The Apache Tomcat Servlet/JSP Container

Apache Tomcat 6.0

Version 6.0.53, Apr 2 2017

Changelog

Tomcat 6.0.53 (violetagg)
Coyote
fix Ensure that the socket is returned only once to the poller. (violetagg)
Tomcat 6.0.52 (violetagg) not released
Coyote
fix Improve sendfile handling when requests are pipelined. (markt)
Tomcat 6.0.51 (violetagg) released 2017-03-16
Jasper
fix 60613: Refactor code generated for JSPs to reduce the size of the code required for tags. (markt)
Other
update Change Realm configuration in the default conf/server.xml file to use a org.apache.catalina.realm.LockOutRealm. The LockOutRealm is available since 6.0.19, but has not been configured by default. (kkolinko)
update Update the packaged version of the Tomcat Native Library to 1.2.12 to pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg)
update Update the NSIS Installer used to build the Windows installer to version 3.01. (markt)
fix Refactor the build script and the NSIS installer script so that either NSIS 2.x or NSIS 3.x can be used to build the installer. This is primarily to re-enable building the installer on the Linux based CI system where the combination of NSIS 3.x and wine leads to failed installer builds. (markt)
Tomcat 6.0.50 (violetagg) not released
Web applications
fix Ensure the ASF logo image is correctly displayed in ROOT, docs and host-manager applications. (violetagg)
Tomcat 6.0.49 (violetagg) not released
Coyote
fix 57799: Remove useless sendfile check for NIO SSL. (remm)
fix 60409: When unable to complete sendfile request, ensure the Processor will be added to the cache only once. (markt/violetagg)
Jasper
add 44294: Add support for varargs in UEL expressions. (markt)
fix 60356: Fix pre-compilation of JSPs that depend on nested tag files packaged in a JAR. (markt)
fix 60431: Improve handling of varargs in UEL expressions. Based on a patch by Ben Wolfe. (markt)
fix 60497: Restore previous tag reuse behavior following the use of try/finally. (remm)
fix Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm)
fix 60497: Follow up fix using a better variable name for the tag reuse flag. (remm)
fix Revert use of try/finally for simple tags. (remm)
Web applications
fix Correct a typo in Host Configuration Reference. Issue reported via comments.apache.org. (violetagg)
add In the documentation web application, be explicit that clustering requires a secure network for all of the cluster network traffic. (markt)
update Update the ASF logos to the new versions. (markt)
Other
update Update the ASF logos used in the Apache Tomcat installer for Windows to use the new versions. (markt)
Tomcat 6.0.48 (violetagg) released 2016-11-15
Catalina
fix Correctly test for control characters when reading the provided shutdown password. (markt)
fix When configuring the JMX remote listener, specify the allowed types for the credentials. (markt)
Coyote
fix Correct the HTTP header parser so that DEL is not treated as a valid token character. (markt)
add Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. (markt)
Web applications
fix Correct a typo in CGI How-To. Issue reported via comments.apache.org. (violetagg)
Extras
add 55017: Add the ability to configure the RMI bind address when using the JMX remote listener. Patch provided by Alexey Noskov. (markt)
fix 56039: Enable the JmxRemoteLifecycleListener to work over SSL. Patch by esengstrom. (markt)
fix 56096: When the attribute rmiBindAddress of the JMX Remote Lifecycle Listener is specified its value will be used when constructing the address of a JMX API connector server. Patch is provided by Jim Talbut. (markt)
fix 57377: Remove the restriction that prevented the use of SSL when specifying a bind address with the JMXRemoteLifecycleListener. Also enable SSL to be configured for the registry as well as the server. (markt)
Tomcat 6.0.47 (violetagg) released 2016-10-16
Catalina
fix Fixed a warning message that is logged during Tomcat startup. (violetagg)
Tomcat 6.0.46 (violetagg) not released
Catalina
add Log a warning message if a user tries to configure the default session timeout via the deprecated (and ignored) Manager.setMaxInactiveInterval() method. (markt)
fix Correct a regression introduced in 6.0.45 where the deprecated Manager.getMaxInactiveInterval() method returned the current default session timeout in minutes rather than seconds. (markt)
fix 58486: Expand memory leak protection to include additional issues identified related to XML parsing. (markt)
fix 59123: Close NamingEnumeration objects used by the JNDIRealm once they are no longer required. (fschumacher/markt)
fix 59138: Correct a false positive warning for ThreadLocal related memory leaks when the key class but not the value class has been loaded by the web application class loader. (markt)
fix 59269: Correct the implementation of PersistentManagerBase so that minIdleSwap functions as designed and sessions are swapped out to keep the active session count below maxActiveSessions. (markt)
fix 59247: Preload ResourceEntry as a workaround for security manager issues on some JVMs. (kkolinko/remm)
fix 59310: Do not add a Content-Length: 0 header for custom responses to HEAD requests that do not set a Content-Length value. (markt)
fix 59449: In ContainerBase, ensure that the process to remove a child container is the reverse of the process to add one. Patch provided by Huxing Zhang. (markt)
fix RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop. Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. (markt)
fix 59708: Modify the LockOutRealm logic. Valid authentication attempts during the lock out period will no longer reset the lock out timer to zero. (markt)
fix By default, treat paths used to obtain a request dispatcher as encoded. This behaviour can be changed per web application via the dispatchersUseEncodedPaths attribute of the Context. (markt)
add Provide a mechanism that enables the container to check if a component (typically a web application) has been granted a given permission when running under a SecurityManager without the current execution stack having to have passed through the component. Use this new mechanism to extend SecurityManager protection to the system property replacement feature of the digester. (markt)
add When retrieving an object via a ResourceLink, ensure that the object obtained is of the expected type. (markt)
fix Switch the CGI servlet to the standard logging mechanism and remove support for the debug attribute. (markt)
add Add a new initialisation parameter, envHttpHeaders, to the CGI Servlet to mitigate httpoxy (CVE-2016-5388) by default and to provide a mechanism that can be used to mitigate any future, similar issues. (markt)
add When adding and removing ResourceLinks dynamically, ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be. (markt)
fix Make timing attacks against the Realm implementations harder. (schultz/markt)
fix Ensure Digester.useContextClassLoader is considered in case the class loader is used. (violetagg)
add 60151: Improve the exception error messages when a ResourceLink fails to specify the type, specifies an unknown type or specifies the wrong type. (markt)
fix Correct basePackage and PrivilegedFindResourceByName in SecurityClassLoad so that tomcat can successfully start with the Security Manager enabled. (csutherl)
fix Improve the access checks for linked global resources to handle the case where the current class loader is a child of the web application class loader. (markt)
Coyote
fix 58646: Correct a problem with sendfile that resulted in a Processor being added to the cache twice leading to broken responses. (markt)
fix Limit the default TLS ciphers for JSSE (BIO, NIO) and OpenSSL (APR) to those currently considered secure. (markt)
add Add a new environment variable JSSE_OPTS that is intended to be used to pass JVM wide configuration to the JSSE implementation. The default value is -Djdk.tls.ephemeralDHKeySize=2048 which protects against weak Diffie-Hellman keys. (markt)
fix 59451: Correct Javadoc for MessageBytes. Patch provided by Kyohei Nakamura. (markt)
fix Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response. (markt)
fix 59904: Add a limit (default 200) for the number of cookies allowed per request. Based on a patch by gehui. (markt)
fix 60123: Avoid potential threading issues that could cause excessively large values to be returned for the processing time of a current request. (markt)
Jasper
fix Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory. (markt)
fix 59654: Enforce the requirements of section 7.3.1 of the JSP specification regarding the permitted locations for TLD files. Patch provided by Huxing Zhang. (markt)
fix Catch and log any Exceptions during calls to Servlet.destroy() when destroying the Servlet associated with a JSP page. (markt)
fix Improve the error handling for custom tags to ensure that the tag is returned to the pool or released and destroyed once used. (markt)
Web applications
fix 58935: Remove incorrect references in the documentation to using jar:file: URLs with the Manager application. (markt)
fix Correct the description of the ServletRequest.getServerPort() in Proxy How-To. Issue reported via comments.apache.org. (violetagg)
fix Fix a potential indefinite wait in the Comet Chat servlet in the examples web application. (markt)
fix Update in the documentation the link to the maven repository where Tomcat snapshot artifacts are deployed. (markt/violetagg)
fix Clarify in the documentation that calls to ServletContext.log(String, Throwable) or GenericServlet.log(String, Throwable) are logged at the SEVERE level. (violetagg)
fix Correct a typo in SSL/TLS Configuration How-To. Issue reported via comments.apache.org. (violetagg)
fix 58891: Update the SSL how-to. Based on a suggestion by Alexander Kjäll. (markt)
fix 59642: Mention the localDataSource in the DataSourceRealm section of the Realm How-To. (markt)
fix 60034: Correct a typo in the Manager How-To page of the documentation web application. (markt)
add Add an example of using the classesToInitialize attribute of the JreMemoryLeakPreventionListener to the documentation web application. Based on a patch by Cris Berneburg. (markt)
fix 60192: Correct a typo in the status output of the Manager application. Patch provided by Radhakrishna Pemmasani. (markt)
Other
fix 58283: Change the default download location for libraries during the build process from /usr/share/java to ${user.home}/temp. Patch provided by Ahmed Hosni. (markt)
fix 59031: When using the Windows uninstaller, do not remove the contents of any directories that have been symlinked into the Tomcat directory structure. (markt)
update Modify the default tomcat-users.xml file to make it harder for users to configure the entries intended for use with the examples web application for the Manager application. (markt)
update 59280: Update the NSIS Installer used to build the Windows Installers to version 2.51. (kkolinko)
fix 58626: Add support for a new environment variable (USE_NOHUP) that causes nohup to be used when starting Tomcat. It is disabled by default except on HP-UX where it is enabled by default since it is required when starting Tomcat at boot on HP-UX. (markt)
add Use the mirror network rather than the ASF master site to download the current ASF dependencies. (markt)
update Update the packaged version of the Tomcat Native Library to 1.2.10 to pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)
Tomcat 6.0.45 (jfclere) released 2016-02-11
Catalina
fix Back-port various improvements to the AprLifecycleListener including the fix for 57021 that improves logging when the Tomcat-Native DLL fails to load. (markt)
add 57154: Add support for web applications (Context elements) that do not have a docBase. This is intended for use when embedding, such as Tomcat unit tests, when a web application is configured programmatically and does not serve any files. Based on a patch provided by Huxing Zhang. (kkolinko)
add 57741: Enable the CGI servlet to use the standard error page mechanism. Note that if the CGI servlet's debug init parameter is set to 10 or higher then the standard error page mechanism will be bypassed and a debug response generated by the CGI servlet will be returned instead. (markt)
fix 57896: Support defensive copying of "cookie" header so that unescaping double quotes in a cookie value does not corrupt original value of "cookie" header. This is an opt-in feature, enabled by org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER or org.apache.catalina.STRICT_SERVLET_COMPLIANCE system property. (kkolinko)
fix 58031: Make the (first) reason parameter parsing failed available as a request attribute and then use it to provide a better status code via the FailedRequestFilter (if configured). (markt)
fix 58313: Fix concurrent access of encoders map when clearing encoders during Comet processing. (markt)
fix 58508: Escape role names when generating associated MBeans in case the role name contains characters not permitted in an MBean name. (markt)
fix 58582: Combined realm should perform background processing on its sub-realms. Based upon a patch provided by Aidan. (kkolinko)
add Move the functionality that provides redirects for context roots and directories where a trailing / is added from the Mapper to the DefaultServlet. This enables such requests to be processed by any configured Valves and Filters before the redirect is made. This behaviour is configurable via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. (markt)
fix 58635: Enable break points to be set within agent code when running Tomcat with a Java agent. Based on a patch by Huxing Zhang. (markt)
fix Add the StatusManagerServlet to the list of Servlets that can only be loaded by privileged applications. (markt)
fix Remove redundant copy of catalina.properties from o.a.c.startup. Generate this copy during the ant "compile" task. (kkolinko)
fix 58817: Fix ArrayIndexOutOfBoundsException caused by MapperListener when ROOT context is being undeployed and mapperContextRootRedirectEnabled="false". (kkolinko)
fix 58836: Correctly merge query string parameters when processing a forwarded request where the target includes a query string that contains a parameter with no value. (markt/kkolinko)
add Allow singleton server instance stored by ServerFactory to be cleared. Allow ResourceLinkFactory to be initialized more than once. This is used by unit tests when running several copies of Tomcat sequentially in the same JVM. When running with a SecurityManager the initialization method of ResourceLinkFactory is protected by requiring a RuntimePermission. (kkolinko)
add Extend the feature available in the cluster session manager implementations that enables session attribute replication to be filtered based on attribute name to all session manager implementations. Note that configuration attribute name has changed from sessionAttributeFilter to sessionAttributeNameFilter. Apply the filter on load as well as unload to ensure that configuration changes made while the web application is stopped are applied to any persisted data. (markt)
add Extend the session attribute filtering options to include filtering based on the implementation class of the value and optional WARN level logging if an attribute is filtered. These options are available for all of the Manager implementations that ship with Tomcat. When a SecurityManager is used filtering will be enabled by default. (markt)
fix 58946: Ensure that the request parameter map remains immutable when processing via a RequestDispatcher. (markt)
Coyote
add Align the Java side of the tc-native connector with the Tomcat 7 implementation to ease future maintenance. (markt)
fix 51503: Add additional validation that prevents a connector from starting if it does not have a valid port number. (kkolinko)
add 52028: Add support for automatic binding to a free port by a connector if the special value of zero is used for the port. This is mainly useful in embedded and testing scenarios. (kkolinko)
fix 52926: Avoid NPE when an NIO Comet connection times out on one thread at the same time as it is closed on another thread. (markt/kkolinko)
fix 57943: Prevent the same socket being added to the cache twice. Patch based on analysis by Ian Luo / Sun Qi. (markt/kkolinko)
fix Improve HTTP header validation. (markt)
Jasper
fix Ignore engineOptionsClass and scratchdir when running under a security manager. (markt)
Web applications
fix 57971: Correct the documentation for the cluster configuration setting recoverySleepTime. (markt)
fix 58112: Update the documentation for using the Catalina tasks in an Apache Ant build file. (markt)
fix Improve the Javadoc for some of the APR socket read functions that have inconsistent behaviour for return values. (markt)
add 58255: Document the Semaphore valve. Patch provided by Kyohei Nakamura. (markt)
fix 58631: Correct the continuation character use in the Windows Service How-To page of the documentation web application. (markt)
fix Correct some typos in the JNDI resources How-To. (markt)
fix Add a redirect to the web interface to the root of the Manager web application. (markt)
fix Don't create sessions unnecessarily in the Manager application. (markt)
fix Add a redirect to the web interface to the root of the Host Manager web application. (markt)
fix Don't create sessions unnecessarily in the Host Manager application. (markt)
Other
fix Ensure JULI adapters JAR in Tomcat extras package does not include the LogFactoryImpl[$*] classes. Based on patch provided by Benjamin Gandon. (kkolinko)
code Convert test classes to JUnit 4. (kkolinko)
update 58596: Clarify the description in RUNNING.txt of how environment variables are used. (markt)
update Update the NSIS Installer used to build the Windows Installers to version 2.50. (markt/kkolinko)
add Add framework for client-server unit tests, porting it from Tomcat 7. Add support for running the tests with Apache Ant. (kkolinko)
update Update to Tomcat Native Library version 1.1.34. (jfclere)
update Remove support for Intel Itanium CPU (i64, IA-64) in the Windows installer, as the current release of Tomcat Native does not have binaries for that processor architecture. (jfclere)
Tomcat 6.0.44 (jfclere) released 2015-05-12
Catalina
fix Correct typo in the message shown by HttpServlet for unexpected HTTP method. (kkolinko)
add Allow RemoteAddrValve and RemoteHostValve to be configured to adopt behavior depending on the connector port. Implemented by optionally adding the connector port to the string compared with the patterns allow and deny. Configured using addConnectorPort attribute on valve. (rjung)
fix 56608: Fix IllegalStateException for JavaScript files when switching from Writer to OutputStream. The special handling of this case in the DefaultServlet was broken due to a MIME type change for JavaScript. (markt)
fix 57675: Correctly quote strings when using the extended access log. (markt)
Coyote
fix 57234: Make SSL protocol filtering to remove insecure protocols case insensitive. Correct spelling of filterInsecureProtocols method. (kkolinko/schultz)
fix CVE-2014-0230: Add a new system property org.apache.coyote.MAX_SWALLOW_SIZE (defaults to 2MB) that limits amount of data Tomcat will swallow if request body has not been fully read during normal request processing, e.g. for an aborted upload. (Note: in Tomcat 7 and later this feature is configured by maxSwallowSize attribute on a connector). When applying the limit to a connection try to read that many bytes first before closing the connection to give the client a chance to read the response. (markt)
fix 57544: Fix a potential infinite loop when preparing a kept alive HTTP connection for the next request. (markt)
add 57570: Make the processing of chunked encoding trailing headers optional and disabled by default. (markt)
fix 57581: Change statistics byte counter in coyote Request object to be long to allow values above 2Gb. (kkolinko)
update Update the minimum recommended version of the Tomcat Native library (if used) to 1.1.33. (markt)
Jasper
fix CVE-2014-7810: Do not use a privileged code block when evaluating EL expressions when running under a security manager, which allowed code restrictions to be bypassed. (markt/kkolinko)
fix Fix an issue with BeanELResolver when running under a security manager. Some classes may not be accessible but may have accessible interfaces. (markt)
fix Simplify code in ProtectedFunctionMapper class of Jasper runtime. (kkolinko)
Web applications
fix Update documentation for CGI servlet. Recommend to copy the servlet declaration into web application instead of enabling it globally. Correct documentation for cgiPathPrefix. (kkolinko)
update Improve Tomcat Manager documentation. Rearrange, add section on HTML GUI, document /expire command and Server Status page. (kkolinko)
add 54143: Add display of the memory pools usage (including PermGen) to the Status page of the Manager web application. (kkolinko)
fix Fix several issues with status.xsd schema in Manager web application, testing it against actual output of StatusTransformer class. (kkolinko)
update Align algorithm that generates anchor names in Tomcat documentation with Tomcat 7/8/9. No visible changes, but may help with future updates to the documentation. (kkolinko)
fix 56058: Add links to the AccessLogValve documentation for configuring reverse proxies and/or Tomcat to ensure that the desired information is entered in the access log when Tomcat is running behind a reverse proxy. (markt)
fix 57503: Make clear that the JULI integration for log4j only works with log4j 1.2.x. (markt)
update 57644: Update examples to use Apache Standard Taglib 1.2.5. (jboynes/kkolinko)
fix 57706: Clarify the documentation for the AJP connector to make clearer that when using tomcatAuthentication="false" the user provided by the reverse proxy will not be associated with any roles. (markt)
fix Correct the documentation for deployOnStartup to make clear that if a WAR file is updated while Tomcat is stopped and unpackWARs is true, Tomcat will not detect the changed WAR file when it starts and will not replace the unpacked WAR file with the contents of the updated WAR. (markt)
add 57759: Add information to the keyAlias documentation to make it clear that the order keys are read from the keystore is implementation dependent. (markt)
fix 57864: Update the documentation web application to make it clearer that hex values are not valid for cluster send options. Based on a patch by Kyohei Nakamura. (markt)
Other
add 57344: Provide sha1 checksum files for Tomcat downloads. (kkolinko)
fix 57558: Change catalina-tasks.xml to use all jars in ${catalina.home}/lib to define Tomcat Ant tasks. This fixes a NoClassDefFoundError with validate task. (kkolinko)
update Update to Tomcat Native Library version 1.1.33 to pick up the Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1. (markt)
fix 57801: Improve the error message in the start script in case the PID read from the PID file is already owned by a process. (rjung)
Tomcat 6.0.43 (markt) released 2014-11-22
Catalina
fix Assert that mapping result object is empty before performing mapping work in Mapper. (kkolinko)
Coyote
fix 53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. Based upon a patch by Marcel Šebek. (schultz/jfclere)
fix 56780: Enable Tomcat to start when using SSL with an IBM JRE in strict SP800-131a mode. (markt/kkolinko)
fix 57102: Fix bug that meant sslEnabledProtocols setting was not recognised for the HTTPS NIO connector. (markt)
add Disable SSLv3 by default for the APR/native HTTPS connector. (markt/schultz)
fix Do not increase remaining counter at end of stream in IdentityInputFilter. (kkolinko)
fix Disable SSLv3 by default (along with SSLv2 which was already disabled by default) in light of the recently announced POODLE vulnerability (CVE-2014-3566). (markt)
fix 57116: Do not fallback to default protocol list for HTTPS BIO connector if sslEnabledProtocols has no matches. (markt)
update Align calculation of default ciphers and default protocols for JSSE HTTPS connectors with Tomcat 7 which allows for per connector defaults based on the choice of sslProtocol. (markt/kkolinko)
fix 57703: Update the http-method definition for web applications using a Servlet 2.5 descriptor as per Servlet 2.5 MR 6. (markt)
Web applications
fix Configure the Javadoc tool to read sources as ISO-8859-1, suppress timestamp comments and enable charset header. (kkolinko)
fix Correct typos in configuration samples on SSL Configuration page of Tomcat documentation. (kkolinko)
Other
update 56079: The Apache Tomcat Windows service and the Apache Tomcat Windows service monitor application are now digitally signed. (markt/kkolinko)
update 56988: Allow a relative path to be used in the base.path setting when building Tomcat. (kkolinko)
fix Update documentation: the minimum version of Apache Ant required to build Tomcat is 1.8.0. (kkolinko)
update 56596: Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. (markt)
fix Fix timestamps in Tomcat build to use 24-hour instead of 12-hour format and use UTC timezone. (kkolinko)
Tomcat 6.0.42 (jfclere) not released
Catalina
fix 56600: In WebdavServlet: Do not waste time generating response for broken PROPFIND request. (kkolinko)
fix 56648: Reduce scope of synchronization when adding children to a container (e.g. adding a Context to a Host) to prevent blocking requests to other children while the new child starts. (markt)
fix 56684: Ensure that Tomcat does not shut down if the socket waiting for the shutdown command experiences a SocketTimeoutException. (markt)
Coyote
fix Fix CVE-2014-0227: Various improvements to ChunkedInputFilter including clean-up, i18n for error messages and adding an error flag to allow subsequent attempts at reading after an error to fail fast. (markt)
fix 56661: Support using AJP request attribute AJP_LOCAL_ADDR to fix getLocalAddr(). (rjung)
Jasper
fix 43001: Enable the JspC Ant task to set the JspC option mappedFile. (kkolinko)
fix 56334: Fix a regression in EL parsing when quoted string follows a whitespace. (markt)
fix 56560: Fix NoClassDefFoundError when using Jasper Ant task defined by catalina-tasks.xml file. Patch provided by M Gemmell. (kkolinko)
fix 56561: Avoid NoSuchElementException while handling attributes with empty string value. (violetagg)
fix 56612: Correctly parse consecutive escaped single quotes when used in an EL expression. (markt)
code Use if { ... } else if { ... } rather than multiple if { ... } for alternative branches in the JSP parser. (kkolinko)
fix Fix a potential resource leak in JDTCompiler when checking whether a resource is a package. Reported by Coverity Scan. (fschumacher)
Other
fix 56606: When creating tomcat-users.xml in the Windows Installer, use the new attribute name for the name of the user. (markt)
add 56829: Add the ability for users to define their own values for _RUNJAVA and _RUNJDB environment variables. Be more strict with executable filename on Windows (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)
fix 56608: When deploying an external WAR, add watched resources in the expanded directory based on whether the expanded directory is expected to exist rather than if it does exist.
fix When triggering a reload due to a modified watched resource, ensure that multiple changed watched resources only trigger one reload rather than a series of reloads.
