[ https://issues.apache.org/jira/browse/OFBIZ-12016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17428108#comment-17428108 ]
Jacques Le Roux commented on OFBIZ-12016:
-----------------------------------------
Hi Benjamin,
TL;DR: look for "Now about" at the end of this comment. It took me some time
(I wrote it just below) before being sure about my answer.
I don't doubt you face an issue. Unfortunately, after Nicolas's request, it
seems not reproducible OOTB?
If I understand well, the problem is only reproducible when using a
request-redirect.
I'll try to understand the problem by following your comment.
You say
bq. In UtilObject.java (ll.99) the comment states that "DiskFileItem [...] are
not serializable, so So SafeObjectInputStream::resolveClass return
ClassNotFoundException". That is not true, SafeObjectInputStream::resolveClass
returns ClassCastException.
Actually the removed comment in
https://github.com/apache/ofbiz-framework/commit/1bc8a20 for OFBIZ-12216 is
bq. DiskFileItem, FileItemHeadersImpl are not serializable. So
SafeObjectInputStream::resolveClass return null
It has been removed, with the rest, for security and refactoring reasons (as
the comment says in the same commit: <<Handling with exception rather than returning
null cleans UtilObject class.>>). That's why indeed ClassCastException is
thrown by SafeObjectInputStream::resolveClass and
UtilObject::getObjectException, which is its only caller.
Then you say
bq. In the actual version of UtilObject.java, ClassCastException is not
handled, but in the first version of OFBIZ-12216s resolution it had been.
That's not clear to me: the getObject and getObjectException methods throw
ClassCastException. So what do you mean by "ClassCastException is not handled"?
And what is "the first version of OFBIZ-12216s resolution"? There is only 1
commit there.
Also you say
bq. I cannot find an explanation anywhere, why it had been removed.
If you speak about ClassCastException, it has not been removed but added, as
explained above ("rather than returning null").
About
bq. Although handling this error would at least solve the hard exception on the
frontend, this alone is not a sufficient solution.
Where would you handle "this error" and what is "this error"?
Now about
bq. Since Request-Redirects can not handle DiskFileItems, is anything
contraindicative for removing them in the redirect
(RequestHandler::callRedirect) and logging a warning, that it has been removed?
Or are there other solutions that I am not aware of?
This was done before with
https://github.com/apache/ofbiz-framework/commit/4725ae6 and removed by
https://github.com/apache/ofbiz-framework/commit/3f60efb
I see no reason not to do it again in this specific case (that we can't
reproduce OOTB). I don't see any other solution, though I wonder why it does
not happen OOTB. Have you an idea about that?
Anyway it's not serialisable, so it's impossible for it to be deserialised by
UtilObject::getBytes, and it doesn't introduce security issues. It was actually
changed more as a refactoring trying to clean code, which was ultimately
cleaned by using ClassCastException. You don't even need to log a warning; it's
specific to file upload and I guess nobody cares about DiskFileItem and
FileItemHeadersImpl being removed there. Maybe you even want to use something
like {{"if (obj instanceof Serializable)"}}
HTH
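The two mechanisms discussed in this comment, dropping non-Serializable request attributes before a redirect with an `instanceof Serializable` check, and a `resolveClass` override that rejects classes outside an allowlist with `ClassCastException` instead of instantiating them, shown together as an added stand-alone Java example. This is not OFBiz code: `FakeDiskFileItem` is a hypothetical stand-in for DiskFileItem, `AllowlistObjectInputStream` is a hypothetical simplification of SafeObjectInputStream, and the attribute map and its values are constructed sample data.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class RedirectAttributeDemo {

    // Hypothetical stand-in for DiskFileItem: a value that is NOT Serializable.
    static final class FakeDiskFileItem {
        final String fileName;
        FakeDiskFileItem(String fileName) { this.fileName = fileName; }
    }

    // Hypothetical allowlisting stream in the spirit of SafeObjectInputStream:
    // a class descriptor outside the allowlist is rejected with ClassCastException
    // before any instance of that class is created.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new ClassCastException("Class not allowed for deserialization: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    // Remove attributes whose value cannot be serialised (null is kept: a HashMap with
    // null values still serialises). Returns the dropped names so the caller may log them.
    static List<String> dropNonSerializable(Map<String, Object> attrs) {
        List<String> dropped = new ArrayList<>();
        Iterator<Map.Entry<String, Object>> it = attrs.entrySet().iterator();
        while (it.hasNext()) {
            Map.Entry<String, Object> e = it.next();
            Object v = e.getValue();
            if (v != null && !(v instanceof Serializable)) {
                dropped.add(e.getKey());
                it.remove();
            }
        }
        return dropped;
    }

    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object fromBytes(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: attributes an upload event left behind before the redirect.
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("_ERROR_MESSAGE_", "Unsupported file format");
        attrs.put("uploadedFile", new FakeDiskFileItem("report.xyz"));

        // 1. Serialising the map as-is fails: one non-Serializable value breaks the whole
        //    map, so the error message would be lost together with the file item.
        try {
            toBytes(attrs);
        } catch (NotSerializableException e) {
            System.out.println("As-is: " + e);
        }

        // 2. Drop the non-Serializable values first; the error message survives the round trip.
        List<String> dropped = dropNonSerializable(attrs);
        Set<String> allowed = Set.of("java.util.HashMap"); // String values need no class descriptor
        Map<?, ?> restored = (Map<?, ?>) fromBytes(toBytes(attrs), allowed);
        System.out.println("Dropped " + dropped + ", restored " + restored);

        // 3. Any class outside the allowlist, even a harmless JDK one, is rejected in resolveClass.
        try {
            fromBytes(toBytes(new Date(0L)), allowed);
        } catch (ClassCastException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Step 1 is the failure the reporter describes from the caller's side: a single DiskFileItem-like value makes the whole attribute map unserialisable, which is why the error message set alongside it never reaches the second request. Step 2 is the "if (obj instanceof Serializable)" filter suggested above applied before the redirect, and step 3 shows why the allowlisting resolveClass is the right place to fail hard: the class is refused before any of its code runs, which is what makes the ClassCastException a safe outcome rather than a bug to swallow.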
> DiskFileItem as request attribute creates problems
> --------------------------------------------------
>
> Key: OFBIZ-12016
> URL: https://issues.apache.org/jira/browse/OFBIZ-12016
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: 18.12.01, Trunk
> Reporter: Sebastian Berg
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: Upcoming Branch
>
>
> Hi,
> while working on a custom project based on the 18.12.01 version, I noticed a
> problem with the request handling during a request-redirect-noparam if a
> DiskFileItem was involved.
> So the situation for me is as follows: during the first request a file is
> uploaded. I choose a wrong format on purpose, which results in an error
> response for that event. Nevertheless the DiskFileItem is set as request
> attribute together with the error message.
> The request is finished and based on the controller configurations redirected
> to a second request.
> While handling the second request the previous request's attributes get
> restored (RequestHandler.java line 733ff). This goes down into
> SafeObjectInfo.resolveClass() where an Incompatible class exception is
> thrown. I compared my custom project with the current development status and
> worked in the changes from commit 3f60efb343a11723aa56c1bc1f5afac3a2f26e9f in
> OFBIZ-10837.
> While this fixes the issue with the incompatible class exception it also
> makes it impossible to retrieve any attributes from the first request.
> Therefore my error message cannot be shown.
> Is there a way to fix it or is it otherwise necessary to always set
> "fileItems" as request attribute as added in -OFBIZ-11246-?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)