Subject: CVS commit: pkgsrc/www/apache-tomcat85
From: Ryo ONODERA
Date: 2017-08-15 03:50:46
Message id: 20170815015046.1A308FAD0@cvs.NetBSD.org
Log Message:
Update to 8.5.20
Changelog:
Tomcat 8.5.20 (markt)
Catalina
Fix: Revert the fix for 49464 since it continued to trigger regressions. (markt)
Fix: Correct a bug in the PushBuilder implementation that meant push URLs containing %nn sequences were not correctly decoded. Identified by FindBugs. (markt)
Add: 61164: Add support for the %X pattern in the AccessLogValve that reports the connection status at the end of the request. Patch provided by Zemian Deng. (markt)
Fix: 61351: Correctly handle %nn decoding of URL patterns in web.xml and similar locations that may legitimately contain characters that are not permitted by RFC 3986. (markt)
Add: 61366: Add a new attribute, localDataSource, to the JDBCStore that allows the Store to be configured to use a DataSource defined by the web application rather than the default of using a globally defined DataSource. Patch provided by Jonathan Horowitz. (markt)
Coyote
Fix: 61086: Ensure to explicitly signal an empty request body for HTTP 205 responses. Additional fix to r1795278. Based on a patch provided by Alexandr Saperov. (violetagg)
Update: 61345: Add a server listener that can be used to do system property replacement from the property source configured in the digester. (remm)
Add: Add additional logging to record problems that occur while waiting for the NIO pollers to stop during the Connector stop process. (markt)
Jasper
Fix: 61364: Ensure that files are closed after detecting encoding of JSPs so that files do not remain locked by the file system. (markt)
WebSocket
Add: 57767: Add support to the WebSocket client for following redirects when attempting to establish a WebSocket connection. Patch provided by J Fernandez. (markt)
2017-07-28 Tomcat 8.5.19 (markt)
Catalina
Fix: Performance improvements for service loader look-ups (and look-ups of other class loader resources) when the web application is deployed in a packed WAR file. (markt)
Fix: 61253: Add warn message when Digester.updateAttributes throws an exception instead of ignoring it. (csutherl)
Fix: Correct a further regression in the fix for 49464 that could cause a byte order mark character to appear at the start of content included by the DefaultServlet. (markt)
Fix: 61313: Make the read timeout configurable in the JNDIRealm and ensure that a read timeout will result in an attempt to fail over to the alternateURL. Based on patches by Peter Maloney and Felix Schumacher. (markt)
Web applications
Fix: Correct the documentation for how StandardRoot is configured. (markt)
Other
Fix: 61316: Fix corruption of UTF-16 encoded source files in released source distributions. (markt)
Tomcat 8.5.18 (markt)
Catalina
Fix: 61232: When log rotation is disabled only one separator will be used when generating the log file name. For example if the prefix is catalina. and the suffix is .log then the log file name will be catalina.log instead of catalina..log. Patch provided by Katya Stoycheva. (violetagg)
Fix: 61264: Correct a regression in the refactoring to use Charset rather than String to store request character encoding that prevented getReader() throwing an UnsupportedEncodingException if the user agent specifies an unsupported character encoding. (markt)
Fix: Correct a regression in the fix for 49464 that could cause an incorrect Content-Length header to be sent by the DefaultServlet if the encoding of a static is not consistent with the encoding of the response. (markt)
Coyote
Fix: Enable TLS connectors to use Java key stores that contain multiple keys where each key has a separate password. Based on a patch by Frank Taffelt. (markt)
Fix: Improve the handling of HTTP/2 stream resets due to excessive headers when a continuation frame is used. (markt)
Jasper
Add: 53031: Add support for the fork option when compiling JSPs with the Jasper Ant task and javac. (markt)
Other
Add: 52791: Add the ability to set the defaults used by the Windows installer from a configuration file. Patch provided by Sandra Madden. (markt)
Tomcat 8.5.17 (markt)
Catalina
Fix: 49464: Improve the Default Servlet's handling of static files when the file encoding is not compatible with the required response encoding. (markt)
Fix: 61214: Remove deleted attribute servlets from the Context MBean description. Patch provided by Alexis Hassler. (markt)
Fix: 61215: Correctly define addConnectorPort and invalidAuthenticationWhenDeny in the mbean-descriptors.xml file for the org.apache.catalina.valves package so that the attributes are accessible via JMX. (markt)
Fix: Make asynchronous error handling more robust. In particular ensure that onError() is called for any registered AsyncListeners after an I/O error on a non-container thread. (markt)
Fix: Additional permission for deleting files is granted to JULI as it is required by FileHandler when running under a Security Manager. The thread that cleans the log files is marked as daemon thread. (violetagg)
Fix: 61229: Correct a regression in 8.5.15 that broke WebDAV handling for resources with names that included a & character. (markt)
Coyote
Fix: Restore the ability to configure support for SSLv3. Enabling this protocol will trigger a warning in the logs since it is known to be insecure. (markt)
Fix: Do not log a warning when a null session is returned for an OpenSSL based TLS session since this is expected when session tickets are enabled. (markt)
Fix: When the access log valve logs a TLS related request attribute and the NIO2 connector is used with OpenSSL, ensure that the TLS attric SSL session access for the APR connector. (remm)
Add: To ease migration from 8.0.x to 8.5.x, if the HTTP or AJP BIO connector is explicitly configured, rather than failing to start the connector because BIO has been removed, automatically switch to tribute searchExternalFirst from the documentation since the attribute is no longer supported. (markt)
2017-06-26 Tomcat 8.5.16 (markt)
Catalina
Fix: 61072: Respect the documentation statements that allow using the platform default secure random for session id generation. (remm)
Fix: Correct the javadoc for o.a.c.connector.CoyoteAdapter#parseSessionCookiesId. Patch provided by John Andrew (XUZHOUWANG) via Github. (violetagg)
Fix: 61101: CORS filter should set Vary header in response. Submitted by Rick Riemer. (remm)
Add: 61105: Add a new JULI FileHandler configuration for specifying the maximum number of days to keep the log files. (violetagg)
Fix: 61125: Ensure that WarURLConnection returns the correct value for calls to getLastModified() as this is required for the correct detection of JSP modifications when the JSP is packaged in a WAR file. (markt)
Fix: Improve the SSLValve so it is able to handle client certificate headers from Nginx. Based on a patch by Lucas Ventura Carro. (markt)
Fix: 61134: Do not use '[' and ']' symbols around substituted text fragments when generating the default error pages. Patch provided by Katya Todorova. (violetagg)
Fix: 61154: Allow the Manager and Host Manager web applications to start by default when running under a security manager. This was accomplished by adding a custom permission, org.apache.catalina.security.DeployXmlPermission, that permits an application to use a META-INF/context.xml file and then granting that permission to the Manager and Host Manager. (markt)
Fix: 61173: Polish the javadoc for o.a.catalina.startup.Tomcat. Patch provided by peterhansson_se. (violetagg)
Add: A new configuration property crawlerIps is added to the o.a.catalina.valves.CrawlerSessionManagerValve. Using this property one can specify a regular expression that will be used to identify crawlers based on their IP address. Based on a patch provided by Tetradeus. (violetagg)
Fix: 61180: Log a warning message rather than an information message if it takes more than 100ms to initialise a SecureRandom instance for a web application to use to generate session identifiers. Patch provided by Piotr Chlebda. (markt)
Fix: 61185: When an asynchronous request is dispatched via AsyncContext.dispatch() ensure that getRequestURI() for the dispatched request matches that of the original request. (markt)
Fix: 61197: Ensure that the charset name used in the Content-Type header has exactly the same form as that provided by the application. This reverts a behavioural change in 8.5.15 that caused problems for some clients. (markt)
Fix: 61201: Ensure that the SCRIPT_NAME environment variable for CGI executables is populated in a consistent way regardless of how the CGI servlet is mapped to a request. (markt)
Coyote
Fix: 61086: Explicitly signal an empty request body for HTTP 205 responses. (markt)
Fix: 61120: Do not ignore path parameters when processing HTTP/2 requests. (markt)
Fix: Revert a change introduced in the fix for bug 60718 that changed the status code recorded in the access log when the client dropped the connection from 200 to 500. (markt)
Fix: Add additional syncs to the SSL session object provided by the OpenSSL engine so that a concurrent destruction cannot cause a JVM crash. (remm)
Fix: 61195: Backport, with deprecation where appropriate, the endpoint and protocol property changes from 9.0.x to ease migration from 8.5.x to 9.0.x. (markt)
Jasper
Fix: 44787: Improve error message when JSP compiler configuration options are not valid. (markt)
Fix: 61137: j.s.jsp.tagext.TagLibraryInfo#uri and j.s.jsp.tagext.TagLibraryInfo#prefix fields should not be final. Patch provided by Katya Todorova. (violetagg)
WebSocket
Fix: Correct the log message when a MessageHandler for PongMessage does not implement MessageHandler.Whole. (rjung)
Add: Introduce new API o.a.tomcat.websocket.WsSession#suspend/o.a.tomcat.websocket.WsSession#resume that can be used to suspend/resume reading of the incoming messages. (violetagg)
Fix: Improve thread-safety of Futures used to report the result of sending WebSocket messages. (markt)
Fix: 61183: Correct a regression in the previous fix for 58624 that could trigger a deadlock depending on the locking strategy employed by the client code. (markt)
Web applications
Fix: Better document the meaning of the trimSpaces option for Jasper. (markt)
Fix: 61150: Configure the Manager and Host-Manager web applications to permit serialization and deserialization of CRSFPreventionFilter related session objects to avoid warning messages and/or stack traces on web application stop and/or start when running under a security manager. (markt)
Fix: Correct the TLS configuration documentation to remove SSLv2 and SSLv3 from the list of supported protocols. (markt)
Tribes
Add: Add JMX support for Tribes components. (kfujino)
Other
Add: 45832: Add HTTP DIGEST authentication support to the Catalina Ant tasks used to communicate with the Manager application. (markt)
Fix: 45879: Add the RELEASE-NOTES file to the root of the installation created by the Tomcat installer for Windows to make it easier for users to identify the installed Tomcat version. (markt)
Fix: 61055: Clarify the code comments in the rewrite valve to make clear that there are no plans to provide proxy support for this valve since Tomcat does not have proxy capabilities. (markt)
Fix: 61076: Document the altDDName attribute for the Context element. (markt)
Fix: Correct typo in Jar Scan Filter Configuration Reference. Issue reported via comments.apache.org. (violetagg)
Fix: 61145: Add missing @Documented annotation to annotations in the annotations API. Patch provided by Katya Todorova. (markt)
Fix: 61146: Add missing lookup() method to @EJB annotation in the annotations API. Patch provided by Katya Todorova. (markt)
Fix: Correct typo in Context Container Configuration Reference. Patch provided by Katya Todorova. (violetagg)
Files: