Posted to notifications@dubbo.apache.org by "linjianming02 (via GitHub)" <gi...@apache.org> on 2023/04/26 07:14:38 UTC

[GitHub] [dubbo] linjianming02 opened a new issue, #12193: Serialization error during invocation under a specific usage pattern in version 3.1.8

linjianming02 opened a new issue, #12193:
URL: https://github.com/apache/dubbo/issues/12193

   
   - [ ] I have searched the [issues](https://github.com/apache/dubbo/issues) of this repository and believe that this is not a duplicate.
   
   ### Environment
   
   * Dubbo version: 3.1.8
   * Operating System version: xxx
   * Java version: 1.8
   
   ### Steps to reproduce this issue
   
   1. Define the following class, in which one field is of type Object:
   
   ```java
   import java.io.Serializable;
   import lombok.Data;
   
   // Lombok @Data generates getObject()/setObject(); the field is untyped (Object)
   @Data
   public class StoreDTO implements Serializable {
       private Object object;
   }
   ```
   2. Execute the following method:
   
   ```java
   import java.util.ArrayList;
   import java.util.List;
   
   public StoreDTO test3() {
       StoreDTO storeDTO = new StoreDTO();
       ArrayList<String> objects = new ArrayList<>();
       objects.add("a");
       objects.add("b");
       objects.add("c");
       // subList() returns a java.util.ArrayList$SubList view, which does not implement Serializable
       List<String> strings = objects.subList(0, 2);
       storeDTO.setObject(strings);
       return storeDTO;
   }
   ```
   3. The following error is produced:
   
   ```
   [Serialization Security] Serialized class java.util.ArrayList$SubList has not implement Serializable interface. Current mode is strict check, will disallow to deserialize it by default. , dubbo version: 3.1.8
   ```
   
   The reproduction steps can be summarized as follows: a Dubbo request or response object contains an Object type, for example a return value of Object, List<Object> or Map<String,Object>, or a StoreDTO with a field of type Object, List<Object> or Map<String,Object>, and the actual runtime type of the Object does not implement the Serializable interface; in that case the corresponding error is reported.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org


Re: [I] Serialization error during invocation under a specific usage pattern in version 3.1.8 [dubbo]

Posted by "CrazyHZM (via GitHub)" <gi...@apache.org>.
CrazyHZM closed issue #12193: Serialization error during invocation under a specific usage pattern in version 3.1.8
URL: https://github.com/apache/dubbo/issues/12193




[GitHub] [dubbo] linjianming02 commented on issue #12193: Serialization error during invocation under a specific usage pattern in version 3.1.8

Posted by "linjianming02 (via GitHub)" <gi...@apache.org>.
linjianming02 commented on issue #12193:
URL: https://github.com/apache/dubbo/issues/12193#issuecomment-1522986331

   > `Serializable` is a convention that guarantees data transfer in RPC calls. If java.util.ArrayList$SubList itself does not implement the Serializable interface, that means the JDK itself does not want this class to be passed over RPC.
   
   So is the recommendation here not to use Object to pass data at all? Have you encountered this situation in your own practice?




[GitHub] [dubbo] AlbumenJ commented on issue #12193: Serialization error during invocation under a specific usage pattern in version 3.1.8

Posted by "AlbumenJ (via GitHub)" <gi...@apache.org>.
AlbumenJ commented on issue #12193:
URL: https://github.com/apache/dubbo/issues/12193#issuecomment-1522952205

   `Serializable` is a convention that guarantees data transfer in RPC calls. If java.util.ArrayList$SubList itself does not implement the Serializable interface, that means the JDK itself does not want this class to be passed over RPC.




[GitHub] [dubbo] AlbumenJ commented on issue #12193: Serialization error during invocation under a specific usage pattern in version 3.1.8

Posted by "AlbumenJ (via GitHub)" <gi...@apache.org>.
AlbumenJ commented on issue #12193:
URL: https://github.com/apache/dubbo/issues/12193#issuecomment-1525068144

   1. Passing data as Object can itself lead to security risks, so it should be avoided as far as possible.
   2. The Serializable problem comes from using SubList; just copy it into an ordinary list when you use it.


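The failing pattern from the original report (a `subList()` view stored in an Object-typed DTO field) beside the remedy from the last comment (copy it into a plain ArrayList), as an added Java example that is not part of the issue thread or of Dubbo's own code. It uses standard `java.io` serialization as a stand-in for Dubbo's strict-mode check, so the same class-level failure is visible without a Dubbo runtime; the `StoreDTO` here is a hand-written equivalent of the Lombok `@Data` class in the report, and the helper names `buildWithSubListView`, `buildWithCopiedList`, `isJavaSerializable` and `setPayloadChecked` are assumptions of this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class SubListSerializationDemo {

    // Hand-written equivalent of the issue's Lombok @Data StoreDTO
    // (assumption of this example: same single Object field, explicit accessors).
    public static class StoreDTO implements Serializable {
        private static final long serialVersionUID = 1L;
        private Object object;

        public Object getObject() { return object; }
        public void setObject(Object object) { this.object = object; }
    }

    // Builds the DTO exactly as the issue's test3() does: the field ends up holding a
    // java.util.ArrayList$SubList view, and that class does not implement Serializable.
    static StoreDTO buildWithSubListView() {
        ArrayList<String> objects = new ArrayList<>();
        objects.add("a");
        objects.add("b");
        objects.add("c");
        List<String> strings = objects.subList(0, 2);
        StoreDTO dto = new StoreDTO();
        dto.setObject(strings);
        return dto;
    }

    // The remedy from the thread: copy the view into an ordinary ArrayList, which is
    // Serializable, before it is placed in the RPC payload.
    static StoreDTO buildWithCopiedList() {
        ArrayList<String> objects = new ArrayList<>();
        objects.add("a");
        objects.add("b");
        objects.add("c");
        List<String> strings = new ArrayList<>(objects.subList(0, 2));
        StoreDTO dto = new StoreDTO();
        dto.setObject(strings);
        return dto;
    }

    // Stand-in for Dubbo's strict-mode check (assumption: plain Java serialization only,
    // none of Dubbo's allow-list logic). Walks the whole object graph, so it also catches
    // a non-Serializable class nested inside a List or Map field.
    static boolean isJavaSerializable(Object value) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(value);
            return true;
        } catch (NotSerializableException e) {
            return false;
        } catch (IOException e) {
            throw new IllegalStateException("unexpected I/O failure during serialization", e);
        }
    }

    // Producer-side guard for an Object-typed field: fail in the service code instead of
    // in the RPC layer. This is a shallow check on the top-level class only; use
    // isJavaSerializable when the full graph has to be verified.
    static void setPayloadChecked(StoreDTO dto, Object payload) {
        if (!(payload instanceof Serializable)) {
            throw new IllegalArgumentException(
                "payload class " + payload.getClass().getName() + " does not implement Serializable");
        }
        dto.setObject(payload);
    }

    public static void main(String[] args) {
        StoreDTO viaView = buildWithSubListView();
        StoreDTO viaCopy = buildWithCopiedList();
        System.out.println("SubList view -> serializable: " + isJavaSerializable(viaView));
        System.out.println("copied list  -> serializable: " + isJavaSerializable(viaCopy));

        // The guard rejects the SubList view before it can reach the wire.
        try {
            setPayloadChecked(new StoreDTO(), viaView.getObject());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        setPayloadChecked(new StoreDTO(), viaCopy.getObject());
        System.out.println("copied list accepted by guard");
    }
}
```

Save as `SubListSerializationDemo.java`, then `javac SubListSerializationDemo.java && java SubListSerializationDemo`. The copy fixes the immediate error, but the guard only exists because the field is declared as `Object`; declaring it with the concrete type the service actually exchanges (here `List<String>`) removes the ambiguity that the first point of the last comment warns about, and leaves the strict serialization check with a known class to verify.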