Resources element. (markt) |
| </fix> |
| <fix> |
| Fix ambiguity of section links on Valves configuration reference page. |
| (kkolinko) |
| </fix> |
| <fix> |
| <bug>57261</bug>: Fix vminfo and threaddump Manager commands to start |
| their output with an "OK" line. Document them. Based on a patch by |
| Oleg Trokhov. (kkolinko) |
| </fix> |
| <fix> |
| <bug>57267</bug>: Document the <code>StoreConfigLifecycleListener</code> |
| and the <code>/save</code> command for the Manager application. (markt) |
| </fix> |
| <fix> |
| <bug>57323</bug>: Correct display of outdated sessions in sessions |
| count listing in Manager application. (kkolinko) |
| </fix> |
| <add> |
| Add documentation for <code>ClusterSingleSignOn</code>. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| When downloading required libraries at build time, use random name |
| for temporary file and automatically create destination directory |
| (<code>base.path</code>). (kkolinko) |
| </update> |
| <update> |
| Update optional Checkstyle library to 6.2. (kkolinko) |
| </update> |
| <update> |
| Simplify <code>setproxy</code> task in <code>build.xml</code>. |
| Taskdef there is not needed since Ant 1.8.2. (kkolinko) |
| </update> |
| <fix> |
| Update "ide-eclipse" target in <code>build.xml</code> to create Eclipse |
| project that uses Java 7 compliance settings instead of workspace-wide |
| defaults. (kkolinko) |
| </fix> |
| <fix> |
| Update the package renamed copy of Apache Commons Pool 2 to the 2.3 |
| release to pick up various fixes since the 2.2 release including one for |
| a possible infinite loop. (markt) |
| </fix> |
| <fix> |
| <bug>57285</bug>: Restore the manifest entry that marks the Windows |
| uninstaller application as requiring elevated privileges. (markt) |
| </fix> |
| <add> |
| <bug>57344</bug>: Provide sha1 checksum files for Tomcat downloads. |
| Correct filename patterns for apache-tomcat-*-embed.tar.gz archive |
| to exclude an *.asc file. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.15 (markt)" rtext="2014-11-07"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>43548</bug>: Add an XML schema for the tomcat-users.xml file. |
| (markt) |
| </add> |
| <add> |
| <bug>43682</bug>: Add support for referring to the current context, host |
| and service name in per Context logging.properties files by using the |
| properties <code>${classloader.webappName}</code>, |
| <code>${classloader.hostName}</code> and |
| <code>${classloader.serviceName}</code>. (markt) |
| </add> |
| <add> |
| <bug>47919</bug>: Extend the information logged when Tomcat starts to |
| optionally log the values of command line arguments (enabled by |
| default) and environment variables (disabled by default). Note that |
| the values added to CATALINA_OPTS and JAVA_OPTS environment variables |
| will be logged, as they are used to build up the command line. (markt) |
| </add> |
| <add> |
| <bug>49939</bug>: Expose the method that clears the static resource |
| cache for a web application via JMX. (markt) |
| </add> |
| <fix> |
| <bug>55951</bug>: Allow cookies to use UTF-8 encoded values in HTTP |
| headers. This requires the use of the RFC6265 |
| <strong>CookieProcessor</strong>. (markt) |
| </fix> |
| <fix> |
| <bug>55984</bug>: Using the allow separators in version 0 cookies option |
| with the legacy cookie processor should only apply to version 0 cookies. |
| Version 1 cookies with values that contain separators should not be |
| affected and should continue to be quoted. (markt) |
| </fix> |
| <add> |
| <bug>56393</bug>: Add support for RFC6265 cookie parsing and generation. |
| This is currently disabled by default and may be enabled via the |
| <strong>CookieProcessor</strong> element of a <strong>Context</strong>. |
| (markt) |
| </add> |
| <add> |
| <bug>56394</bug>: Introduce new configuration element CookieProcessor in |
| Context to allow context-specific configuration of cookie processing |
| options. Attributes of Context element that were added in Tomcat 8.0.13 |
| to allow configuration of a new experimental RFC6265 based cookie parser |
| (<code>useRfc6265</code> and <code>cookieEncoding</code>) are |
| replaced by this new configuration element. (markt) |
| </add> |
| <fix> |
| Improve the previous fix for <bug>56401</bug>. Avoid logging version |
| information in the constructor since it then gets logged at undesirable |
| times such as when using <code>StoreConfig</code>. (markt) |
| </fix> |
| <fix> |
| <bug>56403</bug>: Add pluggable password derivation support to the |
| Realms via the new <code>CredentialHandler</code> interface. |
| (markt/schultz) |
| </fix> |
| <fix> |
| <bug>57016</bug>: When using the <code>PersistentValve</code> do not |
| remove sessions from the store when persisting them. (markt) |
| </fix> |
| <add> |
| Deprecate the use of system properties to control cookie parsing and |
| replace them with attributes on the new <code>CookieProcessor</code> |
| that may be configured on a per context basis. (markt) |
| </add> |
| <fix> |
| Correct an edge case and allow a cookie if the value starts with an |
| equals character and the <code>CookieProcessor</code> is not configured |
| to allow equals characters in cookie values but is configured to allow |
| name only cookies. (markt) |
| </fix> |
| <fix> |
| <bug>57022</bug>: Ensure SPNEGO authentication continues to work with |
| the JNDI Realm using delegated credentials with recent Oracle JREs. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57027</bug>: Add additional validation for stored credentials used |
| by Realms when the credential is stored using hex encoding. (markt) |
| </fix> |
| <fix> |
| <bug>57038</bug>: Add a <code>WebResource.getCodeBase()</code> method, |
| implement for all <code>WebResource</code> implementations and then use |
| it in the web application class loader to set the correct code base for |
| resources loaded from JARs and WARs. (markt) |
| </fix> |
| <fix> |
| Correct a couple of NPEs in the JNDI Realm that could be triggered |
| when not specifying a roleBase and enabling roleSearchAsUser. (markt) |
| </fix> |
| <fix> |
| Correctly handle relative values for the docBase attribute of a Context. |
| (markt) |
| </fix> |
| <fix> |
| Ensure that log messages generated by the web application class loader |
| correctly identify the associated Context when multiple versions of a |
| Context with the same path are present. (markt) |
| </fix> |
| <fix> |
| Remove the unnecessary registration of context.xml as a redeploy |
| resource. The context.xml having an external docBase has already been |
| registered as a redeploy resource at first. (kfujino) |
| </fix> |
| <fix> |
| <bug>57089</bug>: Ensure that configuration of a session ID generator is |
| not lost when a web application is reloaded. (markt) |
| </fix> |
| <fix> |
| <bug>57105</bug>: When parsing web.xml do not limit the buffer element |
| of the jsp-property-group element to integer values as the allowed |
| values are <code>&lt;number&gt;kb</code> or <code>none</code>. (markt) |
| </fix> |
| <update> |
| Update the minimum required version of the Tomcat Native library (if |
| used) to 1.1.32. (markt) |
| </update> |
| <fix> |
| Update storeconfig with newly introduced elements: SessionIdGenerator, |
| CookieProcessor, JarScanner and JarScanFilter. (remm) |
| </fix> |
| <fix> |
| Throw a <code>NullPointerException</code> if a null string is passed to |
| the <code>write(String,int,int)</code> method of the |
| <code>PrintWriter</code> obtained from the <code>ServletResponse</code>. |
| (markt) |
| </fix> |
| <fix> |
| Cookie rewrite flag abbreviation should be CO rather than C. (remm) |
| </fix> |
| <fix> |
| <bug>57153</bug>: When the StandardJarScanner is configured to scan the |
| full class path, ensure that class path entries added directly to the |
| web application class loader are scanned. (markt) |
| </fix> |
| <fix> |
| AsyncContext should remain usable until fireOnComplete is called. (remm) |
| </fix> |
| <fix> |
| AsyncContext createListener should wrap any instantiation exception |
| using a ServletException. (remm) |
| </fix> |
| <fix> |
| <bug>57155</bug>: Allow a web application to be configured that does not |
| have a docBase on the file system. This is primarily intended for use |
| when embedding. (markt) |
| </fix> |
| <fix> |
| Propagate header ordering from fileupload to the part implementation. |
| (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>53952</bug>: Add support for TLSv1.1 and TLSv1.2 for APR connector. |
| Based upon a patch by Marcel Šebek. This feature requires |
| Tomcat Native library 1.1.32 or later. (schultz/jfclere) |
| </add> |
| <scode> |
| Cache the <code>Encoder</code> instances used to convert Strings to byte |
| arrays in the Connectors (e.g. when writing HTTP headers) to improve |
| throughput. (markt) |
| </scode> |
| <add> |
| Disable SSLv3 by default for JSSE based HTTPS connectors (BIO, NIO and |
| NIO2). The change also ensures that SSLv2 is disabled for these |
| connectors although SSLv2 should already be disabled by default by the |
| JRE. (markt) |
| </add> |
| <add> |
| Disable SSLv3 by default for the APR/native HTTPS connector. (markt) |
| </add> |
| <fix> |
| Do not increase remaining counter at end of stream in |
| IdentityInputFilter. (kkolinko) |
| </fix> |
| <fix> |
| Trigger an error if an invalid attempt is made to use non-blocking IO. |
| (markt) |
| </fix> |
| <fix> |
| <bug>57157</bug>: Allow calls to |
| <code>AsyncContext.start(Runnable)</code> during non-blocking IO reads |
| and writes. (markt) |
| </fix> |
| <fix> |
| Async state MUST_COMPLETE should still be started. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>57099</bug>: Ensure that semi-colons are not permitted in JSP |
| import page directives. (markt) |
| </fix> |
| <fix> |
| <bug>57113</bug>: Fix broken package imports in Expression Language when |
| more than one package was imported and the desired class was not in the |
| last package imported. (markt) |
| </fix> |
| <fix> |
| <bug>57132</bug>: Fix import conflicts reporting in Expression Language. |
| (kkolinko) |
| </fix> |
| <fix> |
| When coercing an object to a given type, only attempt coercion to an |
| array if both the object type and the target type are an array type. |
| (violetagg/markt) |
| </fix> |
| <fix> |
| Improve handling of invalid input to |
| <code>javax.el.ImportHandler.resolveClass()</code>. (markt) |
| </fix> |
| <fix> |
| Allow the same class to be added to an instance of |
| <code>javax.el.ImportHandler</code> more than once without triggering |
| an error. The second and subsequent calls for the same class will be |
| ignored. (markt) |
| </fix> |
| <fix> |
| <bug>57136</bug>: Ensure only <code>\${</code> and <code>\#{</code> are |
| treated as escapes for <code>${</code> and <code>#{</code> rather than |
| <code>\$</code> and <code>\#</code> being treated as escapes for |
| <code>$</code> and <code>#</code> when processing literal expressions in |
| expression language. (markt) |
| </fix> |
| <fix> |
| When coercing an object to an array type in Expression Language, handle |
| the case where the source object is an array of primitives. |
| (markt/kkolinko) |
| </fix> |
| <fix> |
| Do not throw an exception on missing JSP file servlet initialization. |
| (remm) |
| </fix> |
| <fix> |
| <bug>57148</bug>: When coercing an object to a given type and a |
| <code>PropertyEditor</code> has been registered for the type correctly |
