dubbo-hessian-lite

dubbo-hessian-lite copied to clipboard

Hessian2 Deserializer Joda-time error

3

我在dubbo项目上看到了一个[issue](https://github.com/apache/incubator-dubbo/issues/126)。我跟踪了一下代码发现是你们这个hessian工程导致的。我在Hessian 4.0.38上没有重新该问题。经过debug，我发现是因为你们的代码缺少了UnsafeDeserializer.class相关类导致的，我在sofa上看到他们已经把hessian协议升级到了高版本。你们这边有升级的计划吗？https://github.com/alipay/sofa-hessian

Bricks-Man

Dubbo 3.0.4 java.util.List反序列化失败

2

- [x] I have searched the [issues](https://github.com/apache/dubbo/issues) of this repository and believe that this is not a duplicate. ### Environment * Dubbo version: 3.0.4 * Operating System version: MAC OS...

lucky-xin

com.alibaba.com.caucho.hessian.io.HessianInput.readObject()不管什么类型读取出来的都是list

1

### 代码 ```java com.alibaba.com.caucho.hessian.io.HessianInput.readObject(); if (List.class != reader.getType() && List.class.isAssignableFrom(reader.getType())) return reader.readList(this, length, valueType ? expectedTypes.get(0) : null); ``` 第一个条件：List.class != reader.getType() 读取的类型不能是List 第二个条件：List.class.isAssignableFrom(reader.getType())) 判断接口类型，这里明显少了一个 感叹号。 应该加一个感叹号 ```java !List.class.isAssignableFrom(reader.getType())) ```...

iwhalecloud-platform

- [x] I have searched the [issues](https://github.com/apache/dubbo/issues) of this repository and believe that this is not a duplicate. - [x] I have checked the [FAQ](https://github.com/apache/dubbo/blob/master/FAQ.md) of this repository and believe...

huangzy01

LocalDateTime support from hessian-lite see a big drop on performance compared to Date type.

1

chickenlj

Apache Dubbo默认使用Hessian2作为序列化/反序列化协议。 当使用Hessian2反序列化HashMap对象时，一些存储在HashMap中的函数将被执行。 攻击者可通过构造特定的序列实现任意远程命令执行。 受影响版本为Dubbo 2.7.0至2.7.7；Dubbo 2.6.0至2.6.8；Dubbo 2.5.x。 问下2.7.8版本中有没有修复此漏洞了？

ghost

com.alibaba.com.caucho.hessian.io.HessianProtocolException: com.alibaba.com.caucho.hessian.io.ObjectDeserializer: unexpected object java.lang.String (2)

2

我们使用dubbo的时候，返回的结果对象是这样的 class Result { int code;//错误码 String message;//错误消息 T module ;//保存数据 } 但是调用时报反序列失败，报错如下： `Exception in thread "main" com.alibaba.com.caucho.hessian.io.HessianFieldException: AVX$Result.data: com.alibaba.com.caucho.hessian.io.ObjectDeserializer: unexpected object java.lang.String (2) at com.alibaba.com.caucho.hessian.io.JavaDeserializer.logDeserializeError(JavaDeserializer.java:163) at com.alibaba.com.caucho.hessian.io.JavaDeserializer$ObjectFieldDeserializer.deserialize(JavaDeserializer.java:394) at com.alibaba.com.caucho.hessian.io.JavaDeserializer.readObject(JavaDeserializer.java:269)...

xuyanhua

wrong generic type for decoding

1

for type `List` , the decoded type will be `List`, which will cause jackson can't serialize the object, and get the error `java.util.ArrayList cannot be cast to [Ljava.lang.Object;` the following...

wongoo

 refer to the image, the latest is stll 3.2.8

awayings

```java public class User implements java.io.Serializable { private Map map; public Map getMap() { return map; } public void setMap(Map map) { this.map = map; } } ``` 序列化之前： ```java...

iwhalecloud-platform