AMQ-8117 - Allow java.util arrays for deserialization

This commit is contained in:
Colm O hEigeartaigh 2021-06-03 14:42:42 +01:00
parent ac27cc2cda
commit 7ca7118a95
2 changed files with 2 additions and 0 deletions

View File

@ -372,6 +372,7 @@ public class SubQueueSelectorCacheBroker extends BrokerFilter implements Runnabl
if (!(desc.getName().startsWith("java.lang.")
|| desc.getName().startsWith("com.thoughtworks.xstream")
|| desc.getName().startsWith("java.util.")
|| desc.getName().length() > 2 && desc.getName().substring(2).startsWith("java.util.") // Allow arrays
|| desc.getName().startsWith("org.apache.activemq."))) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}

View File

@ -4250,6 +4250,7 @@ public abstract class MessageDatabase extends ServiceSupport implements BrokerSe
if (!(desc.getName().startsWith("java.lang.")
|| desc.getName().startsWith("com.thoughtworks.xstream")
|| desc.getName().startsWith("java.util.")
|| desc.getName().length() > 2 && desc.getName().substring(2).startsWith("java.util.") // Allow arrays
|| desc.getName().startsWith("org.apache.activemq."))) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}