<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE document [
<!ENTITY project SYSTEM "project.xml">
]>
<?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?>
<document url="changelog.html">
&project;
<properties>
<title>Changelog</title>
<no-comments />
</properties>
<body>
<!--
Subsection ordering:
General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications,
Extras, Tribes, jdbc-pool, Other
Item Ordering:
Fixes having an issue number are sorted by their number, ascending.
There is no ordering by add/update/fix/scode.
Other fixed issues are added to the end of the list, chronologically.
They eventually become mixed with the numbered issues (i.e., numbered
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 9.0.21 (markt)" rtext="in development">
<subsection name="Catalina">
<changelog>
<add>
<bug>57287</bug>: Add file sorting to DefaultServlet (schultz)
</add>
<fix>
Fix <code>--no-jmx</code> flag processing, which was called after
registry initialization. (remm)
</fix>
<fix>
Ensure that a default request character encoding set on a
<code>ServletContext</code> is used when calling
<code>ServletRequest#getReader()</code>. (markt)
</fix>
<fix>
Make a best efforts attempt to clean-up if a request fails during
processing due to an <code>OutOfMemoryException</code>. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
NIO poller seems to create some unwanted concurrency, causing rare
CI test failures. Add sync when processing async operation to avoid
this. (remm)
</fix>
<fix>
Fix concurrency issue that led to incorrect HTTP/2 connection timeout.
(remm/markt)
</fix>
<fix>
Avoid useless exception wrapping in async IO. (remm)
</fix>
<fix>
<bug>63412</bug>: Security manager failure when using the async IO
API from a webapp. (remm)
</fix>
<fix>
Remove <code>acceptorThreadCount</code> Connector attribute,
one accept thread is sufficient. As documented, value <code>2</code>
was the only other sensible value, but without an impact beyond
certain microbenchmarks. (remm)
</fix>
<fix>
Avoid possible NPEs on connector stop. (remm)
</fix>
<update>
Remove <code>pollerThreadCount</code> Connector attribute for NIO,
one poller thread is sufficient. (remm)
</update>
<add>
Add async IO for APR connector for consistency, but disable it by
default due to low performance. (remm)
</add>
<fix>
Avoid blocking write of internal buffer for NIO when using async IO.
(remm)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Switch from FindBugs to SpotBugs. (fschumacher)
</update>
<update>
Start Graal native image compatibility. Support is initially targeted
at the tomcat-maven packaging. (remm)
</update>
<fix>
<bug>63403</bug>: Fix TestHttp2InitialConnection test failures when
running with a non-English locale. (kkolinko)
</fix>
<fix>
Add Graal JreCompat, and use it to disable JMX and URL stream handlers.
(remm)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.20 (markt)" rtext="2019-05-13">
<subsection name="Catalina">
<changelog>
<fix>
Fix some edge cases where the docBase was not being set using a canonical
path which in turn meant resource URLs were not being constructed as
expected. (markt)
</fix>
<fix>
Fix a potential resource leak when executing CGI scripts from a WAR
file. Identified by Coverity scan. (markt)
</fix>
<fix>
Fix a potential concurrency issue in the StringCache identified by
Coverity scan. (markt)
</fix>
<fix>
Fix a potential concurrency issue in the main Sendfile thread of the APR
connector. Identified by Coverity scan. (markt)
</fix>
<fix>
Fix a potential resource leak when running a web application from a WAR
file. Identified by Coverity scan. (markt)
</fix>
<fix>
Fix a potential resource leak on some exception paths in the
<code>DataSourceRealm</code>. Identified by Coverity scan. (markt)
</fix>
<fix>
Fix a potential resource leak on an exception path when parsing JSP
files. Identified by Coverity scan. (markt)
</fix>
<fix>
Fix a potential resource leak when a JNDI lookup returns an object of an
incompatible class. Identified by Coverity scan. (markt)
</fix>
<scode>
Refactor <code>ManagerServlet</code> to avoid loading classes when
filtering JNDI resources for resources of a specified type. (markt)
</scode>
<fix>
<bug>63324</bug>: Refactor the <code>CrawlerSessionManagerValve</code>
so that the object placed in the session is compatible with session
serialization with mem-cached. Patch provided by Martin Lemanski.
