Posted to commits@activemq.apache.org by jb...@apache.org on 2021/08/06 05:19:20 UTC

[activemq] branch main updated: [AMQ-8348] Fix XmlMessageRenderer has the risk of XStream deserialization

This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq.git


The following commit(s) were added to refs/heads/main by this push:
     new 0991082  [AMQ-8348] Fix XmlMessageRenderer has the risk of XStream deserialization
     new 4fd439e  Merge pull request #697 from skyguard1/fix_xstream_xml_risk
0991082 is described below

commit 099108239cc9fb81a8d1cbdc48467fe30ba6529c
Author: xingrufei <xi...@sogou-inc.com>
AuthorDate: Thu Aug 5 15:50:28 2021 +0800

    [AMQ-8348] Fix XmlMessageRenderer has the risk of XStream deserialization
---
 .../src/main/java/org/apache/activemq/web/view/XmlMessageRenderer.java   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/activemq-web/src/main/java/org/apache/activemq/web/view/XmlMessageRenderer.java b/activemq-web/src/main/java/org/apache/activemq/web/view/XmlMessageRenderer.java
index 10caf9b..bfa0a06 100644
--- a/activemq-web/src/main/java/org/apache/activemq/web/view/XmlMessageRenderer.java
+++ b/activemq-web/src/main/java/org/apache/activemq/web/view/XmlMessageRenderer.java
@@ -42,6 +42,7 @@ public class XmlMessageRenderer extends SimpleMessageRenderer {
     public XStream getXstream() {
         if (xstream == null) {
             xstream = new XStream();
+            XStream.setupDefaultSecurity(xstream);
         }
         return xstream;
     }
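Review bot: The hardening on the added line covers only the instance that `getXstream()` creates lazily, so if the class also has a setter for the `xstream` field (not visible in this hunk), an injected instance would be returned without the default security setup. Consider applying the same setup on that path, or documenting that callers must supply an already-restricted instance. A short comment on the added line would record the intent, e.g. `// AMQ-8348: restrict unmarshalling to XStream's default type allowlist`. Any application types that need to be unmarshalled through this instance would then have to be allowed explicitly (for example with `xstream.allowTypes(...)`), which is worth a unit test. The class body continues outside the hunk.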