You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Olof Larsson (Jira)" <ji...@apache.org> on 2019/11/06 07:17:00 UTC
[jira] [Created] (HTTPCLIENT-2022)
HttpCacheEntrySerializationException Message Unused
Olof Larsson created HTTPCLIENT-2022:
----------------------------------------
Summary: HttpCacheEntrySerializationException Message Unused
Key: HTTPCLIENT-2022
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2022
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpCache
Affects Versions: 4.5.10
Reporter: Olof Larsson
*In Short*
The HttpCacheEntrySerializationException message is unused in one of the class constructors. This looks like an easily corrected coding mistake.
*Further Explanation*
DefaultHttpCacheEntrySerializer has a code section looking like this:
{code:java}
@Override
protected Class<?> resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
if (isProhibited(desc)) {
throw new HttpCacheEntrySerializationException(String.format(
"Class %s is not allowed for deserialization", desc.getName()));
}
return super.resolveClass(desc);
}
{code}
The constructor used looks like this:
{code:java}
public HttpCacheEntrySerializationException(final String message) {
super();
}
{code}
This means the useful error message created using string format will actually never be displayed in an error stack trace.
*User Case*
When trying to upgrade from 4.5.8 to 4.5.10 one of my applications stopped working.
I have a custom implementation of persistent disk cache storage. It makes use of the DefaultHttpCacheEntrySerializer.
The stack trace did not tell me what was wrong (because the informative string is not passed along in the constructor)
{noformat}
...
Caused by: java.lang.RuntimeException: org.apache.http.client.cache.HttpCacheEntrySerializationException
at com.looklet.net.httpclientwrapper.executor.RequestExecutorImpl.executeToResponse(RequestExecutorImpl.java:46)
at com.looklet.net.httpclientwrapper.executor.RequestExecutorImpl.execute(RequestExecutorImpl.java:66)
... 63 more
Caused by: org.apache.http.client.cache.HttpCacheEntrySerializationException
at org.apache.http.impl.client.cache.DefaultHttpCacheEntrySerializer$RestrictedObjectInputStream.resolveClass(DefaultHttpCacheEntrySerializer.java:107)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1868)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1751)
...{noformat}
I had to use a debugger to figure out that the message was:
"Class [C is not allowed for deserialization"
Apparently this security patch forbids char arrays? ([https://reverseengineering.stackexchange.com/questions/17429/b-symbol-in-java-bytecode])
On a side note maybe the whitelist could be expanded to allow all kinds of primitives and arrays of primitives?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org