(markt)
</fix>
<add>
<bug>63358</bug>: Expand the <code>throwOnFailure</code> support in the
<code>Connector</code> to include the adding of a <code>Connector</code>
to a running <code>Service</code>. (markt)
</add>
<add>
<bug>63361</bug>: Add a new method
(<code>Registry.disableRegistry()</code>) that can be used to disable
JMX registration of Tomcat components providing it is called before the
first component is registered. (markt)
</add>
<fix>
Avoid <code>OutOfMemoryError</code>s and
<code>ArrayIndexOutOfBoundsException</code>s when accessing large files
via the default servlet when resource caching has been disabled. (markt)
</fix>
<fix>
Avoid a <code>NullPointerException</code> when a <code>Context</code> is
defined in <code>server.xml</code> with a <code>docBase</code> but not
the optional <code>path</code>. (markt)
</fix>
<fix>
<bug>63333</bug>: Override the <code>isAvailable()</code> method in the
<code>JAASRealm</code> so that only login failures caused by invalid
credentials trigger account lock out when the <code>LockOutRealm</code>
is in use. Patch provided by jchobantonov. (markt)
</fix>
<fix>
Add <code>--no-jmx</code> flag to allow disabling JMX in
<code>startup.Tomcat.main</code>. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
The <code>useAsyncIO</code> boolean attribute on the Connector element
value now defaults to <code>true</code>. (remm)
</fix>
<fix>
Possible HTTP/2 connection leak issue when using async with NIO. (remm)
</fix>
<fix>
Fix socket close discrepancies for NIO, now the wrapper close
is used everywhere except for socket accept problems. (remm)
</fix>
<fix>
Implement poller timeout when using async IO with NIO. (remm)
</fix>
<fix>
Avoid creating and using object caches when they are disabled. (remm)
</fix>
<fix>
When running on newer JREs that don't support SSLv2Hello, don't warn
that it is not available unless explicitly configured. (markt)
</fix>
<fix>
Change default value of <code>pollerThreadCount</code> of NIO
to <code>1</code>. (remm)
</fix>
<fix>
Associate BlockPoller thread name with its NIO connector for better
readability. (remm)
</fix>
<fix>
The async HTTP/2 frame parser should tolerate concurrency so clearing
shared buffers before attempting a read is not possible. (remm)
</fix>
<update>
Update the HTTP/2 connection preface and initial frame reading to be
asynchronous instead of blocking IO. (remm)
</update>
<scode>
Refactor Hostname validation to improve performance. Patch provided by
Uwe Hees. (markt)
</scode>
<update>
Add additional NIO2 style read and write methods closer to core NIO2,
for possible use with an asynchronous workflow like CompletableFuture.
(remm)
</update>
<fix>
Expand HTTP/2 timeout handling to include connection window exhaustion
on write. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>63359</bug>: Ensure that the type conversions used when converting
from strings for <code>jsp:setProperty</code> actions are correctly
implemented as per section JSP.1.14.2.1 of the JSP 2.3 specification.
(markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
<bug>63335</bug>: Ensure that stack traces written by the
<code>OneLineFormatter</code> are fully indented. The entire stack trace
is now indented by an additional TAB character. (markt)
</fix>
<fix>
<bug>63370</bug>: Message files (LocalStrings_*.properties) of the
examples webapp not converted to ascii. (woonsan)
</fix>
<add>
Expand the coverage and quality of the French translations provided
with Apache Tomcat. (remm)
</add>
<add>
Expand the coverage and quality of the Japanese translations provided
with Apache Tomcat. Includes contributions by motohashi.yuki. (markt)
</add>
<add>
Expand the coverage and quality of the Czech translations provided
with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
</add>
<fix>
When using the <code>OneLineFormatter</code>, don't print a blank line
in the log after printing a stack trace. (markt)
</fix>
<update>
Update the internal fork of Apache Commons FileUpload to 41e4047
(2019-04-24) to pick up some enhancements. (markt)
</update>
<update>
Update the internal fork of Apache Commons DBCP 2 to dcdbc72
(2019-04-24) to pick up some clean-up and enhancements. (markt)
</update>
<update>
Update the internal fork of Apache Commons Pool 2 to 0664f4d
(2019-04-30) to pick up some enhancements and bug fixes. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.19 (markt)" rtext="2019-04-13">
<subsection name="Catalina">
<changelog>
<fix>
Fix wrong JMX registration regression in 9.0.18. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<update>
Add vectoring for NIO in the base and SSL channels. (remm)
</update>
<add>
Add asynchronous IO from NIO2 to the NIO connector, with support for
the async IO implementations for HTTP/2 and Websockets. The
<code>useAsyncIO</code> boolean attribute on the Connector element
allows enabling use of the asynchronous IO API. (remm)
</add>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
Ensure that the correct files are included in the source distribution
for javacc based parsers depending on whether jjtree is used or not.
