Colm O hEigeartaigh created AMQ-9503:
----------------------------------------

             Summary: Disable stacktrace for HTTP Connector
                 Key: AMQ-9503
                 URL: https://issues.apache.org/jira/browse/AMQ-9503
             Project: ActiveMQ Classic
          Issue Type: Task
    Affects Versions: 5.18.4
            Reporter: Colm O hEigeartaigh


The HTTP Connector is returning stack traces to clients, which is not a good idea from a security point of view as it may leak internal information. Please disable (at least by default).

To reproduce:

On 5.18.x I configure AMQ with

<transportConnector name="http" uri="http://localhost:12345"/>

data.xml:
{code:java}
<java.lang.String>1234</java.lang.String>
{code}
Then with curl:
{code:java}
curl --data '@deser.xml' http://localhost:12345
{code}
I get the following stacktrace:
{code:java}
<h3>Caused by:</h3><pre>java.lang.ClassCastException: class java.lang.String cannot be cast to class org.apache.activemq.command.Command (java.lang.String is in module java.base of loader 'bootstrap'; org.apache.activemq.command.Command is in unnamed module of loader java.net.URLClassLoader @6ce139a4)
    at org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:681)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:554)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:722)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.Server.handle(Server.java:516)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
    at java.base/java.lang.Thread.run(Thread.java:829)</pre>
</body></html>
{code}


--
This message was sent by Atlassian Jira
(v8.20.10#820010)
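
A regression check for the disclosure reported above, added here as an example; it is not part of the original report or of the ActiveMQ code base. It scans an HTTP error body for Java stack frames and throwable class names. The function name, the patterns and the `CLEAN` body are assumptions; `LEAKY` is a shortened excerpt of the response quoted in the report.

```python
import html
import re

# A Java stack frame as it appears in the report:
#   at org.example.Class.method(File.java:137)
FRAME_RE = re.compile(
    r"\bat\s+((?:[\w$]+[./])+[\w$<>]+)\((\w+\.java:\d+|Native Method|Unknown Source)\)")
# A fully qualified throwable name, e.g. java.lang.ClassCastException
EXC_RE = re.compile(r"\b((?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error))\b")

# Shortened excerpt of the error body quoted in the report.
LEAKY = (
    "<h3>Caused by:</h3><pre>java.lang.ClassCastException: class java.lang.String "
    "cannot be cast to class org.apache.activemq.command.Command\n"
    "\tat org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)\n"
    "\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:681)\n"
    "\tat java.base/java.lang.Thread.run(Thread.java:829)</pre> </body></html>")
# Constructed sample of an error body with no internals in it (assumption).
CLEAN = "<html><body><h2>HTTP ERROR 500</h2></body></html>"


def find_stacktrace_leak(body: str) -> dict:
    """Report which server internals an HTTP error body discloses."""
    # Strip markup first, then decode entities so &lt;init&gt; frames still match.
    text = html.unescape(re.sub(r"<[^>]+>", " ", body))
    frames = FRAME_RE.findall(text)
    # Drop the JPMS module prefix ("java.base/") and the method name.
    classes = {m.split("/")[-1].rsplit(".", 1)[0] for m, _ in frames}
    exceptions = set(EXC_RE.findall(text))
    return {
        "leaks": bool(frames or exceptions),
        "frames": len(frames),
        "exceptions": sorted(exceptions),
        "classes": sorted(classes),
    }


if __name__ == "__main__":
    for name, body in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, find_stacktrace_leak(body))
```

Run against the body returned by the connector's error response, the check passes when `leaks` is `False`.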