Changelog

Tomcat 8.5.41 (markt)

Catalina

  • Fix: Fix a potential resource leak when executing CGI scripts from a WAR file. Identified by Coverity scan. (markt)
  • Fix: Fix a potential concurrency issue in the StringCache identifed by Coverity scan. (markt)
  • Fix: Fix a potential concurrency issue in the main Sendfile thread of the APR connector. Identified by Coverity scan. (markt)
  • Fix: Fix a potential resource leak when running a web application from a WAR file. Identified by Coverity scan. (markt)
  • Fix: Fix a potential resource leak on some exception paths in the DataSourceRealm. Identified by Coverity scan. (markt)
  • Fix: Fix a potential resource leak on an exception path when parsing JSP files. Identified by Coverity scan. (markt)
  • Fix: Fix a potential resource leak when a JNDI lookup returns an object of an in compatible class. Identified by Coverity scan. (markt)
  • Code: Refactor ManagerServlet to avoid loading classes when filtering JNDI resources for resources of a specified type. (markt)
  • Fix: Avoid OutOfMemoryErrors and ArrayIndexOutOfBoundsExceptions when accessing large files via the default servlet when resource caching has been disabled. (markt)
  • Fix: Avoid a NullPointerException when a Context is defined in server.xml with a docBase but not the optional path. (markt)
  • Fix: 63324: Refactor the CrawlerSessionManagerValve so that the object placed in the session is compatible with session serialization with mem-cached. Patch provided by Martin Lemanski. (markt)
  • Fix: 63333: Override the isAvailable() method in the JAASRealm so that only login failures caused by invalid credentials trigger account lock out when the LockOutRealm is in use. Patch provided by jchobantonov. (markt)

Coyote

  • Fix: When running on newer JREs that don't support SSLv2Hello, don't warn that it is not available unless explicitly configured. (markt)
  • Code: Refactor Hostname validation to improve performance. Patch provided by Uwe Hees. (markt)
  • Fix: Expand HTTP/2 timeout handling to include connection window exhaustion on write. (markt)

Other

  • Fix: 63335: Ensure that stack traces written by the OneLineFormatter are fully indented. The entire stack trace is now indented by an additional TAB character. (markt)
  • Fix: When using the OneLineFormatter, don't print a blank line in the log after printing a stack trace. (markt)
  • Update: Update the internal fork of Apache Commons DBCP 2 to dcdbc72 (2019-04-24) to pick up some clean-up and enhancements less the JDBC 4.2 related changes that require Java 8. (markt)
  • Update: Update the internal fork of Apache Commons Pool 2 to 0664f4d (2019-04-30) to pick up some enhancements and bug fixes. (markt)
  • Update: Update the internal fork of Apache Commons FileUpload to 41e4047 (2019-04-24) pick up some enhancements. (markt)

2019-04-12 Tomcat 8.5.40 (markt)

Catalina

  • Fix: 63196: Provide a default (X-Forwarded-Proto) for the protocolHeader attribute of the RemoteIpFilter and RemoteIpValve. (markt)
  • Fix: 63235: Refactor Charset cache to reduce start time. (markt)
  • Fix: 63249: Use a consistent log level (WARN) when logging the failure to register or deregister a JMX Bean. (markt)
  • Fix: 63249: Use a consistent log level (ERROR) when logging the LifecycleException associated with the failure to start or stop a component. (markt)
  • Fix: When the SSI directive fsize is used with an invalid target, return a file size of - rather than 1k. (markt)
  • Fix: 63251: Implement a work-around for a known JRE bug (JDK-8194653) that may cause a dead-lock when Tomcat starts. (markt)
  • Fix: 63275: When using a RequestDispatcher ensure that HttpServletRequest.getContextPath() returns an encoded path in the dispatched request. (markt)
  • Fix: 63286: Document the differences in behaviour between the LogFormat directive in httpd and the pattern attribute in the AccessLogValve for %D and %T. (markt)
  • Fix: 63311: Add support for https URLs to the local resolver within Tomcat used to resolve standard XML DTDs and schemas when Tomcat is configured to validate XML configuration files such as web.xml. (markt)
  • Fix: Encode the output of the SSI printenv command. (markt)
  • Code: Use constants for SSI encoding values. (markt)
  • Add: When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the encoded form of the individual command line arguments to those values allowed by RFC 3875. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsEncoded. (markt)
  • Add: When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the decoded form of the individual command line arguments to known safe values when running on Windows. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsDecoded. This is the fix for CVE-2019-0232. (markt)
  • Update: Change the default for the enableCmdLineArguments parameter of the CGI servlet from true to false as additional hardening against CVE-2019-0232. (markt)

Coyote

  • Fix: Fix bad interaction between NIO2 async read API and the regular read. (remm)
  • Fix: Refactor NIO2 write pending strategy for the classic IO API. (remm)
  • Fix: Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm)
  • Fix: When using a JSSE TLS connector that supported ALPN (Java 9 onwards) and a protocol was not negotiated, Tomcat failed to fallback to HTTP/1.1 and instead dropped the connection. (markt)
  • Fix: Correct a regression in the TLS connector refactoring in Tomcat 9.0.17 that prevented the use of PKCS#8 private keys with OpenSSL based connectors. (markt)
  • Fix: When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any query string present in the original HTTP/1.1 request is passed to the HTTP/2 request processing. (markt)
  • Fix: When Tomcat writes a final response without reading all of an HTTP/2 request, reset the stream to inform the client that the remaining request body is not required. (markt)
  • Fix: 63312: Correct a regression in the error page handling that prevented error pages from issuing redirects or taking other action that required the response status code to be changed. (markt)

Jasper

  • Add: Add support for specifying Java 11 (with the value 11) as the compiler source and/or compiler target for JSP compilation. (markt)
  • Add: Add support for specifying Java 12 (with the value 12) and Java 13 (with the value 13) as the compiler source and/or compiler target for JSP compilation. If used with an ECJ version that does not support these values, a warning will be logged and the latest supported version will used. Based on a patch by Thomas Collignon. (markt)

Web applications

  • Fix: 63184: Expand the SSI documentation to provide more information on the supported directives and their attributes. Patch provided by nightwatchcyber. (markt)
  • Add: Add a note to the documentation about the risk of DoS with poorly written regular expressions and the RewriteValve. Patch provided by salgattas. (markt)

jdbc-pool

  • Fix: 63320: Ensure that StatementCache caches statements that include arrays in arguments. (kfujino)

2019-03-19 Tomcat 8.5.39 (markt)

Catalina

  • Fix: Minor HTTP/2 push fixes. (remm)
  • Fix: Refactor how cookies are transferred from the base request to a PushBuilder so that they are accessible, and may be edited, via the standard PushBuilder methods for working with HTTP headers. (markt)
  • Add: Refactor error handling to enable errors that occur before processing is passed to the application to be handled by the application provided error handling and/or the container provided error handling (ErrorReportValve) as appropriate. (markt)
  • Add: Pass 404 errors triggered by a missing ROOT web application to the container error handling to generate the response body. (markt)
  • Add: Pass 400 errors triggered by invalid request targets to the container error handling to generate the response body. (markt)
  • Add: Pass errors triggered by invalid requests or unavailable services to the application provided error handling and/or the container provided error handling (ErrorReportValve) as appropriate. (markt)
  • Code: Refactor the MBean implementations for the internal Tomcat components to reduce code duplication. (markt)
  • Update: Simplify the value of jarsToSkip property in catalina.properties file for tomcat-i18n jar files. Use prefix pattern instead of listing each language. (kkolinko)
  • Fix: Restore the getter and setter for the access log valve attribute maxLogMessageBufferSize that were accidentally removed. (markt)
  • Add: 63206: Add a new attribute to Context - createUploadTargets which, if true enables Tomcat to create the temporary upload location used by a Servlet if the location specified by the Servlet does not already exist. The default value is false. (markt)
  • Fix: 63210: Ensure that the Apache Commons DBCP 2 based default connection pool is correctly shutdown when it is no longer required. This ensures that a non-daemon thread is not left running that will prevent Tomcat from shutting down cleanly. (markt)
  • Fix: 63213: Ensure the correct escaping of group names when searching for nested groups when the JNDIRealm is configured with roleNested set to true. (markt)
  • Fix: 63236: Use String.intern() as suggested by Phillip Webb to reduce memory wasted due to String duplication. This changes saves ~245k when starting a clean installation. With additional thanks to YourKit Java profiler for helping to track down the wasted memory and the root causes. (markt)
  • Fix: 63246: Fix a potential NullPointerException when calling AsyncContext.dispatch(). (markt)