(markt)
</fix>
<fix>
Ensure that text files in the source distribution have the correct line
endings for the target platform. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.18 (markt)" rtext="not released">
<subsection name="Catalina">
<changelog>
<fix>
<bug>63196</bug>: Provide a default (<code>X-Forwarded-Proto</code>) for
the <code>protocolHeader</code> attribute of the
<code>RemoteIpFilter</code> and <code>RemoteIpValve</code>. (markt)
</fix>
<fix>
<bug>63235</bug>: Refactor Charset cache to reduce start time. (markt)
</fix>
<fix>
<bug>63249</bug>: Use a consistent log level (<code>WARN</code>) when
logging the failure to register or deregister a JMX Bean. (markt)
</fix>
<fix>
<bug>63249</bug>: Use a consistent log level (<code>ERROR</code>) when
logging the <code>LifecycleException</code> associated with the failure
to start or stop a component. (markt)
</fix>
<fix>
When the SSI directive <code>fsize</code> is used with an invalid
target, return a file size of <code>-</code> rather than
<code>1k</code>. (markt)
</fix>
<fix>
<bug>63251</bug>: Implement a work-around for a known JRE bug (<a
href="https://bugs.openjdk.java.net/browse/JDK-8194653">JDK-8194653</a>)
that may cause a dead-lock when Tomcat starts. (markt)
</fix>
<fix>
<bug>63275</bug>: When using a <code>RequestDispatcher</code> ensure
that <code>HttpServletRequest.getContextPath()</code> returns an encoded
path in the dispatched request. (markt)
</fix>
<update>
Add optional listeners for Server/Listener, as a slight variant of
a standard listener. The difference is that loading is not fatal when
it fails. This would allow adding example configuration to the standard
server.xml if deemed useful. Storeconfig will not attempt to persist
the new listener. (remm)
</update>
<fix>
<bug>63286</bug>: Document the differences in behaviour between the
<code>LogFormat</code> directive in httpd and the <code>pattern</code>
attribute in the <code>AccessLogValve</code> for <code>%D</code> and
<code>%T</code>. (markt)
</fix>
<fix>
<bug>63287</bug>: Make logging levels more consistent for similar issues
of similar severity. (markt)
</fix>
<fix>
<bug>63311</bug>: Add support for https URLs to the local resolver within
Tomcat used to resolve standard XML DTDs and schemas when Tomcat is
configured to validate XML configuration files such as web.xml. (markt)
</fix>
<fix>
Encode the output of the SSI <code>printenv</code> command. (markt)
</fix>
<scode>
Use constants for SSI encoding values. (markt)
</scode>
<add>
When the CGI Servlet is configured with
<code>enableCmdLineArguments</code> set to true, limit the encoded form
of the individual command line arguments to those values allowed by RFC
3875. This restriction may be relaxed by the use of the new
initialisation parameter <code>cmdLineArgumentsEncoded</code>. (markt)
</add>
<add>
When the CGI Servlet is configured with
<code>enableCmdLineArguments</code> set to true, limit the decoded form
of the individual command line arguments to known safe values when
running on Windows. This restriction may be relaxed by the use of the
new initialisation parameter <code>cmdLineArgumentsDecoded</code>. This
is the fix for CVE-2019-0232. (markt)
</add>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Fix bad interaction between NIO2 async read API and the regular read.
(remm)
</fix>
<fix>
Refactor NIO2 write pending strategy for the classic IO API. (remm)
</fix>
<fix>
Restore original maxConnections default for NIO2 as the underlying
close issues have been fixed. (remm)
</fix>
<fix>
Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm)
</fix>
<fix>
When using a JSSE TLS connector that supported ALPN (Java 9 onwards) and
a protocol was not negotiated, Tomcat failed to fall back to HTTP/1.1 and
instead dropped the connection. (markt)
</fix>
<fix>
Correct a regression in the TLS connector refactoring in Tomcat 9.0.17
that prevented the use of PKCS#8 private keys with OpenSSL based
connectors. (markt)
</fix>
<fix>
Fix NIO2 SSL edge cases. (remm)
</fix>
<fix>
When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any
query string present in the original HTTP/1.1 request is passed to the
HTTP/2 request processing. (markt)
</fix>
<fix>
When Tomcat writes a final response without reading all of an HTTP/2
request, reset the stream to inform the client that the remaining
request body is not required. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<add>
Add support for specifying Java 11 (with the value <code>11</code>) as
the compiler source and/or compiler target for JSP compilation. (markt)
</add>
<add>
Add support for specifying Java 12 (with the value <code>12</code>) and
Java 13 (with the value <code>13</code>) as the compiler source and/or
compiler target for JSP compilation. If used with an ECJ version that
does not support these values, a warning will be logged and the latest
supported version will be used. Based on a patch by Thomas Collignon.
(markt)
</add>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
<bug>63184</bug>: Expand the SSI documentation to provide more
information on the supported directives and their attributes. Patch
provided by nightwatchcyber. (markt)
</fix>
<add>
Add a note to the documentation about the risk of DoS with poorly
written regular expressions and the <code>RewriteValve</code>. Patch
provided by salgattas. (markt)
</add>
</changelog>
</subsection>
<subsection name="jdbc-pool">
<changelog>
<fix>
Improved maxAge handling. Add support for age check on idle connections.
A connection that has expired is reconnected rather than closed. Patch provided
by toby1984. (kfujino)
</fix>
<fix>
<bug>63320</bug>: Ensure that <code>StatementCache</code> caches
statements that include arrays in arguments. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Update to the Eclipse JDT compiler 4.10. (markt)
</update>
<add>
Expand the coverage and quality of the Spanish translations provided
with Apache Tomcat. Includes contributions by Ulises Gonzalez Horta.
(markt)
</add>
<add>
Expand the coverage and quality of the Czech translations provided
with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
</add>
<add>
Expand the coverage and quality of the Chinese translations provided
with Apache Tomcat. Includes contributions by winsonzhao and wjt.
(markt)
</add>
<add>
Expand the coverage and quality of the Russian translations provided
with Apache Tomcat. (kkolinko)
</add>
<add>
Expand the coverage and quality of the Japanese translations provided
with Apache Tomcat. (kfujino)
</add>
<add>
Expand the coverage and quality of the Korean translations provided
with Apache Tomcat. (woonsan)
</add>
<add>
Expand the coverage and quality of the German translations provided
with Apache Tomcat. (fschumacher)
</add>
<add>
Expand the coverage and quality of the French translations provided
with Apache Tomcat. (remm)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.17 (markt)" rtext="2019-03-18">
<subsection name="Catalina">
<changelog>
<fix>
Refactor how cookies are transferred from the base request to a
<code>PushBuilder</code> so that they are accessible, and may be edited,
via the standard <code>PushBuilder</code> methods for working with HTTP
headers. (markt)
</fix>
<update>
Simplify the value of <code>jarsToSkip</code> property in
<code>catalina.properties</code> file for tomcat-i18n jar files.
Use prefix pattern instead of listing each language. (kkolinko)
</update>
<fix>
Restore the getter and setter for the access log valve attribute
<code>maxLogMessageBufferSize</code> that were accidentally removed.
(markt)
</fix>
<add>
<bug>63206</bug>: Add a new attribute to <code>Context</code> -
<code>createUploadTargets</code> which, if <code>true</code> enables
Tomcat to create the temporary upload location used by a Servlet if the
location specified by the Servlet does not already exist. The default
value is <code>false</code>. (markt)
</add>
<fix>
<bug>63210</bug>: Ensure that the Apache Commons DBCP 2 based default
connection pool is correctly shutdown when it is no longer required.
This ensures that a non-daemon thread is not left running that will
prevent Tomcat from shutting down cleanly. (markt)
</fix>
<fix>
<bug>63213</bug>: Ensure the correct escaping of group names when
searching for nested groups when the JNDIRealm is configured with
<code>roleNested</code> set to <code>true</code>. (markt)
</fix>
<fix>
<bug>63236</bug>: Use <code>String.intern()</code> as suggested by
Phillip Webb to reduce memory wasted due to String duplication. This
change saves ~245k when starting a clean installation. With additional
thanks to YourKit Java profiler for helping to track down the wasted
memory and the root causes. (markt)
</fix>
<fix>
<bug>63246</bug>: Fix a potential <code>NullPointerException</code> when
calling <code>AsyncContext.dispatch()</code>. (markt)
</fix>
<fix>
Always use the absolute path of the <code>docBase</code> during the
deployment process to determine the Context name, deployment type,
whether the <code>docBase</code> is located within the
<code>appBase</code> etc. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
When performing an HTTP/1.1 upgrade to HTTP/2 (h2c) ensure that the hostname
and port from the HTTP/1.1 Host header of the upgraded request are made
available via the standard methods
<code>ServletRequest.getServerName()</code> and
<code>ServletRequest.getServerPort()</code>. (markt)
</fix>
<fix>
Refactor the APR/Native endpoint TLS configuration code to enable JSSE
style configuration - including JKS keystores - to be used with the
APR/Native connector. (markt)
</fix>
<add>
With the TLS configuration refactoring, the configuration attributes
<code>sessionCacheSize</code> and <code>sessionTimeout</code> are no
longer limited to JSSE implementations. They may now be used with
OpenSSL implementations as well. (markt)
</add>
<fix>
Refactor NIO2 read pending strategy for the classic IO API. (remm)
</fix>
<fix>
<bug>63182</bug>: Avoid extra read notifications for HTTP/1.1 with
NIO2 when using asynchronous threads. (remm)
</fix>
<add>
<bug>63205</bug>: Add a work-around for a known
<a href="https://bugs.openjdk.java.net/browse/JDK-8157404">JRE KeyStore
loading bug</a>. (markt)
</add>
<fix>
NIO2 should try to use SocketTimeoutException everywhere rather than a
mix of it and InterruptedByTimeout. (remm)
</fix>
<fix>
Correct an error in the request validation that meant that HTTP/2 push
requests always resulted in a 400 response. (markt)
</fix>
<fix>
<bug>63223</bug>: Correctly account for push requests when tracking
currently active HTTP/2 streams. (markt)
</fix>
<fix>
Ensure enough buffer space when using TLS with NIO2 by using the main
read buffer to store additional decrypted data. (remm)
</fix>
<fix>
Verify HTTP/2 stream is still writable before assuming a timeout
occurred. (remm)
</fix>
<fix>
Avoid some overflow cases with OpenSSL to improve efficiency, as the
OpenSSL engine has an internal buffer. (remm)
</fix>
<fix>
Harmonize HTTP/1.1 NIO2 keepalive code. (remm)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<scode>
Remove the <code>STREAMS_DROP_EMPTY_MESSAGES</code> system property that
was introduced to work-around four failing TCK tests. An alternative
solution has been implemented. Sending messages via
<code>getSendStream()</code> and <code>getSendWriter()</code> will now
only result in messages on the wire if data is written to the
<code>OutputStream</code> or <code>Writer</code>. Writing zero length
data will result in an empty message. Note that sending a message via an
<code>Encoder</code> may result in the message being sent via
<code>getSendStream()</code> or <code>getSendWriter()</code>. (markt)
</scode>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
Fix messages used by Manager and Host Manager web applications.
Disambiguate message keys used when adding or removing a host.
Improve display of summary values on the status page: separate
terms and values with a whitespace. Improve wording of messages
for expire sessions command. (kkolinko)
</fix>
<fix>
Do not add CSRF nonce parameter and suppress Referer header for external
links in Manager and Host Manager web applications. (kkolinko)
</fix>
</changelog>
</subsection>
<subsection name="Tribes">
<changelog>
<add>
Add a feature that discovers the local member from the static member list.
