================================================================================
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
================================================================================

$Id$

                         =================================
                         Apache Tomcat 6.0 Patch Proposals
                         =================================


RELEASE SHOWSTOPPERS:


PATCHES ACCEPTED TO BACKPORT:
  [ start all new proposals below, under PATCHES PROPOSED. ]

PATCHES PROPOSED TO BACKPORT:
  [ New proposals should be added at the end of the list ]

* Backport cleanup of semantics of thisAccessedTime and lastAccessedTime
  for sessions:
  - preparatory whitespace changes
    http://svn.apache.org/viewvc?rev=711695&view=rev
  - Give thisAccessedTime and lastAccessedTime for sessions a clear semantics:
    http://svn.apache.org/viewvc?rev=711711&view=rev
    - thisAccessedTime will be updated at the beginning and at the end of
      session use
    - lastAccessedTime will only be updated at the end of session use
    This means:
    - lastAccessedTime is the last access time of a session disregarding
      any request still being processed on. So this is good to use even from
      within a request to detect when its own session has been used last
      before.
    - thisAccessedTime already gets updated when a new request disregarding
      any request still being processed on.
      So this is better for any idleness check or information.
    - thisAccessedTime >= lastAccessedTime always
  - Port from StandardSession to DeltaSession
    http://svn.apache.org/viewvc?rev=711714&view=rev
  - Expose thisAccessedTime via the session interface and ManagerBase,
    so we can use it from outside the session.
    http://svn.apache.org/viewvc?rev=711716&view=rev
  - Make the classes checking session idleness use thisAccessedTime.
    http://svn.apache.org/viewvc?rev=711720&view=rev
    This is not for invalidation, only for displaying idle times and making
    persistence decisions.
  +1: rjung
   0: billbarker: generally agree with remm that this is too big of a change
      for the stable branch but could agree to some of it if it was split
      into parts
   0: markt: Agree with Bill - smaller parts would be better
  -1: remm: no for TC 6.0
  -1: funkman : api change in Session.java for .x.x release

* Improve NIO connector shutdown time by doing shutdowns in parallel and
  with a timeout
  http://svn.apache.org/viewvc?view=rev&revision=791914
  +1: fhanik, markt, kkolinko, jim
  -1:
  kkolinko: (
   Some nit-picking:
   1. I think that it is better to create the stopLatch in the
   NioEndpoint#start() method right before the array of Pollers is created,
   instead of NioEndpoint#init(). And to pass a reference to it to the Poller
   (as an argument in Poller constructor).
   That is because otherwise if you call stop() start() the stopLatch won't
   be in its initial condition, and because the count of pollers can be
   changed between init() and start(). Just a theory, though.
   2. In NioEndpoint.Poller#run():
   - if the Poller was looping with paused=true, is there a need to call
   events() before exiting the loop on if (close) ?
   - there are several ways to exit the loop: two if(close), one
   while (running), and maybe exceptions. The first if(close) does not call
   selector.close(). And if you exit because of running = false there is
   no call to timeout(0, false); and selector.close().
   - there is special processing code for OutOfMemoryError, but inside the
   loop, and in events() method, you catch any Throwable.
   - it would be better to put stopLatch.countDown() inside a finally{} block
   3. In NioEndpoint.Poller#destroy() there is a comment ("// Wait...").
   Is it still relevant? I do not see any waiting there.
  )

* Port TLD processing improvements from trunk
  There have been quite a few changes to TLD processing and they are tightly
  coupled. Therefore, this proposal is a series of patches and the patches
  need to be applied in order. Even then the patches do not apply completely
  cleanly so a rolled up patch has been provided at each stage.
  Note: The JSP TCK passes with the full set of patches applied.

  The benefit is twofold. First a number of edge case bugs I came across are
  fixed. The short version is that the Catalina code and the Jasper code did
  things differently. As well as the inherent inconsistencies (and hence
  bugs) this created it also made it much harder to add the additional
  functionality I was trying to add for embeddability. Which brings me to the
  second benefit. With these fixes in place, the changes I was trying to make
  (patch to follow when I have done more testing) for embeddability become
  possible.

  Step 1: Clean-up
  http://svn.apache.org/viewvc?view=rev&revision=647344
  +1: markt, kkolinko
  -1:

  Step 2: Make validation configuration per-context
  http://svn.apache.org/viewvc?view=rev&revision=751502
  http://people.apache.org/~markt/patches/2009-08-06-TLD-improvements-steps-1-2.patch (Steps 1-2)
  +1: markt
  -1:

  Step 3: Track and don't process duplicate TLDs
  http://svn.apache.org/viewvc?view=rev&revision=793621
  http://people.apache.org/~markt/patches/2009-08-06-TLD-improvements-steps-1-3.patch (Steps 1-3)
  +1: markt
  -1:

  Step 4: Sync Catalina and Jasper code so
          a) they have the same behaviour and
          b) use the same code so they are easier to keep in sync.
  http://svn.apache.org/viewvc?view=rev&revision=795143
  http://svn.apache.org/viewvc?view=rev&revision=795767
  http://svn.apache.org/viewvc?view=rev&revision=795819
  http://svn.apache.org/viewvc?view=rev&revision=795822
  http://svn.apache.org/viewvc?view=rev&revision=795824
  http://svn.apache.org/viewvc?view=rev&revision=795838
  http://svn.apache.org/viewvc?view=rev&revision=795860
  http://svn.apache.org/viewvc?view=rev&revision=795902
  http://svn.apache.org/viewvc?view=rev&revision=796016
  http://svn.apache.org/viewvc?view=rev&revision=796017
  http://svn.apache.org/viewvc?view=rev&revision=796030
  http://svn.apache.org/viewvc?view=rev&revision=801601
  http://svn.apache.org/viewvc?view=rev&revision=801637
  http://people.apache.org/~markt/patches/2009-08-06-TLD-improvements-steps-1-4.patch (Steps 1-4)
  +1: markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44041
  Threading issue in classloading. Adds a sync so please check performance
  Updated to use Filip's suggestion
  http://people.apache.org/~markt/patches/2009-11-05-bug44041.patch
  +1: markt, fhanik, kkolinko
  -1:

* Allow per instance configuration of JULI or log4j for core Tomcat logging
  Updated patch with the suggested tweak for 6.0.x so we don't break Eclipse
  integration
  http://people.apache.org/~markt/patches/2009-11-06-log-config-per-instance.patch
  +1: markt, funkman
  +1: kkolinko (good, though I propose a slightly corrected version of it below)
  -1:

  kkolinko: I updated the above Mark's patch with the following changes
  (in catalina.bat/sh):
  - Added an explicit check that CATALINA_BASE != CATALINA_HOME.
    Otherwise the [ -r "$CATALINA_BASE/bin/tomcat-juli.jar" ] check will
    succeed when those are equal.
  - Moved the code that adds ";" or ":" to non-empty CLASSPATH.
    That is to avoid the gap between this preparatory step and the one
    that actually adds jars to the CLASSPATH.
  Warning: I have not tried to run the patched catalina.sh yet. I hope it
  works.
  http://people.apache.org/~kkolinko/patches/2009-11-12_log-config-per-instance.patch
  +1: kkolinko
  -1:

* Prevent NPE in JULI FileHandler during shutdown where the logger has been
  shutdown and delayed resources still trying to log
  http://svn.apache.org/viewvc?rev=666232&view=rev
  +1: kkolinko
  -1:

* Make FileHandler.java extensible
  http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/juli/FileHandler.java?r1=666232&r2=709018&pathrev=793882&view=patch
  +1: fhanik, jim, markt, kkolinko
  -1:

* Allow configurable buffer size of loggers
  http://svn.apache.org/viewvc?rev=814708&view=rev
  http://svn.apache.org/viewvc?rev=814876&view=rev
  +1: fhanik, jim, markt, kkolinko
  -1:

* Allow to disable buffering in JULI FileHandler
  This allows to configure immediate publishing of log records, like it was
  before rev.814876.
  It depends on the above FileHandler patches.
  http://svn.apache.org/viewvc?rev=816252&view=rev
  +1: kkolinko
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47267
  http://svn.apache.org/viewvc?rev=817822&view=rev
  http://svn.apache.org/viewvc?rev=833545&view=rev (to address rjung's comment)
  +1: markt, funkman
  +1: kkolinko: only if applied together with r.835336
  -1:
  Additional patch:
  http://svn.apache.org/viewvc?rev=835336&view=rev
  +1: kkolinko
  -1:
  rjung: Our dreaded multi platform build system is a bit fragile w.r.t.
         fixcrlf. If you change the file to crlf in the installer target,
         then all unix packages (which are built after installer) will also
         contain it in crlf format. Not too bad for especially that file
         (because part of a webapp), but maybe it would be cleaner to do
         this for the installer target only, e.g. saving the file, fixcrlf,
         run nsi, restoring file.
  markt: see second patch
  kkolinko: Another way to fix it would be to place a copy of that file
         into %CATALINA_HOME% (with proper CRLF endings) and display that
         one in the installer, leaving the one in the ROOT webapp as is.
         Note, that we already have these two copies of the file in our
         zip/tgz distributions.

