Posted to issues@activemq.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/01/12 17:34:00 UTC

[jira] [Work logged] (AMQ-8097) Harden deserialization block xstream ack processing

     [ https://issues.apache.org/jira/browse/AMQ-8097?focusedWorklogId=534943&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-534943 ]

ASF GitHub Bot logged work on AMQ-8097:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 12/Jan/21 17:33
            Start Date: 12/Jan/21 17:33
    Worklog Time Spent: 10m 
      Work Description: jbonofre opened a new pull request #608:
URL: https://github.com/apache/activemq/pull/608


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 534943)
    Remaining Estimate: 0h
            Time Spent: 10m

> Harden deserialization block xstream ack processing
> ---------------------------------------------------
>
>                 Key: AMQ-8097
>                 URL: https://issues.apache.org/jira/browse/AMQ-8097
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 5.16.0, 5.15.13
>            Reporter: Jean-Baptiste Onofré
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>             Fix For: 5.16.1, 5.15.15
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Since we improved serialization security (see AMQ-7438), when a message has to be loaded from the store and the message is XStream serialized, it fails with:
> {code:java}
> 2020-12-04 16:42:26,107 | WARN  | / | org.eclipse.jetty.server.HttpChannel | qtp1987354705-137568
> com.thoughtworks.xstream.converters.ConversionException: 
> ---- Debugging information ----
> cause-exception     : com.thoughtworks.xstream.security.ForbiddenClassException
> cause-message       : java.lang.StackTraceElement
> class               : [Ljava.lang.StackTraceElement;
> required-type       : [Ljava.lang.StackTraceElement;
> converter-type      : com.thoughtworks.xstream.converters.collections.ArrayConverter
> path                : /org.apache.activemq.command.MessageAck/poisonCause/stackTrace/trace
> line number         : 28
> class[1]            : java.lang.Throwable
> required-type[1]    : java.lang.Throwable
> converter-type[1]   : com.thoughtworks.xstream.converters.extended.ThrowableConverter
> class[2]            : org.apache.activemq.command.MessageAck
> required-type[2]    : org.apache.activemq.command.MessageAck
> converter-type[2]   : com.thoughtworks.xstream.converters.reflection.ReflectionConverter
> version             : 1.4.11.1
> -------------------------------
> 	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:77)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.converters.extended.ThrowableConverter.unmarshal(ThrowableConverter.java:70)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1487)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1467)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1338)[xstream-1.4.11.1.jar:1.4.11.1]
> 	at org.apache.activemq.transport.xstream.XStreamWireFormat.unmarshalText(XStreamWireFormat.java:71)[activemq-http-5.15.13.jar:5.15.13]
> 	at org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)[activemq-http-5.15.13.jar:5.15.13]
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:763)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:551)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1363)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:489)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1278)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.Server.handle(Server.java:500)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> 	at java.lang.Thread.run(Unknown Source)[:1.8.0_181] {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
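
Added example (not part of the original message or of the ActiveMQ code base): a Python triage helper that reads XStream "Debugging information" blocks like the one quoted in the issue and reports which class the allowlist rejected, at which XML path, and for which root type. The function names and the sample text are constructed for illustration; treating the highest-numbered class[n] entry as the root type is an assumption drawn from the block quoted above.

```python
import re

# Constructed sample: an abridged copy of the debugging block quoted in the issue.
SAMPLE_LOG = """\
com.thoughtworks.xstream.converters.ConversionException: 
---- Debugging information ----
cause-exception     : com.thoughtworks.xstream.security.ForbiddenClassException
cause-message       : java.lang.StackTraceElement
class               : [Ljava.lang.StackTraceElement;
path                : /org.apache.activemq.command.MessageAck/poisonCause/stackTrace/trace
line number         : 28
class[1]            : java.lang.Throwable
class[2]            : org.apache.activemq.command.MessageAck
version             : 1.4.11.1
-------------------------------
\tat com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:77)
"""

START = "---- Debugging information ----"
FORBIDDEN = "com.thoughtworks.xstream.security.ForbiddenClassException"
# "key : value" rows; keys may contain spaces ("line number") or an index ("class[2]").
FIELD = re.compile(r"^([\w -]+?(?:\[\d+\])?)\s*:\s*(.*)$")

def parse_debug_blocks(text):
    """Return one dict per debugging block; tolerates mail-quoted ('> ') lines."""
    blocks, block = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()
        if line == START:
            block = {}
        elif block is not None and line and set(line) == {"-"}:
            blocks.append(block)          # dashed rule closes the block
            block = None
        elif block is not None:
            m = FIELD.match(line)
            if m:
                block[m.group(1)] = m.group(2)
    return blocks

def forbidden_types(text):
    """Return (rejected class, XML path, root type) for each allowlist rejection."""
    findings = []
    for b in parse_debug_blocks(text):
        if b.get("cause-exception") != FORBIDDEN:
            continue                      # some other conversion failure
        # Assumption: the highest class[n] index is the outermost object.
        indexed = [(int(k[6:-1]), v) for k, v in b.items() if k.startswith("class[")]
        root = max(indexed)[1] if indexed else b.get("class")
        findings.append((b.get("cause-message"), b.get("path"), root))
    return findings
```

Run over broker logs, the output shows which legitimate nested types (here the stack trace inside MessageAck.poisonCause) a deserialization allowlist is missing.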