Coyote

  • Fix: Ensure that the toString(), toBytes() and toChars() methods of MessageBytes behave consistently and do not throw a NullPointerException both on newly created objects and immediately after a call to recycle(). This should not impact typical Tomcat users. It may impact users who use these classes directly in their own code. (markt)
  • Fix: When performing an HTTP/1.1 upgrade to HTTP/2 (h2c) ensure that the hostname and port from the HTTP/1.1 Host header of the upgraded request are made available via the standard methods ServletRequest.getServerName() and ServletRequest.getServerPort(). (markt)
  • Fix: Make PEM file parser a public utility class. (remm)
  • Fix: Refactor the APR/Native endpoint TLS configuration code to enable JSSE style configuration - including JKS keystores - to be used with the APR/Native connector. (markt)
  • Add: With the TLS configuration refactoring, the configuration attributes sessionCacheSize and sessionTimeout are no longer limited to JSSE implementations. They may now be used with OpenSSL implementations as well. (markt)
  • Fix: Refactor NIO2 read pending strategy for the classic IO API. (remm)
  • Fix: 63182: Avoid extra read notifications for HTTP/1.1 with NIO2 when using asynchronous threads. (remm)
  • Add: 63205: Add a work-around for a known JRE KeyStore loading bug. (markt)
  • Update: Sync with NIO2 async API from Tomcat 9 branch. (remm)
  • Fix: NIO2 should try to use SocketTimeoutException everywhere rather than a mix of it and InterruptedByTimeout. (remm)
  • Fix: Correct an error in the request validation that meant that HTTP/2 push requests always resulted in a 400 response. (markt)
  • Fix: 63223: Correctly account for push requests when tracking currently active HTTP/2 streams. (markt)
  • Fix: Verify HTTP/2 stream is still writable before assuming a timeout occurred. (remm)
  • Fix: Avoid some overflow cases with OpenSSL to improve efficiency, as the OpenSSL engine has an internal buffer. (remm)
  • Fix: Harmonize HTTP/1.1 NIO2 keepalive code. (remm)

WebSocket

  • Code: Remove the STREAMS_DROP_EMPTY_MESSAGES system property that was introduced to work-around four failing TCK tests. An alternative solution has been implemented. Sending messages via getSendStream() and getSendWriter() will now only result in messages on the wire if data is written to the OutputStream or Writer. Writing zero length data will result in an empty message. Note that sending a message via an Encoder may result in the message being send via getSendStream() or getSendWriter(). (markt)

Web applications

  • Fix: Use client's preferred language for the Server Status page of the Manager web application. Review and fix several cases when the client's language preference was not respected in Manager and Host Manager web applications. (kkolinko)
  • Fix: Fix messages used by Manager and Host Manager web applications. Disambiguate message keys used when adding or removing a host. Improve display of summary values on the status page: separate terms and values with a whitespace. Improve wording of messages for expire sessions command. (kkolinko)
  • Fix: Do not add CSRF nonce parameter and suppress Referer header for external links in Manager and Host Manager web applications. (kkolinko)

Tribes

  • Fix: Ensure that members registered in the addSuspects list are static members. (kfujino)

Other

  • Add: Expand the coverage and quality of the Russian translations provided with Apache Tomcat. (kkolinko)
  • Fix: 63041: Revert the changes for 53930 that added support for the CATALINA_OUT_CMD environment variable as they prevented correct operation with systemd configurations that did not explicitly specify a PID file. (markt)

2019-02-08 Tomcat 8.5.38 (markt)

Catalina

  • Fix: 54741: Add a new method, Tomcat.addWebapp(String,URL), that allows a web application to be deployed from a URL when using Tomcat in embedded mode. (markt)
  • Fix: Ensure that the ServletOutputStream implementation is consistent with the requirements of asynchronous I/O and that all of the write methods use a single write rather than multiple writes. (markt)
  • Fix: Correct the Javadoc for Context.getDocBase() and Context.setDocBase() and remove text that indicates that a URL may be used for the docBase as this has not been the case for quite some time. (markt)
  • Add: Ensure that Tomcat is fully terminated when running as a service. (markt)
  • Code: Treat I/O errors during request body reads the same way as I/O errors during response body writes. The errors are treated as client side errors rather than server side errors and only logged at debug level. (markt)
  • Fix: 63038: Ensure that a ClassNotFoundException is thrown when attempting to load a class from a corrupted JAR file. (markt)
  • Add: Make the removal of leading and trailing whitespace from credentials passed to BASIC authentication configurable via a new attribute, trimCredentials on the BasicAuthenticator. (markt)
  • Fix: 63003: Extend the unloadDelay attribute on a Context to include in-flight asynchronous requests. (markt)
  • Add: 63026: Add a new attribute, forceDnHexEscape, to the JNDIRealm that forces escaping in the String representation of a distinguished name to use the \nn form. This may avoid issues with realms using Active Directory which appears to be more tolerant of optional escaping when the \nn form is used. (markt)
  • Fix: Avoid a swallowed (and therefore ignored) access failure during web application class loading when running under a SecurityManager. (markt)
  • Update: Update the recommended minimum Tomcat Native version to 1.2.21. (markt)
  • Fix: 63137: If the resources for a web application have been configured with multiple locations mapped to /WEB-INF/classes, ensure that all of those locations are used when building the web application class path. Patch provided by Marcin Gołębski. (markt)

Coyote

  • Add: 63009: Include the optional content-length header in HTTP/2 responses where an appropriate value is available. (markt)
  • Fix: 63022: Do not use the socket open state when using the wrapper isClosed method for NIO and NIO2, as it will disable all further processing. (remm)
  • Fix: Fix socket close discrepancies for NIO2, now the wrapper close is used everywhere except for socket accept problems. (remm)

Jasper

  • Fix: 63056: Correct a regression in the fix for 53737 that did not correctly scan the web application directory structure for JSPs. (markt)
  • Fix: Update the performance optimisation for using expressions in tags that depend on uninitialised tag attributes with implied scope to make the performance optimisation aware of the new public class (java.lang.Enum$EnumDesc) added in Java 12. (markt)

WebSocket

  • Fix: 57974: Ensure implementation of Session.getOpenSessions() returns correct value for both client-side and server-side calls. (markt)
  • Fix: 63019: Use payload remaining bytes rather than limit when writing. Submitted by Benoit Courtilly. (remm)
  • Fix: When running under a SecurityManager, ensure that the ServiceLoader look-up for the default javax.websocket.server.ServerEndpointConfig.Configurator implementation completes correctly rather than silently using the hard-coded fall-back. (markt)
  • Fix: Ensure that the network connection is closed if the client receives an I/O error trying to communicate with the server. (markt)
  • Fix: Ignore synthetic methods when scanning POJO methods. (markt)
  • Fix: Implement the requirements of section 5.2.1 of the WebSocket 1.1 specification and ensure that if the deployment of one Endpoint fails, no Endpoints are deployed for that web application. (markt)
  • Fix: Implement the requirements of section 4.3 of the WebSocket 1.1 specification and ensure that the deployment of an Endpoint fails if @PathParam is used with an invalid parameter type. (markt)
  • Fix: Ensure a DeploymentException rather than an IllegalArgumentException is thrown if a method annotated with @OnMessage does not conform to the requirements set out in the Javadoc. (markt)
  • Fix: Improve algorithm that determines if two @OnMessage annotations have been added for the same message type. Prior to this change some matches were missed. (markt)

Web applications

  • Fix: 63103: Remove the unused source.jsp file and associated tag from the examples web application as it is no longer used. (markt)
  • Fix: 63143: Ensure that the Manager web application respects the language preferences of the user as configured in the browser when the language of the default system locale is not English. (markt)

Tribes

  • Add: Add EncryptInterceptor to the portfolio of available clustering interceptors. This adds symmetric encryption of session data to Tomcat clustering regardless of the type of cluster manager or membership being used. (schultz)
  • Update: Update the packaged version of the Tomcat Native Library to 1.2.21 to pick up the memory leak fixes when using NIO/NIO2 with OpenSSL. (markt)

Other

  • Fix: 63041: Correct a regression in the fix for 53930 that prevented Tomcat from working correctly with systemd. Patch provided by Patrik S. (markt)
  • Update: Update the NSIS Installer used to build the Windows installer to version 3.04. (markt)

2018-12-18 Tomcat 8.5.37 (markt)

Catalina

  • Update: Update the recommended minimum Tomcat Native version to 1.2.19. (markt)

Other

  • Update: Update the packaged version of the Tomcat Native Library to 1.2.19 to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1a. (markt)

not released Tomcat 8.5.36 (markt)

Catalina

  • Fix: 62788: Add explicit logging configuration to write log files using UTF-8 to align with Tomcat's use of UTF-8 by default elsewhere. (markt)
  • Fix: The default Servlet should not override a previously set content-type. (remm)
  • Add: 62897: Provide a property (clearReferencesThreadLocals) on the standard Context implementation that enables the check for memory leaks via ThreadLocals to be disabled because this check depends on the use of an API that has been deprecated in later versions of Java. (markt)
  • Fix: Fix more storeconfig issues with duplicated SSL attributes. (remm)
  • Fix: 62968: Avoid unnecessary (and relatively expensive) getResources() call in the Mapper when processing rule 7. (markt)
  • Fix: 62978: Update the RemoteIpValve to handle multiple values in the x-forwarded-proto header. Patch provided by Tom Groot. (markt)
  • Fix: Update the RemoteIpFilter to handle multiple values in the x-forwarded-proto header. Based on a patch provided by Tom Groot. (markt)
  • Code: 62986: Refactor the code that performs class scanning during web application start to make integration simpler for downstream users. Patch provided by rmannibucau. (markt)
  • Fix: 62988: Fix the LoadBalancerDrainingValve so it works when the session cookie configuration is not explicitly declared. Based on a patch provided by Andreas Kurth. (markt)
  • Fix: 63002: Fix setting rewrite qsdiscard flag. (remm)
  • Fix: Implement the requirements of section 8.2.2 2c of the Servlet specification and prevent a web application from deploying if it has fragments with duplicate names and is configured to use relative ordering of fragments. (markt)

Coyote

  • Fix: Avoid an exception when using Tomcat Native built with a version of OpenSSL that does not support TLSv1.3. (markt)
  • Fix: 62899: Prevent the incorrect timing out of connections when Servlet non-blocking I/O is used to read a request body over an HTTP/2 stream. (markt)
  • Fix: Avoid bad SSLHostConfig JMX registrations before init. (remm)

Jasper

  • Add: 53737: Extend JspC, the precompilation tool, to include support for resource JARs. (markt)
  • Fix: 62976: Avoid an IllegalStateException when using background compilation when tag files are packaged in JAR files. (markt)

Web applications

  • Fix: 62918: Filter out subtype mbeans to avoid breaking the connector status page. (remm)

Other

  • Fix: Prevent an error when running in a Cygwin shell and the JAVA_ENDORSED_DIRS system property is empty. Patch provided by Zemian Deng. (markt)
  • Add: 53930: Add support for the CATALINA_OUT_CMD environment variable that defines a command to which captured stdout and stderr will be redirected. Patch provided by Casey Lucas. (markt)

2018-11-07 Tomcat 8.5.35 (markt)

Catalina

  • Add: 61692: Add the ability to control which HTTP methods are handled by the CGI Servlet via a new initialization parameter cgiMethods. (markt)
  • Fix: 62687: Expose content length information for resources when using a compressed war. (remm)
  • Fix: 62737: Fix rewrite substitutions parsing of {} nesting. (remm)
  • Fix: Add rewrite flags output when getting the rewrite configuration back. (remm)
  • Fix: Add missing qsdiscard flag to the rewrite flags as a cleaner way to discard the query string. (remm)
  • Fix: Add documentation about the files context.xml.default and web.xml.default that can be used to customize conf/context.xml and conf/web.xml on a per host basis. (fschumacher)
  • Fix: Ensure that a canonical path is always used for the docBase of a Context to ensure consistent behaviour. (markt)
  • Fix: 62803: Fix SSL connector configuration processing in storeconfig. (remm)
  • Fix: 62797: Pass throwable to keep client aborts with status 200 rather than 500. Patch submitted by zikfat. (remm)
  • Fix: 62809: Correct a regression in the implementation of DIGEST authentication support for the Deployer Ant tasks (bug 45832) that prevented the DeployTask from working when authentication was required. (markt)
  • Update: Update the recommended minimum Tomcat Native version to 1.2.18. (markt)
  • Add: Ignore an attribute named source on Context elements provided by StandardContext. This is to suppress warnings generated by the Eclipse / Tomcat integration provided by Eclipse. Based on a patch by mdfst13. (markt)
  • Add: 62830: Added JniLifeCycleListener and static methods Library.loadLibrary(libraryName) and Library.load(filename) to load a native library by a shared class loader so that more than one Webapp can use it. (isapir)
  • Fix: Correct a typo in the Spanish resource files. Patch provided by Diego Agulló. (markt)
  • Fix: 62868: Order the Enumeration<URL> provided by WebappClassLoaderBase.getResources(String) according to the setting of the delegate flag. (markt)

Coyote

  • Add: Add TLSv1.3 to the default protocols and to the all alias for JSSE based TLS connectors when running on a JVM that supports TLS version 1.3. One such JVM is OpenJDK version 11. (rjung)
  • Fix: 62685: Correct an error in host name validation parsing that did not allow a fully qualified domain name to terminate with a period. Patch provided by AG. (markt)
  • Fix: 62739: Do not reject requests with an empty HTTP Host header. Such requests are unusual but not invalid. Patch provided by Michael Orr. (markt)
  • Add: 62748: Add TLS 1.3 support for the APR/Native connector and the NIO/NIO2 connector when using the OpenSSL backed JSSE implementation. (schultz/markt)
  • Fix: 62791: Remove an unnecessary check in the NIO TLS implementation that prevented from secure WebSocket connections from being established. (markt)
  • Fix: Fix server initiated TLS renegotiation to obtain a client certificate when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation. (markt)
  • Fix: 62871: Improve MBeans for Endpoint instances (type ThreadPool in JMX) by using explicit declaration of attributes and operations rather than relying on introspection. Add a new MBean to expose the Socketproperties values. (markt)

Jasper

  • Fix: Correct parsing of XML whitespace in TLD function signatures that incorrectly only looked for the space character. (markt)
  • Fix: 62674: Correct a regression in the stand-alone JSP compiler utility, JspC, caused by the fix for 53492, that caused the JSP compiler to hang. (markt)
  • Fix: 62721: Correct generation of web.xml header when using JspC. (markt)
  • Fix: 62757: Correct a regression in the fix for 62603 that caused NullPointerExceptions when compiling tag files on first access when development mode was disabled and background compilation was enabled. Based on a patch by Jordi Llach. (markt)

WebSocket

  • Fix: 62731: Make the URI returned by HandshakeRequest.getRequestURI() and Session.getRequestURI() absolute so that the scheme, host and port are accessible. (markt)

Web applications

  • Fix: 62676: Expand the CORS filter documentation to make it clear that explicit configuration is required to enable support for cross-origin requests. (markt)
  • Fix: 62712: Correct NPE in Manager application when attempting to view configured certificates for an APR/native TLS connector. (markt)
  • Fix: 62761: Correct the advanced CORS example in the Filter documentation to use a valid configuration. (markt)
  • Fix: 62786: Add a note to the Context documentation to explain that, by default, settings for a Context element defined in server.xml will be overwritten by settings specified in a default context file such as conf/context.xml. (markt)
  • Fix: Create a little visual separation between the Undeploy button and the other buttons in the Manager application. Patch provided by Łukasz Jąder. (markt)

Other

  • Update: Update the internal fork of Apache Commons Pool 2 to d4e0e88 (2018-09-12) to pick up some bug fixes and enhancements. (markt)
  • Update: Update the packaged version of the Tomcat Native Library to 1.2.18 to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1. (markt)

2018-09-10 Tomcat 8.5.34 (markt)

Catalina

  • Add: Make the isLocked() method of the LockOutRealm public and expose the method via JMX. (markt)
  • Fix: Improve the handling of path parameters when working with RequestDispatcher objects. (markt)
  • Fix: 62664: Process requests with content type multipart/form-data to servlets with a @MultipartConfig annotation regardless of HTTP method. (markt)
  • Fix: 62667: Add recursion to rewrite substitution parsing. (remm)
  • Fix: 62669: When using the SSIFilter and a resource does not specify a content type, do not force the content type to application/x-octet-stream. (markt)
  • Fix: 62670: Adjust the memory leak protection for the DriverManager so that JDBC drivers located in $CATALINA_HOME/lib and $CATALINA_BASE/lib are loaded via the service loader mechanism when the protection is enabled. (markt)
  • Fix: When generating a redirect to a directory in the Default Servlet, avoid generating a protocol relative redirect. (markt)

Coyote

  • Fix: Fix potential deadlocks when using asynchronous Servlet processing with HTTP/2 connectors. (markt)
  • Fix: 62620: Fix corruption of response bodies when writing large bodies using asynchronous processing over HTTP/2. (markt)
  • Fix: 62628: Additional fixes for output corruption of response bodies when writing large bodies using asynchronous processing over HTTP/2. (markt)

