Posted to issues@activemq.apache.org by "Trejkaz (JIRA)" <ji...@apache.org> on 2017/04/26 01:04:04 UTC
[jira] [Commented] (AMQ-6013) Restrict classes that can be serialized in ObjectMessages
[ https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15983941#comment-15983941 ]
Trejkaz commented on AMQ-6013:
------------------------------
The commit to fix this makes serializablePackages a public mutable array:
{code}
public static final String[] serializablePackages;
{code}
That in itself is not the best idea for security.
> Restrict classes that can be serialized in ObjectMessages
> ---------------------------------------------------------
>
> Key: AMQ-6013
> URL: https://issues.apache.org/jira/browse/AMQ-6013
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.12.0
> Reporter: Dejan Bosanac
> Assignee: Dejan Bosanac
> Fix For: 5.11.3, 5.13.0, 5.12.2
>
>
> At some points we do (de)serialization of JMS Object messages inside the broker (HTTP, Stomp, Web Console, ...). We need to restrict classes that can be serialized in this way.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
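The point in the comment above is that `final` on an array field only pins the reference, not the elements, so a `public static final String[]` allow-list can be rewritten by any code running in the same JVM. The following Java program is an added illustration, not code from ActiveMQ or from the commenter: the `MutableAllowlist`, `ImmutableAllowlist`, `isAllowed` and `serializablePackages()` names, the package list and the gadget class name are all constructed for the demo and do not correspond to the project's real implementation.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class SerializablePackagesDemo {

    // Hypothetical reproduction of the pattern the comment objects to: a public
    // static final array. "final" pins the reference; the elements stay writable.
    static final class MutableAllowlist {
        public static final String[] serializablePackages = {"java.lang", "java.util"};

        // Allow a class only if it lives under one of the listed packages
        // (dot appended so "java.lang" does not also match "java.langx").
        static boolean isAllowed(String className) {
            for (String pkg : serializablePackages) {
                if (className.startsWith(pkg + ".")) {
                    return true;
                }
            }
            return false;
        }
    }

    // Hardened variant (an assumed alternative, not the project's own fix): the array
    // is private and callers only ever receive an unmodifiable copy, so no in-process
    // code can widen the allow-list through the field.
    static final class ImmutableAllowlist {
        private static final String[] SERIALIZABLE_PACKAGES = {"java.lang", "java.util"};

        static List<String> serializablePackages() {
            // clone() gives a defensive copy; unmodifiableList blocks set()/add()/remove().
            return Collections.unmodifiableList(Arrays.asList(SERIALIZABLE_PACKAGES.clone()));
        }

        static boolean isAllowed(String className) {
            for (String pkg : SERIALIZABLE_PACKAGES) {
                if (className.startsWith(pkg + ".")) {
                    return true;
                }
            }
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed class name standing in for a deserialization gadget.
        String gadget = "com.example.attacker.Gadget";

        System.out.println("mutable, before tampering: " + MutableAllowlist.isAllowed(gadget));
        // Any code in the JVM (a broker plugin, a web console page, a readObject()
        // hook on an already-deserialized object) can overwrite an element, and the
        // allow-list check silently widens with no API call having been made.
        MutableAllowlist.serializablePackages[0] = "com.example.attacker";
        System.out.println("mutable, after tampering:  " + MutableAllowlist.isAllowed(gadget));

        System.out.println("immutable, before:         " + ImmutableAllowlist.isAllowed(gadget));
        try {
            ImmutableAllowlist.serializablePackages().set(0, "com.example.attacker");
        } catch (UnsupportedOperationException e) {
            System.out.println("immutable: write rejected (" + e.getClass().getSimpleName() + ")");
        }
        System.out.println("immutable, after attempt:  " + ImmutableAllowlist.isAllowed(gadget));
    }
}
```

Compile and run with `javac SerializablePackagesDemo.java && java SerializablePackagesDemo`. The mutable variant rejects the gadget class until a single array-element write flips the result to allowed; the private array plus unmodifiable accessor keeps rejecting it, and the attempted write fails with `UnsupportedOperationException`. If the list genuinely needs to be configurable at runtime, the same principle applies: expose a setter that validates and copies its input rather than the backing array itself.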