You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@activemq.apache.org by "Trejkaz (JIRA)" <ji...@apache.org> on 2017/04/26 01:04:04 UTC

[jira] [Commented] (AMQ-6013) Restrict classes that can be serialized in ObjectMessages

    [ https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15983941#comment-15983941 ] 

Trejkaz commented on AMQ-6013:
------------------------------

The commit to fix this makes serializablePackages a public mutable array:

{code}
    public static final String[] serializablePackages;
{code}

That in itself is not the best idea for security.

> Restrict classes that can be serialized in ObjectMessages
> ---------------------------------------------------------
>
>                 Key: AMQ-6013
>                 URL: https://issues.apache.org/jira/browse/AMQ-6013
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.12.0
>            Reporter: Dejan Bosanac
>            Assignee: Dejan Bosanac
>             Fix For: 5.11.3, 5.13.0, 5.12.2
>
>
> At some points we do (de)serialization of JMS Object messages inside the broker (HTTP, Stomp, Web Console, ...). We need to restrict classes that can be serialized in this way.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)