| coerce the empty string to <code>null</code> if the |
| <code>PropertyEditor</code> throws an exception. (kkolinko/markt) |
| </fix> |
| <fix> |
| <bug>57153</bug>: Correctly scan for TLDs located in directories that |
| represent expanded JAR files that have been added to the web application |
| class loader's class path. (markt) |
| </fix> |
| <fix> |
| <bug>57141</bug>: Enable EL in JSPs to refer to static fields of |
| imported classes including the standard <code>java.lang.*</code> |
| imports. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Add support for the <code>SessionIdGenerator</code> to cluster manager |
| template. (kfujino) |
| </fix> |
| <fix> |
| Avoid possible integer overflows reported by Coverity Scan. (fschumacher) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>57054</bug>: Correctly handle the case in the WebSocket client |
| when the HTTP response to the upgrade request can not be read in a |
| single pass; either because the buffer is too small or the server sent |
| the response in multiple packets. (markt) |
| </fix> |
| <add> |
| Extend support for the <code>permessage-deflate</code> extension to the |
| client implementation. (markt) |
| </add> |
| <fix> |
| Fix client subprotocol handling. (remm) |
| </fix> |
| <fix> |
| Add null checks for arguments in remote endpoint. (remm/kkolinko) |
| </fix> |
| <fix> |
| <bug>57091</bug>: Work around the behaviour of the Oracle JRE when |
| creating new threads in an applet environment that breaks the WebSocket |
| client implementation. Patch provided by Niklas Hallqvist. (markt) |
| </fix> |
| <fix> |
| <bug>57118</bug>: Ensure that an <code>EncodeException</code> is |
| thrown by <code>RemoteEndpoint.Basic.sendObject(Object)</code> rather |
| than an <code>IOException</code> when no suitable <code>Encoder</code> |
| is configured for the given Object. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct a couple of broken links in the Javadoc. (markt) |
| </fix> |
| <fix> |
| Correct documentation for <code>ServerCookie.ALLOW_NAME_ONLY</code> |
| system property. (kkolinko) |
| </fix> |
| <fix> |
| <bug>57049</bug>: Clarified that <code>jvmRoute</code> can be set in |
| <code>&lt;Engine&gt;</code>'s <code>jvmRoute</code> or in a system |
| property. (schultz) |
| </fix> |
| <fix> |
| Correct version of Java WebSocket mentioned in documentation |
| (s/1.0/1.1/). (markt/kkolinko) |
| </fix> |
| <update> |
| Suppress timestamp comments in Javadoc. (kkolinko) |
| </update> |
| <fix> |
| <bug>57147</bug>: Various corrections to the JDBC Store section of the |
| session manager configuration page of the documentation web application. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| <bug>45282</bug>: Improve shutdown of NIO receiver so that sockets are |
| closed cleanly. (fhanik/markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>57005</bug>: Fix javadoc errors when building with Java 8. Patch |
| provided by Pierre Viret. (markt) |
| </fix> |
| <fix> |
| <bug>57079</bug>: Use Tomcat version number for jdbc-pool module when |
| building and shipping the module as part of Tomcat. (markt) |
| </fix> |
| <fix> |
| Fix broken overview page in javadoc generated via "javadoc" task in |
| jdbc-pool build.xml file. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>56079</bug>: The uninstaller packaged with the Apache Tomcat |
| Windows installer is now digitally signed. (markt) |
| </fix> |
| <fix> |
| Fix timestamps in Tomcat build and jdbc-pool to use 24-hour format |
| instead of 12-hour one and use UTC timezone. (markt/kkolinko) |
| </fix> |
| <fix> |
| Update the package renamed copy of Apache Commons DBCP 2 to revision |
| 1631450 to pick up additional fixes since the 2.0.1 release including |
| Javadoc corrections to fix errors when compiling with Java 8. (markt) |
| </fix> |
| <update> |
| <bug>56596</bug>: Update to Tomcat Native Library version 1.1.32 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR |
| 1.5.1. (markt) |
| </update> |
| <scode> |
| In Tomcat tests: log name of the current test method at start time. |
| (kkolinko) |
| </scode> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.14 (markt)" rtext="2014-09-29"> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>56079</bug>: The Apache Tomcat Windows installer, the Apache Tomcat |
| Windows service and the Apache Tomcat Windows service monitor |
| application are now digitally signed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.13 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>55917</bug>: Allow bytes in the range 0x80 to 0xFF to appear in |
| cookie values if the cookie is a V1 (RFC2109) cookie and the value is |
| correctly quoted. The new RFC6265 based cookie parser must be enabled to |
| correctly handle these cookies. (markt) |
| </fix> |
| <fix> |
| <bug>55918</bug>: Do not permit control characters to appear in quoted |
| V1 (RFC2109) cookie values. The new RFC6265 based cookie parser must be |
| enabled to correctly handle these cookies. (markt) |
| </fix> |
| <fix> |
| <bug>55921</bug>: Correctly handle (ignore the cookie) unescaped JSON in |
| a cookie value. The new RFC6265 based cookie parser must be enabled to |
| correctly handle these cookies. (markt) |
| </fix> |
| <add> |
| <bug>56401</bug>: Log version information when Tomcat starts. |
| (markt/kkolinko) |
| </add> |
| <add> |
| <bug>56530</bug>: Add a web application class loader implementation that |
| supports the parallel loading of web application classes. (markt) |
| </add> |
| <fix> |
| <bug>56900</bug>: Fix some potential resource leaks when reading |
| property files reported by Coverity Scan. Based on patches provided by |
| Felix Schumacher. (markt) |
| </fix> |
| <fix> |
| <bug>56902</bug>: Fix a potential resource leak in the Default Servlet |
| reported by Coverity Scan. Based on a patch provided by Felix |
| Schumacher. (markt) |
| </fix> |
| <fix> |
| <bug>56903</bug>: Correct the return value for |
| <code>StandardContext.getResourceOnlyServlets()</code> so that multiple |
| names are separated by commas. Identified by Coverity Scan and fixed |
| based on a patch by Felix Schumacher. (markt) |
| </fix> |
| <add> |
| Add an additional implementation of a RFC6265 based cookie parser along |
| with new Context options to select and configure it. This parser is |
| currently considered experimental and is not used by default. (markt) |
| </add> |
| <fix> |
| Fixed the multipart elements merge operation performed during web |
| application deployment. Identified by Coverity Scan. (violetagg) |
| </fix> |
| <fix> |
| Correct the information written by |
| <code>ExtendedAccessLogValve</code> when a format token x-O(XXX) is |
| used so that multiple values for a header XXX are separated by commas. |
| Identified by Coverity Scan. (violetagg) |
| </fix> |
| <fix> |
| Fix a potential resource leak when reading MANIFEST.MF file for |
| extension dependencies reported by Coverity Scan. (violetagg) |
| </fix> |
| <fix> |
| Fix some potential resource leaks when reading properties, files and |
| other resources. Reported by Coverity Scan. (violetagg) |
| </fix> |
| <fix> |
| Correct the previous fix for <bug>56825</bug> that enabled pre-emptive |
| authentication to work with the SSL authenticator. (markt) |
| </fix> |
| <scode> |
| Refactor to reduce code duplication identified by Simian. (markt) |
| </scode> |
| <fix> |
| When using parallel deployment and <code>undeployOldVersions</code> |
| feature is enabled on a Host, correctly undeploy context of old |
| version. Make sure that Tomcat does not undeploy older Context if |
| current context is not running. (kfujino) |
| </fix> |
| <fix> |
| Fix a rare threading issue when locking resources via WebDAV. |
| (markt) |
| </fix> |
| <fix> |
| Fix a rare threading issue when using HTTP digest authentication. |
| (markt) |
| </fix> |
| <fix> |
| When deploying war, add XML file in the config base to the redeploy |
| resources if war does not have META-INF/context.xml or |
| <code>deployXML</code> is false. If XML file is created in the config |
| base, redeploy will occur. (kfujino) |
| </fix> |
| <scode> |
| Various changes to reduce unnecessary code in Tomcat's copy of |
| Apache Commons BCEL to reduce the time taken for annotation scanning |
| when web applications start. Includes contributions from kkolinko and |
| hzhang9. (markt) |
| </scode> |
| <fix> |
| <bug>56938</bug>: Ensure web applications that have mixed case context |
| paths and are deployed as directories are correctly removed on undeploy |
| when running on a case sensitive file system. (markt) |
| </fix> |
| <add> |
| <bug>57004</bug>: Add <code>stuckThreadCount</code> property to |
| <code>StuckThreadDetectionValve</code>'s JMX bean. Patch provided by |
| Jiří Pejchal. (schultz) |
| </add> |
| <fix> |
| <bug>57011</bug>: Ensure that the request and response are correctly |
| recycled when processing errors during async processing. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>56910</bug>: Prevent the invalid value of <code>-1</code> being |
| used for <code>maxConnections</code> with APR connectors. (markt) |
| </fix> |
| <fix> |
| Ensure that AJP connectors enable the <code>KeepAliveTimeout</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| Reduce duplicated code. All AJP connectors use a common method to |
| configure the processor. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>43001</bug>: Enable the JspC Ant task to set the JspC option |
| <code>mappedFile</code>. (markt) |
| </fix> |
| <fix> |
| Ensure that the implementation of |
| <code>javax.servlet.jsp.PageContext.include(String)</code> |
| and |
| <code>javax.servlet.jsp.PageContext.include(String, boolean)</code> |
| will throw <code>IOException</code> when an I/O error occurs during |
| the operation. (violetagg) |
| </fix> |
| <fix> |
| <bug>56908</bug>: Fix some potential resource leaks when reading |
| jar files. Reported by Coverity Scan. Patch provided by Felix |
| Schumacher. (violetagg) |
| </fix> |
| <fix> |
| Fix a potential resource leak in JDTCompiler when checking whether |
| a resource is a package. Reported by Coverity Scan. (fschumacher) |
| </fix> |
| <fix> |
| <bug>56991</bug>: Deprecate the use of a request attribute to pass a |
| &lt;jsp-file&gt; declaration to Jasper and prevent an infinite loop |
| if this technique is used in conjunction with an include. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>56905</bug>: Make destruction on web application stop of thread |
| group used for WebSocket connections more robust. (kkolinko/markt) |
| </fix> |
| <fix> |
| <bug>56907</bug>: Ensure that client IO threads are stopped if a secure |
| WebSocket client connection fails. (markt) |
| </fix> |
| <fix> |
| <bug>56982</bug>: Return the actual negotiated extensions rather than an |
| empty list for <code>Session.getNegotiatedExtensions()</code>. (markt) |
| </fix> |
| <update> |
| Update the WebSocket implementation to support the Java WebSocket |
| specification version 1.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Add <code>JarScanner</code> to the nested components listed for a |
| Context. (markt) |
| </add> |
| <update> |
| Update the Windows authentication documentation after some additional |
| testing to answer the remaining questions. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>56895</bug>: Correctly compose <code>JAVA_OPTS</code> in |
| <code>catalina.bat</code> so that escape sequences are preserved. Patch |
