You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@activemq.apache.org by jb...@apache.org on 2021/06/04 04:16:28 UTC
[activemq] branch activemq-5.16.x updated: AMQ-8117 - Allow
java.util arrays for deserialization
This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch activemq-5.16.x
in repository https://gitbox.apache.org/repos/asf/activemq.git
The following commit(s) were added to refs/heads/activemq-5.16.x by this push:
new f3e90aa AMQ-8117 - Allow java.util arrays for deserialization
f3e90aa is described below
commit f3e90aab446bb1fc88feba64e710d80dcc03dab1
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Jun 3 14:42:42 2021 +0100
AMQ-8117 - Allow java.util arrays for deserialization
(cherry picked from commit 7ca7118a9544fd6b2aac4dd72fd3a6edc3369aca)
---
.../java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java | 1 +
.../src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java | 1 +
2 files changed, 2 insertions(+)
diff --git a/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java b/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
index 47d4754..322e1e7 100644
--- a/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
@@ -372,6 +372,7 @@ public class SubQueueSelectorCacheBroker extends BrokerFilter implements Runnabl
if (!(desc.getName().startsWith("java.lang.")
|| desc.getName().startsWith("com.thoughtworks.xstream")
|| desc.getName().startsWith("java.util.")
+ || desc.getName().length() > 2 && desc.getName().substring(2).startsWith("java.util.") // Allow arrays
|| desc.getName().startsWith("org.apache.activemq."))) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}
diff --git a/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java b/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
index 886695b..020ea1e 100644
--- a/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
+++ b/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
@@ -4250,6 +4250,7 @@ public abstract class MessageDatabase extends ServiceSupport implements BrokerSe
if (!(desc.getName().startsWith("java.lang.")
|| desc.getName().startsWith("com.thoughtworks.xstream")
|| desc.getName().startsWith("java.util.")
+ || desc.getName().length() > 2 && desc.getName().substring(2).startsWith("java.util.") // Allow arrays
|| desc.getName().startsWith("org.apache.activemq."))) {
throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
}