bin/catalina.sh

@@ -240,7 +240,7 @@ if $cygwin; then
   CATALINA_BASE=`cygpath --absolute --windows "$CATALINA_BASE"`
   CATALINA_TMPDIR=`cygpath --absolute --windows "$CATALINA_TMPDIR"`
   CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
-  JAVA_ENDORSED_DIRS=`cygpath --path --windows "$JAVA_ENDORSED_DIRS"`
+  [ -n "$JAVA_ENDORSED_DIRS" ] && JAVA_ENDORSED_DIRS=`cygpath --path --windows "$JAVA_ENDORSED_DIRS"`
 fi
 
 if [ -z "$JSSE_OPTS" ] ; then

build.properties.default

@@ -25,7 +25,7 @@
 # ----- Version Control Flags -----
 version.major=8
 version.minor=5
-version.build=30
+version.build=31
 version.patch=0
 version.suffix=
 

conf/catalina.properties

@@ -147,6 +147,9 @@ tomcat.util.buf.StringCache.byte.enabled=true
 #tomcat.util.buf.StringCache.trainThreshold=500000
 #tomcat.util.buf.StringCache.cacheSize=5000
 
+# This system property is deprecated. Use the relaxedPathChars relaxedQueryChars
+# attributes of the Connector instead. These attributes permit a wider range of
+# characters to be configured as valid.
 # Allow for changes to HTTP request validation
-# WARNING: Using this option will expose the server to CVE-2016-6816
+# WARNING: Using this option may expose the server to CVE-2016-6816
 #tomcat.util.http.parser.HttpParser.requestTargetAllow=|

debian/changelog

+tomcat8 (8.5.31-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream release
+  * Build with ant/1.10.3-2 and the automatic 'release' attribute restoring
+    the backward compatibility with Java 7 (Closes: #895866)
+  * Search for Java 10 and 11 runtimes
+  * Don't follow the symlinks when setting the owner of the /var/log/tomcat8
+    and /var/cache/tomcat8 directories in the postinst script
+  * Use salsa.debian.org Vcs-* URLs
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Thu, 14 Jun 2018 13:32:46 +0200
+
 tomcat8 (8.5.30-1) unstable; urgency=medium
 
   * Team upload.

debian/control

@@ -8,7 +8,7 @@ Uploaders:
  Jakub Adam <jakub.adam@ktknet.cz>,
  Emmanuel Bourg <ebourg@apache.org>
 Build-Depends:
- ant-optional,
+ ant-optional (>= 1.10.3-2~),
  debhelper (>= 11),
  default-jdk,
  javahelper,
@@ -25,8 +25,8 @@ Build-Depends:
  maven-repo-helper,
  po-debconf
 Standards-Version: 4.1.4
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/tomcat8.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/tomcat8.git
+Vcs-Git: https://salsa.debian.org/java-team/tomcat8.git
+Vcs-Browser: https://salsa.debian.org/java-team/tomcat8
 Homepage: http://tomcat.apache.org
 
 Package: tomcat8-common

debian/tomcat8.init

@@ -58,7 +58,7 @@ TOMCAT8_GROUP=tomcat8
 # this function sets the variable JDK_DIRS
 find_jdks()
 {
-    for java_version in 9 8
+    for java_version in 11 10 9 8
     do
         for jvmdir in /usr/lib/jvm/java-${java_version}-openjdk-* \
                       /usr/lib/jvm/jdk-${java_version}-oracle-* \

debian/tomcat8.postinst

@@ -36,7 +36,7 @@ case "$1" in
 		--ingroup "$TOMCAT8_GROUP" --disabled-password --shell /bin/false \
 		"$TOMCAT8_USER"
 	fi
-	chown -R $TOMCAT8_USER:adm /var/log/tomcat8 /var/cache/tomcat8
+	chown -Rh $TOMCAT8_USER:adm /var/log/tomcat8 /var/cache/tomcat8
 	chmod 750 /var/log/tomcat8 /var/cache/tomcat8
 
 	# populate /etc/logrotate.d/tomcat8

java/org/apache/catalina/Context.java

@@ -1848,4 +1848,24 @@ public interface Context extends Container, ContextBind {
      * @return The default response body encoding
      */
     public String getResponseCharacterEncoding();
+
+    /**
+     * Configure if, when returning a context path from {@link
+     * javax.servlet.http.HttpServletRequest#getContextPath()}, the return value
+     * is allowed to contain multiple leading '/' characters.
+     *
+     * @param allowMultipleLeadingForwardSlashInPath The new value for the flag
+     */
+    public void setAllowMultipleLeadingForwardSlashInPath(
+            boolean allowMultipleLeadingForwardSlashInPath);
+
+    /**
+     * When returning a context path from {@link
+     * javax.servlet.http.HttpServletRequest#getContextPath()}, is it allowed to
+     * contain multiple leading '/' characters?
+     *
+     * @return <code>true</code> if multiple leading '/' characters are allowed,
+     *         otherwise <code>false</code>
+     */
+    public boolean getAllowMultipleLeadingForwardSlashInPath();
 }

java/org/apache/catalina/WebResourceRoot.java

@@ -430,7 +430,7 @@ public interface WebResourceRoot extends Lifecycle {
      */
     void gc();
 
-    static enum ResourceSetType {
+    enum ResourceSetType {
         PRE,
         RESOURCE_JAR,
         POST,

java/org/apache/catalina/connector/OutputBuffer.java

@@ -454,6 +454,16 @@ public class OutputBuffer extends Writer {
             }
             if (from.remaining() > 0) {
                 flushByteBuffer();
+            } else if (conv.isUndeflow() && bb.limit() > bb.capacity() - 4) {
+                // Handle an edge case. There are no more chars to write at the
+                // moment but there is a leftover character in the converter
+                // which must be part of a surrogate pair. The byte buffer does
+                // not have enough space left to output the bytes for this pair
+                // once it is complete )it will require 4 bytes) so flush now to
+                // prevent the bytes for the leftover char and the rest of the
+                // surrogate pair yet to be written from being lost.
+                // See TestOutputBuffer#testUtf8SurrogateBody()
+                flushByteBuffer();
             }
         }
 

java/org/apache/catalina/connector/Request.java

@@ -1552,6 +1552,9 @@ public class Request implements org.apache.catalina.servlet4preview.http.HttpSer
     private void notifyAttributeAssigned(String name, Object value,
             Object oldValue) {
         Context context = getContext();
+        if (context == null) {
+            return;
+        }
         Object listeners[] = context.getApplicationEventListeners();
         if ((listeners == null) || (listeners.length == 0)) {
             return;
@@ -1940,7 +1943,7 @@ public class Request implements org.apache.catalina.servlet4preview.http.HttpSer
      * @param principal The user Principal
      */
     public void setUserPrincipal(final Principal principal) {
-        if (Globals.IS_SECURITY_ENABLED) {
+        if (Globals.IS_SECURITY_ENABLED && principal != null) {
             if (subject == null) {
                 final HttpSession session = getSession(false);
                 if (session == null) {
@@ -2048,15 +2051,28 @@ public class Request implements org.apache.catalina.servlet4preview.http.HttpSer
      */
     @Override
     public String getContextPath() {
-        String canonicalContextPath = getServletContext().getContextPath();
-        String uri = getRequestURI();
-        char[] uriChars = uri.toCharArray();
         int lastSlash = mappingData.contextSlashCount;
         // Special case handling for the root context
         if (lastSlash == 0) {
             return "";
         }
+
+        String canonicalContextPath = getServletContext().getContextPath();
+
+        String uri = getRequestURI();
         int pos = 0;
+        if (!getContext().getAllowMultipleLeadingForwardSlashInPath()) {
+            // Ensure that the returned value only starts with a single '/'.
+            // This prevents the value being misinterpreted as a protocol-
+            // relative URI if used with sendRedirect().
+            do {
+                pos++;
+            } while (pos < uri.length() && uri.charAt(pos) == '/');
+            pos--;
+            uri = uri.substring(pos);
+        }
+
+        char[] uriChars = uri.toCharArray();
         // Need at least the number of slashes in the context path
         while (lastSlash > 0) {
             pos = nextSlash(uriChars, pos + 1);

java/org/apache/catalina/core/DefaultInstanceManager.java

@@ -801,7 +801,7 @@ public class DefaultInstanceManager implements InstanceManager {
         }
     }
 