| by Lucas Theisen. (markt) |
| </fix> |
| <update> |
| <bug>56988</bug>: Allow to use relative path in <code>base.path</code> |
| setting when building Tomcat. (kkolinko) |
| </update> |
| <fix> |
| <bug>56990</bug>: Ensure that the <code>ide-eclipse</code> build target |
| downloads all the libraries required by the default Eclipse |
| configuration files. (markt) |
| </fix> |
| <fix> |
| Update the package renamed copy of Apache Commons DBCP 2 to revision |
| 1626988 to pick up the fixes since the 2.0.1 release including support |
| for custom eviction policies. (markt) |
| </fix> |
| <fix> |
| Update the package renamed copy of Apache Commons Pool 2 to revision |
| 1627271 to pick up the fixes since the 2.2 release including some memory |
| leak fixes and support for application provided eviction policies. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.12 (markt)" rtext="2014-09-03"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Make the session id generator extensible by adding a |
| <code>SessionIdGenerator</code> interface, an abstract |
| base class and a standard implementation. (rjung) |
| </add> |
| <fix> |
| <bug>56882</bug>: Fix regression in processing of includes and forwards |
| when Context has been reloaded. Tomcat was responding with HTTP Status |
| 503 (Servlet xxx is currently unavailable). (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When building a list of JSSE ciphers from an OpenSSL cipher definition, |
| ignore unknown criteria rather than throwing a |
| <code>NullPointerException</code>. (markt) |
| </fix> |
| <add> |
| Add support for the EECDH alias when using the OpenSSL cipher syntax to |
| define JSSE ciphers. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Correct a logic error in the <code>JasperElResolver</code>. There was no |
| functional impact but the code was less efficient as a result of the |
| error. Based on a patch by martinschaef. (markt) |
| </fix> |
| <fix> |
| <bug>56568</bug>: Enable any HTTP method to be used to request a JSP |
| page that has the <code>isErrorPage</code> page directive set to |
| <code>true</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| Extend support for the <code>permessage-deflate</code> extension to |
| compression of outgoing messages on the server side. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>56323</bug>: Include the <code>*.bat</code> files when installing |
| Tomcat via the Windows installer. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.11 (markt)" rtext="2014-08-22"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>56658</bug>: Fix regression that a context was inaccessible after |
| reload. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56710</bug>: Do not map requests to servlets when context is |
| being reloaded. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56712</bug>: Fix session idle time calculations in |
| <code>PersistenceManager</code>. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56717</bug>: Fix duplicate registration of |
| <code>MapperListener</code> during repeated starts of embedded Tomcat. |
| (kkolinko) |
| </fix> |
| <add> |
| <bug>56724</bug>: Write an error message to Tomcat logs if container |
| background thread is aborted unexpectedly. (kkolinko) |
| </add> |
| <fix> |
| When scanning class files (e.g. for annotations) and reading the number |
| of parameters in a <code>MethodParameters</code> structure only read a |
| single byte (rather than two bytes) as per the JVM specification. Patch |
| provided by Francesco Komauli. (markt) |
| </fix> |
| <fix> |
| Allow the JNDI Realm to start even if the directory is not available. |
| The directory not being available is not fatal once the Realm is started |
| and it need not be fatal when the Realm starts. Based on a patch by |
| Cédric Couralet. (markt) |
| </fix> |
| <fix> |
| <bug>56736</bug>: Avoid an incorrect <code>IllegalStateException</code> |
| if the async timeout fires after a non-container thread has called |
| <code>AsyncContext.dispatch()</code> but before a container thread |
| starts processing the dispatch. (markt) |
| </fix> |
| <fix> |
| <bug>56739</bug>: If an application handles an error on an application |
| thread during asynchronous processing by calling |
| <code>HttpServletResponse.sendError()</code>, then ensure that the |
| application is given an opportunity to report that error via an |
| appropriate application defined error page if one is configured. (markt) |
| </fix> |
| <fix> |
| <bug>56784</bug>: Fix a couple of rare but theoretically possible |
| atomicity bugs. (markt) |
| </fix> |
| <fix> |
| <bug>56785</bug>: Avoid <code>NullPointerException</code> if directory |
| exists on the class path that is not readable by the Tomcat user. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56796</bug>: Remove unnecessary sleep when stopping a web |
| application. (markt) |
| </fix> |
| <fix> |
| <bug>56801</bug>: Improve performance of |
| <code>org.apache.tomcat.util.file.Matcher</code> which is used to filter JARs |
| for scanning during web application start. Based on a patch by Sheldon |
| Shao. (markt) |
| </fix> |
| <fix> |
| <bug>56815</bug>: When the <code>gzip</code> option is enabled for the |
| <code>DefaultServlet</code> ensure that a suitable <code>Vary</code> |
| header is returned for resources that might be returned directly in |
| compressed form. (markt) |
| </fix> |
| <fix> |
| Do not mark threads from the container thread pool as container threads |
| when being used to process <code>AsyncContext.start(Runnable)</code> so |
| processing is correctly transferred back to a genuine container thread |
| when necessary. (markt) |
| </fix> |
| <add> |
| Add simple caching for calls to <code>StandardRoot.getResources()</code> |
| in the new (for 8.0.x) resources implementation. (markt) |
| </add> |
| <fix> |
| <bug>56825</bug>: Enable pre-emptive authentication to work with the |
| SSL authenticator. Based on a patch by jlmonteiro. (markt) |
| </fix> |
| <fix> |
| <bug>56840</bug>: Avoid NPE when the rewrite valve is mapped to |
| a context. (remm) |
| </fix> |
| <fix> |
| Correctly handle multiple <code>accept-language</code> headers rather |
| than just using the first header to determine the user's preferred |
| Locale. (markt) |
| </fix> |
| <fix> |
| <bug>56848</bug>: Improve handling of <code>accept-language</code> |
| headers. (markt) |
| </fix> |
| <fix> |
| <bug>56857</bug>: Fix thread safety issue when calling ServletContext |
| methods while running under a security manager. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix NIO2 sendfile state tracking and error handling to fix |
| various corruption issues. (remm) |
| </fix> |
| <fix> |
| Missing timeout for NIO2 sendfile writes. (remm) |
| </fix> |
| <fix> |
| Allow inline processing for NIO2 sendfile and optimize keepalive |
| behavior. (remm) |
| </fix> |
| <fix> |
| Fix excessive NIO2 sendfile direct memory use in some cases, sendfile |
| will now instead use the regular socket write buffer as configured. |
| (remm) |
| </fix> |
| <fix> |
| <bug>56661</bug>: Fix <code>getLocalAddr()</code> for AJP connectors. |
| The complete fix is only available with a recent AJP forwarder like |
| the forthcoming mod_jk 1.2.41. (rjung) |
| </fix> |
| <fix> |
| Use default ciphers defined as |
| <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5</code> so |
| that no weak ciphers are enabled by default. (remm) |
| </fix> |
| <fix> |
| <bug>56780</bug>: Enable Tomcat to start when using SSL with an IBM JRE |
| in strict SP800-131a mode. (markt) |
| </fix> |
| <fix> |
| <bug>56810</bug>: Remove use of Java 8 specific API calls in unit tests |
| for OpenSSL to JSSE cipher conversion. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>56709</bug>: Fix system property name in a log message. Submitted |
| by Robert Kish. (remm) |
| </fix> |
| <fix> |
| <bug>56797</bug>: When matching a method in an EL expression, do not |
| treat bridge methods as duplicates of the method they bridge to. In this |
| case always call the target of the bridge method. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>56746</bug>: Allow secure WebSocket client threads to use the |
| current context class loader rather than explicitly setting it to the |
| class loader that loaded the WebSocket implementation. This allows |
| WebSocket client connections from within web applications to access, |
| amongst other things, the JNDI resources associated with the web |
| application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the label in the list of sessions by idle time for the bin that |
| represents the idle time immediately below the maximum permitted idle |
| time when using the expire command of the Manager application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>53088</bug>: More identifiable thread name. (fhanik) |
| </fix> |
| <fix> |
| <bug>53200</bug>: Selective logging for slow versus failed queries. |
| (fhanik) |
| </fix> |
| <fix> |
| <bug>53853</bug>: More flexible classloading. (fhanik) |
| </fix> |
| <fix> |
| <bug>54225</bug>: Disallow empty init SQL. (fhanik) |
| </fix> |
| <fix> |
| <bug>54227</bug>: Evaluate max age upon borrow. (fhanik) |
| </fix> |
| <fix> |
| <bug>54235</bug>: Disallow nested pools exploitating using data source. |
| (fhanik) |
| </fix> |
| <fix> |
| <bug>54395</bug>: Fix JDBC interceptor parsing bug. (fhanik) |
| </fix> |
| <fix> |
| <bug>54537</bug>: Performance improvement in |
| <code>StatementFinalizer</code>. (fhanik) |
| </fix> |
| <fix> |
| <bug>54978</bug>: Make sure proper connection validation always happens, |
| regardless of config. (fhanik) |
| </fix> |
| <fix> |
| <bug>56318</bug>: Ability to trace statement creation in |
| <code>StatementFinalizer</code>. (fhanik) |
| </fix> |
| <fix> |
| <bug>56789</bug>: getPool() returns the actual pool, always. (fhanik) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>56788</bug>: Display the full version in the list of installed |
| applications when installed via the Windows installer package. Patch |
| provided by Alexandre Garnier. (markt) |
| </add> |
| <add> |
| <bug>56829</bug>: Add the ability for users to define their own values |
| for <code>_RUNJAVA</code> and <code>_RUNJDB</code> environment |
| variables. Be more strict with executable filename on Windows |
| (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.10 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>44312</bug>: Log an error if there is a conflict between Host and |
| Alias names. Improve host management methods in <code>Mapper</code> |
| to avoid occasionally removing a wrong host. Check that host management |
| operations are performed on the host and not on an alias. (kkolinko) |
| </fix> |
| <scode> |
| <bug>56611</bug>: Refactor code to remove inefficient calls to |
| <code>Method.isAnnotationPresent()</code>. Based on a patch by Jian Mou. |
| (markt/kkolinko) |
| </scode> |
| <fix> |
| Fix regression in |
| <code>StandardContext.removeApplicationListener()</code>, introduced by |
| the fix for bug <bug>56588</bug>. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56653</bug>: Fix concurrency issue with lists of contexts in |
| <code>Mapper</code> when stopping Contexts. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56657</bug>: When using parallel deployment, if the same session id |
| matches different versions of a web application, prefer the latest |
| version. Ensure that remapping selects the version that we expect. |
| (kkolinko) |
| </fix> |
| <fix> |
| Assert that mapping result object is empty before performing mapping |
| work in <code>Mapper</code>. (kkolinko) |
| </fix> |
| <scode> |
| Remove <code>context</code> and <code>wrapper</code> fields in |
| <code>Request</code> class and deprecate their setters. (kkolinko) |
| </scode> |
| <fix> |
| <bug>56658</bug>: Avoid delay between registrations of mappings for |
| context and for its servlets. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56665</bug>: Correct the generation of the effective web.xml when |
| elements contain an empty string as value. (violetagg) |
| </fix> |
| <fix> |
| Fix storeconfig exception routing issues, so that a major problem |
| should avoid configuration overwrite. (remm) |
| </fix> |
| <fix> |
| Add configuration fields for header names in SSLValve. (remm) |
| </fix> |
| <fix> |
| <bug>56666</bug>: When clearing the SSO cookie use the same values for |
| domain, path, httpOnly and secure as were used to set the SSO cookie. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56677</bug>: Ensure that |
| <code>HttpServletRequest.getServletContext()</code> returns the correct |
| value during a cross-context dispatch. (markt) |
| </fix> |
| <fix> |
| <bug>56684</bug>: Ensure that Tomcat does not shut down if the socket |
| waiting for the shutdown command experiences a |
| <code>SocketTimeoutException</code>. (markt) |
| </fix> |
| <fix> |
| <bug>56693</bug>: Fix various issues in the static resource cache |
| implementation where the cache retained a stale entry after the |
| successful completion of an operation that always invalidates the cache |
| entry such as a delete operation. |
| (markt) |
| </fix> |
| <fix> |
| When the current PathInfo is modified as a result of dispatching a |
| request, ensure that a call to |
| <code>HttpServletRequest.getPathTranslated()</code> returns a value that |
| is based on the modified PathInfo. (markt) |
| </fix> |
| <fix> |
| <bug>56698</bug>: When persisting idle sessions, only persist newly idle |
| sessions. Patch provided by Felix Schumacher. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>56663</bug>: Fix edge cases demonstrated by ByteCounter relating |
| to data available, remaining and extra write events, mostly occurring |
| with non blocking Servlet 3.1. (remm) |
| </fix> |
| <fix> |
| Avoid possible NPE stopping endpoints that are not started (stop |
| shouldn't do anything in that case). (remm) |
| </fix> |
| <add> |
| <bug>56704</bug>: Add support for OpenSSL syntax for ciphers when |
| using JSSE SSL connectors. Submitted by Emmanuel Hugonnet. (remm) |
| </add> |
| <update> |
| Allow to configure <code>maxSwallowSize</code> attribute of an HTTP |
| connector via JMX. (kkolinko) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>56543</bug>: Update to the Eclipse JDT Compiler 4.4. (violetagg) |
| </fix> |
| <fix> |
| <bug>56652</bug>: Add support for method parameters that use arrays and |
| varargs to <code>ELProcessor.defineFunction()</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| Add support for the <code>permessage-deflate</code> extension. This is |
| currently limited to decompressing incoming messages on the server side. |
| It is expected that support will be extended to outgoing messages and to |
| the client side shortly. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Attempt to obfuscate session cookie values associated with other web |
| applications when viewing HTTP request headers with the Cookies example |
| from the examples web application. This reduces the opportunity to use |
| this example for malicious purposes should the advice to remove the |
| examples web application from security sensitive systems be ignored. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56694</bug>: Remove references to <code>Manager</code> attribute |
| <code>checkInterval</code> from documentation and Javadoc since it no |
| longer exists. Based on a patch by Felix Schumacher. Also remove other |
| references to <code>checkInterval</code> that are no longer valid. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the API stability section of the release notes now that Tomcat 8 |
| has had its first stable release. (markt) |
| </update> |
| <update> |
| Improve <code>build.xml</code> so that when Eclipse JDT Compiler is |
| updated, it will delete the old JAR from <code>build/lib</code> |
| directory. (kkolinko) |
| </update> |
| <scode> |
| Simplify implementation of "setproxy" target in <code>build.xml</code>. |
| (kkolinko) |
| </scode> |
| <update> |
| Update optional Checkstyle library to 5.7. (kkolinko) |
| </update> |
| <update> |
| <bug>56596</bug>: Update to Tomcat Native Library version 1.1.31 to |
| pick up the Windows binaries that are based on OpenSSL 1.0.1h. (markt) |
| </update> |
| <fix> |
| <bug>56685</bug>: Add quotes necessary for <code>daemon.sh</code> to |
| work correctly on Solaris. Based on a suggestion by lfuka. (markt) |
| </fix> |
| <update> |
| Update package renamed Apache Commons Pool2 to r1609323 to pick up various |
| bug fixes. (markt) |
| </update> |
| <update> |
| Update package renamed Apache Commons DBCP2 to r1609329 to pick up a |
| minor bug fix. (markt) |
| </update> |
| <update> |
| Update package renamed Apache Commons FileUpload to r1596086 to pick up |
| various bug fixes. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.9 (markt)" rtext="2014-06-24"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>55282</bug>: Ensure that one and the same application listener is |
| added only once when starting the web application. (violetagg) |
| </fix> |
| <fix> |
| <bug>55975</bug>: Apply consistent escaping for double quote and |
| backslash characters when escaping cookie values. (markt) |
| </fix> |
| <scode> |
| <bug>56387</bug>: Improve the code that handles an attempt to load a |
| class after a web application has been stopped. Use common code to handle |
| this case regardless of the access path and don't throw an exception |
| purely to log a stack trace. (markt) |
| </scode> |
| <scode> |
| <bug>56399</bug>: Improve implementation of CoyoteAdapter.checkRecycled() |
| so that it does not use an exception for flow control. (kkolinko) |
| </scode> |
| <add> |
| <bug>56461</bug>: New <code>failCtxIfServletStartFails</code> attribute |
| on Context and Host configuration to force the context startup to fail |
| if a load-on-startup servlet fails its startup. (slaurent) |
| </add> |
| <add> |
| <bug>56526</bug>: Improved the <code>StuckThreadDetectionValve</code> to |
| optionally interrupt stuck threads to attempt to unblock them. |
| (slaurent) |
| </add> |
| <fix> |
| <bug>56545</bug>: Pre-load two additional classes, the loading of which |
| may otherwise be triggered by a web application which in turn would |
| trigger an exception when running under a security manager. (markt) |
| </fix> |
| <update> |
| <bug>56546</bug>: Reduce logging level for stack traces of stuck web |
| application threads printed by WebappClassLoader.clearReferencesThreads() |
| from error to info. (kkolinko) |
| </update> |
| <scode> |
| Refactor and simplify common code in object factories in |
| <code>org.apache.catalina.naming</code> package, found thanks to Simian |
| (Similarity Analyser) tool. Improve handling of Throwable. |
| (markt/kkolinko) |
| </scode> |
| <fix> |
| Relax cookie naming restrictions. Cookie attribute names used in the |
| <code>Set-Cookie</code> header may be used unambiguously as cookie |
| names. The restriction that prevented such usage has been removed. |
| (jboynes/markt) |
| </fix> |
| <fix> |
| Further relax cookie naming restrictions. Version 0 (a.k.a Netscape |
| format) cookies may now use names that start with the <code>$</code> |
| character. (jboynes/markt) |
| </fix> |
| <fix> |
| Restrict cookie naming so that the <code>=</code> character is no longer |
| permitted in a version 0 (a.k.a. Netscape format) cookie name. While |
| Tomcat allowed this, browsers always truncated the name at the |
| <code>=</code> character leading to a mis-match between the cookie the |
| server set and the cookie returned by the browser. (jboynes/markt) |
| </fix> |
| <add> |
| Add a simple <code>ServiceLoader</code> based discovery mechanism to the |
| JULI <code>LogFactory</code> to make it easier to use JULI and Tomcat |
| components that depend on JULI (such as Jasper) independently from |
| Tomcat. Patch provided by Greg Wilkins. (markt) |
| </add> |
| <fix> |
| <bug>56578</bug>: Correct regression in the fix for <bug>56339</bug> |
| that prevented sessions from expiring when using clustering. (markt) |
| </fix> |
| <fix> |
| <bug>56588</bug>: Remove code previously added to enforce the |
| requirements of section 4.4 of the Servlet 3.1 specification. The code |
| is no longer required now that Jasper initialization has been refactored |
| and TLD defined listeners are added via a different code path that |
| already enforces the specification requirements. (markt) |
| </fix> |
| <fix> |
| <bug>56600</bug>: In WebdavServlet: Do not waste time generating |
| response for broken PROPFIND request. (kkolinko) |
| </fix> |
| <fix> |
| Provide a better error message when asynchronous operations are not |
| supported by a filter or servlet. Patch provided by Romain Manni-Bucau. |
| (violetagg) |
| </fix> |
| <fix> |
| <bug>56606</bug>: User entries in <code>tomcat-users.xml</code> file |
| are recommended to use "username" attribute rather than legacy "name" |
| attribute. Fix inconsistencies in Windows installer, examples. Update |
| digester rules and documentation for <code>MemoryRealm</code>. |
| (markt/kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>56518</bug>: When using NIO, do not attempt to write to the socket |
| if the thread is marked interrupted as this will lead to a connection |
| limit leak. This fix was based on analysis of the issue by hanyong. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56521</bug>: Re-use the asynchronous write buffer between writes to |
| reduce allocation and GC overhead. Based on a patch by leonzhx. Also |
| make the buffer size configurable and remove copying of data within |
| buffer when the buffer is only partially written on a subsequent write. |
| (markt) |
| </fix> |
| <fix> |
| Ensure that a request without a body is correctly handled during Comet |
| processing. This fixes the Comet chat example. (markt) |
| </fix> |
| <fix> |
| Fix input concurrency issue in NIO2 upgrade. (remm) |
| </fix> |
| <fix> |
| Correct a copy/paste error and return a 500 response rather than a 400 |
| response when an internal server error occurs in the early stages of |
| request processing. (markt) |
| </fix> |
| <scode> |
| <bug>56582</bug>: Use switch(actionCode) in processors instead of a |
| chain of "elseif"s. (kkolinko) |
| </scode> |
| <fix> |
| <bug>56582#c1</bug>: Implement DISPATCH_EXECUTE action for AJP |
| connectors. (kkolinko) |
| </fix> |
| <fix> |
| Fix CVE-2014-0227: |
| Various improvements to ChunkedInputFilter including clean-up, i18n for |
| error messages and adding an error flag to allow subsequent attempts at |
| reading after an error to fail fast. (markt) |
| </fix> |
| <fix> |
| If request contains an unrecognized Expect header, respond with error |
| 417 (Expectation Failed), according to RFC2616 chapter 14.20. (markt) |
| </fix> |
| <fix> |
| When an error occurs after the response has been committed close the |
| connection immediately rather than attempting to finish the response to |
| make it easier for the client to differentiate between a complete |
| response and one that failed part way through. (markt) |
| </fix> |
| <scode> |
| Remove the beta tag from the NIO2 connectors. (remm) |
| </scode> |
| <fix> |
| <bug>56620</bug>: Avoid bogus access log entries when pausing the NIO |
| HTTP connector and ensure that access log entries generated by error |
| conditions use the correct request start time. (markt) |
| </fix> |
| <fix> |
| Improve configuration of cache sizes in the endpoint. (markt) |
| </fix> |
| <add> |
| Fix CVE-2014-0230: |
| Add a new limit, defaulting to 2MB, for the amount of data Tomcat will |
| swallow for an aborted upload. The limit is configurable by |
| <code>maxSwallowSize</code> attribute of an HTTP connector. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>56334#c15</bug>: Fix a regression in EL parsing when quoted string |
| follows a whitespace. (kkolinko/markt) |
| </fix> |
| <update> |
| <bug>56543</bug>: Update to the Eclipse JDT Compiler 4.4RC4 to pick up |
| some fixes for Java 8 support. (markt/kkolinko) |
| </update> |
| <fix> |
| <bug>56561</bug>: Avoid <code>NoSuchElementException</code> while |
| handling attributes with empty string value. (violetagg) |
| </fix> |
| <scode> |
| Do not configure a <code>JspFactory</code> in the |
| <code>JasperInitializer</code> if one has already been set as might be |
| the case in some embedding scenarios. (markt) |
| </scode> |
| <add> |
| Add a simple implementation of <code>InstanceManager</code> and have |
| Jasper use it if no other <code>InstanceManager</code> is provided. This |
| makes it easier to use Jasper independently from Tomcat. Patch provided |
| by Greg Wilkins. (markt) |
| </add> |
| <fix> |
| <bug>56568</bug>: Allow any HTTP method when a JSP is being used as an |
| error page. (markt) |
| </fix> |
| <update> |
| <bug>56581</bug>: If an error on a JSP page occurs when response has |
| already been committed, do not clear the buffer of JspWriter, but flush |
| it. This makes it clearer where the error occurred. (kkolinko) |
| </update> |
| <fix> |
| <bug>56612</bug>: Correctly parse two consecutive escaped single quotes |
| when used in UEL expression in a JSP. (markt) |
| </fix> |
| <update> |
| Move code that parses EL expressions within JSP template text from |
| <code>Parser</code> to <code>JspReader</code> class for better |
| performance. (kkolinko) |
| </update> |
| <fix> |
| <bug>56636</bug>: Correctly identify the required method when specified |
| via <code>ELProcessor.defineFunction(String,String,String,String)</code> |
| when using Expression Language. (markt) |
| </fix> |
| <fix> |
| <bug>56638</bug>: When using |
| <code>ELProcessor.defineFunction(String,String,String,String)</code> and |
| no function name is specified, use the method name as the function name |
| as required by the specification. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <scode> |
| <bug>56446</bug>: Clearer handling of exceptions when calling a method |
| on a POJO based WebSocket endpoint. Based on a suggestion by Eugene |
| Chung. (markt) |
| </scode> |
| <fix> |
| When a WebSocket client attempts to write to a closed connection, handle |
| the resulting <code>IllegalStateException</code> in a manner consistent |
| with the handling of an <code>IOException</code>. (markt) |
| </fix> |
| <fix> |
| Add more varied endpoints for echo testing. (remm) |
| </fix> |
| <fix> |
| <bug>56577</bug>: Improve the executor configuration used for the |
| callbacks associated with asynchronous writes. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Set the path for cookies created by the examples web application so they |
| are only returned to the examples application. This reduces the opportunity |
| for using such cookies for malicious purposes should the advice to |
| remove the examples web application from security sensitive systems be |
| ignored. (markt/kkolinko) |
| </fix> |
| <fix> |
| Attempt to obfuscate session cookie values associated with other web |
| applications when viewing HTTP request headers with the Request Header |
| example from the examples web application. This reduces the opportunity |
| to use this example for malicious purposes should the advice to remove |
| the examples web application from security sensitive systems be ignored. |
| (markt) |
| </fix> |
| <add> |
| Add options for all of the WebSocket echo endpoints to the WebSocket |
| echo example in the examples web application. (markt) |
| </add> |
| <fix> |
| Ensure that the asynchronous WebSocket echo endpoint in the examples |
| web application always waits for the previous message to complete before |
| it sends the next. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update package renamed Apache Commons DBCP2 to r1596858. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.8 (markt)" rtext="beta, 2014-05-21"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>56536</bug>: Ensure that |
| <code>HttpSessionBindingListener.valueUnbound()</code> uses the correct |
| class loader when the <code>SingleSignOn</code> valve is used. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>56529</bug>: Avoid <code>NoSuchElementException</code> while handling |
| attributes with empty string value in custom tags. Patch provided by |
| Hariprasad Manchi. (violetagg) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.7 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>56523</bug>: When using SPNEGO authentication, log the exceptions |
| associated with failed user logins at debug level rather than error |
| level. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>56399</bug>: Assert that both Coyote and Catalina request objects |
| have been properly recycled. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>56522</bug>: When setting a value for a |
| <code>ValueExpression</code>, ensure that the expected coercions take |
| place such as a <code>null</code> string being coerced to an empty |
| string. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Copy missing resources file from Apache Commons DBCP 2 to packaged |
| renamed copy of DBCP 2. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.6 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Fix extension validation which was broken by refactoring for new |
| resources implementation. (markt) |
| </fix> |
| <fix> |
| Fix custom UTF-8 decoder so that a byte of value 0xC1 is always rejected |
| immediately as it is never valid in a UTF-8 byte sequence. Update UTF-8 |
| decoder tests to account for UTF-8 decoding improvements in Java 8. |
| The custom UTF-8 decoder is still required due to bugs in the UTF-8 |
| decoder provided by Java. Java 8's decoder is better than Java |
| 7's but it is still buggy. (markt) |
| </fix> |
| <fix> |
| <bug>56027</bug>: Add more options for managing FIPS mode in the |
| AprLifecycleListener. (schultz/kkolinko) |
| </fix> |
| <fix> |
| <bug>56320</bug>: Fix a file descriptor leak in the default servlet when |
| sendfile is used. (markt) |
| </fix> |
| <fix> |
| <bug>56321</bug>: When a WAR is modified, undeploy the web application |
| before deleting any expanded directory as the undeploy process may |
| refer to classes that need to be loaded from the expanded directory. If |
| the expanded directory is deleted first, any attempt to load a new class |
| during undeploy will fail. (markt) |
| </fix> |
| <fix> |
| <bug>56327</bug>: Enable AJP as well as HTTP connectors to be created |
| via JMX. Patch by kiran. (markt) |
| </fix> |
| <fix> |
| <bug>56339</bug>: Avoid an infinite loop if an application calls |
| <code>session.invalidate()</code> from the session destroyed event for |
| that session. (markt) |
| </fix> |
| <scode> |
| <bug>56365</bug>: Simplify file name pattern matching code in |
| <code>StandardJarScanner</code>. Improve documentation. (kkolinko) |
| </scode> |
| <fix> |
| Ensure that the static resource cache is able to detect when a cache |
| entry is invalidated by being overridden by a new resource in a |
| different <code>WebResourceSet</code>. (markt) |
| </fix> |
| <fix> |
| <bug>56369</bug>: Ensure that removing an MBean notification listener |
| reverts all the operations performed when adding an MBean notification |
| listener. (markt) |
| </fix> |
| <scode> |
| Improve implementation of <code>Lifecycle</code> for |
| <code>WebappClassLoader</code>. State is now correctly reported rather |
| than always reporting as <code>NEW</code>. (markt) |
| </scode> |
| <add> |
| <bug>56382</bug>: Information about finished deployment and its execution |
| time is added to the log files. Patch is provided by Danila Galimov. |
| (violetagg) |
| </add> |
| <add> |
| <bug>56383</bug>: Properties for disabling server information and error |
| report are added to the <code>org.apache.catalina.valves.ErrorReportValve</code>. |
| Based on the patch provided by Nick Bunn. (violetagg/kkolinko) |
| </add> |
| <fix> |
| <bug>56390</bug>: Fix JAR locking issue with JARs containing TLDs and |
| the TLD cache that prevented the undeployment of web applications when |
| the WAR was deleted. (markt) |
| </fix> |
| <fix> |
| Fix CVE-2014-0119: |
| Only create XML parsing objects if required and fix associated potential |
| memory leak in the default Servlet. |
| Extend XML factory, parser etc. memory leak protection to cover some |
| additional locations where, theoretically, a memory leak could occur. |
| (markt) |
| </fix> |
| <fix> |
| Modify generic exception handling so that |
| <code>StackOverflowError</code> is not treated as a fatal error and can |
| be handled and/or logged as required. (markt) |
| </fix> |
| <fix> |
| <bug>56409</bug>: Avoid <code>StackOverflowError</code> on non-Windows |
| systems if a file named <code>\</code> is encountered when scanning for |
| TLDs. (markt) |
| </fix> |
| <add> |
| <bug>56430</bug>: Extend checks for suspicious URL patterns to include |
| patterns of the form <code>*.a.b</code> which are not valid patterns for |
| extension mappings. (markt) |
| </add> |
| <fix> |
| <bug>56441</bug>: Raise the visibility of exceptions thrown when a |
| problem is encountered calling a getter or setter on a component |
| attribute. The logging level is raised from debug to warning. (markt) |
| </fix> |
| <add> |
| <bug>56463</bug>: Property for disabling server information is added to |
| the <code>DefaultServlet</code>. Server information is presented in the |
| response sent to the client when directory listings are enabled. |
| (violetagg) |
| </add> |
| <fix> |
| <bug>56472</bug>: Allow NamingContextListener to clean up on stop if its |
| start failed. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56481</bug>: Work around case insensitivity issue in |
| <code>URLClassLoader</code> exposed by some recent refactoring. (markt) |
| </fix> |
| <add> |
| <bug>56492</bug>: Avoid the Eclipse debugger pausing on uncaught exceptions |
| when Tomcat renews its threads. (slaurent) |
| </add> |
| <add> |
| Add the <code>org.apache.naming</code> package to the packages requiring |
| code to have the <code>defineClassInPackage</code> permission when |
| running under a security manager. (markt) |
| </add> |
| <fix> |
| Make the naming context tokens for containers more robust by using a |
| separate object. Require RuntimePermission when introducing a new token. |
