
2018-07-25 21:20:03 UTC MAIN

Update to 8.0.53

Changelog:
Tomcat 8.0.53 (violetagg)

Catalina
Fix:  Treat the <mapped-name> element of a <env-entry> in web.xml in the same way as the mappedName element of the equivalent @Resource annotation. Both now attempt to set the mappedName property of the resource. (markt)
Fix:  Correct the processing of resources with <injection-target>s defined in web.xml. First look for a match using JavaBean property names and then, only if a match is not found, look for a match using fields. (markt)
Fix:  When restoring a saved request with a request body after FORM authentication, ensure that calls to the HttpServletRequest methods getRequestURI(), getQueryString() and getProtocol() are not corrupted by the processing of the saved request body. (markt)
Fix:  JNDI resources that are defined with injection targets but no value are now treated as if the resource is not defined. (markt)
Fix:  Ensure that JNDI names used for <lookup-name> entries in web.xml and for lookup elements of @Resource annotations specify a name with an explicit java: namespace. (markt)
Code:  Refactor the org.apache.naming package to reduce duplicate code. Duplicate code identified by the Simian tool. (markt)
Fix:  50019: Add support for <lookup-name>. Based on a patch by Gurkan Erdogdu. (markt)
Fix:  60490: Various formatting and layout improvements for the ErrorReportValve. Patch provided by Michael Osipov. (markt)
Fix:  62343: Make CORS filter defaults more secure. This is the fix for CVE-2018-8014. (markt)
Fix:  Ensure that the web application resources implementation does not incorrectly cache results for resources that are only visible as class loader resources. (markt)
Fix:  Make all loggers associated with Tomcat provided Filters non-static to ensure that log messages are not lost when a web application is reloaded. (markt)
Fix:  Correct the manifest for the annotations-api.jar. The JAR implements the Common Annotations API 1.2 and the manifest should reflect that. (markt)
Fix:  Switch to non-static loggers where there is a possibility of a logger becoming associated with a web application class loader causing log messages to be lost if the web application is stopped. (markt)
Add:  62389: Add the IPv6 loopback address to the default internalProxies regular expression. Patch by Craig Andrews. (markt)
Fix:  In the RemoteIpValve and RemoteIpFilter, correctly handle the case when the request passes through one or more trustedProxies but no internalProxies. Based on a patch by zhanhb. (markt)
Fix:  Correct the logic in MBeanFactory.removeConnector() to ensure that the correct Connector is removed when there are multiple Connectors using different addresses but the same port. (markt)
Fix:  Make JAASRealm mis-configuration more obvious by requiring the authenticated Subject to include at least one Principal of a type specified by userClassNames. (markt)
Fix:  62476: Use GMT timezone for the value of Expires header as required by HTTP specification (RFC 7231, 7234). (kkolinko)

(zafer)