================================================================================
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
================================================================================

$Id$

                         =================================
                         Apache Tomcat 6.0 Patch Proposals
                         =================================


RELEASE SHOWSTOPPERS:


PATCHES ACCEPTED TO BACKPORT:
  [ start all new proposals below, under PATCHES PROPOSED. ]

PATCHES PROPOSED TO BACKPORT:
  [ New proposals should be added at the end of the list ]

* Backport cleanup of semantics of thisAccessedTime and lastAccessedTime
  for sessions:
  - preparational whitespace changes
    http://svn.apache.org/viewvc?rev=711695&view=rev
  - Give thisAccessedTime and lastAccessedTime for sessions a clear semantics:
    http://svn.apache.org/viewvc?rev=711711&view=rev
    - thisAccessedTime will be updated at the beginning and at the end of
      session use
    - lastAccessedTime will only be updated at the end of session use
    This means:
    - lastAccessedTime is the last access time of a session disregarding
      any request still being processed on. So this is good to use even
      from within a request to detect when its own session has been used
      last before.
    - thisAccessedTime already gets updated when a new request disregarding
      any request still being processed on.
      So this is better for any idleness check or information.
    - thisAccessedTime >= lastAccessedTime always
  - Port from StandardSession to DeltaSession
    http://svn.apache.org/viewvc?rev=711714&view=rev
  - Expose thisAccessedTime via the session interface and ManagerBase,
    so we can use it from outside the session.
    http://svn.apache.org/viewvc?rev=711716&view=rev
  - Make the classes checking session idleness use thisAccessedTime.
    http://svn.apache.org/viewvc?rev=711720&view=rev
    This is not for invalidation, only for displaying idle times
    and making persistence decisions.
  +1: rjung
   0: billbarker: generally agree with remm that this is too big of a change
      for the stable branch but could agree to some of it if it was split
      into parts
   0: markt: Agree with Bill - smaller parts would be better
  -1: remm: no for TC 6.0
  -1: funkman : api change in Session.java for .x.x release

* Improve NIO connector shutdown time by doing shutdowns in parallel and
  with a timeout
  http://svn.apache.org/viewvc?view=rev&revision=791914
  +1: fhanik, markt, kkolinko, jim
  -1:
  kkolinko: (
   Some nit-picking:
   1. I think that it is better to create the stopLatch in the
      NioEndpoint#start() method right before the array of Pollers is
      created, instead of NioEndpoint#init(). And to pass a reference to it
      to the Poller (as an argument in Poller constructor).
      That is because otherwise if you call stop() start() the stopLatch
      won't be in its initial condition, and because the count of pollers
      can be changed between init() and start(). Just a theory, though.
   2. In NioEndpoint.Poller#run():
    - if the Poller was looping with paused=true, is there a need to call
      events() before exiting the loop on if (close) ?
    - there are several ways to exit the loop: two if(close), one
      while (running), and may be exceptions. The first if(close) does not
      call selector.close(). And if you exit because of running = false
      there is no call to timeout(0, false); and selector.close().
    - there is special processing code for OutOfMemoryError, but inside
      the loop, and in events() method, you catch any Throwable.
    - it would be better to put stopLatch.countDown() inside a finally{}
      block
   3. In NioEndpoint.Poller#destroy() there is comment ("// Wait...").
      Is it still relevant? I do not see any waiting there.
  )

* Port TLD processing improvements from trunk
  There have been quite a few changes to TLD processing and they are tightly
  coupled. Therefore, this proposal is a series of patches and the patches
  need to be applied in order. Even then the patches do not apply completely
  cleanly so a rolled up patch has been provided at each stage.
  Note: The JSP TCK passes with the full set of patches applied.
  The benefit is twofold. First a number of edge case bugs I came across are
  fixed. The short version is that the Catalina code and the Jasper code did
  things differently. As well as the inherent inconsistencies (and hence
  bugs) this created it also made it much harder to add the additional
  functionality I was trying to add for embeddability. Which brings me to
  the second benefit. With these fixes in place, the changes I was trying to
  make (patch to follow when I have done more testing) for embeddability
  become possible.