-    private static enum AnnotationCacheEntryType {
+    private enum AnnotationCacheEntryType {
         FIELD, SETTER, POST_CONSTRUCT, PRE_DESTROY
     }
 }

java/org/apache/catalina/core/NamingContextListener.java

@@ -963,7 +963,8 @@ public class NamingContextListener
             log.error(sm.getString("naming.bindFailed", e));
         }
 
-        if ("javax.sql.DataSource".equals(ref.getClassName()) &&
+        if (("javax.sql.DataSource".equals(ref.getClassName())  ||
+            "javax.sql.XADataSource".equals(ref.getClassName())) &&
                 resource.getSingleton()) {
             try {
                 ObjectName on = createObjectName(resource);

java/org/apache/catalina/core/StandardContext.java

@@ -821,8 +821,24 @@ public class StandardContext extends ContainerBase
 
     private String responseEncoding = null;
 
+    private boolean allowMultipleLeadingForwardSlashInPath = false;
+
+
     // ----------------------------------------------------- Context Properties
 
+    @Override
+    public void setAllowMultipleLeadingForwardSlashInPath(
+            boolean allowMultipleLeadingForwardSlashInPath) {
+        this.allowMultipleLeadingForwardSlashInPath = allowMultipleLeadingForwardSlashInPath;
+    }
+
+
+    @Override
+    public boolean getAllowMultipleLeadingForwardSlashInPath() {
+        return allowMultipleLeadingForwardSlashInPath;
+    }
+
+
     @Override
     public String getRequestCharacterEncoding() {
         return requestEncoding;

java/org/apache/catalina/filters/CorsFilter.java

@@ -1049,7 +1049,7 @@ public class CorsFilter implements Filter {
      * Enumerates varies types of CORS requests. Also, provides utility methods
      * to determine the request type.
      */
-    protected static enum CORSRequestType {
+    protected enum CORSRequestType {
         /**
          * A simple HTTP request, i.e. it shouldn't be pre-flighted.
          */

java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java

@@ -247,7 +247,7 @@ public class HttpHeaderSecurityFilter extends FilterBase {
     }
 
 
-    private static enum XFrameOption {
+    private enum XFrameOption {
         DENY("DENY"),
         SAME_ORIGIN("SAMEORIGIN"),
         ALLOW_FROM("ALLOW-FROM");

java/org/apache/catalina/filters/RestCsrfPreventionFilter.java

@@ -74,7 +74,7 @@ import javax.servlet.http.HttpSession;
  * </pre>
  */
 public class RestCsrfPreventionFilter extends CsrfPreventionFilterBase {
-    private static enum MethodType {
+    private enum MethodType {
         NON_MODIFYING_METHOD, MODIFYING_METHOD
     }
 

java/org/apache/catalina/startup/ClassLoaderFactory.java

@@ -298,7 +298,7 @@ public final class ClassLoaderFactory {
     }
 
 
-    public static enum RepositoryType {
+    public enum RepositoryType {
         DIR,
         GLOB,
         JAR,

java/org/apache/catalina/startup/FailedContext.java

@@ -806,4 +806,12 @@ public class FailedContext extends LifecycleMBeanBase implements Context {
     public void setResponseCharacterEncoding(String encoding) { /* NO-OP */ }
     @Override
     public String getResponseCharacterEncoding() { return null; }
+
+    @Override
+    public void setAllowMultipleLeadingForwardSlashInPath(
+            boolean allowMultipleLeadingForwardSlashInPath) {
+        // NO-OP
+    }
+    @Override
+    public boolean getAllowMultipleLeadingForwardSlashInPath() { return false; }
 }
\ No newline at end of file

java/org/apache/catalina/startup/HostConfig.java

@@ -1655,13 +1655,14 @@ public class HostConfig implements LifecycleListener {
      * now unused (have no active sessions) and undeploy any that are found.
      */
     public synchronized void checkUndeploy() {
+        if (deployed.size() < 2) {
+            return;
+        }
+
         // Need ordered set of names
         SortedSet<String> sortedAppNames = new TreeSet<>();
         sortedAppNames.addAll(deployed.keySet());
 
-        if (sortedAppNames.size() < 2) {
-            return;
-        }
         Iterator<String> iter = sortedAppNames.iterator();
 
         ContextName previous = new ContextName(iter.next(), false);