Olof Larsson created HTTPCLIENT-2022:
----------------------------------------

             Summary: HttpCacheEntrySerializationException Message Unused
                 Key: HTTPCLIENT-2022
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2022
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpCache
    Affects Versions: 4.5.10
            Reporter: Olof Larsson


*In Short*
The HttpCacheEntrySerializationException message is unused in one of the class 
constructors. This looks like an easily corrected coding mistake.

*Further Explanation*
DefaultHttpCacheEntrySerializer has a code section looking like this:
{code:java}
@Override
protected Class<?> resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
    if (isProhibited(desc)) {
        throw new HttpCacheEntrySerializationException(String.format(
                "Class %s is not allowed for deserialization", desc.getName()));
    }
    return super.resolveClass(desc);
}
{code}
The constructor used looks like this:
{code:java}
public HttpCacheEntrySerializationException(final String message) {
    super();
}
{code}
This means the useful error message created using string format will actually 
never be displayed in an error stack trace.

*User Case*
When trying to upgrade from 4.5.8 to 4.5.10 one of my applications stopped 
working.

I have a custom implementation of persistent disk cache storage. It makes use 
of the DefaultHttpCacheEntrySerializer.

The stack trace did not tell me what was wrong (because the informative string 
is not passed along in the constructor):
{noformat}
...

Caused by: java.lang.RuntimeException: org.apache.http.client.cache.HttpCacheEntrySerializationException
    at com.looklet.net.httpclientwrapper.executor.RequestExecutorImpl.executeToResponse(RequestExecutorImpl.java:46)
    at com.looklet.net.httpclientwrapper.executor.RequestExecutorImpl.execute(RequestExecutorImpl.java:66)
    ... 63 more
Caused by: org.apache.http.client.cache.HttpCacheEntrySerializationException
    at org.apache.http.impl.client.cache.DefaultHttpCacheEntrySerializer$RestrictedObjectInputStream.resolveClass(DefaultHttpCacheEntrySerializer.java:107)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1868)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1751)

...
{noformat}
I had to use a debugger to figure out that the message was:
"Class [C is not allowed for deserialization"

Apparently this security patch forbids char arrays? 
([https://reverseengineering.stackexchange.com/questions/17429/b-symbol-in-java-bytecode])

On a side note maybe the whitelist could be expanded to allow all kinds of 
primitives and arrays of primitives?
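One way to address both points raised above, an exception constructor that actually hands its message to super() and a deserialization allowlist that admits arrays of primitives such as "[C", shown as an added example that is not the HttpClient project's own code; the class names, the allowlisted types and the use of Set.of (Java 9+) are assumptions:

```java
import java.io.*;
import java.util.Set;

// Hypothetical stand-in for HttpCacheEntrySerializationException: the message
// reaches super(), so it appears in the stack trace instead of being dropped.
class CacheEntrySerializationException extends IOException {
    CacheEntrySerializationException(final String message) {
        super(message); // the reported bug calls super() and discards this
    }
}

// Hypothetical allowlisting stream (not HttpClient's RestrictedObjectInputStream).
public class AllowlistObjectInputStream extends ObjectInputStream {
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.util.HashMap", "java.util.Date");

    AllowlistObjectInputStream(final InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(final ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        final String name = desc.getName();
        // Primitive arrays such as "[C" (char[]) or "[B" (byte[]) carry no
        // user code, so they are admitted alongside the explicit allowlist.
        if (!ALLOWED.contains(name) && !isPrimitiveArray(name)) {
            throw new CacheEntrySerializationException(String.format(
                    "Class %s is not allowed for deserialization", name));
        }
        return super.resolveClass(desc);
    }

    // Matches JVM descriptors for (possibly multi-dimensional) primitive arrays.
    static boolean isPrimitiveArray(final String name) {
        return name.matches("\\[+[ZBCSIJFD]");
    }

    public static void main(final String[] args) throws Exception {
        final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new char[] {'o', 'k'}); // constructed sample input
        }
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println(new String((char[]) in.readObject()));
        }
    }
}
```

Replacing the char[] with an instance of a class outside ALLOWED makes readObject() fail with the descriptive message rather than a bare exception name.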



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