Tomcat 6.0.41 (markt) released 2014-05-23
Jasper
fix 56529: Avoid NoSuchElementException while handling attributes with empty string value in custom tags. Based on a patch provided by Hariprasad Manchi. (violetagg/kkolinko)
Tomcat 6.0.40 (markt) not released
Catalina
fix 56027: Add more options for managing FIPS mode in the AprLifecycleListener. (schultz/kkolinko)
fix 56082: Fix a concurrency bug in JULI's LogManager implementation. (markt)
fix 56236: Enable Tomcat to work with alternative Servlet and JSP API JARs that package the XML schemas in such a way as to require a dependency on the JSP API before enabling validation for web.xml. Tomcat has no such dependency. (markt)
fix Change the default value of the xmlBlockExternal attribute of Context elements. It is now true. (kkolinko)
fix Don't log to standard out in SSLValve. (kkolinko/markt)
code Use StringBuilder in DefaultServlet. (kkolinko)
fix 56275: Allow web applications to be stopped cleanly even if filters throw exceptions when their destroy() method is called. (markt/kkolinko)
fix Fix CVE-2014-0096: Redefine the globalXsltFile initialisation parameter of the DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. Prevent user supplied XSLTs used by the DefaultServlet from defining external entities. (markt)
fix Add a work around for validating XML documents (often TLDs) that use just the file name to refer to the JavaEE schema on which they are based. (kkolinko)
fix 56369: Ensure that removing an MBean notification listener reverts all the operations performed when adding an MBean notification listener. (markt)
fix Fix CVE-2014-0119: Only create XML parsing objects if required and fix associated potential memory leak in the default Servlet. Ensure that a TLD parser obtained from the cache has the correct value of blockExternal. Extend XML factory, parser etc. memory leak protection to cover some additional locations where, theoretically, a memory leak could occur. (markt/kkolinko)
add Add the org.apache.naming package to the packages requiring code to have the defineClassInPackage permission when running under a security manager. (markt)
add Add the org.apache.naming.resources package to the packages requiring code to have the accessClassInPackage permission when running under a security manager. (markt)
fix Make the naming context tokens for containers more robust. Require RuntimePermission when introducing a new token. (markt/kkolinko)
Coyote
fix Fix CVE-2014-0075: Improve processing of chunk size from chunked headers. Avoid overflow and use a bit shift instead of a multiplication as it is marginally faster. (markt/kkolinko)
fix Fix CVE-2014-0099: Fix possible overflow when parsing long values from a byte array. (markt)
update 56363: Update to version 1.1.30 of Tomcat Native library. The minimum required version of this library for APR connector is now 1.1.30. (kkolinko)
Jasper
fix Change the default behaviour of JspC to block XML external entities by default. (kkolinko)
fix Restore the validateXml option to Jasper that was previously renamed validateTld. Both options are now supported. validateXml controls the validation of web.xml files when Jasper parses them and validateTld controls the validation of *.tld files when Jasper parses them. (markt)
fix 54475: Add Java 8 support to SMAP generation for JSPs. Patch by Robbie Gibson. (markt)
fix 56010: Don't throw an IllegalArgumentException when JspFactory.getPageContext is used with JspWriter.DEFAULT_BUFFER. Based on a patch by Eugene Chung. (markt)
fix 56265: Do not escape values of dynamic tag attributes containing EL expressions. (kkolinko)
fix 56283: Add support for running Tomcat 6 with ecj-P20140317-1600.jar (as drop-in replacement for ecj-4.3.1.jar). Add support for value "1.8" for the compilerSourceVM and compilerTargetVM options. Note that ecj-P20140317-1600.jar can only be used when running with Java 6 or later. The "1.8" options make sense only when running with Java 8 (or later). (kkolinko)
fix 56334: Fix a regression in the handling of back-slash escaping introduced by the fix for 55735. (markt/kkolinko)
fix Correct the handling of back-slash escaping in the EL parser and no longer require that \$ or \# must be followed by { in order for the back-slash escaping to take effect. (markt)
Cluster
code Refactor AbstractReplicatedMap and related classes to enable Tomcat 6 to be compiled using Java 8. (markt)
Web applications
add 56093: Documentation for SSLValve. (markt/kkolinko)
fix Correct documentation on Windows service options, aligning it with Apache Commons Daemon documentation. (kkolinko)
add Add support for version-major, version-major-minor tags in documentation XSLT, to simplify documentation backports. (kkolinko)
fix Fix target and rel attributes on links in documentation. They were lost during XSLT transformation. (kkolinko)
Other
code Remove svn keywords (such as $Id) from source files and documentation. (kkolinko)
update Improvements to the Windows installer, to align it with installing the service with service.bat. Use explicit memory sizes (--JvmMs 128 Mb and --JvmMx 256 Mb). Specify log directory path when installing, so that the log file is written to the Tomcat logs directory, instead of "%SystemRoot%\System32\LogFiles\Apache". (kkolinko)
update 49993, 56143: Improve service.bat script. Allow it to be launched from non-UAC console. The UAC prompt will be shown only once. Now there is no need to run the command shell with elevated privileges. Improve check for JAVA_HOME and add support for JRE_HOME. Warn if neither "client" nor "server" JVM is found. Align classpath, display name and other options with the exe installer. Make command names case-insensitive. Update documentation. (kkolinko)
Tomcat 6.0.39 (markt) released 2014-01-31
Catalina
fix 55166: Fix regression that broke XML validation when running on some Java 5 JVMs. (kkolinko)
Coyote
fix Make the HTTP NIO connector tolerant of whitespace in the individual values used for the ciphers attribute. (markt)
fix Remove dependency introduced on the jsp-api.jar as part of the XML validation changes introduced in 6.0.38. (markt)
Jasper
fix Correct several errors in jspxml Schema and DTD. (kkolinko)
Cluster
code Remove an empty TestTwoPhaseCommit test from Tribes. (kkolinko)
Web applications
fix Fix broken link in Jasper How-To documentation. (markt)
fix Align index.html and index.jsp in ROOT web application. Correct links to specifications and to the Tomcat mailing lists. (kkolinko)
fix Remove second copy of RUNNING.txt from the full-docs distribution. Some unpacking utilities can't handle multiple copies of a file with the same name in a directory. (kkolinko)
Other
update Update sample Eclipse IDE project: use JUnit 4 library and prefer a Java 5 JDK when several JDKs are configured. Cleanup the Ant build files. (kkolinko)
fix Correct Maven dependencies for individual JAR files. (markt)
Tomcat 6.0.38 (markt) not released
Catalina
fix Ensure that, when Tomcat's anti-resource locking features are used, the temporary copy of the web application and not the original is removed when the web application stops. (markt/kkolinko)
fix 55019: Fix a potential exception when accessing JSPs while running under a SecurityManager. (jfclere)
fix 55052: Make JULI's LogManager additionally look for logging properties without prefixes if the property cannot be found with a prefix. (kkolinko)
fix 55266: Ensure that the session ID is parsed from the request before any redirect as the session ID may need to be encoded as part of the redirect URL. (markt)
fix 55404: Log warnings about using security roles in web.xml as warnings. (markt)
fix 55268: Added optional --service-start-wait-time command-line option to change service start wait time from default of 10 seconds. (schultz)
fix Correctly associate the default resource bundle with the English locale so that requests that specify an Accept-Language of English ahead of French, Spanish or Japanese get the English messages they asked for. (markt)
fix Add missing JavaEE 5 XML schema definitions. (markt)
fix When Catalina parses TLD files, always use a namespace aware parser to be consistent with how Jasper parses TLD files. The tldNamespaceAware attribute of the Context is now ignored. (markt)
fix As per section SRV.14.4.3 of the Servlet 2.5 specification, a namespace aware, validating parser will be used when processing *.tld and web.xml files if the system property org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set to true. (markt)
fix Fix CVE-2014-0033: Ensure that session IDs are not parsed from URLs for Contexts where disableURLRewriting is true. (markt)
add Fix CVE-2013-4590: Add an option to the Context to control the blocking of XML external entities when parsing XML configuration files and enable this blocking by default when a security manager is used. The block is implemented via a custom resolver to enable the logging of any blocked entities. (markt)
fix 56016: When loading resources for XML schema validation, take account of the possibility that servlet-api.jar and jsp-api.jar may not be loaded by the same class loader. Patch by Juan Carlos Estibariz. (markt)
Coyote
fix 52811: Fix parsing of Content-Type header in HttpServletResponse.setContentType(). Introduces a new HTTP header parser that follows RFC2616. (markt)
fix 54691: Add configuration attribute "sslEnabledProtocols" to HTTP connector and document it. (Internally this attribute has been already implemented but not documented, under names "protocols" and "sslProtocols". Those names of this attribute are now deprecated). (schultz)
fix 54947: Fix the HTTP NIO connector that incorrectly rejected a request if the CRLF terminating the request line was split across multiple packets. Patch by Konstantin Preißer. (markt)
fix 55228: Allow web applications to set a HTTP Date header. (markt)
fix Fix CVE-2013-4286: Better adherence to RFC2616 for content-length headers. (markt)
fix Fix CVE-2013-4322: Add support for limiting the size of chunk extensions when using chunked encoding. (markt)
fix 55749: Improve the error message when SSLEngine is disabled in the AprLifecycleListener and SSL is configured for an APR/native connector. (markt)
fix Avoid possible NPE if a content type is specified without a character set. (markt)
Jasper
fix 55198: Ensure attribute values in tagx files that include EL and quoted XML characters are correctly quoted in the output. (markt)
fix 55671: Consistently use the configuration option name genStringAsCharArray rather than a mixture of genStrAsCharArray and genStringAsCharArray, but retain support for genStrAsCharArray as an initialisation parameter for the JSP servlet to retain backwards compatibility with existing configurations. (markt)
fix 55691: Fix javax.el.ArrayELResolver to correctly handle the case where the base object is an array of primitives. (markt)
fix 55973: Fix processing of XML schemas when validation is enabled in Jasper. (kkolinko)
Web applications
add Add documentation for o.a.c.tribes.group.interceptors.TcpFailureDetector. (kfujino)
add Complete the documentation for MessageDispatch15Interceptor. (kfujino)
add Add to cluster document a description of notifyLifecycleListenerOnFailure and heartbeatBackgroundEnabled. (kfujino)
fix 55746: Add documentation on the allRolesMode to the CombinedRealm and LockOutRealm. Patch by Cédric Couralet. (markt)
fix Fix the sample configuration of StaticMembershipInterceptor in order to prevent a warning being logged. uniqueId must be 16 bytes. (kfujino)
fix 55119: Avoid CVE-2013-1571 when generating Javadoc. (markt)
Other
update Update Maven Central location used to download dependencies at build time to be repo.maven.apache.org. (kkolinko)
fix 55663: Minor correction to the wording of the NOTICE files to align them with the requirements for NOTICE files. (violetagg)
fix Add @since markers to the common annotations classes and fix a few specification compliance issues. (markt)
update Update to Eclipse JDT Compiler 4.3.1. (markt)
update Update the Apache Jakarta JSTL implementation used by the examples web application to 1.1.2. (markt)
Tomcat 6.0.37 (jfclere) released 2013-05-03
Catalina
fix 52055: Ensure that filters are recycled. (markt/kkolinko)
fix 52184: Reduce log level for invalid cookies. (markt)
fix 53481: Added support for SSLHonorCipherOrder to allow the server to impose its cipher order on the client. Based on a patch provided by Marcel Šebek. (schultz)
fix 54044: Correct bug in timestamp cache used by logging (including the access log valve) that meant entries could be made with an earlier timestamp than the true timestamp. (markt)
fix Fix CVE-2013-2067: In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form. (kkolinko)
fix 54054: Do not share shell environment variables between multiple instances of the CGI servlet. (markt)
fix 54087: Correctly handle (ignore) invalid If-Modified-Since header rather than throwing an exception. (markt/kkolinko)
fix 54220: Ensure the ErrorReportValve only generates an error report if the error flag on the response has been set. (markt)
fix Fix memory leak of servlet instances when running with a SecurityManager and either init() or destroy() methods fail or the servlet is a SingleThreadModel one, and of filter instances if their destroy() method fails with an Error. (kkolinko)
fix 54382: Fix NPE when SSI processing is enabled and an empty SSI directive is present. (markt)
fix 54483: Correct one of the Spanish translations. Based on a suggestion from adinamita. (kkolinko)
update 54527: Synchronize conf/web.xml mime mapping with Tomcat 7. (markt)
Coyote
fix 54248: Ensure that byte order marks are swallowed when using a Reader to read a request body with a BOM for those encodings that require byte order marks. (markt)
fix 54324: Allow APR connector to disable TLS compression if OpenSSL supports it. (schultz)
fix 54456: Ensure that if a client aborts a request when sending a chunked request body that this is communicated correctly to the client reading the request body. (markt)
update Update the native component of the APR/native connector to 1.1.27 and make that version the recommended minimum version. (kkolinko)
Jasper
fix 54615: Tomcat 6 doesn't build against ecj 4.x (kkolinko)
Cluster
fix 54045: Make sure getMembers() returns available member when TcpFailureDetector works in static cluster. (kfujino)
Web applications
update 22278: Add a commented out sample configuration of RemoteAddrValve to META-INF/context.xml files of the Manager and Host Manager applications. (kkolinko)
fix 54080: Clarify documentation for initial value of internalProxies attribute of RemoteIpValve. (schultz/kkolinko)
fix 54198: Clarify that HttpServletResponse.sendError(int) results in an HTML response by default. (markt)
fix 54207: Correct JNDI factory package name in Javadoc for org.apache.naming.java.javaURLContextFactory. (markt)
Other
update Add sample Apache Commons Daemon JSVC wrapper script bin/daemon.sh that can be used with /etc/init.d. (kkolinko)
update In the build configuration: introduce property "tomcat.output" that is used to specify location of the build output directory. This simplifies configuration if someone wants to move the output directory elsewhere (e.g. out of the source tree). (kkolinko)
fix 54390: Use 'java_home' on Mac OS X to auto-detect JAVA_HOME. (schultz)
update 54601: Change catalina.sh to consistently use LOGGING_MANAGER variable to configure logging, instead of modifying JAVA_OPTS one. (kkolinko)
update 54890: Update to Apache Commons Daemon 1.0.15. (mturk)
Tomcat 6.0.36 (jfclere) released 2012-10-19
Catalina
update 48692: Provide option to parse application/x-www-form-urlencoded PUT requests. (schultz)
add 50306: New StuckThreadDetectionValve to detect requests that take a long time to process, which might indicate that their processing threads are stuck. Based on a patch provided by TomLu. (kkolinko)
fix 50570: Enable FIPS mode to be set in AprLifecycleListener. Based upon a patch from Chris Beckey. Note that this mode requires tomcat-native 1.1.23 or later linked to a FIPS-capable OpenSSL library, which users have to build themselves. (schultz/kkolinko)
fix Improve synchronization and error handling in AprLifecycleListener. Do not allow SSL options to be changed if SSL has already been initialized. (schultz/kkolinko)
fix 52225: Fix ClassCastException when adding an alias for an existing host via JMX. (kkolinko)
fix 52293: Correctly handle the case when antiResourceLocking is enabled at the Context level when unpackWARs is disabled at the Host level. Correctly handle multi-level contexts when antiResourceLocking is enabled. Patch by Justin Miller. (kkolinko)
fix Do not throw IllegalArgumentException from parseParameters() call when chunked POST request is too large, but treat it like an IO error. The FailedRequestFilter filter can be used to detect this condition. (kkolinko)
fix 52384: Do not fail with parameter parsing when debug logging is enabled. (kkolinko)
fix Do not flag extra '&' characters in parameters as parse errors. (kkolinko)
fix 52488: Correct typos: exipre -> expire. Based on a patch by prockter. (markt)
fix Reduce log level for the message about hitting maxParameterCount limit from WARN to INFO. Fix limit comparison to allow exactly maxParameterCount parameters, as documentation says, instead of (maxParameterCount-1). (kkolinko)
fix Slightly improve performance of UDecoder.convert(). Align %2f handling between implementations. (kkolinko)
add Add denyStatus attribute to RequestFilterValve (RemoteAddrValve, RemoteHostValve valves). It allows a different HTTP response code to be used when rejecting a denied request, e.g. 404 instead of 403. (kkolinko)
add Add SetCharacterEncodingFilter (similar to the one contained in the examples web application) to the org.apache.catalina.filters package so that it is available for all web applications. (kkolinko)
add 52500: Added configurable mechanism to retrieve user names from X509 client certificates. Based on a patch provided by Michael Furman. (schultz/kkolinko)
fix 52719: Fix a theoretical resource leak in the JAR validation that checks for non-permitted classes in web application JARs. (markt)
fix 52830: Correct JNDI lookups when using javax.naming.Name to identify the resource rather than a java.lang.String. (markt)
add 52850: Extend memory leak prevention and detection code to work with IBM as well as Oracle JVMs. Based on a patch provided by Rohit Kelapure. (kkolinko)
add 52996: In StandardThreadExecutor: Add the ability to configure a job queue size (maxQueueSize attribute). Add a variant of the execute method that allows a timeout to be specified for how long we want to try to add something to the queue. Based on a patch by Rüdiger Plüm. (kkolinko)
fix 53047: If a JDBCRealm or DataSourceRealm is configured for an all roles mode that only requires authorization (and no roles) and no role table or column is defined, don't populate the Principal's roles. (markt/kkolinko)
fix 53050: Fix handling of entropy value when initializing session id generator in session manager. Based on proposal by Andras Rozsa. (kkolinko)
fix 53056: Add APR version number to tcnative version INFO log message. (schultz)
fix 53057: Add OpenSSL version number INFO log message when initializing. (schultz)
fix 53071: Use the message from the Throwable for the error report generated by the ErrorReportValve if none was specified via sendError(). Use the standard text for HTTP error codes. (markt/rjung)
update 53230: Change session managers to throw TooManyActiveSessionsException instead of IllegalStateException when the maximum number of sessions has been exceeded and a new session will not be created. (schultz/kkolinko)
fix 53267: Ensure that using the GC Daemon Protection feature of the JreMemoryLeakPreventionListener does not trigger a full GC every hour. (markt/kkolinko)
fix 53531: Fix ExpandWar.expand to check the return value of File.mkdir and File.mkdirs. (schultz)
fix Make the CSRF nonce cache in CsrfPreventionFilter serializable so that it can be replicated across a cluster and/or persisted across Tomcat restarts. (markt)
fix 53584: Ignore path parameters when comparing URIs for FORM authentication. This prevents users being prompted twice for passwords when logging in when session IDs are being encoded as path parameters. (markt)
fix CVE-2012-3439: Various improvements to the DIGEST authenticator including 52954, disabling the caching of an authenticated user in the session by default, tracking server rather than client nonces and better handling of stale nonce values. (markt)
fix CVE-2012-3546: Fix bypass of security constraint checks with FORM authentication. Remove unneeded processing in RealmBase. (kkolinko)
fix 53800: FileDirContext.list() did not provide correct paths for subdirectories. Patch provided by Kevin Wooten. (kkolinko)
fix 53830: Better handling of Manager.randomFile default value on Windows. (kkolinko)
fix CVE-2012-4431: Fix bypass of CsrfPreventionFilter when there is no session. Improve session management in the filter. (kkolinko)
Coyote
fix 42181: Better handling of edge conditions in chunk header processing. (kkolinko)
update 51477: Support all SSL protocol combinations in the APR/native connector. This only works when using the native library version 1.1.21 or later. (rjung)
fix 52055 (comment 14): Correctly reset ChunkedInputFilter.needCRLFParse flag when the filter is recycled. (kkolinko)
fix 52606: Ensure replayed POST bodies are available when using AJP. (markt)
fix 52858, CVE-2012-4534: Fix high CPU load with SSL, NIO and sendfile when client breaks the connection before reading all the requested data. (fhanik/kkolinko)
fix 53119: Prevent buffer overflow errors being reported when a client disconnects before the response has been fully written from an AJP connection using the APR/native connector. (kkolinko)
fix CVE-2012-2733: Improve InternalNioInputBuffer.parseHeaders(). (kkolinko)
