I am sure that all the content I provide is in English.
Search before asking
I had searched in the issues and found no similar issues.
Apache Dubbo Component
Java SDK (apache/dubbo)
Dubbo Version
dubbo-3.3.0-beta.3-SNAPSHOT.jar
Steps to reproduce this issue
When I upgrade to dubbo-3.3.0-beta.3-SNAPSHOT.jar, it shows this error. I think it is violent and incompatible.
Wrapped by: java.util.concurrent.ExecutionException: org.apache.dubbo.remoting.RemotingException: java.io.IOException: org.apache.dubbo.common.serialize.SerializationException: java.lang.IllegalArgumentException: [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. Current mode is `STRICT`, will disallow to deserialize it by default. Please add it into security/serialize.allowlist or follow FAQ to configure it.
java.io.IOException: org.apache.dubbo.common.serialize.SerializationException: java.lang.IllegalArgumentException: [Serialization Security] Serialized class java.lang.ArithmeticException is not in allow list. Current mode is `STRICT`, will disallow to deserialize it by default. Please add it into security/serialize.allowlist or follow FAQ to configure it.
at org.apache.dubbo.common.serialize.DefaultSerializationExceptionWrapper.handleToIOException(DefaultSerializationExceptionWrapper.java:353)
at org.apache.dubbo.common.serialize.DefaultSerializationExceptionWrapper.access$000(DefaultSerializationExceptionWrapper.java:27)
at org.apache.dubbo.common.serialize.DefaultSerializationExceptionWrapper$ProxyObjectInput.readThrowable(DefaultSerializationExceptionWrapper.java:181)
at org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcResult.handleException(DecodeableRpcResult.java:186)
at org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcResult.decode(DecodeableRpcResult.java:114)
at org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcResult.decode(DecodeableRpcResult.java:153)
at org.apache.dubbo.remoting.transport.DecodeHandler.decode(DecodeHandler.java:61)
at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:49)
at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:64)
at org.apache.dubbo.common.threadpool.ThreadlessExecutor$RunnableWrapper.run(ThreadlessExecutor.java:151)
at org.apache.dubbo.common.threadpool.ThreadlessExecutor.waitAndDrain(ThreadlessExecutor.java:77)
What you expected to happen
The upgrade package version should not directly cause incompatible errors. Can this check be turned off by default?
Anything else
No response
Are you willing to submit a pull request to fix on your own?
Yes I am willing to submit a pull request on my own!
Can we consider a blacklist mechanism? Originally, the code did not need to be added, but after upgrading, it needs to be added one by one, which can easily lead to difficulties in upgrading
No, a blacklist cannot resolve the serialization risk. Security is more important than usability.
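The blocklist-versus-allowlist point made in the reply above, as an added example that is not part of the original issue and is not Dubbo's code: it uses the JDK's `ObjectInputFilter` (Java 9+) as a stand-in for Dubbo's own class checker. The classes `Order` and `UnlistedGadget` and the name `com.example.KnownGadget` are constructed for the illustration.

```java
import java.io.*;
import java.util.Set;

public class AllowVsBlockList {
    static class Order implements Serializable { int id = 7; }   // type the service expects
    static class UnlistedGadget implements Serializable { }      // constructed: on neither list

    // Constructed lists; com.example.KnownGadget is a hypothetical placeholder name.
    static final Set<String> BLOCKLIST = Set.of("com.example.KnownGadget");
    static final Set<String> ALLOWLIST = Set.of(Order.class.getName());

    // allowMode=true: accept only listed classes. allowMode=false: reject only listed classes.
    static ObjectInputFilter filter(Set<String> names, boolean allowMode) {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // non-class callbacks
            boolean listed = names.contains(c.getName());
            return listed == allowMode ? ObjectInputFilter.Status.ALLOWED
                                       : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    // Deserializes with the given filter and reports whether the class check let it through.
    static String tryRead(byte[] data, ObjectInputFilter f) {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(f);
            return "accepted " + in.readObject().getClass().getSimpleName();
        } catch (IOException | ClassNotFoundException e) {
            return "rejected (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] order = serialize(new Order());
        byte[] gadget = serialize(new UnlistedGadget());
        // A blocklist only stops classes someone already thought to list.
        System.out.println("blocklist, Order:          " + tryRead(order, filter(BLOCKLIST, false)));
        System.out.println("blocklist, UnlistedGadget: " + tryRead(gadget, filter(BLOCKLIST, false)));
        // An allowlist rejects everything that was not explicitly approved.
        System.out.println("allowlist, Order:          " + tryRead(order, filter(ALLOWLIST, true)));
        System.out.println("allowlist, UnlistedGadget: " + tryRead(gadget, filter(ALLOWLIST, true)));
    }
}
```

The allowlist run rejects `UnlistedGadget` the same way Dubbo's `STRICT` mode rejected `java.lang.ArithmeticException` in the trace above: the class is harmless here, but it was never approved.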