[
https://issues.apache.org/jira/browse/SLING-12366?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Joerg Hoh closed SLING-12366.
-----------------------------
> Failure to read from InputStream backed by closed session
> ---------------------------------------------------------
>
> Key: SLING-12366
> URL: https://issues.apache.org/jira/browse/SLING-12366
> Project: Sling
> Issue Type: Improvement
> Components: XSS Protection API
> Affects Versions: XSS Protection API 2.4.0
> Reporter: Julian Sedding
> Assignee: Julian Sedding
> Priority: Major
> Fix For: XSS Protection API 2.4.2
>
>
> The method {{org.apache.sling.xss.impl.XSSFilterImpl.AntiSamyPolicy#read()}}
> opens a {{ResourceResolver}}, finds a {{Resource}}, adapts it to an
> {{InputStream}}, returns the {{InputStream}} and closes the
> {{ResourceResolver}} via try-with-resource.
> This works fine, as long as the {{InputStream}} is not a
> {{JcrExternalizableInputStream}}, which is only available when the blob
> resides in an external blob store, e.g. azure.
> The reason is that the {{JcrExternalizableInputStream}} takes a reference to
> the JCR {{Property}} and only reads it lazily. In this scenario, when it
> reads the property, the session is already closed.
> A typical stack-trace looks like the one below:
> {noformat}
> [main] ERROR org.apache.sling.xss.impl.XSSFilterImpl - Unable to load policy
> from /libs/sling/xss/config.xml
> java.io.IOException: This session has been closed.
> at
> org.apache.sling.jcr.resource.internal.helper.jcr.JcrExternalizableInputStream.getInputStream(JcrExternalizableInputStream.java:70)
> at
> org.apache.sling.jcr.resource.internal.helper.jcr.JcrExternalizableInputStream.read(JcrExternalizableInputStream.java:57)
> at java.base/java.io.InputStream.read(InputStream.java:271)
> at java.base/java.io.InputStream.read(InputStream.java:205)
> at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1485)
> at org.apache.commons.io.IOUtils.copy(IOUtils.java:1105)
> at org.apache.commons.io.IOUtils.copyLarge(IOUtils.java:1458)
> at org.apache.commons.io.IOUtils.copy(IOUtils.java:1083)
> at org.apache.sling.xss.impl.PolicyHandler.<init>(PolicyHandler.java:43)
> at
> org.apache.sling.xss.impl.XSSFilterImpl.setActivePolicy(XSSFilterImpl.java:331)
> at
> org.apache.sling.xss.impl.XSSFilterImpl.updatePolicy(XSSFilterImpl.java:293)
> at
> org.apache.sling.xss.impl.XSSFilterImpl.activate(XSSFilterImpl.java:269)
> [... snipped the caller ...]
> Caused by: javax.jcr.RepositoryException: This session has been closed.
> at
> org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.checkAlive(SessionDelegate.java:323)
> at
> org.apache.jackrabbit.oak.jcr.delegate.ItemDelegate.checkAlive(ItemDelegate.java:83)
> at
> org.apache.jackrabbit.oak.jcr.session.operation.ItemOperation.checkPreconditions(ItemOperation.java:34)
> at
> org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.prePerform(SessionDelegate.java:614)
> at
> org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:204)
> at
> org.apache.jackrabbit.oak.jcr.session.ItemImpl.perform(ItemImpl.java:112)
> at
> org.apache.jackrabbit.oak.jcr.session.PropertyImpl.getValue(PropertyImpl.java:248)
> at
> org.apache.jackrabbit.oak.jcr.session.PropertyImpl.getBinary(PropertyImpl.java:287)
> at
> org.apache.sling.jcr.resource.internal.helper.jcr.JcrExternalizableInputStream.getInputStream(JcrExternalizableInputStream.java:68)
> ... 93 more
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
