61692: Add the ability to control which HTTP methods are handled by the CGI Servlet via a new initialization parameter cgiMethods. (markt)
62687: Expose content length information for resources when using a compressed war. (remm)
62737: Fix rewrite substitutions parsing of {} nesting. (remm)
Add rewrite flags output when getting the rewrite configuration back. (remm)
Add missing qsdiscard flag to the rewrite flags as a cleaner way to discard the query string. (remm)
Add documentation about the files context.xml.default and web.xml.default that can be used to customize conf/context.xml and conf/web.xml on a per host basis. (fschumacher)
Ensure that a canonical path is always used for the docBase of a Context to ensure consistent behaviour. (markt)
62803: Fix SSL connector configuration processing in storeconfig. (remm)
62797: Pass throwable to keep client aborts with status 200 rather than 500. Patch submitted by zikfat. (remm)
62809: Correct a regression in the implementation of DIGEST authentication support for the Deployer Ant tasks (bug 45832) that prevented the DeployTask from working when authentication was required. (markt)
Update the recommended minimum Tomcat Native version to 1.2.18. (markt)
Ignore an attribute named source on Context elements provided by StandardContext. This is to suppress warnings generated by the Eclipse / Tomcat integration provided by Eclipse. Based on a patch by mdfst13. (markt)
62830: Added JniLifeCycleListener and static methods Library.loadLibrary(libraryName) and Library.load(filename) to load a native library by a shared class loader so that more than one Webapp can use it. (isapir)
Correct a typo in the Spanish resource files. Patch provided by Diego Agulló. (markt)
62868: Order the Enumeration<URL> provided by WebappClassLoaderBase.getResources(String) according to the setting of the delegate flag. (markt)
Coyote
Add TLSv1.3 to the default protocols and to the all alias for JSSE based TLS connectors when running on a JVM that supports TLS version 1.3. One such JVM is OpenJDK version 11. (rjung)
62685: Correct an error in host name validation parsing that did not allow a fully qualified domain name to terminate with a period. Patch provided by AG. (markt)
62739: Do not reject requests with an empty HTTP Host header. Such requests are unusual but not invalid. Patch provided by Michael Orr. (markt)
62748: Add TLS 1.3 support for the APR/Native connector and the NIO/NIO2 connector when using the OpenSSL backed JSSE implementation. (schultz/markt)
62791: Remove an unnecessary check in the NIO TLS implementation that prevented secure WebSocket connections from being established. (markt)
Fix server initiated TLS renegotiation to obtain a client certificate when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation. (markt)
62871: Improve MBeans for Endpoint instances (type ThreadPool in JMX) by using explicit declaration of attributes and operations rather than relying on introspection. Add a new MBean to expose the SocketProperties values. (markt)
Jasper
Correct parsing of XML whitespace in TLD function signatures that incorrectly only looked for the space character. (markt)
62674: Correct a regression in the stand-alone JSP compiler utility, JspC, caused by the fix for 53492, that caused the JSP compiler to hang. (markt)
62721: Correct generation of web.xml header when using JspC. (markt)
62757: Correct a regression in the fix for 62603 that caused NullPointerExceptions when compiling tag files on first access when development mode was disabled and background compilation was enabled. Based on a patch by Jordi Llach. (markt)
WebSocket
62731: Make the URI returned by HandshakeRequest.getRequestURI() and Session.getRequestURI() absolute so that the scheme, host and port are accessible. (markt)
Web applications
62676: Expand the CORS filter documentation to make it clear that explicit configuration is required to enable support for cross-origin requests. (markt)
62712: Correct NPE in Manager application when attempting to view configured certificates for an APR/native TLS connector. (markt)
62761: Correct the advanced CORS example in the Filter documentation to use a valid configuration. (markt)
62786: Add a note to the Context documentation to explain that, by default, settings for a Context element defined in server.xml will be overwritten by settings specified in a default context file such as conf/context.xml. (markt)
Create a little visual separation between the Undeploy button and the other buttons in the Manager application. Patch provided by Łukasz Jąder. (markt)
Other
Update the internal fork of Apache Commons Pool 2 to d4e0e88 (2018-09-12) to pick up some bug fixes and enhancements. (markt)
Update the packaged version of the Tomcat Native Library to 1.2.18 to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1. (markt)
62263: Avoid a NullPointerException when the RemoteIpValve processes a request for which no Context can be found. (markt)
Fix a rare edge case that is unlikely to occur in real usage. This edge case meant that writing long streams of UTF-8 characters to the HTTP response that consisted almost entirely of surrogate pairs could result in one surrogate pair being dropped. (markt)
Register MBean when DataSource Resource type="javax.sql.XADataSource". Patch provided by Masafumi Miura. (csutherl)
Update the internal fork of Apache Commons BCEL to r1829827 to add early access Java 11 support to the annotation scanning code. (markt)
62297: Enable the CrawlerSessionManagerValve to correctly handle bots that crawl multiple hosts and/or web applications when the Valve is configured on a Host or an Engine. (fschumacher)
62309: Fix a SecurityException when using JASPIC under a SecurityManager when authentication is not mandatory. (markt)
62329: Correctly list resources in JAR files when directories do not have dedicated entries. Patch provided by Meelis Müür. (markt)
Collapse multiple leading / characters to a single / in the return value of HttpServletRequest#getContextPath() to avoid issues if the value is used with HttpServletResponse#sendRedirect(). This behaviour is enabled by default and configurable via the new Context attribute allowMultipleLeadingForwardSlashInPath. (markt)
Improve handling of overflow in the UTF-8 decoder with supplementary characters. (markt)
Coyote
Correct off-by-one error in thread pool that allowed thread pools to increase in size to one more than the configured limit. Patch provided by usc. (markt)
Prevent unexpected TLS handshake failures caused by errors during a previous handshake that were not correctly cleaned up when using the NIO or NIO2 connector with the OpenSSLImplementation. (markt)
Enable strict validation of the provided host name and port for all connectors. Requests with invalid host names and/or ports will be rejected with a 400 response. (markt)
62273: Implement configuration options to work-around specification non-compliant user agents (including all the major browsers) that do not correctly %nn encode URI paths and query strings as required by RFC 7230 and RFC 3986. (markt)
Jasper
Enable ECJ version 4.7 and later to be used as a drop in replacement for the ECJ version that ships with Apache Tomcat. (markt)
Enable Java 10 to be specified as a JSP source and/or target if a newer ECJ version is used. (markt)
62287: Do not rely on hash codes to test instances of ValueExpressionImpl for equality. Patch provided by Mark Struberg. (markt)
WebSocket
62301: Correct a regression in the fix for 61491 that didn't correctly handle a final empty message part in all circumstances when using PerMessageDeflate. (markt)
62332: Ensure WebSocket connections are closed after an I/O error is experienced reading from the client. (markt)
Other
Avoid warning when running under Cygwin when the JAVA_ENDORSED_DIRS environment variable is not set. Patch provided by Zemian Deng. (markt)