Jasper

  • Fix: Correct the JSP version in the X-PoweredBy HTTP header generated when the xpoweredBy option is enabled. (markt)
  • Fix: 62662: Fix the corruption of web.xml output during JSP compilation caused by the fix for 53492. Patch provided by Bernhard Frauendienst. (markt)

Web applications

  • Add: Expand the information in the documentation web application regarding the use of CATALINA_HOME and CATALINA_BASE. Patch provided by Marek Czernek. (markt)
  • Fix: 62652: Make it clearer that the version of DBCP that is packaged in Tomcat 8.5.x is DBCP 2. Correct the names of some DBCP 2 configuration attributes that changed between 1.x and 2.x. (markt)
  • Add: 62666: Expand internationalisation support in the Manager application to include the server status page and provide Russian translations in addition to English. Patch provided by Artem Chebykin. (markt)

Other

  • Fix: Switch the build script to use http for downloads from an ASF mirror using the closer.lua script to avoid failures due to HTTPS to HTTP redirects. (rjung)

2018-08-17 Tomcat 8.5.33 (markt)

Catalina

  • Fix: Ensure that the HTTP Vary header is set correctly when using the CORS filter and improve the cacheability of requests that pass through the COPRS filter. (markt)
  • Fix: 62527: Revert restriction of JNDI to the java: namespace. (remm)
  • Add: Introduce a new class - MultiThrowable - to report exceptions when multiple actions are taken where each action may throw an exception but all actions are taken before any errors are reported. Use this new class when reporting multiple container (e.g. web application) failures during start. (markt)
  • Fix: Correctly decode URL paths (+ should not be decoded to a space in the path) in the RequestDispatcher and the web application class loader. (markt)
  • Add: Make logout more robust if JASPIC subject is unexpectedly unavailable. (markt)
  • Fix: 62547: JASPIC cleanSubject() was not called on logout when the authenticator was configured to cache the authenticated Principal. Patch provided by Guillermo González de Agüero. (markt)
  • Add: 62559: Add jaxb-*.jar to the list of JARs ignored by StandardJarScanner. (markt)
  • Add: 62560: Add oraclepki.jar to the list of JARs ignored by StandardJarScanner. (markt)
  • Add: 62607: Return a non-zero exit code from catalina.[bat|sh] run if Tomcat fails to start. (markt)
  • Code: Remove ServletException from declaration of Tomcat.addWebapp(String,String) since it is never thrown. Patch provided by Tzafrir. (markt)
  • Fix: Use short circuit logic to prevent potential NPE in CorsFilter. (fschumacher)
  • Code: Simplify construction of appName from container name in JAASRealm. (fschumacher)

Coyote

  • Update: 60560: Add support for using an inherited channel to the NIO connector. Based on a patch submitted by Thomas Meyer with testing and suggestions by Coty Sutherland. (remm)
  • Fix: 62507: Ensure that JSSE based TLS connectors work correctly with a DKS keystore. Note: DKS keystores require Java 8 or later. (markt)
  • Fix: Refactor code that adds an additional header name to the Vary HTTP response header to use a common utility method that addresses several additional edge cases. (markt)
  • Fix: 62515: When a connector is configured (via setting bindOnInit to false) to bind/unbind the server socket during start/stop, close the socket earlier in the stop process so new connections do not sit in the TCP backlog during the shutdown process only to be dropped as stop completes. In this scenario new connections will now be refused immediately. (markt)
  • Fix: 62526: Correctly handle PKCS12 format key stores when the key store password is configured to be the empty string. (markt)
  • Fix: Fix error in back-port of HTTP/2 compression that meant compression was never enabled. (markt)
  • Fix: 62605: Ensure ReadListener.onDataAvailable() is called when the initial request body data arrives after the request headers when using asynchronous processing over HTTP/2. (markt)
  • Fix: 62614: Ensure that WriteListener.onWritePossible() is called after isReady() returns false and the window size is subsequently incremented when using asynchronous processing over HTTP/2. (markt)

Jasper

  • Fix: 53011: When pre-compiling with JspC, report all compilation errors rather than stopping after the first error. A new option -failFast can be used to restore the previous behaviour of stopping after the first error. Based on a patch provided by Marc Pompl. (markt)
  • Add: 53492: Make the Java file generation process multi-threaded. By default, one thread will be used per core. Based on a patch by Dan Fabulich. (markt)
  • Add: 62453: Add a performance optimisation for using expressions in tags that depend on uninitialised tag attributes with implied scope. Generally, using an explicit scope with tag attributes in EL is the best way to avoid various potential performance issues. (markt)
  • Fix: Correctly decode URL paths (+ should not be decoded to a space in the path) in the Jasper class loader. (markt)
  • Fix: 62603: Fix a potential race condition when development mode is disabled and background compilation checks are enabled. It was possible that some updates would not take effect and/or ClassNotFoundExceptions would occur. (markt)

WebSocket

  • Fix: 62596: Remove the limit on the size of the initial HTTP upgrade request used to establish the web socket connection. (markt)

Web applications

  • Add: 61565: Add the ability to trigger a reloading of TLS host configuration (certificate and key files, server.xml is not re-parsed) via the Manager web application. (markt)
  • Add: 62558: Add Russian translations for the Manager and Host Manager web applications. Based on a patch by Ivan Krasnov. (markt)
  • Add: 62561: Add advanced class loader configuration information regarding the use of the Server and Shared class loaders to the documentation web application. (markt)

Tribes

  • Fix: Ensures that the specified rxBufSize is correctly set to receiver buffer size. (kfujino)

Other

  • Update: Support building with Java 9+ while preserving the Java 7 compatibility at runtime (requires Ant 1.9.8 or later). (ebourg)
  • Update: Update WSDL4J library to version 1.6.3 (from 1.6.2). (kkolinko)
  • Update: Update JUnit library to version 4.12 (from 4.11). (kkolinko)
  • Update: Downgrade CGLib library used for testing with EasyMock to version 2.2.2 (from 2.2.3) as version 2.2.3 is not available from Maven Central. (markt/kkolinko)
  • Add: Implement checksum checks when downloading dependencies that are used to build Tomcat. (kkolinko)
  • Fix: Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg)
  • Update: Update the internal fork of Apache Commons Pool 2 to 3e02523 (2018-08-09) to pick up some bug fixes and enhancements. (markt)
  • Update: Update the internal fork of Apache Commons DBCP 2 to abc0484 (2018-08-09) to pick up some bug fixes and enhancements. (markt)
  • Fix: Correct various spelling errors throughout the source code and documentation. Patch provided by Kazuhiro Sera. (markt)

2018-06-25 Tomcat 8.5.32 (markt)

Catalina

  • Fix: Treat the <mapped-name> element of a <env-entry> in web.xml in the same way as the mappedName element of the equivalent @Resource annotation. Both now attempt to set the mappedName property of the resource. (markt)
  • Fix: Correct the processing of resources with <injection-target>s defined in web.xml. First look for a match using JavaBean property names and then, only if a match is not found, look for a match using fields. (markt)
  • Fix: When restoring a saved request with a request body after FORM authentication, ensure that calls to the HttpServletRequest methods getRequestURI(), getQueryString() and getProtocol() are not corrupted by the processing of the saved request body. (markt)
  • Fix: JNDI resources that are defined with injection targets but no value are now treated as if the resource is not defined. (markt)
  • Fix: Ensure that JNDI names used for <lookup-name> entries in web.xml and for lookup elements of @Resource annotations specify a name with an explicit java: namespace. (markt)
  • Code: Refactor the org.apache.naming package to reduce duplicate code. Duplicate code identified by the Simian tool. (markt)
  • Fix: 50019: Add support for <lookup-name>. Based on a patch by Gurkan Erdogdu. (markt)
  • Add: 51953: Add the RemoteCIDRFilter and RemoteCIDRValve that can be used to allow/deny requests based on IPv4 and/or IPv6 client address where the IP ranges are defined using CIDR notation. Based on a patch by Francis Galiegue. (markt)
  • Fix: 62343: Make CORS filter defaults more secure. This is the fix for CVE-2018-8014. (markt)
  • Fix: Ensure that the web application resources implementation does not incorrectly cache results for resources that are only visible as class loader resources. (markt)
  • Fix: Make all loggers associated with Tomcat provided Filters non-static to ensure that log messages are not lost when a web application is reloaded. (markt)
  • Fix: Correct the manifest for the annotations-api.jar. The JAR implements the Common Annotations API 1.2 and the manifest should reflect that. (markt)
  • Fix: Switch to non-static loggers where there is a possibility of a logger becoming associated with a web application class loader causing log messages to be lost if the web application is stopped. (markt)
  • Add: 62389: Add the IPv6 loopback address to the default internalProxies regular expression. Patch by Craig Andrews. (markt)
  • Fix: In the RemoteIpValve and RemoteIpFilter, correctly handle the case when the request passes through one or more trustedProxies but no internalProxies. Based on a patch by zhanhb. (markt)
  • Fix: Correct the logic in MBeanFactory.removeConnector() to ensure that the correct Connector is removed when there are multiple Connectors using different addresses but the same port. (markt)
  • Fix: Make JAASRealm mis-configuration more obvious by requiring the authenticated Subject to include at least one Principal of a type specified by userClassNames. (markt)
  • Fix: 62476: Use GMT timezone for the value of Expires header as required by HTTP specification (RFC 7231, 7234). (kkolinko)

