From 7ca7118a9544fd6b2aac4dd72fd3a6edc3369aca Mon Sep 17 00:00:00 2001
From: Colm O hEigeartaigh <coheigea@apache.org>
Date: Thu, 3 Jun 2021 14:42:42 +0100
Subject: [PATCH] AMQ-8117 - Allow java.util arrays for deserialization

---
 .../org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java  | 1 +
 .../java/org/apache/activemq/store/kahadb/MessageDatabase.java   | 1 +
 2 files changed, 2 insertions(+)

diff --git a/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java b/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
index 47d475416f..322e1e7126 100644
--- a/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
@@ -372,6 +372,7 @@ public class SubQueueSelectorCacheBroker extends BrokerFilter implements Runnabl
             if (!(desc.getName().startsWith("java.lang.")
                     || desc.getName().startsWith("com.thoughtworks.xstream")
                     || desc.getName().startsWith("java.util.")
+                    || desc.getName().length() > 2 && desc.getName().substring(2).startsWith("java.util.") // Allow arrays
                     || desc.getName().startsWith("org.apache.activemq."))) {
                 throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
             }
diff --git a/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java b/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
index a41c15a75b..448cb6a3f2 100644
--- a/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
+++ b/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
@@ -4250,6 +4250,7 @@ public abstract class MessageDatabase extends ServiceSupport implements BrokerSe
             if (!(desc.getName().startsWith("java.lang.")
                     || desc.getName().startsWith("com.thoughtworks.xstream")
                     || desc.getName().startsWith("java.util.")
+                    || desc.getName().length() > 2 && desc.getName().substring(2).startsWith("java.util.") // Allow arrays
                     || desc.getName().startsWith("org.apache.activemq."))) {
                 throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
             }