* Add `--execute-bundle` option to `jekyll new` to disable running bundler
by default.
* Now depends on ruby-jekyll-minima and ruby-jekyll-feed. These are used
by the default theme of a site created by `jekyll new`.
v3.4.3 2017/3/21
* Backport #5957 for v3.4.x: Allow colons in uri_escape filter (#5968)
This is really part of jekyll.
Minima is a one-size-fits-all Jekyll theme for writers*. It's Jekyll's default
(and first) theme. It's what you get when you run `jekyll new`.
Faraday 0.12.1 2017/04/21
* Fix an issue with Patron tests failing on jruby
* Fix an issue with new rewind_files feature that was causing an exception
when the body was not a Hash
* Expose wrapped_exception in all client errors
* Add Authentication Section to the ReadMe
Faraday 0.12.0.1 2017/04/02
* Hotfix release to address an issue with TravisCI deploy on Rubygems
Faraday 0.12.0 2017/03/21
* Proxy feature now relies on Ruby URI::Generic#find_proxy and can use
no_proxy ENV variable (not compatible with ruby < 2.0)
* Fix an issue with options that was causing new options to override default
ones unexpectedly
* Rewind UploadIOs on retry to fix a compatibility issue
* Make multipart boundary unique
* Adds support for context request option to pass arbitrary information to
middlewares
* Improvements in README.md
# Version 2.13.0
Release date: 2017-03-16
### Added
* Selenium driver supports returning element(s) from evaluate_script [Thomas Walpole]
* rack_test driver supports click on checkboxes and radio buttons to change their states [Thomas Walpole]
* Support RSpec equivalent assertions and expectations for MiniTest [Thomas Walpole]
### Fixed
* Editing of content editable children with selenium
# Version 2.12.1
Release date: 2017-02-16
### Fixed
* Disable lazy Capybara::Results evaluation for JRuby due to ongoing issues
# Version 2.12.0
Release date: 2017-01-22
### Added
* Session#switch_to_frame for manually handling frame switching - Issue #1365 [Thomas Walpole]
* Session#within_frame now accepts a selector type (defaults to :frame) and locator [Thomas Walpole]
* Session#execute_script and Session#evaluate_script now accept optional arguments that will be passed to the JS function. This may not be supported
by all drivers, and the types of arguments that may be passed is limited. If drivers opt to support this feature they should support passing page elements. [Thomas Walpole]
* :exact option for text and title matchers - Issue #1256 [Thomas Walpole]
* :exact_text option for selector finders/matchers - Issue #1256 [Thomas Walpole]
* Capybara.exact_text setting that affects the text matchers and :text options passed to selector finders/matchers. Issue #1256 [Thomas Walpole]
* :make_visible option for #attach_file that allows for convenient changing of the CSS style of a file input element before attaching the file to it. Requires driver
support for passing page elements to Session#execute_script [Thomas Walpole]
* assert_all_selectors/assert_none_of_selectors assertions added
* :link selector (used by find_link/click_link) now supports finding hyperlink placeholders (no href attribute) when href: nil option is specified [Thomas Walpole]
* `within_element` as an alias of `within` due to RSpec collision
### Fixed
* Fields inside a disabled fieldset are now correctly considered disabled - Issue #1816 [Thomas Walpole]
* Lazy Capybara::Results evaluation enabled for JRuby 9.1.6.0+
* A driver returning nil for #current_url won't raise an exception when calling #current_path [Dylan Reichstadt]
* Support Ruby 2.4.0 unified Integer [Koichi ITO]
* RackTest driver no longer modifies the text content of textarea elements in order to behave more like a real browser [Thomas Walpole]
* TextQuery (assert_text/have_text/etc) now ignores errors when trying to generate more helpful errors messages so the original error isn't hidden [Thomas Walpole]
# Version 2.11.0
Release date: 2016-12-05
### Added
* Options for clearing session/local storage on reset added to the Selenium driver
* Window size changes wait for the size to stabilize
* Defined return value for most actions
* Ignore specific error when quitting selenium driver instance - Issue #1773 [Dylan Reichstadt, Thomas Walpole]
* Warn on selenium unknown errors rather than raising when quitting driver [Adam Pohorecki, Thomas Walpole]
* Capybara::Result#each now returns an `Enumerator` when called without a block - Issue #1777 [Thomas Walpole]
### Fixed
* Selenium driver with Chrome should support multiple file upload [Thomas Walpole]
* Fix visible: :hidden with :text option behavior [Thomas Walpole]
# Version 2.10.2
Release date: 2016-11-30
### Fixed
* App exceptions with multiple parameter initializers now re-raised correctly - Issue #1785 [Michael Lutsiuk]
* Use Addressable::URI when parsing current_path since it's more lenient of technically invalid URLs - Issue #1801 [Marcos Duque, Thomas Walpole]
Sun Dec 4 18:48:03 2015 Jeremy Daer <jeremydaer@gmail.com>
* First-party "SameSite" cookies. Browsers omit SameSite cookies
from third-party requests, closing the door on many CSRF attacks.
Pass `same_site: true` (or `:strict`) to enable:
response.set_cookie 'foo', value: 'bar', same_site: true
or `same_site: :lax` to use Lax enforcement:
response.set_cookie 'foo', value: 'bar', same_site: :lax
Based on version 7 of the Same-site Cookies internet draft:
https://tools.ietf.org/html/draft-west-first-party-cookies-07
Thanks to Ben Toews (@mastahyeti) and Bob Long (@bobjflong) for
updating to drafts 5 and 7.
Wed Jun 24 12:13:37 2015 Aaron Patterson <tenderlove@ruby-lang.org>
* Fix Ruby 1.8 backwards compatibility
Notable changes since 3.2:
- Change the stylesheet of exception pages for development
mode. Additionally display also the line of code and fragment that
raised the exception in all exceptions pages.
- protect_from_forgery also prevents cross-origin <script>
tags. Update your tests to use xhr :get, :foo, format: :js instead
of get :foo, format: :js.
- #url_for takes a hash with options inside an array.
- Added session#fetch method. fetch behaves similarly to Hash#fetch,
with the exception that the returned value is always saved into the
session.
- Separated Action View completely from Action Pack.
- Log which keys were affected by deep munge.
- New config option config.action_dispatch.perform_deep_munge to opt
out of params "deep munging" that was used to address security
vulnerability CVE-2013-0155.
- New config option config.action_dispatch.cookies_serializer for
specifying a serializer for the signed and encrypted cookie jars.
- Added render :plain, render :html and render :body.
- The *_filter family of methods have been removed from the
documentation. Their usage is discouraged in favor of the *_action
family of methods:
- render nothing: true or rendering a nil body no longer add a single
space padding to the response body.
- Rails now automatically includes the template's digest in ETags.
- Segments that are passed into URL helpers are now automatically
escaped.
- Introduced the always_permitted_parameters option to configure which
parameters are permitted globally. The default value of this
configuration is ['controller', 'action'].
- Added the HTTP method MKCALENDAR from RFC 4791.
- *_fragment.action_controller notifications now include the
controller and action name in the payload.
- Improved the Routing Error page with fuzzy matching for route
search.
- Added an option to disable logging of CSRF failures.
- When the Rails server is set to serve static assets, gzip assets
will now be served if the client supports it and a pre-generated
gzip file (.gz) is on disk. By default the asset pipeline generates
.gz files for all compressible assets. Serving gzip files minimizes
data transfer and speeds up asset requests. Always use a CDN if you
are serving assets from your Rails server in production.
- When calling the process helpers in an integration test the path
needs to have a leading slash. Previously you could omit it but that
was a byproduct of the implementation and not an intentional
feature.
6.26 2017-04-12
- Perltidy all apps in the bin/ directory
- Make all apps in bin/ use strict and warnings (RT #92633)
- Fix bug tracker URL in metadata
5.04 2017-04-17
Release by Jeff Fearn
[FIXES]
* Remove Distzilla to fix RT #120521#89820
* Add POD to htmltree RT #116367
* Speed up is_inside method RT #113415
- From Todd Rinaldo https://github.com/madsen/HTML-Tree/pull/5
* Fix extra spaces being added to comments RT #94311
- From Tomaz Solc
* Don't needlessly escape characters in element content RT #93431
- From Tomaz Solc
4.36 2017-03-29
[ ENHANCEMENT ]
- Support PATCH HTTP method (thanks to GovtGeek for the... patch)
- pass through max_age and samesite to CGI::Cookie->new in the call
in CGI->cookie (GH #220)
[ FIX ]
- skip t/command_line.t on windows as it doesn't work
Tue Apr 11 22:17:00 MSK 2017
Releasing GNU libmicrohttpd 0.9.53. -EG
Mon Apr 10 19:50:20 MSK 2017
HTTPS tests: skip tests instead of failing if HTTPS is not supported by
libcurl.
HTTPS tests: fixed return values so testsuite is able to correctly
interpret it.
Fixed ignored result of epoll test in test_https_get_select. -EG
Thu Apr 06 23:02:07 MSK 2017
Make zzuf tests compatible with *BSD platforms. -EG
Thu Apr 06 22:14:22 MSK 2017
Added warning for hypothetical extra large timeout.
Fixed incorrect timeout calculation under extra rare conditions.
Fixed accidental usage of IPv6 in testsuite in specific conditions. -EG
Wed Apr 05 14:14:22 MSK 2017
Updated autoinit_funcs.h to latest upstream version with proper support of
Oracle/Sun compiler. -EG
Wed Apr 05 12:53:26 MSK 2017
Fixed some compiler warnings.
Fixed snprintf() error detection in digestauth.c.
Converted many run-time 'strlen()' to compile-time calculations. -EG
Sun Mar 26 13:49:01 MSK 2017
Internal refactoring for simplification and unification.
Minor optimizations and minor fixes.
MHD_USE_ITC used again in thread pool mode. -EG
Sat Mar 25 20:58:24 CET 2017
Remove dead MHD_strx_to_sizet-functions and associated
test cases from code. -CG
Sat Mar 25 20:40:10 CET 2017
Allow chunk size > 16 MB (up to 2^64-1). Ignore
chunk extensions instead of triggering an error.
(fixes #4967). -CG
Tue Mar 25 20:59:18 MSK 2017
Check for invalid combinations of flags and options in
MHD_start_daemon(). -EG
Tue Mar 21 13:51:04 CET 2017
Use "-lrt" to link libmicrohttpd if we are using
clock_gettime() as needed by glibc < 2.17. -CG
Tue Mar 21 13:42:07 CET 2017
Allow chaining of suspend-resume calls without
the application processing data from the network. -CG
Mon Mar 20 0:51:24 MSK 2017
Added autoconf module to detect whether shutdown of a listening socket
triggers select(). This is the only reliable way to use this feature, as some
platforms change behaviour from version to version. -EG
Sun Mar 19 13:57:30 MSK 2017
Rewritten logic of handling "upgraded" TLS connections in epoll mode:
used edge trigger instead of level trigger,
upgraded "ready" connection are stored in DL-list,
fixed handling of more than 128 ready connections,
fixed busy-waiting for idle "upgraded" TLS connections. -EG
Fri Mar 17 10:45:31 MSK 2017
If the read buffer is full, MHD needs to receive remote data and the
application has suspended the connection, do not fail while the connection is
suspended; give the application one more chance to read data from the buffer
once the connection is resumed. -EG
Thu Mar 16 23:45:29 MSK 2017
Allow again to run MHD in external epoll mode by
MHD_run_from_select() - this allows unification of user code
and does no harm to performance. Especially useful with the
MHD_USE_AUTO flag. -EG
Thu Mar 16 23:12:07 MSK 2017
Idle connections should be disconnected *after* "timeout" number of
seconds, not *before* this number. -EG/VT
Thu Mar 16 22:31:54 MSK 2017
Unified update of last activity on connections.
Update last activity only if something is really transmitted.
Update last activity each time when something is transmitted.
Removed early duplicated check for timeout on HTTPS connections.
Removed update of last active time for connections without timeout.
Fixed reset of timeout timer on resumed connections.
Fixed never-expired timeouts on HTTPS connections.
Fixed thread-safety of MHD_set_connection_option(). -EG
Thu Mar 16 21:05:08 MSK 2017
Fixed minor bug that resulted in a slight slowdown of the HTTPS connection
handshake. -EG
Thu Mar 16 20:35:59 MSK 2017
Improved thread-safety for DL-lists. -EG
Thu Mar 16 17:55:01 MSK 2017
Fixed thread-safety of MHD_get_daemon_info() for
MHD_DAEMON_INFO_CURRENT_CONNECTIONS. -EG
Thu Mar 16 16:49:07 MSK 2017
Added ability to get actual daemon flags via MHD_get_daemon_info().
Fixed test_upgrade to work in request mode.
Fixed compiler warnings in test_upgrade. -EG
Wed Mar 15 23:29:59 MSK 2017
Prevented socket read/write if connection is suspended.
Added missing resets of 'connection->in_idle'.
Reworked handling of suspended connection: ensure that
connection is not disconnected by timeout, always
updated read/write states right after suspending. -EG
Wed Mar 15 21:02:26 MSK 2017
Added new enum value MHD_CONNECTION_INFO_CONNECTION_TIMEOUT
to get connection timeout by MHD_get_connection_info(). -EG
Sat Mar 11 12:03:45 CET 2017
Fix largepost example from tutorial to properly generate
error pages. -CG
Fix largepost example, must only queue replies either before upload
happens or after upload is done, not while upload is ongoing
Fri Mar 10 16:37:12 CET 2017
Fix hypothetical integer overflow for very, very large
timeout values. -CG
Fri Mar 10 16:22:54 CET 2017
Handle case that we do not listen at all more gracefully
in MHD_start_daemon() and not pass '-1' to helper functions
that expect a valid socket. -CG
Tue Mar 7 12:11:44 BRT 2017
Updates file `.gitignore`.
Tue Mar 7 10:37:45 BRT 2017
Updated the MHD_OPTION_URI_LOG_CALLBACK's documentation.
Mon Mar 6 21:46:59 BRT 2017
Added the i18n example fixing #4924. -SC
Wed Mar 1 23:47:05 CET 2017
Minor internal optimisations.
Changed closed-connection monitoring logic: now all connections are
monitored for OOB data (which is treated as an error), and connections are no
longer monitored for incoming data if incoming data is not required for
processing. except_fd_set is no longer optional for MHD_get_fdset(),
MHD_get_fdset2() and MHD_run_from_select().
Improved connection processing in epoll mode: now connection can process
both read and write each turn.
Updated HTTP response codes; updated and added all missing standard HTTP
header names (and header categories); updated and added all missing
standard and additional HTTP methods. MHD now returns status
MHD_HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE (431) instead of the old
MHD_HTTP_REQUEST_ENTITY_TOO_LARGE (413) for very long headers.
Reworked handling of data pending in TLS buffers, resolved busy-waiting
if incoming data is pending in TLS buffers and connection is in
LOOP_INFO_WRITE mode.
Do not clear 'ready' flag in epoll mode if send()/recv() result is
EINTERRUPTED.
Better detection of unready connection state: fewer calls to
recv()/send() in epoll mode.
Configure: do not run gcrypt and GnuTLS tests if HTTPS is disabled by
configure parameter.
Fixed wrong value returned by MHD_get_timeout().
All double-linked lists are now walked from tail to head. As new items are
added at the head, this results in more uniform processing time.
Improved sockets errors handling in epoll mode.
OOB data on 'upgraded' sockets is treated as error. -EG
Thu Feb 16 11:20:05 CET 2017
Replace tsearch configure check with code from gnulib. -CG
Wed Feb 15 13:35:36 CET 2017
Fixing a few very rare race conditions for thread-pool or
thread-per-connection operations during shutdown.
Various minor cosmetic improvements.
Fixed #4884 and #4888 (solaris portability issues). -CG
Wed Feb 08 22:33:10 MSK 2016
Ported test_quiesce_stream to W32.
Improved precompiler flags selection of OpenBSD.
Fixed sending responses backed by files not supported by sendfile().
Fixed thread safety for responses backed by file FD.
Updated fileserver_example.
Improved handling of 'upgraded' TLS forwarding in select() and poll()
modes.
Fixed processing of incoming TLS data in epoll mode if more than 128
connections are active.
Fixed accepting more than 128 incoming connection in epoll mode.
Improved test_large_put, added poll() and epoll testing.
Added test_large_put_inc for testing of incremental buffer processing.
Rewritten epoll connection processing logic: handle every connection once
per turn instead of trying to handle all active connections until all
pending data is drained. The result is a more uniform connection processing
period. -EG
Wed Nov 23 15:24:10 MSK 2016
Use SO_REUSEADDR (on non-W32) alongside SO_REUSEPORT if option
MHD_OPTION_LISTENING_ADDRESS_REUSE was set. -EG
Wed Nov 23 12:48:23 MSK 2016
Move all gettext-related stuff to 'po' subdirectory.
Excluded gettext files generation from normal build.
Removed generated files from GIT. -EG
Tue Nov 15 19:08:43 MSK 2016
Fixed forwarding "upgraded" TLS connections for
chunk sizes larger than the buffer size. -EG
Mon Nov 14 22:18:30 MSK 2016
Fixed unintentional usage of SO_REUSEADDR on W32.
Added support for SO_EXCLBIND on Solaris.
Fixed using MHD with MHD_OPTION_LISTENING_ADDRESS_REUSE
on Linux kernels before 3.9 (longterm 3.2 and 3.4
are still supported). -EG
Sun Nov 13 19:16:38 CET 2016
Fixed a few race issues on suspend-resume in cases where the
application uses threads even though MHD did not (or at least
had no internal need for locking). Also fixed DLL handling of
the timeout list, avoiding manipulating it for suspended
connections. Finally, eliminated calling application logic
on suspended connections (which before could happen under
certain circumstances). -CG
Thu Nov 11 20:49:23 MSK 2016
Added support for various forms of
pthread_attr_setname_np() so thread names will be set
more efficiently on certain platforms (Solaris, NetBSD etc.) -EG
Thu Nov 10 21:50:35 MSK 2016
Added rejection in MHD_start_daemon() of invalid combinations
of daemon flags.
Added MHD_USE_AUTO and MHD_USE_AUTO_INTERNAL_THREAD for
automatic selection of polling function depending on
platform capabilities and requested mode. -EG
Thu Nov 10 17:49:56 MSK 2016
Ported "upgrade" tests to W32 and other platforms, used
"gnutls-cli" instead of "openssl" in tests, minor bugs
fixed, added verbose reporting if requested.
"Upgrade" processing - changed internal handling logic, improved
and refactored, bugs fixed, fixed sigpipe on Darwin, added
printing error to log, fixed compilation without HTTPS.
Added 'configure' parameter "--disable-httpupgrade" for building
minimal-sized MHD versions.
Added feature check "MHD_FEATURE_UPGRADE".
Responses destroyed (freed) earlier if possible.
Added many remarks in code comments about thread safety.
Some data races and other multithread-related issues are fixed,
including usage of closed sockets (which may have resulted in accidental
closing of the wrong socket).
SO_NOSIGPIPE is used on all platforms which support it, not only
on Darwin.
Added support for suspending connections in thread-per-connection
mode (itself almost useless, mostly to unify modes support).
Fixed Inter-Thread Communication channel usage in epoll modes.
Reworked daemon cleanups and handling MHD_stop_daemon(): resources
are freed only by specific threads, data races and other fixes.
Started usage of C99 standard 'bool' where supported with
fallback to 'int'.
Renamed many MHD flags. Now they are self-explainable and more
obvious, like MHD_USE_INTERNAL_POLLING_THREAD instead of
MHD_USE_SELECT_INTERNALLY. Old flag names are supported for
backward compatibility.
Improved processing of "fast" connections: now the full sequence
"read request - send reply headers - send reply body" is processed
after a single select()/poll(). If the connection is slow, the request is
huge or the response is not immediately ready, the connection will be
processed in the "traditional" way.
Added usage of "calloc()" where supported.
Minor documentation fixes.
Minor improvements and fixes. -EG
"Upgrade" test fixes.
Documentation updated.
Added HTTP "Upgrade" example. -CG
Curl and libcurl 7.54.0
Public curl releases: 165
Command line options: 207
curl_easy_setopt() options: 245
Public functions in libcurl: 61
Contributors: 1538
This release includes the following changes:
o Add CURL_SSLVERSION_MAX_* constants to CURLOPT_SSLVERSION [19]
o Add --max-tls [19]
o Add CURLOPT_SUPPRESS_CONNECT_HEADERS [24]
o Add --suppress-connect-headers [24]
This release includes the following bugfixes:
o CVE-2017-7468: switch off SSL session id when client cert is used [68]
o cmake: Replace invalid UTF-8 byte sequence [1]
o tests: use consistent environment variables for setting charset
o proxy: fixed a memory leak on OOM
o ftp: removed an erroneous free in an OOM path
o docs: de-duplicate file lists in the Makefiles [2]
o ftp: fixed a NULL pointer dereference on OOM
o gopher: fixed detection of an error condition from Curl_urldecode
o url: fix unix-socket support for proxy-disabled builds [3]
o test1139: allow for the possibility that the man page is not rebuilt
o cyassl: get library version string at runtime
o digest_sspi: fix compilation warning
o tests: enable HTTP/2 tests to run with non-default port numbers
o warnless: suppress compiler warning
o darwinssl: Warn that disabling host verify also disables SNI [4]
o configure: fix for --enable-pthreads [5]
o checksrc.bat: Ignore curl_config.h.in, curl_config.h
o no-keepalive.d: fix typo [6]
o configure: fix --with-zlib when a path is specified [7]
o build: fix gcc7 implicit fallthrough warnings [8]
o fix potential use of uninitialized variables [9]
o CURLOPT_SSL_CTX_FUNCTION.3: Fix EXAMPLE formatting errors [10]
o CMake: Reorganize SSL support, separate WinSSL and SSPI [11]
o CMake: Add DarwinSSL support [12]
o CMake: Add mbedTLS support [13]
o ares: return error at once if timed out before name resolve starts [14]
o BINDINGS: added C++, perl, go and Scilab bindings
o URL: return error on malformed URLs with junk after port number
o KNOWN_BUGS: Add DarwinSSL won't import PKCS#12 without a password [15]
o http2: Fix assertion error on redirect with CL=0 [16]
o updatemanpages.pl: Update man pages to use current date and versions [17]
o --insecure: clarify that this option is for server connections [18]
o mkhelp: simplified the gzip code
o build: fixed making man page in out-of-tree tarball builds
o tests: disabled 1903 due to flakiness
o openssl: add two /* FALLTHROUGH */ to satisfy coverity
o cmdline-opts: fixed a few typos
o authneg: clear auth.multi flag at http_done [20]
o curl_easy_reset: Also reset the authentication state [21]
o proxy: skip SSL initialization for closed connections [22]
o http_proxy: ignore TE and CL in CONNECT 2xx responses [23]
o tool_writeout: fixed a buffer read overrun on --write-out
o make: regenerate docs/curl.1 by running make in docs [25]
o winbuild: add basic support for OpenSSL 1.1.x [26]
o build: removed redundant DEPENDENCIES from makefiles
o CURLINFO_LOCAL_PORT.3: added example
o curl: show HTTPS-Proxy options on CURLE_SSL_CACERT [27]
o tests: strip more options from non-HTTP --libcurl tests
o tests: fixed the documented test server port numbers
o runtests.pl: fixed display of the Gopher IPv6 port number
o multi: fix streamclose() crash in debug mode [28]
o cmake: build manual pages [29]
o cmake: add support for building HTML and PDF docs [30]
o mbedtls: add support for CURLOPT_SSL_CTX_FUNCTION [31]
o make: introduce 'test-nonflaky' target
o CURLINFO_PRIMARY_IP.3: add example
o tests/README: mention nroff for --manual tests [32]
o mkhelp: disable compression if the perl gzip module is unavailable
o openssl: fall back on SSL_ERROR_* string when no error detail [33]
o asiohiper: make sure socket is open in event_cb [34]
o tests/README: make "Run" section foolproof [35]
o curl: check for end of input in writeout backslash handling
o .gitattributes: turn off CRLF for *.am [36]
o multi: fix MinGW-w64 compiler warnings
o schannel: fix variable shadowing warning
o openssl: exclude DSA code when OPENSSL_NO_DSA is defined [37]
o http: Fix proxy connection reuse with basic-auth [38]
o pause: handle mixed types of data when paused [39]
o http: do not treat FTPS over CONNECT as HTTPS
o conncache: make hashkey avoid malloc [40]
o make: use the variable MAKE for recursive calls [41]
o curl: fix callback argument inconsistency [42]
o NTLM: check for features with #ifdef instead of #if [43]
o cmake: add several missing files to the dist
o select: use correct SIZEOF_ constant [44]
o connect: fix unreferenced parameter warning
o schannel: fix unused variable warning
o gcc7: fix ‘*’ in boolean context [45]
o http2: silence unused parameter warnings
o ssh: fix narrowing conversion warning
o telnet: (win32) fix read callback return variable [46]
o docs: Explain --fail-early does not imply --fail [47]
o docs: added examples for CURLINFO_FILETIME.3 and CURLOPT_FILETIME.3
o tests/server/util: remove in6addr_any for recent MinGW [48]
o multi: make curl_multi_wait avoid malloc in the typical case [49]
o include: curl/system.h is a run-time version of curlbuild.h [50]
o easy: silence compiler warning
o llist: replace Curl_llist_alloc with Curl_llist_init [51]
o hash: move key into hash struct to reduce mallocs [52]
o url: don't free postponed data on connection reuse [53]
o curl_sasl: declare mechtable static
o curl: fix Windows Unicode build
o multi: fix queueing of pending easy handles [54]
o tool_operate: fix MinGW compiler warning [55]
o low_speed_limit: improved function for longer time periods [56]
o gtls: fix compiler warning
o sspi: print out InitializeSecurityContext() error message [57]
o schannel: fix compiler warnings [58]
o vtls: fix unreferenced variable warnings
o INSTALL.md: fix secure transport configure arguments
o CURLINFO_SCHEME.3: fix variable type
o libcurl-thread.3: also mention threaded-resolver [59]
o nss: load CA certificates even with --insecure [60]
o openssl: fix this statement may fall through [61]
o poll: prefer <poll.h> over <sys/poll.h> [62]
o polarssl: unbreak build with versions < 1.3.8 [63]
o Curl_expire_latest: ignore already expired timers [64]
o configure: turn implicit function declarations into errors [65]
o mbedtls: fix memory leak in error path [66]
o http2: fix handle leak in error path [67]
o .gitattributes: force shell scripts to LF [69]
o configure.ac: ignore CR after version numbers [70]
o extern-scan.pl: strip trailing CR [71]
o openssl: make SSL_ERROR_to_str more future-proof [72]
o openssl: fix thread-safety bugs in error-handling [73]
o openssl: don't try to print nonexistent peer private keys [74]
o nss: fix MinGW compiler warnings [75]
SUBST_SED.confs+= -e "s|logs/|${VARBASE}/log/httpd/|g"
SUBST_SED.confs+= -e 's|/var/log/httpd/foo\.log|logs/foo.log/|g'
The first one only applied to an instruction in the comment at the top of
the configuration file and made it meaningless.
The second one has been useless.
Bugs Fixed
* Incorrect version for mod_wsgi was being reported in server token.
* On 32 bit platforms, when reading from request content, all input would be returned and the chunk size would be ignored.
- fix: continue if SO_REUSEPORT seems to be available but fails (:issue:`1480`)
- fix: support non-decimal values for the umask command line option (:issue:`1325`)
19.7.0 / 2017/03/01
===================
- The previously deprecated ``gunicorn_django`` command has been removed.
Use the :ref:`gunicorn-cmd` command-line interface instead.
- The previously deprecated ``django_settings`` setting has been removed.
Use the :ref:`raw-env` setting instead.
- The default value of :ref:`ssl-version` has been changed from
``ssl.PROTOCOL_TLSv1`` to ``ssl.PROTOCOL_SSLv23``.
- fix: initialize the group access list when initgroups is set (:issue:`1297`)
- add environment variables to gunicorn access log format (:issue:`1291`)
- add --paste-global-conf option (:issue:`1304`)
- fix: print access logs to STDOUT (:issue:`1184`)
- remove upper limit on max header size config (:issue:`1313`)
- fix: print original exception on AppImportError (:issue:`1334`)
- use SO_REUSEPORT if available (:issue:`1344`)
- `fix leak <b4c41481e2>`_ of duplicate file descriptor for bound sockets.
- add --reload-engine option, support inotify and other backends (:issue:`1368`, :issue:`1459`)
- fix: reject request with invalid HTTP versions
- add ``child_exit`` callback (:issue:`1394`)
- add support for eventlet's _AlreadyHandled object (:issue:`1406`)
- format boot tracebacks properly with reloader (:issue:`1408`)
- refactor socket activation and fd inheritance for better support of SystemD (:issue:`1310`)
- fix: o fds are given by default in gunicorn (:issue:`1423`)
- add ability to pass settings to GUNICORN_CMD_ARGS environment variable which helps in container world (:issue:`1385`)
- fix: catch access denied to pid file (:issue:`1091`)
- many additions and improvements to the documentation
Changes:
2.5.2 (2017-01-27)
------------------
- Resolved issue where the ``HTTP2-Settings`` header value for plaintext
upgrade that was emitted by ``initiate_upgrade_connection`` included the
*entire* ``SETTINGS`` frame, instead of just the payload.
- Resolved issue where the ``HTTP2-Settings`` header value sent by a client for
plaintext upgrade would be ignored by ``initiate_upgrade_connection``, rather
than have those settings applied appropriately.
2.4.3 (2017-01-27)
------------------
- Resolved issue where the ``HTTP2-Settings`` header value for plaintext
upgrade that was emitted by ``initiate_upgrade_connection`` included the
*entire* ``SETTINGS`` frame, instead of just the payload.
- Resolved issue where the ``HTTP2-Settings`` header value sent by a client for
plaintext upgrade would be ignored by ``initiate_upgrade_connection``, rather
than have those settings applied appropriately.
2.3.4 (2017-01-27)
------------------
- Resolved issue where the ``HTTP2-Settings`` header value for plaintext
upgrade that was emitted by ``initiate_upgrade_connection`` included the
*entire* ``SETTINGS`` frame, instead of just the payload.
- Resolved issue where the ``HTTP2-Settings`` header value sent by a client for
plaintext upgrade would be ignored by ``initiate_upgrade_connection``, rather
than have those settings applied appropriately.
2.5.1 (2016-12-17)
------------------
Bugfixes
~~~~~~~~
- Remote peers are now allowed to send zero or any positive number as a value
for ``SETTINGS_MAX_HEADER_LIST_SIZE``, where previously sending zero would
raise an ``InvalidSettingsValueError``.
2.5.0 (2016-10-25)
------------------
API Changes (Backward-Compatible)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Added a new ``H2Configuration`` object that allows rich configuration of
an ``H2Connection``. This object supersedes the prior keyword arguments to the
``H2Connection`` object, which are now deprecated and will be removed in 3.0.
- Added support for automated window management via the
``acknowledge_received_data`` method. See the documentation for more details.
- Added a ``DenialOfServiceError`` that is raised whenever a behaviour that
looks like a DoS attempt is encountered: for example, an overly large
decompressed header list. This is a subclass of ``ProtocolError``.
- Added support for setting and managing ``SETTINGS_MAX_HEADER_LIST_SIZE``.
This setting is now defaulted to 64kB.
- Added ``h2.errors.ErrorCodes``, an enum that is used to store all the HTTP/2
error codes. This allows us to use a better printed representation of the
error code in most places that it is used.
- The ``error_code`` fields on ``ConnectionTerminated`` and ``StreamReset``
events have been updated to be instances of ``ErrorCodes`` whenever they
correspond to a known error code. When they are an unknown error code, they
are instead ``int``. As ``ErrorCodes`` is a subclass of ``int``, this is
non-breaking.
- Deprecated the other fields in ``h2.errors``. These will be removed in 3.0.0.
Bugfixes
~~~~~~~~
- Correctly reject request header blocks with neither :authority nor Host
headers, or header blocks which contain mismatched :authority and Host
headers, per RFC 7540 Section 8.1.2.3.
- Correctly expect that responses to HEAD requests will have no body regardless
of the value of the Content-Length header, and reject those that do.
- Correctly refuse to send header blocks that contain neither :authority nor
Host headers, or header blocks which contain mismatched :authority and Host
headers, per RFC 7540 Section 8.1.2.3.
- Hyper-h2 will now reject header field names and values that contain leading
or trailing whitespace.
- Correctly strip leading/trailing whitespace from header field names and
values.
- Correctly refuse to send header blocks with a TE header whose value is not
``trailers``, per RFC 7540 Section 8.1.2.2.
- Correctly refuse to send header blocks with connection-specific headers,
per RFC 7540 Section 8.1.2.2.
- Correctly refuse to send header blocks that contain duplicate pseudo-header
fields, or with pseudo-header fields that appear after ordinary header fields,
per RFC 7540 Section 8.1.2.1.
This may cause passing a dictionary as the header block to ``send_headers``
to throw a ``ProtocolError``, because dictionaries are unordered and so they
may trip this check. Passing dictionaries here is deprecated, and callers
should change to using a sequence of 2-tuples as their header blocks.
- Correctly reject trailers that contain HTTP/2 pseudo-header fields, per RFC
7540 Section 8.1.2.1.
- Correctly refuse to send trailers that contain HTTP/2 pseudo-header fields,
per RFC 7540 Section 8.1.2.1.
- Correctly reject responses that do not contain the ``:status`` header field,
per RFC 7540 Section 8.1.2.4.
- Correctly refuse to send responses that do not contain the ``:status`` header
field, per RFC 7540 Section 8.1.2.4.
- Correctly update the maximum frame size when the user updates the value of
that setting. Prior to this release, if the user updated the maximum frame
size hyper-h2 would ignore the update, preventing the remote peer from using
the higher frame sizes.
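The 2.5.0 entries above amount to a checklist for a header block: a size cap on the decompressed list (the new ``SETTINGS_MAX_HEADER_LIST_SIZE`` default and ``DenialOfServiceError``) and the RFC 7540 Section 8.1.2 rules that the bugfixes enforce. The following is an added example that implements that checklist stand-alone; it is not hyper-h2's code, and the class names ``ProtocolError`` and ``DenialOfServiceError`` only mirror the names the changelog uses. It goes one step beyond the list by also rejecting uppercase field names, which Section 8.1.2 forbids but which is not among the 2.5.0 items. Headers are ``bytes`` pairs in an ordered sequence, which is why the dictionary caveat in the changelog matters: the pseudo-header ordering check is applied to whatever order the caller hands over.

```python
"""Header-block checks in the spirit of hyper-h2 2.5.0 (added example, not h2 code)."""

DEFAULT_MAX_HEADER_LIST_SIZE = 64 * 1024  # the 2.5.0 default for SETTINGS_MAX_HEADER_LIST_SIZE

# RFC 7540 Section 8.1.2.2: connection-specific fields must not appear in HTTP/2.
CONNECTION_SPECIFIC = {b"connection", b"keep-alive", b"proxy-connection",
                       b"transfer-encoding", b"upgrade"}
# Section 8.1.2.3 / 8.1.2.4: the only pseudo-header fields RFC 7540 defines.
REQUEST_PSEUDO = {b":method", b":scheme", b":authority", b":path"}
RESPONSE_PSEUDO = {b":status"}


class ProtocolError(Exception):
    """Header block violates RFC 7540 Section 8.1.2 (name mirrors h2's exception)."""


class DenialOfServiceError(ProtocolError):
    """Decompressed header list is larger than SETTINGS_MAX_HEADER_LIST_SIZE."""


def header_list_size(headers):
    """RFC 7540 Section 6.5.2: uncompressed size = len(name) + len(value) + 32 per field."""
    return sum(len(name) + len(value) + 32 for name, value in headers)


def validate_headers(headers, *, is_response, is_trailer=False,
                     max_size=DEFAULT_MAX_HEADER_LIST_SIZE):
    """Validate an ordered sequence of (name, value) byte pairs; return it if acceptable.

    The input must be a sequence, not a dict: pseudo-header ordering is part of what
    is checked, which is exactly why h2 deprecated passing dictionaries.
    """
    headers = [(bytes(n), bytes(v)) for n, v in headers]
    # Size check first: an HPACK bomb should be rejected before any per-field work.
    size = header_list_size(headers)
    if size > max_size:
        raise DenialOfServiceError(f"header list is {size} bytes, limit {max_size}")

    allowed_pseudo = RESPONSE_PSEUDO if is_response else REQUEST_PSEUDO
    seen_pseudo = set()
    seen_regular = False
    authority = host = None
    for name, value in headers:
        if name != name.strip() or value != value.strip():
            raise ProtocolError(f"leading/trailing whitespace in {name!r}")
        if name != name.lower():  # Section 8.1.2: names are lowercase on the wire
            raise ProtocolError(f"uppercase header field name {name!r}")
        if name.startswith(b":"):
            if is_trailer:
                raise ProtocolError("pseudo-header field in trailers")          # 8.1.2.1
            if seen_regular:
                raise ProtocolError("pseudo-header after a regular header")      # 8.1.2.1
            if name not in allowed_pseudo:
                raise ProtocolError(f"unknown or misplaced pseudo-header {name!r}")
            if name in seen_pseudo:
                raise ProtocolError(f"duplicate pseudo-header {name!r}")         # 8.1.2.1
            seen_pseudo.add(name)
            if name == b":authority":
                authority = value
            continue
        seen_regular = True
        if name in CONNECTION_SPECIFIC:
            raise ProtocolError(f"connection-specific header {name!r}")         # 8.1.2.2
        if name == b"te" and value.lower() != b"trailers":
            raise ProtocolError("TE may only carry 'trailers'")                  # 8.1.2.2
        if name == b"host":
            host = value

    if is_trailer:
        return headers
    if is_response:
        if b":status" not in seen_pseudo:
            raise ProtocolError("response without :status")                      # 8.1.2.4
    else:
        if authority is None and host is None:
            raise ProtocolError("request with neither :authority nor Host")      # 8.1.2.3
        if authority is not None and host is not None and authority != host:
            raise ProtocolError("mismatched :authority and Host")                # 8.1.2.3
    return headers


def violation(headers, **kwargs):
    """Return the exception class name a header block trips, or None if it is clean."""
    try:
        validate_headers(headers, **kwargs)
    except ProtocolError as exc:
        return type(exc).__name__
    return None
```

The size check runs before any per-field inspection so that an oversized list costs nothing beyond a length sum; ``DenialOfServiceError`` subclasses ``ProtocolError`` as the changelog describes, so callers that only catch the base class still get the connection torn down.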
2.4.2 (2016-10-25)
------------------
Bugfixes
~~~~~~~~
- Correctly update the maximum frame size when the user updates the value of
that setting. Prior to this release, if the user updated the maximum frame
size hyper-h2 would ignore the update, preventing the remote peer from using
the higher frame sizes.
2.3.3 (2016-10-25)
------------------
Bugfixes
~~~~~~~~
- Correctly update the maximum frame size when the user updates the value of
that setting. Prior to this release, if the user updated the maximum frame
size hyper-h2 would ignore the update, preventing the remote peer from using
the higher frame sizes.
2.2.7 (2016-10-25)
------------------
*Final 2.2.X release*
Bugfixes
~~~~~~~~
- Correctly update the maximum frame size when the user updates the value of
that setting. Prior to this release, if the user updated the maximum frame
size hyper-h2 would ignore the update, preventing the remote peer from using
the higher frame sizes.
2.4.1 (2016-08-23)
------------------
Bugfixes
~~~~~~~~
- Correctly expect that responses to HEAD requests will have no body regardless
of the value of the Content-Length header, and reject those that do.
2.3.2 (2016-08-23)
------------------
Bugfixes
~~~~~~~~
- Correctly expect that responses to HEAD requests will have no body regardless
of the value of the Content-Length header, and reject those that do.
2.4.0 (2016-07-01)
------------------
API Changes (Backward-Compatible)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Adds ``additional_data`` to ``H2Connection.close_connection``, allowing the
user to send additional debug data on the GOAWAY frame.
- Adds ``last_stream_id`` to ``H2Connection.close_connection``, allowing the
user to manually control what the reported last stream ID is.
- Add new method: ``prioritize``.
- Add support for emitting stream priority information when sending headers
frames using three new keyword arguments: ``priority_weight``,
``priority_depends_on``, and ``priority_exclusive``.
- Add support for "related events": events that fire simultaneously on a single
frame.
2.3.1 (2016-05-12)
------------------
Bugfixes
~~~~~~~~
- Resolved ``AttributeError`` encountered when receiving more than one sequence
of CONTINUATION frames on a given connection.
2.2.5 (2016-05-12)
------------------
Bugfixes
~~~~~~~~
- Resolved ``AttributeError`` encountered when receiving more than one sequence
of CONTINUATION frames on a given connection.
2.3.0 (2016-04-26)
------------------
API Changes (Backward-Compatible)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Added a new flag to the ``H2Connection`` constructor: ``header_encoding``,
that controls what encoding is used (if any) to decode the headers from bytes
to unicode. This defaults to UTF-8 for backward compatibility. To disable the
decode and use bytes exclusively, set the field to False, None, or the empty
string. This affects all headers, including those pushed by servers.
- Bumped the minimum version of HPACK allowed from 2.0 to 2.2.
- Added support for advertising RFC 7838 Alternative services.
- Allowed users to provide ``hpack.HeaderTuple`` and
``hpack.NeverIndexedHeaderTuple`` objects to all methods that send headers.
- Changed all events that carry headers to emit ``hpack.HeaderTuple`` and
``hpack.NeverIndexedHeaderTuple`` instead of plain tuples. This allows users
to maintain header indexing state.
- Added support for plaintext upgrade with the ``initiate_upgrade_connection``
method.
Bugfixes
~~~~~~~~
- Automatically ensure that all ``Authorization`` and ``Proxy-Authorization``
headers, as well as short ``Cookie`` headers, are prevented from being added
to encoding contexts.
2.2.4 (2016-04-25)
------------------
Bugfixes
~~~~~~~~
- Correctly forbid pseudo-headers that were not defined in RFC 7540.
- Ignore AltSvc frames, rather than exploding when receiving them.
2.1.5 (2016-04-25)
------------------
*Final 2.1.X release*
Bugfixes
~~~~~~~~
- Correctly forbid pseudo-headers that were not defined in RFC 7540.
- Ignore AltSvc frames, rather than exploding when receiving them.
Changes:
5.0.0 (2017-03-07)
------------------
**Backwards Incompatible API Changes**
- Added support for unknown extension frames. These will be returned in the new
``ExtensionFrame`` object. The flag information for these frames is persisted
in ``flag_byte`` if needed.
4.0.2 (2017-02-20)
------------------
**Bugfixes**
- Fixed AltSvc stream association, which was incorrectly set to ``'both'``:
should have been ``'either'``.
- Fixed a bug where stream IDs on received frames were allowed to be 32-bit,
instead of 31-bit.
- Fixed a bug with frames that had the ``PADDING`` flag set but zero-length
padding, whose flow-controlled length was calculated wrongly.
- Miscellaneous performance improvements to serialization and parsing logic.
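Two of the 4.0.2 fixes are worth seeing in code: the reserved high bit of the stream identifier must be masked off so a received stream ID is 31-bit, and a DATA frame with the PADDED flag set still carries a one-octet Pad Length field even when the padding itself is zero bytes, so its flow-controlled length is one more than the data. The block below is an added example, not hyperframe's code; it parses the 9-octet frame header, applies the Section 6.1 rule that a pad length equal to or larger than the payload is a protocol error, and reports the flow-controlled length that Section 6.9.1 charges against the window. ``FrameError`` is this example's own exception type.

```python
"""HTTP/2 frame-header parsing with 31-bit stream IDs and padded DATA accounting
(added example in the spirit of hyperframe 4.0.2; not hyperframe's code)."""
import struct

FRAME_HEADER_LEN = 9          # RFC 7540 Section 4.1
TYPE_DATA = 0x0
FLAG_END_STREAM = 0x1
FLAG_PADDED = 0x8
STREAM_ID_MASK = 0x7FFFFFFF   # bit 31 is reserved and must be ignored on receipt


class FrameError(Exception):
    """Malformed frame; a real peer would answer with a PROTOCOL_ERROR or FRAME_SIZE_ERROR."""


def parse_frame_header(buf):
    """Return (length, type, flags, stream_id) from the 9-octet header."""
    if len(buf) < FRAME_HEADER_LEN:
        raise FrameError("need 9 octets of frame header")
    length = int.from_bytes(buf[0:3], "big")
    frame_type, flags = buf[3], buf[4]
    (raw_id,) = struct.unpack("!I", buf[5:9])
    return length, frame_type, flags, raw_id & STREAM_ID_MASK


def split_padded_payload(payload, flags):
    """Return (data, flow_controlled_length) for a DATA frame payload.

    RFC 7540 Section 6.9.1: the whole payload, including the Pad Length octet and the
    padding itself, counts against the flow-control window. With PADDED set and a pad
    length of 0 the Pad Length octet still exists, so the flow-controlled length is
    len(data) + 1, not len(data).
    """
    if flags & FLAG_PADDED:
        if not payload:
            raise FrameError("PADDED flag on an empty payload")
        pad_length = payload[0]
        if pad_length >= len(payload):                     # Section 6.1: PROTOCOL_ERROR
            raise FrameError(f"pad length {pad_length} >= payload length {len(payload)}")
        data = payload[1:len(payload) - pad_length]
    else:
        data = payload
    return bytes(data), len(payload)


def parse_data_frame(frame):
    """Parse a complete DATA frame; return (stream_id, data, flow_controlled_length)."""
    length, frame_type, flags, stream_id = parse_frame_header(frame)
    if frame_type != TYPE_DATA:
        raise FrameError(f"not a DATA frame (type {frame_type:#x})")
    if stream_id == 0:
        raise FrameError("DATA on stream 0")                # Section 6.1: PROTOCOL_ERROR
    payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) != length:
        raise FrameError("truncated frame")
    data, fc_len = split_padded_payload(payload, flags)
    return stream_id, data, fc_len


def build_data_frame(stream_id, data, pad_length=None, end_stream=False):
    """Serialise a DATA frame; pad_length=0 still emits the Pad Length octet."""
    flags = FLAG_END_STREAM if end_stream else 0
    payload = bytes(data)
    if pad_length is not None:
        if not 0 <= pad_length <= 255:
            raise ValueError("pad length is a single octet")
        flags |= FLAG_PADDED
        payload = bytes([pad_length]) + payload + b"\x00" * pad_length
    header = (len(payload).to_bytes(3, "big") + bytes([TYPE_DATA, flags])
              + struct.pack("!I", stream_id & STREAM_ID_MASK))
    return header + payload


def is_malformed(frame):
    """True if parse_data_frame would reject the frame."""
    try:
        parse_data_frame(frame)
    except FrameError:
        return True
    return False
```

Getting the flow-controlled length wrong in either direction is a security problem, not just a correctness one: undercounting lets a peer push more bytes than the window allows, overcounting stalls the connection.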
4.0.1 (2016-03-13)
------------------
**Bugfixes**
- Fixed bug with the repr of ``AltSvcFrame``, where building it could throw
exceptions if the frame had been received from the network.
4.0.0 (2016-03-13)
------------------
**Backwards Incompatible API Changes**
- Updated old ALTSVC frame definition to match the newly specified RFC 7838.
- Remove BLOCKED frame, which was never actually specified.
- Removed previously deprecated ``SettingsFrame.SETTINGS_MAX_FRAME_SIZE`` and
``SettingsFrame.SETTINGS_MAX_HEADER_LIST_SIZE``.
Changes:
## 2.12 - 2017-04-11
### Added
* Queueing of key events - fixes swallowed chars in case of some imap bindings
#258 (thanks to Michael Mackus)
* Allow xembed to be disabled with `FEATURE_NO_XEMBED`, so vimb compiles on
Wayland-only platforms (thanks to Patrick Steinhardt)
* Custom default_zoom setting disables HIGH_DPI logic (thanks to Robert Timm)
* Allow link activation from search result via `<CR>` #131
### Changed
* Allow shortcuts without parameters #329
* Write soup cache to disk after each page load to allow other instances to
pick this up.
* Use the beginning position of links for hinting (thanks to Yutao Yuan)
### Fixed
* Fix path expansion to accept only valid POSIX.1-2008 usernames (thanks to
Manzur Mukhitdinov)
* Fix default previouspattern (thanks to Nicolas Porcel)
Please note that this is the last release of vimb for WebKit1. WebKit1 is not
supported anymore and is considered insecure.
So this release is a way to end the WebKit1 version of vimb gracefully.
I hope the WebKit2 branch will be in alpha state soon. Hope some developer
will help to migrate the known features to the new WebKit2 process model.
Help is appreciated.
Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages
technologies. The Java Servlet and JavaServer Pages specifications are
developed under the Java Community Process.
Apache Tomcat is developed in an open and participatory environment and
released under the Apache Software License. Apache Tomcat is intended to
be a collaboration of the best-of-breed developers from around the world.
We invite you to participate in this open development project.
Apache Tomcat powers numerous large-scale, mission-critical web applications
across a diverse range of industries and organizations.
This package tracks 8.5.x release branch.
Changelog:
Tomcat 8.0.43 (violetagg)
Catalina
Add: 54618: Add support to the HttpHeaderSecurityFilter for the HSTS preload parameter. (markt)
Fix: 60876: Ensure that Set-Cookie headers generated by the Rfc6265CookieProcessor are aligned with the specification. Patch provided by Jim Griswold. (markt)
Fix: 60911: Ensure NPE will not be thrown when looking for SSL session ID. Based on a patch by Didier Gutacker. (violetagg)
Coyote
Fix: When using the NIO2 connector, ensure a WebSocket close frame is processed before the end of stream is processed to ensure that the end of stream is processed correctly. (markt)
Fix: 60852: Correctly spell compressible when used in configuration attributes and internal code. Based on a patch by Michael Osipov. (markt)
Fix: Improve sendfile handling when requests are pipelined. (markt)
Jasper
Fix: Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm, violetagg)
Fix: 60844: Correctly handle the error when fewer parameter values than required by the method are used to invoke an EL method expression. Patch provided by Daniel Gray. (markt)
jdbc-pool
Fix: 60764: Implement equals() and hashCode() in the StatementFacade in order to enable these methods to be called on the closed statements if any statement proxy is set. This behavior can be changed with useStatementFacade attribute. (kfujino)
Other
Fix: Refactor the build script and the NSIS installer script so that either NSIS 2.x or NSIS 3.x can be used to build the installer. This is primarily to re-enable building the installer on the Linux based CI system where the combination of NSIS 3.x and wine leads to failed installer builds. (markt)
2017-03-14 Tomcat 8.0.42 (markt)
Catalina
Update: 60596: Improve performance of DefaultServlet when sendfile feature is disabled on connector. (kkolinko)
Fix: Reduce the contention in the default InstanceManager implementation when multiple threads are managing objects and need to reference the annotation cache. (markt)
Add: Extend the JreMemoryLeakPreventionListener to provide protection against ForkJoinPool.commonPool() related memory leaks. (markt)
Code: 60674: Remove final marker from CorsFilter to enable sub-classing. (markt)
Fix: 60683: Security manager failure causing NPEs when doing IO on some JVMs. (csutherl)
Fix: 60688: Update the internal fork of Apache Commons BCEL to r1782855 to add early access Java 9 support to the annotation scanning code. (markt)
Fix: When HTTP TRACE requests are disabled on the Connector, ensure that the HTTP OPTIONS response from the WebDAV servlet does not include TRACE in the returned Allow header. (markt)
Fix: 60718: Improve error handling for asynchronous processing and correct a number of cases where the requestDestroyed() event was not being fired and an entry wasn't being made in the access logs. (markt)
Fix: 60722: Take account of the dispatchersUseEncodedPaths setting on the current Context when generating paths for dispatches triggered by AsyncContext.dispatch(). (markt)
Fix: 60728: Make the separator Tomcat uses in the Tomcat specific war:file:... URL protocol customizable via a system property. The separator is equivalent to the use of the ! character in jar:file:... URLs. The default separator of * remains unchanged. (markt)
Fix: 60798: Correct a bug in the handling of JARs in unpacked WARs that meant multiple attempts to read the same entry from a JAR in succession would fail for the second and subsequent attempts. (markt)
Fix: 60808: Ensure that the Map returned by ServletRequest.getParameterMap() is fully immutable. Based on a patch provided by woosan. (markt)
Fix: 60824: Correctly cache the Subject in the session - if there is a session - when running under a SecurityManager. Patch provided by Jan Engehausen. (markt)
Fix: Ensure request and response facades are used when firing application listeners. (markt/remm)
Coyote
Fix: Ensure that executor thread pools used with connectors pre-start the configured minimum number of idle threads. (markt)
Add: 60594: Allow some invalid characters that were recently restricted to be processed in requests by using the system property tomcat.util.http.parser.HttpParser.requestTargetAllow. (csutherl)
Fix: Modify the cookie header generated by the Rfc6265CookieProcessor so it always sends an Expires attribute as well as a Max-Age attribute to avoid problems with Microsoft browsers that do not support the Max-Age attribute. (markt)
Jasper
Fix: Follow up to the fix for 58178. When creating the ELContext for a tag file, ensure that any registered ELContextListeners are fired. (markt)
Fix: Refactor code generated for JSPs to reduce the size of the code required for tags. (markt)
Update: Update to the Eclipse JDT Compiler 4.6.1. (markt)
Cluster
Add: Make the accessTimeout configurable in ClusterSingleSignOn. The accessTimeout is used as a timeout period for PING in replication map. (kfujino)
Fix: 60806: To avoid ClassNotFoundException, make sure that the web application class loader is passed to ReplicatedContext. (kfujino)
WebSocket
Fix: 60617: Correctly create a CONNECT request when establishing a WebSocket connection via a proxy. Patch provided by Svetlin Zarev. (markt)
Tribes
Fix: Ensure that NoRpcChannelReply messages are not received on RpcCallback. (kfujino)
Other
Update: Update the packaged version of the Tomcat Native Library to 1.2.12 to pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg)
Add: 60784: Update all unit tests that test the HTTP status line to check for the required space after the status code. Patch provided by Michael Osipov. (markt)
Update: Update the NSIS Installer used to build the Windows installer to version 3.01. (markt)
Changelog:
Tomcat 7.0.77 (violetagg)
Catalina
add 54618: Add support to the HttpHeaderSecurityFilter for the HSTS preload parameter. (markt)
fix 60911: Ensure NPE will not be thrown when looking for SSL session ID. Based on a patch by Didier Gutacker. (violetagg)
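The HSTS preload item (54618, listed for both Tomcat 8.0.43 and 7.0.77 above) only adds the ``preload`` token to the ``Strict-Transport-Security`` header the HttpHeaderSecurityFilter emits; inclusion in the browser preload list is a separate submission, and the submission checker rejects a header whose ``max-age`` is under one year or which lacks ``includeSubDomains``. The following added example, not the filter's code, parses an STS value per RFC 6797 and reports what would block preload acceptance. ``build_hsts`` produces the same shape of value a filter would send; the exact spacing Tomcat uses is not reproduced here.

```python
"""Strict-Transport-Security parsing and preload-list eligibility (added example;
not the HttpHeaderSecurityFilter's code)."""

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, the hstspreload.org submission minimum


def parse_hsts(value):
    """Parse an STS header value into {directive-name: value} per RFC 6797 Section 6.1.

    Directive names are case-insensitive and must not repeat; values may be quoted.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, raw = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"directive {name!r} appears more than once")
        directives[name] = raw.strip().strip('"')
    return directives


def preload_problems(value):
    """List why a header value would be rejected for the browser preload list."""
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload token missing")
    return problems


def build_hsts(max_age, include_subdomains=False, preload=False):
    """Build the header value a filter would emit for the given settings."""
    parts = [f"max-age={int(max_age)}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return ";".join(parts)
```

Turning ``preload`` on is close to irreversible for the months it takes browsers to ship a removal, and ``includeSubDomains`` covers every host under the domain, so verify that all of them serve HTTPS before enabling it in the filter.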
Coyote
fix When using the NIO2 connector, ensure a WebSocket close frame is processed before the end of stream is processed to ensure that the end of stream is processed correctly. (markt)
fix 60852: Correctly spell compressible when used in configuration attributes and internal code. Based on a patch by Michael Osipov. (markt)
fix Improve sendfile handling when requests are pipelined. (markt)
Jasper
fix Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm, violetagg)
fix 60844: Correctly handle the error when fewer parameter values than required by the method are used to invoke an EL method expression. Patch provided by Daniel Gray. (markt)
jdbc-pool
fix 60764: Implement equals() and hashCode() in the StatementFacade in order to enable these methods to be called on the closed statements if any statement proxy is set. This behavior can be changed with useStatementFacade attribute. (kfujino)
Tomcat 7.0.76 (markt) released 2017-03-16
Catalina
code Make it easier for sub-classes of Tomcat to modify the default web.xml settings by overriding getDefaultWebXmlListener(). Patch provided by Aaron Anderson. (markt)
fix Reduce the contention in the default InstanceManager implementation when multiple threads are managing objects and need to reference the annotation cache. (markt)
code 60674: Remove final marker from CorsFilter to enable sub-classing. (markt)
fix 60683: Security manager failure causing NPEs when doing IO on some JVMs. (csutherl)
fix 60688: Update the internal fork of Apache Commons BCEL to r1782855 to add early access Java 9 support to the annotation scanning code. (markt)
fix 60718: Improve error handling for asynchronous processing and correct a number of cases where the requestDestroyed() event was not being fired and an entry wasn't being made in the access logs. (markt)
fix 60808: Ensure that the Map returned by ServletRequest.getParameterMap() is fully immutable. Based on a patch provided by woosan. (markt)
fix 60824: Correctly cache the Subject in the session - if there is a session - when running under a SecurityManager. Patch provided by Jan Engehausen. (markt)
fix Ensure request and response facades are used when firing application listeners. (markt/remm)
fix When HTTP TRACE requests are disabled on the Connector, ensure that the HTTP OPTIONS response from the WebDAV servlet does not include TRACE in the returned Allow header. (markt)
Coyote
fix Ensure that executor thread pools used with connectors pre-start the configured minimum number of idle threads. (markt)
add 60594: Allow some invalid characters that were recently restricted to be processed in requests by using the system property tomcat.util.http.parser.HttpParser.requestTargetAllow. (csutherl)
Jasper
fix Refactor code generated for JSPs to reduce the size of the code required for tags. (markt)
Cluster
add Make the accessTimeout configurable in ClusterSingleSignOn. The accessTimeout is used as a timeout period for PING in replication map. (kfujino)
fix 60806: To avoid ClassNotFoundException, make sure that the web application class loader is passed to ReplicatedContext. (kfujino)
WebSocket
fix 60617: Correctly create a CONNECT request when establishing a WebSocket connection via a proxy. Patch provided by Svetlin Zarev. (markt)
Tribes
fix Ensure that NoRpcChannelReply messages are not received on RpcCallback. (kfujino)
fix 60722: Take account of the dispatchersUseEncodedPaths setting on the current Context when generating paths for dispatches triggered by AsyncContext.dispatch(). (markt)
Other
fix 60620: Fix configuration of Eclipse projects, broken by introduction of SafeForkJoinWorkerThreadFactory helper class. This class cannot be built with Java 6. (kkolinko)
update Update the packaged version of the Tomcat Native Library to 1.2.12 to pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg)
add 60784: Update all unit tests that test the HTTP status line to check for the required space after the status code. Patch provided by Michael Osipov. (markt)
update Update the NSIS Installer used to build the Windows installer to version 3.01. (markt)
fix Refactor the build script and the NSIS installer script so that either NSIS 2.x or NSIS 3.x can be used to build the installer. This is primarily to re-enable building the installer on the Linux based CI system where the combination of NSIS 3.x and wine leads to failed installer builds. (markt)
Tomcat 7.0.75 (violetagg) released 2017-01-24
Cluster
add Make the accessTimeout configurable in BackupManager. The accessTimeout is used as a timeout period for PING in replication map. (kfujino)
Web applications
fix Ensure the ASF logo image is correctly displayed in docs and host-manager applications. (violetagg)
Tomcat 7.0.74 (violetagg) not released
Catalina
add 53602: Add HTTP status code 451 (RFC 7725) to the list of HTTP status codes recognised by Tomcat. (markt)
fix Correctly handle the configClass attribute of a Host when embedding Tomcat. (markt)
fix 60379: Dispose of the GSS credential once it is no longer required. Patch provided by Michael Osipov. (markt)
fix 60380: Ensure that a call to HttpServletRequest#logout() triggers a call to TomcatPrincipal#logout(). Based on a patch by Michael Osipov. (markt)
fix 60387: Correct the javadoc for o.a.catalina.AccessLog.setRequestAttributesEnabled. The default value is different for the different implementations. (violetagg)
code 60393: Use consistent parameter naming in implementations of Realm#authenticate(GSSContext, boolean). (markt)
fix 60395: Log when an Authenticator passes an incomplete GSSContext to a Realm since it indicates a bug in the Authenticator. Patch provided by Michael Osipov. (markt)
update Update the warnings that reference required options for running on Java 9 to use the latest syntax for those options. (markt)
fix 60513: Fix thread safety issue with RMI cleanup code. (remm)
add 60620: Extend the JreMemoryLeakPreventionListener to provide protection against ForkJoinPool.commonPool() related memory leaks. (markt)
Coyote
fix Ensure that the endpoint is able to unlock the acceptor thread during shutdown if the endpoint is configured to listen to any local address of a specific type such as 0.0.0.0 or ::. (markt)
fix Ensue is enabled by default for APR. (markt)
fix Prevent read time out when the file is deleted while serving the response. The issue was observed only with APR Connector and sendfile enabled. (violetagg)
fix Improve the logic that selects an address to unlock the Acceptor to take account of platforms that do not listen on all local addresses when configured with an address of 0.0.0.0 or ::. (markt)
fix 60409: When unable to complete sendfile request, ensure the Processor will be added to the(markt)
Jasper
fix 60431: Improve handling of varargs in UEL expressions. Based on a patch by Ben Wolfe. (markt)
fix 60497: Restore previous tag reuse behavior following the use of try/finally. (remm)
fix Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm)
fix 60497: Follow up fix using a better variable name for the tag reuse flag. (remm)
fix Revert use of try/finally for simple tags. (remm)
Web applications
fix Correct a typo in Host Configuration Reference. Issue reported via comments.apache.org. (violetagg)
add In the documentation web application, be explicit that clustering requires a secure network for all of the cluster network traffic. (markt)
update Update the ASF logos to the new versions.
Tribes
fix Reduce the warning logs for a message received from a different domain in order to avoid excessive log outputs. (kfujino)
add Add a log message when a PING message is received beyond the timeout period. (kfujino)
fix When a PING message is received beyond the time-out period, make sure that the valid member is added to the map membership. (kfujino)
WebSocket
fix 60437: Avoid possible handshake overflows in the websocket client. (remm)
jdbc-pool
add 58816: Implement statistics for jdbc-pool. The statistics are borrowedCount, returnedCount, createdCount, releasedCount, reconnectedCount, releasedIdleCount and removeAbandonedCount. (kfujino)
fix 60194: If validationQuery is not specified, connection validation is done by calling the isValid() method. (kfujino)
fix 60398: Fix testcase of TestSlowQueryReport. (kfujino)
add Enable resetting the statistics without restarting the pool. (kfujino)
Other
fix 60366: Change catalina.bat to use the LOGGING_MANAGER and LOGGING_CONFIG variables directly to configure logging, instead of modifying JAVA_OPTS. Patch provided by Petter Isberg. (violetagg)
add Add a new property, test.verbose, to control whether the output of the tests is displayed on the console. Patch provided by Emmanuel Bourg. (violetagg)
update Update the ASF logos used in the Apache Tomcat installer for Windows to use the new versions.
fix Spelling corrections provided by Josh Soref. (violetagg)
Tomcat 7.0.73 (violetagg) released 2016-11-14
Catalina
fix 60117: Ensure that the name of LogLevel is localized when using OneLineFormatter. Patch provided by Tatsuya Bessho. (kfujino)
add 60151: Improve the exception error messages when a ResourceLink fails to specify the type, specifies an unknown type or specifies the wrong type. (markt)
fix 60167: Ignore empty lines in /etc/passwd files when using the PasswdUserDatabase. (markt)
fix Improve the access checks for linked global resources to handle the case where the current class loader is a child of the web application class loader. (markt)
fix 60199: Log a warning if deserialization issues prevent a session attribute from being loaded. (markt)
fix Correctly test for control characters when reading the provided shutdown password. (markt)
fix When configuring the JMX remote listener, specify the allowed types for the credentials. (markt)
Coyote
fix 60123: Avoid potential threading issues that could cause excessively large values to be returned for the processing time of a current request. (markt)
fix 60174: Log instances of HeadersTooLargeException during request processing. (markt)
fix Correct the HTTP header parser so that DEL is not treated as a valid token character. (markt)
fix 60319: When using an Executor, disconnect it from the Connector attributes maxThreads, minSpareThreads and threadPriority to enable the configuration settings to be consistently reported. These Connector attributes will be reported as -1 when an Executor is in use. The values used by the executor may be set and obtained via the Executor. (markt)
fix If an I/O error occurs during async processing on a non-container thread, ensure that the onError() event is triggered. (markt)
fix Improve detection of I/O errors during async processing on non-container threads and trigger async error handling when they are detected. (markt)
add Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. (markt)
Web applications
add Add an example of using the classesToInitialize attribute of the JreMemoryLeakPreventionListener to the documentation web application. Based on a patch by Cris Berneburg. (markt)
fix 60192: Correct a typo in the status output of the Manager application. Patch provided by Radhakrishna Pemmasani. (markt)
fix Correct a typo in HTTP Connector How-To. Issue reported via comments.apache.org. (violetagg)
fix Fix default value of validationInterval attribute in jdbc-pool. (kfujino)
fix Correct a typo in CGI How-To. Issue reported via comments.apache.org. (violetagg)
fix 60344: Add a note to BUILDING.txt regarding using the source bundle with the correct line endings. (markt)
Tribes
fix When the proxy node sends a backup retrieve message, ensure that the channelSendOptions that has been set is used rather than the default channelSendOptions. (kfujino)
jdbc-pool
fix 60099: Ensure that all method arguments are used as the cache key when using StatementCache. (kfujino)
fix 60139: Correct Javadocs for PoolConfiguration.getValidationInterval and setValidationInterval. Reported by Phillip Webb. (kfujino)
Other
add Add documentation to the bin/catalina.bat script to remind users that environment variables don't affect the configuration of Tomcat when run as a Windows Service. Based upon a documentation patch by James H.H. Lampert. (schultz)
Tomcat 7.0.72 (violetagg) released 2016-09-19
Catalina
fix Ensure Digester.useContextClassLoader is considered in case the class loader is used. (violetagg)
Jasper
fix 60101: Remove preloading of the class that was deleted. (violetagg)
jdbc-pool
fix Notify jmx when returning the connection that has been marked suspect. (kfujino)
fix Ensure that the POOL_EMPTY notification has been added to the jmx notification types. (kfujino)
Other
update Update the packaged version of the Tomcat Native Library to 1.2.10 to pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)
Tomcat 7.0.71 (violetagg) not released
Catalina
fix 57705: Add debug logging for requests denied by the remote host and remote address valves and filters. Based on a patch by Graham Leggett. (markt)
update Change the default of the sessionCookiePathUsesTrailingSlash attribute of the Context element to false since the problems caused when a Servlet is mapped to /* are more significant than the security risk of not enabling this option by default. (markt)
fix 59708: Modify the LockOutRealm logic. Valid authentication attempts during the lock out period will no longer reset the lock out timer to zero. (markt)
fix Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
fix Ensure that reading the singleThreadModel attribute of a StandardWrapper via JMX does not trigger initialisation of the associated servlet. With some frameworks this can trigger an unexpected initialisation thread and if initialisation is not thread-safe the initialisation can then fail. (markt)
fix By default, treat paths used to obtain a request dispatcher as encoded. This behaviour can be changed per web application via the dispatchersUseEncodedPaths attribute of the Context. (markt)
fix 59839: Apply roleSearchAsUser to all nested searches in JNDIRealm. (fschumacher)
add Provide a mechanism that enables the container to check if a component (typically a web application) has been granted a given permission when running under a SecurityManager without the current execution stack having to have passed through the component. Use this new mechanism to extend SecurityManager protection to the system property replacement feature of the digester. (markt)
add When retrieving an object via a ResourceLink, ensure that the object obtained is of the expected type. (markt)
fix 59866: When scanning WEB-INF/classes for annotations, don't scan the contents of WEB-INF/classes/META-INF (if present) since classes will never be loaded from that location. (markt)
fix 59912: Fix an edge case in input stream handling where an IOException could be thrown when reading a POST body. (markt)
fix 59966: Do not start the web application if the error page configuration in web.xml is invalid. (markt)
fix Switch the CGI servlet to the standard logging mechanism and remove support for the debug attribute. (markt)
add Add a new initialisation parameter, envHttpHeaders, to the CGI Servlet to mitigate httpoxy (CVE-2016-5388) by default and to provide a mechanism that can be used to mitigate any future, similar issues. (markt)
add When adding and removing ResourceLinks dynamically, ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be. (markt)
fix 60008: When processing CORS requests, treat any origin with a URI scheme of file as a valid origin. (markt)
fix Improve handling of exceptions during Lifecycle events triggered by a state transition. The exception is now caught and the component is now placed into the FAILED state. (markt)
fix Fix a file descriptor leak when reading the global web.xml. (markt)
fix 60041: Better error message if a JAR is deleted while a web application is running. Note: Deleting a JAR while the application is running is not supported and errors are expected. Based on a patch by gehui. (markt)
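The envHttpHeaders item above is the server-side fix for httpoxy (CVE-2016-5388): a CGI gateway that copies every request header into the script's environment as ``HTTP_<NAME>`` turns a client-supplied ``Proxy:`` header into ``HTTP_PROXY``, which HTTP client libraries inside the script honour as their outbound proxy. The following added example, not Tomcat's CGI servlet code, shows the RFC 3875 mapping, the blind version beside an allowlisted one, and what a script's HTTP client would see in each case. The request headers are constructed for the example; ``ENV_HTTP_HEADERS`` is a pattern in the style of that parameter and should be read as this example's own allowlist rather than Tomcat's documented default.

```python
"""How a CGI gateway turns request headers into HTTP_* environment variables, and why
an allowlist such as the envHttpHeaders parameter closes httpoxy (CVE-2016-5388).
Added example; not Tomcat's CGI servlet code."""
import re

# Constructed request, including the header an httpoxy attacker sends.
REQUEST_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "curl/7.52.1"),
    ("Accept", "*/*"),
    ("Proxy", "http://203.0.113.9:8080"),   # becomes HTTP_PROXY if copied blindly
    ("X-Forwarded-For", "198.51.100.4"),
]


def env_name(header):
    """RFC 3875 Section 4.1.18: 'HTTP_' + upper-cased name with '-' mapped to '_'."""
    return "HTTP_" + header.upper().replace("-", "_")


def cgi_env_unfiltered(headers):
    """Vulnerable mapping: every client header is exported, so 'Proxy:' yields HTTP_PROXY."""
    return {env_name(n): v for n, v in headers}


# Hypothetical allowlist in the style of an envHttpHeaders regex (this example's own
# pattern, not Tomcat's documented default). What matters is that 'Proxy' is absent.
ENV_HTTP_HEADERS = re.compile(
    r"ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT", re.I)


def cgi_env_allowlisted(headers, allow=ENV_HTTP_HEADERS):
    """Hardened mapping: only headers matching the allowlist become HTTP_* variables."""
    return {env_name(n): v for n, v in headers if allow.fullmatch(n)}


def proxy_seen_by_script(env, client_mitigated=False):
    """What an HTTP client library inside the CGI script picks up as its proxy.

    client_mitigated models the client-side fix some libraries shipped after httpoxy:
    ignore HTTP_PROXY when REQUEST_METHOD is set, i.e. when running under CGI.
    """
    if client_mitigated and "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")
```

The allowlist is the right shape of fix because the problem is not one header name: any future header whose ``HTTP_`` form collides with a variable some library reads would reappear under a denylist.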
Coyote
fix Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
fix 59904: Add a limit (default 200) for the number of cookies allowed per request. Based on a patch by gehui. (markt)
fix Make timing attacks against the Realm implementations harder. (schultz)
add Refactor the code that implements the requirement that a call to complete() or dispatch() made from a non-container thread before the container initiated thread that called startAsync() completes must be delayed until the container initiated thread has completed. Rather than implementing this by blocking the non-container thread, extend the internal state machine to track this. This removes the possibility that blocking the non-container thread could trigger a deadlock. (markt)
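Two Realm items in this release describe behaviour rather than an API: the LockOutRealm change (59708, under Catalina above), where a valid authentication attempt during the lock-out period is still refused but no longer resets the lock-out timer, and the Coyote entry making timing attacks against Realm implementations harder, which comes down to doing the same credential work whether or not the user exists. The block below is an added example of both ideas together; it is not Tomcat's LockOutRealm or RealmBase code. The injectable clock, the PBKDF2 parameters and the constructed user are this example's own choices; in this model a wrong password during lock-out still extends the lock-out, a correct one does not touch the timer.

```python
"""A lock-out realm that is not extended by valid attempts during lock-out (59708) and
does the same amount of credential work for unknown users (timing hardening). Added
example; not Tomcat's LockOutRealm or RealmBase code."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 50_000  # keep the cost identical on every path; raise in production


def make_credential(password):
    """Return (salt, hash) for storage; constructed here for the example."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


class LockOutRealm:
    def __init__(self, users, fail_count=5, lock_out_time=300, clock=time.monotonic):
        self.users = dict(users)          # username -> (salt, hash)
        self.fail_count = fail_count
        self.lock_out_time = lock_out_time
        self.clock = clock                # injectable so tests can move time
        self.failures = {}                # username -> (count, last_failure_time)
        # A throw-away credential so an unknown user costs one PBKDF2 like a known one.
        self._dummy = make_credential(os.urandom(8))

    def is_locked(self, username):
        rec = self.failures.get(username)
        if rec is None:
            return False
        count, last = rec
        return count >= self.fail_count and self.clock() - last < self.lock_out_time

    def _register_failure(self, username):
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, self.clock())

    def authenticate(self, username, password):
        known = username in self.users
        salt, expected = self.users[username] if known else self._dummy
        # Always hash and always compare in constant time; decide afterwards so the
        # unknown-user path takes the same time as a wrong password for a known user.
        candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
        match = hmac.compare_digest(candidate, expected)
        ok = match and known
        if self.is_locked(username):
            # 59708: a valid attempt during lock-out is refused but must not reset
            # the timer; a wrong password still extends the lock-out.
            if not ok:
                self._register_failure(username)
            return False
        if ok:
            self.failures.pop(username, None)
            return True
        self._register_failure(username)
        return False
```

Note the order inside ``authenticate``: the lock check happens after the hash so that a locked account and an unlocked one also take the same time, and ``known`` is applied after ``compare_digest`` rather than short-circuiting before it.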
Jasper
fix Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
fix Improve the error handling for custom tags to ensure that the tag is returned to the pool or released and destroyed once used. (markt)
fix Fixed StringIndexOutOfBoundsException. Based on a patch provided by wuwen via Github. (violetagg)
WebSocket
fix Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
fix 59868: Clarify the documentation for the Manager web application to make clearer that the host name and IP address in the server section are the primary host name and IP address. (markt)
fix 59908: Ensure that a reason phrase is included in the close message if a session is closed due to a timeout. (markt)
Web Applications
fix Do not log an additional case of IOExceptions in the error handler for the Drawboard WebSocket example when the root cause is the client disconnecting since the logs add no value. (markt)
fix 59642: Mention the localDataSource in the DataSourceRealm section of the Realm How-To. (markt)
fix Follow-up to the fix for 59399. Ensure that the new attribute transportGuaranteeRedirectStatus is documented for all Realms. Also document the NullRealm and when it is automatically created for an Engine. (markt)
fix MBeans Descriptors How-To is moved to mbeans-descriptors-howto.html. Patch provided by Radoslav Husar. (violetagg)
fix 60034: Correct a typo in the Manager How-To page of the documentation web application. (markt)
Tribes
add Add log message when the ping has timed-out. (kfujino)
fix If the ping message has been received at the AbstractReplicatedMap#leftOver method, ensure that the member is reported as alive rather than ignored. (kfujino)
jdbc-pool
fix Fix the duplicated connection release when connection verification failed. (kfujino)
fix Ensure that an abandoned connection that has already been released is not removed. (kfujino)
fix To avoid PoolCleaner being skipped unintentionally, remove the execution-interval check from the task that has already been scheduled. (kfujino)
fix 59849: Ensure that the connection verification is executed by initSQL (if required) if the borrowing PooledConnection has not been initialized. (kfujino)
fix 59850: Ensure that the ResultSet is closed when enabling the StatementCache interceptor. (kfujino)
fix 59923: Reduce the default value of validationInterval in order to avoid the potential issue that continues to return an invalid connection after database restart. (kfujino)
fix Ensure that the ResultSet is returned as Proxy object when enabling the StatementDecoratorInterceptor. (kfujino)
fix 60043: Ensure that the suspectTimeout works without removing connection when the removeAbandoned is disabled. (kfujino)
fix Add a log message when a connection that has been marked suspect is returned. (kfujino)
fix Correct Javadoc for ConnectionPool.suspect(). Based on a patch by Yahya Cahyadi. (markt)
Other
add Use the mirror network rather than the ASF master site to download the current ASF dependencies. (markt)
update Update the packaged version of the Tomcat Native Library to 1.2.8 to pick up the latest fixes and make 1.2.8 the minimum recommended version. (markt)
fix Fixed typos in mbeans-descriptors.xml files. (violetagg)
update Update the internal fork of Commons BCEL to r1757132 to align with the BCEL 6 release. (markt)
update Update the internal fork of Commons Codec to r1757174. Code formatting changes only. (markt)
update Update the internal fork of Commons FileUpload to afdedc9. This pulls in a fix to improve the performance with large multipart boundaries. (markt)
fix Update the download location for Objenesis. (violetagg)
Tomcat 7.0.70 (violetagg) released 2016-06-20
Catalina
fix 59219: Ensure AsyncListener.onError() is called if an Exception is thrown during async processing. (markt)
fix 59220: Ensure that AsyncListener.onComplete() is called if the async request times out and the response is already committed. (markt)
fix 59261: ServletRequest.getAsyncContext() now throws an IllegalStateException as required by the Servlet specification if the request is not in asynchronous mode when called. (markt)
fix 59310: Do not add a Content-Length: 0 header for custom responses to HEAD requests that do not set a Content-Length value. (markt)
fix When normalizing paths, improve the handling when paths end with /. or /.. and ensure that input and output are consistent with respect to whether or not they end with /. (markt)
fix 59317: Ensure that HttpServletRequest.getRequestURI() returns an encoded URI rather than a decoded URI after a dispatch. (markt)
fix Ensure that the value for the header X-Frame-Options is constructed correctly according to the specification when ALLOW-FROM option is used. (violetagg)
add 59399: Add a new option to the Realm implementations that ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS redirects to be controlled per Realm. (markt)
fix 59449: In ContainerBase, ensure that the process to remove a child container is the reverse of the process to add one. Patch provided by Huxing Zhang. (markt)
fix RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop. Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. (markt)
fix Fix a potential concurrency issue with the web application class loader and concurrent reads and writes of the resource cache. (markt)
fix 59619: Within the web application class loader, always use path as the key for the resource cache to improve the hit ratio. This also fixes a problem exposed by the fix for 56777 that enabled file based configuration resources to be loaded from the class path. (markt)
fix Fix the error message when registering an MBean fails. (kfujino)
Coyote
fix 58970: Fix a connection counting bug in the NIO connector that meant some dropped connections were not removed from the current connection count. (markt)
fix 59289: Do not recycle upgrade processors in unexpected close situations. (remm)
fix Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response. (markt)
fix When an asynchronous request is processed by the AJP connector, ensure that request processing has fully completed before starting the next request. (markt)
fix If an async dispatch results in the completion of request processing, ensure that any remaining request body is swallowed before starting the processing of the next request else the remaining body may be read as the start of the next request leading to a 400 response. (markt)
Jasper
fix Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory. (markt)
fix 59654: Enforce the requirements of section 7.3.1 of the JSP specification regarding the permitted locations for TLD files. Patch provided by Huxing Zhang. (markt)
WebSocket
fix Ensure that a client disconnection triggers the error handling for the associated WebSocket end point. (markt)
Web Applications
fix Correct a typo in SSL/TLS Configuration How-To. Issue reported via comments.apache.org. (violetagg)
fix 58891: Update the SSL how-to. Based on a suggestion by Alexander Kjäll. (markt)
Tribes
fix Fix potential NPE that depends on the setting order of attributes of static member when using the static cluster. (kfujino)
add Add get/set method for the channel that is related to ChannelInterceptorBase. (kfujino)
fix As with the multicast cluster environment, in the static cluster environment, the local member inherits properties from the cluster receiver. (kfujino)
add Add get/set method for the channel that is related to each Channel services. (kfujino)
add Add a name to the channel in order to identify channels. In a Tomcat cluster environment, the default value is the cluster name + "-Channel". (kfujino)
add Add the channel name to the thread which is invoked by channel services in order to identify the associated channel. (kfujino)
fix Ensure that the channel instance is cleared from the channel services when the channel is stopped. (kfujino)
add Implement map state in the replication map. (kfujino)
fix Ensure that the ping is not executed during the start/stop of the replication map. (kfujino)
fix In the replication map's ping processing, send the newly introduced PING message instead of the INIT message. (kfujino)
jdbc-pool
fix Fix a memory leak with the pool cleaner thread that retained a reference to the web application class loader for the first web application to use a connection pool. (markt)
Other
update Update the packaged version of the Tomcat Native Library to 1.2.7 to pick up the Windows binaries that are based on OpenSSL 1.0.2h and APR 1.5.2. (violetagg/markt)
update Remove native code (Windows Service Wrapper, APR/native connector) support for Windows Itanium. (markt)
update Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus additional fixes). (markt)
fix 58626: Add support for a new environment variable (USE_NOHUP) that causes nohup to be used when starting Tomcat. It is disabled by default except on HP-UX where it is enabled by default since it is required when starting Tomcat at boot on HP-UX. (markt)
Features
* Update Visual Studio build facade
* Update read me
* Performance improvements for @extend
* Performance improvements
Fixes
* Disable FMA3 when compiling with Visual Studio 2013
* Fix for loop variable to be referenced
* Fix number compare issues when used as map keys with old gcc
* Fix results of map-get not being evaluated
* Fix null pointer access
* Fix bug with media queries and @extend
Misc
* Cleanup initial shared ptr interface
* Refactor selector list and schema handling
* Cleanup context usage and extend code
* Cleanup misc
* Cleanup issues detected by clang's static analyser
* Remove Textual intermediate AST node
* Add libsass-python to README
[core] add crash-handler.wait-pipe-close parameter 1092 (Frederik Deweerdt)
[core] introduce an option to bypass the server header sent from upstream 1226 (Frederik Deweerdt)
[core] apply global- and host-level configuration to requests not applicable to any of the path-level configurations 1231 (Kazuho Oku)
[access-log] add %{remote}p for logging the remote port 1166 (Kazuho Oku)
[access-log] add support for JSON-style escapes and null 1208 (Kazuho Oku)
[access-log] add specifier for logging per-request environment variables 1221 (Yannick Koechlin)
[access-log] add support for <, > modifiers for logging either the original or the final response 1238 (Kazuho Oku)
[access-log] do not emit request-total-time twice 1017 (Kazuho Oku)
[fastcgi] fix a bug that closes the FastCGI listener socket during startup 1203 (Frederik Deweerdt)
[file] add directive for serving gzipped files, decompressing them on-the-fly 1140 (Ichito Nagata)
[headers] fix buffer overrun during startup 1180 (Frederik Deweerdt)
[http1][proxy] preserve the cases of characters used in header names 1194 (Frederik Deweerdt)
[http1][proxy] fix undefined behavior in HTTP/1 parser 1189 (Frederik Deweerdt)
[http1] stop reading from socket after sending 400 to avoid the risk of assertion failure 1223 (Frederik Deweerdt)
[http2] recognize x-http2-push-only attribute on link header 1169 (Frederik Deweerdt)
[http2] add optional timeout for closing connections upon graceful shutdown 1108 (Frederik Deweerdt)
[http2] do not ack an acked PING frame 1175 (Moto Ishisawa)
[http2] reject requests exceeding the maximum allowed size more efficiently 1183 (Frederik Deweerdt)
[mruby] remove dependency on mkmf 1197 (Yuki Kurihara)
[mruby] correct the line number reported on an exception 1239 (Ichito Nagata)
[proxy] add directives for tweaking headers sent to upstream 1126 (Justin Zhu)
[proxy] retain case-sensitivity of unix socket paths 1131 (Frederik Deweerdt)
[proxy] add directive for controlling the via request header 1225 (Frederik Deweerdt)
[ssl] add directive for logging session ID 1164 (Yannick Koechlin)
[ssl] add support for TLS 1.3 draft-18 1204 (Kazuho Oku)
[ssl] stop evicting session entries in memcached when they are removed from internal cache 1185 (Ichito Nagata)
[ssl] fix crash when a secp384r1, secp521r1 certificate is used with TLS 1.3 1214 (Kazuho Oku)
[ssl] fix build failure with OpenSSL 1.1.0 1216 (Kazuho Oku)
[ssl] add doc for handshake-timeout 1233 (Kazuho Oku)
[status] fix race condition during start-up 1242 (Frederik Deweerdt)
[libh2o] implement h2o_evloop_destroy 1200 (kazan417)
[misc] add test code for fuzzing 1174 1182 1191 1192 (Frederik Deweerdt, Jonathan Foote)
[misc] fix issues reported by Coverity 1168 1172 1179 (Harrison Bowden, Frederik Deweerdt)
The bug which causes libnghttp2_asio client to crash has been fixed.
The bug which causes nghttpx to respond to a client with 502 status code if it receives 204 status code from HTTP/1 backend has been fixed.
Upstream changes:
unicorn 5.3.0 / 2017-04-01 08:03 UTC
A couple of portability fixes from Dylan Thacker-Smith and
Jeremy Evans since 5.3.0.pre1 over a week ago, but this looks
ready for a stable release, today.
When I started this over 8 years ago, I wondered if this would
just end up being an April Fools' joke. Guess not. I guess I
somehow tricked people into using a terribly marketed web server
that cannot talk directly to untrusted clients :x Anyways,
unicorn won't be able to handle slow clients 8 years from now,
either, or 80 years from now. And I vow never to learn to use
new-fangled things like epoll, kqueue, or threads :P
Anyways, this is a largish release with several new features,
and no backwards incompatibilities.
Simon Eskildsen contributed heavily using TCP_INFO under Linux
to implement the (now 5 year old) check_client_connection feature:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-check_client_connection
https://bogomips.org/unicorn-public/?q=s:check_client_connection&d:..20170401&x=t
This also led to FreeBSD and OpenBSD portability improvements in
one of our dependencies, raindrops:
https://bogomips.org/raindrops-public/20170323024829.GA5190@dcvr/T/#u
Jeremy Evans contributed several new features. First he
implemented after_worker_exit to aid debugging:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-after_worker_exit
https://bogomips.org/unicorn-public/?q=s:after_worker_exit&d:..20170401&x=t#t
And then security-related features to isolate workers. Workers
may now chroot to drop access to the master filesystem, and the
new after_worker_ready configuration hook now exists to aid with
chroot support in workers:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-after_worker_ready
https://bogomips.org/unicorn/Unicorn/Worker.html#method-i-user
https://bogomips.org/unicorn-public/?q=s:after_worker_ready&d:..20170401&x=t#t
https://bogomips.org/unicorn-public/?q=s:chroot&d:..20170401&x=t#t
Additionally, workers may run in a completely different VM space
(nullifying preload_app and any CoW savings) with the new
worker_exec option:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-worker_exec
https://bogomips.org/unicorn-public/?q=s:worker_exec&d:..20170401&x=t#t
There are also several improvements to FreeBSD and OpenBSD
support with the addition of these features.
shortlog of changes since v5.2.0 (2016-10-31):
Dylan Thacker-Smith (1):
Check for Socket::TCP_INFO constant before trying to get TCP_INFO
Eric Wong (30):
drop rb_str_set_len compatibility replacement
TUNING: document THP caveat for Linux users
tee_input: simplify condition for IO#write
remove response_start_sent
http_request: freeze constant strings passed IO#write
Revert "remove response_start_sent"
t/t0012-reload-empty-config.sh: access ivars directly if needed
t0011-active-unix-socket.sh: fix race condition in test
new test for check_client_connection
revert signature change to HttpServer#process_client
support "struct tcp_info" on non-Linux and Ruby 2.2+
unicorn_http: reduce rb_global_variable calls
oob_gc: rely on opt_aref_with optimization on Ruby 2.2+
http_request: reduce insn size for check_client_connection
freebsd: avoid EINVAL when setting accept filter
test-lib: expr(1) portability fix
tests: keep disabled tests defined
test_exec: SO_KEEPALIVE value only needs to be true
doc: fix links to raindrops project
http_request: support proposed Raindrops::TCP states on non-Linux
ISSUES: expand on mail archive info + subscription disclaimer
test_ccc: use a pipe to synchronize test
doc: remove private email support address
input: update documentation and hide internals.
http_server: initialize @pid ivar
gemspec: remove olddoc from build dependency
doc: add version annotations for new features
unicorn 5.3.0.pre1
doc: note after_worker_exit is also 5.3.0+
test_exec: SO_KEEPALIVE value only needs to be true (take #2)
Jeremy Evans (7):
Add after_worker_exit configuration option
Fix code example in after_worker_exit documentation
Add support for chroot to Worker#user
Add after_worker_ready configuration option
Add worker_exec configuration option
Don't pass a block for fork when forking workers
Check for SocketError on first ccc attempt
Simon Eskildsen (1):
check_client_connection: use tcp state on linux
unicorn 5.3.0.pre1 / 2017-03-24 00:25 UTC
A largish release with several new features.
Simon Eskildsen contributed heavily using TCP_INFO under Linux
to implement the (now 5 year old) check_client_connection feature:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-check_client_connection
https://bogomips.org/unicorn-public/?q=s:check_client_connection&d:..20170324&x=t
This also led to FreeBSD and OpenBSD portability improvements in
one of our dependencies, raindrops:
https://bogomips.org/raindrops-public/20170323024829.GA5190@dcvr/T/#u
Jeremy Evans contributed several new features. First he
implemented after_worker_exit to aid debugging:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-after_worker_exit
https://bogomips.org/unicorn-public/?q=s:after_worker_exit&d:..20170324&x=t#t
And then security-related features to isolate workers. Workers
may now chroot to drop access to the master filesystem, and the
new after_worker_ready configuration hook now exists to aid with
chroot support in workers:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-after_worker_ready
https://bogomips.org/unicorn/Unicorn/Worker.html#method-i-user
https://bogomips.org/unicorn-public/?q=s:after_worker_ready&d:..20170324&x=t#t
https://bogomips.org/unicorn-public/?q=s:chroot&d:..20170324&x=t#t
Additionally, workers may run in a completely different VM space
(nullifying preload_app and any CoW savings) with the new
worker_exec option:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-worker_exec
https://bogomips.org/unicorn-public/?q=s:worker_exec&d:..20170324&x=t#t
There are also several improvements to FreeBSD and OpenBSD
support with the addition of these features.
34 changes since 5.2.0 (2016-10-31):
Eric Wong (27):
drop rb_str_set_len compatibility replacement
TUNING: document THP caveat for Linux users
tee_input: simplify condition for IO#write
remove response_start_sent
http_request: freeze constant strings passed IO#write
Revert "remove response_start_sent"
t/t0012-reload-empty-config.sh: access ivars directly if needed
t0011-active-unix-socket.sh: fix race condition in test
new test for check_client_connection
revert signature change to HttpServer#process_client
support "struct tcp_info" on non-Linux and Ruby 2.2+
unicorn_http: reduce rb_global_variable calls
oob_gc: rely on opt_aref_with optimization on Ruby 2.2+
http_request: reduce insn size for check_client_connection
freebsd: avoid EINVAL when setting accept filter
test-lib: expr(1) portability fix
tests: keep disabled tests defined
test_exec: SO_KEEPALIVE value only needs to be true
doc: fix links to raindrops project
http_request: support proposed Raindrops::TCP states on non-Linux
ISSUES: expand on mail archive info + subscription disclaimer
test_ccc: use a pipe to synchronize test
doc: remove private email support address
input: update documentation and hide internals.
http_server: initialize @pid ivar
gemspec: remove olddoc from build dependency
doc: add version annotations for new features
Jeremy Evans (6):
Add after_worker_exit configuration option
Fix code example in after_worker_exit documentation
Add support for chroot to Worker#user
Add after_worker_ready configuration option
Add worker_exec configuration option
Don't pass a block for fork when forking workers
Simon Eskildsen (1):
check_client_connection: use tcp state on linux
Upstream changes:
MediaWiki 1.28.1
Changes since 1.28.0
$wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has more than one database server setup.
(T152717) Better escaping for PHP mail() command
(T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored.
(T154672) Un-deprecate ArticleAfterFetchContentObject hook.
(T158766) Avoid SQL error on MSSQL when using selectRowCount()
(T145635) Fix too long index error when installing with MSSQL
(T156184) $wgRawHtml will no longer apply to internationalization messages.
(T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
(T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
(T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
(T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
(T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
(T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
(T156184) SECURITY: Escape content model/format url parameter in message.
(T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
(T161453) SECURITY: LocalisationCache will no longer use the temporary directory in its fallback chain when trying to work out where to write the cache.
(T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.
Added support for waiting for I/O using selectors other than select, improving urllib3’s behaviour with large numbers of concurrent connections. (Pull 1001)
Updated the date for the system clock check. (Issue 1005)
ConnectionPools now correctly consider hostnames to be case-insensitive. (Issue 1032)
Outdated versions of PyOpenSSL now cause the PyOpenSSL contrib module to fail when it is injected, rather than at first use. (Pull 1063)
Outdated versions of cryptography now cause the PyOpenSSL contrib module to fail when it is injected, rather than at first use. (Issue 1044)
Automatically attempt to rewind a file-like body object when a request is retried or redirected. (Pull 1039)
Fix some bugs that occur when modules incautiously patch the queue module. (Pull 1061)
Prevent retries from occurring on read timeouts for which the request method was not in the method whitelist. (Issue 1059)
Changed the PyOpenSSL contrib module to lazily load idna to avoid unnecessarily bloating the memory of programs that don’t need it. (Pull 1076)
Add support for IPv6 literals with zone identifiers. (Pull 1013)
Added support for socks5h:// and socks4a:// schemes when working with SOCKS proxies, and controlled remote DNS appropriately. (Issue 1035)
Maintenance release
Issues
Unfortunately there are still 2 unfixed long standing bugs in this release:
* suwsgi protocol behind nginx does not work reliably when a request body is sent by the client (https://github.com/unbit/uwsgi/issues/1490). As we cannot reproduce it in uWSGI itself, we will start checking in the nginx module too
* There are reports of the “holy” wsgi env allocator crashing on specific conditions, this release includes a bunch of workarounds but they could not be enough
Changes
* workaround for the holy allocator for avoiding crashes with newrelic (see Issues notes)
* avoid time overflow in request logs during (even minimal) clock skew
* fixed python logger with python3
* fixed catch-exceptions with python3
* backported “don’t clone $env->{‘psgix.io’} on ‘PSGI cancel’”
* added support for authentication in the redis logger
* added the spinningfifo action hook to the core
* fixed compilation with php 7.1
* correctly returns error code 22 in lazy_apps + master_mode
* fixed compilation for OpenSSL 1.1
* Add a --skip-atexit-teardown option to skip perl/python teardown
* fixed static file serving over https-socket
Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API. Loofah excels at HTML sanitization (XSS
prevention). It includes some nice HTML sanitizers, which are based on
HTML5lib's whitelist, so it most likely won't make your code less
secure.
Highlights of this release:
1. Binary wheels are now built for Windows systems.
2. setopt_string method added to Curl objects to permit setting string libcurl options that PycURL does not know about.
3. curl module can now be imported on Windows again.
4. OPENSOCKETFUNCTION callback is now invoked with the address as bytes on Python 3 as was documented.
5. Support for many libcurl options and constants was added.
As always, the release notes cover the medley of new features in detail, but a few highlights are:
* Class-based model indexes for creating database indexes.
* Template-based widget rendering to ease customizing form widgets.
* Subquery expressions to create explicit subqueries using the ORM.
6.25 2017-04-03
- Fix LWP::UserAgent docs for request and request_simple that pointed to
functions in LWP::Simple rather than LWP::UserAgent
- Moved the official bug tracker to GitHub rather than RT.
7.29 2017-03-12
- Added support for overriding configuration files in applications tested with
Test::Mojo.
- Added html_attr_unescape function to Mojo::Util.
- Fixed unescaping of HTML5 attribute values in Mojo::DOM::HTML.
7.28 2017-03-07
- Added copy_to, realpath and sibling methods to Mojo::File.
- Added dir option to list_tree method in Mojo::File.
- Improved app generator command to generate a config file.
(tudorconstantin)
7.27 2017-02-27
- Added support for UNIX domain sockets. (sri, salva)
- Improved Mojo::UserAgent to complain about unsupported protocols.
- Fixed a bug in Mojo::URL where invalid host strings could be generated.
- Fixed blib handling in Mojo::Home.
6.03 2017-04-03 11:35:35-04:00 America/Toronto
- No changes since TRIAL release 6.02
6.02 2017-01-12 18:02:49-05:00 America/Toronto (TRIAL RELEASE)
- Document the lack of Public Suffix https://publicsuffix.org/ support
- Add TODO tests for lack of Public Suffix support
- Improve "maxage" documentation
- Update the GitHub repository location
- Use GitHub Issues instead of RT
- Stop using bareword filehandles
- Various internal distribution management and testing changes
* Bug 4688: various typo error(s) in man page(s)
* libtrie: Fix 'make check' when run before 'make all'
* Docs: update refresh_pattern description regarding 'max' option
* Fix variable shadowing after rev.14149
* Bug 4508: Host forgery stalls intercepted being-spliced connections.
* Native FTP relay: NAT and TPROXY interception fixes
* ext_kerberos_ldap_group_acl: fix unused value warnings
* Check that -k argument is provided before trying to use it.
* Fix missing CRLF on FTP timeout ABORT commands
* Fix crash when configuring with invalid delay_parameters restore value.
* Fix regression in CONNECT authentication after rev.14142
* Bump SSL client on [more] errors encountered before ssl_bump evaluation
Upstream changes:
0.23 20170323 (Thu Mar 23 19:35:00 GMT+1 2017)
- seems as if "provides" in META.json makes new versions not get indexed
properly
. No code changes, no need to upgrade
. We also allow static installation now, without running Makefile.PL
0.22 20160923 (Fri Sep 23 21:35:00 GMT+2 2016)
- seems as if "provides" in META.json must be a full path to the file...
. No code changes, no need to upgrade
0.21 Fri Sep 23 17:38:00 GMT+2 2016
- add META.json, added by Lisa Hare
. No code changes, no need to upgrade
Changelog:
Fixed:
Use Nirmala UI as fallback font for additional Indic languages (Bug 1342787)
Fix loading tab icons on session restore (Bug 1338009)
Fix a crash on startup on Linux (Bug 1345413)
Fix new installs erroneously not prompting to change the default browser setting (Bug 1343938)
libnghttp2
----------
The bug that nghttp2_session_want_write may return 0 if there are pending frames after a GOAWAY frame is submitted has been fixed.
build
-----
_U_ macro has been eliminated in favor of old school (void)VAR for better compiler compatibility.
libnghttp2_asio
---------------
The asio client now sends PING frame when it gets idle for 30 seconds.
src
---
Mozilla’s “Modern compatibility” ciphers are used by default.
nghttpx
-------
The bug that -v option does not print out version number has been fixed.
The workaround of getaddrinfo failure with AI_ADDRCONFIG has been applied.
nghttpx now escapes certain characters in access log.
nghttpx now enables backend pattern matching with --http2-proxy option as well.
Changelog:
#CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
#CVE-2017-5401: Memory Corruption when handling ErrorResult
#CVE-2017-5402: Use-after-free working with events in FontFace objects
#CVE-2017-5404: Use-after-free working with ranges in selections
#CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
#CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
#CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service
#CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
#CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
#CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8
Changelog:
Version 9.1.4 Feb 2 2017
[major] Make error message for password reset form more generic - core/#27011
[major] When sharing autocomplete is disabled, also disable for the email field - core/#26504
[major] Add command to clean up invalid/expired remote storages - core/#26379
[major] Fix encryption key storage when using LDAP home folder rules - core/#26820
[major] Properly react on memcache errors - core/#25692
[major] Fix random normalizedPathCache log messages / garbage collection issues from PHP 7 - core/#22370
[major] Properly deal with inconsistent LDAP/memcache or user/group manager responses - core/#26871
[major] Added configreport app which will help with better bug reports - configreport/#6
[minor] Fix syncing of file names with colon followed by a number - core/#25479
[minor] Prevent empty user uid from LDAP - user_ldap/#6
[minor] Prevent repeated log messages when dealing with broken picture files - core/#26758
[minor] Fix group-enable option in apps page when memcache is enabled - core/#26638
[minor] Add AVMaxFileSize config option - files_antivirus/#133
[minor] Reduce number of federated share requests when dealing with non-existing entries - core/#26324
[minor] Remove obsolete legacy storage repair routine - core/#26774
[minor] Fix broken remote avatar image in activities tab - activity/#529
[minor] When grouping duplicate shares, sort by stime then id - core/#25830
[minor] Make file upload post hooks consistent between chunking and non-chunking mode - core/#26387
[minor] Fix wrong German translation in upload progress bar by using momentjs library - core/#26804
[minor] Skip unavailable storages in background file scan instead of failing - core/#26055
[minor] Update PHP 7.1 incompatibility warning - core/#26982
[minor] Warning notification when uploading 4+ GB file in IE11 - core/#27004
Quote from the release announcement:
The bugfix release fixes several issues, including a problem
with the initialization of custom entry points. Also, the
changes from Contao 3.5 have been adopted.