Posted to gitbox@activemq.apache.org by GitBox <gi...@apache.org> on 2020/02/07 10:01:36 UTC

[GitHub] [activemq] jbonofre opened a new pull request #446: [AMQ-7399] org.apache.activemq.SERIALIZABLE_PACKAGES is now empty by default

jbonofre opened a new pull request #446: [AMQ-7399] org.apache.activemq.SERIALIZABLE_PACKAGES is now empty by default
URL: https://github.com/apache/activemq/pull/446
 
 
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

[GitHub] [activemq] coheigea commented on a change in pull request #446: [AMQ-7399] org.apache.activemq.SERIALIZABLE_PACKAGES doesn't contain java* by default

Posted by GitBox <gi...@apache.org>.
coheigea commented on a change in pull request #446: [AMQ-7399] org.apache.activemq.SERIALIZABLE_PACKAGES doesn't contain java* by default
URL: https://github.com/apache/activemq/pull/446#discussion_r376962668
 
 

 ##########
 File path: activemq-http/src/test/java/org/apache/activemq/transport/http/HttpJMSMessagesWithCompressionTest.java
 ##########
 @@ -71,6 +72,7 @@ public void tearDown() throws Exception {
 
     protected ConnectionFactory createConnectionFactory() throws URISyntaxException {
         ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(getBrokerURL());
+        factory.setTrustedPackages(Arrays.asList("java.lang,javax.security,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper".split(",")));
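Review bot: The setTrustedPackages call added in createConnectionFactory() trusts six package prefixes at once, so this test no longer shows which packages it needs under the restricted default, and the comma-joined literal run through split(",") is the same string repeated in the other test changes of this pull request. Consider listing only the prefixes this test deserializes as separate arguments to Arrays.asList, or moving the list into one shared test constant so the copies cannot drift apart.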
 
 Review comment:
   java.lang only required here


[GitHub] [activemq] jbonofre merged pull request #446: [AMQ-7399] org.apache.activemq.SERIALIZABLE_PACKAGES doesn't contain java* by default

Posted by GitBox <gi...@apache.org>.
jbonofre merged pull request #446: [AMQ-7399] org.apache.activemq.SERIALIZABLE_PACKAGES doesn't contain java* by default
URL: https://github.com/apache/activemq/pull/446
 
 
   


[GitHub] [activemq] coheigea commented on a change in pull request #446: [AMQ-7399] org.apache.activemq.SERIALIZABLE_PACKAGES doesn't contain java* by default

Posted by GitBox <gi...@apache.org>.
coheigea commented on a change in pull request #446: [AMQ-7399] org.apache.activemq.SERIALIZABLE_PACKAGES doesn't contain java* by default
URL: https://github.com/apache/activemq/pull/446#discussion_r376960252
 
 

 ##########
 File path: activemq-client/src/test/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStreamTest.java
 ##########
 @@ -35,6 +35,10 @@
 
 public class ClassLoadingAwareObjectInputStreamTest {
 
+    static {
+        System.setProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", "java.lang,javax.security,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper");
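Review bot: The static initializer sets org.apache.activemq.SERIALIZABLE_PACKAGES for the whole JVM and nothing in the visible lines restores it, so any test class that runs later in the same fork inherits the widened list and stops exercising the restricted default. Consider saving the previous value and restoring or clearing it in a class-level teardown, and keeping at least one case that runs without the property so the default exclusion of java* packages stays covered.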
 
 Review comment:
   Just java.util here fixes the tests in activemq-client


[GitHub] [activemq] coheigea commented on a change in pull request #446: [AMQ-7399] org.apache.activemq.SERIALIZABLE_PACKAGES doesn't contain java* by default

Posted by GitBox <gi...@apache.org>.
coheigea commented on a change in pull request #446: [AMQ-7399] org.apache.activemq.SERIALIZABLE_PACKAGES doesn't contain java* by default
URL: https://github.com/apache/activemq/pull/446#discussion_r376957963
 
 

 ##########
 File path: activemq-broker/src/test/java/org/apache/activemq/JmsTransactionTestSupport.java
 ##########
 @@ -114,6 +114,7 @@ protected void rollbackTx() throws Exception {
     /**
      */
     protected BrokerService createBroker() throws Exception, URISyntaxException {
+        System.setProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", "java.lang,javax.security,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper");
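Review bot: Calling System.setProperty inside createBroker() makes a process-wide change as a side effect of a factory method in a shared support class, so every subclass, and every test that runs afterwards in the same JVM, gets the widened package list whether it needs it or not. Scoping the list to the client, for example with factory.setTrustedPackages(...) as done in HttpJMSMessagesWithCompressionTest, or restoring the property in tearDown, would keep the change local to the tests that need it.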
 
 Review comment:
   Just java.util here fixes the tests in activemq-broker


[GitHub] [activemq] coheigea commented on a change in pull request #446: [AMQ-7399] org.apache.activemq.SERIALIZABLE_PACKAGES doesn't contain java* by default

Posted by GitBox <gi...@apache.org>.
coheigea commented on a change in pull request #446: [AMQ-7399] org.apache.activemq.SERIALIZABLE_PACKAGES doesn't contain java* by default
URL: https://github.com/apache/activemq/pull/446#discussion_r376963164
 
 

 ##########
 File path: assembly/src/release/bin/env
 ##########
 @@ -113,3 +113,10 @@ ACTIVEMQ_USER=""
 # (set JAVACMD to "auto" for automatic detection)
 #JAVA_HOME=""
 JAVACMD="auto"
+
+# Packages allowed for serialization (when used with ObjectMessage).
+# Packages set is limited to org.apache.activemmq, org.fusesource.hawtbuf and com.thoughtworks.xstream.mapper by default.
+# java* packages are excluded by default for security reason.
+#ACTIVEMQ_OPTS="-Dorg.apache.activemq.SERIALIZABLE_PACKAGES=org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper"
+# You have explicitely add java* packages and your packages (and probably java* packages):
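Review bot: The comment block added to bin/env misspells the first default package as org.apache.activemmq (double m), which anyone copying from the comment would carry into their configuration, and its last line, "You have explicitely add java* packages and your packages (and probably java* packages)", is misspelled, is missing "to" and names java* twice. Suggest correcting the package name, writing "for security reasons", and rewording the last line to say plainly that java* packages and your own packages must be added explicitly.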
 
 Review comment:
   I think this could be re-worded - you have to explicitly add java.util + java.lang packages ?
