diff -Nru tomcat6-6.0.33/BUILDING.txt tomcat6-6.0.35/BUILDING.txt
--- tomcat6-6.0.33/BUILDING.txt 2008-11-15 19:48:42.000000000 +0000
+++ tomcat6-6.0.35/BUILDING.txt 2011-11-15 15:54:27.000000000 +0000
@@ -15,7 +15,7 @@
limitations under the License.
================================================================================
-$Id: BUILDING.txt 717919 2008-11-15 19:48:42Z markt $
+$Id: BUILDING.txt 1202262 2011-11-15 15:54:27Z kkolinko $
====================================================
Building The Apache Tomcat 6.0 Servlet/JSP Container
@@ -23,9 +23,14 @@
This subproject contains the source code for Tomcat 6.0, a container that
implements the Servlet 2.5 and JSP 2.1 specifications from the Java
-Community Process . In order to build a binary
-distribution version of the container from a source distribution,
-do the following:
+Community Process .
+
+Note: If you just need to run Apache Tomcat, it is not necessary to build
+it. You may simply download a binary distribution. It is cross-platform.
+Read RUNNING.txt for the instruction on how to run it.
+
+In order to build a binary distribution version of Apache Tomcat from a
+source distribution, do the following:
(0) Download and Install a Java Development Kit
@@ -68,17 +73,16 @@
(2.1) Checkout or obtain the source code for Tomcat 6.0
-* Tomcat SVN repository URL:
- http://svn.apache.org/repos/asf/tomcat/tc6.0.x/
+* Tomcat 6.0 SVN repository URL:
+ http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/
* Download a source package from:
http://tomcat.apache.org/download-60.cgi
-* Checkout the source using SVN, selecting the desired version or
- branch (current development source is at
- http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/), or
- unpack the source package. The location where the source has been
- placed will be referred as ${tomcat.source}.
+* Checkout the source using SVN, selecting a tag for released version or
+ trunk for the current development code, or unpack a source package. The
+ location where the source has been placed will be referred as
+ ${tomcat.source}.
(2.2) Building
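Review bot: The first bullet now labels .../tc6.0.x/trunk/ as the "Tomcat 6.0 SVN repository URL", but the rewritten third bullet tells the reader to select "a tag for released version or trunk", and after this change the text no longer shows a URL under which tags can be found. Either keep the repository root in the first bullet and name trunk separately, or add the tags location. In the same bullet, "for released version" needs an article and "will be referred as" should read "will be referred to as".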
@@ -88,14 +92,19 @@
ant download
ant
+* WARNING: Running "ant download" command will download libraries required
+ to build Tomcat to the /usr/share/java directory. On a typical Linux or
+ MacOX system an ordinary user will not have access to write to this
+ directory, and, even if you do, it may not be appropriate for you to
+ write there.
+
+ On Windows this usually corresponds to the "C:\usr\share\java"
+ directory, unless Cygwin is used. Read below to learn how to customize
+ the directory used to download the binaries.
+
* NOTE: Users accessing the Internet through a proxy must use a properties
file to indicate to Ant the proxy configuration. Read below.
-* WARNING: Running this command will download binaries to the /usr/share/java
- directory. Make sure this is appropriate to do on your computer. On Windows,
- this usually corresponds to the "C:\usr\share\java" directory, unless Cygwin
- is used. Read below to customize the directory used to download the binaries.
-
* The build can be controlled by creating a ${tomcat.source}/build.properties
file, and adding the following content to it:
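Review bot: "MacOX" in the new WARNING is a typo for Mac OS X. The same sentence switches from "an ordinary user" to "even if you do", so it should be rewritten in one person throughout. "Read below to learn how to customize the directory" would be easier to follow if it named the property involved, base.path, which is what the build.properties sample further down sets.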
@@ -108,7 +117,7 @@
# ----- Default Base Path for Dependent Packages -----
# Replace this path with the directory path where dependencies binaries
# should be downloaded
- base.path=/usr/share/java
+ base.path=/home/me/some-place-to-download-to
(3) Updating sources
@@ -138,5 +147,3 @@
cd ${tomcat.source}
ant -f dist.xml release
-
-
diff -Nru tomcat6-6.0.33/build.properties.default tomcat6-6.0.35/build.properties.default
--- tomcat6-6.0.33/build.properties.default 2011-08-15 14:11:04.000000000 +0000
+++ tomcat6-6.0.35/build.properties.default 2011-11-28 10:12:53.000000000 +0000
@@ -21,16 +21,16 @@
# modules that Tomcat depends on. Copy this file to "build.properties"
# in the top-level source directory, and customize it as needed.
#
-# $Id: build.properties.default 1157853 2011-08-15 14:11:04Z jfclere $
+# $Id: build.properties.default 1207052 2011-11-28 10:12:53Z jfclere $
# -----------------------------------------------------------------------------
# ----- Version Control Flags -----
version.major=6
version.minor=0
-version.build=33
+version.build=35
version.patch=0
version.suffix=-dev
-version=6.0.33
+version=6.0.35
# ----- Default Base Path for Dependent Packages -----
# Please note this path must be absolute, not relative,
@@ -108,17 +108,17 @@
# - noTldJars in o.a.j.compiler.TldLocationsCache
# - res/maven/jasper.pom
# - eclipse.classpath
-jdt.version=3.3.1
-jdt.release=R-3.3.1-200709211145
+jdt.version=3.7
+jdt.release=R-3.7-201106131736
jdt.home=${base.path}/ecj-${jdt.version}
jdt.jar=${jdt.home}/ecj-${jdt.version}.jar
# The download will be moved to the archive area eventually. We are taking care of that in advance.
# Note older JARs were called ecj.jar. Newer JARs are called ecj-${jdt.version}.jar
-jdt.loc.1=http://archive.eclipse.org/eclipse/downloads/drops/${jdt.release}/ecj.jar
-jdt.loc.2=http://download.eclipse.org/eclipse/downloads/drops/${jdt.release}/ecj.jar
+jdt.loc.1=http://archive.eclipse.org/eclipse/downloads/drops/${jdt.release}/ecj-${jdt.version}.jar
+jdt.loc.2=http://download.eclipse.org/eclipse/downloads/drops/${jdt.release}/ecj-${jdt.version}.jar
# ----- Tomcat native library -----
-tomcat-native.version=1.1.20
+tomcat-native.version=1.1.22
tomcat-native.home=${base.path}/tomcat-native-${tomcat-native.version}
tomcat-native.tar.gz=${tomcat-native.home}/tomcat-native.tar.gz
tomcat-native.loc.1=${base-tomcat.loc.1}/tomcat-connectors/native/${tomcat-native.version}/source/tomcat-native-${tomcat-native.version}-src.tar.gz
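Review bot: The context comment at the top of this hunk lists three other places tied to the JDT version (noTldJars in o.a.j.compiler.TldLocationsCache, res/maven/jasper.pom, eclipse.classpath), and none of them shows up in the diff as presented here. Since the JAR name changes from ecj.jar to ecj-${jdt.version}.jar, please confirm each of them was updated. Separately, jdt.loc.1 and jdt.loc.2 fetch the compiler JAR over plain http:// and nothing in this hunk pins a checksum for it, so the build accepts whatever the network returns. A checksum property next to jdt.release, verified after download, would close that gap.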
diff -Nru tomcat6-6.0.33/build.xml tomcat6-6.0.35/build.xml
--- tomcat6-6.0.33/build.xml 2011-08-04 10:09:45.000000000 +0000
+++ tomcat6-6.0.35/build.xml 2011-10-14 16:07:51.000000000 +0000
@@ -417,6 +417,9 @@
excludes="build.xml project.xml"
includes="*.xml">
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff -Nru tomcat6-6.0.33/conf/web.xml tomcat6-6.0.35/conf/web.xml
--- tomcat6-6.0.33/conf/web.xml 2011-04-18 14:04:17.000000000 +0000
+++ tomcat6-6.0.35/conf/web.xml 2011-11-10 22:24:17.000000000 +0000
@@ -421,6 +421,19 @@
+
+
+
+
+
+
@@ -481,6 +494,14 @@
+
+
+
-
+
+
+
+
+ Fix regression in decoding of parameters that contain spaces.
+ Patch by Willem Fibbe. (kkolinko)
+
+
+
+
+
+
+
+
+ 51550: Display an error page rather than an empty response
+ for an IllegalStateException caused by too many active sessions. (markt)
+
+
+ 51640: Improve the memory leak prevention for leaks
+ triggered by java.sql.DriverManager. (markt/kkolinko)
+
+
+ 51688: JreMemoryLeakPreventionListener now protects against
+ AWT thread creation. (schultz)
+
+
+ 51758: The digester (used for processing XML files) used the
+ logger name org.apache.commons.digester.Digester
rather
+ than the expected org.apache.tomcat.util.digester.Digester
.
+ The digester has been changed to use the expected logger name.
+ (kkolinko)
+
+
+ 51862: Added a classesToInitialize
attribute to
+ JreMemoryLeakPreventionListener
to allow pre-loading of configurable
+ classes to avoid some classloader leaks. (slaurent)
+
+
+ 51872: Ensure that the access log always uses the correct
+ value for the remote IP address associated with the request and that
+ requests with multiple errors do not result in multiple entries in
+ the access log. (markt)
+
+
+ Allow to overwrite the check for distributability
+ of session attributes by session implementations. (rjung)
+
+
+ Provide the log format "OneLineFormatter" for JULI that provides the same
+ information as the default plus thread name but on a single line.
+ (markt/rjung)
+
+
+ Ensure the the memory leak protection for the HttpClient keep-alive
+ always operates even if the thread has already stopped. (markt)
+
+
+ 51940: Do not limit saving of request bodies during FORM
+ authentication to POST requests since any HTTP method may include a
+ request body. Based on a patch by Nicholas Sushkin. (kkolinko)
+
+
+ 52091: Address performance issues related to lock contention
+ in StandardWrapper. Based on patch provided by Taiki Sugawara.
+ (kkolinko)
+
+
+ In GenericPrincipal, SerializablePrincipal: Do not sort lists of roles
+ that have only one element. (kkolinko)
+
+
+ Make configuration issue for CsrfPreventionFilter result in the
+ failure of the filter rather than just a warning message. (kkolinko)
+
+
+ Ensure changes to the configuration of RemoteAddrValve and
+ RemoteHostValve via JMX are thread-safe. (kkolinko)
+
+
+ Make configuration issue for RemoteAddrValve and
+ RemoteHostValve result in the failure of the valve rather than
+ just a warning message. (kkolinko)
+
+
+ In RequestFilterValve
(RemoteAddrValve
,
+ RemoteHostValve
): refactor value matching logic into
+ separate method and expose this new method isAllowed
+ through JMX. (kkolinko)
+
+
+ Improve performance of parameter processing for GET and POST requests.
+ Also add an option to limit the maximum number of parameters processed
+ per request. This defaults to 10000. Excessive parameters are ignored.
+ Note that FailedRequestFilter
can be used to reject the
+ request if some parameters were ignored. (markt/kkolinko)
+
+
+ New filter FailedRequestFilter
that will reject a request
+ if there were errors during HTTP parameter parsing. (kkolinko)
+
+
+
+
+
+
+ 50394: Return -1 from read operation instead of throwing an
+ exception when encountering an EOF with the HTTP APR connector.
+ (kkolinko)
+
+
+ 51698: Fix CVE-2011-3190. Prevent AJP message injection.
+ (markt)
+
+
+ Detect incomplete AJP messages and reject the associated request if one
+ is found. (markt)
+
+
+ 51794: Fix race condition in NioEndpoint selector. Patch
+ provided by dlord. (fhanik)
+
+
+ 51905: Fix infinite loop in AprEndpoint shutdown if
+ acceptor unlock fails. Reduce timeout before forcefully closing
+ the socket from 30s to 10s. (kkolinko)
+
+
+ 52121: Fix possible output corruption when compression is
+ enabled for a connector and the response is flushed. Test
+ case provided by David Marcks. (kkolinko)
+
+
+ Replace unneeded call that iterated events queue in NioEndpoint.Poller.
+ (kkolinko)
+
+
+ Improve MimeHeaders.toString(). (kkolinko)
+
+
+ Allow the BIO HTTP connector to be used with SSL when running under Java
+ 7. (markt)
+
+
+ Improve multi-byte character handling in all connectors. (rjung)
+
+
+
+
+
+
+ 51220: Correct copy/paste error in original commit for this
+ issue. (markt)
+
+
+ 52091: Address performance issues related to log creation
+ in TagHandlerPool. Patch provided by Taiki Sugawara. (markt)
+
+
+
+
+
+
+ 51736: Make rpcTimeout configurable in BackupManager.
+ (kfujino)
+
+
+ New cluster manager attribute sessionAttributeFilter
+ allows to filter which session attributes are replicated using a
+ regular expression applied to the attribute name. (rjung)
+
+
+ Avoid an unnecessary session ID change notice.
+ Notice of changed session ID by JvmRouteBinderValve is unnecessary to
+ BackupManager. In BackupManager, change of session ID is replicated by
+ the call of a setId() method. (kfujino)
+
+
+ Fix unneeded duplicate resetDeltaRequest()
call in
+ DeltaSession.setId(String)
. (kkolinko)
+
+
+ When Context manager does not exist, no context manager message is
+ replied in order to avoid timeout (default 60 sec) of
+ GET_ALL_SESSIONS sync phase. (kfujino)
+
+
+
+
+
+
+ Correct the documentation for the connectionLinger attribute of the HTTP
+ connector. (markt)
+
+
+ Show build date and version in the header on every documentation
+ page. (kkolinko)
+
+
+ 52049: Improve setup instructions for running as a Windows
+ service: correct information on how a JRE is identified and selected.
+ (markt)
+
+
+ 52172: Clarify Tomcat build instructions. Patch provided
+ by bmargulies. (kkolinko)
+
+
+
+
+
+
+ Update the native component of the APR/native connectors to 1.1.22.
+ (markt)
+
+
+ Update the recommended version of the native component of the APR/native
+ connectors to 1.1.22. (kkolinko)
+
+
+ Update the Eclipse compiler (used for JSPs) to 3.7. (markt)
+
+
+ Correct two typos in the Windows installer. (kkolinko)
+
+
+ 52059: In Windows uninstaller: Do not forget to remove
+ Tomcat keys from 32-bit registry on deinstallation. (kkolinko)
+
+
+
+
+
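Review bot: The entry on parameter processing says excessive parameters "are ignored" once the default limit of 10000 is reached, which means a request over the limit is still served with part of its input silently dropped unless FailedRequestFilter is configured. The entry should name the connector attribute (maxParameterCount, as used in the config docs later in this diff) and state that consequence directly. The CVE-2011-3190 entry says only "Prevent AJP message injection" and would benefit from one sentence on what an operator has to do, if anything, beyond upgrading. "Ensure the the memory leak protection" has a doubled word.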
@@ -154,7 +385,7 @@
51400: Avoid jvm bottleneck on String/byte[] conversion
triggered by a JVM bug. Based on patches by Dave Engberg and Konstantin
- Preißer. (markt)
+ Preißer. (markt)
51403: Avoid NPE in JULI FileHandler if formatter is
@@ -191,8 +422,8 @@
Unregister DataSource MBeans when web application stops. (kfujino)
- Add additional configuration options to the DIGEST authenticator.
- (markt)
+ CVE-2011-1184: Add additional configuration options to the DIGEST
+ authenticator. (markt)
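Review bot: The entry now carries CVE-2011-1184, but its text is still only "Add additional configuration options to the DIGEST authenticator", which does not tell an operator what the weakness was, which options were added, or whether the defaults are safe. Since this edits the notes of an already released version, add a sentence on what was fixed and what needs configuring so that the CVE id is not the only information.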
@@ -445,7 +676,8 @@
Improve HTTP specification compliance in support of
- Accept-Language
header. (kkolinko)
+ Accept-Language
header. This protects from known exploit
+ of the Oracle JVM bug that triggers a DoS, CVE-2010-4476. (kkolinko)
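Review bot: "This protects from known exploit of the Oracle JVM bug" is missing articles and reads better as "This protects against a known exploit of the Oracle JVM bug that triggers a DoS (CVE-2010-4476)". The sentence also leaves open whether the Accept-Language handling is a mitigation for one input path or a complete fix, so say which it is.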
@@ -1645,7 +1877,7 @@
operation. Patch provided by sebb. (markt)
- 48417: Update French translations. Patch provided by Andr�
+ 48417: Update French translations. Patch provided by André
Warnier. (markt/kkolinko)
@@ -1946,7 +2178,7 @@
47918: Correct mbean descriptors for the host deployer. Patch
- provided by Uwe G�nther. (markt)
+ provided by Uwe Günther. (markt)
47930: Fix thread safety issues on session swap-in in the
@@ -1977,7 +2209,7 @@
48257: Correct error in Spanish translations. Patch provided
- by Guillermo Guti�rrez. (markt)
+ by Guillermo Gutiérrez. (markt)
48306, 48307: Correct French translations. Patches
@@ -1989,7 +2221,7 @@
48413: Correct some French translations. Patch provided by
- Andr� Warnier. (markt)
+ André Warnier. (markt)
Deprecate the caseSensitive
option on the
@@ -3038,7 +3270,7 @@
46047: Include the path to the JAR when recording
dependencies that are located inside a JAR file. Patch provided by
- C�dric Mailleux. (markt)
+ Cédric Mailleux. (markt)
46381: Composite expressions used for attribute values must
@@ -3419,7 +3651,7 @@
44988: Use Java5 syntax for debug options. Patch provided
- by Cedrik Lime. (markt)
+ by Cédrik Lime. (markt)
45101: Format header dates obtained from
@@ -4322,7 +4554,7 @@
Fix various paths in the manager webapps (remm)
- Session viewer and editor for the HTML manager. Submitted by C�drik Lime. (remm)
+ Session viewer and editor for the HTML manager. Submitted by Cédrik Lime. (remm)
Session handling tools for the manager. Submitted by Rainer Jung. (remm)
@@ -4454,7 +4686,7 @@
Cleanup hello webapp from the docs and fix a XSS issue in the JSP. (remm)
- Examples webapp cleanup. Submitted by Takayuki Kaneko and Markus Sch�nhaber. (remm)
+ Examples webapp cleanup. Submitted by Takayuki Kaneko and Markus Schönhaber. (remm)
41289: Create configBase, since it is no longer created elsewhere.
@@ -4599,7 +4831,7 @@
Use 2.5 xsd in Tomcat webapps. (markt)
- Compression filter improvements, submitted by Eric Hedstr�m. (markt)
+ Compression filter improvements, submitted by Eric Hedström. (markt)
@@ -4749,7 +4981,7 @@
39572: Improvements to CompressionFilter example provided by
- Eric Hedstr�m. (markt)
+ Eric Hedström. (markt)
diff -Nru tomcat6-6.0.33/webapps/docs/config/ajp.xml tomcat6-6.0.35/webapps/docs/config/ajp.xml
--- tomcat6-6.0.33/webapps/docs/config/ajp.xml 2011-06-03 08:17:02.000000000 +0000
+++ tomcat6-6.0.35/webapps/docs/config/ajp.xml 2011-11-10 22:24:17.000000000 +0000
@@ -93,6 +93,14 @@
By default, DNS lookups are enabled.
+
+ The maximum number of parameters (GET plus POST) which will be
+ automatically parsed by the container. A value of less than 0 means no
+ limit. If not specified, a default of 10000 is used. Note that
+ FailedRequestFilter
filter can be
+ used to reject requests that hit the limit.
+
+
The maximum size in bytes of the POST which will be handled by
the container FORM URL parameter parsing. The feature can be disabled by
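Review bot: The new attribute description says "A value of less than 0 means no limit" but does not say what a value of 0 does, and it does not say what happens to parameters beyond the limit. The changelog entry in this same diff states that they are ignored, and that belongs here too, because it is the reason FailedRequestFilter is mentioned. "FailedRequestFilter filter" repeats the word filter.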
diff -Nru tomcat6-6.0.33/webapps/docs/config/cluster-manager.xml tomcat6-6.0.35/webapps/docs/config/cluster-manager.xml
--- tomcat6-6.0.33/webapps/docs/config/cluster-manager.xml 2011-08-01 19:10:01.000000000 +0000
+++ tomcat6-6.0.35/webapps/docs/config/cluster-manager.xml 2011-09-24 16:39:29.000000000 +0000
@@ -123,6 +123,15 @@
from another node when a node is starting up.
Default value is 60
seconds.
+
+ A regular expression used to filter, which session attributes will
+ be replicated. An attribute will only be replicated, if its name
+ matches this pattern. If the pattern is not set (default), all
+ attributes are eligible for replication. As an example, the value
+ ^(userName|sessionHistory)$
will only replicate the two
+ session attributes named userName
and
+ sessionHistory
.
+
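Review bot: "An attribute will only be replicated, if its name matches this pattern" does not say whether the whole name must match or a substring is enough. The example ^(userName|sessionHistory)$ carries explicit anchors, so a reader cannot assume full-match semantics from the text alone. State which it is, and add that attributes excluded by the pattern will not be present in the session on the other nodes. The commas after "filter" and "replicated" should be dropped.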
@@ -141,6 +150,11 @@
sessions where the current node is the primary node for the session are
considered active sessions.
+
+ Timeout for RPC message used for broadcast and transfer state from
+ another map.
+ Default value is 15000
milliseconds.
+
diff -Nru tomcat6-6.0.33/webapps/docs/config/context.xml tomcat6-6.0.35/webapps/docs/config/context.xml
--- tomcat6-6.0.33/webapps/docs/config/context.xml 2011-08-02 09:38:38.000000000 +0000
+++ tomcat6-6.0.35/webapps/docs/config/context.xml 2011-10-18 12:52:22.000000000 +0000
@@ -50,7 +50,7 @@
unpacked contents, as described in the Servlet Specification (version
2.2 or later). For more information about web application archives,
you can download the
- Servlet
+ Servlet
Specification, and review the Tomcat
Application Developer's Guide.
diff -Nru tomcat6-6.0.33/webapps/docs/config/filter.xml tomcat6-6.0.35/webapps/docs/config/filter.xml
--- tomcat6-6.0.33/webapps/docs/config/filter.xml 2010-11-03 17:17:59.000000000 +0000
+++ tomcat6-6.0.35/webapps/docs/config/filter.xml 2011-11-10 22:24:17.000000000 +0000
@@ -112,6 +112,46 @@
+
+
+
+
+ This filter triggers parameters parsing in a request and rejects the
+ request if some parameters were skipped during parameter parsing because
+ of parsing errors or request size limitations (such as
+ maxParameterCount
attribute in a
+ Connector).
+ This filter can be used to ensure that none parameter values submitted by
+ client are lost.
+
+ Note that parameter parsing may consume the body of an HTTP request, so
+ caution is needed if the servlet protected by this filter uses
+ request.getInputStream()
or request.getReader()
+ calls. In general the risk of breaking a web application by adding this
+ filter is not so high, because parameter parsing does check content type
+ of the request before consuming the request body.
+
+ The request is rejected with HTTP status code 400 (Bad Request).
+
+
+
+
+
+ The filter class name for the Failed Request Filter is
+ org.apache.catalina.filters.FailedRequestFilter
+ .
+
+
+
+
+
+ The Failed Request Filter does not support any initialization parameters.
+
+
+
+
+
+
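Review bot: The caution paragraph says the risk of breaking an application "is not so high" because the content type is checked before the request body is consumed, but it does not name the content types for which the body is consumed. A reader whose servlet calls request.getInputStream() or request.getReader() therefore cannot tell whether they are affected, so list those content types. In the first paragraph, "triggers parameters parsing" should be "triggers parameter parsing" and "none parameter values submitted by client are lost" should be "no parameter values submitted by the client are lost".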