* Use correct flag for SSL
  http://svn.apache.org/viewvc?rev=831106&view=rev
  +1: fhanik, kkolinko, rjung
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47893
  Use StringBuilder instead of StringBuffer
  -0: markt for all SBuilder->SBuffer patches. Code cleanup is fine in trunk
      but no need to backport it
  -0: funkman

  The patches, as well as patches for individual files inside them, are
  independent of each other. Vote for as many as you want.
  There are 51 of them.

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_ant.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_authenticator.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_connector.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_core.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_deploy.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_ha.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_loader.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_manager.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_manager_host.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_mbeans.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_realm.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_servlets.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_session.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_ssi.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_startup.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_group.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_group_int.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_io.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_membership.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_tipis.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_transport.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_tribes_util.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_users.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_util.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_c_valves.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_coyote.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_el_parser.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_el_util.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper_compiler.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper_compiler_JspUtil.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper_runtime.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper_security.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper_tagplugins.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jasper_tagplugins_Import.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_jk.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_juli.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_naming.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_buildutil.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_buf.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_digester.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_fileupload.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_http.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_mapper.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_modeler.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_net.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-02_StringBuilder_o_a_t_util_threads.patch
  +1: kkolinko
  -1:

  http://people.apache.org/~kkolinko/patches/2009-11-03_StringBuilder_o_a_c_valves_AccessLogValve.patch
  +1: kkolinko
  -1:

* If server.xml not readable - be more explicit in letting the user know
  http://svn.apache.org/viewvc?rev=833121&view=rev
  https://issues.apache.org/bugzilla/show_bug.cgi?id=47495
  +1: funkman, markt, jfclere
  -1:
  Additional patch:
  http://svn.apache.org/viewvc?rev=836405&view=rev
  +1: kkolinko
  -1:

* Fix CVE-2009-3548 - Windows installer uses insecure default password
  http://svn.apache.org/viewvc?rev=834047&view=rev
  +1: markt, mturk, kkolinko
  -1:
  Additional patches:
  (
  http://svn.apache.org/viewvc?rev=836036&view=rev
  http://svn.apache.org/viewvc?rev=836045&view=rev
  http://svn.apache.org/viewvc?rev=836209&view=rev
  )
  The following patch file is a combination of rev. 834047, 836036, 836045,
  836209:
  http://people.apache.org/~kkolinko/patches/2009-11-14_Installer_password_tc6.patch
  +1: kkolinko
  -1:

* Disable TLS renegotiation by default with an option to re-enable it
  Based on Costin's patch for trunk with Mark's modifications
  http://people.apache.org/~markt/patches/2009-11-10-cve-2009-3555-tc6.patch
  +1: markt, billbarker, mturk, kkolinko
  -1:

* Improvements to memory leak prevention
  http://people.apache.org/~markt/patches/2009-11-10-leak-prevention.patch
  +1: markt, kkolinko
  -1:
  kkolinko: a pair of doc typos:
   a) in JavaDoc: s/Locked usually files occur/Locked files usually occur/
   b) in listeners.xml: s/case by case basis is required/.. as required/
      or /.. if required/ ?

* Make location and filename of catalina.out configurable in catalina.sh
  http://svn.apache.org/viewvc?rev=835036&view=rev
  +1: fhanik, mturk, kkolinko
  -1:

* Additional fix for
  https://issues.apache.org/bugzilla/show_bug.cgi?id=48097
  1) Code cleanup: Remove use of WebappClassLoader$PrivilegedFindResource,
  because all findResourceInternal(String,String) calls are now already
  wrapped with AccessController.doPrivileged, so additional wrapping is not
  needed.
  2) Add preloading of WebappClassLoader$PrivilegedFindResourceByName, to fix
  https://issues.apache.org/bugzilla/show_bug.cgi?id=48097#c13
  http://people.apache.org/~kkolinko/patches/2009-11-12_PrivilegedFindResource_tc6.patch
  +1: kkolinko
  -1: