Description
In Short
The message passed to one of the HttpCacheEntrySerializationException constructors is discarded instead of being forwarded to the superclass. This looks like an easily corrected coding mistake.
Further Explanation
DefaultHttpCacheEntrySerializer has a code section looking like this:
    @Override
    protected Class<?> resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (isProhibited(desc)) {
            throw new HttpCacheEntrySerializationException(String.format(
                    "Class %s is not allowed for deserialization", desc.getName()));
        }
        return super.resolveClass(desc);
    }
The constructor used looks like this:
    public HttpCacheEntrySerializationException(final String message) {
        super();
    }
This means the informative message built with String.format is never attached to the exception, so it never appears in a stack trace.
User Case
When trying to upgrade from 4.5.8 to 4.5.10 one of my applications stopped working.
I have a custom implementation of persistent disk cache storage. It makes use of the DefaultHttpCacheEntrySerializer.
The stack trace did not tell me what was wrong (because the informative string is not passed along in the constructor):
...
Caused by: java.lang.RuntimeException: org.apache.http.client.cache.HttpCacheEntrySerializationException
    at com.looklet.net.httpclientwrapper.executor.RequestExecutorImpl.executeToResponse(RequestExecutorImpl.java:46)
    at com.looklet.net.httpclientwrapper.executor.RequestExecutorImpl.execute(RequestExecutorImpl.java:66)
    ... 63 more
Caused by: org.apache.http.client.cache.HttpCacheEntrySerializationException
    at org.apache.http.impl.client.cache.DefaultHttpCacheEntrySerializer$RestrictedObjectInputStream.resolveClass(DefaultHttpCacheEntrySerializer.java:107)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1868)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1751)
...
I had to use a debugger to figure out that the message was:
"Class [C is not allowed for deserialization"
Apparently this security patch forbids char arrays? (https://reverseengineering.stackexchange.com/questions/17429/b-symbol-in-java-bytecode)
On a side note maybe the whitelist could be expanded to allow all kinds of primitives and arrays of primitives?
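As an added illustration (not HttpClient's code and not the reporter's), the following self-contained Java program shows the two points raised above in working form: a restricted ObjectInputStream whose exception type forwards its message to the superclass, so the rejected class name is visible in getMessage() and in the stack trace, and a whitelist check that admits every primitive array (JVM names such as "[C" for char[] and "[B" for byte[]), since such arrays carry no code. The class names, the ALLOWED set and the exception type are assumptions made for this example only.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class RestrictedDeserializationDemo {

    /** Hypothetical exception type; unlike the constructor quoted in the issue it forwards the message. */
    static class RestrictedDeserializationException extends InvalidClassException {
        RestrictedDeserializationException(final String message) {
            super(message); // the reason now reaches getMessage() and the printed stack trace
        }
    }

    /** Hypothetical whitelist of fully qualified class names (assumption for this example). */
    static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.lang.Integer", "java.lang.Long",
            "java.lang.Boolean", "java.lang.Number", "java.util.Date",
            "java.util.HashMap", "java.util.ArrayList");

    /** Returns true unless the descriptor names a whitelisted class or a primitive array. */
    static boolean isProhibited(final ObjectStreamClass desc) {
        final String name = desc.getName();
        if (ALLOWED.contains(name)) {
            return false;
        }
        // Primitive arrays have JVM names like "[C" (char[]) or "[B" (byte[]);
        // the second character is the primitive type code.
        if (name.length() == 2 && name.charAt(0) == '[' && "ZBCSIJFD".indexOf(name.charAt(1)) >= 0) {
            return false;
        }
        return true;
    }

    /** ObjectInputStream that consults the whitelist before resolving any class. */
    static class RestrictedObjectInputStream extends ObjectInputStream {
        RestrictedObjectInputStream(final InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(final ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (isProhibited(desc)) {
                throw new RestrictedDeserializationException(
                        String.format("Class %s is not allowed for deserialization", desc.getName()));
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(final Serializable value) throws IOException {
        final ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    static Object deserialize(final byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new RestrictedObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(final String[] args) throws Exception {
        // A char[] is admitted because its descriptor name "[C" is a primitive array.
        final char[] chars = (char[]) deserialize(serialize(new char[] {'o', 'k'}));
        System.out.println("char[] round-trip: " + new String(chars));

        // A class outside the whitelist is rejected, and the message now says which one.
        try {
            deserialize(serialize(new java.util.LinkedList<String>()));
        } catch (RestrictedDeserializationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `java RestrictedDeserializationDemo.java` (Java 11 or later). The rejection branch prints the class name that was refused, which is exactly the information the reporter had to recover with a debugger when the message was dropped by `super()`.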
Issue Links
- is related to HTTPCLIENT-2023 Whitelist Char Array in DefaultHttpCacheEntrySerializer (Resolved)