| (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>56501</bug>: <code>HttpServletRequest.getContextPath()</code> |
| should return the undecoded context path used by the user agent. (markt) |
| </fix> |
| <fix> |
| Minor fixes to <code>ThreadLocalLeakPreventionListener</code>. Do not |
| trigger threads renewal for failed contexts. Do not ignore |
| <code>threadRenewalDelay</code> setting. Improve documentation. (kkolinko) |
| </fix> |
| <fix> |
| Correct regression introduced in <rev>1239520</rev> that broke loading |
| of users from <code>tomcat-users.xml</code> when using the |
| <code>JAASMemoryLoginModule</code>. (markt) |
| </fix> |
| <fix> |
| Correct regression introduced in <rev>797162</rev> that broke |
| authentication of users when using the |
| <code>JAASMemoryLoginModule</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| More cleanup of NIO2 endpoint shutdown. (remm) |
| </fix> |
| <fix> |
| <bug>56336</bug>: AJP output corruption and errors. (remm) |
| </fix> |
| <fix> |
| Handle various cases of incomplete writes in NIO2. (remm) |
| </fix> |
| <scode> |
| Code cleanups and i18n in NIO2. (remm) |
| </scode> |
| <fix> |
| Fix extra onDataAvailable calls in the NIO2 connector. (remm) |
| </fix> |
| <fix> |
| Fix gather writes in NIO2 SSL. (remm) |
| </fix> |
| <scode> |
| Upgrade the NIO2 connectors to beta, but still not ready for production. (remm) |
| </scode> |
| <scode> |
| Fix code duplication between NIO and NIO2. (remm) |
| </scode> |
| <fix> |
| <bug>56348</bug>: Fix slow asynchronous read when read was performed on |
| a non-container thread. (markt) |
| </fix> |
| <fix> |
| <bug>56416</bug>: Correct documentation for default value of socket |
| linger for the AJP and HTTP connectors. (markt) |
| </fix> |
| <fix> |
| Fix possible corruption if doing keepalive after a comet request. (remm) |
| </fix> |
| <fix> |
| <bug>56518</bug>: Fix connection limit latch leak when a non-container |
| thread is interrupted during asynchronous processing. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>56334</bug>: Fix a regression in the handling of back-slash |
| escaping introduced by the fix for <bug>55735</bug>. (markt/kkolinko) |
| </fix> |
| <fix> |
| <bug>56425</bug>: Improve method matching for EL expressions. When |
| looking for matching methods, an exact match between parameter types is |
| preferred followed by an assignable match followed by a coercible match. |
| (markt) |
| </fix> |
| <fix> |
| Correct the handling of back-slash escaping in the EL parser and no |
| longer require that <code>\$</code> or <code>\#</code> must be followed |
| by <code>{</code> in order for the back-slash escaping to take effect. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <scode> |
| Remove the implementation of |
| <code>org.apache.catalina.LifecycleListener</code> from |
| <code>org.apache.catalina.ha.tcp.SimpleTcpCluster</code>. |
| <code>SimpleTcpCluster</code> does not work as |
| <code>LifecycleListener</code>, it works as nested components of Host or |
| Engine. (kfujino) |
| </scode> |
| <fix> |
| Remove cluster and replicationValve from cluster manager template. These |
| instances are not necessary in the template. (kfujino) |
| </fix> |
| <fix> |
| Add support for cross context session replication to |
| <code>org.apache.catalina.ha.session.BackupManager</code>. (kfujino) |
| </fix> |
| <fix> |
| Remove the unnecessary cross context check. It does not matter whether |
| the context that is referenced by other context is set to |
| <code>crossContext</code>=true. The context that refers to the different |
| context must be set to <code>crossContext</code>=true. (kfujino) |
| </fix> |
| <scode> |
| Move the common logic of |
| <code>org.apache.catalina.ha.session.BackupManager</code> and |
| <code>org.apache.catalina.ha.session.DeltaManager</code> to |
| <code>org.apache.catalina.ha.session.ClusterManagerBase</code>. (kfujino) |
| </scode> |
| <scode> |
| Simplify the code of <code>o.a.c.ha.tcp.SimpleTcpCluster</code>. In |
| order to add or remove cluster valve to Container, use pipeline instead |
| of <code>IntrospectionUtils</code>. (kfujino) |
| </scode> |
| <fix> |
| There is no need to set cluster instance when |
| <code>SimpleTcpCluster.unregisterClusterValve</code> is called. |
| Set null rather than the cluster instance for cleanup. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>56343</bug>: Avoid a NPE if Tomcat's Java WebSocket 1.0 |
| implementation is used with the Java WebSocket 1.0 API JAR from the |
| reference implementation. (markt) |
| </fix> |
| <fix> |
| Increase the default maximum size of the executor used by the WebSocket |
| implementation for call backs associated with asynchronous writes from |
| 10 to 200. (markt) |
| </fix> |
| <add> |
| Add a warning if the thread group created for WebSocket asynchronous |
| write call backs can not be destroyed when the web application is |
| stopped. (markt) |
| </add> |
| <fix> |
| Ensure that threads created to support WebSocket clients are stopped |
| when no longer required. This will happen automatically for WebSocket |
| client connections initiated by web applications but stand alone clients |
| must call <code>WsWebSocketContainer.destroy()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>56449</bug>: When creating a new session, add the message handlers |
| to the session before calling <code>Endpoint.onOpen()</code> so the |
| message handlers are in place should the <code>onOpen()</code> method |
| trigger the sending of any messages. (markt) |
| </fix> |
| <fix> |
| <bug>56458</bug>: Report WebSocket sessions that are created over secure |
| connections as secure rather than as not secure. (markt) |
| </fix> |
| <fix> |
| Stop threads used for secure WebSocket client connections when they are |
| no longer required and give them better names for easier debugging while |
| they are running. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Add support for <code>copyXML</code> attribute of Host to Host Manager. |
| (kfujino) |
| </fix> |
| <fix> |
| Ensure that the "name" request parameter is used as the application base of |
| the host if the "webapps" request parameter is not set when adding a host in |
| the HostManager Application. (kfujino) |
| </fix> |
| <fix> |
| Correct documentation on Windows service options, aligning it with |
| Apache Commons Daemon documentation. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56418</bug>: Ensure that the Manager web application does not |
| report success for a web application deployment that fails. (slaurent) |
| </fix> |
| <update> |
| Improve valves documentation. Split valves into groups. (kkolinko) |
| </update> |
| <fix> |
| <bug>56513</bug>: Make the documentation crystal clear that using |
| sendfile will disable any compression that Tomcat may otherwise have |
| applied to the response. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <scode> |
| Review source code and take advantage of Java 7's |
| try-with-resources syntax where possible. (markt) |
| </scode> |
| <fix> |
| Align DisplayName of Tomcat installed by <code>service.bat</code> with |
| one installed by the *.exe installer. Print a warning if neither |
| server nor client jvm is found by <code>service.bat</code>. (kkolinko) |
| </fix> |
| <update> |
| <bug>56363</bug>: Update to version 1.1.30 of Tomcat Native library. |
| (schultz) |
| </update> |
| <update> |
| Update package renamed Apache Commons BCEL to r1593495 to pick up some |
| additional changes for Java 7 support and some code clean up. (markt) |
| </update> |
| <update> |
| Update package renamed Apache Commons FileUpload to r1569132 to pick up |
| some small improvements (e.g. better <code>null</code> protection) and |
| some code clean up. (markt) |
| </update> |
| <update> |
| Update package renamed Apache Commons Codec to r1586336 to pick up some |
| Javadoc fixes and some code clean up. (markt) |
| </update> |
| <scode> |
| Switch to including Apache Commons DBCP via a package renamed svn copy |
| rather than building from a source release for consistency with other |
| Commons packages and to allow faster releases to fix DBCP related |
| issues. (markt) |
| </scode> |
| <update> |
| Update package renamed Apache Commons Pool2 and DBCP2 to r1593563 to |
| pick up various bug fixes. (markt) |
| </update> |
| <add> |
| In tests: allow configuration of the directory where JUnit reports and the |
| access log are written. (kkolinko) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.5 (markt)" rtext="beta, 2014-03-27"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Rework the fix for <bug>56190</bug> as the previous fix did not recycle |
| the request in all cases leading to mis-routing of requests. (markt) |
| </fix> |
| <fix> |
| Allow web applications to package tomcat-jdbc.jar and their JDBC driver |
| of choice in the web application. (markt) |
| </fix> |
| <fix> |
| <bug>56293</bug>: Cache resources loaded by the class loader from |
| <code>/META-INF/services/</code> for better performance for repeated |
| look ups. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix possibly incomplete final flush with NIO2 when using non blocking |
| mode. (remm) |
| </fix> |
| <fix> |
| Cleanup NIO2 endpoint shutdown. (remm) |
| </fix> |
| <fix> |
| Fix rare race condition notifying onWritePossible in the NIO2 |
| HTTP/1.1 connector. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>54475</bug>: Add Java 8 support to SMAP generation for JSPs. Patch |
| by Robbie Gibson. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>56273</bug>: If the Manager web application does not perform an |
| operation because the web application is already being serviced, report |
| an error rather than reporting success. (markt) |
| </fix> |
| <fix> |
| <bug>56304</bug>: Add a note to the documentation about not using |
| WebSocket with BIO HTTP in production. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.4 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Restore the ability to use the <code>addURL()</code> method of the |
| web application class loader to add external resources to the web |
| application. (markt) |
| </fix> |
| <fix> |
| Improve the robustness of web application undeployment based on some |
| code analysis triggered by the report for <bug>54315</bug>. (markt) |
| </fix> |
| <fix> |
| <bug>56125</bug>: Correctly construct the URL for a resource that |
| represents the root of a JAR file. (markt) |
| </fix> |
| <fix> |
| Generate a valid root element for the effective web.xml for a web |
| application for all supported versions of web.xml. (markt) |
| </fix> |
| <add> |
| Make it easier for applications embedding and/or extending Tomcat to |
| modify the <code>javaseClassLoader</code> attribute of the |
| <code>WebappClassLoader</code>. (markt) |
| </add> |
| <fix> |
| Add missing support for <code>&lt;deny-uncovered-http-methods&gt;</code> |
| element when merging web.xml files. (markt) |
| </fix> |
| <fix> |
| Improve merging process for web.xml files to take account of the |
| elements and attributes supported by the Servlet version of the merged |
| file. (markt) |
| </fix> |
| <fix> |
| Avoid <code>NullPointerException</code> in resource cache when making an |
| invalid request for a resource outside of the web application. (markt) |
| </fix> |
| <fix> |
| Remove an unnecessary null check identified by FindBugs. (markt) |
| </fix> |
| <add> |