Coyote

  • Fix: Consistent exception propagation for NIO2 SSL close. (remm)
  • Fix: Log an error message if the AJP connector detects that the reverse proxy is sending AJP messages that are too large for the configured packetSize. (markt)
  • Fix: Relax Host validation by removing the requirement that the final component of a FQDN must be alphabetic. (markt)
  • Fix: 62371: Improve logging of Host validation failures. (markt)
  • Fix: Add missing handshake timeout for NIO2. (remm)
  • Fix: Correctly handle a digest authorization header when the user name contains an escaped character. (markt)
  • Fix: Correctly handle a digest authorization header when one of the hex field values ends the header with in an invalid character. (markt)
  • Fix: Correctly handle an invalid quality value in an Accept-Language header. (markt)
  • Docs: 62423: Fix SSL docs CRL attribute typo. (remm)
  • Fix: Improve IPv6 validation by ensuring that IPv4-Mapped IPv6 addresses do not contain leading zeros in the IPv4 part. Based on a patch by Katya Stoycheva. (markt)
  • Fix: Fix NullPointerException thrown from replaceSystemProperties() when trying to log messages. (csutherl)
  • Fix: Avoid unnecessary processing of async timeouts. (markt)

Jasper

  • Add: 50234: Add the capability to generate a web-fragment.xml file to JspC. (markt)
  • Fix: 62080: Ensure that all reads of the current thread's context class loader made by the UEL API and implementation are performed via a PrivilegedAction to ensure that a SecurityException is not triggered when running under a SecurityManager. (mark)
  • Fix: 62350: Refactor org.apache.jasper.runtime.BodyContentImpl so a SecurityException is not thrown when running under a SecurityManger and additional permissions are not required in the catalina.policy file. This is a follow-up to the fix for 43925. (kkolinko/markt)
  • Fix: Update web.xml, web-fragment.xml and web.xml extracts generated by JspC to use the Servlet 3.1 version of the relevant schemas. (markt)

Cluster

  • Fix: Remove duplicate calls when creating a replicated session to reduce the time taken to create the session and thereby reduce the chances of a subsequent session update message being ignored because the session does not yet exist. (markt)

WebSocket

  • Fix: When decoding of path parameter failed, make sure to throw DecodeException instead of throwing ArrayIndexOutOfBoundsException. (kfujino)
  • Fix: Enable host name verification when using TLS with the WebSocket client. (markt)

Web applications

62395: Clarify the meaning of the connector attribute minSpareThreads in the documentation web application. (markt) Correct the documentation for the allowHostHeaderMismatch attribute of the standard HTTP Connector implementations. (markt)

Tribes

  • Fix: Ensure that the correct default value is returned when retrieve unset properties in McastService. (kfujino)

jdbc-pool

  • Fix: When logValidationErrors is set to true, the connection validation error is logged as SEVERE instead of WARNING. (kfujino)

Other

  • Fix: 62391: Remove references to javaw.exe as this file is not required by Tomcat and the references prevent the use of the Server JRE. (markt)
  • Update: Update the packaged version of the Tomcat Native Library to 1.2.17 to pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL 1.0.2o. (markt)
  • Update: 62458: Update the internal fork of Commons Pool 2 to dfef97b (2018-06-18) to pick up some bug fixes and enhancements. (markt)
  • Update: Update the internal fork of Commons DBCP 2 to 2.4.0. (markt)

2018-05-03 Tomcat 8.5.31 (markt)

Catalina

  • Fix: 62263: Avoid a NullPointerException when the RemoteIpValve processes a request for which no Context can be found. (markt)
  • Fix: Fix a rare edge case that is unlikely to occur in real usage. This edge case meant that writing long streams of UTF-8 characters to the HTTP response that consisted almost entirely of surrogate pairs could result in one surrogate pair being dropped. (markt)
  • Fix: Register MBean when DataSource Resource type="javax.sql.XADataSource". Patch provided by Masafumi Miura. (csutherl)
  • Add: Update the internal fork of Apache Commons BCEL to r1829827 to add early access Java 11 support to the annotation scanning code. (markt)
  • Fix: 62297: Enable the CrawlerSessionManagerValve to correctly handle bots that crawl multiple hosts and/or web applications when the Valve is configured on a Host or an Engine. (fschumacher)
  • Fix: 62309: Fix a SecurityException when using JASPIC under a SecurityManager when authentication is not mandatory. (markt)
  • Fix: 62329: Correctly list resources in JAR files when directories do not have dedicated entries. Patch provided by Meelis Müür. (markt)
  • Add: Collapse multiple leading / characters to a single / in the return value of HttpServletRequest#getContextPath() to avoid issues if the value is used with HttpServletResponse#sendRedirect(). This behaviour is enabled by default and configurable via the new Context attribute allowMultipleLeadingForwardSlashInPath. (markt)
  • Fix: Improve handing of overflow in the UTF-8 decoder with supplementary characters. (markt)

Coyote

  • Fix: Correct off-by-one error in thread pool that allowed thread pools to increase in size to one more than the configured limit. Patch provided by usc. (markt)
  • Fix: Prevent unexpected TLS handshake failures caused by errors during a previous handshake that were not correctly cleaned-up when using the NIO or NIO2 connector with the OpenSSLImplementation. (markt)
  • Add: Enable strict validation of the provided host name and port for all connectors. Requests with invalid host names and/or ports will be rejected with a 400 response. (markt)
  • Add: 62273: Implement configuration options to work-around specification non-compliant user agents (including all the major browsers) that do not correctly %nn encode URI paths and query strings as required by RFC 7230 and RFC 3986. (markt)

Jasper

  • Fix: Enable ECJ version 4.7 and later to be used as a drop in replacement for the ECJ version that ships with Apache Tomcat. (markt)
  • Fix: Enable Java 10 to be specified as a JSP source and/or target if a newer ECJ version is used. (markt)
  • Fix: 62287: Do not rely on hash codes to test instances of ValueExpressionImpl for equality. Patch provided by Mark Struberg. (markt)

WebSocket

  • Fix: 62301: Correct a regression in the fix for 61491 that didn't correctly handle a final empty message part in all circumstances when using PerMessageDeflate. (markt)
  • Fix: 62332: Ensure WebSocket connections are closed after an I/O error is experienced reading from the client. (markt)

Other

  • Fix: Avoid warning when running under Cygwin when the JAVA_ENDORSED_DIRS environment variable is not set. Patch provided by Zemian Deng. (markt)

2018-04-07 Tomcat 8.5.30 (markt)

Catalina

  • Fix: 51195: Avoid a false positive report of a web application memory leak by clearing ObjectStreamClass$Caches of classes loaded by the web application when the web application is stopped. (markt)
  • Fix: 52688: Add support for the maxDays attribute to the AccessLogValve and ExtendedAccessLogValve. This allows the maximum number of days for which rotated access logs should be retained before deletion to be defined. (markt)
  • Fix: Ensure the MBean names for the SSLHostConfig and SSLHostConfigCertificate are correctly formed when the Connector is bound to a specific IP address. (markt)
  • Fix: 62168: When using the PersistentManager honor a value of -1 for minIdleSwap and do not swap out sessions to keep the number of active sessions under maxActive. Patch provided by Holger Sunke. (markt)
  • Fix: 62172: Improve Javadoc for org.apache.catalina.startup.Constants and ensure that the constants are correctly used. (markt)
  • Fix: 62175: Avoid infinite recursion, when trying to validate a session while loading it with PersistentManager. (fschumacher)
  • Fix: Ensure that NamingContextListener instances are only notified once of property changes on the associated naming resources. (markt)
  • Add: Add LoadBalancerDrainingValve, a Valve designed to reduce the amount of time required for a node to drain its authenticated users. (schultz)
  • Add: 62224: Disable the forkJoinCommonPoolProtection of the JreMemoryLeakPreventionListener when running on Java 9 and above since the underlying JRE bug has been fixed. (markt)

Coyote

  • Fix: Avoid potential loop in APR/Native poller. (markt)
  • Fix: Ensure streams that are received but not processed are excluded from the tracking of maximum ID of processed streams. (markt)
  • Fix: Refactor the check for a paused connector to consistently prevent new streams from being created after the connector has been paused. (markt)
  • Fix: Improve debug logging for HTTP/2 pushed streams. (markt)
  • Fix: The OpenSSL engine SSL session will now ignore invalid accesses. (remm)
  • Fix: 62177: Correct two protocol errors with HTTP/2 PUSH_PROMISE frames. Firstly, the HTTP/2 protocol only permits pushes to be sent on peer initiated requests. Secondly, pushes must be sent in order of increasing stream ID. These restriction were not being enforced leading to protocol errors at the client. (markt)

Web applications

  • Add: Add document for FragmentationInterceptor. (kfujino)
  • Add: Document how the roles for an authenticated user are determined when the CombinedRealm is used. (markt)

Tribes

  • Fix: Add JMX support for FragmentationInterceptor in order to prevent warning of startup. (kfujino)

jdbc-pool

  • Fix: Ensure that SQLWarning has been cleared when connection returns to the pool. (kfujino)
  • Add: Enable clearing of SQLWarning via JMX. (kfujino)
  • Fix: Ensure that parameters have been cleared when PreparedStatement and/or CallableStatement are cached. (kfujino)
  • Fix: Enable PoolCleaner to be started even if validationQuery is not set. (kfujino)

Other

  • Fix: 62164: Switch the build script to use TLS for downloads from SourceForge and Maven Central to avoid failures due to HTTP to HTTPS redirects. (markt)
  • Add: Always report the OS's umask when launching the JVM. (schultz)

2018-03-08 Tomcat 8.5.29 (markt)

Catalina

  • Fix: Minor optimization when calling class transformers. (rjung)
  • Fix: Prevent Tomcat from applying gzip compression to content that is already compressed with brotli compression. Based on a patch provided by burka. (markt)
  • Fix: 62090: Null container names are not allowed. (remm)
  • Fix: 62104: Fix programmatic login regression as the NonLoginAuthenticator has to be set for it to work (if no login method is specified). (remm)
  • Fix: 62117: Improve error message in catalina.sh when calling kill -0 <pid> fails. Based on a suggestion from Mark Morschhaeuser. (markt)
  • Fix: 62118: Correctly create a JNDI ServiceRef using the specified interface rather than the concrete type. Based on a suggestion by Ángel Álvarez Páscua. (markt)
  • Fix: Fix for RequestDumperFilter log attribute. Patch provided by Kirill Romanov via Github. (violetagg)
  • Fix: 62123: Avoid ConcurrentModificationException when attempting to clean up application triggered RMI memory leaks on web application stop. (markt)
  • Fix: Correct a regression in the fix for 60276 that meant that compression was applied to all MIME types. Patch provided by Stefan Knoblich. (markt)

Coyote

  • Fix: Add minor HPACK fixes, based on fixes by Stuart Douglas. (remm)
  • Fix: 61751: Follow up fix so that OpenSSL engine returns underflow when unwrapping if no bytes were produced and the input is empty. (remm)
  • Fix: Minor OpenSSL engine cleanups. (remm)
  • Fix: NIO SSL handshake should throw an exception on overflow status, like NIO2 SSL. (remm)

Web applications

  • Add: 48672: Add documentation for the Host Manager web application. Patch provided by Marek Czernek. (markt)
  • Add: Work-around a known, non-specification compliant behaviour in some versions of IE that can allow XSS when the Manager application generates a plain text response. Based on a suggestion from Muthukumar Marikani. (markt)

Other

  • Update: Update the build script so MD5 hashes are no longer generated for releases as per the change in the ASF distribution policy. (markt)

2018-02-11 Tomcat 8.5.28 (markt)

Catalina

  • Fix: Prevent a stack trace being written to standard out when running on Java 10 due to changes in the LogManager implementation. (markt)
  • Fix: 62000: When a JNDI reference cannot be resolved, ensure that the root cause exception is reported rather than swallowed. (markt)
  • Fix: 62036: When caching an authenticated user Principal in the session when the web application is configured with the NonLoginAuthenticator, cache the internal Principal object rather than the user facing Principal object as Tomcat requires the internal object to correctly process later authorization checks. (markt)
  • Fix: Avoid duplicate load attempts if one has been made already. (remm)
  • Fix: Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine. (remm)
  • Fix: 62067: Correctly apply security constraints mapped to the context root using a URL pattern of "". (markt)
  • Fix: When using Tomcat embedded, only perform Authenticator configuration once during web application start. (markt)
  • Fix: Process all ServletSecurity annotations at web application start rather than at servlet load time to ensure constraints are applied consistently. (markt)

Coyote

  • Fix: 61751: Fix truncated request input streams when using NIO2 with TLS. (markt)
  • Fix: 62023: Log error reporting multiple SSLHostConfig elements when using the APR Connector instead of crashing Tomcat. (csutherl)
  • Fix: 62032: Fix NullPointerException when certificateFile is not defined on an SSLHostConfig and unify the behavior when a certificateFile is defined but the file does not exist for both JKS and PEM file types. (csutherl)

WebSocket

  • Fix: 62024: When closing a connection with an abnormal close, close the socket immediately rather than waiting for a close message from the client that may never arrive. (markt)

Webapps

  • Fix: 62049: Fix missing class from manager 404 JSP error page. (remm)

jdbc-pool

  • Add: Enhance the JMX support for jdbc-pool in order to expose PooledConnection and JdbcInterceptors. (kfujino)
  • Add: Add MBean for PooledConnection. (kfujino)
  • Add: 62011: Add MBean for StatementCache. (kfujino)
  • Add: Expose the cache size for each connection via JMX in StatementCache. (kfujino)
  • Add: Add MBean for ResetAbandonedTimer. (kfujino)

Other

  • Update: Update the NSIS Installer used to build the Windows installer to version 3.03. (kkolinko)

2018-01-22 Tomcat 8.5.27 (markt)

Catalina

  • Fix: Correct a regression in the previous fix for 61916 that meant that any call to addHeader() would have been replaced with a call to setHeader() for all requests mapped to the AddDefaultCharsetFilter. (markt)

Coyote

  • Fix: 61993: Improve handling for ByteChunk and CharChunk instances that grow close to the maximum size allowed by the JRE. (markt)

Jasper

  • Add: 43925: Add a new system property (org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE) to control the size of the buffer used by Jasper when buffering tag bodies. (markt)

Web applications

  • Fix: 62006: Document the new JvmOptions9 command line parameter for tomcat8.exe. (markt)

not released Tomcat 8.5.26 (markt)

Catalina

  • Fix: Correct Javadoc errors in release build.

not released Tomcat 8.5.25 (markt)

Catalina

  • Fix: 47214: Use a loop to preload anonymous inner classes when running under a SecurityManager, to be safe for future changes in the code or using a different compiler. (kkolinko)
  • Add: 57619: Implement a small optimisation to how JAR URLs are processed to reduce the storage of duplicate String objects in memory. Patch provided by Dmitri Blinov. (markt)
  • Fix: Add some missing NPEs to ServletContext. (remm)
  • Fix: 61916: Extend the AddDefaultCharsetFilter to add a character set when the content type is set via setHeader() or addHeader() as well as when it is set via setContentType(). (markt)
  • Fix: 61999: maxSavePostSize set to 0 should disable saving POST data during authentication. (remm)

Coyote

  • Add: 60276: Implement GZIP compression support for responses served over HTTP/2. (markt)
  • Fix: Do not call onDataAvailable without any data to read. (remm)
  • Fix: 61886: Log errors on non-container threads at DEBUG rather than INFO. The exception will be made available to the application via the asynchronous error handling mechanism. (markt)
  • Fix: 61914: Possible NPE with Java 9 when creating a SSL engine. Patch submitted by Evgenij Ryazanov. (remm)
  • Fix: 61918: Fix connectionLimitLatch counting when closing an already closed socket. Based on a patch by Ryan Fong. (remm)
  • Add: Add support for the OpenSSL ARIA ciphers to the OpenSSL to JSSE cipher mapping. (markt)
  • Fix: 61932: Allow a call to AsyncContext.dispatch() to terminate non-blocking I/O. (markt)
  • Fix: 61948: Improve the handling of malformed ClientHello messages in the code that extracts the SNI information from a TLS handshake for the JSSE based NIO and NIO2 connectors. (markt)
  • Fix: Fix NIO2 handshaking with a full input buffer. (remm)
  • Add: Return a simple, plain text error message if a client attempts to make a plain text HTTP connection to a TLS enabled NIO or NIO2 Connector. (markt)
  • Fix: Correctly handle EOF when ServletInputStream.isReady() is called. (markt)

Jasper

  • Fix: 61854: When using sets and/or maps in EL expressions, ensure that Jasper correctly parses the expression. Patch provided by Ricardo Martin Camarero. (markt)
  • Fix: Improve the handling of methods with varargs in EL expressions. In particular, the calling of a varargs method with no parameters now works correctly. Based on a patch by Nitkalya (Ing) Wiriyanuparb. (markt)

Web applications

  • Fix: Remove the Servlet 4.0 early preview example from the examples web application as the early preview is now deprecated in favour of Tomcat 9 which provides a full Servlet 4.0 implementation. (markt)
  • Add: 61223: Add the mbeans-descriptors.dtd file to the custom MBean documentation so users have a reference to use when constructing mbeans-descriptors.xml files for custom components. (markt)
  • Add: 61566: Expose the currently in use certificate chain and list of trusted certificates for all virtual hosts configured using the JSSE style (keystore) TLS configuration via the Manager web application. (markt)
  • Fix: Partial fix for 61886. Ensure that multiple threads do not attempt to complete the AsyncContext if an I/O error occurs in the stock ticker example Servlet. (markt)
  • Fix: 61886: Prevent ConcurrentModificationException when running the asynchronous stock ticker in the examples web application. (markt)
  • Fix: 61886: Prevent NullPointerException and other errors if the stock ticker example is running when the examples web application is stopped. (markt)
  • Fix: 61910: Clarify the meaning of the allowLinking option in the documentation web application. (markt)
  • Add: Add OCSP configuration information to the SSL How-To. Patch provided by Marek Czernek. (markt)

jdbc-pool

  • Fix: 61312: Prevent NullPointerException when using the statement cache of connection that has been closed. (kfujino)

Other

  • Fix: Add an additional system property for the system property replacement. (remm)
  • Fix: Add missing SHA-512 hash for release artifacts to the build script. (markt)
  • Update: Update the internal fork of Commons Pool 2 to 2.4.3. (markt)
  • Update: Update the internal fork of Commons DBCP 2 to 8a71764 (2017-10-18) to pick up some bug fixes and enhancements. (markt)
  • Update: Update the internal fork of Commons FileUpload to 6c00d57 (2017-11-23) to pick up some code clean-up. (markt)
  • Update: Update the internal fork of Commons Codec to r1817136 to pick up some code clean-up. (markt)
  • Fix: The native source bundles (for Commons Daemon and Tomcat Native) are no longer copied to the bin directory for the deploy target. They are now only copied to the bin directory for the release target. (markt)

2017-11-30 Tomcat 8.5.24 (markt)

Catalina

  • Add: When running under Java 9 or later, and the urlCacheProtection option of the JreMemoryLeakPreventionListener is enabled, use the API added in Java 9 to only disable the caching for JAR URL connections. (markt)
  • Fix: Fix possible SecurityException when using TLS related request attributes. (markt)
  • Fix: 61597: Extend the StandardJarScanner to scan JARs on the module path when running on Java 9 and class path scanning is enabled. (markt)
  • Fix: 61601: Add support for multi-release JARs in JAR scanning and web application class loading. (markt)
  • Fix: 61681: Allow HTTP/2 push when using request wrapping. (remm)
  • Add: Provide the SessionInitializerFilter that can be used to ensure that an HTTP session exists when initiating a WebSocket connection. Patch provided by isapir. (markt)
  • Fix: 61682: When re-prioritising HTTP/2 streams, ensure that both parent and children fields are correctly updated to avoid a possible StackOverflowError. (markt)
  • Fix: Improve concurrency by reducing the scope of the synchronisation for javax.security.auth.message.config.AuthConfigFactory in the JASPIC API implementation. Based on a patch by Pavan Kumar. (markt)
  • Fix: Avoid a possible NullPointerException when timing out AsyncContext instances during shut down. (markt)
  • Fix: 61777: Avoid a NullPointerException when detaching a JASPIC RegistrationListener. Patch provided by Lazar. (markt)
  • Fix: 61778: Correct the return value when detaching a JASPIC RegistrationListener. Patch provided by Lazar. (markt)
  • Fix: 61779: Avoid a NullPointerException when a null RegistrationListener is passed to AuthConfigFactory.getConfigProvider(). Patch provided by Lazar. (markt)
  • Fix: 61780: Only include the default JASPIC registration ID in the return value for a call to AuthConfigFactory.getRegistrationIDs() if a RegistrationContext has been registered using the default registration ID. Patch provided by Lazar. (markt)
  • Fix: 61781: Enable JASPIC provider registrations to be persisted when the layer and/or application context are null. Patch provided by Lazar. (markt)
  • Fix: 61782: When calling AuthConfigFactory.doRegisterConfigProvider() and the requested JASPIC config provider class is found by the web application class loader, do not attempt to load the class with the class loader that loaded the JASPIC API. Patch provided by Lazar. (markt)
  • Fix: 61783: When calling AuthConfigFactory.removeRegistration() and the registration is persistent, it should be removed from the persistent store. Patch provided by Lazar. (markt)
  • Fix: 61784: Correctly handle the case when AuthConfigFactoryImpl.registerConfigProvider() is called with a provider name of null. Patch provided by Lazar. (markt)
  • Add: 61795: Add a property to the Authenticator implementations to enable a custom JASPIC CallbackHandler to be specified. Patch provided by Lazar. (markt)

Coyote

  • Add: Enable ALPN and also, therefore, HTTP/2 for the NIO and NIO2 HTTP connectors when using the JSSE implementation for TLS when running on Java 9. (markt)
  • Add: 60762: Add the ability to make changes to the TLS configuration of a connector at runtime without having to restart the Connector. (markt)
  • Fix: 61568: Avoid a potential SecurityException when using the NIO2 connector and a new thread is added to the pool. (markt)
  • Fix: 61583: Correct a further regression in the fix to enable the use of Java key stores that contained multiple keys that did not all have the same password. This fixes PKCS11 key store handling with multiple keys selected with an alias. (markt)
  • Fix: Reduce default HTTP/2 stream concurrent execution within a connection from 200 to 20. (remm)
  • Fix: 61668: Avoid a possible NPE when calling AbstractHttp11Protocol.getSSLProtocol(). (markt)
  • Fix: 61673: Avoid a possible ConcurrentModificationException when working with the streams associated with a connection. (markt)
  • Fix: 61719: Avoid possible NPE calling InputStream.setReadListener with HTTP/2. (remm)
  • Fix: 61736: Improve performance of NIO connector when clients leave large time gaps between network packets. Patch provided by Zilong Song. (markt)
  • Fix: 61740: Correct an off-by-one error in the Hpack header index validation that caused intermittent request failures when using HTTP/2. (markt)

Jasper

  • Fix: 61816: Invalid expressions in attribute values or template text should trigger a translation (compile time) error, not a run time error. (markt)

WebSocket

  • Fix: 61604: Add support for authentication in the websocket client. Patch submitted by J Fernandez. (remm)

Web applications

  • Fix: Enable Javadoc to be built with Java 9. (markt)
  • Fix: 61603: Add XML filtering for the status servlet output where needed. (remm)
  • Fix: Correct the description of how the CGI servlet maps a request to a script in the CGI How-To. (markt)

Tribes

  • Fix: Fix incorrect behavior that attempts to resend channel messages more than the actual setting value of maxRetryAttempts. (kfujino)
  • Fix: Ensure that the remaining Sender can send channel messages by avoiding unintended ChannelException caused by comparing the number of failed members and the number of remaining Senders. (kfujino)
  • Fix: Ensure that remaining SelectionKeys that were not handled by throwing a ChannelException during SelectionKey processing are handled. (kfujino)