add Implement maxHeaderCount attribute on Connector. It is the equivalent of the LimitRequestFields directive of Apache HTTPD. Default value is 100. (kkolinko)
fix In JkCoyoteHandler connector for AJP/1.3 protocol (in JkMain.setProperty()): Fix setting of properties when the connector has already started for properties that have aliases. E.g. it is now possible to change the maxHeaderCount attribute on the Connector MBean via JMX. (kkolinko)
fix 53725: Fix possible corruption of GZIP'd output. (kkolinko)
Jasper
fix 48097 (comment 7), 53366 (comment 1): If JSP page unexpectedly fails to initialize PageContext instance, write exception to the logs instead of silent swallowing. (kkolinko)
fix 52335: Only handle <\% and not \% as escaped in template text. (markt)
fix 52666: Correct coercion order in EL when processing the equality and inequality operators. (markt)
fix 53001: Revert the fix for 46915 since the use case described in the bug is invalid since it breaks the EL specification. (markt)
fix 53032: Modify JspC so it extends org.apache.tools.ant.Task enabling it to work with features such as namespaces within build.xml files. (markt)
Cluster
fix Replicate principal in ClusterSingleSignOn. (kfujino)
fix 53513: Fix race condition between the processing of session sync message and transfer complete message. (kfujino)
fix 53606: Fix potential NPE in TcpPingInterceptor. Based on a patch by F. Arnoud. (markt)
fix 53607: To avoid NPE, set TCP PING data to ChannelMessage. Patch provided by F. Arnoud. (kfujino)
fix Fix a behavior of TcpPingInterceptor#useThread. Do not start a ping thread when useThread is set to false. (kfujino)
Web applications
fix 52243: Improve windows service documentation to clarify how to include # and/or ; in the value of an environment variable that is passed to the service. (markt)
fix 52515: Make it clear in the Realm how-to in the documentation web application that digested password storage when using DIGEST authentication requires that MD5 digests are used. (markt)
fix 52641: Remove mention of ldap.jar from docs. Patch provided by Felix Schumacher. (rjung)
fix Remove obsolete bug warning from windows service documentation page. (rjung)
fix 52983: Remove unnecessary code that makes switching to other authentication methods difficult. (markt)
fix 53158: Fix documented defaults for DBCP. Patch provided by ph.dezanneau at gmail.com. (rjung)
update Update JavaSE documentation links to point to the current docs.oracle.com site, instead of obsolete ones (download.oracle.com, java.sun.com). (kkolinko)
update 53289: Clarify ResourceLink example that uses DataSource.getConnection(username, password) method. Not all data source implementations support it. (kkolinko)
fix Prevent the custom error pages for the Manager and Host Manager applications from being accessed directly. Configure custom pages for error codes 401 and 403 in Host Manager application. (markt/kkolinko)
fix Correct documentation for enableLookups attribute of a Connector. By default DNS lookups are disabled. (kkolinko)
fix Fix several HTML markup errors in servlets of examples web application. (kkolinko)
update Change the index page of ROOT webapp to mention "manager-gui" role instead of "manager" one. (kkolinko)
fix 53473: Correct the allowed values for the SSI option isVirtualWebappRelative which are true or false. (markt)
fix 53664: Minor JNDI Howto document enhancement concerning mail properties. Patch provided by Mark Eggers. (schultz)
fix 53601: Clarify that to build Apache Tomcat 6 from sources a Java 5 JDK is recommended. (kkolinko)
fix 53793: Change links on the list of applications in the Manager to point to /appname/ instead of /appname. (kkolinko)
Other
fix 49402, 52124: Fix Maven publishing script: make sure it finds tomcat-juli.jar and use later version of wagon-ssh. (jfclere)
fix Update Apache Commons Daemon to 1.0.10. It resolves 52548 which meant that services created with service.bat did not set the catalina.home and catalina.base system properties. (markt, kkolinko)
update Update Apache Commons Pool to 1.5.7. (kkolinko)
update 52579: Add a note about Sun's Charset.decode() bug to the RELEASE-NOTES file. (kkolinko)
update 52805: Update to Eclipse JDT Compiler 3.7.2. (kkolinko)
update Update the native component of the APR/native connectors to 1.1.23 and take advantage of the simplified distribution. (kkolinko)
fix When building a Windows installer do not copy the whole "res" folder to output/dist, but only the files that we need. Apply the fixcrlf filter only after the files are copied, so that the INSTALLLICENSE file has correct line endings. (kkolinko)
update Remove res/License.rtf. The file that is actually shown by the Windows installer is res/INSTALLLICENSE. (kkolinko)
update Improve RUNNING.txt. (kkolinko)
update Align the script that deploys Maven jars for Tomcat (res/maven/mvn-pub.xml) with the Tomcat 7 version, making full use of Nexus. (markt)
add 53034: Add project.url and project.licenses sections to the POMs for the Maven artifacts. (kkolinko)
fix 53454: Return correct content-length header for HEAD requests when content length is greater than 2GB. (markt)
Tomcat 6.0.35 (jfclere) released 2011-12-05
Catalina
fix Fix regression in decoding of parameters that contain spaces. Patch by Willem Fibbe. (kkolinko)
Tomcat 6.0.34 (jfclere) not released
Catalina
fix 51550: Display an error page rather than an empty response for an IllegalStateException caused by too many active sessions. (markt)
add 51640: Improve the memory leak prevention for leaks triggered by java.sql.DriverManager. (markt/kkolinko)
fix 51688: JreMemoryLeakPreventionListener now protects against AWT thread creation. (schultz)
fix 51758: The digester (used for processing XML files) used the logger name org.apache.commons.digester.Digester rather than the expected org.apache.tomcat.util.digester.Digester. The digester has been changed to use the expected logger name. (kkolinko)
add 51862: Added a classesToInitialize attribute to JreMemoryLeakPreventionListener to allow pre-loading of configurable classes to avoid some classloader leaks. (slaurent)
fix 51872: Ensure that the access log always uses the correct value for the remote IP address associated with the request and that requests with multiple errors do not result in multiple entries in the access log. (markt)
add Allow the check for distributability of session attributes to be overwritten by session implementations. (rjung)
add Provide the log format "OneLineFormatter" for JULI that provides the same information as the default plus thread name but on a single line. (markt/rjung)
fix Ensure that the memory leak protection for the HttpClient keep-alive always operates even if the thread has already stopped. (markt)
fix 51940: Do not limit saving of request bodies during FORM authentication to POST requests since any HTTP method may include a request body. Based on a patch by Nicholas Sushkin. (kkolinko)
fix 52091: Address performance issues related to lock contention in StandardWrapper. Based on patch provided by Taiki Sugawara. (kkolinko)
update In GenericPrincipal, SerializablePrincipal: Do not sort lists of roles that have only one element. (kkolinko)
add Make configuration issue for CsrfPreventionFilter result in the failure of the filter rather than just a warning message. (kkolinko)
fix Ensure changes to the configuration of RemoteAddrValve and RemoteHostValve via JMX are thread-safe. (kkolinko)
add Make configuration issue for RemoteAddrValve and RemoteHostValve result in the failure of the valve rather than just a warning message. (kkolinko)
update In RequestFilterValve (RemoteAddrValve, RemoteHostValve): refactor value matching logic into separate method and expose this new method isAllowed through JMX. (kkolinko)
add Improve performance of parameter processing for GET and POST requests. Also add an option to limit the maximum number of parameters processed per request. This defaults to 10000. Excessive parameters are ignored. Note that FailedRequestFilter can be used to reject the request if some parameters were ignored. (markt/kkolinko)
add New filter FailedRequestFilter that will reject a request if there were errors during HTTP parameter parsing. (kkolinko)
Coyote
fix 50394: Return -1 from read operation instead of throwing an exception when encountering an EOF with the HTTP APR connector. (kkolinko)
fix 51698: Fix CVE-2011-3190. Prevent AJP message injection. (markt)
fix Detect incomplete AJP messages and reject the associated request if one is found. (markt)
fix 51794: Fix race condition in NioEndpoint selector. Patch provided by dlord. (fhanik)
fix 51905: Fix infinite loop in AprEndpoint shutdown if acceptor unlock fails. Reduce timeout before forcefully closing the socket from 30s to 10s. (kkolinko)
fix 52121: Fix possible output corruption when compression is enabled for a connector and the response is flushed. Test case provided by David Marcks. (kkolinko)
fix Replace unneeded call that iterated events queue in NioEndpoint.Poller. (kkolinko)
fix Improve MimeHeaders.toString(). (kkolinko)
fix Allow the BIO HTTP connector to be used with SSL when running under Java 7. (markt)
fix Improve multi-byte character handling in all connectors. (rjung)
Jasper
fix 51220: Correct copy/paste error in original commit for this issue. (markt)
fix 52091: Address performance issues related to log creation in TagHandlerPool. Patch provided by Taiki Sugawara. (markt)
Cluster
add 51736: Make rpcTimeout configurable in BackupManager. (kfujino)
add New cluster manager attribute sessionAttributeFilter allows filtering of which session attributes are replicated, using a regular expression applied to the attribute name. (rjung)
fix Avoid an unnecessary session ID change notice. Notice of changed session ID by JvmRouteBinderValve is unnecessary to BackupManager. In BackupManager, change of session ID is replicated by the call of a setId() method. (kfujino)
fix Fix unneeded duplicate resetDeltaRequest() call in DeltaSession.setId(String). (kkolinko)
add When the Context manager does not exist, a "no context manager" message is replied in order to avoid the timeout (default 60 sec) of the GET_ALL_SESSIONS sync phase. (kfujino)
Web applications
fix Correct the documentation for the connectionLinger attribute of the HTTP connector. (markt)
add Show build date and version in the header on every documentation page. (kkolinko)
fix 52049: Improve setup instructions for running as a Windows service: correct information on how a JRE is identified and selected. (markt)
update 52172: Clarify Tomcat build instructions. Patch provided by bmargulies. (kkolinko)
Other
update Update the native component of the APR/native connectors to 1.1.22. (markt)
update Update the recommended version of the native component of the APR/native connectors to 1.1.22. (kkolinko)
update Update the Eclipse compiler (used for JSPs) to 3.7. (markt)
fix Correct two typos in the Windows installer. (kkolinko)
fix 52059: In Windows uninstaller: Do not forget to remove Tomcat keys from 32-bit registry on deinstallation. (kkolinko)
Tomcat 6.0.33 (jfclere) released 2011-08-18
Catalina
add Allow the virtual paths to be searched before the webapp or after it. (rjung)
fix 27988: Improve reporting of missing files. (markt)
fix 28852: Add URL encoding where missing to parameters in URLs presented by Ant tasks to the Manager application. Based on a patch by Stephane Bailliez. (markt)
add 46252: Allow the character set used to write the access log to be specified in AccessLogValve. (kkolinko)
add 48863: Provide a warning if there is a problem with a class path entry but use debug level logging if it is expected due to catalina home/base split. (kkolinko)
add 49180: Add an option to disable file rotation in JULI FileHandler. (kkolinko)
fix 50189: Once the application has finished writing to the response, prevent further reads from the request since this causes various problems in the connectors which do not expect this. (markt)
fix 50700: Ensure that the override attribute of context parameters is correctly followed. (markt)
fix 50734: Return 404 rather than 400 for requests to the ROOT context when no ROOT context is deployed. Patch provided by Violeta Georgieva. (markt)
fix 50751: When authenticating with the JNDI Realm, only attempt to read user attributes from the directory if attributes are required. (markt)
fix 50752: Fix typo in debug message in org.apache.catalina.startup.Embedded. (markt)
fix 50855: Fix NPE on AuthenticatorBase.register() when debug logging is enabled. (markt)
fix Correctly format the timestamp reported by version.[sh|bat]. (markt)
fix Remove unnecessary whitespace from MIME mapping entries in global web.xml file. (markt)
fix 51042: Don't trigger session creation listeners when a session ID is changed as part of the authentication process. (markt)
add 51119: Add JAAS authentication support to the JMXRemoteLifecycleListener. Patch provided by Neil Laurance. (markt)
update Implement display of multiple request headers in AccessLogValve: print not just the value of the first header, but of all of them, separated by commas. (kkolinko)
fix Correct the SSLValve so it returns the SSL key size as an Integer rather than as a String. (markt)
fix 51162: Prevent possible NPE when removing a web application. (markt)
fix 51249: Improve system property replacement code in ClassLoaderLogManager of Tomcat JULI to cover some corner cases. (kkolinko)
fix 51315: Fix IAE when removing an authenticator valve from a container. Patch provided by Violeta Georgieva. (markt)
fix 51324: Improve handling of exceptions when flushing the response buffer to ensure that the doFlush flag does not get stuck in the enabled state. Patch provided by Jeremy Norris. (kkolinko)
fix 51348: Fix possible NPE when processing WebDAV locks. (markt)
add Add a container event that is fired when a session's ID is changed, e.g. on authentication. (markt)
fix Fix CVE-2011-2204. Prevent user passwords appearing in log files if a runtime exception (e.g. OOME) occurs while creating a new user for a MemoryUserDatabase via JMX. (markt)
fix 51400: Avoid jvm bottleneck on String/byte[] conversion triggered by a JVM bug. Based on patches by Dave Engberg and Konstantin Preißer. (markt)
add 51403: Avoid NPE in JULI FileHandler if formatter is misconfigured. (kkolinko)
update Create a directory for access log or error log (in AccessLogValve and in JULI FileHandler) automatically when it is specified as a part of the file name, e.g. in the prefix attribute. Earlier this happened only if it was specified with the directory attribute. (kkolinko)
fix Log a failure if access log file cannot be opened. Improve i18n of messages. (kkolinko)
fix Improve handling of URLs with path parameters and prevent incorrect 404 responses that could occur when path parameters were present. The method getRequestURI() was fixed to comply with specification (chapter SRV.3.1 of Servlet Spec. 2.5, javadoc) and now returns original request URI line from a HTTP request including any path parameters (such as jsessionid). See issues 51833 and 53584. (kkolinko/markt)
fix 51473: Fix concatenation of values in SecurityConfig.setSecurityProperty(). (kkolinko)
fix 51509: Fix potential concurrency issue in CSRF prevention filter that may lead to some requests failing that should not. (markt)
fix 51588: Make it easier to extend the AccessLogValve to add support for custom elements. (markt)
fix Unregister DataSource MBeans when web application stops. (kfujino)
add CVE-2011-1184: Add additional configuration options to the DIGEST authenticator. (markt)
Coyote
fix Reduce level of log message for invalid URL parameters from WARNING to INFO. (kkolinko)
add 48208: Provide an option to specify a custom trust manager for BIO and NIO HTTP connectors using SSL. Based on a patch by Luciana Moreira. (markt)
fix 49595: Protect against crashes when using the APR/native connector. (jfclere)
fix 49929: Make sure flush packet is not sent after END_RESPONSE packet. (mturk/markt)
add 50887: Enable the provider to be configured when generating SSL certs. Based on a patch by pknopp. (markt)
fix 51073: Throw an exception and do not start the APR connector if it is configured for SSL and an invalid value is provided for SSLProtocol. (markt)
fix Fix CVE-2011-2526. Protect against infinite loops (HTTP NIO) and crashes (HTTP APR) if sendfile is configured to send more data than is available in the file. (markt)
fix Prevent NPEs when a socket is closed in non-error conditions after sendfile processing when using the HTTP NIO connector. (markt)
fix 51515: Prevent immediate socket close when comet is used over HTTPS. (markt)
Jasper
fix 36362: Handle the case where tag file attributes (which can use any valid XML name) have a name which is not a Java identifier. (markt)
fix 47371: Correctly coerce the empty string to zero when used as an operand in EL arithmetic. Patch provided by gbt. (markt)
fix 50726: Ensure that the use of the genStringAsCharArray does not result in String constants that are too long for valid Java code. (markt)
fix 50895: Don't initialize classes created during the compilation stage. (markt)
add 51124: Make Tomcat more robust if an OOME occurs. Usually after an OOME all bets are off but this change appears to help some users and the description of a 'recoverable' OOME in the bug is a plausible one. Based on a patch by Ramiro. (markt)
fix 51177: Ensure Tomcat's MapELResolver and ListELResolver always return Object.class for getType() as required by the EL specification. (markt)
fix Correct possible threading issue in JSP compilation when development mode is used. (markt)
add 51220: Add a system property to enable tag pooling with JSPs that use a custom base class. Based on a patch by Dan Mikusa. (markt)
add Broaden the exception handling in the EL Parser so that more failures to parse an expression include the failed expression in the exception message. Hopefully, this will help track down the cause of 51088. (markt)
add Improve error reporting of Jasper compilation. (schultz)
Cluster
fix 50646: Fix cluster message data corruption if message size exceeds the underlying buffer size. Patch provided by Olivier Costet. (markt)
fix 50771: Ensure HttpServletRequest#getAuthType() returns the name of the authentication scheme if request has already been authenticated. (kfujino)
fix 50950: Correct possible NotSerializableException for an authenticated session when running with a security manager. (markt)
fix 51306: Avoid NPE when handleSESSION_EXPIRED is processed while handleSESSION_CREATED is being processed. (kfujino)
fix The change in session ID is notified to the container event listener on the backup node in cluster. This notification is controlled by notifyContainerListenersOnReplication. (kfujino)
Web applications
fix 41498: Add the allRolesMode attribute to the Realm configuration page in the documentation web application. (markt)
fix 48997: Fix some typos and improve cross-referencing to the HTTP Connector and APR documentation in the SSL How-To page of the documentation web application. (markt)
fix 50804: Update links for Servlet 2.5 and JSP 2.1 Javadoc. (markt)
update Improve class loading documentation and logging documentation. (kkolinko)
update Configure Security Manager How-To to include a copy of the actual conf/catalina.policy file when the documentation is built, rather than maintaining a copy of its content. (kkolinko)
fix 51147: Fix deployment via HTML Manager that was broken by addition of CSRF protection. Patch provided by Alexis Hassler. (markt)
fix 51156: Ensure session expiration option is available in Manager application for running web applications that were defined in server.xml. (markt)
fix Correct the log4j configuration settings when defining conversion patterns in the documentation web application. (markt)
fix Update Maven repository information in the documentation to reflect current usage. (markt)
fix 51346: Update the documentation web application to make clear the circumstances in which the RequestDumperValve will consume the request's InputStream. Based on a patch by pid. (markt)
fix 51443: Document the notifySessionListenersOnReplication attribute for the DeltaManager. (markt)
fix 51516: Correct documentation web application to show correct system property name for changing the name of the SSO session cookie. (markt)
update Update documentation to be even more explicit about the implications of setting the path attribute on a Context element in server.xml. (markt/kkolinko)
Other
update Clarify error messages in *.sh files to mention that if a script is not found it might be because execute permission is needed. (kkolinko)
add 33262, 40510, 50949, 51135: Various improvements to the Windows installer to be able to install several copies of Tomcat 6 side by side. Allow to configure service name, connector and shutdown ports. Allow to choose whether to install Start menu shortcuts and Apache Tomcat monitor application for all users or for the current one only. Improve auto-detection of JAVA_HOME for 64-bit Windows platforms: autoselect 32-bit JRE if it exists and 64-bit one is not available. Improve server.xml file handling. Fix uninstallation icon. (markt/kkolinko)
fix 50854: Add additional entries to the default catalina.policy file to support running the manager web application from CATALINA_HOME or CATALINA_BASE. (markt)
fix Update default download sources to use the central Apache Maven 2 repository as some libraries have been removed from the central Apache Maven 1 repository. (kkolinko)
fix 51155: Add comments to @deprecated tags that have none. Patch provided by sebb. (kkolinko)
fix 51309: Correct logic in catalina.sh stop when using a PID file to ensure the correct message is shown. Patch provided by Caio Cezar. (markt)
update Update Apache Commons Pool to 1.5.6. (kkolinko)
update Update Apache Commons Daemon to 1.0.7. (kkolinko)
update At build time use two alternative download locations for components downloaded from apache.org. (kkolinko)
