Comments (5)
The current workaround is a patch to Hessian2Serialization
Hessian2Input#reset
_sbufMaxLength is specified through a startup parameter
```java
// Upper bound on the capacity of the reusable string buffer.
private static int _sbufMaxLength = 3_000_000;

static {
    // Add -Dsbuf.max.length=5000000 to the startup parameters to override the default.
    String sbufMaxLength = System.getProperty("sbuf.max.length");
    if (sbufMaxLength != null && sbufMaxLength.length() > 0) {
        _sbufMaxLength = Integer.parseInt(sbufMaxLength);
    }
}

public void reset() {
    this.resetReferences();
    if (this._classDefs != null) {
        this._classDefs.clear();
    }
    if (this._types != null) {
        this._types.clear();
    }
    this._offset = 0;
    this._length = 0;
    // Replace an oversized buffer so its backing array can be garbage collected.
    if (this._sbuf != null && this._sbuf.capacity() > _sbufMaxLength) {
        this._sbuf = new StringBuilder();
    }
}
```
from dubbo-hessian-lite.
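An added illustration (not code from this thread or from dubbo-hessian-lite) of why the capacity check in the patch above matters when a reader is cached per thread: a `StringBuilder` keeps its backing array after `setLength(0)`, so one oversized string pins that memory for every later request on the thread. `ReusableReader`, the payload sizes, the thread count and the uncapped reset used to model the unpatched behaviour are assumptions made for the demo.

```java
public class SbufRetentionDemo {
    // Same system property and default as the patch in the comment above.
    static final int SBUF_MAX_LENGTH = Integer.getInteger("sbuf.max.length", 3_000_000);

    /** Hypothetical stand-in for a deserializer cached per thread and reused across requests. */
    static final class ReusableReader {
        private StringBuilder sbuf = new StringBuilder();

        String readString(String payload) {
            sbuf.setLength(0);               // clears the content, keeps the backing array
            sbuf.append(payload);
            return sbuf.toString();
        }

        /** Assumed unpatched behaviour: the buffer is reused at whatever size it grew to. */
        void resetUncapped() {
            sbuf.setLength(0);
        }

        /** Patched behaviour: an oversized buffer is dropped so the GC can reclaim it. */
        void resetCapped() {
            if (sbuf.capacity() > SBUF_MAX_LENGTH) {
                sbuf = new StringBuilder();
            } else {
                sbuf.setLength(0);
            }
        }

        int retainedChars() {
            return sbuf.capacity();
        }
    }

    static int retainedAfter(boolean capped) {
        String big = String.valueOf(new char[8_000_000]);   // constructed oversized string
        String small = "ping";                               // constructed normal request
        ReusableReader reader = new ReusableReader();
        reader.readString(big);
        if (capped) reader.resetCapped(); else reader.resetUncapped();
        reader.readString(small);
        return reader.retainedChars();
    }

    public static void main(String[] args) {
        int threads = 500;   // constructed size of a fixed worker pool
        long uncapped = retainedAfter(false);
        long capped = retainedAfter(true);
        System.out.printf("uncapped: %,d chars per thread, %,d across %d threads%n",
                uncapped, uncapped * threads, threads);
        System.out.printf("capped:   %,d chars per thread, %,d across %d threads%n",
                capped, capped * threads, threads);
    }
}
```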
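Is there a fixed release for this? I ran into the same problem: we use a fixed number of threads, and that number is fairly large, which led to an OOM.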
from dubbo-hessian-lite.
The ThreadLocal for Hessian2Input has already been removed in newer Dubbo versions; you can upgrade to 3.1.7 and see.
from dubbo-hessian-lite.
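This is a production application and many legacy applications are involved, so a major-version upgrade is probably not feasible. Would you not consider releasing a fixed version?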
from dubbo-hessian-lite.
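> This is a production application and many legacy applications are involved, so a major-version upgrade is probably not feasible. Would you not consider releasing a fixed version?

The 2.7.x line is currently in security-maintenance-only status, and its official EOL will be announced next month. The latest development version is currently 3.2.0.
For the release plan, see: https://cn.dubbo.apache.org/zh-cn/blog/2022/10/22/%E8%81%9A%E7%84%A6%E7%A8%B3%E5%AE%9A%E6%80%A7dubbo-java-%E5%8F%91%E7%89%88%E8%A7%84%E5%88%92%E5%85%AC%E5%B8%83/
If you run into any problems during the upgrade, you can submit an issue; for large-scale clusters you can also contact us for dedicated assistance.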
from dubbo-hessian-lite.