[ https://issues.apache.org/jira/browse/AMQ-9503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré reassigned AMQ-9503:
-----------------------------------------

    Assignee: Jean-Baptiste Onofré

> Disable stacktrace for HTTP Connector
> -------------------------------------
>
>                 Key: AMQ-9503
>                 URL: https://issues.apache.org/jira/browse/AMQ-9503
>             Project: ActiveMQ Classic
>          Issue Type: Task
>    Affects Versions: 5.18.4
>            Reporter: Colm O hEigeartaigh
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>
>  
> The HTTP Connector is returning stack traces to clients, which is not a good 
> idea from a security point of view as it may leak internal information. 
> Please disable (at least by default)
>  
> To reproduce:
>  
> On 5.18.x I configure AMQ with <transportConnector name="http" uri="http://localhost:12345"/>
>  
> data.xml:
> {code:java}
> <java.lang.String>1234</java.lang.String>
> {code}
> Then with curl:
> {code:java}
> curl --data '@deser.xml' http://localhost:12345
> {code}
> I get the following stacktrace:
> {code:java}
> <h3>Caused by:</h3><pre>java.lang.ClassCastException: class java.lang.String cannot be cast to class org.apache.activemq.command.Command (java.lang.String is in module java.base of loader &apos;bootstrap&apos;; org.apache.activemq.command.Command is in unnamed module of loader java.net.URLClassLoader @6ce139a4)
>     at org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:681)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:554)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>     at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:722)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.Server.handle(Server.java:516)
>     at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
>     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
>     at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
>     at java.base/java.lang.Thread.run(Thread.java:829)</pre>
> </body></html>
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
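
A regression check for the behaviour reported above, as an added example that is not part of the Jira ticket or the ActiveMQ code base: it scans an HTTP error body for Java stack frames and lists what they reveal about the server. The name `audit_error_body` and the clean sample body are assumptions made for illustration; the leaky sample is abbreviated from the response quoted in the issue.

```python
import html
import re

# One Java stack frame: "at pkg.Class.method(File.java:123)", with an optional "module/" prefix.
FRAME = re.compile(r"\bat\s+(?:[\w.]+/)?((?:[\w$]+\.)+)([\w$<>]+)\(([\w$]+\.java):(\d+)\)")
# Fully qualified throwable name, e.g. "java.lang.ClassCastException".
EXCEPTION = re.compile(r"\b((?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error))\b")


def audit_error_body(body: str) -> dict:
    """Report what an HTTP error body reveals about the server's internals."""
    # Undo HTML entity escaping and line wrapping before matching.
    text = re.sub(r"\s+", " ", html.unescape(body))
    frames = FRAME.findall(text)
    packages = set()
    for qualified, _method, _source, _line in frames:
        pkg_parts = qualified.rstrip(".").split(".")[:-1]  # drop the class name
        packages.add(".".join(pkg_parts[:3]))              # keep the identifying prefix
    return {
        "leaks_stack_trace": bool(frames),
        "exceptions": sorted(set(EXCEPTION.findall(text))),
        "frame_count": len(frames),
        "packages": sorted(packages),
    }


# Abbreviated from the response quoted in the issue (first three frames only).
LEAKY_BODY = (
    "<h3>Caused by:</h3><pre>java.lang.ClassCastException: class java.lang.String "
    "cannot be cast to class org.apache.activemq.command.Command\n"
    "\tat org.apache.activemq.transport.http.HttpTunnelServlet.doPost(HttpTunnelServlet.java:137)\n"
    "\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:681)\n"
    "\tat org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)</pre>"
)
# Constructed sample: an error page that carries no exception detail.
CLEAN_BODY = "<html><body><h2>HTTP ERROR 500</h2></body></html>"

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_BODY), ("clean", CLEAN_BODY)):
        print(name, audit_error_body(body))
```

Fed the body of a deliberately malformed request against a test broker, a result with `leaks_stack_trace` set to true means the connector still returns stack traces to clients.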