Tomcat 6.0.32 (jfclere) released 2011-02-03
Catalina
update 48822: Include context name in reload and stop log statements. Based on the patch provided by Marc Guillemot. (kkolinko)
fix 50673: Improve Catalina shutdown when running as a service. Do not call System.exit(). (kkolinko)
fix 50689: Provide 100 Continue responses at appropriate points during FORM authentication if client indicates that they are expected. (kkolinko)
fix Improve HTTP specification compliance in support of Accept-Language header. This protects from known exploit of the Oracle JVM bug that triggers a DoS, CVE-2010-4476. (kkolinko)
Coyote
fix 49795: Backport AprEndpoint shutdown improvements, to make it more robust. (mturk/kkolinko)
fix 50325: When the JVM indicates support for RFC 5746, disable Tomcat's allowUnsafeLegacyRenegotiation configuration attribute and use the JVM configuration to control renegotiation. (markt)
fix 50631: InternalNioInputBuffer should honor maxHttpHeadSize. (kkolinko)
fix 50651: Fix NPE in InternalNioOutputBuffer.recycle(). (kkolinko)
Cluster
fix Be consistent with locks on sessionCreationTiming, sessionExpirationTiming in DeltaManager.resetStatistics(). (kkolinko)
Tomcat 6.0.31 (jfclere) not released
Catalina
fix 49543: Allow Tomcat to use shared data sources with per application credentials. (fhanik)
add 50205: Add the deployIgnorePaths attribute to the Host element. Based on a patch by Jim Riggs. (markt/kkolinko)
fix 50413: Additional fix that ensures the error page is served regardless of any Range headers in the original request. (kkolinko)
fix 50550: When a new directory is created (e.g. via WebDAV) ensure that a subsequent request for that directory does not result in a 404 response. (markt/kkolinko)
add Provide session creation and destruction rate metrics in the session managers. (markt)
fix 50606: Improve CGIServlet: Provide support for specifying empty value for the executable init-param. Provide support for explicit additional arguments for the executable. Those were broken when implementing fix for bug 49657. (kkolinko)
fix 50620: Stop exceptions that occur during Session.endAccess() from preventing the normal completion of Request.recycle(). (markt)
Coyote
fix Remove a huge memory leak in the NIO connector introduced by the fix for 49884. (markt)
Cluster
fix 50600: Prevent a ConcurrentModificationException when removing a WAR file via the FarmWarDeployer. (markt)
Tomcat 6.0.30 (jfclere) released 2011-01-13
General
fix Filter input of manager app servlets. (kkolinko)
fix 43960: Expose available property of StandardWrapper via JMX. (markt)
update Update to Commons Daemon 1.0.5. (mturk)
update Switch to using the Eclipse compiler JAR directly rather than creating it from the larger JDT download. (markt)
add Allow the off-line building of the extras package. (markt)
update Update to Commons Pool 1.5.5. (markt)
fix 49728, 50084: Improve PID file handling when another process is managing the PID file and Tomcat does not have write access. (markt)
fix 49909, 50201: Provide a mechanism to log requests rejected before they reach the AccessLogValve to appear in the access log. (markt/kkolinko)
Catalina
fix 38113: Provide a system property that enables a strict interpretation of the specification for getQueryString() when an empty query string is provided by the user agent. (markt)
fix Return a copy of the current URLs for the WebappClassLoader to prevent modification. This facilitated, although it wasn't the root cause, CVE-2010-1622. (markt)
add 48837: Extend thread local memory leak detection to include classes loaded by subordinate class loaders to the web application's class loader such as the Jasper class loader. Patch provided by Sylvain Laurent. (kkolinko)
add 48973: Avoid creating a SESSIONS.ser file when stopping an application if there's no session. Patch provided by Marc Guillemot. (slaurent)
fix 49030: Failure during start of one connector should not leave some connectors started and some ignored. (kkolinko)
fix 49195: Don't report an error when shutting down a Windows service for a Tomcat instance that has a disabled shutdown port. (markt)
fix 49209: Fix problem with JDBC driver memory leak prevention when running under a security manager. Patch provided by Sylvain Laurent. (markt)
fix 49613: Improve performance when using SSL for applications that make multiple calls to Request.getAttributeNames(). Patch provided by Sampo Savolainen. (markt)
fix 49657: Handle CGI executables with spaces in the path. (markt)
fix 49667: Ensure that using the JDBC driver memory leak prevention code does not cause one of the memory leaks it is meant to avoid. (markt)
fix 49749: Respect httpOnly setting of Context when creating SSO cookie. (markt)
add Provide better web application state information via JMX. (markt)
add 49811: Add an option to disable URL rewriting on a per Context basis. The option name is disableURLRewriting. (markt)
add 49856: Expose the executor name for the connector via JMX. (markt)
fix 49915: Make error more obvious, particularly when accessed via JConsole, if StandardServer.storeConfig() is called when there is no StoreConfig implementation present. (markt)
fix 49965: Use correct i18n resources for StringManager in JAASRealm. (kkolinko)
fix 49987: Fix potential data race in the population of the Servlet Context initialisation parameters. (markt)
fix Code clean-up. Avoid some casts in StandardContext. (markt)
add Add security policy and token poller protection to the JRE memory leak protection provided in Tomcat 6. (markt/kkolinko)
add 50026: Add support for mapping the default servlet to URLs other than /. (timw)
fix 50128: Improve exception handling in PersistentManagerBase when running with a security manager. (kkolinko)
fix 50131: Avoid possible NPE in debug output in PersistentValve. Patch provided by sebb. (kkolinko)
fix 50138: Fix threading issues in org.apache.catalina.security.SecurityUtil. (markt)
add Add a new filter, org.apache.catalina.filters.CsrfPreventionFilter, to provide generic cross-site request forgery (CSRF) protection for web applications. (markt)
fix Make sure Contexts defined in server.xml pick up any configClass setting from the parent Host. (markt)
add 50222: Modify memory leak prevention code so it pins the system class loader in memory rather than the common class loader, which is better for embedded systems. (schultz)
add Make memory leak prevention code that clears ThreadLocal instances more robust against objects with toString() methods that throw exceptions. (markt)
add 50282: Load javax.security.auth.login.Configuration with JreMemoryLeakPreventionListener to avoid memory leak when stopping a webapp that would use JAAS. (slaurent)
fix 50413: Ensure 304s are not returned when using static files as error pages. (markt)
fix 50453: Correctly handle multiple X-Forwarded-For headers in the RemoteIpValve. Patch provided by Jim Riggs. (markt)
fix 50459: Fix thread/classloader binding issues in StandardContext. (slaurent)
update 50527: Improve an error message shown by HttpServlet. (markt)
add 50556: Improve JreMemoryLeakPreventionListener to prevent a potential class loader leak caused by a thread spawned when the class com.sun.jndi.ldap.LdapPoolManager is initialized and the system property com.sun.jndi.ldap.connect.pool.timeout is set to a value greater than 0. (slaurent)
fix 50642: Move the sun.net.www.http.HttpClient keep-alive thread memory leak protection from the JreMemoryLeakPreventionListener to the WebappClassLoader since the thread that triggers the memory leak is created on demand. (markt)
Coyote
fix 47913: Return the IP address rather than null for getRemoteHost() with the APR connector if the IP address does not resolve. (markt)
fix Avoid a NPE for APR connector unlockAccept with default soTimeout. (mturk)
add 48545: Allow JSSE trust stores to be used without providing a password. Based on a patch by smmwpf54. (kkolinko)
add 48738: Add support for flushing gzipped output. Based on a patch by Jiong Wang. (markt)
fix Avoid a NPE in the DeltaManager when a parallel request invalidates the session before the current request has a chance to send the replication message. (markt)
fix 48925: request.getLocalAddr() returns null when using the default Jk AJP/1.3 connector. (rjung)
fix 49497: Stop accepting new requests (inc keep-alive) once the BIO connector is paused and the current request has finished processing. (markt)
fix 49521: Disable scanning for a free port in Jk AJP/1.3 connector by default. Do not change maxPort field value of ChannelSocket in its setPort() and init() methods. Add support for maxPort attribute on a Connector element as a synonym for channelSocket.maxPort. (kkolinko)
fix 49625: Ensure Vary header is set if response may be compressed rather than only setting it if it is compressed. (markt)
fix 49730: Fix race condition in StandardThreadExecutor that can lead to long delays in processing requests. Patch provided by Sylvain Laurent. (markt)
fix 49860: Add support for trailing headers in chunked HTTP requests. The header length is limited to 8192 by default and the limit can be changed via a system property. (markt/kkolinko)
fix 49972: Fix potential thread safety issue when formatting dates for use in HTTP headers. (markt)
fix 50072: NIO connector can mis-read request line if not sent in a single packet. (markt/kkolinko)
fix Improve recycling of processors in Http11NioProtocol. (kkolinko)
add 50273: Provide a workaround for an HP-UX issue that can result in large numbers of SEVERE log messages appearing in the logs as a result of normal operation. (markt)
fix Make SSL certificate encoding algorithm consistent between connectors by using the JVM default for all connectors. This also fixes an issue with the NIO connector on IBM JVMs. (markt)
fix 50467: Protect against NPE triggered by a race condition that causes the NIO poller to fail, preventing the processing of further requests. (markt)
Jasper
update 49217: Ensure that identifiers used in EL meet the requirements of the Java Language Specification. This check is off by default and can be enabled by setting a system property. (markt)
fix 49555: Correctly handle Tag Libraries where functions are defined in static inner classes. (markt)
fix 49665: Provide better information including JSP file name and location when a missing file is detected during TLD handling. Patch provided by Ted Leung. (markt)
fix 49985: Fix thread safety issue in EL parser. (markt)
fix 49986: Fix thread safety issue in JSP reloading. (timw)
fix 49998: Make jsp:root detection work with single quoted attributes as well. (timw)
fix 50066: Compile a recursive tag file if it depends on a JAR. Patch provided by Sylvain Laurent. (markt)
fix 50078: Fix threading issues in EL caches and make cache sizes configurable. Threading patch provided by Takayoshi Kimura. (markt)
fix 50105: When processing composite EL expressions use Enum.name() rather than Enum.toString() as required by the EL specification. (markt)
fix 50228: Improve recycling of BodyContentImpl. This avoids keeping a cached reference to a webapp-provided Writer used in JspFragment.invoke() calls. (kkolinko)
fix 50460: Fix memory leak in JspDocumentParser triggered by first access to a jspx page. (kkolinko)
fix 50500: Use correct coercions (as per the EL spec) for arithmetic operations involving string values containing '.', 'e' or 'E'. Based on a patch by Brian Weisleder. (markt)
Cluster
fix 49343: When ChannelException is thrown, remove listener from channel. (kfujino)
fix Add Null check when CHANGE_SESSION_ID message received. (kfujino)
fix When a cluster node disappears when using the backup manager, handle the failed ping message rather than propagating the exception (which just logs the stack trace but doesn't do anything to deal with the failure). (markt)
fix 49905: Fix potential memory leak when using asynchronous session replication. (markt)
fix 49924: When non-primary node changes into a primary node, make sure isPrimarySession is changed to true. (kfujino)
fix Add support for maxActiveSessions attribute to BackupManager. (kfujino)
fix Improve sending an access message in DeltaManager. Use maxInactiveInterval not of the Manager, but of the session. If maxInactiveInterval is negative, the access message is not being sent. (kfujino)
fix 50547: Add time stamp for CHANGE_SESSION_ID message and SESSION_EXPIRED message. (kfujino)
Web applications
fix 49585: Update JSVC documentation to reflect new packaging of Commons Daemon. (markt)
add Configure the Manager web application to use the new CSRF protection. To take advantage of this protection, the manager role must be removed from all users and the new manager-gui and manager-script roles used instead. (markt)
add Configure the Host Manager web application to use the new CSRF protection. To take advantage of this protection, the admin role must be removed from all users and the new admin-gui and admin-script roles used instead. (markt)
fix 50303: Update JNDI how-to to reflect new JavaMail and JAF download locations and that JAF is now included in Java SE 6. (markt)
fix CVE-2010-4172: Multiple XSS in Manager application. (markt/kkolinko)
update Improve Tomcat Logging documentation. (kkolinko)
add 50242: Provide a sample log4j configuration that more closely matches the default JULI configuration. Patch provided by Christopher Schultz. (kkolinko)
add 50294: Add more information to documentation regarding format of configuration files. Patch provided by Luke Meyer. (markt)
update Configure the Manager and Host-Manager web applications to use HttpOnly flag for their session cookies. (kkolinko)
fix 50316: Fix display of negative values in the Manager web application. (kkolinko)
update Improve documentation of database connection factory. (rjung)
Other
update 48716: Do not call reset if the default LogManager is in use. (markt)
fix Use native line endings for example Eclipse configuration files in source distribution. (markt)
fix 49428: Add a work-around for the known namespace issues for some Microsoft WebDAV clients. Based on the patch provided by Panagiotis Astithas. (kkolinko)
fix 49861: Fix formatting of log messages in JMX remote listener. Do not use commas when printing RMI port numbers. (markt)
fix 50140: Don't ignore a user specified install directory on 64-bit platforms when using the Windows installer. (markt)
fix 50552: Avoid NPE that hides error message when using Ant tasks. (schultz)
update Numerous improvements to the Windows installer: update install/uninstall icons, create an installation log, allow 32-bit JVMs to be selected when installing on a 64-bit platform, replace the .ini files with the script equivalents, use the new manager and host-manager roles, provide the ability to edit the roles for the added user, add support for the /? command line switch, clean up fully after installation, add DetailPrint statements for operations that may take time and improve the descriptions of the components. (kkolinko, mturk, markt)
Tomcat 6.0.29 (jfclere) released 2010-07-22
Catalina
add 48960: Add a new option to the SSI Servlet and SSI Filter to allow the disabling of the exec command. This is now disabled by default. Based on a patch by Yair Lenga. (markt)
fix 49551: Allow default context.xml location to be specified using an absolute path. (markt)
fix 49598: When session is changed and the session cookie is replaced, ensure that the new Set-Cookie header overwrites the old Set-Cookie header. (markt)
fix Fix order when listing Webapp loader search URLs. (rjung)
add Add support for *.jar pattern in VirtualWebappLoader. (kkolinko)
Tomcat 6.0.28 (jfclere) released 2010-07-09
Catalina
fix Arrange filter logic. (jfclere)
fix 49230: Enhance JRE leak prevention listener with protection for the keep-alive thread started by sun.net.www.http.HttpClient. Patch provided by Rob Kooper. (markt)
fix 49351: Fix possible NPE when embedding and no name is specified for the Service. (markt)
fix 49424: Avoid NPE if client provides no data with a chunked POST request. (markt)
fix 49414: Improve diagnostic of memory leaks. Differentiate between request threads and application created threads when warning about still running threads when an application stops. (markt)
fix 49443: Fix RemoteIpValve documentation. Use remoteIpHeader rather than remoteIPHeader consistently. (markt)
add Add property searchExternalFirst to WebappLoader. If set, the external repositories will be searched before the WEB-INF ones. (rjung)
Cluster
fix 49445: When session ID is changed after authentication, ensure the DeltaManager replicates the change in ID to the other nodes in the cluster. (kfujino)
Web applications
fix 49213: Grant permissions required by manager application when running under a security manager. (markt/kkolinko)
fix 49436: Correct documented default for readonly attribute of the UserDatabase component. (markt)
Tomcat 6.0.27 (jfclere) not released
General
update Update DBCP to 1.3. (markt)
Catalina
fix Fix CVE-2010-1157. Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication. (markt)
add Include context name when reporting memory leaks to aid root cause identification. (markt)
fix Improve exception handling on session de-serialization to assist in identifying the root cause of 48007. (kkolinko)
add 48379: Make session cookie name, domain and path configurable per context. (markt)
fix 48589: Make JNDIRealm easier to extend. Based on a patch by Candid Dauth. (markt/kkolinko)
fix 48629: Allow user names as well as DNs to be used with the nested role search. Add roleNested to the documentation. Patch provided by Felix Schumacher. (markt)
fix 48661: Make error page behavior consistent, regardless of how the error page is defined. If a response has been committed, always include the error page. (markt)
fix 48729: Return roles defined by both userRoleName and roleName mechanisms. Patch provided by 'eric'. Also make user's role list immutable. (markt)
fix 48760: Fix potential multi-threading issue in static resource serving where multiple threads could try to use the same InputStream. (markt)
fix 48790: Fix thread safety issue in the count of the maximum number of active sessions. (markt/kkolinko)
fix 48793: Make catalina.sh more robust to different return values on different platforms. Patch provided by Thomas GL. (markt)
fix 48840: Swallow output (if any) from use of cd when determining $CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts. Based on patch provided by mdietze. (markt/kkolinko)
fix 48895: Make clearing of ThreadLocals that are causing memory leaks on web application stop, reload or undeploy configurable since the process of clearing them is not thread-safe. (markt)
fix 48903: Fix deadlock in webapp class loader. (rjung)
fix 48971: Make stopping of leaking Timer threads optional and disabled by default. (markt)
fix 48976: Document JAVA_ENDORSED_DIRS in start-up scripts. Patch provided by Laurent Vaills. (markt)
fix 48983: Improve debug logging for situations when RemoteIpValve is bypassed. Patch provided by Cyrille Le Clerc. (markt)
fix 49018: Fix processing of time argument in the Expire sessions action in the Manager web application. (kkolinko)
fix 49116: If session is already invalid, expire session to prevent memory leak. (kfujino)
fix 49158: Ensure only one session cookie is returned for a single request. (markt/fhanik)
fix 49245: Fix session expiration check in cross-context requests. (markt)
fix 49398: ByteChunk.indexOf(String, int, int, int) could not find a string of length 1. (kkolinko)
fix Fix possible overflows when calculating session statistics. (kkolinko)
add Log unexpected exceptions when providing access to web application resources in ApplicationContext. (kkolinko)
fix Improve exception handling in CatalinaShutdownHook. (kkolinko)
add Expose properties of VirtualWebappLoader and WebappClassLoader via JMX. (rjung)
Coyote
fix 48839: Correctly handle HTTP header folding in the NIO connector. Patch suggested by Richa Baronia. (markt)
fix 48843: Prevent possible deadlock for worker allocation in connectors. (kkolinko)
fix 48843: Fix handling of add queues in AprEndpoint.Poller and AprEndpoint.Sendfile. Do not miss wakeups. (kkolinko)
add 48862: Add support for the backlog parameter to the AJP connector. (pero/markt)
fix 48917: Correct name of mod_jk module in ApacheConfig. Patch provided by Todd Hicks. (markt)
fix 49095: AprEndpoint did not wake up acceptors during shutdown when deferAccept option was enabled. Based on a patch provided by Ruediger Pluem. (kkolinko)
add Use chunked encoding for http 1.1 requests with no content-length (regardless of keep-alive) so client can differentiate between complete and partial responses. (markt)
fix Correct the SSL session timeout attribute name so the code agrees with the documentation. (markt)
add CoyotePrincipal now implements Serializable. (fhanik)
fix Enable the BIO AJP connector to run under a security manager. (markt)
Jasper
fix 45015: Correct a regression in quote handling caused by the re-factoring of attribute parsing. (markt)
fix 48701: Add a system property to allow disabling enforcement of JSP.5.3. The specification recommends, but does not require, this enforcement. (kkolinko)
fix 48737: Don't assume paths that start with /META-INF/... are always in JARs. This is not true for some IDEs. Patch provided by Fabrizio Giustina. (markt)
fix 49081: Correctly handle EL expressions of the form #${...}. (markt)
fix 49196: Avoid NullPointerException in PageContext.getErrorData() if an error-handling JSP page is called directly. (markt)
Cluster
fix 48717: When a node joins a cluster and it receives all the current sessions, ensure the sessionCreated event is fired if the Manager is configured to replicate session events. (markt)
fix 48934: Previous fix to handle dropped connections incorrectly permanently disabled session replication. (fhanik)
fix 49051: memberAlive is not called if member has not already existed in membership. (kfujino)