Other

  • Fix: Improve the fix for 61439 and exclude the JPA, JAX-WS and EJB annotations completely from the Tomcat distributions. (markt)
  • Fix: Improve handling of endorsed directories. The endorsed directory mechanism will only be used if the JAVA_ENDORSED_DIRS system property is explicitly set or if $CATALINA_HOME/endorsed exists. When running on Java 9, any such attempted use of the endorsed directory mechanism will trigger an error and Tomcat will fail to start. (rjung)
  • Code: Refactoring in preparation for Java 9. Refactor to avoid using some methods that will be deprecated in Java 9 onwards. (markt)
  • Add: 51496: When using the Windows installer, check if the requested service name already exists and, if it does, prompt the user to select an alternative service name. Patch provided by Ralph Plawetzki. (markt)
  • Fix: Add necessary Java 9 configuration options to the startup scripts to prevent warnings being generated on web application stop. (markt)
  • Fix: 61590: Enable service.bat to recognise when JAVA_HOME is configured for a Java 9 JDK. (markt)
  • Fix: 61598: Update the Windows installer to search the new (as of Java 9) registry locations when looking for a JRE. (markt)
  • Add: Add generation of a SHA-512 hash for release artifacts to the build script. (markt)
  • Fix: 61658: Update MIME mappings for fonts to use font/* as per RFC8081. (markt)
  • Update: Update the packaged version of the Tomcat Native Library to 1.2.16 to pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL 1.0.2m. (markt)
  • Update: Update the NSIS Installer used to build the Windows installer to version 3.02.1. (kkolinko)
  • Update: Update the Windows installer to use "The Apache Software Foundation" as the Publisher when Tomcat is displayed in the list of installed applications in Microsoft Windows. (kkolinko)
  • Fix: 61803: Remove outdated SSL information from the Security documentation. (remm)

2017-10-01 Tomcat 8.5.23 (markt)

Catalina

  • Fix: Use the correct path when loading the JVM logging.properties file for Java 9. (rjung)
  • Fix: Add additional validation to the resource handling required to fix CVE-2017-12617 on Windows. The checks were being performed elsewhere but adding them to the resource handling ensures that the checks are always performed. (markt)
  • Fix: 61554: Exclude test files in unusual encodings and markdown files intended for display in GitHub from RAT analysis. Patch provided by Chris Thistlethwaite. (markt)

Other

  • Fix: 61563: Correct typos in Spanish translation. Patch provided by Gonzalo Vásquez. (csutherl)

not released Tomcat 8.5.22 (markt)

Catalina

  • Fix: 60963: Add ExtractingRoot, a new WebResourceRoot implementation that extracts JARs to the work directory for improved performance when deploying packed WAR files. (markt)
  • Add: Add an option to reject requests that contain HTTP headers with invalid (non-token) header names with a 400 response. (markt)
  • Fix: 61542: Fix CVE-2017-12617 and prevent JSPs from being uploaded via a specially crafted request when HTTP PUT was enabled. (markt)
  • Fix: Implement the requirements of RFC 7230 (and RFC 2616) that HTTP/1.1 requests must include a Host header and any request that does not must be rejected with a 400 response. (markt)
  • Fix: Implement the requirements of RFC 7230 that any HTTP/1.1 request that specifies a host in the request line, must specify the same host in the Host header and that any such request that does not, must be rejected with a 400 response. This check is optional but disabled by default. It may be enabled with the allowHostHeaderMismatch attribute of the Connector. (markt)
  • Fix: Implement the requirements of RFC 7230 that any HTTP/1.1 request that contains multiple Host headers is rejected with a 400 response. (markt)

Coyote

  • Update: Add a way to set the property source in embedded mode. (remm)
  • Fix: 61557: Correct a further regression in the fix to enable the use of Java key stores that contain multiple keys that do not all have the same password. The regression broke support for some FIPS compliant key stores. (markt)

jdbc-pool

  • Fix: 61545: Correctly handle invocations of methods defined in the PooledConnection interface when using pooled XA connections. Patch provided by Nils Winkler. (markt)

Other

  • Fix: Update fix for 59904 so that values less than zero are accepted instead of throwing a NegativeArraySizeException. (remm)

2017-09-19 Tomcat 8.5.21 (markt)

Catalina

  • Fix: Before generating an error page in the ErrorReportValve, check to see if I/O is still permitted for the associated connection before generating the error page so that the page generation can be skipped if the page is never going to be sent. (markt)
  • Add: 61189: Add the ability to set environment variables for individual CGI scripts. Based on a patch by jm009. (markt)
  • Fix: 61210: When running under a SecurityManager, do not print a warning about not being able to read a logging configuration file when that file does not exist. (markt)
  • Add: 61280: Add RFC 7617 support to the BasicAuthenticator. Note that the default configuration does not change the existing behaviour. (markt)
  • Fix: 61424: Avoid a possible StackOverflowError when running under a SecurityManager and using Subject.doAs(). (markt)

Coyote

  • Update: The minimum required Tomcat Native version has been increased to 1.2.14. This version includes a new API needed for correct client certificate support when using a Java connector with OpenSSL TLS implementation and support for the SSL_CONF OpenSSL API. (rjung)
  • Add: Add support for the OpenSSL SSL_CONF API when using TLS with OpenSSL implementation. It can be used by adding OpenSSLConf elements underneath SSLHostConfig. The new element contains a list of OpenSSLConfCmd elements, each with the attributes name and value. (rjung)
  • Fix: When using a Java connector in combination with the OpenSSL TLS implementation, do not configure each SSL connection object via the OpenSSLEngine. For OpenSSL the SSL object inherits its settings from the SSL_CTX which we have already configured. (rjung)
  • Fix: When using JSSE TLS configuration with the OpenSSL implementation and client certificates: include client CA subjects in the TLS handshake so that the client can choose an appropriate client certificate to present. (rjung)
  • Fix: If an invalid option is specified for the certificateVerification attribute of an SSLHostConfig element, treat it as required which is the most secure / restrictive option in addition to reporting the configuration error. (markt)
  • Fix: Improve the handling of client disconnections during the TLS renegotiation handshake. (markt)
  • Fix: Prevent exceptions being thrown during normal shutdown of NIO connections. This enables TLS connections to close cleanly. (markt)
  • Fix: Fix possible race condition when setting IO listeners on an upgraded connection. (remm)
  • Fix: 48655: Enable Tomcat to shutdown cleanly when using sendfile, the APR/native connector and a multi-part download is in progress. (markt)
  • Fix: 58244: Handle the case when OpenSSL resumes a TLS session using a ticket and the full client certificate chain is not available. In this case the client certificate without the chain will be presented to the application. (markt)
  • Fix: Improve the warning message when JSSE and OpenSSL configuration styles are mixed on the same SSLHostConfig. (markt)
  • Fix: 61415: Fix TLS renegotiation with OpenSSL based connections and session caching. (markt)
  • Fix: Delay checking that the configured attributes for an SSLHostConfig instance are consistent with the configured SSL implementation until Connector start to avoid incorrect warnings when the SSL implementation changes during initialisation. (markt)
  • Fix: 61450: Fix default key alias algorithm. (remm)
  • Fix: 61451: Correct a regression in the fix to enable the use of Java key stores that contained multiple keys that did not all have the same password. The regression broke support for any key store that did not store keys in PKCS #8 format such as hardware key stores and Windows key stores. (markt)

WebSocket

  • Fix: 60523: Reduce the number of packets used to send WebSocket messages by not flushing between the header and the payload when the two are written together. (markt)
  • Fix: 61491: When using the permessage-deflate extension, correctly handle the sending of empty messages after non-empty messages to avoid the IllegalArgumentException. (markt)

Web applications

  • Fix: Show connector cipher list in the manager web application in the correct cipher order. (rjung)

Tribes

  • Fix: To avoid unexpected session timeout notification from backup session, update the access time when receiving the map member notification message. (kfujino)
  • Fix: Add member info to the log message when the failure detection check fails in TcpFailureDetector. (kfujino)
  • Fix: Avoid Ping timeout until the added map member by receiving MSG_START message is completely started. (kfujino)
  • Fix: When sending a channel message, make sure that the Sender has connected. (kfujino)
  • Fix: Correct the backup node selection logic that node 0 is returned twice consecutively. (kfujino)
  • Fix: Fix race condition of responseMap in RpcChannel. (kfujino)

jdbc-pool

  • Fix: 61391: Ensure that failed queries are logged if the SlowQueryReport interceptor is configured to do so and the connection has been abandoned. Patch provided by Craig Webb. (markt)
  • Fix: 61425: Ensure that transaction of idle connection has terminated when the testWhileIdle is set to true and defaultAutoCommit is set to false. Patch provided by WangZheng. (kfujino)

Other

  • Fix: 61439: Remove the Java Annotation API classes from tomcat-embed-core.jar and package them in a separate JAR in the embedded distribution to provide end users with greater flexibility to handle potential conflicts with the JRE and/or other JARs. (markt)
  • Fix: 61441: Improve the detection of JAVA_HOME by the daemon.sh script when running on a platform where Java has been installed from an RPM. (rjung)
  • Update: Update the packaged version of the Tomcat Native Library to 1.2.14 to pick up the latest Windows binaries built with APR