Posted to commits@activemq.apache.org by jb...@apache.org on 2021/08/06 05:19:20 UTC
[activemq] branch main updated: [AMQ-8348] Fix XmlMessageRenderer
has the risk of XStream deserialization
This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq.git
The following commit(s) were added to refs/heads/main by this push:
new 0991082 [AMQ-8348] Fix XmlMessageRenderer has the risk of XStream deserialization
new 4fd439e Merge pull request #697 from skyguard1/fix_xstream_xml_risk
0991082 is described below
commit 099108239cc9fb81a8d1cbdc48467fe30ba6529c
Author: xingrufei <xi...@sogou-inc.com>
AuthorDate: Thu Aug 5 15:50:28 2021 +0800
[AMQ-8348] Fix XmlMessageRenderer has the risk of XStream deserialization
---
.../src/main/java/org/apache/activemq/web/view/XmlMessageRenderer.java | 1 +
1 file changed, 1 insertion(+)
diff --git a/activemq-web/src/main/java/org/apache/activemq/web/view/XmlMessageRenderer.java b/activemq-web/src/main/java/org/apache/activemq/web/view/XmlMessageRenderer.java
index 10caf9b..bfa0a06 100644
--- a/activemq-web/src/main/java/org/apache/activemq/web/view/XmlMessageRenderer.java
+++ b/activemq-web/src/main/java/org/apache/activemq/web/view/XmlMessageRenderer.java
@@ -42,6 +42,7 @@ public class XmlMessageRenderer extends SimpleMessageRenderer {
public XStream getXstream() {
if (xstream == null) {
xstream = new XStream();
+ XStream.setupDefaultSecurity(xstream);
}
return xstream;
}
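Review bot: The added `XStream.setupDefaultSecurity(xstream)` call in `getXstream()` hardens only the instance created inside the `if (xstream == null)` branch, so an XStream assigned to the field by any other path would be returned without the restriction. The rest of the class is outside this hunk; if it has a setter for the field, apply the same call there or document that injected instances must already be restricted. The call also relies on the library's built-in allowlist, so if this renderer ever parses XML it would be clearer to follow it with an explicit `xstream.allowTypes(...)` list limited to the classes it actually needs. A short comment such as `// AMQ-8348: restrict deserializable types to XStream's default allowlist` would record why the line is there.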