commit 11c3f8bd9e - Test and its UI class
are added (both V8 and V7). Required functionality should be available
via modern GWT version.
commit 729dbf96fe - About update release
notes. No need to be included.
commit 675f38349c - V8 already contains
correct Import-Packages section which uses osgi.javax.servlet.version
variable whise version is 3.0.0 at the moment.
commit 5da7c052f5 - Use Vaadin plugin
7.7.0 from 7.7.0.alpha1. Is not applicable.
commit 1df80001ab - Updated tutorial to
Vaadin 7.7.0. Is not applicable. The tutorial already contains correct
links and updated source code snippets.
commit 8b4f0ed8a8 - set-property-fallback
name="user.agent" value="safari". Is already there.
commit 28ed04e827 - Fix animation end
listeners so they are always removed. Is already there.
commit 408253bc3f - Use servlet context
classloader when finding servlet class for websockets. Is already there.
commit 7a6f250d89 - Fire actions before
removing menu from the DOM. Is already there.
commit 9b66c6eb9b - Do not run test on IE8
as IE8 is broken. Transplanted.
commit 3faa43ff39 - Discard for DateField
when the data source contains null. It is not applicable for V8 (There
is no anymore discard method in DateField (and no datasource suport in
field)). Transplanted for DateField in compatibility.
commit e0c1f91a3d - Fix ComboBox paging
when number of items equals page length. It's already done by another
fix which replaced ComboBox in compatibility package to the V7 version.
commit 83a1b8a096 - Update DOM and update
escalator row count in the correct order. Transplanted.
commit 45f2fba8ff - Prevent editor from
being canceled while it is being saved. Transplanted to compatibility
package. Is not applicable to modern Grid.
commit ad67f7f43a - Delete broken
stylesheet and revert to default style until a new stylesheet is
created. Is already there.
commit c970a78d42 - Always show loading
indicator for JavaScript RPC. Transplanted.
commit 2aad341606 - Make test independent
of any converters present in the factory. It's already there.
commit c9ad48430b - Do not include
yuicompressor for Sass compiler. Transplanted. Exclusion is added into
vaadin/pom.xml
commit 52d01a68e9 - Test for Firefox
download disconnecting push channel. Transplanted.
commit 4bc375d1d2 - Handle encoded URL
characters correctly when constructing widget set name. Transplanted.
commit 17ba88eaf8 - Update version to
7.7-SNAPSHOT. Is not applicable.
commit 47b7b13e5c - Ensure Firefox always
updates the grid scrollbar. Transplanted. Made changes in the logic to
the test for modern Grid component.
commit 4d851ba21d - Calculate column
widths immediately if there is data. Transplanted to both client side
modules.
commit 8f0b1a1dd0 - Skip Maven enforcer
plugin during demo validation. Transplanted (one build file is
affected).
commit 62815353e1 - Build demos from 7.7
branch (now for master branch). FW8 demos are added (one build file is
affected).
commit 815d72115d - Make test pass on all
browsers. Transplanted to both V7 and V8 version tests.
commit 516c428ca1 - Use widget set
specified by init parameter. Transplanted to the one UIProvider class.
commit b00c580ed7 - Use correct column
index when calculating min width during resize. Transplanted into both
client side classes (main and compatibility) as is. Test for V7 is
transplanted as is. Test for V8 is written from scratch based on V7
version.
commit 7dd91cf057 - Fix regression that
broke widget set compilation in 7.7.1. It's already there.
commit c665731b0b - Ensure temporary
layout manager state is cleared at the end of a layout phase.
Transplanted to the one LayoutManager class.
commit 57a965251a - Fix assertion error
when column widths are calculated. Transplanted to both versions of the
client Grid widget.
commit c5c52684eb - Format Java files
using Eclipse Neon and Vaadin settings. Only formatting changes. Is not
transplanted.
f5d06d8771 - Change javadoc to a style
Eclipse formatter can handle. Transplanted to both versions of the
client Grid widget.
commit 6033e13c20 - Make initially
disabled grid work when enabled. Transplanted to both client side
modules.
commit a2d6e4fb4b - Use
requestAnimationFrame when scrolling in Grid. Transplanted to both
client side modules.
commit fe9438e7b7 - Specify branch also
for Sampler. Is not applicable for master branch.
commit 1ec5d8ef7c - Update to Chrome 53.
Is already there.
commit 961851bfbc - Updated link to new
step 1 video in tutorial. Is already there.
commit 41dc2fe161 - Revert "Use widget set
specified by init parameter. Transplanted to the one UIProvider class.
commit 092b4f7f31 - Use widget set
specified by init parameter. Transplanted to the common server side
classes.
commit 977cec7e31 - Fix widget set builder
to create widget set in correct location. Transplanted to the one
ClassPathExplorer class file.
commit 6c12ad89ea - Format project pom
files using correct settings. Is not transplanted: only formatting
changes for POM files.
commit 0aad93ecc1 - Add tests for
widgetset compilation in different modes. Transplanted. New test
projects.
commit 0a3a1ef832 - Use
versions-maven-plugin 2.3 to avoid NPE while setting project version. Is
already there.
Change-Id: Ie3a5088f25de1772f01ea30c4a5eba0b169ee0ab
Prevent HTTP Response splitting in case the server doesn't (#19611)
Prevent user-provided input used in the redirect from containing newline
characters as the user agent would interpret subsequent parts of the
input as additional headers or the actual HTTP payload.
At least modern versions of Tomcat and Jetty already protect against
this kind of attack by escaping received header values, but that is not
necessarily the case for older versions or other servlet engines.
See https://www.owasp.org/index.php/HTTP_Response_Splitting for details.
Change-Id: If4b9bf5fba953073de49c1ab1cba8e5e6bc8e546
Catch all Exceptions when trying to open a gzipped resource (#13653)
URLConnection.getInputStream may throw any IOException, not just
FileNotFoundException. Additionally, catch and log unexpected non-IOExceptions
just in case to keep the app from failing hard.
Change-Id: Id7ce7ddee3de38ccd10d9e02e6c587a86b9cac96
Catch all Exceptions when trying to open a gzipped resource (#13653)
URLConnection.getInputStream may throw any IOException, not just
FileNotFoundException. Additionally, catch and log unexpected non-IOExceptions
just in case to keep the app from failing hard.
Change-Id: Id7ce7ddee3de38ccd10d9e02e6c587a86b9cac96
Serve pre-compressed static resources by default (#13653)
* enabled widgetset compression in GWT compiler
* serving compressed static files if available (when serving through
VaadinServlet)
Change-Id: I34c289c85cda74a1d291bf621211aee446c6c80f
set Cache-Control and Expires header even when not-modified (#8757)
Usually first a resource is served with the lower code block. this
provides cache-control, expires and last-modification headers to the
browser. But when a not-modified response was served, these headers
were missing. This effectively caused the caching to no longer work once
the not-modified responses are sent out.
Change-Id: I9b1f0cacc91734f88bb0384872da0d426d4b5fe0
Writer.flush() is specified as:
"Flushes the stream. If the stream has saved any characters from the various
write() methods in a buffer, write them immediately to their intended
destination. Then, if that destination is another character or byte stream,
flush it. Thus one flush() invocation will flush all the buffers in a chain
of Writers and OutputStreams."
Change-Id: Iecafdbb13a7a26a48300d2967c25c705f5bf1e38
When InputStream cannot be opened while writing static resource response, display 404 instead of 500 (#10920)
A security audit revealed that it is possible to trigger an error 500 with
stack trace by just trying a directory traversal. An example of this can be
found in the sampler: http://demo.vaadin.com/sampler/VAADIN/widgetsets/
While there are other scenarios that can produce exceptions, in this place
Vaadin can handle it more graceful by just catching the exception and
returning 404.
Change-Id: Iec68d81d3bca365ec133737a9cd3e3b825d192b2
simplified isStaticResourceRequest and improved its performance (#11758)
The previous implementation did first check if the PathInfo was empty (null returned).
This is almost never the case in reality. But if it happens, then the RequestURI would never contain contextRoot+"/VAADIN/".
Next it checked that contextUri was not null, and checked if the Uri started with "/VAADIN/".
This only would have worked in case the context root would have been "".
The next case checked was if the Uri starts with contextRoot+"/VAADIN/".
This is what you normally want to check. The only valid other case from before (contextRoot == "") is also covered by this line.
What you would have seen in normal deployments is:
* First if exit only for first request (http://demo.vaadin.com/sampler/) (and sometimes not even that depending on trailing slash config)
* Second exit only on no context root deployments (getContextRoot() returns "")
* Last exit in all other cases
Additionally, the existing implementation does not work correctly for the case getContextRoot would return null (which thankfully no container does).
Change-Id: I500e0c5eb0ac2bfa0b32af91800b2f7f303485ff
Add getCacheTime(filename) to VaadinServlet (#11744)
This implementation by default adheres to the GWT Pristine Caching rules
and calculates 0 seconds for ".nocache." and 1 year for ".cache."
filenames. All other filenames will use the value configured in the
deployment configuration.
By exposing this to a method, developers can implement custom naming
schemes. Developers also can opt to set an expires header using this
value.
Change-Id: Ibc0d17d48d38bfa3bb28bdf3929ad314828be406
Derive current servlet/portlet from the current service (#11779)
Implement VaadinPortlet.getCurrent() to use VaadinService.getCurrent()
instead of having a separate thread local variable. This is done to
avoid classloading issues when determining which instances to preserve
in CurrentInstance.setThreadLocals. The two current instances have
previously been kept in sync in all cases except during
VaadinPortlet.init where VaadinService has not yet been created.
VaadinPortlet.setCurrent() is removed as no way of preserving its
semantics has been found. This breaks API compatibility, but is probably
better than having a deprecated implementation that can not work as
expected in all situations.
The same changes have also been made to VaadinServlet to maintain the
symmetry.
Change-Id: I0a1ccc07a4aeecec558a9aaae211bd56207313d8
Ilia Motornyi
Henri Sara
caalador
Artur
Leif Åstrand
Pekka Hyvönen
Per-Åke Minborg
Denis Anisimov
Henri Sara
Teemu Suo-Anttila
Leif Åstrand
Vladimir Kulev
Johannes Dahlström
Matti Tahvonen
Fabian Lange