Bug 1080420
Summary: | [GSS] (6.3.1) DataSourceProvider uses an insecure method to read the input stream | |||
---|---|---|---|---|
Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | William Antônio <wsiqueir> | |
Component: | RESTEasy | Assignee: | Weinan Li <weli> | |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Katerina Odabasi <kanovotn> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 6.2.0 | CC: | aneelica, bbaranow, jawilson, kanovotn, klape, myarboro, nobody, rsvoboda, sgilda, sisharma, smumford, weli | |
Target Milestone: | CR1 | Keywords: | Triaged | |
Target Release: | EAP 6.3.1 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Known Issue | ||
Doc Text: |
RESTEasy used `InputStream.available()` to determine if it had completed reading an input stream from a client.
RESTEasy would sometimes fail to completely read input data from clients.
This is expected to be resolved in a future release of the product.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1091547 1118893 | Environment: | |
Last Closed: | 2014-10-13 18:38:26 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1118893 | |||
Bug Blocks: | 1091547, 1091552, 1102082, 1105695 |
Description
William Antônio
2014-03-25 12:06:26 UTC
Kyle Lape <kyle.lape> updated the status of jira RESTEASY-779 to Resolved

Changed from Bug Fix to Known Issue to fix Bug 1097118.

Patch applied:

master:resteasy-prod weinanli$ git branch
  2.3.7.1.Final-redhat
  2.3.7.2.Final-redhat
  2.3.7.Final-redhat
  2.3.7.Final-redhat-2
  2.3.7.Final-redhat-2-BZ1091552
  2.3.8.Final-redhat
* 2.3.8.SP1-redhat-1
  master
master:resteasy-prod weinanli$ git status
On branch 2.3.8.SP1-redhat-1
Changes to be committed:
  (use "git reset HEAD <file>..." to unstage)
    new file: jaxrs-api/src/main/java/javax/ws/rs/core/NoContentException.java
    new file: resteasy-jaxrs/src/main/java/org/jboss/resteasy/util/NoContent.java
    new file: resteasy-jaxrs/src/main/java/org/jboss/resteasy/util/NoContentInputStreamDelegate.java
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)
    modified: resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DataSourceProvider.java

Patch borrowed from upstream: https://github.com/resteasy/Resteasy/pull/497/files

### NOTE ###

Please note we need to add a new class in 'jaxrs-api' from JAX-RS 2.0 spec: NoContentException.java

As EAP6 doesn't use the 'jaxrs-api' inside RESTEasy and build a standalone spec jar:

master:jboss-eap-6.3 weinanli$ find . | grep jaxrs-api
./modules/system/layers/base/javax/ws/rs/api/main/jboss-jaxrs-api_1.1_spec-1.0.1.Final-redhat-2.jar

It needs to be added into that jar for this patch to work. Or resteasy will fail to work on EAP6.

Blocked by BZ1119409.

Mark, please decide whether we can put this in EAP 6.3.1 or not. If as Fernando said the jax-rs spec 1.1 can't be modified, then we should defer this issue to RESTEasy 3.x + EAP7.

Verified in 6.3.1.CP.CR1. Reproduced with org.jboss.resteasy.plugins.providers.DataSourceProviderTest.

Alessio Soldano <asoldano> updated the status of jira RESTEASY-779 to Closed
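
The failure mode named in the Doc Text, as an added Java example (not RESTEasy's code and not the upstream patch): a reader that stops when `InputStream.available()` returns 0 truncates the body, while a reader that waits for `read()` to return -1 gets all of it. `ChunkedStream`, both reader methods and the sample body are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

public class AvailableVsEof {
    /** Constructed stand-in for a client socket stream: returns at most 4 bytes per
     *  read and reports available() == 0 once a read has happened, as a network
     *  stream does while the rest of the body is still in flight. */
    static class ChunkedStream extends FilterInputStream {
        private boolean stalled = false;
        ChunkedStream(byte[] data) { super(new ByteArrayInputStream(data)); }
        @Override public int available() throws IOException {
            return stalled ? 0 : Math.min(4, super.available());
        }
        @Override public int read(byte[] b, int off, int len) throws IOException {
            stalled = true;
            return super.read(b, off, Math.min(4, len));
        }
    }
    /** Flawed pattern: treats available() == 0 as "input is complete". */
    static byte[] readWhileAvailable(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8];
        while (in.available() > 0) {
            int n = in.read(buf, 0, buf.length);
            if (n < 0) break;
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }
    /** Correct pattern: only read() returning -1 marks the end of the stream. */
    static byte[] readToEof(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8];
        int n;
        while ((n = in.read(buf, 0, buf.length)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        byte[] body = "constructed request body".getBytes("UTF-8"); // sample input
        int partial = readWhileAvailable(new ChunkedStream(body)).length;
        int full = readToEof(new ChunkedStream(body)).length;
        System.out.println("available() loop read " + partial + " of " + body.length + " bytes");
        System.out.println("read-to-EOF loop read " + full + " of " + body.length + " bytes");
    }
}
```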