Merge pull request #608 from jbonofre/AMQ-8097
[AMQ-8097] Deal with deserialization with xstream unmarshal poison ack
commit
feaa2de87b
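--- a/SubQueueSelectorCacheBroker.java
+++ b/SubQueueSelectorCacheBroker.java
@@ -369,7 +369,10 @@ public class SubQueueSelectorCacheBroker extends BrokerFilter implements Runnabl
 
 @Override
 protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
-if (!(desc.getName().equals("java.lang.String") || desc.getName().startsWith("java.util."))) {
+if (!(desc.getName().startsWith("java.lang.")
+|| desc.getName().startsWith("com.thoughtworks.xstream")
+|| desc.getName().startsWith("java.util.")
+|| desc.getName().startsWith("org.apache.activemq."))) {
 throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
 }
 return super.resolveClass(desc);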
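Review bot: The prefix `com.thoughtworks.xstream` on the second line of the new condition is the only one of the four without a trailing `.`, so it also admits any package whose name merely begins with that string, and it is wider than the `com.thoughtworks.xstream.mapper` entry this same commit uses as the ClassLoadingAwareObjectInputStream default; `|| desc.getName().startsWith("com.thoughtworks.xstream.")` (or the narrower `.mapper.` prefix, if that is all the poison-ack path needs) closes that. The `if` also deserves a comment, because a prefix allow-list over whole packages such as `java.util.` and `org.apache.activemq.` only rejects classes outside them and does nothing against a gadget chain assembled entirely from allowed classes: `// package-prefix allow-list; keep in sync with SERIALIZABLE_PACKAGES in ClassLoadingAwareObjectInputStream`. Note that `desc.getName()` for an array descriptor appears to start with `[`, so arrays of otherwise-allowed element types are rejected by this check — presumably intended, but worth stating next to the condition. The method's closing brace is outside the hunk.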
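--- a/ClassLoadingAwareObjectInputStream.java
+++ b/ClassLoadingAwareObjectInputStream.java
@@ -40,7 +40,7 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {
 private final ClassLoader inLoader;
 
 static {
-serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES","org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
+serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES","java.lang,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
 }
 
 public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException {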
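Review bot: The widened default on the `serializablePackages` line replaces, rather than extends, whatever an operator already sets in `org.apache.activemq.SERIALIZABLE_PACKAGES`, so a deployment that pinned that property keeps its old list and silently misses the `java.lang` entry this fix relies on; a comment on the assignment would spare that upgrade surprise: `// a user-supplied SERIALIZABLE_PACKAGES replaces this default entirely; java.lang is needed for the XStream unmarshal (poison ack) path`. Whether the entry `java.lang` also covers `java.lang.reflect` and `java.lang.invoke` depends on how the list is matched later in this class, which the hunk does not show — if it is a plain prefix match, a trailing dot or an explicit package-equality check would keep the grant to `java.lang` proper. `split(",")` also preserves any surrounding whitespace from a hand-edited property value, so `java.lang, org.apache.activemq` yields an entry ` org.apache.activemq` that never matches; trimming each entry would make the parse robust.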
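--- a/MessageDatabase.java
+++ b/MessageDatabase.java
@@ -4254,7 +4254,9 @@ public abstract class MessageDatabase extends ServiceSupport implements BrokerSe
 
 @Override
 protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
-if (!(desc.getName().startsWith("java.lang.") || desc.getName().startsWith("java.util.")
+if (!(desc.getName().startsWith("java.lang.")
+|| desc.getName().startsWith("com.thoughtworks.xstream")
+|| desc.getName().startsWith("java.util.")
 || desc.getName().startsWith("org.apache.activemq."))) {
 throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
 }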
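Review bot: The four-prefix allow-list added on the `if` is now maintained by hand in at least two `resolveClass` overrides in this commit (here and in SubQueueSelectorCacheBroker) plus a third, differently worded default in ClassLoadingAwareObjectInputStream, and they already disagree on XStream (`com.thoughtworks.xstream` here versus `com.thoughtworks.xstream.mapper` there); the `com.thoughtworks.xstream` prefix also lacks the trailing `.` the other three carry. A single shared predicate would stop the lists drifting further and give one place to tighten them. This override lives in the KahaDB store, so the stream it guards is read back from the journal rather than straight off the wire, but the records are whatever the broker was persuaded to persist, so the same list should apply and the comment should say so. `return super.resolveClass(desc)` and the method's closing brace are outside the hunk.
```java
// … unchanged: resolveClass signature …
if (!isAllowedForDeserialization(desc.getName())) {
// … unchanged: throw InvalidClassException …

/** Package-prefix allow-list for every ObjectInputStream the store opens; keep in sync with SERIALIZABLE_PACKAGES. */
private static final String[] DESERIALIZATION_ALLOWED_PREFIXES = {
    "java.lang.", "java.util.", "com.thoughtworks.xstream.", "org.apache.activemq."
};

// Journal records are broker-persisted data, not raw client input, but the same allow-list applies.
private static boolean isAllowedForDeserialization(String className) {
    for (String prefix : DESERIALIZATION_ALLOWED_PREFIXES) {
        if (className.startsWith(prefix)) {
            return true;
        }
    }
    return false;
}
```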