  Step 1: Clean-up
  http://svn.apache.org/viewvc?view=rev&revision=647344
  +1: markt, kkolinko
  -1:

  Step 2: Make validation configuration per-context
  http://svn.apache.org/viewvc?view=rev&revision=751502
  http://people.apache.org/~markt/patches/2009-08-06-TLD-improvements-steps-1-2.patch (Steps 1-2)
  +1: markt
  -1:

  Step 3: Track and don't process duplicate TLDs
  http://svn.apache.org/viewvc?view=rev&revision=793621
  http://people.apache.org/~markt/patches/2009-08-06-TLD-improvements-steps-1-3.patch (Steps 1-3)
  +1: markt
  -1:

  Step 4: Sync Catalina and Jasper code so a) they have the same behaviour
          and b) use the same code so they are easier to keep in sync.
  http://svn.apache.org/viewvc?view=rev&revision=795143
  http://svn.apache.org/viewvc?view=rev&revision=795767
  http://svn.apache.org/viewvc?view=rev&revision=795819
  http://svn.apache.org/viewvc?view=rev&revision=795822
  http://svn.apache.org/viewvc?view=rev&revision=795824
  http://svn.apache.org/viewvc?view=rev&revision=795838
  http://svn.apache.org/viewvc?view=rev&revision=795860
  http://svn.apache.org/viewvc?view=rev&revision=795902
  http://svn.apache.org/viewvc?view=rev&revision=796016
  http://svn.apache.org/viewvc?view=rev&revision=796017
  http://svn.apache.org/viewvc?view=rev&revision=796030
  http://svn.apache.org/viewvc?view=rev&revision=801601
  http://svn.apache.org/viewvc?view=rev&revision=801637
  http://people.apache.org/~markt/patches/2009-08-06-TLD-improvements-steps-1-4.patch (Steps 1-4)
  +1: markt
  -1:

* Allow per instance configuration of JULI or log4j for core Tomcat logging
  Updated patch with the suggested tweak for 6.0.x so we don't break Eclipse
  integration
  Konstantin's update of Mark's patch with the following changes
  (in catalina.bat/sh):
  - Added an explicit check that CATALINA_BASE != CATALINA_HOME. Otherwise
    the [ -r "$CATALINA_BASE/bin/tomcat-juli.jar" ] check will succeed when
    those are equal.
  - Moved the code that adds ";" or ":" to non-empty CLASSPATH. That is to
    avoid the gap between this preparatory step and the one that actually
    adds jars to the CLASSPATH.
  http://people.apache.org/~kkolinko/patches/2009-11-16_log-config-per-instance.patch
  +1: kkolinko
  +1: markt - You should also give yourself credit in the changelog
  +1: funkman - was +1 for the original patch, assume he is OK with
      Konstantin's improvements but give him a chance to change his vote
      if not
  -1:

* Prevent NPE in JULI FileHandler during shutdown where the logger has been
  shutdown and delayed resources still trying to log
  http://svn.apache.org/viewvc?rev=666232&view=rev
  +1: kkolinko, markt
  +1: fhanik - I would add in http://svn.apache.org/viewvc?rev=881396&view=rev
  -1:

* Make FileHandler.java extensible
  http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/juli/FileHandler.java?r1=666232&r2=709018&pathrev=793882&view=patch
  +1: fhanik, jim, markt, kkolinko
  -1:

* Allow configurable buffer size of loggers
  http://svn.apache.org/viewvc?rev=814708&view=rev
  http://svn.apache.org/viewvc?rev=814876&view=rev
  +1: fhanik, jim, markt, kkolinko
  -1:

* Allow to disable buffering in JULI FileHandler
  This allows to configure immediate publishing of log records, like it
  was before rev.814876. It depends on the above FileHandler patches.
  http://svn.apache.org/viewvc?rev=816252&view=rev
  +1: kkolinko, markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47893
  Use StringBuilder instead of StringBuffer
  -0: markt for all SBuilder->SBuffer patches. Code cleanup is fine in trunk
      but no need to backport it
  -0: funkman
  -1: Is there a real benefit, other than clouding the revision history? ;)
      I'd consider 6.0.x to be in maintenance mode not clean up/refactor
      mode.

  The patches, as well as patches for individual files inside them, are
  independent of each other. Vote for as many as you want.
  There are 51 of them.

