[ https://issues.apache.org/jira/browse/AMQ-9503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré reassigned AMQ-9503:
-----------------------------------------

    Assignee: Jean-Baptiste Onofré

> Disable stacktrace for HTTP Connector
> -------------------------------------
>
>                 Key: AMQ-9503
>                 URL: https://issues.apache.org/jira/browse/AMQ-9503
>             Project: ActiveMQ Classic
>          Issue Type: Task
>    Affects Versions: 5.18.4
>            Reporter: Colm O hEigeartaigh
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>
> The HTTP Connector is returning stack traces to clients, which is not a good
> idea from a security point of view as it may leak internal information.
> Please disable (at least by default)
>
> To reproduce:
>
> On 5.18.x I configure AMQ with <transportConnector name="http" uri="http://localhost:12345"/>
>
> data.xml:
> {code:java}
> <java.lang.String>1234</java.lang.String>
> {code}
> Then with curl:
> {code:java}
> curl --data '@deser.xml' http://localhost:12345
> {code}
> I get the following stacktrace:
> {code:java}
> <h3>Caused by:</h3><pre>java.lang.ClassCastException: class java.lang.String cannot be cast to class org.apache.activemq.command.Command (java.lang.String is in module java.base of loader 'bootstrap'; org.apache.activemq.command.Command is in unnamed module of loader java.net.URLClassLoader @6ce139a4)
>     at org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:681)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:554)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>     at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:722)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.Server.handle(Server.java:516)
>     at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
>     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
>     at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
>     at java.base/java.lang.Thread.run(Thread.java:829)</pre>
> </body></html>
> {code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
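
A check for the leak described in the issue, as an added example that is not part of the original report or of ActiveMQ's code: it scans an HTTP response body for Java stack frames and reports which exception classes, packages and source lines the body discloses. The function names and the report fields are assumptions, and the sample body is constructed by cutting the trace in the report down to four frames.

```python
import html
import re

# One Java stack frame: "at [module/]pkg.Class.method(File.java:123)"
FRAME_RE = re.compile(
    r"\bat\s+(?:[\w.]+/)?((?:[\w$]+\.)+[\w$<>]+)\((\w+\.java):(\d+)\)")
# A qualified exception class such as java.lang.ClassCastException
EXC_RE = re.compile(r"\b((?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error))\b")

# Constructed sample: the error body from the report, cut down to four frames.
SAMPLE_BODY = """<h3>Caused by:</h3><pre>java.lang.ClassCastException: class
java.lang.String cannot be cast to class org.apache.activemq.command.Command
    at org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:681)
    at org.eclipse.jetty.server.Server.handle(Server.java:516)
    at java.base/java.lang.Thread.run(Thread.java:829)</pre>
</body></html>"""


def _package(qualified_method: str) -> str:
    """Return the package part of pkg.Class.method (segments before the class)."""
    parts = []
    for segment in qualified_method.split("."):
        if segment[:1].isupper():
            break
        parts.append(segment)
    return ".".join(parts)


def find_stack_trace_leak(body: str) -> dict:
    """Report what a Java stack trace in an HTTP response body discloses."""
    text = html.unescape(body)  # error pages may escape <init> as &lt;init&gt;
    frames = FRAME_RE.findall(text)
    return {
        "leaks": bool(frames),
        "exceptions": sorted(set(EXC_RE.findall(text))),
        "frame_count": len(frames),
        "packages": sorted({_package(f[0]) for f in frames}),
        "source_lines": [f"{name}:{line}" for _, name, line in frames],
    }


if __name__ == "__main__":
    for key, value in find_stack_trace_leak(SAMPLE_BODY).items():
        print(f"{key}: {value}")
```

Run against the connector's error responses in a regression test, a `leaks` value of `False` confirms that stack traces are no longer returned to clients.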