================================================================================
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
================================================================================
$Revision$ $Date$

                         =================================
                         Apache Tomcat 6.0 Patch Proposals
                         =================================


RELEASE SHOWSTOPPERS:


PATCHES ACCEPTED TO BACKPORT:
  [ start all new proposals below, under PATCHES PROPOSED. ]

PATCHES PROPOSED TO BACKPORT:
  [ New proposals should be added at the end of the list ]

* Fix issue where the first request for a deleted JSP returns as if the JSP
  still exists.
  http://svn.apache.org/viewvc?view=rev&revision=683969
  +1: markt, funkman
   0: remm (looks risky, very minor problem), fhanik - minor problem
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45026
  Never use empty reason phrase.
  http://svn.apache.org/viewvc?rev=697183&view=rev
  +1: rjung, mturk, markt, jim
   0: remm (also affects the two other AJP connectors)

* Allow huge request body packets for AJP13.
  This was already applied to connectors, but never carried forward
  to trunk and tc6.0.x.
  http://svn.apache.org/viewvc?rev=697192&view=rev
  Original change:
  http://svn.apache.org/viewvc?rev=486217&view=rev
  +1: rjung, mturk, markt, pero, jim
   0: remm (also affects the two other AJP connectors)

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45403
  See commit message for details of negligible performance impact
  http://svn.apache.org/viewvc?rev=701358&view=rev
  +1: markt, funkman
  -0: remm (I also do not think the patch is a good idea as a backport)
  -0: fhanik - the bug talks about WEB-INF/lib and reload, that would be when
      reload="true" which should be considered development only.
      So to make this bug actually worthwhile fixing, and not impact
      performance, then it should only do this check on files that are
      relevant to the reload of an application, in other words a watched
      resource

* Changes required to run with a security manager
  http://svn.apache.org/viewvc?rev=721286&view=rev (original)
  http://svn.apache.org/viewvc?rev=721704&view=rev (original)
  http://svn.apache.org/viewvc?rev=721708&view=rev (original)
  http://svn.apache.org/viewvc?rev=721886&view=rev (original)
  http://svn.apache.org/viewvc?rev=746425&view=rev (to address Bill's concerns)
  +1: markt
   0: billbarker: Haven't tried to break it yet, but the 4th patch potentially
      offers access to static fields in ELContextImpl and ELResolverImpl that
      could possibly be exploited by a malicious webapp.
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46351
  Build script re-factoring
  Patch provided by Marc Guillemot
  http://svn.apache.org/viewvc?rev=729681&view=rev
  +1: markt, jim
   0: fhanik - not sure it's needed in 6.0 branch if all is working with the
      old script
   0: funkman - ditto
  -1:

* Deprecate unused code (with a view to deleting it in TC7)
  http://svn.apache.org/viewvc?view=rev&revision=719119
  http://svn.apache.org/viewvc?view=rev&revision=719124
  +1: markt, fhanik
  -0: mturk: We cannot change API in the middle of the life cycle.
      I'm fine with deprecating that in trunk, but IMO there is no
      reason to deprecate something in maintenance branch.
      markt: I'd like to delete a lot of stuff (that is already unused) in
      tc7. Deprecating it in tc6 doesn't stop people using it, nor does it
      change the functionality of the API. It just gives folks that may be
      using this old code a warning that it won't be there in the next
      version.
  -1: