[ https://issues.apache.org/jira/browse/AMQ-8097?focusedWorklogId=534943&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-534943 ]
ASF GitHub Bot logged work on AMQ-8097:
---------------------------------------

Author: ASF GitHub Bot
Created on: 12/Jan/21 17:33
Start Date: 12/Jan/21 17:33
Worklog Time Spent: 10m
Work Description: jbonofre opened a new pull request #608:
URL: https://github.com/apache/activemq/pull/608

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Issue Time Tracking
-------------------

Worklog Id: (was: 534943)
Remaining Estimate: 0h
Time Spent: 10m

> Harden deserialization block xstream ack processing
> ---------------------------------------------------
>
> Key: AMQ-8097
> URL: https://issues.apache.org/jira/browse/AMQ-8097
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Affects Versions: 5.16.0, 5.15.13
> Reporter: Jean-Baptiste Onofré
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.16.1, 5.15.15
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Since we improve serialization security (see AMQ-7438), when a message has to
> be loaded from store and the message is xstream serialized, it fails with:
> {code:java}
> 2020-12-04 16:42:26,107 | WARN | / | org.eclipse.jetty.server.HttpChannel | qtp1987354705-137568
> com.thoughtworks.xstream.converters.ConversionException:
> ---- Debugging information ----
> cause-exception : com.thoughtworks.xstream.security.ForbiddenClassException
> cause-message : java.lang.StackTraceElement
> class : [Ljava.lang.StackTraceElement;
> required-type : [Ljava.lang.StackTraceElement;
> converter-type : com.thoughtworks.xstream.converters.collections.ArrayConverter
> path : /org.apache.activemq.command.MessageAck/poisonCause/stackTrace/trace
> line number : 28
> class[1] : java.lang.Throwable
> required-type[1] : java.lang.Throwable
> converter-type[1] : com.thoughtworks.xstream.converters.extended.ThrowableConverter
> class[2] : org.apache.activemq.command.MessageAck
> required-type[2] : org.apache.activemq.command.MessageAck
> converter-type[2] : com.thoughtworks.xstream.converters.reflection.ReflectionConverter
> version : 1.4.11.1
> -------------------------------
> at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:77)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.converters.extended.ThrowableConverter.unmarshal(ThrowableConverter.java:70)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:499)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:425)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:277)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:72)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1487)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1467)[xstream-1.4.11.1.jar:1.4.11.1]
> at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1338)[xstream-1.4.11.1.jar:1.4.11.1]
> at org.apache.activemq.transport.xstream.XStreamWireFormat.unmarshalText(XStreamWireFormat.java:71)[activemq-http-5.15.13.jar:5.15.13]
> at org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)[activemq-http-5.15.13.jar:5.15.13]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:763)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:551)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:717)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1363)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:489)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1278)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.Server.handle(Server.java:500)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)[jetty-all-9.4.28.v20200408-uber.jar:9.4.28.v20200408]
> at java.lang.Thread.run(Unknown Source)[:1.8.0_181]
> {code}

--
This message was sent by Atlassian Jira (v8.3.4#803005)
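
Added example (not part of the original message or of the ActiveMQ code base): a small Python triage script that parses the XStream `---- Debugging information ----` block seen in the trace above and tallies which types the deserialization allowlist rejected, keyed by the root element of the `path` field. The sample log is constructed for illustration, and `example.Unexpected` is a made-up type name.

```python
import re
from collections import Counter

# Constructed sample in the layout of the trace above (second block is made up).
SAMPLE_LOG = """\
2020-12-04 16:42:26,107 | WARN | / | org.eclipse.jetty.server.HttpChannel | qtp-1
com.thoughtworks.xstream.converters.ConversionException:
---- Debugging information ----
cause-exception     : com.thoughtworks.xstream.security.ForbiddenClassException
cause-message       : java.lang.StackTraceElement
class               : [Ljava.lang.StackTraceElement;
path                : /org.apache.activemq.command.MessageAck/poisonCause/stackTrace/trace
class[1]            : java.lang.Throwable
version             : 1.4.11.1
-------------------------------
    at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:77)
---- Debugging information ----
cause-exception     : com.thoughtworks.xstream.security.ForbiddenClassException
cause-message       : example.Unexpected
path                : /example.Unexpected
-------------------------------
"""

START = "---- Debugging information ----"
# "key : value" rows; keys may contain spaces ("line number") or an index ("class[1]").
FIELD = re.compile(r"^\s*([\w\- ]+?(?:\[\d+\])?)\s+:\s?(.*)$")

def parse_blocks(text):
    """Yield one dict of fields per XStream debugging block."""
    block = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == START:
            block = {}
        elif block is not None and stripped and set(stripped) == {"-"}:
            yield block          # a row of dashes closes the block
            block = None
        elif block is not None:
            m = FIELD.match(line)
            if m:
                block[m.group(1)] = m.group(2).strip()

def forbidden_types(text):
    """Count (root element, rejected type) pairs for allowlist denials."""
    hits = Counter()
    for b in parse_blocks(text):
        if b.get("cause-exception", "").endswith(".ForbiddenClassException"):
            root = b.get("path", "").strip("/").split("/")[0] or "?"
            hits[(root, b.get("cause-message", "?"))] += 1
    return hits
```

Grouping by root element separates a rejected type nested inside a known broker command, as in this issue, from a rejected type that arrives as the document root.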