Colm O hEigeartaigh created AMQ-9503:
----------------------------------------

             Summary: Disable stacktrace for HTTP Connector
                 Key: AMQ-9503
                 URL: https://issues.apache.org/jira/browse/AMQ-9503
             Project: ActiveMQ Classic
          Issue Type: Task
    Affects Versions: 5.18.4
            Reporter: Colm O hEigeartaigh


The HTTP Connector is returning stack traces to clients, which is not a good 
idea from a security point of view as it may leak internal information. Please 
disable (at least by default).
 
To reproduce:
 
On 5.18.x I configure AMQ with:
{code:xml}
<transportConnector name="http" uri="http://localhost:12345"/>
{code}
 
data.xml:
{code:xml}
<java.lang.String>1234</java.lang.String>
{code}

Then with curl:
{code:bash}
curl --data '@deser.xml' http://localhost:12345
{code}
I get the following stacktrace:
{code:html}
<h3>Caused by:</h3><pre>java.lang.ClassCastException: class java.lang.String cannot be cast to class org.apache.activemq.command.Command (java.lang.String is in module java.base of loader 'bootstrap'; org.apache.activemq.command.Command is in unnamed module of loader java.net.URLClassLoader @6ce139a4)
	at org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:681)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:554)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:722)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:516)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
	at java.base/java.lang.Thread.run(Thread.java:829)</pre>
</body></html>
{code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
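The reproduction above can be turned into a check that both confirms the leak and serves as a regression test once the connector stops returning traces. The following is an added example, not code from the ActiveMQ project or from the reporter: it POSTs the report's non-Command XML payload to an HTTP transport connector and classifies the response body by counting Java stack frames and naming the exception classes and internal packages a client could learn from it. The function names (`leak_findings`, `leaks_stacktrace`, `probe`) and the two sample responses are assumptions; the samples are constructed, modelled on the body quoted in the report, so the classifier runs offline.

```python
"""Added example (not ActiveMQ project code): detect a stack-trace leak in an
HTTP transport connector error response. Sample responses are constructed."""
import re
import urllib.error
import urllib.request

# Payload from the report: a serialised java.lang.String where a Command is expected.
PAYLOAD = b"<java.lang.String>1234</java.lang.String>"

# One Java stack frame, e.g. "at a.b.C.m(C.java:12)" or
# "at java.base/java.lang.Thread.run(Thread.java:829)" (module prefix allowed).
JAVA_FRAME = re.compile(r"\bat\s+[\w$./]+\([\w$]+\.java:\d+\)")
# A fully qualified exception class name such as java.lang.ClassCastException.
EXCEPTION_CLASS = re.compile(r"\b[\w$.]+(?:Exception|Error)\b")
# Package prefixes that reveal the broker's internals (container, broker, JDK) to a client.
INTERNAL_MARKERS = ("org.apache.activemq", "org.eclipse.jetty", "java.base/")

# Constructed: a shortened copy of the body quoted in the report.
LEAKY_RESPONSE = (
    "<html><body><h2>HTTP ERROR 500</h2>"
    "<h3>Caused by:</h3><pre>java.lang.ClassCastException: class java.lang.String "
    "cannot be cast to class org.apache.activemq.command.Command\n"
    "\tat org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)\n"
    "\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:681)\n"
    "\tat org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)\n"
    "\tat java.base/java.lang.Thread.run(Thread.java:829)</pre>"
    "</body></html>"
)
# Constructed: what a hardened connector should send instead (a status, no trace).
SAFE_RESPONSE = "<html><body><h2>HTTP ERROR 500</h2></body></html>"


def leak_findings(body: str) -> dict:
    """Return what a client could learn from an error body."""
    return {
        "frames": len(JAVA_FRAME.findall(body)),
        "exceptions": sorted(set(EXCEPTION_CLASS.findall(body))),
        "internal_markers": [m for m in INTERNAL_MARKERS if m in body],
    }


def leaks_stacktrace(body: str) -> bool:
    """True when the body carries at least one Java stack frame."""
    return leak_findings(body)["frames"] > 0


def probe(url: str, payload: bytes = PAYLOAD, timeout: float = 5.0):
    """POST the payload and return (status, body). Jetty answers the failure with a
    5xx, which urllib raises as HTTPError, so the body is read from the error too."""
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python check_http_connector.py http://localhost:12345
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:12345"
    status, body = probe(target)
    print(status, leak_findings(body))
    sys.exit(1 if leaks_stacktrace(body) else 0)
```

Run it against a broker with the `http` transport connector from the report; a non-zero exit means the trace is still being returned. The classifier counts frames rather than looking for a fixed string so that a fix which merely trims the message but keeps the `at ...(File.java:N)` lines still fails the check.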