Shouldn't 461 be re-classified as a 4.0 issue?
ServletRequest.setCharacterEncoding is a new feature of 2.3.
----- Original Message -----
From: "Larry Isaacs" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 12, 2001 8:31 AM
Subject: Remaining Tomcat 3.3 Issues
> Hi All,
>
> I have made a pass through all Tomcat3 bugs. Those listed below
> are the only ones that remain open as of last night. Listed for
> RC1 and RC2 are issues I have accumulated as well as bugs that must
> be resolved.
>
> Each of these issues needs to be considered according to its
> impact on the stability of Tomcat 3.3. I think most of the bugs
> are already fixed, but I need someone more familiar with the
> code to make a more informed assessment about the appropriate
> resolution.
>
> I am going ahead and posting this even though I haven't spent much
> time trying to identify which of these I consider showstoppers
> (mainly due to dancing late into the night with Bugzilla).
> At this moment, by default I don't consider any of these
> showstoppers. I will try to review this and post my opinions later,
> probably tomorrow. Others are welcome to offer their opinions in this
> regard.
>
> ===== Tomcat 3.3 Release Issues =====
>
> To Be Addressed for RC1:
>
> 1. HttpSessionFacade.setAttribute() isn't synchronized. If a second
request
> called "setAttribute()" after this request's "removeAttribute()" and
before
> "realSession.setAttribute()", the second request's value would be
overwritten
> without an valueUnbound() being called.
>
> 2. Evaluate Tomcat 3.3's vulnerability to "Double Checked Locking". This
> is referred to in Bug #177. See:
> http://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html
> for details. I think ServletHandler.init() is currently subject to this
> vulnerability.
>
> 3. The spec doesn't address whether a the form-login-page and
form-error-page
> should be excluded from the security-constraint, but it makes sense that
> it should. It might be best to postpone this.
>
> 4. Address user authentication via Ajp12 and Ajp13. Ajp12 has a test for
> isTomcatAuthentication() to see if req.setRemoteUser() should be called.
> I think Ajp13 doesn't have this yet and probably should. Also, if the
> user is anonymous, i.e. user = "", should we call req.setRemoteUser()
> with this value? This prevents Tomcat's normal authentication from being
> triggered.
>
> 5. If a error handler is not found for an exception, check the root cause
> as well if it is a ServletException. This is mentioned in Bug 3233. I
think
> it would be a good idea to apply this. I don't think we are prohibited
> by the spec. We could add an option to be safe if there is concern.
>
> 6. StaticInterceptor is missing a localization enhancement added to
> Tomcat 3.2.x. Should this enhancement be ported to Tomcat 3.3? Is
> this still considered a regression, though it isn't part of the
> Servlet 2.2/JSP 1.1 spec?
>
> 7. Evaluate whether anything should be done to deal with the use of
> non-thread-safe DateFormat and related classes.
>
> Must Resolve Bugs:
>
> 177 Race condition during servlet initialization BugRat Report#2
> 182 JSP error-page doesn't work with virtual hosts BugRat Report
> 274 request.getUserPrincipal() doesn't work when user is authent
> 437 req.getParameter(name) Ignores charset. always assumes ISO88
> 461 Use setCharacterEncoding("UTF8") does not change the way get
> 463 Ctx( /examples ): IOException in: R( /examples + + null) No
> 1253 Frequent Connection reset by peer errors
> 1482 Ignored session ids in encoded URLs
> 1663 Tomcat -SSL problem
> 1798 Tomcat 3.2.2b5 with Apache and ajp13 stops responding after
> 3233 exception handling wrt errorpages seems to be incorrect
> 3486 Session problem (with case insensitive context matching on windows)
>
>
>
> To Be Addressed by RC2:
>
> 8. We need to remove or optionally disable the shutdown support in
> Ajp13Interceptor. This allows configuring a password protected
> Ajp12Interceptor shutdown to be the only shutdown available.
>
> 9. Some files under src/native have embedded CR's, i.e. Unix files would
have
> CRLF and Windows files would have CRCRLF's. These need to be fixed.
>
> 10. The jk_nt_service, and I assume jniconnect, redirect stdout and stderr
to
> files. With the default server.xml with no path for tc_log, Tomcat's
> startup output ends up in the "stderr" log. I would have expected it to
> be in the "stdout" log. Is there a reason the o.a.t.u.qlog.Logger uses
> stderr as the default sink instead of stdout?
>
> 11. Make sure we are okay with mod_jk not supporting Apache's rewrite
> in Tomcat 3.3's mod_jk. I'm fine with not supporting it, but I want
> to include some justification in the documentation to avoid some of
> the "why don't you" questions.
>
> 12. To simplify upgrade development, I would like to see the classpath
> for the "container", "common", and "apps" classloaders include the
> directory so classes placed under them will be picked up.
>
> 13. Determine cause of pauses running Tomcat's internal test with
> Tomcat + IIS.
>
>
> Must Resolve Bugs:
>
> 82 Jasper not affected by mod_rewrite BugRat Report#49 (part of issue
11)
> 111 after httpd reload mod_jk fails to find a worker BugRat Repo
> 276 JNI problem: bufferedreader.read fails in Tomcat/IIS/JNI set
> 319 Nor Hig All [EMAIL PROTECTED] UNCO Tomcat does not launch with
given
> Unix script files BugRat R
> 405 response.sendRedirect() in MS Explorer 5.5 fails using both
> 620 StopTomcat defaults to localhost
> 2333 Nor Oth PC [EMAIL PROTECTED] NEW HTTP Reason will be destroyed in
header
> using AJP12
> 2550 Ajp13 Connection hanging on static content.
> 2927 Nor Oth PC [EMAIL PROTECTED] NEW ArrayIndexOutOfBoundsException when
> accessing ajp13
>
>
> Open in 3.2.x But Fixed in 3.3
>
> 384 AJP13 returns no Status Message (Reason-Phrase RFC 2616) Bug
> 2057 URL contains encoded special chars
>
> ========================
>
> I will update the RELEASE-PLAN-3.3 tomorrow with the previous
> schedule and these issues, updating as needed base on discussion
> that occurs before then. These issues are the driving force for
> when RC1 and RC2 can be built and posted. The dates previously
> voted on are still the targets, but may slip as needed to deal
> with these issues.
>
> I plan to go through (possibly with some help) all the Tomcat3 bugs.
> Where I find bugs for earlier Tomcat's that have not been addressed
> for Tomcat 3.3, I will do what I can to address them. I will prepare
> and post a list of all bugs and there status in Tomcat 3.3. If
> I don't have this list ready prior to RC2, I will still build and
> post RC2, but will not start the 7 day voting deadline clock until
> this list is posted.
>
> If a showstopper appears from this scan (which I don't expect to happen)
> I will post this issue and plan on another release candidate.
>
>
> Cheers,
> Larry
>
>
*----*
This message is intended only for the use of the person(s) listed above
as the intended recipient(s), and may contain information that is
PRIVILEGED and CONFIDENTIAL. If you are not an intended recipient,
you may not read, copy, or distribute this message or any attachment.
If you received this communication in error, please notify us immediately
by e-mail and then delete all copies of this message and any attachments.
In addition you should be aware that ordinary (unencrypted) e-mail sent
through the Internet is not secure. Do not send confidential or sensitive
information, such as social security numbers, account numbers, personal
identification numbers and passwords, to us via ordinary (unencrypted)
e-mail.