Apache
/
activemq
mirror of https://github.com/apache/activemq.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #667 from coheigea/AMQ-8117 

AMQ-8117 - Allow java.util arrays for deserialization
This commit is contained in:
Jean-Baptiste Onofré 2021-06-04 06:15:41 +02:00 committed by GitHub
parent ac27cc2cda 7ca7118a95
commit c739984778
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
View File

@ -372,6 +372,7 @@ public class SubQueueSelectorCacheBroker extends BrokerFilter implements Runnabl
if (!(desc.getName().startsWith("java.lang.")
|| desc.getName().startsWith("com.thoughtworks.xstream")
|| desc.getName().startsWith("java.util.")
|| desc.getName().length() > 2 && desc.getName().substring(2).startsWith("java.util.") // Allow arrays
|| desc.getName().startsWith("org.apache.activemq."))) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}

1
activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
View File

@ -4250,6 +4250,7 @@ public abstract class MessageDatabase extends ServiceSupport implements BrokerSe
if (!(desc.getName().startsWith("java.lang.")
|| desc.getName().startsWith("com.thoughtworks.xstream")
|| desc.getName().startsWith("java.util.")
|| desc.getName().length() > 2 && desc.getName().substring(2).startsWith("java.util.") // Allow arrays
|| desc.getName().startsWith("org.apache.activemq."))) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}