Update to 8.5.37
Changelog:
Tomcat 8.5.37 (markt)
Catalina
Update: Update the recommended minimum Tomcat Native version to 1.2.19. (markt)
Other
Update: Update the packaged version of the Tomcat Native Library to 1.2.19 to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1a. (markt)
not released Tomcat 8.5.36 (markt)
Catalina
Fix: 62788: Add explicit logging configuration to write log files using UTF-8 to align with Tomcat's use of UTF-8 by default elsewhere. (markt)
Fix: The default Servlet should not override a previously set content-type. (remm)
Add: 62897: Provide a property (clearReferencesThreadLocals) on the standard Context implementation that enables the check for memory leaks via ThreadLocals to be disabled because this check depends on the use of an API that has been deprecated in later versions of Java. (markt)
Fix: Fix more storeconfig issues with duplicated SSL attributes. (remm)
Fix: 62968: Avoid unnecessary (and relatively expensive) getResources() call in the Mapper when processing rule 7. (markt)
Fix: 62978: Update the RemoteIpValve to handle multiple values in the x-forwarded-proto header. Patch provided by Tom Groot. (markt)
Fix: Update the RemoteIpFilter to handle multiple values in the x-forwarded-proto header. Based on a patch provided by Tom Groot. (markt)
Code: 62986: Refactor the code that performs class scanning during web application start to make integration simpler for downstream users. Patch provided by rmannibucau. (markt)
Fix: 62988: Fix the LoadBalancerDrainingValve so it works when the session cookie configuration is not explicitly declared. Based on a patch provided by Andreas Kurth. (markt)
Fix: 63002: Fix setting rewrite qsdiscard flag. (remm)
Fix: Implement the requirements of section 8.2.2 2c of the Servlet specification and prevent a web application from deploying if it has fragments with duplicate names and is configured to use relative ordering of fragments. (markt)
Coyote
Fix: Avoid an exception when using Tomcat Native built with a version of OpenSSL that does not support TLSv1.3. (markt)
Fix: 62899: Prevent the incorrect timing out of connections when Servlet non-blocking I/O is used to read a request body over an HTTP/2 stream. (markt)
Fix: Avoid bad SSLHostConfig JMX registrations before init. (remm)
Jasper
Add: 53737: Extend JspC, the precompilation tool, to include support for resource JARs. (markt)
Fix: 62976: Avoid an IllegalStateException when using background compilation when tag files are packaged in JAR files. (markt)
Web applications
Fix: 62918: Filter out subtype mbeans to avoid breaking the connector status page. (remm)
Other
Fix: Prevent an error when running in a Cygwin shell and the JAVA_ENDORSED_DIRS system property is empty. Patch provided by Zemian Deng. (markt)
Add: 53930: Add support for the CATALINA_OUT_CMD environment variable that defines a command to which captured stdout and stderr will be redirected. Patch provided by Casey Lucas. (markt)
2018-11-07 Tomcat 8.5.35 (markt)
Catalina
Add: 61692: Add the ability to control which HTTP methods are handled by the CGI Servlet via a new initialization parameter cgiMethods. (markt)
Fix: 62687: Expose content length information for resources when using a compressed war. (remm)
Fix: 62737: Fix rewrite substitutions parsing of {} nesting. (remm)
Fix: Add rewrite flags output when getting the rewrite configuration back. (remm)
Fix: Add missing qsdiscard flag to the rewrite flags as a cleaner way to discard the query string. (remm)
Fix: Add documentation about the files context.xml.default and web.xml.default that can be used to customize conf/context.xml and conf/web.xml on a per host basis. (fschumacher)
Fix: Ensure that a canonical path is always used for the docBase of a Context to ensure consistent behaviour. (markt)
Fix: 62803: Fix SSL connector configuration processing in storeconfig. (remm)
Fix: 62797: Pass throwable to keep client aborts with status 200 rather than 500. Patch submitted by zikfat. (remm)
Fix: 62809: Correct a regression in the implementation of DIGEST authentication support for the Deployer Ant tasks (bug 45832) that prevented the DeployTask from working when authentication was required. (markt)
Update: Update the recommended minimum Tomcat Native version to 1.2.18. (markt)
Add: Ignore an attribute named source on Context elements provided by StandardContext. This is to suppress warnings generated by the Eclipse / Tomcat integration provided by Eclipse. Based on a patch by mdfst13. (markt)
Add: 62830: Added JniLifeCycleListener and static methods Library.loadLibrary(libraryName) and Library.load(filename) to load a native library by a shared class loader so that more than one Webapp can use it. (isapir)
Fix: Correct a typo in the Spanish resource files. Patch provided by Diego Agulló. (markt)
Fix: 62868: Order the Enumeration<URL> provided by WebappClassLoaderBase.getResources(String) according to the setting of the delegate flag. (markt)
Coyote
Add: Add TLSv1.3 to the default protocols and to the all alias for JSSE based TLS connectors when running on a JVM that supports TLS version 1.3. One such JVM is OpenJDK version 11. (rjung)
Fix: 62685: Correct an error in host name validatin parsing that did not allow a fully qualified domain name to terminate with a period. Patch provided by AG. (markt)
Fix: 62739: Do not reject requests with an empty HTTP Host header. Such requests are unusual but not invalid. Patch provided by MichaeNIO2 connector when using the OpenSSL backed JSSE implementation. (schultz/markt)
Fix: 62791: Remove an unnecessary check in the NIO TLS implementation that prevented from secure WebSocket connections from being established. (markt)
Fix: Fix servesed by the fix for 53492, that caused the JSP compiler to hang. (markt)
Fix: 62721: Correct generation of web.xml header when using JspC. (markt)
Fix: 62757: Correct a regression in the fix for 62603 that caused NullPointerExceptions when compiling tag files on first access when development mode was disabled and background compilation was enabled. Based on a patch by Jordi Llach. (markt)
WebSocket
Fix: 62731: Make the URI returned by HandshakeRequest.getRequestURI() and Session.getRequestURI() absolute so that the scheme, host and port are accessible. (markt)
Web applications
Fix: 62676: Expand the CORS filter documentation to make it clear that explicit configuration is required to enable support for cross-origin requests. (markt)
Fix: 62712: Correct NPE in Manager application when attempting to view configured certificates for an APR/native TLS connector. (markt)
Fix: 62761: Correct the advanced CORS example in the Filter documentation to use a valid configuration. (markt)
Fix: 62786: Add a note to the Context documentation to explain that, by default, settings for a Context element defined in server.xml will be overwritten by settings specified in a default context file such as conf/context.xml. (markt)
Fix: Create a little visual separation between the Undeploy button and the other buttons in the Manager application. Patch provided by Łukasz Jąder. (markt)
Other
Update: Update the internal fork of Apache Commons Pool 2 to d4e0e88 (2018-09-12) to pick up some bug fixes and enhancements. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.18 to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1. (markt)
2018-09-10 Tomcat 8.5.34 (markt)
Catalina
Add: Make the isLocked() method of the LockOutRealm public and expose the method via JMX. (markt)
Fix: Improve the handling of path parameters when working with RequestDispatcher objects. (markt)
Fix: 62664: Process requests with content type multipart/form-data to servlets with a @MultipartConfig annotation regardless of HTTP method. (markt)
Fix: 62667: Add recursion to rewrite substitution parsing. (remm)
Fix: 62669: When using the SSIFilter and a resource does not specify a content type, do not force the content type to application/x-octet-stream. (markt)
Fix: 62670: Adjust the memory leak protection for the DriverManager so that JDBC drivers located in $CATALINA_HOME/lib and $CATALINA_BASE/lib are loaded via the service loader mechanism when the protection is enabled. (markt)
Fix: When generating a redirect to a directory in the Default Servlet, avoid generating a protocol relative redirect. (markt)
Coyote
Fix: Fix potential deadlocks when using asynchronous Servlet processing with HTTP/2 connectors. (markt)
Fix: 62620: Fix corruption of response bodies when writing large bodies using asynchronous processing over HTTP/2. (markt)
Fix: 62628: Additional fixes for output corruption of response bodies when writing large bodies using asynchronous processing over HTTP/2. (markt)
Jasper
Fix: Correct the JSP version in the X-PoweredBy HTTP header generated when the xpoweredBy option is enabled. (markt)
Fix: 62662: Fix the corruption of web.xml output during JSP compilation caused by the fix for 53492. Patch provided by Bernhard Frauendienst. (markt)
Web applications
Add: Expand the information in the documentation web application regarding the use of CATALINA_HOME and CATALINA_BASE. Patch provided by Marek Czernek. (markt)
Fix: 62652: Make it clearer that the version of DBCP that is packaged in Tomcat 8.5.x is DBCP 2. Correct the names of some DBCP 2 configuration attributes that changed between 1.x and 2.x. (markt)
Add: 62666: Expand internationalisation support in the Manager application to include the server status page and provide Russian translations in addition to English. Patch provided by Artem Chebykin. (markt)
Other
Fix: Switch the build script to use http for downloads from an ASF mirror using the closer.lua script to avoid failures due to HTTPS to HTTP redirects. (rjung)
2018-08-17 Tomcat 8.5.33 (markt)
Catalina
Fix: Ensure that the HTTP Vary header is set correctly when using the CORS filter and improve the cacheability of requests that pass through the COPRS filter. (markt)
Fix: 62527: Revert restriction of JNDI to the java: namespace. (remm)
Add: Introduce a new class - MultiThrowable - to report exceptions when multiple actions are taken where each action may throw an exception but all actions are taken before any errors are reported. Use this new class when reporting multiple container (e.g. web application) failures during start. (markt)
Fix: Correctly decode URL paths (+ should not be decoded to a space in the path) in the RequestDispatcher and the web application class loader. (markt)
Add: Make logout more robust if JASPIC subject is unexpectedly unavailable. (markt)
Fix: 62547: JASPIC cleanSubject() was not called on logout when the authenticator was configured to cache the authenticated Principal. Patch provided by Guillermo González de Agüero. (markt)
Add: 62559: Add jaxb-*.jar to the list of JARs ignored by StandardJarScanner. (markt)
Add: 62560: Add oraclepki.jar to the list of JARs ignored by StandardJarScanner. (markt)
Add: 62607: Return a non-zero exit code from catalina.[bat|sh] run if Tomcat fails to start. (markt)
Code: Remove ServletException from declaration of Tomcat.addWebapp(String,String) since it is never thrown. Patch provided by Tzafrir. (markt)
Fix: Use short circuit logic to prevent potential NPE in CorsFilter. (fschumacher)
Code: Simplify construction of appName from container name in JAASRealm. (fschumacher)
Coyote
Update: 60560: Add support for using an inherited channel to the NIO connector. Based on a patch submitted by Thomas Meyer with testing and suggestions by Coty Sutherland. (remm)
Fix: 62507: Ensure that JSSE based TLS connectors work correctly with a DKS keystore. Note: DKS keystores require Java 8 or later. (markt)
Fix: Refactor code that adds an additional header name to the Vary HTTP response header to use a common utility method that addresses several additional edge cases. (markt)
Fix: 62515: When a connector is configured (via setting bindOnInit to false) to bind/unbind the server socket during start/stop, close the socket earlier in the stop process so new connections do not sit in the TCP backlog during the shutdown process only to be dropped as stop completes. In this scenario new connections will now be refused immediately. (markt)
Fix: 62526: Correctly handle PKCS12 format key stores when the key store password is configured to be the empty string. (markt)
Fix: Fix error in back-port of HTTP/2 compression that meant compression was never enabled. (markt)
Fix: 62605: Ensure ReadListener.onDataAvailable() is called when the initial request body data arrives after the request headers when using asynchronous processing over HTTP/2. (markt)
Fix: 62614: Ensure that WriteListener.onWritePossible() is called after isReady() returns false and the window size is subsequently incremented when using asynchronous processing over HTTP/2. (markt)
Jasper
Fix: 53011: When pre-compiling with JspC, report all compilation errors rather than stopping after the first error. A new option -failFast can be used to restore the previous behaviour of stopping after the first error. Based on a patch provided by Marc Pompl. (markt)
Add: 53492: Make the Java file generation process multi-threaded. By default, one thread will be used per core. Based on a patch by Dan Fabulich. (markt)
Add: 62453: Add a performance optimisation for using expressions in tags that depend on uninitialised tag attributes with implied scope. Generally, using an explicit scope with tag attributes in EL is the best way to avoid various potential performance issues. (markt)
Fix: Correctly decode URL paths (+ should not be decoded to a space in the path) in the Jasper class loader. (markt)
Fix: 62603: Fix a potential race condition when development mode is disabled and background compilation checks are enabled. It was possible that some updates would not take effect and/or ClassNotFoundExceptions would occur. (markt)
WebSocket
Fix: 62596: Remove the limit on the size of the initial HTTP upgrade request used to establish the web socket connection. (markt)
Web applications
Add: 61565: Add the ability to trigger a reloading of TLS host configuration (certificate and key files, server.xml is not re-parsed) via the Manager web application. (markt)
Add: 62558: Add Russian translations for the Manager and Host Manager web applications. Based on a patch by Ivan Krasnov. (markt)
Add: 62561: Add advanced class loader configuration information regarding the use of the Server and Shared class loaders to the documentation web application. (markt)
Tribes
Fix: Ensures that the specified rxBufSize is correctly set to receiver buffer size. (kfujino)
Other
Update: Support building with Java 9+ while preserving the Java 7 compatibility at runtime (requires Ant 1.9.8 or later). (ebourg)
Update: Update WSDL4J library to version 1.6.3 (from 1.6.2). (kkolinko)
Update: Update JUnit library to version 4.12 (from 4.11). (kkolinko)
Update: Downgrade CGLib library used for testing with EasyMock to version 2.2.2 (from 2.2.3) as version 2.2.3 is not available from Maven Central. (markt/kkolinko)
Add: Implement checksum checks when downloading dependencies that are used to build Tomcat. (kkolinko)
Fix: Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg)
Update: Update the internal fork of Apache Commons Pool 2 to 3e02523 (2018-08-09) to pick up some bug fixes and enhancements. (markt)
Update: Update the internal fork of Apache Commons DBCP 2 to abc0484 (2018-08-09) to pick up some bug fixes and enhancements. (markt)
Fix: Correct various spelling errors throughout the source code and documentation. Patch provided by Kazuhiro Sera. (markt)
UnifiedSplitRaw
