Merge pull request #608 from jbonofre/AMQ-8097

[AMQ-8097] Deal with deserialization with xstream unmarshal poison ack
Jean-Baptiste Onofré 2021-01-13 18:28:34 +01:00 committed by GitHub
commit feaa2de87b
3 changed files with 9 additions and 4 deletions


@ -369,7 +369,10 @@ public class SubQueueSelectorCacheBroker extends BrokerFilter implements Runnabl
@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
if (!(desc.getName().equals("java.lang.String") || desc.getName().startsWith("java.util."))) {
if (!(desc.getName().startsWith("java.lang.")
|| desc.getName().startsWith("com.thoughtworks.xstream")
|| desc.getName().startsWith("java.util.")
|| desc.getName().startsWith("org.apache.activemq."))) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}
return super.resolveClass(desc);
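Review bot: The new prefix `"com.thoughtworks.xstream"` at L18 has no trailing dot, unlike the other three prefixes, so it matches any class whose name merely begins with that string, and it trusts the whole XStream tree where the `SERIALIZABLE_PACKAGES` default touched by this same commit trusts only `com.thoughtworks.xstream.mapper`. Unless classes outside the mapper package are known to arrive in these acks, tighten it to `|| desc.getName().startsWith("com.thoughtworks.xstream.mapper.")`, or at minimum `"com.thoughtworks.xstream."`. Replacing the exact `java.lang.String` match of L16 with the `java.lang.` prefix also widens the trusted set to every `java.lang` subpackage (`java.lang.reflect`, `java.lang.invoke`); if only String and the boxed types are needed, an exact-name set is tighter than a prefix. The same four-prefix list is pasted verbatim into MessageDatabase in this commit, and the two pre-patch copies had already drifted apart (String-only here, `java.lang.` there), so a single shared helper is the durable fix. resolveClass's closing brace lies outside the visible hunk.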


@ -40,7 +40,7 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {
private final ClassLoader inLoader;
static {
serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES","org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES","java.lang,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
}
public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException {
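Review bot: The widened default at L31 now trusts `java.lang` and, if the package check (outside this hunk) matches by prefix, every `java.lang` subpackage such as `java.lang.reflect` and `java.lang.invoke`, rather than just the String and boxed types the XStream payloads presumably need, and nothing records why the entry was added. A comment on the static initializer would help the next reader, e.g. `// Comma-separated package prefixes trusted for Java deserialization; java.lang is needed for String/boxed fields of XStream-unmarshalled messages -- TODO confirm`. Because the value is only `split(",")`, an entry with surrounding whitespace silently never matches (fail-closed), whereas an explicitly empty `-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=` yields a single empty-string entry that a prefix comparison would match against every class (fail-open); trimming and dropping blank entries at the split site closes that: `serializablePackages = Arrays.stream(System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", "java.lang,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",")).map(String::trim).filter(s -> !s.isEmpty()).toArray(String[]::new);` (needs `java.util.Arrays` and a Java 8+ target). The constructor beginning at L33 continues outside the hunk.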


@ -4254,8 +4254,10 @@ public abstract class MessageDatabase extends ServiceSupport implements BrokerSe
@Override
protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
if (!(desc.getName().startsWith("java.lang.") || desc.getName().startsWith("java.util.")
|| desc.getName().startsWith("org.apache.activemq."))) {
if (!(desc.getName().startsWith("java.lang.")
|| desc.getName().startsWith("com.thoughtworks.xstream")
|| desc.getName().startsWith("java.util.")
|| desc.getName().startsWith("org.apache.activemq."))) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}
return super.resolveClass(desc);
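Review bot: The allow-list at L42-L45 is enforced only in `resolveClass`; descriptors for dynamic proxies are routed by `ObjectInputStream` to `resolveProxyClass(String[])` instead, and unless that method is overridden outside this hunk the interface names in a proxy descriptor are loaded without any check, while the `java.util.` containers allowed here (HashMap and friends) call `hashCode()`/`equals()` on deserialized keys during `readObject`, which for a proxy means its handler. Whether any allowed class is a usable `InvocationHandler` is not something this hunk shows, but as defense in depth the same allow-list should gate `resolveProxyClass`, with the condition at L42 becoming `if (!isTrustedClassName(desc.getName())) {` and the new methods below. Factoring the four `startsWith` tests into one private helper (with the trailing dot the `com.thoughtworks.xstream` entry is missing) also removes the verbatim copy of this list that the commit adds to SubQueueSelectorCacheBroker. The enclosing class and `resolveClass`'s closing brace lie outside the visible hunk.
```java
// … unchanged: resolveClass, now delegating its check to isTrustedClassName …

// Proxy descriptors bypass resolveClass; apply the same allow-list to every interface name.
@Override
protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
    for (String name : interfaces) {
        if (!isTrustedClassName(name)) {
            throw new InvalidClassException("Unauthorized deserialization attempt", name);
        }
    }
    return super.resolveProxyClass(interfaces);
}

// Package prefixes trusted for KahaDB deserialization; keep in sync with SubQueueSelectorCacheBroker.
private boolean isTrustedClassName(String name) {
    return name.startsWith("java.lang.")
        || name.startsWith("com.thoughtworks.xstream.")
        || name.startsWith("java.util.")
        || name.startsWith("org.apache.activemq.");
}
```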