This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch activemq-5.16.x
in repository https://gitbox.apache.org/repos/asf/activemq.git


The following commit(s) were added to refs/heads/activemq-5.16.x by this push:
     new 4cc287f  [AMQ-8097] Deal with deserialization with xstream unmarshal 
poison ack
4cc287f is described below

commit 4cc287fcd71318fc459d09fed35f54b0ef0f8231
Author: jbonofre <[email protected]>
AuthorDate: Tue Jan 12 18:32:09 2021 +0100

    [AMQ-8097] Deal with deserialization with xstream unmarshal poison ack
    
    (cherry picked from commit cbc1baa07a2c3774dcfed288c9f3316dbcd35100)
---
 .../org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java     | 5 ++++-
 .../apache/activemq/util/ClassLoadingAwareObjectInputStream.java    | 2 +-
 .../main/java/org/apache/activemq/store/kahadb/MessageDatabase.java | 6 ++++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git 
a/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
 
b/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
index 7a0e58c..47d4754 100644
--- 
a/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
+++ 
b/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
@@ -369,7 +369,10 @@ public class SubQueueSelectorCacheBroker extends 
BrokerFilter implements Runnabl
 
         @Override
         protected Class<?> resolveClass(ObjectStreamClass desc) throws 
IOException, ClassNotFoundException {
-            if (!(desc.getName().equals("java.lang.String") || 
desc.getName().startsWith("java.util."))) {
+            if (!(desc.getName().startsWith("java.lang.")
+                    || desc.getName().startsWith("com.thoughtworks.xstream")
+                    || desc.getName().startsWith("java.util.")
+                    || desc.getName().startsWith("org.apache.activemq."))) {
                 throw new InvalidClassException("Unauthorized deserialization 
attempt", desc.getName());
             }
             return super.resolveClass(desc);
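Review bot: The allowlist is widened from the single class `java.lang.String` to the whole `java.lang.` prefix and to everything under `com.thoughtworks.xstream`, which is a larger surface than the poison-ack case in the title appears to need; a prefix allowlist admits every class in those trees, so the narrowest set of classes the unmarshalled ack actually requires would be the safer filter, and the reason for each prefix deserves a comment such as `// com.thoughtworks.xstream: needed to read XStream-marshalled poison acks (AMQ-8097)`. The same list is hand-copied into MessageDatabase.resolveClass in the third hunk, and ClassLoadingAwareObjectInputStream keeps a third, different list in the second hunk, so a single shared predicate would keep the three from drifting apart. `startsWith("com.thoughtworks.xstream")` has no trailing dot, unlike the other prefixes, so it also matches any class name that merely begins with that string; `"com.thoughtworks.xstream."` would be consistent with the rest of the condition. The enclosing ObjectInputStream subclass starts and ends outside the hunk.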
diff --git 
a/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
 
b/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
index 0a717f4..396b650 100644
--- 
a/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
+++ 
b/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
@@ -40,7 +40,7 @@ public class ClassLoadingAwareObjectInputStream extends 
ObjectInputStream {
     private final ClassLoader inLoader;
 
     static {
-        serializablePackages = 
System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES","org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
+        serializablePackages = 
System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES","java.lang,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
     }
 
     public ClassLoadingAwareObjectInputStream(InputStream in) throws 
IOException {
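Review bot: Adding `java.lang` to the default value of `org.apache.activemq.SERIALIZABLE_PACKAGES` widens what every client-side ClassLoadingAwareObjectInputStream will accept, and nothing in the static initializer records why; a comment like `// java.lang is required so XStream-unmarshalled poison acks can be read (AMQ-8097)` would tell the next reader the reason. This default is also the only one of the three allowlists touched by this commit that omits `java.util` and includes `org.fusesource.hawtbuf`, so the broker, KahaDB and client filters now each accept a different set of packages, which is worth documenting or sourcing from one place. Deployments that set the system property themselves will not pick up `java.lang`, so if the ack path now depends on it the property's documentation should say so. The matching logic that consumes serializablePackages is outside the hunk.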
diff --git 
a/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
 
b/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
index e30f3bf..6e0688b 100644
--- 
a/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
+++ 
b/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
@@ -4254,8 +4254,10 @@ public abstract class MessageDatabase extends 
ServiceSupport implements BrokerSe
 
         @Override
         protected Class<?> resolveClass(ObjectStreamClass desc) throws 
IOException, ClassNotFoundException {
-            if (!(desc.getName().startsWith("java.lang.") || 
desc.getName().startsWith("java.util.")
-                || desc.getName().startsWith("org.apache.activemq."))) {
+            if (!(desc.getName().startsWith("java.lang.")
+                    || desc.getName().startsWith("com.thoughtworks.xstream")
+                    || desc.getName().startsWith("java.util.")
+                    || desc.getName().startsWith("org.apache.activemq."))) {
                 throw new InvalidClassException("Unauthorized deserialization 
attempt", desc.getName());
             }
             return super.resolveClass(desc);
