You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Oleg Kalnichevski (Jira)" <ji...@apache.org> on 2019/11/06 15:45:00 UTC
[jira] [Commented] (HTTPCLIENT-2022)
HttpCacheEntrySerializationException Message Unused
[ https://issues.apache.org/jira/browse/HTTPCLIENT-2022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16968452#comment-16968452 ]
Oleg Kalnichevski commented on HTTPCLIENT-2022:
-----------------------------------------------
[~Olof Larsson] Please submit the proposed fix as a PR at Github.
Oleg
> HttpCacheEntrySerializationException Message Unused
> ---------------------------------------------------
>
> Key: HTTPCLIENT-2022
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2022
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpCache
> Affects Versions: 4.5.10
> Reporter: Olof Larsson
> Priority: Minor
>
> *In Short*
> The HttpCacheEntrySerializationException message is unused in one of the class constructors. This looks like an easily corrected coding mistake.
> *Further Explanation*
> DefaultHttpCacheEntrySerializer has a code section looking like this:
> {code:java}
> @Override
> protected Class<?> resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
> if (isProhibited(desc)) {
> throw new HttpCacheEntrySerializationException(String.format(
> "Class %s is not allowed for deserialization", desc.getName()));
> }
> return super.resolveClass(desc);
> }
> {code}
> The constructor used looks like this:
> {code:java}
> public HttpCacheEntrySerializationException(final String message) {
> super();
> }
> {code}
> This means the useful error message created using string format will actually never be displayed in an error stack trace.
> *User Case*
> When trying to upgrade from 4.5.8 to 4.5.10 one of my applications stopped working.
> I have a custom implementation of persistent disk cache storage. It makes use of the DefaultHttpCacheEntrySerializer.
> The stack trace did not tell me what was wrong (because the informative string is not passed along in the constructor)
> {noformat}
> ...
> Caused by: java.lang.RuntimeException: org.apache.http.client.cache.HttpCacheEntrySerializationException
> at com.looklet.net.httpclientwrapper.executor.RequestExecutorImpl.executeToResponse(RequestExecutorImpl.java:46)
> at com.looklet.net.httpclientwrapper.executor.RequestExecutorImpl.execute(RequestExecutorImpl.java:66)
> ... 63 more
> Caused by: org.apache.http.client.cache.HttpCacheEntrySerializationException
> at org.apache.http.impl.client.cache.DefaultHttpCacheEntrySerializer$RestrictedObjectInputStream.resolveClass(DefaultHttpCacheEntrySerializer.java:107)
> at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1868)
> at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1751)
> ...{noformat}
> I had to use a debugger to figure out that the message was:
> "Class [C is not allowed for deserialization"
> Apparently this security patch forbids char arrays? ([https://reverseengineering.stackexchange.com/questions/17429/b-symbol-in-java-bytecode])
> On a side note maybe the whitelist could be expanded to allow all kinds of primitives and arrays of primitives?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org