BZ1608654: Add host name verification for WebSocket client
BZ1625416: Add a fix for mixed parameters, similar to Tomcat 58545. Patch by Aaron Ogburn.
    • -7
    • +0
    ./tomcat/websocket/server/WsServerContainer.java
    • -1
    • +1
    ./tomcat/websocket/server/UpgradeUtil.java
BZ1608656 - CVE-2018-1336: Fix overflow loop with UTF-8.
BZ1548975: Port Tomcat patch for CVE-2018-1304.
BZ1520539: Log all multi value headers. Submitted by Petr Jurak.
    • -5
    • +10
    ./catalina/valves/AccessLogValve.java
BZ1513302: Set DESx as MEDIUM. Patch submitted by Michal Babacek.
    • -18
    • +18
    ./tomcat/util/net/jsse/openssl/Cipher.java
BZ1498331: Followup, some specific code for trailing / handling needed to be added.
    • -1
    • +7
    ./naming/resources/FileDirContext.java
BZ1498331: Port over new checks for CVE-2017-12615 and followups.
    • -52
    • +137
    ./naming/resources/FileDirContext.java
BZ1492870: Endpoint close has to be taken out of the sync to avoid a deadlock.
BZ1491857: Switch the default to the HTTP spec.
    • -1
    • +1
    ./tomcat/util/http/parser/HttpParser.java
BZ1489846: Part 2: remove char restrictions.
    • -4
    • +1
    ./tomcat/util/http/parser/HttpParser.java
BZ1489846: Port Coty's patch to allow again {|} chars in the URL. For compatibility, this is enabled by default (set the system property to empty to disable it).
    • -1
    • +14
    ./tomcat/util/http/parser/HttpParser.java
BZ1433123: Avoid calling prepareRequest if an error occurred earlier.
    • -10
    • +13
    ./coyote/http11/Http11NioProcessor.java
    • -8
    • +10
    ./coyote/http11/Http11Processor.java
    • -9
    • +11
    ./coyote/http11/Http11AprProcessor.java
BZ1460573: Handle error processing as a GET, fix for CVE-2017-5664.
    • -0
    • +12
    ./catalina/servlets/DefaultServlet.java
    • -0
    • +6
    ./catalina/servlets/WebdavServlet.java
BZ1393221: Port Tomcat fix for CVE-2016-6796.
  1. … 1 more file in changeset.
BZ1393226: Patch CVE-2016-5018, just in case.
    • -50
    • +0
    ./jasper/runtime/JspRuntimeLibrary.java
    • -2
    • +0
    ./jasper/security/SecurityClassLoad.java
    • -2
    • +0
    ./jasper/compiler/JspRuntimeContext.java
BZ1419145: Hack to force restore of the content type header even when there's no body. Submitted by Aaron Ogburn.
BZ1439225: set encoding for multipart/form-data. Submitted by Aaron Ogburn.
BZ1426471: Remove possible deadlock situation. The non blocking code is only really used by websockets, which has write syncs already, so it is possible to remove it.
    • -9
    • +7
    ./coyote/http11/Http11NioProcessor.java
BZ1426264: Fix weird error handling in blockingWrite, also remove the immediate close for other errors, and always return a negative value.
    • -12
    • +1
    ./coyote/http11/InternalNioOutputBuffer.java
BZ1423453: Port code cleanup from Tomcat.
    • -9
    • +2
    ./coyote/http11/InternalInputBuffer.java
    • -11
    • +4
    ./coyote/http11/AbstractInternalInputBuffer.java
BZ1410869: Fix sync of AsyncContext.complete, and change all syncs from the processor object to the request object (since it is available everywhere).
    • -2
    • +2
    ./coyote/http11/Http11NioProtocol.java
    • -18
    • +22
    ./coyote/http11/Http11NioProcessor.java
    • -2
    • +2
    ./coyote/http11/Http11AprProtocol.java
    • -12
    • +16
    ./catalina/connector/AsyncContextImpl.java
    • -3
    • +3
    ./coyote/http11/Http11AprProcessor.java
    • -2
    • +4
    ./catalina/connector/HttpEventImpl.java
BZ1410869: Make the async context a separate object from the request, so that it can be recycled to avoid bad side effects.
    • -207
    • +29
    ./catalina/connector/Request.java
    • -4
    • +3
    ./catalina/connector/CoyoteAdapter.java
    • -4
    • +4
    ./catalina/core/StandardWrapperValve.java
    • -0
    • +253
    ./catalina/connector/AsyncContextImpl.java
    • -2
    • +3
    ./catalina/core/StandardHostValve.java
BZ1399005: Add debug to max swallow input.
  1. … 1 more file in changeset.
BZ1399014: Fix CVE-2016-6816 request smuggling
    • -0
    • +39
    ./coyote/http11/AbstractInternalInputBuffer.java
    • -1
    • +39
    ./coyote/http11/InternalInputBuffer.java
    • -0
    • +551
    ./tomcat/util/http/parser/HttpParser.java
    • -0
    • +125
    ./tomcat/util/http/parser/MediaType.java
  1. … 1 more file in changeset.
BZ1391834: Avoid logging NPE.
BZ1376379: Port Tomcat change that sets 500 status when an unexpected exception is caught as best effort to report an error.
    • -0
    • +1
    ./catalina/connector/CoyoteAdapter.java
BZ1275403: Loop over unwrap loop to make sure some bytes are produced in blocking mode. Patch by Masafumi Miura.
    • -7
    • +6
    ./tomcat/util/net/jsse/SecureNioChannel.java
BZ1370182: Add syncing for Servlet 3.0 async to allow non container threads interaction. The extra sync shouldn't be too expensive.
    • -61
    • +65
    ./coyote/http11/Http11AprProtocol.java
    • -58
    • +61
    ./coyote/ajp/AjpAprProtocol.java
    • -19
    • +27
    ./coyote/http11/Http11AprProcessor.java
    • -120
    • +121
    ./coyote/http11/Http11NioProtocol.java
    • -62
    • +65
    ./coyote/http11/Http11Protocol.java
BZ1203510: Apply workaround patch to display statistics if possible with the NIO connector. Patch by Enrique Gonzalez Martinez.