| In WebappClassLoader, when reporting threads that are still running |
| while web application is being stopped, print their stack traces to |
| the log. (kkolinko) |
| </add> |
| <fix> |
| <bug>56190</bug>: The response should be closed (i.e. no further output |
| is permitted) when a call to <code>AsyncContext.complete()</code> takes |
| effect. (markt) |
| </fix> |
| <fix> |
| <bug>56236</bug>: Enable Tomcat to work with alternative Servlet and |
| JSP API JARs that package the XML schemas in such a way as to require |
| a dependency on the JSP API before enabling validation for web.xml. |
| Tomcat has no such dependency. (markt) |
| </fix> |
| <fix> |
| <bug>56244</bug>: Fix MBeans descriptor for WebappClassLoader MBean. |
| (kkolinko) |
| </fix> |
| <add> |
| Add a work around for validating XML documents (often TLDs) that use |
| just the file name to refer to the JavaEE schema on which they |
| are based. (markt) |
| </add> |
| <add> |
| Add methods to get the idle time from the last client access time to |
| <code>org.apache.catalina.Session</code>. (kfujino) |
| </add> |
| <fix> |
| <bug>56246</bug>: Fix NullPointerException in MemoryRealm when |
| authenticating an unknown user. (markt) |
| </fix> |
| <fix> |
| <bug>56248</bug>: Allow the deployer to update an existing WAR file |
| without undeploying the existing application if the update flag is set. |
| This allows any existing custom context.xml for the application to be |
| retained. To update an application and remove any existing context.xml |
| simply undeploy the old version of the application before deploying the |
| new version. (markt) |
| </fix> |
| <fix> |
| <bug>56253</bug>: When listing resources that are provided by a JAR, fix |
| possible <code>StringIndexOutOfBoundsException</code>s. Add some unit |
| tests for this and similar scenarios and fix the additional issues those |
| unit tests identified. Based on a patch by Larry Isaacs. (markt) |
| </fix> |
| <fix> |
| Fix CVE-2014-0096: |
| Redefine the <code>globalXsltFile</code> initialisation parameter of the |
| DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. |
| Prevent user supplied XSLTs used by the DefaultServlet from defining |
| external entities. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| In some circumstances asynchronous requests could time out too soon. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56172</bug>: Avoid possible request corruption when using the AJP |
| NIO connector and a request is sent using more than one AJP message. |
| Patch provided by Amund Elstad. (markt) |
| </fix> |
| <add> |
| Add experimental NIO2 connector. Based on code developed by |
| Nabil Benothman. (remm) |
| </add> |
| <fix> |
| Fix CVE-2014-0075: |
| Improve processing of chunk size from chunked headers. Avoid overflow |
| and use a bit shift instead of a multiplication as it is marginally |
| faster. (markt/kkolinko) |
| </fix> |
| <fix> |
| Fix CVE-2014-0095: |
| Correct regression introduced in 8.0.0-RC2 as part of the Servlet 3.1 |
| non-blocking IO support that broke handling of requests with an explicit |
| content length of zero. (markt/kkolinko) |
| </fix> |
| <fix> |
| Fix CVE-2014-0099: |
| Fix possible overflow when parsing long values from a byte array. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Change the default compiler source and compiler target versions to 1.7 |
| since Tomcat 8 requires a minimum of Java 7. (markt) |
| </fix> |
| <fix> |
| <bug>56179</bug>: Fix parsing of EL expressions that contain unnecessary |
| parentheses. (markt) |
| </fix> |
| <fix> |
| <bug>56177</bug>: Handle dependency tracking for TLDs when using JspC |
| with a tag library JAR that is located outside of the web application. |
| (markt) |
| </fix> |
| <fix> |
| Remove an unnecessary null check identified by FindBugs. (markt) |
| </fix> |
| <fix> |
| <bug>56199</bug>: Restore validateXml option for JspC which determines |
| if web.xml will be parsed with a validating parser. (markt) |
| </fix> |
| <fix> |
| <bug>56223</bug>: Throw an <code>IllegalStateException</code> if a call |
| is made to <code>ServletContext.setInitParameter()</code> after the |
| ServletContext has been initialized. (markt) |
| </fix> |
| <fix> |
| <bug>56265</bug>: Do not escape values of dynamic tag attributes |
| containing EL expressions. (kkolinko) |
| </fix> |
| <fix> |
| Make the default compiler source and target versions for JSPs Java 7 |
| since Tomcat 8 requires Java 7 as a minimum. (markt) |
| </fix> |
| <update> |
| <bug>56283</bug>: Update to the Eclipse JDT Compiler P20140317-1600 |
| which adds support for Java 8 syntax to JSPs. Add support for value |
| "1.8" for the <code>compilerSourceVM</code> and |
| <code>compilerTargetVM</code> options. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Avoid a possible deadlock when one thread is shutting down a connection |
| while another thread is trying to write to it. (markt) |
| </fix> |
| <fix> |
| Avoid NPE when flushing batched messages. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <add> |
| <bug>56093</bug>: Add the SSL Valve to the documentation web |
| application. (markt) |
| </add> |
| <fix> |
| <bug>56217</bug>: Improve readability by using left alignment for the |
| table cell containing the request information on the Manager application |
| status page. (markt) |
| </fix> |
| <fix> |
| Fixed <code>java.lang.NegativeArraySizeException</code> when using |
| "Expire sessions" command in the manager web application on a |
| context where the session timeout is disabled. (kfujino) |
| </fix> |
| <fix> |
| Add support for <code>LAST_ACCESS_AT_START</code> system property to |
| Manager web application. (kfujino) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>56115</bug>: Expose the <code>httpusecaches</code> property of |
| Ant's <code>get</code> task as some users may need to change the |
| default. Based on a suggestion by Anthony. (markt) |
| </fix> |
| <fix> |
| <bug>56143</bug>: Improve <code>service.bat</code> so that it can be |
| launched from a non-UAC console. This includes using a single call to |
| <code>tomcat8.exe</code> to install the Windows service rather than |
| three calls, and using command line arguments instead of environment |
| variables to pass the settings. (markt/kkolinko) |
| </fix> |
| <scode> |
| Simplify Windows *.bat files: remove %OS% checks, as current Java does |
| not run on ancient non-NT operating systems. (kkolinko) |
| </scode> |
| <fix> |
| Align options between <code>service.bat</code> and <code>exe</code> |
| Windows installer. For <code>service.bat</code> the changes are in |
| --Classpath, --DisplayName, --StartPath, --StopPath. For |
| <code>exe</code> installer the changes are in --JvmMs, --JvmMx options, |
| which are now 128 Mb and 256 Mb respectively instead of being empty. |
| Explicitly specify --LogPath path when uninstalling Windows service, |
| avoiding default value for that option. (kkolinko) |
| </fix> |
| <fix> |
| <bug>56137</bug>: Explicitly use NIO connector in SSL example in |
| server.xml so it doesn't break if APR is enabled. (markt) |
| </fix> |
| <fix> |
| <bug>56139</bug>: Avoid a web application class loader leak in some unit |
| tests when running on Windows. (markt) |
| </fix> |
| <fix> |
| Correct build script to avoid building JARs with empty packages. (markt) |
| </fix> |
| <add> |
| Allow to limit JUnit test run to a number of selected test case |
| methods. (kkolinko) |
| </add> |
| <update> |
| Update Commons Pool 2 to 2.2. (markt) |
| </update> |
| <update> |
| Update Commons DBCP 2 to the 2.0 release. (markt) |
| </update> |
| <fix> |
| <bug>56189</bug>: Remove unused file cpappend.bat from the distribution. |
| (markt) |
| </fix> |
| <fix> |
| <bug>56204</bug>: Remove unnecessary dependency between tasks in the |
| build script. (markt) |
| </fix> |
| <fix> |
| Add definition of <code>org.apache.catalina.ant.FindLeaksTask</code>. |
| (kfujino) |
| </fix> |
| <fix> |
| Implement <code>org.apache.catalina.ant.VminfoTask</code>, |
| <code>org.apache.catalina.ant.ThreaddumpTask</code> and |
| <code>org.apache.catalina.ant.SslConnectorCiphersTask</code>. (kfujino) |
| </fix> |
| <add> |
| Add the option to the Apache Ant tasks to ignore the constraint of the |
| first line of the response message that must be "OK -" |
| (<code>ignoreResponseConstraint</code> in <code>AbstractCatalinaTask</code>). |
| Default is false. (kfujino) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.3 (markt)" rtext="beta, 2014-02-11"> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Fix build of Apache Commons DBCP2 classes. (kkolinko) |
| </fix> |
| <update> |
| Update Commons DBCP 2 to snapshot 170 dated 07 Feb 2014. This enables |
| DBCP to work with a SecurityManager such that only DBCP needs to be |
| granted the necessary permissions to communicate with the database. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.2 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>56082</bug>: Fix a concurrency bug in JULI's LogManager |
| implementation. (markt) |
| </fix> |
| <fix> |
| <bug>56085</bug>: <code>ServletContext.getRealPath(String)</code> should |
| return <code>null</code> for invalid input rather than throwing an |
| <code>IllegalArgumentException</code>. (markt) |
| </fix> |
| <fix> |
| Fix WebDAV support that was broken by the refactoring for the new |
| resources implementation. (markt) |
| </fix> |
| <scode> |
| Simplify Catalina.initDirs(). (kkolinko) |
| </scode> |
| <fix> |
| <bug>56096</bug>: When the attribute <code>rmiBindAddress</code> of the |
| JMX Remote Lifecycle Listener is specified, its value will be used when |
| constructing the address of a JMX API connector server. Patch is |
| provided by Jim Talbut. (violetagg) |
| </fix> |
| <fix> |
| When an environment entry with the same name is defined both in the web |
| deployment descriptor and by annotation, the one specified in the |
| web deployment descriptor takes priority. (violetagg) |
| </fix> |
| <fix> |
| Fix passing the value of false for <code>xmlBlockExternal</code> option |
| of Context to Jasper, as the default was changed in 8.0.1. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Enable non-blocking reads to take place on non-container threads. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <scode> |
| Simplify the code of |
| <code>o.a.c.ha.tcp.SimpleTcpCluster.createManager(String)</code>. |
| Remove unnecessary class cast. (kfujino) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| In Manager web application improve handling of file upload errors. |
| Display a message instead of error 500 page. Simplify. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>56104</bug>: Correct the version number on the welcome page of the |
| Windows installer. (markt) |
| </fix> |
| <update> |
| Update Commons DBCP 2 to snapshot 168 dated 05 Feb 2014. (markt) |
| </update> |
| <fix> |
| Fix CVE-2014-0050, a denial of service with a malicious, malformed |
| Content-Type header and multipart request processing. Fixed by merging |
| latest code (r1565159) from Commons FileUpload. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.1 (markt)" rtext="beta, 2014-02-02"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Change default value of <code>xmlBlockExternal</code> attribute of |
| Context. It is <code>true</code> now. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct regression in the fix for <bug>55996</bug> that meant that |
| asynchronous requests might time out too early. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Change default value of the <code>blockExternal</code> attribute of |
| JspC task. The default value is <code>true</code>. Add support for |
| <code>-no-blockExternal</code> switch when JspC is run as a |
| standalone application. (kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Do not return an empty string for the |
| <code>Sec-WebSocket-Protocol</code> HTTP header when no sub-protocol has |
| been requested or no sub-protocol could be agreed as RFC6455 requires |
| that no <code>Sec-WebSocket-Protocol</code> header is returned in this |
| case. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 8.0.0 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes |
| contributions from Nick Williams and Jeremy Boynes. (markt) |
| </add> |
| <add> |
| Implement JSR 245 MR2 - JSP 2.3. (markt) |
| </add> |
| <add> |
| Implement JSR 341 - Unified Expression Language 3.0. (markt) |
| </add> |
| <add> |
| Implement JSR 356 - WebSockets. The JSR 356 implementation includes |
| contributions from Nick Williams, Rossen Stoyanchev and Niki Dokovski. |
| (markt) |
| </add> |
| <update> |
| <bug>46727</bug>: Refactor default servlet to make it easier to |
| sub-class to implement finer grained control of the file encoding. Based |
| on a patch by Fred Toth. (markt) |
| </update> |
| <add> |
| <bug>45995</bug>: Align Tomcat with Apache httpd and perform MIME type |
| mapping based on file extension in a case insensitive manner. (markt) |
| </add> |
| <scode> |
| Remove duplicate code that converted a Host's appBase attribute to |
| a canonical file. (markt) |
| </scode> |
| <scode> |
| <bug>51408</bug>: Replace calls to <code>Charset.defaultCharset()</code> |
| with an explicit reference to the ISO-8859-1 Charset. (markt) |
| </scode> |
| <scode> |
| Refactor initialization code to use a single, consistent approach to |
| determining the Catalina home (binary) and base (instance) directories. |
| The search order for home is <code>catalina.home</code> system property, |
| parent of current directory if bootstrap.jar is present and finally |
| current working directory. The search order for Catalina base is |
| <code>catalina.base</code> system property falling back to the value for |
| Catalina home. (markt) |
| </scode> |
| <update> |
| <bug>52092</bug>: JULI now uses the <code>OneLineFormatter</code> and |
| <code>AsyncFileHandler</code> by default. (markt) |
| </update> |
| <fix> |
| <bug>52558</bug>: Refactor <code>CometConnectionManagerValve</code> so |
| that it does not prevent the session from being serialized when |
| running in a cluster. (markt) |
| </fix> |
| <fix> |
| <bug>52767</bug>: Remove reference to MySQL specific autoReconnect |
| property in <code>JDBCAccessLogValve</code>. (markt) |
| </fix> |
| <scode> |
| Make the Mapper type-safe. Hosts, Contexts and Wrappers are no |
| longer handled as plain objects, instead they keep their type. |
| Code using the Mapper doesn't need to cast objects returned by |
| the mapper. (rjung) |
| </scode> |
| <scode> |
| Move Manager, Loader and Resources from Container to Context since |
| Context is the only place they are used. The documentation already |
| states (and has done for some time) that Context is the only valid |
| location for these nested components. (markt) |
| </scode> |
| <scode> |
| Move the Mapper from the Connector to the Service since the Mapper is |
| identical for all Connectors of a given Service and it is common for |
| there to be multiple Connectors for a Service (http, https and ajp). |
| This means there is now only ever one Mapper per Service rather than |
| possibly multiple identically configured Mapper objects. (markt) |
| </scode> |
| <scode> |
| Remove the per Context Mapper objects and use the Mapper from the |
| Service. This removes the need to maintain two copies of the mappings |
| for Servlets and Filters. (markt) |
| </scode> |
| <add> |
| Implement a new Resources implementation that merges Aliases, |
| VirtualLoader, VirtualDirContext, JAR resources and external |
| repositories into a single framework rather than a separate one for each |
| feature. (markt) |
| </add> |
| <add> |
| URL rewrite valve, similar in functionality to mod_rewrite. (remm) |
| </add> |
| <add> |
| Port storeconfig functionality, which can persist to server.xml and |
| context.xml runtime container configuration changes. (remm) |
| </add> |
| <add> |
| <bug>54095</bug>: Add support to the Default Servlet for serving |
| gzipped versions of static resources directly from disk as an |
| alternative to Tomcat compressing them on each request. Patch by |
| Philippe Marschall. (markt) |
| </add> |
| <fix> |
| <bug>54708</bug>: Change the name of the working directory for the ROOT |
| application (located under $CATALINA_BASE/work by default) from _ to |
| ROOT. (markt) |
| </fix> |
| <add> |
| Change default configuration so that a change to the global web.xml file |
| will trigger a reload of all web applications. (markt) |
| </add> |
| <fix> |
| <bug>55101</bug>: Make BASIC authentication more tolerant of whitespace. |
| Patch provided by Brian Burch. (markt) |
| </fix> |
| <fix> |
| <bug>55166</bug>: Move JSP descriptor and tag library descriptor schemas |
| to servlet-api.jar to enable relative references between the schemas to |
| be correctly resolved. (markt) |
| </fix> |
| <scode> |
| Refactor the descriptor parsing code into a separate module that can be |
| used by both Catalina and Jasper. Includes patches provided by Jeremy |
| Boynes. (violetagg/markt) |
| </scode> |
| <scode> |
| <bug>55246</bug>: Move TLD scanning to a ServletContainerInitializer |
| provided by Jasper. Includes removal of TldConfig lifecycle listener and |
| associated Context properties. (jboynes) |
| </scode> |
| <add> |
| <bug>55317</bug>: Facilitate weaving by allowing ClassFileTransformer to |
| be added to WebappClassLoader. Patch by Nick Williams. (markt) |
| </add> |
| <fix> |
| <bug>55620</bug>: Enable Tomcat to start when either $CATALINA_HOME |
| and/or $CATALINA_BASE contains a comma character. Prevent Tomcat from |
| starting when $CATALINA_HOME and/or $CATALINA_BASE contains a semi-colon |
| on Windows. Prevent Tomcat from starting when $CATALINA_HOME and/or |
| $CATALINA_BASE contains a colon on Linux/FreeBSD/etc. (markt) |
| </fix> |
| <scode> |
| Initialize the JSP runtime in Jasper's initializer to avoid need for a |
| Jasper-specific lifecycle listener. <code>JasperListener</code> has been |
| removed. (jboynes) |
| </scode> |
| <fix> |
| Change ordering of elements of JMX objects names so components are |
| grouped more logically in JConsole. Generally, components are now |
| grouped by Host and then by Context. (markt) |
| </fix> |
| <add> |
| Context listener to allow better EE and framework integration. (remm) |
| </add> |
| <fix> |
| <bug>57896</bug>: Support defensive copying of "cookie" header so that |
| unescaping double quotes in a cookie value does not corrupt original |
| value of "cookie" header. This is an opt-in feature, enabled by |
| <code>org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER</code> |
| system property. (remm/kkolinko) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Experimental support for SPDY. Includes contributions from Sheldon Shao. |
| (costin) |
| </add> |
| <scode> |
| The default connector is now the Java NIO connector even when specifying |
| HTTP/1.1 as protocol. (fhanik) |
| </scode> |
| <scode> |
| Update default value of pollerThreadCount for the NIO connector. The new |
| default value will never go above 2 regardless of available processors. |
| (fhanik) |
| </scode> |
| <fix> |
| <bug>54010</bug>: Remove some unnecessary code (duplicate calls to |
| configure the scheme as https for AJP requests originally received over |
| HTTPS). (markt) |
| </fix> |
| <scode> |
| Refactor char encoding/decoding using NIO APIs. (remm) |
| </scode> |
| <update> |
| Change the default URIEncoding for all connectors from ISO-8859-1 to |
| UTF-8. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <scode> |
| Simplify API of <code>ErrorDispatcher</code> class by using varargs. |
| (kkolinko) |
| </scode> |
| <scode> |
| Update Jasper to use the new common web.xml parsing code. Includes |
| patches by Jeremy Boynes. (markt/violetagg) |
| </scode> |
| <add> |
| Create test cases for JspC. Patch by Jeremy Boynes. (markt) |
| </add> |
| <scode> |
| <bug>55246</bug>: TLD scanning is now performed by JasperInitializer |
| (a ServletContainerInitializer) removing the need for support within the |
| Servlet container itself. The scan is now performed only once rather than |
| in two passes reducing startup time. (jboynes) |
| </scode> |
| <fix> |
| <bug>55251</bug>: Do not allow JspC task to fail silently if the web.xml |
| or web.xml fragment cannot be generated. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <scode> |
| Remove unused JvmRouteSessionIDBinderListener and SessionIDMessage. |
| (kfujino) |
| </scode> |
| <scode> |
| Modify method signature in ReplicationValve. The Cluster instance is not |
| needed as a method argument. (kfujino) |
| </scode> |
| <scode> |
| Remove unused <code>expireSessionsOnShutdown</code> attribute in |
| <code>org.apache.catalina.ha.session.BackupManager</code>. (kfujino) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Extend the diagnostic information provided by the Manager web |
| application to include details of the configured SSL cipher suites for |
| each connector. (markt) |
| </add> |
| <update> |
| <bug>48550</bug>: Update examples web application to use UTF-8. (markt) |
| </update> |
| <update> |
| <bug>55383</bug>: Improve the design and correct the HTML markup of |
| the documentation web application. Patches provided by Konstantin |
| Preißer. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <scode> |
| Refactor <code>AbstractReplicatedMap</code> to use generics. A key |
| side-effect of this is that the class now implements |
| <code>Map&lt;K,V&gt;</code> rather than extends |
| <code>ConcurrentMap</code>. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <scode> |
| Remove unused, deprecated code. (markt) |
| </scode> |
| <scode> |
| Remove static info String and associated getInfo() method where present. |
| (markt) |
| </scode> |
| <update> |
| (<rev>1353242</rev>, <rev>1353410</rev>): |
| Remove Ant tasks <code>jasper2</code> and <code>jkstatus</code>. |
| The correct names are <code>jasper</code> and <code>jkupdate</code>. |
| (kkolinko) |
| </update> |
| <fix> |
| <bug>53529</bug>: Clean-up the handling of |
| <code>InterruptedException</code> throughout the code base. (markt) |
| </fix> |
| <add> |
| <bug>54899</bug>: Provide an initial implementation of NetBeans support. |
| Patch provided by Brian Burch. (markt) |
| </add> |
| <fix> |
| <bug>55166</bug>: Move the JSP descriptor and tag library descriptor |
| schema definition files from jsp-api.jar to servlet-api.jar so relative |
| includes between the J2EE, Servlet and JSP schemas are correctly |
| resolved. (markt) |
| </fix> |
| <fix> |
| <bug>55372</bug>: When starting Tomcat with the <code>jpda</code> option |
| to enable remote debugging, by default only listen on localhost for |
| connections from a debugger. Prior to this change, Tomcat listened on |
| all known addresses. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| </body> |
| </document> |