(kfujino)
</add>
<fix>
Ensure that members registered in the addSuspects list are static
members. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<add>
Expand the coverage and quality of the French translations provided
with Apache Tomcat. (remm)
</add>
<fix>
<bug>63041</bug>: Revert the changes for <bug>53930</bug> that added
support for the <code>CATALINA_OUT_CMD</code> environment variable as
they prevented correct operation with systemd configurations that did
not explicitly specify a PID file. (markt)
</fix>
<add>
Expand the coverage and quality of the Russian translations provided
with Apache Tomcat. (kkolinko)
</add>
<fix>
Fix the artifactId of <code>tomcat-i18n-cs</code>. (rjung)
</fix>
<add>
Expand the coverage and quality of the Korean translations provided
with Apache Tomcat. (woonsan)
</add>
<add>
Expand the coverage and quality of the Chinese translations provided
with Apache Tomcat. Includes contributions by winsonzhao. (markt)
</add>
<add>
Expand the coverage and quality of the Czech translations provided
with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
</add>
<add>
Expand the coverage and quality of the Spanish translations provided
with Apache Tomcat. Includes contributions by Ulises Gonzalez Horta.
(markt)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.16 (markt)" rtext="2019-02-08">
<subsection name="Web applications">
<changelog>
<fix>
Use client's preferred language for the Server Status page of the
Manager web application. Review and fix several cases when the
client's language preference was not respected in Manager and
Host Manager web applications. (kkolinko)
</fix>
<fix>
<bug>63141</bug>: Ensure that translated manager response strings still
start with <code>OK -</code> where expected by the associated Ant tasks.
(markt)
</fix>
<fix>
<bug>63143</bug>: Ensure that the Manager web application respects the
language preferences of the user as configured in the browser when the
language of the default system locale is not English. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Tribes">
<changelog>
<fix>
Remove unnecessary shutdown for executor. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Update the NSIS Installer used to build the Windows installer to version
3.04. (markt)
</update>
<add>
Add Czech translations to Apache Tomcat. Includes contributions from
Arnošt Havelka and Alice. (markt)
</add>
<add>
Expand the coverage and quality of the Spanish translations provided
with Apache Tomcat. Includes contributions from Ulises Gonzalez Horta.
(markt)
</add>
<add>
Expand the coverage and quality of the French translations provided
with Apache Tomcat. (remm)
</add>
<add>
Expand the coverage and quality of the Korean translations provided
with Apache Tomcat. (woonsan)
</add>
<add>
Expand the coverage and quality of the Japanese translations provided
with Apache Tomcat. Includes contributions from Yujiorama. (markt)
</add>
<add>
Expand the coverage and quality of the Chinese translations provided
with Apache Tomcat. Includes contributions from zheng. (markt)
</add>
<add>
Expand the coverage and quality of the Russian translations provided
with Apache Tomcat. (kkolinko)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.15 (markt)" rtext="not released">
<subsection name="Catalina">
<changelog>
<fix>
<bug>54741</bug>: Add a new method,
<code>Tomcat.addWebapp(String,URL)</code>, that allows a web application
to be deployed from a URL when using Tomcat in embedded mode. (markt)
</fix>
<fix>
<bug>63002</bug>: Fix setting rewrite qsdiscard flag. (remm)
</fix>
<fix>
Implement the requirements of section 8.2.2 2c of the Servlet
specification and prevent a web application from deploying if it has
fragments with duplicate names and is configured to use relative
ordering of fragments. (markt)
</fix>
<fix>
Ensure that the HEAD response is consistent with the GET response when
<code>HttpServlet</code> is relied upon to generate the HEAD response
and the GET response uses chunking. (markt)
</fix>
<fix>
Ensure that the <code>ServletOutputStream</code> implementation is
consistent with the requirements of asynchronous I/O and that all of the
write methods use a single write rather than multiple writes. (markt)
</fix>
<fix>
Correct the Javadoc for <code>Context.getDocBase()</code> and
<code>Context.setDocBase()</code> and remove text that indicates that a
URL may be used for the <code>docBase</code> as this has not been the
case for quite some time. (markt)
</fix>
<update>
Add basic health check valve. (remm)
</update>
<fix>
Correct a bug exposed in 9.0.14 and ensure that Tomcat terminates in
a timely manner when running as a service. (markt)
</fix>
<fix>
Log a message when using a Connector that requires APR without enabling
the <code>AprLifecycleListener</code> first. (csutherl)
</fix>
<fix>
Utility thread count for special negative or zero values will again be
based on <code>Runtime.getRuntime().availableProcessors()</code>. (remm)
</fix>
<scode>
Treat I/O errors during request body reads the same way as I/O errors
during response body writes. The errors are treated as client side
errors rather than server side errors and only logged at debug level.
(markt)
</scode>
<fix>
<bug>63038</bug>: Ensure that a <code>ClassNotFoundException</code> is
thrown when attempting to load a class from a corrupted JAR file.
(markt)
</fix>
<fix>
<bug>63078</bug>: Ensure the utility thread pool is at least two, as the
deployer uses a blocking pattern. (remm, markt)
</fix>
<add>
Make the removal of leading and trailing whitespace from credentials
passed to BASIC authentication configurable via a new attribute,
<code>trimCredentials</code> on the <code>BasicAuthenticator</code>.
(markt)
</add>
<fix>
<bug>63003</bug>: Extend the <code>unloadDelay</code> attribute on a
<code>Context</code> to include in-flight asynchronous requests. (markt)
</fix>
<add>
<bug>63026</bug>: Add a new attribute, <code>forceDnHexEscape</code>, to
the <code>JNDIRealm</code> that forces escaping in the String
representation of a distinguished name to use the <code>\nn</code> form.
This may avoid issues with realms using Active Directory, which appears
to be more tolerant of optional escaping when the <code>\nn</code> form
is used. (markt)
</add>
<fix>
Avoid a swallowed (and therefore ignored) access failure during web
application class loading when running under a
<code>SecurityManager</code>. (markt)
</fix>
<update>
Add SSL configuration options to the JMX remote listener using the
<code>SSLHostConfig</code> framework. (remm)
</update>
<update>
Update the recommended minimum Tomcat Native version to 1.2.21. (markt)
</update>
<fix>
<bug>63137</bug>: If the resources for a web application have been
configured with multiple locations mapped to
<code>/WEB-INF/classes</code>, ensure that all of those locations are
used when building the web application class path. Patch provided by
Marcin Gołębski. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<add>
<bug>63009</bug>: Include the optional <code>content-length</code>
header in HTTP/2 responses where an appropriate value is available.
(markt)
</add>
<fix>
<bug>63022</bug>: Do not use the socket open state when using the
wrapper <code>isClosed</code> method for NIO and NIO2, as it will disable
all further processing. (remm)
</fix>
<fix>
Fix socket close discrepancies for NIO2. The wrapper close is now
used everywhere except for socket accept problems. (remm)
</fix>
<fix>
Fix use of write timeout instead of read timeout for HTTP/2 NIO2
frame read. (remm)
</fix>
<fix>
Fix incorrect APR sendfile thread stop. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>63056</bug>: Correct a regression in the fix for <bug>53737</bug>
that did not correctly scan the web application directory structure for
JSPs. (markt)
</fix>
<fix>
Update the performance optimisation for using expressions in tags that
depend on uninitialised tag attributes with implied scope to make the
performance optimisation aware of the new public class
(<code>java.lang.Enum$EnumDesc</code>) added in Java 12. (markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>57974</bug>: Ensure the implementation of
<code>Session.getOpenSessions()</code> returns the correct value for both
client-side and server-side calls. (markt)
</fix>
<fix>
<bug>63019</bug>: Use payload remaining bytes rather than limit when
writing. Submitted by Benoit Courtilly. (remm)
</fix>
<fix>
When running under a <code>SecurityManager</code>, ensure that the
<code>ServiceLoader</code> look-up for the default
<code>javax.websocket.server.ServerEndpointConfig.Configurator</code>
implementation completes correctly rather than silently using the
hard-coded fall-back. (markt)
</fix>
<fix>
Ensure that the network connection is closed if the client receives an
I/O error trying to communicate with the server. (markt)
</fix>
<fix>
Ignore synthetic methods when scanning POJO methods. (markt)
</fix>
<fix>
Implement the requirements of section 5.2.1 of the WebSocket 1.1
specification and ensure that if the deployment of one Endpoint fails,
no Endpoints are deployed for that web application. (markt)
</fix>
<fix>
Implement the requirements of section 4.3 of the WebSocket 1.1
specification and ensure that the deployment of an Endpoint fails if
<code>@PathParam</code> is used with an invalid parameter type. (markt)
</fix>
<fix>
Ensure a <code>DeploymentException</code> rather than an
<code>IllegalArgumentException</code> is thrown if a method annotated
with <code>@OnMessage</code> does not conform to the requirements set
out in the Javadoc. (markt)