fix 49151: Avoid ClassCastException in BackupManager#stop. (kfujino)
fix 49170: Do not send duplicated session. (kfujino)
fix Add missing messages and ensure cluster listeners log messages to correct logger. (markt)
Web applications
add Use underscores instead of spaces in anchor names in Tomcat documentation. (kkolinko)
add Add support for displaying the Spring Security user name (if present) in the Manager application. (markt)
update Improve the ChatServlet Comet example (/examples/jsp/chat/). (kkolinko)
Other
update Update to Commons Daemon 1.0.2. Use service launcher (procrun) from the Commons Daemon release. Do not keep a copy of it in our source tree. (mturk/kkolinko)
update Update to NSIS 2.46. (kkolinko)
fix 48990: Fix the skip.installer build property so if set, only the Windows installer is skipped. (markt)
fix 49178: Provide in catalina.policy an example of additional permissions that might be needed for code located in $CATALINA_BASE/lib. (markt)
fix 49236: Do not use indexing when packing Tomcat JARs. (kkolinko)
fix Remove unused code from org.apache.tomcat.util.buf classes. (kkolinko)
update Rearrange tomcat-juli.jar permissions and wrap long lines in the conf/catalina.policy file, to make the text more readable when cited in documentation. (kkolinko)
fix Do not evaluate the execute.installer property when building a release. The skip.installer property is used instead. (kkolinko)
Tomcat 6.0.26 (jfclere) released 2010-03-11
Catalina
fix Close security hole in unreleased 6.0.25 by ensuring new find leaks functionality is protected by a security constraint. (kkolinko)
fix 48831: Improve logging shutdown behaviour. Use Catalina's shutdown hook to shut down JULI. This enables them to be shut down in the correct order. Do not shut down global handlers several times. (markt/kkolinko)
Coyote
fix 48584: Prevent the APR connector logging an error if the acceptor fails during shutdown since this is expected. (mturk)
fix 48660: Using compression should not overwrite any Vary header set by a web application. (markt)
Jasper
fix 48371: Ensure generated servlet mappings are inserted at the correct location when using JspC and allow the option that controls this to be configured on the command line. Also allow the encoding of web.xml to be configured when using JspC and deprecate some unused JspC methods. (markt/kkolinko)
fix 48498: Avoid ArrayIndexOutOfBoundsException triggered by a Java 6/7 XML parser bug. (markt/kkolinko)
fix 48668: Additional fixes to ensure deferred syntax is handled correctly. (kkolinko)
fix 48827: Correct a regression in the fix for 47977 that caused an incorrect non-empty body error to be reported for valid JSP documents. (markt)
Web applications
add Make changelog.xml be directly rendered as HTML by certain browsers. (kkolinko)
add Add support for automated generation of TOC tables and for links to svn revisions to tomcat-docs.xsl in documentation. (kkolinko/fhanik)
add Move Manager application JSPs that are not intended to be accessed directly under the WEB-INF directory. (kkolinko)
fix Improve the messages displayed by the find leaks diagnostic in the Manager application. (kkolinko)
Other
fix Encode all property files using ascii escaped UTF-8. Also fixes deployment problem when using French locale. (jfclere/rjung)
Tomcat 6.0.25 (jfclere) not released
Catalina
fix 48039: Return immediately if start() is called on an already started StandardService. (markt)
fix 48109: Ensure InputStream is closed on error condition in web application class loader. (markt)
fix 48179: Clean up dead code that was used to read tldCache file. (kkolinko)
fix 48318: Handle case where WebDAV resource is in directory listing but is not accessible. (markt)
add 48384: Add a per context xslt option for directory listings. Make the fallback options work as described in the documentation. (markt)
fix 48577: Filter URL when displaying missing included page. (markt)
fix 48612: Prevent exception on shutdown if the address attribute is specified for a connector. (markt)
fix 48613: Further fixes to ensure APRLifecycleListener is only used if defined in server.xml. (fhanik)
fix 48614: Correct JULI log file buffering so default behaviour is no buffering. (fhanik)
fix 48625: Provide an option to exit if an error occurs during the initialization phase. (fhanik)
fix 48645: Use specified encoding rather than null in calls to RequestUtil.URLDecode(byte[] bytes, String enc) (markt)
fix 48653: Force request.secure and request.scheme to false and http if the X-Forwarded-Proto header has the value http. Patch provided by Cyrille Le Clerc. (markt)
fix 48678: Remove duplicate server field from org.apache.catalina.startup.Catalina. (markt)
fix 48694: Remove potential deadlock in web application class loader. (markt)
add 48716: Provide additional configuration options for JULI. (markt)
fix 48726: Prevent OOME when uploading large WAR files with the deployer. Patch provided by adam. (markt)
add Improve memory leak protection by safely stopping threads started via java.util.Timer that an application starts but fails to stop and by clearing references retained due to the use of java.util.ResourceBundle. (markt)
update Modify ThreadLocal memory leak detection to not report false positives and to simplify implementation. (markt/kkolinko)
add Basic memory leak detection was added to the standard Host implementation and exposed via JMX to detect memory leaks on web application reload. (markt/kkolinko)
Coyote
update Update the native/APR library version bundled with Tomcat to 1.1.20. (kkolinko)
Jasper
add Add some debug logging to the compiler where exceptions were previously swallowed. (markt)
fix 48170: Remove unnecessary synchronization that is causing issues under load. (markt)
fix 48580: Prevent AccessControlException if first access is to a JSP that uses a FunctionMapper. (markt)
fix 48582: Avoid NPE on background compilation failure. (markt)
fix 48616: Don't declare or synchronize scripting variables for JSP fragments since they are scriptless. This is an alternative fix for 42390 that avoids both the original problem and the regression in the first fix. (kkolinko)
fix 48627: Fix regression in re-factored EL parsing. Keep literals as literals and handle deferredSyntaxAllowedAsLiteral. (kkolinko)
fix 48668: When parsing JSPs only parse EL as EL if EL is enabled else strings such as ${ will be silently dropped. (markt)
fix Various EL TCK failures. (markt)
Cluster
fix Force a disconnect if an error occurs during replication such as a firewall dropping the connection. (fhanik)
Web applications
add Add new "Find leaks" command to the Manager application. It detects web applications that have caused memory leaks on stop, reload or undeploy. (markt/kkolinko)
Other
fix Ensure files in conf directory have CRLF line endings when using the Windows installer. (kkolinko)
fix Allow special characters recognized by the Windows command-line shell to be present in the names of CATALINA_HOME/_BASE and the current directory used to call the Tomcat scripts. (kkolinko)
fix Don't use @Deprecated annotations in javax.servlet.jsp.JspContext since the specification does not include them in the API definition. (markt)
add Improve the information in the JAR manifest files. (markt)
Tomcat 6.0.24 (jfclere) released 2010-01-21
Catalina
fix Correct TCK failures with security manager caused by the original fix for 47774. (markt)
Other
fix Remove broken link in README.html. (jfclere)
fix Add .notice files to the set of files that have their line endings changed. (markt)
fix .zip distributions should have windows line endings. (markt)
Tomcat 6.0.23 (jfclere) not released
Catalina
fix 47774: Ensure web application class loader is used when calling session listeners. (markt)
add 48006: Add additional information to the optional X-Powered-By header to align with the content suggested in the Servlet specification. (markt)
fix 48345: Sessions timed out too early when using PersistentManager. Patch provided by Keiichi Fujino. (markt)
fix 48398: Make objects used as locks final to ensure correct operation. Patch provided by sebb. (markt)
fix 48417: Update French translations. Patch provided by André Warnier. (markt/kkolinko)
fix 48421: Fix file descriptor and potential memory leak when a web application uses a local logging.properties file. Allow a web application's log files to be deleted once the web application has been stopped. (markt)
fix 48454: Ensure stderr is completely read before terminating the CGI process. Patch provided by Markus Grieder. (markt)
fix 48516: Prevent NPE in JNDIRealm if requested user does not exist. Patch provided by Kevin Conaway. (markt)
fix Fix implementation of log buffer size and provide a cleaner interface. (fhanik/kkolinko)
Coyote
update Update version of native bundled in Windows installer to 1.1.19. (mturk)
update Update recommended version for native to 1.1.19. (rjung)
fix 48004: Allow web applications to set the HTTP Server header. (markt)
fix 48470: Ensure Tomcat does not lock up if shut down under load. (markt)
Jasper
fix 47977: Using a body with a tag that has an empty body should cause an error. (markt)
fix 48112: Correct handling of } character in literals when parsing expressions. This also improves the fix for 47413. (markt)
Web applications
add 48530: Add information on the Manager Server Status page to the Manager How-To in the documentation webapp. Based on a patch by Arnaud Espy. (markt)
add 48532: Add information to the BIO/NIO SSL configuration page in the documentation web application to specify how the defaults for the various trust store attributes are determined. (markt)
Other
fix Remove hard coded version numbers and instead apply version filter already defined in ant scripts. (rjung)
fix 47609: Correct regression in previous fix. (markt)
add 48464: Provide an option to specify the command window title in catalina.bat on Windows. Patch provided by LiuYan. (markt)
fix Add some missing deprecation markers for javax.servlet.jsp.JspContext. (markt/kkolinko)
Tomcat 6.0.22 (jfclere) not released
Catalina
add Log errors if a web application starts a thread but fails to stop the thread when the web application stops or is reloaded. Failure to stop a thread is very likely to result in a memory leak. (markt)
add Provide an option to stop any threads a web application starts but fails to stop when the web application stops or is reloaded. Using this option is very likely to result in instability and should be viewed as a last resort in development and is not recommended at all in production. (markt)
add Log errors if a web application creates a ThreadLocal but fails to clear it when the web application stops or is reloaded. Failure to clear a ThreadLocal is very likely to result in a memory leak. (markt)
add Clear any unintentional references remaining in sun.rmi.transport.Target when the web application stops or is reloaded. Failure to clear these is very likely to result in a memory leak. (markt)
Coyote
fix Remove unneeded line from the method that normalizes decodedURI. (kkolinko)
Other
fix Correct MD5 generation in the build process. (jfclere/kkolinko)
fix 47609: Provide fail-safe EOL conversion for build process. Based on patches by sebb/kkolinko. (markt)
Tomcat 6.0.21 (jfclere) not released
Catalina
fix Fix issues with expression language when running under a SecurityManager. (markt)
fix Remove duplicate mime-mapping entries in web.xml. Re-order entries alphabetically to make it easier to identify duplicates. (markt)
update Use a more sensible default (webapps) for a Host's appBase. (markt/idarwin)
fix 37794: Support the parsing of parameters from chunked POSTs. (markt)
fix 37984: Strip {MD5} as well as {SHA} if present in digest passwords in LDAP directories. (markt)
fix 38352: Allow JSPs to write to the directory defined by javax.servlet.context.tempdir when running under a security manager. (markt)
fix 39231: Call LoginContext.logout() when using JAAS realm and session expires. (markt/kkolinko)
fix 40380: Fix potential synchronization issue in StandardSession.expire(). (markt)
fix 41059: Reduce chances of errors when ENABLE_CLEAR_REFERENCES is used. Patch provided by Curt Arnold. (markt)
fix 43343: Fix additional concurrency issues identified with the persistent session manager. (markt)
fix 44041: Fix threading issue in WebappClassLoader that can lead to duplicate class definition under high load. (markt/fhanik)
fix 44943: Use the same engine name in server.xml comments to reduce copy and paste issues. (markt/kkolinko)
fix 45255: Provide protection against session fixation by changing session ID automatically on authentication. (markt/kkolinko)
fix 45403: Add additional checks on web application deployment and do not swallow IO errors. (kkolinko)
fix 45785: Additional fix required for the extension validator. Based on a patch by Rolf Wojtech. (markt)
fix 46908: Try and support java encoding names when using an xml parser provided via the endorsed mechanism. (markt)
fix 46967: Better handling of errors when trying to use Manager.randomFile. Based on a patch by Kirk Wolf. (markt)
fix 47046: Unregister all MBeans, including when non-default engine names are used. (markt)
fix Use native2ascii to ensure non-ASCII characters in property files are handled correctly in all circumstances. (markt)
fix 47050: Remove unnecessary filtering of error messages. (markt)
fix 47080: Fix NPE in RealmBase when uri is null. (markt)
fix 47158: Fix some thread safety issues in the AccessLogValve. (markt)
fix 47228: Correct French translations. Patch provided by sebb. (markt)
fix 47299: Simplify code and make embedding easier. (markt)
fix 47316: Allow different values for Service name and Engine name. This corrects a regression introduced by the fix for 42707. (markt)
fix 47343: Editing context.xml for a directory should not delete the directory. This was a regression caused by the fix for 42747. (markt)
fix 47364: Improve Javadoc for org.apache.catalina.connector.Request.getAttributeNames() to include information on the handling of Tomcat's internal request attributes. (markt)
fix 47451: Don't throw an NPE if the various response.setHeader() methods are called with null header name, zero length header name or null value. Silently ignore the calls in the same way they are ignored if the response has already been committed. (markt)
fix 47462: Allow individual web applications to override metadata complete if set in the global web.xml. Patch provided by Keiichi Fujino. (markt)
fix 47495: Provide a more meaningful error message if server.xml is not readable and exit immediately if a server cannot be created. (funkman/kkolinko)
fix 47518: Correct reference in Valve Javadoc that referred to an old method. Patch provided by Christopher Schultz. (markt)
fix 47537: Return an error page rather than a zero length 200 response if the forward to the login or error page fails during FORM authentication. (markt)
fix 47718: Fix file descriptor leak on context stop/reload. Patch provided by George Sexton. (markt)
fix 47796: Fix OpenEJB integration. Reset annotation processor on context stop. (markt)
fix 47826: Correct error in debug message in org.apache.catalina.Bootstrap (markt)
fix 47836: Clear cached TLD information on context reload. (markt)
fix 47841: When using the CombinedRealm, if one of the nested Realms fails to start, skip that Realm rather than preventing the CombinedRealm from starting. (markt)
fix 47881: Fix processing of startd and stopd arguments. Patch provided by Qingyang Xu. (kkolinko)
fix 47918: Correct mbean descriptors for the host deployer. Patch provided by Uwe Günther. (markt)
fix 47930: Fix thread safety issues on session swap-in in the persistent session manager. (markt/kkolinko)
fix 47976: Correct usage message and Javadoc for org.apache.catalina.startup.Catalina. (markt)
fix 47997: Ensure the NamingContextListener applies to all naming contexts, not just the global one. Patch provided by Michael Allman. (markt)
fix 48049: Fix copy and paste error so NamingContext.destroySubContext() works correctly. Patch provided by gingyang.xu (markt)
update 48097: Make WebappClassLoader not swallow AccessControlException. (kkolinko)
fix 48097: Avoid throwing an AccessControlException which can lead to a NoClassDefFoundError on first access of first jsp. (kkolinko/markt)
fix 48257: Correct error in Spanish translations. Patch provided by Guillermo Gutiérrez. (markt)
fix 48306, 48307: Correct French translations. Patches provided by Marc Paquette. (markt)
fix 48322: Single quote characters are not HTTP separators and should not be treated as such in the cookie handling. (markt)
fix 48413: Correct some French translations. Patch provided by André Warnier. (markt)
update Deprecate the caseSensitive option on the StandardContext which will be removed in Tomcat 7 onwards. (markt)
fix Log deployments consistently for WAR, directory and descriptor deployments. (markt)
add Better logging for parameter decoding issues to help identify broken requests. (markt)
update Update Apache Commons Pool from 1.4 to 1.5.4. This update includes various fixes to prevent deadlocks, reduces synchronization and makes object allocation occur fairly - i.e. objects are allocated to threads in the order that the threads request them. This update fixes a number of issues in Tomcat's built-in copy of DBCP. (markt)
add Allow log file encoding to be configured for JULI FileHandler. (kkolinko)
add Provide debug logging for JNDI lookups. (markt)
fix Correct JDBC driver de-registration on web application stop and fix NPE that is exposed by the fix. (markt)
fix Ensure JDBC driver de-registration works with a security manager. (markt)
fix 48214: Ensure JDBC driver de-registration is not too zealous. (markt)
update Various JNDI realm improvements for Active Directory. These include the ability to specify a default role, optional handling for nested roles and an option to ignore PartialResultExceptions. (markt)
add Expose Servlet Filters via JMX. Based on a patch by Xie Xiaodong as part of GSOC2009. (markt)
update Tomcat now uses the Platform MBean server by default so all MBeans registered by Tomcat will be exposed via JMX (eg via JConsole) without requiring any additional configuration. (markt)
add The JMX Remote Lifecycle Listener allows the ports used by JMX to be fixed, making it easier to configure firewalls to allow JMX traffic to pass through. Part of the extras package. (markt)
fix Make context deployment error message for fixDocBase() more meaningful. (markt)
fix Add an additional permission required by JULI when running under newer JDKs and a security manager. (markt)
fix Remove unnecessary reference to tomcat-coyote.jar from the bootstrap JAR manifest. (kkolinko)
fix Use correct method to create URLs in VirtualWebappLoader. (kkolinko)
fix Provide a new listener to protect against a memory leak caused by a change in the Sun JRE from version 1.6.0_15 onwards. Also include protection against locked JAR files, memory leaks triggered by XML parsing and the GC Daemon. (markt)
fix Don't swallow exceptions in ApplicationContextFacade.doPrivileged() (kkolinko)
fix Close resource stream in WebappClassLoader after read error. (pero)
update Include attribute name into the text of Non-serializable exception that might be thrown by Session.setAttribute() in distributable applications. (mturk)
add Add RemoteIpValve, a port of mod_remoteip. Patch provided by Cyrille Le Clerc. (markt)
update Allow per instance configuration of JULI or log4j for core Tomcat logging when using CATALINA_BASE. (markt/kkolinko)
fix Prevent NPE in JULI during shutdown when resources try to log messages after JULI has been shutdown. (fhanik/kkolinko)
add Make the JULI FileHandler easier to extend. (fhanik)
add Make buffer size for FileHandler configurable. (fhanik)
fix Make JULI FileHandler thread safe. (fhanik)
add Provide an option to disable buffering in the JULI FileHandler. (kkolinko)
fix Ensure log messages are not lost on shutdown. (markt)
add 44679: Provide an option to allow the equals character in unquoted cookie values. (markt)
add Add support for a connectionTimeout parameter to the JNDIRealm. (markt)
fix Various (un)deployment related improvements including better handling of failed (un)deployment, additional checking for valid zip entries that don't make sense in a WAR and improved validation of WAR file names. (markt)
Coyote
update Implement socket.unlockTimeout attribute for NIO connector.
update Update version of native bundled in Windows installer to 1.1.18. (kkolinko)
update Update minimum required version for native to 1.1.17. (rjung)
fix 46950: Fix doing SSL renegotiation when a resource with CLIENT-CERT auth is requested. (markt)
fix Align tcnative native and Java method names. (rjung)
update Don't report thread count from connector if an external executor is used.
fix 39637: Enable the AJP connectors to correctly handle client certificate chains. Patch by Patrik Schnellmann. (markt)
fix 46985: Clean up code and remove impossible condition. (markt/kkolinko)
fix 47225: Fix error in calculation of a buffer length in the mapper. (markt)
fix 47320: Don't rely on the platform default encoding being suitable to parse the session ID. (markt)
fix 47499: Don't swallow bind exceptions. (markt)
fix 47744: Prevent a medium term memory leak if using SSL with the JSSE provider and also using a security manager. Based on a patch by Greg Vanore. (markt)
fix 47963: Ensure that any HTTP status messages are compliant with RFC2616. (markt/kkolinko)
fix 47987: Limit size of not found resources cache. (markt)
fix 48009: Protect against the situation where editing a context.xml file may result in the file disappearing for a very short time. (markt)
fix Use correct connector attribute (SSLEnabled) rather than secure to determine if SSL should be used. (fhanik)
fix Provide a workaround for CVE-2009-3555, the TLS renegotiation issue, for the default Blocking IO Java connector.
fix 48252: Fix stack overflow exception when setting jkHome on NIO connector. (fhanik)
fix 48311: Only the APR lifecycle listener should try and initialise APR. (markt)
Jasper
fix 38797: Fix a regression in the previous patch for 37933. (markt)
fix 38897: Add uri of broken TLD to error message to aid debugging. (markt)
fix 41661: Fix thread safety issue with JspConfig.init() (markt)
fix 41824: Need to use canonical rather than binary form when writing code. (markt)
fix 42390: Fix compilation issue with some nested tag files and simple tags. (kkolinko/markt)
fix 43656: Correctly coerce null to zero when the target type is Number. (markt)
fix 46907: Don't swallow input stream when debug logging is enabled. (markt)
fix 47318: Process directives found in include preludes and codas. (markt)
fix 47331: Treat uninterpreted tags as template text for JSP.2.2. (markt)
fix 47413: Ensure expressions of the form "${a}${b}" are correctly coerced to String. (kkolinko)
fix 47453: Handle void return types for deferred methods. (funkman)
update Remove the code that auto-detects the value for compilerSourceVM, compilerTargetVM options of Jasper, because we know that this version of Tomcat cannot run on JDK 1.4 and thus the value is always "1.5". (kkolinko)
update Change default values for JDK version compliance options of JspC (-source and -target when running from command line) to be "1.5", to be the same as the ones used by Jasper servlet. (kkolinko)
fix Make constants in the TagHandlerPool really constant. (markt)
fix When development mode is enabled and a JSP is deleted, ensure next request for that JSP is consistent with the JSP having been removed. (markt/kkolinko)
fix 48019: Be more careful about skipping content that does not need to be parsed. (markt)
fix Better handling of exception in JSP if parsed JSP source is not available. (markt)
Cluster
fix DeltaSession needs endAccess so that CrossContext replication works. (pero)
fix DeltaManager needs to replicate changed attributes even if session gets invalidated. Otherwise session listeners will not see the right data on the secondary nodes. (rjung)
fix Spurious startup errors during session transfer. Sessions get transferred, but node still waits until timeout. (rjung)
update Perform deserialization events with context class loader. (fhanik)
fix 47515: Correctly replicate timestamp during startup. (fhanik)
fix 47478: Call replication listeners when using BackupManager. (fhanik)
fix 47369: Reset data diff after replication. (fhanik)
fix 40551: Enable the JvmRouteBinderValve to work with PersistentManagers as well as clustering. Based on a patch by Chris Chandler. (markt)
fix 47342: Fix potential NPE on replicated context start. Patch provided by Keiichi Fujino. (markt)
fix 47389: DeltaManager doesn't do session replication if notifySessionListenersOnReplication=false. Patch by Keiichi Fujino. (fhanik)
fix 47502: Don't replicate session attributes known not to be serializable. (funkman)
fix 47554: Include httpOnly attribute when re-writing session cookie after fail over. (markt)
fix 47799: Enable the domain to be configured for Membership and DomainFilterInterceptor. Patch provided by Keiichi Fujino. (markt)
fix 48113: Display IP addresses using 0 to 255 rather than -128 to +127. Based on a patch by Quintin Beukes. (fhanik/kkolinko)
Web applications
fix 41564: Add some documentation on installing Tomcat as a service on operating systems with User Account Control, e.g. Vista. (markt)
fix 47161: Report thread count correctly in Manager when executors are used and return -1 when it can not easily be determined. (markt)
fix 47235: Remove use of autoReconnect from MySQL examples. (markt)
fix 47324: Fix submit URL for session list page so it works behind a reverse proxy. Patch provided by Maik Jablonski. (markt)
fix 47425: Add crlFile attribute to the SSL configuration documentation. (markt)
fix 47444: Remove Jakarta references from the documentation. (markt)
fix 47656: Add information to documentation on system property replacement in configuration files. (markt)
fix 47705: Fix division by zero error in the manager when trying to expire sessions when the session timeout is set to infinite. (funkman)
fix Fix display of session information pages of Manager application in Internet Explorer. (kkolinko)
update Do not reuse windows (tabs) for session detail pages in Manager application. (kkolinko)
fix 47769: Clarify the JNDI docs with respect to use of <resource-ref> and related elements, specifically when they are required and when they may be omitted. (markt)
fix 48381: Add information on how Tomcat treats host names to the host configuration documentation. (markt)
Other
add 37847: Make location and filename of catalina.out configurable in catalina.sh. (fhanik)
fix 37848: Re-fix not outputting info messages when there is no terminal. (markt)
fix 39194: Make classpath configuration consistent in the startup scripts. (markt/kkolinko)
update Update Tomcat Windows service application (procrun) to version 2.0.5. It contains a fix for issue 41538. (mturk)
fix 40786: Include 64-bit Windows service wrapper in distributions. Update the Windows installer to automatically use the correct binary on 64-bit machines. (markt)
update Update Windows Installer to use NSIS 2.45. They say that this version provides support for the upcoming Microsoft Windows 7. (kkolinko)
fix Don't add blank lines to end of files when fixing line-endings for tar.gz distribution. (markt)
fix Use explicit encoding during filtering operations when building Tomcat for distribution. (kkolinko)
update Remove references to unused commons-collections from the build scripts. (markt)
fix Fix download task check for commons-pool and commons-dbcp in the build scripts. (kkolinko)
add Include deployer-howto.html in the deployer distribution. (kkolinko)
fix 47149: Build scripts: Explicitly specify encoding when compiling. (kkolinko)
fix 47267: Ensure release notes displayed by Windows installer have CRLF line-endings regardless of which OS the install package is built on. (markt/kkolinko)
add Include NOTICE, LICENSE and manifest files in all Tomcat JARs and add a mechanism to the build process to enable these files to be customised per JAR as required. (markt)
fix 47699: Provide better handling of PID files. (markt)
fix 47824: Make Servlet API an optional dependency for JULI when using Maven. (markt)
add Add support for per instance (using $CATALINA_BASE) log4j.properties files, JDBC drivers etc by adding ${catalina.base}/lib and ${catalina.base}/lib/*.jar to the start of the common loader class path. (markt)
fix Correct CVE-2009-3548. When installed via the Windows installer and using defaults, don't create an administrative user with a blank password. Additionally, the administrative user is only created if the manager or host-manager web applications are selected for installation. (markt)
update Further improvements to the administrative user name and password handling in the Windows installer. (kkolinko)
Tomcat 6.0.20 (remm) released 2009-06-03
Catalina
fix 42579: Handle both relative and absolute search results in the JNDIRealm. Patch provided by Brandon DuRette. (markt)
fix 46562: Close shtml files after processing to allow other processes to modify the files. (markt)
fix 46815: Make the MemoryUserDatabase read-only by default. (markt)
fix 46816: Align session manager mbean descriptor with implementation. (markt)
fix Fix a typo in the OPTIONS response from the default servlet. (markt)
fix 46822: Remove unnecessary object creation from StandardContext. Patch provided by Anthony Whitford. (markt)
fix 46866: Better initialisation of Random objects. (markt)
fix 46875: Catch and handle possible IllegalStateExceptions in CometConnectionManagerValve related to session expiration. (markt)
fix Correct some errors reported when testing the WebDAV servlet with the Litmus test suite. (markt)
update 46933: Update StringManager to use Java 5 features. Patch provided by Jens Kapitza. (markt)
fix 46990: Fix synchronization issues reported by FindBugs. Patch provided by Sebb. (markt)
Coyote
update Allow huge request body packets for AJP13. (rjung)
fix 45026: Never return an empty HTTP status reason phrase. mod_jk and httpd 2.x do not like that. (rjung)
update Set remote port for AJP connectors from the optional request attribute AJP_REMOTE_PORT. (rjung)
update Update tc-native to 1.1.16 (markt)
fix 46982: Correct reporting of DST offset in access logs. (markt)
fix 46984: Invalid characters in HTTP request method now result in a 400 response. (markt)
fix 46991: Fix AJP connector always reporting bytes received as zero. (markt)
Jasper
fix 37929: Fix invalidated session causing pageContext methods to fail. (markt)
fix 41606: Prevent double initialisation of JSPs. Patch provided by Chris Halstead. (markt)
fix 46354: ArrayIndexOutOfBoundsException when using org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true. Patch provided by Konstantin Kolinko. (markt)
fix 46909: Only include semi-colon in type attribute for <jsp:plugin> when it is required. (markt)
fix 47013: Use system property rather than hard-coded string for pre-compilation flag. (markt)
Cluster
fix A node should ignore its own heartbeat messages. (rjung)
Web applications
fix 46509: Use correct link on error page in JSP security example. Patch provided by Michael Moody. (markt)
fix 46599: Document known DAEMON issue. (markt)
fix 46807: Correct docs for configuration of tag pooling. (markt)
fix 46924: Clarify behaviour when auto deployment is enabled and a WAR, directory or context file is deleted or updated. (markt)
fix 46958: Allow XML manager status output to work regardless of context path. (markt)
Other
fix 46351: Refactor the build script. Patch provided by Marc Guillemot. (markt)
fix 46910: Properties files corrupted by build process. (remm)
fix 46915: When resolving ResourceBundle properties, don't claim to have resolved the property unless we really have resolved it. (markt)
fix Fix .pdf and .exe corruption in -src.tar.gz distribution. (markt)
add Enable running Tomcat directly from the build directory on linux systems. (markt)
Tomcat 6.0.19 (remm) not released
Catalina
update Manager application prints FAIL if application was deployed but failed to start (fhanik)
update When shutdown port is disabled, print user friendly message and not a stack trace. (fhanik)
fix 37458: Correct sync issue that leads to NPE in rare circumstances. Patch provided by Konstantin Kolinko. (markt)
fix 38553: Return 401 rather than 400 if client does not present a certificate for CLIENT-CERT authentication. (markt)
fix 38570: When checking docBase against appBase, make sure we check for an exact match against the appBase. (markt)
fix 39013: When testing for invalid docBase, test for an exact match with the appBase dir. (markt)
fix 39396: Don't include TRACE in OPTIONS response unless we know it hasn't been disabled in the connector. (markt)
fix 42747: Ensure context.xml takes effect on first deployment for WAR and DIR deployments. context.xml is now copied to CATALINA_BASE/<engine name>/<host name> for DIR as well as WAR deployments. (markt)
fix 43071: Start poller before acceptor (r719267)
update Fix read/write timeout of async comet operations (r719264)
update Implement async close behaviour for Comet/NIO. No-op for APR (same behavior as before) (r719262)
fix Default thread count for HTTP connectors is 200. (r713186)
fix Comet should always invoke END and properly invoke READ (r713174)
fix Fix class cast exception when shutting down a replicated context but no cluster has been configured in server.xml (r713177)
fix Dereference socket when it's no longer used. Frees up socket buffers and memory. No functional change. (r713175)
fix Correct wrong "No role found" debug message, logged in RealmBase even if a role was found. (rjung)
fix 44809: Improve AprLifecycleListener Error Messages. (jfclere)
fix Log AccessControlException for context specific logging.properties during startup with security manager. (rjung)
add 41407: Add CLIENT-CERT support to the JAAS Realm. (markt)
fix 42409: Make custom and standard error page handling consistent by using resetBuffer() which will not alter previously set headers. (markt)
fix 42673: Fix SSI virtual includes for multi-level contexts. Patch provided by Peter Jodeleit. (markt)
fix 42707: Make adding a host alias via JMX take effect immediately. (markt)
fix 43656: Correct regression in previous fix for this bug. Patch provided by Nils Eckert. (markt)
fix 45419: Set Accept-Ranges for static resources served by DefaultServlet. (markt)
fix 45441: Correctly map filters for FORWARD and INCLUDE. (markt)
fix 45447: Convert Spanish resource files to use UTF-8 and provide translations where previously missing. Patch provided by Jesus Marin. (markt)
fix 45453: Remove potential race condition in JDBC Realm. Based on a patch by Santtu Hyrkk. (markt)
add 45576: Add DIGEST support to the JAAS Realm. (markt)
fix 45585: Allow Tomcat to start if using $CATALINA_BASE but not JULI. Patch based on a suggestion by Ian Ward Comfort. (markt)
fix The JAAS Realm did not assign roles to authenticated users. (markt)
add Provide full stacktrace and message when the ErrorReportValveClass can't be instantiated. (funkman)
fix 45608: Make allocated servlet count synchronized to ensure the correct allocated servlet count is available during shutdown. (markt)
fix 45628: When checking MANIFEST dependencies, JARs without dependencies should always be considered to be fulfilled. (markt)
fix 45735: Improve ETag handling. (remm)
fix 45785: Ignore directories named xxx.jar in WEB-INF/lib. (markt)
fix 45823: Log missing request headers as '-' not 'null'. Based on a patch by Per Landberg. (markt)
fix 45825: Correctly handle annotations in parent classes. Based on a patch by Florent Benoit. (markt)
fix 45906: Further ETag handling improvements. Patch provided by Chris Hubick. (markt)
add Add the CombinedRealm that enables authentication to be attempted against multiple realms. (markt)
add Add the LockOutRealm that enables a standard Realm to be wrapped with the functionality to lock out a user after too many failed logins. (markt)
add Make the upper size limit of the static resource cache configurable since the default of cacheMaxSize/20 gave too high a value for large caches. (markt)
fix Fix HTML decoding error in SSI processing. (markt)
fix Fix cast error in JULI log factory. (markt)
fix Fix some thread safety issues in date formatting. (markt)
fix Fix a String comparison bug in the digester property replacement that resulted in non-optimal operation. (markt)
fix Correctly handle multi-level contexts defined using context.xml files. (markt)
fix 45933: Don't use xml parser from web-app to process tld files. (markt)
add 45951: Support changing of JSESSIONID cookie name and jsessionid path parameter name. Based on a patch by Jean-frederic Clere. (markt)
fix 46011: Make Principal accessible (if set) via Subject.getSubject(AccessController.getContext()) when processing filters. Based on a patch by tsveg1. (markt)
fix 46075: When uploading files, don't create buffers at the maximum configured size. Use the default size and let the buffers grow to the maximum size if necessary. (markt)
fix 46085: Fix a rare thread safety issue with session expiration. (markt)
fix 46096: Support annotation processing whilst running under a security manager. (markt)
fix The invoker servlet has been deprecated and will be removed in Tomcat 7 onwards. (markt)
fix 46105: Correctly set URI encoding when replaying a request after FORM authentication. (markt)
fix Remove unnecessary reference to commons-logging from the bootstrap JAR manifest. (markt)
fix 46232: Enabled the XML parser to be overridden using the standard endorsed mechanism. (markt)
fix 46261: Treat %2F in a context name literally rather than converting it (inconsistently) to '/' - that is what '#' is for. (markt)
fix 46298: Throw an SQLException with a useful message rather than a NPE if the URL for the JDBCRealm is invalid. Based on a patch by Owen Jacobson. (markt)
fix 46304: Further fixes to make Principal accessible (if set) via Subject.getSubject(AccessController.getContext()) when processing filters. (markt)
fix 46403: Provide a workaround for an IE and Safari bug that means the Max-Age attribute of a cookie is ignored. (markt)
fix 46408: Fix invalid cast in security utility package. (markt)
fix Remove duplicate normalisation implementations and make normalise behaviour consistent throughout code base. (markt)
fix 46683: Fix typo in French localisation file name for the org.apache.catalina.loader package. (markt)
fix 46606: Make the max DEPTH for a WebDAV request configurable. The default is still 3. (markt)
add 44382: Add support for using httpOnly for session cookies. This is disabled by default. (markt/fhanik)
fix Fix possible NCDFE when using FORM authentication. (jfclere)
fix Fix possible synchronisation bottleneck in cookie creation. (markt)
fix Fix various spelling errors reported on the mailing lists. (markt)
add Make the logging manager and properties file configurable via environment variables. (fhanik)
Coyote
fix 45154: Implement SEND_FILE behavior for SSL connections using NIO (fhanik)
update Fix file descriptor leak during NIO send file behavior. (fhanik)
update Implement usage of keyAlias attribute for NIO, previously attribute was ignored. (fhanik)
update Prevent server from calling close on an already closed NIO socket. One that had timed out. (fhanik)
update Fix bug with SEND_FILE behavior in NIO. Send file would delay until selector timed out, even though socket was ready to be written. (fhanik)
update Fix possible NPE in NioEndpoint.java (fhanik)
update Update tc-native to 1.1.15 in build.properties.default (jfclere)
fix 43327: Socket bind fails when using APR on a system with IPv6 enabled but no explicit IPv6 address configured. (markt/jfclere)
add 44285: Make the SSL session cache size and timeout configurable. (markt)
fix 45074: Add configuration parameters to enable the tuning of sendfile and poller thread count in the APR HTTP connector. Patch provided by Alex Barclay. (jfclere/markt)
fix 45528: Add detection for invalid SSL configuration to prevent infinite logging loop on start-up. (markt)
fix 45591: NPE on start-up failure in some cases. Based on a patch by Matt Passell. (markt)
fix 46077: Expose deferAccept for configuration. Patch provided by Michael Leinartas. (markt)
add Don't swallow input if we know the connection is going to be closed. (billbarker)
fix 46125: Return a status code of 400 if the request headers are too large. (markt)
fix Make certain that classes are first loaded by trusted code when working in a sandbox. (billbarker)
add Log a message if we reach maxThreads in a connector thread pool. (markt)
add Enable the thread pool limits to be modified via JMX. (markt)
fix Fix HTTP/1.0 redirects handling with APR AJP connector. (remm)
fix 46666: keepAliveTimeout should be used regardless of setting of disableUploadTimeout. (markt)
Jasper
fix 36923: Treat EL expressions as template text if EL expressions are disabled. (markt)
fix 37515: Support 1.6 and 1.7 as source and target for compilation. (markt)
fix ClassCastException in EL ExpressionBuilder. (rjung)
update Use more generics in EL to improve type safety. (rjung)
fix Use a lookahead to remove potential ambiguity in EL parsing. (markt)
fix Correct typo in JSP EL examples. (markt)
fix 38197: Take account of jsp:attribute elements when pooling tags. (markt)
fix 42077: Ensure the iterator returned by javax.el.CompositeELResolver#getFeatureDescriptor() skips any null FeatureDescriptors. Patch provided by Mathias Broekelmann. (markt)
fix 42693: Fix JSP generation error with recursive tag file structure. (markt)
fix 45427: Correctly handle unmatched quotes in EL expressions. (markt)
fix 45511: The failure of the empty keyword was a regression caused by the previous fix for 42565. The original fix for 42565 has been reverted and a new fix applied. (markt)
fix 45648: Don't trim the last character when parsing the EL namespace. (markt)
fix 45666: Prevent infinite loop on include. (markt)
fix 45691: Prevent generation of duplicate variable names when generating code for JSPs. (markt)
fix Correct signed/unsigned conversion error in ASCII parsing. (markt)
fix Fix various edge-cases when parsing EL, particularly inside attribute values. Note that the Expert Group has confirmed that JSP.1.6 takes precedence over JSP.1.3.10. Therefore EL in attributes must be escaped twice. (markt)
fix 46047: Include the path to the JAR when recording dependencies that are located inside a JAR file. Patch provided by Cédric Mailleux. (markt)
fix 46381: Composite expressions used for attribute values must be coerced to Strings. (markt)
fix 46397: Don't pool tag instances that implement JspIdConsumer. (markt)
fix 46462: Limit package test to just the o.a.jsp package to allow use of packages such as o.a.jspwiki. (markt)
fix 46471: Fix naming clash when tags in different libraries have the same name. (markt)
fix 46564: Make page encoding check for tagx compilation case-insensitive. (markt)
Cluster
add Prevent NPE for ReplicationValve (pero)
add Provide TCP only start-up option when using static membership. (fhanik)
add Document the multicast recovery options. (fhanik)
add 45261: Add a new SimpleCoordinator for tribes provided by Robert Newson. (markt)
fix 45618: Make sure NIO selector is closed when no longer used. Unlikely to be an issue in normal usage. (markt)
fix 45851: Fix out of order message processing issues with the FarmWarDeployer. (markt)
fix Fix small memory leak in FarmWarDeployer. (markt)
fix 46357: Corrected test for host's parent must be an engine. (markt)
fix Fix so that JvmrouteBinderValve can rewrite session suffix with parallel requests from same client. (pero)
Web applications
fix 45940: Correct name of username attribute for JDBC resources in JNDI how to. (markt)
fix 46035: Fix multiple typos in monitoring how to. (markt)
fix 46067: Fix typos in Advanced IO how to. (markt)
fix 46115: Correct Manager UI to show that path is required when using the deploy command. (markt)
fix 46121: Add note to manager documentation regarding possible naming clash with new Ant 1.7 resources datatype and how to avoid it. (markt)
fix Remove unused parameters from Native/APR example connector configuration in docs. (markt)
fix Use CSS based solution for printer-friendly docs. Patch provided by vitezslav.smid as part of GSoc with additional work by Tim Funk. (markt)
fix Update the FAQ links in the docs to refer to the wiki. Use xslt task rather than style task to generate docs. (funkman/markt)
fix Document the LifecycleListeners. (markt)
fix Fix broken URL mapping in the examples. (markt)
fix 46563: Update doc for correct default for pollerThreadCount. (markt)
fix 46600: Document maxKeepAliveRequests for the NIO connector. (markt)
fix Fix CVE-2009-0781. XSS in calendar example. (markt)
Other
fix 41861: Update service name to Apache Tomcat 6 to prevent conflicts with previous major Tomcat versions. (markt/rjung)
fix 45852: Add special handling for cp932 (aka ms932) when creating tomcat-users.xml with Windows installer. (markt)
fix 45878: Restore manifest, licence and notice files to the jsp and servlet jars. (markt)
fix 45879: Move NOTICE file from documentation webapp to the installation directory. (markt)
fix Add a workaround for DBCP-191. Tomcat will now build without error on a 1.6 JDK but because it does this by skipping DBCP, release builds must be generated with a 1.5 JDK. (costin/markt)
fix 46366: Correct information in RUNNING.txt regarding use of CATALINA_HOME and CATALINA_BASE. (markt)
fix Use more useful JPDA defaults in catalina.bat. (markt)
fix Correct error in 2.5 web-app XSD.
Tomcat 6.0.18 (remm) released 2008-07-31
Catalina
fix 42727: Correctly handle request lines that are exact multiples of 4096 in length. Patch provided by Will Pugh. (markt)
fix 42678: Only ignore docBase if it really is a subdir of appBase. Patch provided by juergen. (markt)
fix 42722: Possible NPE in CGI Servlet. (markt)
update 45285: Look for annotations in class hierarchy. (markt)
fix Add additional checks for URI normalization. (remm)
Jasper
fix 42565: Make EL ternary expression without space before colon work. Patch provided by Lucas Galfaso. (markt)
Web applications
update 45323: Add note that context.xml files can only contain a single Context element. (markt)
Cluster
update 45317: Properly document and log the value of the state transfer timeout flag (fhanik)
Other
update 45332: Specify the correct encoding (the current Windows code page) rather than assuming UTF-8 when creating tomcat-users.xml with the Windows installer. (markt)
Tomcat 6.0.17 (remm) not released
General
update 45315: Add Unix support for NSIS. (remm)
Catalina
fix 45272: Put in work around for Internet Explorer not accepting a quoted Path: value using the Set-Cookie header (fhanik)
fix APR connector now adds connection to poller after using send file. (remm)
update Add ManagerBase session getLastAccessedTimestamp and getCreationTimestamp for better remote JMX access. (pero)
update Expose alwaysSend flag for message dispatch interceptor. (fhanik)
fix 29936: Create digesters and parsers earlier so we aren't using the webapp class loader when we create them. (markt)
fix 42662: Properly resolve reflection proxies during session replication. (fhanik)
fix 42750: Request line should be tolerant of multiple whitespaces. (markt/fhanik)
fix 42934: Change the order of events on context start so contextInitialized() event is fired before sessionDidActivate(). The spec isn't 100% clear on the required order but this seems more logical than the current behaviour. (markt)
fix 43079: Fix identification of suspicious URL patterns. Patch provided by John Kew. (markt)
fix 43080: Log suspicious URL patterns to the correct web app. (markt)
fix 43117: Setting an empty workDir could result in all of CATALINA_HOME being deleted. Patch provided by Takayuki Kaneko. (markt)
fix 43142: Don't assume a directory named xxx.war is a war file. (markt)
fix 43150: Allow Tomcat to start correctly when installed on a path that contains a # character. (markt)
add The fix for 43285 had the side-effect of coercing null values to zero. This side-effect has been made configurable with a system property, org.apache.el.parser.COERCE_TO_ZERO which defaults to true. Patch provided by Nils Eckert. (markt)
fix 43343: Correctly handle requesting a session we are in the middle of persisting. Based on a suggestion by Wade Chandler. (markt)
fix 43425: Make annotations spec compliant. Patch provided by Dain Sundstrom. (markt)
fix 43470: Fix various class cast exceptions. Based on a patch by Lucas Galfaso. (markt)
fix 43578: Fix startup when installation path contains a space. Patch provided by Ray Sauers. (markt)
fix 43683: Fix 404 that could occur if a Servlet is accessed while the context is reloading. (markt)
fix ExtendedAccessLogValve cs-uri not print empty querystring. (pero)
update ServletContext.getResource("noslash/resource") only requires forward slash if STRICT_SERVLET_COMPLIANCE flag is set to true. This mimics the behavior of 6.0.15 and earlier. (fhanik)
fix 44021: Add support for using the # character to define multi-level contexts in WARs and directories in the appBase. (markt)
fix 44282: Fix TRACE level class loader logging message when a security manager is used. (markt)
fix 44337: Dir listing crashes if no readme-file present. (funkman)
fix If listener declared in web.xml, only add it once. (funkman)
fix Fix NPE when iterating through sessions for expiration. (fhanik/jim)
fix 44380: Don't scan non-file URLs for TLDs. Patch provided by Florent Benoit. (markt)
fix 44389: Fix memory leak that occurred if using a RequestDispatcher. Patch provided by Arto Huusko. (markt)
fix 44529: Correct handling of resource constraints so no roles (deny all) overrides no auth-constraint (allow all). (markt)
fix 44562: HEAD requests cannot use includes. Patch provided by David Jencks. (markt)
fix 44595: Add possibility to request the QueueSize of an executor via JMX. (jfclere)
fix Fix CGI Servlet so it correctly reads the environment variables on Vista. (markt)
fix 44611: DirContextURLConnection didn't implement getHeaderFields(), getHeaderField(String name) was case sensitive and returned "" rather than null for header values that did not exist. Patch provided by Chris Hubick. (markt)
fix 44633: Provide a more helpful error message if a class can't be loaded due to a version error. (rjung/markt)
fix 44646: Correct various issues, including an ISE, in CometConnectionManagerValve. (markt)
fix 44673: ServletInputStream is no longer readable once closed. (markt)
fix Better handling of lack of permission for context specific logging. (markt)
fix Add permission required to read JDK logging config. (markt)
fix Update web.xml to reflect packaging of SSI and CGI. (markt)
fix Add missing access check for ThreadWithAttributes. (markt)
fix 44833: Correctly override StandardSession methods from DeltaSession. (fhanik)
fix 44943: Use the same engine name in server.xml comments to reduce copy and paste issues. (markt)
fix 44988: Use Java5 syntax for debug options. Patch provided by Cédrik Lime. (markt)
fix 45101: Format header dates obtained from DirContextURLConnection as per the HTTP spec. Patch provided by Chris Hubick. (markt)
add A new valve, org.apache.catalina.valves.WebdavFixValve, that forces MS clients connecting to the WebDAV Servlet on port 80 to use a client that works rather than the default broken one. (markt)
fix 45195: Passing in null into setAttribute or removeAttribute causes NPE. (markt)
Coyote
update NIO: Fix bug in NIO sendfile, the symptom during heavy traffic is that connections don't get closed. For previous versions, one can disable sendfile to work around the problem. (fhanik)
update APR: Allow to specify the "random device" to use to collect the entropy. (jfclere)
update Fix NIO/SSL live lock during client disconnect. (fhanik)
fix Fix possible ArrayIndexOutOfBoundsException. Patch provided by Charles R Caldarale. (markt/jim)
update Add support for keystore types that do not need a file. Based on a patch by Bruno Harbulot. (markt)
update 43094: Allow specification of keystore providers. Based on a patch by Bruno Harbulot. (markt)
fix 43191: Make it possible to override the defaults with the compressableMimeType attribute. Based on a patch by Len Popp. (markt)
fix 44391: Correct handling of escaped values in SSI processing. (markt)
fix 44392: HTML entities now handled correctly in SSI processing. (markt)
fix 44558: Improve error message so address is included if binding fails. (markt)
fix 44494: Character input limited to 8KB. (remm)
fix 44620: Infinite loop in NIO connector. (markt)
fix 44785: Correctly document default maxThreads for AJP connector. (markt)
update Log errors for AJP signoffs at DEBUG level, since it is harmless if mod_jk has hung up the phone. (billbarker)
fix 44968: Provide more information when the load of a keystore fails. (markt)
Jasper
fix 31257: Quote endorsed dirs if they contain a space. (markt)
fix 42943: Make sure nested element is inside <jsp:text> element before throwing exception. (markt)
fix 43617: Correctly escape attribute values in tag files. Based on a patch by Lucas Galfaso. (markt)
fix 43656: Fix various numeric coercion bugs. Includes a patch by Nils Eckert and fixes related issues identified in a test case provided by Konstantin Kolinko. (markt)
fix 43741: Correctly handle dependencies for tag files in JARs. (markt)
fix 44408: Reduce synchronisation when evaluating EL expressions. Patch provided by Robert Andersson. (markt)
fix 44428: Fix possible NPE during serialization. (markt)
fix 44766: EL doesn't coerce custom Number subclasses. (markt)
fix 44877: Prevent collisions on tag pool names. (markt)
fix 44986: Make page encoding consistency checks case-insensitive. (markt)
fix 44994: Enable nested conditional expressions in JSP EL. Patch provided by James Manger. (markt)
fix 45015: You can't use an unescaped quote if you quote the value with that character. (markt/fhanik)
add Add HTML filtering of error messages for included resources in case the app has tried to include an unsafe URL that does not exist. This is really an app responsibility but the filtering has been added for XSS safety. (markt)
Web applications
update Update documentation to use correct version number, correct file paths and to use $CATALINA_BASE rather than $CATALINA_HOME where applicable. (markt/jim)
add Add a section on available system property configuration options. (markt)
fix Amend the JNDI datasource doc to reflect new value for no limit used by updated commons-pool and commons-DBCP. (markt)
fix 43333: Fix errors in sendfile documentation. (markt)
fix 43366: Provide backwards compatibility for manager sessions command. (markt)
fix 44541: Document packetSize attribute for AJP connector. (markt)
fix 44715: Document secret attribute for AJP connector. (markt)
fix Fix some links in the ROOT application that are broken if ROOT is renamed. (markt)
fix Align the Realm documentation so that both the configuration and the how-to are consistent. (markt)
fix 45277: Fix typo in logging docs. (markt)
Cluster
fix 45212: AbstractReplicatedMap.entrySet() now returns entries rather than values. (markt)
fix 45279: Properly close multicast socket.
update Fix session replication dead lock during non sticky load balancing. (fhanik)
Other
add Improve the Tests for unit tests for the cookie issues. (jfclere)
fix Fix build for JavaDoc. Patch provided by Stephen Bannasch. (markt)
fix 44955: Use correct location for endorsed directory in Windows installer. (markt)
Tomcat 6.0.16 (remm) released 2008-02-08
General
update Update commons-logging to version 1.1.1 and the NSIS installer to 2.34. (markt)
update Update to commons-pool version 1.4, native version 1.1.12 and update the download location for the commons libraries. (markt)
update Change chunked input parsing, always parse CRLF directly after a chunk has been received, except if data is not available. If data is not available for CRLF parsing, we run into BZ 11117, and must defer the parsing of CRLF to the next read event. This fixes the incorrect blocking when using CometProcessor and the draining data during the READ event where it before would block incorrectly waiting for the next chunk (fhanik)
update The CometProcessor interface now extends the javax.servlet.Servlet interface (fhanik)
fix Fix CVE-2007-5342 by limiting permissions granted to JULI. (markt)
update Fix handling of CometEvent.close when called during BEGIN event (fhanik)
fix 43594: Use setenv from CATALINA_BASE (if set) in preference to the one in CATALINA_HOME. Patch provided by Shaddy Baddah. (markt/jim)
fix 43692: Clean up unused entries from build scripts. Patch provided by Paul Shemansky. (markt)
fix 43775: Don't try to change line endings of binary files in the source distribution. (markt)
fix 43846: Fix block simulated read and writes causing timeouts. Add non blocking parsing of HTTP request headers. Perf improvements (fhanik)
fix 43957: Service.bat doesn't configure logging correctly. Patch provided by Richard Fearn. (markt/jim)
update Cookie handling/parsing changes! The following behavior has been changed with regards to Tomcat's cookie handling:
a) Cookies containing control characters, except 0x09(HT), are rejected using an InvalidArgumentException
b) If cookies are not quoted, they will be quoted if they contain tspecials(ver0), tspecials2(ver1) characters
c) Escape character '\\' is allowed and respected as an escape character, will be unescaped during parsing
fix Cookie parsing of $Version regression from 6.0.15 has been fixed
fix The script that builds the windows installer was including additional files due to the way it processes recursive file selectors. The selectors have been modified to only include the intended files. (markt)
Catalina
fix Fix ManagerServlet.expireSessions throws Exceptions as iterate longer session lists at production servers. (pero)
fix 38131: WatchedResource doesn't work if app is outside host appbase webapps. Patch provided by Peter Lynch (pero)
update Add -Dorg.apache.catalina.tribes.dns_lookups=false as default. The ability to turn off reverse DNS lookups for membership. (fhanik)
fix Set correct StandardManager.sessionCounter after reload/restart. (pero)
fix 42503: ServletContext.getResourceAsStream() could return stale data. Patch provided by Arvind Srinivasan. (funkman/jim)
fix 43236: When resetting the response, also reset the flags associated with using a writer or an output stream to allow the user to change character set after the reset. (markt)
fix 43241: Make ServletContext.getResourceAsStream() conform to the specification. Patch provided by John Kew. (markt)
fix 43530: doc link fixes provided by Paul Shemansky (funkman)
fix 43675: Fix a possible logging related classloader leak. (markt)
fix 43687: Remove conditional headers on Form Auth replay, since the UA (esp. FireFox) isn't expecting it.
fix 43706: WebDAV copy/move now returns 201 on success. Based on a patch by Panagiotis Astithas. (markt)
fix 43840: Include user principal if possible when serializing / de-serializing sessions. (markt)
fix 43868: MBean methods getInvoke and getSetter were broken. (markt)
fix 43887: Make error messages much more helpful when illegal Servlet names are used. Based on a patch provided by Mike Baranczak. (markt)
fix Fix a bug that causes CGI Servlet to fail when it is included. (markt)
update Improve the webDAV Servlet Javadocs to make clear that the WebDAV Servlet can not be used as the default servlet. (markt)
fix 43993: mime mapping for WS-Policy. Patch by Fabian Ritzmann (funkman)
fix 44041: Fix duplicate class definition under load. (markt)
fix 44084: JAASRealm was broken for application provided Principals. Patch provided by Noah Levitt. (markt)
fix 44223: Use the javax.net.ssl.trustStoreType setting if no explicit connector configuration is provided and the property is set. (markt/jim)
update 44268: Log a warning if a duplicate listener configuration is ignored. (markt/jim)
Coyote
fix 43622: Don't overwrite the min compression size set by the compression attribute with the default. (markt/jim)
fix 43839: URL based session tracking failed when a session cookie from a parent context was present. Based on a patch by Yuan Qingyun. (markt)
fix 43914: URLs in location headers should be encoded. Patch provided by Ivan Todoroski. (markt)
Jasper
fix 43285: Missing EL Coercion causes argument type mismatch. Patch provided by Bernhard Huemer. (funkman/jim)
fix 43675: Fix a possible logging related classloader leak. (markt)
fix 43702: Inner class files have unnecessarily long names. (markt)
fix 43743: Fix NPE when compiling nested tag files packaged in a JAR. (markt)
fix 43757: Rather than use string matching to work out the line in the JSP with the error, use the SMAP info and the knowledge that for a scriptlet there is a one to one line mapping. (markt/jim)
fix 43758: Fix NPE when scripting elements are empty. (markt)
fix 43909: Make sure locale maps to wrapped ELContext. Patch provided by Tuomas Kiviaho. (markt)
fix 43944: Fix a missing resource exception. (markt)
fix Improve docs for Jasper configuration. Put options in alphabetical order, add some missing options, deprecate an unused one and address feedback about the page provided on the users list.
Web applications
fix 43173: Fix typo in logging documentation regarding location of logging.properties. (markt)
fix 43344: Fix typo in if.jsp example. Patch provided by Tim Nowaczyk. (markt)
fix 43468: Fix possible NPE when listing contexts in the Manager application. (markt)
fix 43515: Fix bug in Manager application that may have caused problems when listing contexts. Patch provided by Lucas Galfaso. (markt)
fix 43611: Provide an error message if user tries to upload a war for a context defined in server.xml rather than failing silently. (markt/jim)
fix 43800: Make relationship between APR and the native connector clearer. (markt)
fix 44088: Fix expire session button in manager. (markt)
fix 44094: Add a note about the side effects of configuring a context as privileged. (markt)
update Update JNDI documentation to refer to configuring contexts via context.xml rather than server.xml. (markt/jim)
Cluster
fix Fix FarmWarDeployer can be only configured as host subelement (pero)
fix Fix wrong && at ReplicationValve (pero)
update Add get/set methods for properties in the Tcp Failure detector. (fhanik/jim)
Tomcat 6.0.15 (remm) not released
General
update Fix the MD5 file contents in distribution
update Add ANT script to be able to publish signed Tomcat JAR's to ASF Maven repo (fhanik)
update Use Eclipse JDT 3.3.1. (pero)
Catalina
update Guess java location from the PATH environment and improve fix for 37284
update Add NIO connector to server.xml parsing warning, remove Connector as exception case
fix 43653: Fix SSL buffer mixup when response is unable to write more than socket buffer can handle
fix 43643: If connector doesn't support external executor, display warning
fix 43641: Property bind multicast address for cluster membership
fix 42693: Fix JSP compiler bug
update Add mbean descriptor for virtual webapp loader
fix 43487: Fix request processing stats
fix 43435: Don't iterate and relocate sessions if they are not part of the map.
fix 43356: Keystore parameter is relative to CATALINA_BASE, Truststore is either defined as parameter, javax.net.ssl.trustStore or if empty defaults to the keystore. SSL Client cert authentication changed from boolean to "true|false|want" (fhanik)
fix 30949: Improve previous fix. Ensure requests are re-cycled on cross-context includes and forwards when an exception occurs in the target page. (markt)
fix 42944: Correctly handle servlet mappings that use a '+' character as part of the url pattern. (markt)
fix 42951: Don't use CATALINA_OPTS when stopping Tomcat. This allows options for starting and stopping to be set on JAVA_OPTS and options for starting only to be set on CATALINA_OPTS. Without this fix, some startup options (eg the port for remote JMX) would cause stop to fail. Based on a fix suggested by Michael Vorburger. Port of r454193 (36976) from Tomcat 5.5.x. (markt,rjung)
add Validation of attributes and elements used in server.xml. (remm)
fix 43175: Fix typos in servlet XSD files. Patch provided by Takayuki Kaneko. (markt)
fix 43216: Set correct StandardSession#accessCount as StandardSession.ACTIVITY_CHECK is true. Patch provided by Takayuki Kaneko (pero)
add Made session createTime accessible for all SessionManager via JMX (pero)
update 43129: Support logging of all response header values at AccessLogValve (ex. add %{Set-Cookie}o to your pattern). (pero)
add Support logging of all response header values at ExtendedAccessLogValve (ex. add x-O(Set-Cookie) to your pattern). (pero)
add Support logging of current thread name at AccessLogValve (ex. add %I to your pattern). Useful to compare an access logging entry later with stack traces. (pero)
fix Improve large-file support (more than 4 Gb) at all AccessLogValves, backport from 5.5.25. (pero)
update Optimized JDBCAccessLogValve combined pattern request attribute access. (pero)
fix o.a.juli.ClassLoaderLogManager handle more than one system property replacement at file logging.properties. (pero)
fix 43338: Support '*' servlet-name mapping at filter-mapping. Patch provided by Keiichi Fujino. (pero)
fix 41797: CNFE/NPE thrown from function mapper when externalizing. Patch by Tuomas Kiviaho - tuomas.kiviahos at ikis fi (funkman)
fix 43453: ClassCastException at org.apache.catalina.core.StandardContext.findStatusPage(int) (funkman)
fix Fix important vulnerability when webdav is enabled for write. (markt)
fix Call stopAwait in StandardServer.stop if port == -1. (pero)
fix 43668: Fix NPE when the outer most wrapper is a ServletRequest/ResponseWrapper, but not a HttpServletRequest/ResponseWrapper on a Forward. (billbarker)
Coyote
fix Harmonize with HTTP java.io code. Otherwise the socket is not closed.
fix In the APR connector, start accepting connections after fully starting the connector, to prevent possible exceptions due to non initialized fields. (remm)
update Cookie parser refactoring, submitted by John Kew. (remm)
fix Make cookie escaping / unescaping consistent. (markt)
fix 43479: Memory leak cleaning up sendfile connections, submitted by Chris Elving. (remm)
fix 42925: Add maintain for sendfile. (remm)
fix Fix explicit flush before response commit in the org.apache.jk AJP connector. (pero)
fix 43621: Fix possible DoS condition when using the experimental NIO/AJP Connector. (billbarker)
Jasper
fix 37326: No error reported when an included page does not exist. (markt)
Web applications
fix Fix WebDAV Servlet so it works correctly with MS clients. (markt)
fix Fix CVE-2007-5461, an important information disclosure vulnerability in the WebDAV Servlet. Based on a patch by Marc Schoenefeld. (markt)
fix 42979: Update sample.war to include recent security fixes in the source code. (markt)
fix Minor connector doc fix. (jfclere)
Cluster
fix Set correct BioReceiver transfer buffer size. (pero)
Other
add Tests for unit tests for the cookie issues. (jfclere)
Tomcat 6.0.14 (remm) released 2007-08-13
General
docs Correct j.u.l log levels in JULI docs. (rjung)
Catalina
fix Handle special case of ROOT when re-loading webapp after ROOT.xml has been modified. In some circumstances the reloaded ROOT webapp had no associated resources. (markt)
fix Remove invalid attribute "encoding" of MBean MemoryUserDatabase, which led to errors in the manager webapp JMXProxy output. (rjung)
fix 33774: Retry JNDI authentication on ServiceUnavailableException as at least one provider throws this after an idle connection has been closed. (markt)
fix 39875: Fix BPE in RealmBase.init(). Port of yoavs's fix from Tomcat 5. (markt)
fix 41722: Make the role-link element optional (as required by the spec) when using a security-role-ref element. (markt)
fix 42361: Handle multi-part forms when saving requests during FORM authentication process. Patch provided by Peter Runge. (markt)
fix 42401: Update RUNNING.txt with better JRE/JDK information. (markt)
fix 42444: Prevent NPE for AccessLogValve. Patch provided by Nils Hammar. (funkman)
fix 42449: JNDIRealm does not catch NullPointerException for Sun's LDAP provider (See bug for details) (funkman)
fix 42497: Ensure ETag header is present in a 304 response. Patch provided by Len Popp. (markt)
fix Fix XSS security vulnerability (CVE-2007-2450) in the Manager and Host Manager. Reported by Daiki Fukumori. (markt)
fix 42547: Fix NPE when a ResourceLink in context.xml tries to override an env-entry in web.xml. (markt)
fix Avoid some casting in ErrorReportValve (remm)
fix Fix persistence API annotation, submitted by Bill Burke (remm)
fix In Comet mode, if bytes are not read, send an error event (otherwise, fields referring to the connection could remain) (remm)
fix Fix Comet when running Tomcat with the security manager (remm)
Jasper
fix 39425: Add additional system property permission to catalina.policy for pre-compiled JSPs. (markt)
fix 42438: Duplicate temporary variables were created when jsp:attribute was used in conjunction with custom tags. Patch provided by Brian Lenz. (markt)
fix 42643: Prevent creation of duplicate JSP function mapper variables. (markt)
Coyote
fix Separate sequence increment from getter in ThreadPool to avoid misleading increments during monitoring via JMX. (rjung)
fix Add back missing socketBuffer attribute in the java.io HTTP connector (remm)
Web applications
fix Don't write error on System.out, use log() instead. (rjung)
fix 39813: Correct handling of new line characters in JMX attributes. Patch provided by R Bramley. Ported from tc5.5.x r415029. (markt,rjung)
fix 42459: Fix Tomcat Web Application Manager table error. (rjung)
fix Fix XSS security vulnerabilities (CVE-2007-2449) in the examples. Reported by Toshiharu Sugiyama. (markt)
Tomcat 6.0.13 (remm) released 2007-05-15
Catalina
fix More accurate available() method. (remm)
fix Add recycle check in the event object, since it is a facade like the others. (remm)
fix When processing a read event, enforce that the servlet consumes all available bytes. (remm)
update Add a flag in ContainerBase which could be used in embedded scenarios to avoid a double start of contexts (this problem generally occurs when adding contexts to a started host). (remm)
fix 42309: Ability to create a connector using a custom protocol specification for embedded. (fhanik)
fix Add SSL engine flag to AprLifecycleListener. (fhanik)
fix Improve event processing, so that an END event is generated when encountering EOF, and an ERROR is always generated on client disconnects. (remm)
fix Add declarations for the new XSD files. (remm)
Coyote
fix Add heartbeatBackgroundEnabled flag to SimpleTcpCluster. If you enable this flag, don't forget to disable the channel heartbeat thread. (pero)
fix Possible memory leak when using comet, caused by adding the socket to the poller before cleaning up the connection tracking structure. (remm)
fix 42308: nextRequest recycles the request, which caused issues with statistics. (remm)
fix Fix non recycled comet flag in the APR connector. (remm)
Cluster
fix Add heartbeatBackgroundEnabled flag to SimpleTcpCluster. If you enable this flag, don't forget to disable the channel heartbeat thread. (pero)
fix Method name cleanup. (fhanik)
Web applications
fix Some examples webapp fixes. Submitted by Frank McCown. (remm)
Tomcat 6.0.12 (remm) not released
General
fix License source headers. Submitted by Niall Pemberton. (remm)
Catalina
fix 42039: Log a stack trace if a servlet throws an UnavailableException. Patch provided by Kawasima Kazuh. (markt)
fix 41990: Add some additional mime-type mappings. (markt)
fix 41655: Fix message translations. Japanese translations provided by Suzuki Yuichiro. (markt)
add Add enabled attribute to AccessLogValve (pero)
fix 42085: Avoid adding handlers for the root logger twice when they are explicitly specified. (remm)
fix Reduce thread local manipulation in the request dispatcher. Submitted by Arvind Srinivasan. (remm)
fix Avoid keeping references to loggers tied to the webapp classloaders after a reload in a couple more places. (remm)
fix 42202: Fix container parsing of TLDs in webapps when Tomcat is installed in a URL encodable path. (remm)
Coyote
fix 42119: Fix return value for request.getCharacterEncoding() when Content-Type headers contain parameters other than charset. Patch by Leigh L Klotz Jr. (markt)
update Move away from using a thread local processor for the APR and java.io connectors, as this does not work well when using an executor. (remm)
fix Remove Comet timeout hack in the APR connector. Comet connections will now use the regular timeout or the keepalive timeout if specified. (remm)
Web applications
fix 42025: Update valve documentation to refer to correct regular expression implementation. (markt)
fix Fix various paths in the manager webapps (remm)
add Session viewer and editor for the HTML manager. Submitted by Cédrik Lime. (remm)
add Session handling tools for the manager. Submitted by Rainer Jung. (remm)
Jasper
fix 41869: TagData.getAttribute() should return TagData.REQUEST_TIME_VALUE when the attribute value is an EL expression. (markt)
fix 42071: Fix IllegalStateException on multiple requests to an unavailable JSP. Patch provided by Kawasima Kazuh. (markt)
fix After a JSP throws an UnavailableException allow it to be accessed once the unavailable period has expired. (markt)
Cluster
fix Add toString method to better logging session replication message at tribes MESSAGES (pero)
Tomcat 6.0.11 (remm) not released
General
update Update DBCP to 1.2.2, pool to 1.3, JDT to 3.2.2 and remove collections build dependency (pero, remm)
Catalina
fix Don't log pattern subtoken at ExtendedAccessLogValve (pero)
fix Add some missing JMX attributes for new AccessLogValve (pero)
fix 41786: Incorrect reference to catalina_home in catalina.sh/bat. Patch provided by Mike Hanafey. (fhanik)
fix 41703: SingleSignOnMessage invalid setter, patch provided by Nils Hammar (fhanik)
fix 41682: ClassCastException when logging is turned on (fhanik)
fix 41530: Don't log error messages when connector is stopped (fhanik)
fix 41166: Invalid handling when using replicated context (fhanik)
add Added SENDFILE support for the NIO connector. (fhanik)
add Added support for shared thread pools by adding in the <Executor> element as a nested element to the <Service> element. (fhanik)
fix 41666: Correct handling of boundary conditions for If-Unmodified-Since and If-Modified-Since headers. Patch provided by Suzuki Yuichiro. (markt)
fix 41739: Correct handling of servlets with a load-on-startup value of zero. These are now the first servlets to be started. (markt)
fix 41747: Correct example ant script for deploy task. (markt)
fix 41752: Correct error message on exception in MemoryRealm. (markt)
update 39883: Add documentation warning about using antiResourceLocking on a webapp outside the Host's appBase. (yoavs)
fix 40150: Ensure user and role classnames are validated on startup. Patch by Tom. (yoavs)
update Refactor extend access log valve using the optimized access log valve. Submitted by Takayuki Kaneko. (remm)
fix Possible deadlock in classloading when defining packages. (remm)
fix Remove excessive syncing from listener support. (remm)
add Web services support. The actual factory implementations are implemented in the extras. Submitted by Fabien Carrion. (remm)
update Add logging to display APR capabilities on the platform. (remm)
fix Expose executors in JMX. (remm)
fix CRLF inside a URL pattern is always invalid. (remm)
fix Tweak startup time display. (remm)
fix Adjustments to handling exceptions with Comet. (remm)
fix If the event is closed asynchronously, generate an end event for cleanup on the next event. (remm)
fix Cleanup hello webapp from the docs and fix a XSS issue in the JSP. (remm)
fix Examples webapp cleanup. Submitted by Takayuki Kaneko and Markus Schönhaber. (remm)
fix 41289: Create configBase, since it is no longer created elsewhere. Submitted by Shiva Kumar H R. (remm)
Coyote
update Fixed NIO memory leak caused by the NioChannel cache not working properly.
update Added flag to enable/disable the usage of the poller's selector instead of a Selector pool when the servlet is reading/writing from the input/output streams. The flag is -Dorg.apache.tomcat.util.net.NioSelectorShared=true
fix Requests with multiple content-length headers are now rejected. (markt)
add 41675: Add a couple of DEBUG-level logging statements to Http11Processors when sending error responses. Patch by Ralf Hauser. (yoavs)
fix Reuse digester used by the modeler. (remm)
update When the platform does not support deferred accept, put accepted sockets in the poller. (remm)
fix Fix problem with blocking reads for keepalive when using an executor (the number of busy threads is always 0). (remm)
update The poller now has good performance, so remove firstReadTimeout. (remm)
fix 42119: Fix return value for request.getCharacterEncoding() when Content-Type headers contain parameters other than charset. Patch by Leigh L Klotz Jr. (markt)
Web applications
fix Fix previous update to servlet 2.5 xsd to use correct declaration. (markt)
update Update host configuration document for new behaviour for directories in appBase. (markt)
update 39540: Add link to httpd 2.2 mod_proxy_ajp docs in AJP connector doc. (yoavs)
Jasper
fix 41227: Add a bit of DEBUG-level logging to JspC so users know which file is being compiled. (yoavs)
update Remove some dead utility code, and refactor stream capture as part of the Ant compiler. (remm)
fix Support the trim directive of JSP 2.1 as an equivalent of Jasper's own parameter. (remm)
fix 41790: Close file stream used to read the Java source. (remm)
fix Fix reporting of errors which do not correspond to a portion of the JSP source. (remm)
fix Remove try/catch usage for annotation processing in classic tags. The usage of the log method might have been questionable as well. (remm)
fix Cleanup of the message that is displayed for compilation errors. (remm)
fix Skip BOM when reading a JSP file. (remm)
Tomcat 6.0.10 (remm) released 2007-02-28
Catalina
update Unify usage of security manager flag, submitted by Arvind Srinivasan. (remm)
fix Fix formatting of CGI variable SCRIPT_NAME. (markt)
fix 41521: Support * for servlet-name, submitted by Paul McMahan. (remm)
update Cache getServletContext value, submitted by Arvind Srinivasan. (remm)
fix Add options for handling special URL characters in paths, and disallow '\' and encoded '/' due to possible differences in behavior between Tomcat and a front end webserver. (remm)
fix Fix bad comparison for FORM processing, submitted by Anil Saldhana. (remm)
fix 41608: Make log levels consistent when Servlet.service() throws an exception. (markt)
Coyote
fix Reduce usage of MessageBytes.getLength(), submitted by Arvind Srinivasan. (remm)
Jasper
fix 41558: Don't call synced method on every request, submitted by Arvind Srinivasan. (remm)
fix Switch to a thread local page context pool. (remm)
Tomcat 6.0.9 (remm) beta, 2007-02-08
General
fix Use 2.5 xsd in Tomcat webapps. (markt)
fix Compression filter improvements, submitted by Eric Hedström. (markt)
Catalina
fix Properly return connector names. (remm)
fix Remove logging of the XML validation flag. (remm)
fix Correct error messages for context.xml. (markt)
fix 41217: Set secure flag correctly on SSO cookie, submitted by Chris Halstead. (markt)
fix 40524: request.getAuthType() now returns CLIENT_CERT rather than CLIENT-CERT. (markt)
fix 40526: Return support for JPDA_OPTS to catalina.bat and add a new option JPDA_SUSPEND, submitted by Kurt Roy. (markt)
fix 41265: In embedded, remove the code that resets checkInterval values of zero to 300. (markt)
Coyote
fix 37869: Fix getting client certificate, submitted by Christophe Pierret. (remm)
fix 40960: Throw a timeout exception when getting a timeout rather than a generic IOE, submitted by Christophe Pierret. (remm)
Jasper
fix EL validation fixes for attributes. (remm)
fix 41327: Show full URI for a 404. (markt)
fix JspException now uses getCause() as the result for getRootCause(). (markt)
Cluster
fix 41466: When using the NioChannel and SecureNioChannel it's important to use the channel's buffers. (fhanik)
Tomcat 6.0.8 (remm) alpha
Catalina
fix Make provided instances of RequestDispatcher thread safe. (markt)
add Optional development oriented loader implementation. (funkman)
add Optimized access log valve, submitted by Takayuki Kaneko. (remm)
fix Fix error messages when parsing context.xml that incorrectly referred to web.xml. (markt)
fix 41217: Set secure attribute on SSO cookie when cookie is created during a secure request. Patch provided by Chris Halstead. (markt)
fix 40524: HttpServletRequest.getAuthType() now returns CLIENT_CERT rather than CLIENT-CERT for certificate authentication as per the spec. Note that web.xml continues to use CLIENT-CERT to specify the certificate authentication should be used. (markt)
fix 41401: Add support for JPDA_OPTS to catalina.bat and add a JPDA_SUSPEND environment variable to both startup scripts. Patch provided by Kurt Roy. (markt)
Coyote
fix Use the tomcat-native-1.1.10 as recommended version. OpenSSL detection on some platforms was broken. 1.1.8 will continue to work, although on some platforms there can be a JVM crash if IPv6 is enabled and the platform doesn't support IPv4 mapped addresses on IPv6 sockets.
Jasper
fix When displaying JSP source after an exception, handle included files. (markt)
fix Display the JSP source when a compilation error occurs and display the correct line number rather than start of a scriptlet block. (markt)
fix Fix NPE when processing dynamic attributes. (remm)
fix More accurate EL usage validation. (remm)
fix Fix regression for implicit taglib and page data version numbers. (remm)
fix 41265: Allow JspServlet checkInterval init parameter to be explicitly set to the stated default value of zero by removing the code that resets it to 300 if explicitly specified as zero. (markt)
fix 41327: Show full URI for a 404. Patch provided by Vijay. (markt)
Web applications
docs Add a virtual hosting how-to contributed by Hassan Schroeder. (markt)
update Update all webapps to use the servlet 2.5 xsd. (markt)
fix 39572: Improvements to CompressionFilter example provided by Eric Hedström. (markt)
Tomcat 6.0.7 (remm) beta, 2007-01-10
General
fix Fix installer's bitmap (mturk)
Catalina
fix Refactor logging of errors which may occur when reading a post body (remm)
Coyote
fix 37869: Also use the SSL_INFO_CLIENT_CERT field if the chain is empty, submitted by Grzegorz Grzybek (remm)
Tomcat 6.0.6 (remm) alpha
General
fix Fix tagging which did not include 6.0.5's changelog (remm)
Tomcat 6.0.5 (remm) not released
Catalina
fix 40585: Fix parameterised constructor for o.a.juli.FileHandler so parameters have an effect. (markt)
fix Escape invalid characters from request.getLocale. (markt, remm)
update Update required version for native to 1.1.8. (remm)
fix Do not log broken pipe errors which can occur when flushing the content of an error page. (remm)
Coyote
fix Fix firstReadTimeout behavior for the AJP connector. (remm)
Jasper
fix 41057: Make jsp:plugin output XHTML compliant. (markt)
Cluster
update Cluster interface cleanup. (fhanik)
update Refactoring to allow usage of executors. (fhanik)
Tomcat 6.0.4 (remm) alpha
General
update Update to NSIS 2.22 (remm)
fix Fix regression in 6.0.3 with Windows wrapper (mturk)
Tomcat 6.0.3 (remm) not released
General
Catalina
fix 37509: Do not remove whitespace from the end of values defined in logging.properties files. (markt)
fix 38198: Add reference to Context documentation from Host documentation that explains how Context name is obtained from the Context filename. (markt)
fix 40844: Missing syncs in JDBCRealm. (markt)
fix 40901: Encode directory listing output. Based on a patch provided by Chris Halstead. (markt)
fix 40929: Correct JavaDoc for StandardClassLoader. (markt)
fix 41008: Allow POST to be used for indexed queries with CGI Servlet. Patch provided by Chris Halstead. (markt)
fix Fix usage of print on the servlet output stream if the processor never used a writer (fhanik)
fix Fix logic of sameSameObjects used to determine correct wrapping of request and response objects (fhanik)
fix Update TLD scan lists, and disable caching for now (remm)
update Add system property to WebappClassLoader to allow disabling setting references to null when stopping it (remm)
add Add clustered SSO code, submitted by Fabien Carrion (remm)
Coyote
fix 40860: Log exceptions and other problems during parameter processing. (markt)
update Enable JMX for trust store attributes for SSL connector. (markt)
update Port memory usage reduction changes to the java.io HTTP connector. (remm)
fix MessageBytes.setString(null) will remove the String value. (remm)
fix 41057: Caching large strings is not useful and takes too much memory, so don't cache these (remm)
update Add keepAliveTimeout attribute to most connectors (mturk, remm)
Jasper
fix Relax EL type validation for literals. (remm)
fix Update some version numbers to 2.1. (funkman, remm)
fix Add xsds for JSP 2.1 (remm)
fix 41106: Update validation checks for EL to also include legacy 1.2 tags (remm)
Web applications
fix 40677: Update SSL documentation to indicate that PKCS11 keystores may be used. (markt)
Tomcat 6.0.2 (remm) beta, 2006-11-23
General
fix Various tweaks to distribution (remm, funkman)
update Update Tomcat native to 1.1.7 (mturk)
update Update to JDT 3.2.1 (remm)
Catalina
fix Fix EJB annotation interface (remm)
Coyote
fix Fix passing of the keystore password for the NIO connector (fhanik)
Tomcat 6.0.1 (remm) alpha
General
fix 37439, 40823: Documentation cleanup (markt)
Catalina
update Refactor exception processing using Throwable.getCause to improve exception chaining (remm)
add Remove dead code involving the Logger (funkman)
fix 37458: Fix some exceptions which could happen during classloading (markt)
fix 40817: Fix CGI path (markt)
fix 34956: Add the possibility to enforce usage of request and response wrapper objects (markt)
Jasper
update Many fixes for JSP 2.1 compliance, involving tag files handling, deferred expressions validation, bom encoding support (remm)
Coyote
update Many HTTP NIO connector fixes and refactorings (fhanik)
update HTTP NIO connector performance improvements (fhanik)
update Add packetSize option for the classic AJP connector (jfclere)
update Implement explicit flushing in AJP (mturk)
Tomcat 6.0.0 (remm) alpha
Catalina
add SSLEngine attribute added to the AprLifecycleListener (fhanik)
add Add API for Comet IO handling (remm, fhanik)
add Servlet 2.5 support (remm)
Jasper
add JSP 2.1 support (jhook, remm)
add Unified EL 2.1 support (jhook)
Coyote
add SSLEnabled attribute required for SSL to be turned on, on all HTTP connectors (fhanik)
update Memory usage reduction for the HTTP connectors, except java.io (remm)
update Modeler update to use dynamic mbeans rather than model mbeans, which consume more resources (costin)
Cluster
add New cluster configuration and new documentation (fhanik)

Copyright © 1999-2017, Apache Software Foundation