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_ant.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_authenticator.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_connector.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_core.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_deploy.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_ha.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_loader.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_manager.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_manager_host.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_mbeans.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_realm.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_servlets.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_session.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_ssi.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_startup.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_group.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_group_int.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_io.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_membership.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_tipis.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_transport.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_util.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_users.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_util.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_valves.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_coyote.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_el_parser.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_el_util.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper_compiler.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper_compiler_JspUtil.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper_runtime.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper_security.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper_tagplugins.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper_tagplugins_Import.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jk.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_juli.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_naming.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_buildutil.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_buf.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_digester.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_fileupload.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_http.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_mapper.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_modeler.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_net.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_threads.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-03_StringBuilder_o_a_c_valves_AccessLogValve.patch
  +1: kkolinko
  -1:

* Additional fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47495
  Exit immediately if Catalina.load() failed to create a server instance.
  http://svn.apache.org/viewvc?rev=836405&view=rev
  +1: kkolinko, markt
  -1:

* Further improvements to Windows installer password handling
  http://svn.apache.org/viewvc?rev=836036&view=rev
  http://svn.apache.org/viewvc?rev=836045&view=rev
  http://svn.apache.org/viewvc?rev=836209&view=rev
  The following patch file is a combination of rev.
  834047, 836036, 836045, 836209:
  http://people.apache.org/~kkolinko/patches/2009-11-14_Installer_password_tc6.patch
  +1: kkolinko
  -1:
  +0: markt Combined patch needs to have 834047 removed and 881765 added

* Improvements to memory leak prevention
  http://people.apache.org/~markt/patches/2009-11-10-leak-prevention.patch
  +1: markt, kkolinko
  -1:

* Additional fix for https://issues.apache.org/bugzilla/show_bug.cgi?id=48097
  1) Code cleanup: Remove use of WebappClassLoader$PrivilegedFindResource,
     because all findResourceInternal(String,String) calls are now already
     wrapped with AccessController.doPrivileged, so additional wrapping is
     not needed.
  2) Add preloading of WebappClassLoader$PrivilegedFindResourceByName, to fix
     https://issues.apache.org/bugzilla/show_bug.cgi?id=48097#c13
  http://people.apache.org/~kkolinko/patches/2009-11-12_PrivilegedFindResource_tc6.patch
  +1: kkolinko, markt
  -1:

* Single quote should not be treated as a separator
  http://svn.apache.org/viewvc?rev=830999&view=rev
  +1: markt, kkolinko
  -1:

* Update to commons-pool 1.5.4
  http://svn.apache.org/viewvc?rev=881412&view=rev
  +1: markt
  -1:

* Provide new option to allow = in cookie values
  http://people.apache.org/~markt/patches/2009-11-17-cookie-allow-equals.patch
  +1: markt
  -1:

* Alternative fix for CVE-2009-3555 SSL MITM
  The current patch uses an async callback to close the socket.
  It is technically possible an attack may succeed before the socket is closed
  The new patch only logs failed server initiated negotiations
  http://people.apache.org/~markt/patches/2009-11-20-cve2009-3555-v2.patch
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48252
  Patch attached to BZ
  +1: fhanik
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47609
  Implement fail-safe EOL conversion for source distributions
  Based on a patch provided by sebb
  http://svn.apache.org/viewvc?rev=883125&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47718
  Correct file descriptor leak on context stop/reload
  Patch provided by George Sexton
  http://svn.apache.org/viewvc?rev=883130&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47997
  Process changes for all naming contexts, not just the global one
  http://svn.apache.org/viewvc?rev=883134&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47453
  Need to be able to override metadata complete if set in the global web.xml
  Patch provided by Keiichi Fujino
  http://svn.apache.org/viewvc?rev=883146&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47554
  httpOnly flag not applied to migrated session cookie
  https://issues.apache.org/bugzilla/show_bug.cgi?id=47554
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47799
  Unable to configure domain in Membership and DomainFilterInterceptor
  Patch provided by Keiichi Fujino
  http://svn.apache.org/viewvc?rev=883165&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48049
  Fix copy and paste error and call correct function
  Patch provided by gingyang.xu
  http://svn.apache.org/viewvc?rev=883177&view=rev
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48113
  Display IP addresses using 0-255 rather than -128 to +127
  Port Filip's patch from trunk plus additional changes based on a patch by
  Quintin Beukes
  http://svn.apache.org/viewvc?view=revision&revision=758249 (Filip)
  http://svn.apache.org/viewvc?rev=883362&view=rev (Quintin)
  +1: markt
  -1: