Julian Sedding created SLING-12366:
--------------------------------------
Summary: Failure to read from InputStream backed by closed session
Key: SLING-12366
URL: https://issues.apache.org/jira/browse/SLING-12366
Project: Sling
Issue Type: Improvement
Components: XSS Protection API
Affects Versions: XSS Protection API 2.4.0
Reporter: Julian Sedding
Assignee: Julian Sedding
The method {{org.apache.sling.xss.impl.XSSFilterImpl.AntiSamyPolicy#read()}}
opens a {{ResourceResolver}}, finds a {{Resource}}, adapts it to an
{{InputStream}}, returns the {{InputStream}} and closes the
{{ResourceResolver}} via try-with-resource.
This works fine, as long as the {{InputStream}} is not a
{{JcrExternalizableInputStream}}, which is only available when the blob resides
in an external blob store, e.g. azure.
The reason is that the {{JcrExternalizableInputStream}} takes a reference to
the JCR {{Property}} and only reads it lazily. In this scenario, when it reads
the property, the session is already closed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
