Tomcat 8

Tomcat 8 8.0.53

Catalina
  • Treat the <mapped-name> element of a <env-entry> in web.xml in the same way as the mappedName element of the equivalent @Resource annotation. Both now attempt to set the mappedName property of the resource. (markt)
  • Correct the processing of resources with <injection-target>s defined in web.xml. First look for a match using JavaBean property names and then, only if a match is not found, look for a match using fields. (markt)
  • When restoring a saved request with a request body after FORM authentication, ensure that calls to the HttpServletRequest methods getRequestURI(), getQueryString() and getProtocol() are not corrupted by the processing of the saved request body. (markt)
  • JNDI resources that are defined with injection targets but no value are now treated as if the resource is not defined. (markt)
  • Ensure that JNDI names used for <lookup-name> entries in web.xml and for lookup elements of @Resource annotations specify a name with an explicit java:namespace. (markt)
  • Refactor the org.apache.naming package to reduce duplicate code. Duplicate code identified by the Simian tool. (markt)
  • 50019: Add support for <lookup-name>. Based on a patch by Gurkan Erdogdu. (markt)
  • 60490: Various formatting and layout improvements for the ErrorReportValve. Patch provided by Michael Osipov. (markt)
  • 62343: Make CORS filter defaults more secure. This is the fix for CVE-2018-8014. (markt)
  • Ensure that the web application resources implementation does not incorrectly cache results for resources that are only visible as class loader resources. (markt)
  • Make all loggers associated with Tomcat provided Filters non-static to ensure that log messages are not lost when a web application is reloaded. (markt)
  • Correct the manifest for the annotations-api.jar. The JAR implements the Common Annotations API 1.2 and the manifest should reflect that. (markt)
  • Switch to non-static loggers where there is a possibility of a logger becoming associated with a web application class loader causing log messages to be lost if the web application is stopped. (markt)
  • 62389: Add the IPv6 loopback address to the default internalProxies regular expression. Patch by Craig Andrews. (markt)
  • In the RemoteIpValve and RemoteIpFilter, correctly handle the case when the request passes through one or more trustedProxies but no internalProxies. Based on a patch by zhanhb. (markt)
  • Correct the logic in MBeanFactory.removeConnector() to ensure that the correct Connector is removed when there are multiple Connectors using different addresses but the same port. (markt)
  • Make JAASRealm mis-configuration more obvious by requiring the authenticated Subject to include at least one Principal of a type specified by userClassNames. (markt)
  • 62476: Use GMT timezone for the value of Expires header as required by HTTP specification (RFC 7231, 7234). (kkolinko)
Coyote
  • Log an error message if the AJP connector detects that the reverse proxy is sending AJP messages that are too large for the configured packetSize. (markt)
  • Relax Host validation by removing the requirement that the final component of a FQDN must be alphabetic. (markt)
  • 62371: Improve logging of Host validation failures. (markt)
  • Correctly handle a digest authorization header when the user name contains an escaped character. (markt)
  • Correctly handle a digest authorization header when one of the hex field values ends the header with an invalid character. (markt)
  • Correctly handle an invalid quality value in an Accept-Language header. (markt)
  • Improve IPv6 validation by ensuring that IPv4-Mapped IPv6 addresses do not contain leading zeros in the IPv4 part. Based on a patch by Katya Stoycheva. (markt)
Jasper
  • 62080: Ensure that all reads of the current thread's context class loader made by the UEL API and implementation are performed via a PrivilegedAction to ensure that a SecurityException is not triggered when running under a SecurityManager. (markt)
  • 62350: Refactor org.apache.jasper.runtime.BodyContentImpl so that a SecurityException is not thrown when running under a SecurityManager and additional permissions are not required in the catalina.policy file. This is a follow-up to the fix for 43925. (kkolinko/markt)
Cluster
  • Remove duplicate calls when creating a replicated session to reduce the time taken to create the session and thereby reduce the chances of a subsequent session update message being ignored because the session does not yet exist. (markt)
WebSocket
  • When decoding of path parameter failed, make sure to throw DecodeException instead of throwing ArrayIndexOutOfBoundsException. (kfujino)
  • Enable host name verification when using TLS with the WebSocket client. (markt)
Web applications
  • 62395: Clarify the meaning of the connector attribute minSpareThreads in the documentation web application. (markt)
Tribes
  • Ensure that the correct default value is returned when retrieving unset properties in McastService. (kfujino)
jdbc-pool
  • When logValidationErrors is set to true, the connection validation error is logged as SEVERE instead of WARNING. (kfujino)
Other
  • 62391: Remove references to javaw.exe as this file is not required by Tomcat and the references prevent the use of the Server JRE. (markt)
  • Update the packaged version of the Tomcat Native Library to 1.2.17 to pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL 1.0.2o. (markt)
  • 62458: Update the internal fork of Commons Pool 2 to dfef97b (2018-06-18) to pick up some bug fixes and enhancements. (markt)
  • Update the internal fork of Commons DBCP 2 to 2.4.0. (markt)
  • Support building with Java 9+ while preserving the Java 7 compatibility at runtime (requires Ant 1.9.8 or later). (ebourg)
  • Implement checksum checks when downloading dependencies that are used to build Tomcat. (kkolinko)
Catalina
  • Fix a rare edge case that is unlikely to occur in real usage. This edge case meant that writing long streams of UTF-8 characters to the HTTP response that consisted almost entirely of surrogate pairs could result in one surrogate pair being dropped. (markt)
  • Register MBean when DataSource Resource type="javax.sql.XADataSource". Patch provided by Masafumi Miura. (csutherl)
  • 62297: Enable the CrawlerSessionManagerValve to correctly handle bots that crawl multiple hosts and/or web applications when the Valve is configured on a Host or an Engine. (fschumacher)
  • 62329: Correctly list resources in JAR files when directories do not have dedicated entries. Patch provided by Meelis Müür. (markt)
  • Collapse multiple leading / characters to a single / in the return value of HttpServletRequest#getContextPath() to avoid issues if the value is used with HttpServletResponse#sendRedirect(). This behaviour is enabled by default and configurable via the new Context attribute allowMultipleLeadingForwardSlashInPath. (markt)
  • Improve handling of overflow in the UTF-8 decoder with supplementary characters. (markt)
Coyote
  • Enable strict validation of the provided host name and port for all connectors. Requests with invalid host names and/or ports will be rejected with a 400 response. (markt)
  • Implement the requirements of RFC 7230 (and RFC 2616) that HTTP/1.1 requests must include a Host header and any request that does not must be rejected with a 400 response. (markt)
  • Implement the requirements of RFC 7230 that any HTTP/1.1 request that specifies a host in the request line must specify the same host in the Host header, and that any such request that does not must be rejected with a 400 response. This check is optional and disabled by default. It may be enabled with the allowHostHeaderMismatch attribute of the Connector. (markt)
  • Implement the requirements of RFC 7230 that any HTTP/1.1 request that contains multiple Host headers is rejected with a 400 response. (markt)
  • 62273: Implement configuration options to work around specification non-compliant user agents (including all the major browsers) that do not correctly %nn encode URI paths and query strings as required by RFC 7230 and RFC 3986. (markt)
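The Host-header rules in the Coyote entries above (strict host/port validation, a mandatory Host header for HTTP/1.1, rejection of multiple Host headers, and the optional request-line versus Host comparison) as a small added Python checker. This is example code, not Tomcat's own, and its host grammar is a simplified assumption rather than Tomcat's actual validator; the request heads in the test are constructed samples.

```python
import re

# Simplified host/port syntax: dotted alphanumeric labels (reg-name or IPv4 literal) or a bracketed
# IPv6 literal, plus a numeric port. This is an assumption; Tomcat's own grammar is stricter.
HOST_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$|^\[[0-9A-Fa-f:.]+\]$")
PORT_RE = re.compile(r"^\d{1,5}$")
ABSOLUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")  # absolute-form request target


def valid_authority(authority):
    """Strict host[:port] check: empty host, bad characters or a non-numeric/out-of-range port fail."""
    if authority.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
        close = authority.find("]")
        if close < 0:
            return False
        host, rest = authority[:close + 1], authority[close + 1:]
    else:
        host, sep, port = authority.partition(":")
        rest = sep + port
    if not host or not HOST_RE.match(host):
        return False
    if rest and (rest[0] != ":" or not PORT_RE.match(rest[1:]) or int(rest[1:]) > 65535):
        return False
    return True


def check_host(raw, allow_host_header_mismatch=True):
    """Return (status, reason): 200 when the request head passes the Host checks, else 400 and why."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return 400, "malformed request line"
    _, target, version = parts
    hosts = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            hosts.append(value.strip())
    if len(hosts) > 1:                                 # RFC 7230 s5.4: more than one Host header
        return 400, "multiple Host headers"
    if version == "HTTP/1.1" and not hosts:            # RFC 7230 s5.4: HTTP/1.1 requires Host
        return 400, "missing Host header"
    if hosts and not valid_authority(hosts[0]):        # strict host name / port validation
        return 400, "invalid Host header value"
    m = ABSOLUTE_RE.match(target)
    if m and hosts and not allow_host_header_mismatch and m.group(1).lower() != hosts[0].lower():
        return 400, "request-line host does not match Host header"
    return 200, "ok"
```

The mismatch check is off by default here, mirroring the entry above that describes it as optional and disabled unless configured.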
Jasper
  • Enable ECJ version 4.7 and later to be used as a drop-in replacement for the ECJ version that ships with Apache Tomcat. (markt)
  • Enable Java 10 to be specified as a JSP source and/or target if a newer ECJ version is used. (markt)
  • 62287: Do not rely on hash codes to test instances of ValueExpressionImpl for equality. Patch provided by Mark Struberg. (markt)
WebSocket
  • 62301: Correct a regression in the fix for 61491 that didn't correctly handle a final empty message part in all circumstances when using PerMessageDeflate. (markt)
Other
  • Avoid warning when running under Cygwin when the JAVA_ENDORSED_DIRS environment variable is not set. Patch provided by Zemian Deng. (markt)