Merge branch 'apache:main' into main

Author: Alessio

.github/dependabot.yml

@@ -1,5 +1,15 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
 # Please see the documentation for all configuration options:
 # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 

.github/workflows/ci-macos.yml

@@ -27,15 +27,15 @@ jobs:
   JDKxx_Matrix:
     strategy:
       fail-fast: false
-    name: JDK24 macos-latest
+    name: JDK25 macos-latest
     runs-on: macos-latest
     steps:
     - name: Git Checkout
       uses: actions/checkout@v5
     - name: Set up Java
       uses: actions/setup-java@v5
       with:
-        java-version: 24
+        java-version: 25
         distribution: zulu
     - name: Build
       run: |
@@ -47,7 +47,7 @@ jobs:
       if: ${{ !cancelled() }}
       uses: actions/upload-artifact@v4
       with:
-        name: JDK24-macos-latest-logs
+        name: JDK25-macos-latest-logs
         path: |
           hs_err_*.log
           output/build/logs/TEST*.txt

.github/workflows/ci.yml

@@ -33,21 +33,19 @@ jobs:
       matrix:
         isMain:
           - ${{ contains(github.ref, 'main') }}
-        java: [ 21, 24, 25-ea ]
+        java: [ 21, 25, 26-ea ]
         os: [ ubuntu-latest, windows-latest, macos-latest ]
         exclude:
           - os: windows-latest
             java: 21
           - os: macos-latest
             java: 21
-          - os: ubuntu-latest
-            java: 24
           - os: windows-latest
-            java: 24
+            java: 25
           - os: macos-latest
-            java: 24
+            java: 25
           - os: macos-latest
-            java: 25-ea
+            java: 26-ea
     name: JDK${{ matrix.java }} ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/coverity.yml

@@ -1,3 +1,15 @@
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
 # Build Tomcat using the Coverity Build Tool and upload the analysis results to scan.covertiy.com
 name: Coverity Scan
 

CONTRIBUTING.md

@@ -43,7 +43,7 @@ the issues marked 'Beginner', link below. Please note that the Beginner keyword
 is pretty new to the project, so if there aren't any issues in the filter feel
 free to ask on the [dev list](https://tomcat.apache.org/lists.html#tomcat-dev).
 
-* [Beginner issues](https://bz.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&keywords=Beginner&keywords_type=allwords&list_id=160824&product=Tomcat%207&product=Tomcat%208.5&product=Tomcat%209&query_format=advanced) -
+* [Beginner issues](https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&keywords=Beginner&keywords_type=allwords&product=Tomcat%209&product=Tomcat%2010&product=Tomcat%2011&query_format=advanced) -
 issues which should only require a few lines of code, and a test or two to
 resolve.
 

java/org/apache/catalina/Container.java

@@ -429,7 +429,7 @@ static Service getService(Container container) {
      *
      * @param request    Request (associated with the response) to log
      * @param response   Response (associated with the request) to log
-     * @param time       Time taken to process the request/response in milliseconds (use 0 if not known)
+     * @param time       Time taken to process the request/response in nanoseconds (use 0 if not known)
      * @param useDefault Flag that indicates that the request/response should be logged in the engine's default access
      *                       log
      */

java/org/apache/catalina/Store.java

@@ -75,6 +75,8 @@ public interface Store {
      * <p>
      * Implementations should expect, and correctly handle, concurrent calls to any method but in particular calls to
      * {@code #load(String)}, {@code #save(Session)} and {@code #remove(String)} for the same session.
+     * <p>
+     * The session ID is user provided so stores must treat it as untrusted data.
      *
      * @param id Session identifier of the session to load
      *
@@ -92,6 +94,8 @@ public interface Store {
      * <p>
      * Implementations should expect, and correctly handle, concurrent calls to any method but in particular calls to
      * {@code #load(String)}, {@code #save(Session)} and {@code #remove(String)} for the same session.
+     * <p>
+     * The session ID is user provided so stores must treat it as untrusted data.
      *
      * @param id Session identifier of the Session to be removed
      *

java/org/apache/catalina/ant/AbstractCatalinaTask.java

@@ -28,6 +28,7 @@
 import java.net.URLConnection;
 
 import org.apache.catalina.util.IOTools;
+import org.apache.tomcat.util.http.Method;
 import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.Project;
 
@@ -187,7 +188,7 @@ public void execute(String command, InputStream istream, String contentType, lon
                 preAuthenticate();
 
                 hconn.setDoOutput(true);
-                hconn.setRequestMethod("PUT");
+                hconn.setRequestMethod(Method.PUT);
                 if (contentType != null) {
                     hconn.setRequestProperty("Content-Type", contentType);
                 }
@@ -198,7 +199,7 @@ public void execute(String command, InputStream istream, String contentType, lon
                 }
             } else {
                 hconn.setDoOutput(false);
-                hconn.setRequestMethod("GET");
+                hconn.setRequestMethod(Method.GET);
             }
             hconn.setRequestProperty("User-Agent", "Catalina-Ant-Task/1.0");
 
@@ -297,7 +298,7 @@ private void preAuthenticate() throws IOException, URISyntaxException {
         hconn.setDoInput(true);
         hconn.setUseCaches(false);
         hconn.setDoOutput(false);
-        hconn.setRequestMethod("OPTIONS");
+        hconn.setRequestMethod(Method.OPTIONS);
         hconn.setRequestProperty("User-Agent", "Catalina-Ant-Task/1.0");
 
         // Establish the connection with the server

java/org/apache/catalina/authenticator/AuthenticatorBase.java

@@ -70,6 +70,7 @@
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.apache.tomcat.util.http.FastHttpDateFormat;
+import org.apache.tomcat.util.http.Method;
 import org.apache.tomcat.util.http.RequestUtil;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -500,7 +501,7 @@ public void invoke(Request request, Response response) throws IOException, Servl
 
         // Make sure that constrained resources are not cached by web proxies
         // or browsers as caching can provide a security hole
-        if (constraints != null && disableProxyCaching && !"POST".equalsIgnoreCase(request.getMethod())) {
+        if (constraints != null && disableProxyCaching && !Method.POST.equals(request.getMethod())) {
             if (securePagesWithPragma) {
                 // Note: These can cause problems with downloading files with IE
                 response.setHeader("Pragma", "No-cache");
@@ -623,7 +624,7 @@ protected boolean allowCorsPreflightBypass(Request request) {
         if (allowCorsPreflight != AllowCorsPreflight.NEVER) {
             // First check to see if this is a CORS Preflight request
             // This is a subset of the tests in CorsFilter.checkRequestType
-            if ("OPTIONS".equals(request.getMethod())) {
+            if (Method.OPTIONS.equals(request.getMethod())) {
                 String originHeader = request.getHeader(CorsFilter.REQUEST_HEADER_ORIGIN);
                 if (originHeader != null && !originHeader.isEmpty() && RequestUtil.isValidOrigin(originHeader) &&
                         !RequestUtil.isSameOrigin(request, originHeader)) {

java/org/apache/catalina/authenticator/FormAuthenticator.java

@@ -40,6 +40,7 @@
 import org.apache.tomcat.util.buf.ByteChunk;
 import org.apache.tomcat.util.buf.MessageBytes;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
+import org.apache.tomcat.util.http.Method;
 import org.apache.tomcat.util.http.MimeHeaders;
 
 /**
@@ -301,7 +302,7 @@ protected boolean doAuthenticate(Request request, HttpServletResponse response)
                 // the landing page
                 String uri = request.getContextPath() + landingPage;
                 SavedRequest saved = new SavedRequest();
-                saved.setMethod("GET");
+                saved.setMethod(Method.GET);
                 saved.setRequestURI(uri);
                 saved.setDecodedRequestURI(uri);
                 request.getSessionInternal(true).setNote(Constants.FORM_REQUEST_NOTE, saved);
@@ -326,7 +327,7 @@ protected boolean doAuthenticate(Request request, HttpServletResponse response)
                 // the landing page
                 String uri = request.getContextPath() + landingPage;
                 SavedRequest saved = new SavedRequest();
-                saved.setMethod("GET");
+                saved.setMethod(Method.GET);
                 saved.setRequestURI(uri);
                 saved.setDecodedRequestURI(uri);
                 session.setNote(Constants.FORM_REQUEST_NOTE, saved);
@@ -443,7 +444,7 @@ protected void forwardToLoginPage(Request request, HttpServletResponse response,
 
         // Always use GET for the login page, regardless of the method used
         String oldMethod = request.getMethod();
-        request.getCoyoteRequest().method().setString("GET");
+        request.getCoyoteRequest().setMethod(Method.GET);
 
         RequestDispatcher disp = context.getServletContext().getRequestDispatcher(loginPage);
         try {
@@ -459,7 +460,7 @@ protected void forwardToLoginPage(Request request, HttpServletResponse response,
             response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg);
         } finally {
             // Restore original method so that it is written into access log
-            request.getCoyoteRequest().method().setString(oldMethod);
+            request.getCoyoteRequest().setMethod(oldMethod);
         }
     }
 
@@ -585,7 +586,7 @@ protected boolean restoreRequest(Request request, Session session) throws IOExce
         String method = saved.getMethod();
         MimeHeaders rmh = request.getCoyoteRequest().getMimeHeaders();
         rmh.recycle();
-        boolean cacheable = "GET".equalsIgnoreCase(method) || "HEAD".equalsIgnoreCase(method);
+        boolean cacheable = Method.GET.equals(method) || Method.HEAD.equals(method);
         Iterator<String> names = saved.getHeaderNames();
         while (names.hasNext()) {
             String name = names.next();
@@ -619,15 +620,15 @@ protected boolean restoreRequest(Request request, Session session) throws IOExce
 
             // If no content type specified, use default for POST
             String savedContentType = saved.getContentType();
-            if (savedContentType == null && "POST".equalsIgnoreCase(method)) {
+            if (savedContentType == null && Method.POST.equals(method)) {
                 savedContentType = Globals.CONTENT_TYPE_FORM_URL_ENCODING;
             }
 
             contentType.setString(savedContentType);
             request.getCoyoteRequest().setContentType(contentType);
         }
 
-        request.getCoyoteRequest().method().setString(method);
+        request.getCoyoteRequest().setMethod(method);
         // The method, URI, queryString and protocol are normally stored as
         // bytes in the HttpInputBuffer and converted lazily to String. At this
         // point, the method has already been set as String in the line above