[ https://issues.apache.org/jira/browse/QPIDJMS-188?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robbie Gemmell updated QPIDJMS-188:
-----------------------------------
Description:
When applications call getObject() on a consumed JMS ObjectMessage they are
subject to the behaviour of any object deserialization during the process of
constructing the body to return.
This improvement adds the new configuration options to whitelist trusted
content permitted for deserialization. When so configured, attempts to
deserialize input containing other content will be prevented.
was: Some additional improvements to ObjectMessage
Summary: [CVE-2016-4974] allow whitelisting trusted classes/packages
for deserialization from ObjectMessage (was: Further ObjectMessage
improvements)
Two new URI options were added:
*jms.deserializationPolicy.whiteList* A comma separated list of class/package
names that should be allowed when deserializing the contents of a JMS
ObjectMessage, unless overridden by the blackList. The names in this list are
not pattern values, the exact class or package name must be configured, e.g.
"java.util.Map" or "java.util". Package matches include sub-packages. Default
is to allow all.
*jms.deserializationPolicy.blackList* A comma separated list of class/package
names that should be rejected when deserializing the contents of a JMS
ObjectMessage. The names in this list are not pattern values, the exact class
or package name must be configured, e.g. "java.util.Map" or "java.util". Package
matches include sub-packages. Default is to prevent none.
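The two options above describe a check applied while the ObjectMessage body is being deserialized, before any untrusted class is resolved. The program below is an added example and is not Qpid JMS code: it re-implements the documented matching rules (exact class or package names rather than patterns, sub-packages included, blackList overriding whiteList, an empty whiteList allowing all and an empty blackList rejecting none) in an ObjectInputStream.resolveClass override, and exercises them against a constructed serialized HashMap body so it runs without a broker. The class names, the Policy constructor taking the two option strings, and the InvalidClassException raised on rejection are this example's own choices; the real client may report a rejected class differently.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.stream.Collectors;

// Added example, not Qpid JMS code: models the semantics of
// jms.deserializationPolicy.whiteList / blackList on a plain ObjectInputStream.
public class DeserializationPolicyDemo {

    /** Holds the two comma separated option values exactly as they would appear in the URI. */
    static final class Policy {
        private final List<String> whiteList;
        private final List<String> blackList;

        Policy(String whiteListOption, String blackListOption) {
            this.whiteList = split(whiteListOption);
            this.blackList = split(blackListOption);
        }

        private static List<String> split(String option) {
            if (option == null || option.trim().isEmpty()) {
                return Collections.emptyList();
            }
            return Arrays.stream(option.split(",")).map(String::trim)
                    .filter(s -> !s.isEmpty()).collect(Collectors.toList());
        }

        // Exact class name, or the entry taken as a package (sub-packages included).
        // "java.util" matches "java.util.HashMap" and "java.util.concurrent.Foo", never "java.utils.Bar".
        private static boolean matches(String entry, String className) {
            return className.equals(entry) || className.startsWith(entry + ".");
        }

        /** blackList wins; an empty whiteList means allow all. */
        boolean isTrusted(String className) {
            for (String entry : blackList) {
                if (matches(entry, className)) { return false; }
            }
            if (whiteList.isEmpty()) { return true; }
            for (String entry : whiteList) {
                if (matches(entry, className)) { return true; }
            }
            return false;
        }
    }

    /** Consults the policy for every class descriptor in the stream, before the class is loaded. */
    static final class PolicyObjectInputStream extends ObjectInputStream {
        private final Policy policy;

        PolicyObjectInputStream(InputStream in, Policy policy) throws IOException {
            super(in);
            this.policy = policy;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!policy.isTrusted(name)) {
                // IOException subclasses propagate out of readObject immediately (assumed exception choice).
                throw new InvalidClassException(name, "rejected by deserialization policy");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] payload, Policy policy) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new PolicyObjectInputStream(new ByteArrayInputStream(payload), policy)) {
            return in.readObject();
        }
    }

    static void attempt(String label, byte[] payload, Policy policy) {
        try {
            System.out.println(label + " -> accepted: " + deserialize(payload, policy));
        } catch (InvalidClassException e) {
            System.out.println(label + " -> rejected: " + e.getMessage());
        } catch (IOException | ClassNotFoundException e) {
            System.out.println(label + " -> failed: " + e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body: the kind of object a well-behaved producer would send.
        HashMap<String, Integer> body = new HashMap<>();
        body.put("count", 42);
        byte[] payload = serialize(body);

        // Mirrors ...?jms.deserializationPolicy.whiteList=java.util,java.lang
        attempt("whiteList=java.util,java.lang", payload, new Policy("java.util,java.lang", ""));
        // Mirrors ...?jms.deserializationPolicy.whiteList=java.util&jms.deserializationPolicy.blackList=java.util.HashMap
        attempt("whiteList=java.util blackList=java.util.HashMap", payload, new Policy("java.util", "java.util.HashMap"));
        // Whitelisting only the top-level package: the nested java.lang.Integer value is rejected.
        attempt("whiteList=java.util", payload, new Policy("java.util", ""));
    }
}
```

The third case is the caveat worth remembering when writing a whiteList: the check runs on every class descriptor the stream pulls in, so the list must cover the types nested inside the body (here the Integer values), not just the top-level class. Keep the first case's output in mind too: String keys never hit resolveClass, because Java serialization writes strings as primitives rather than as class descriptors.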
> [CVE-2016-4974] allow whitelisting trusted classes/packages for
> deserialization from ObjectMessage
> --------------------------------------------------------------------------------------------------
>
> Key: QPIDJMS-188
> URL: https://issues.apache.org/jira/browse/QPIDJMS-188
> Project: Qpid JMS
> Issue Type: Improvement
> Components: qpid-jms-client
> Affects Versions: 0.9.0
> Reporter: Timothy Bish
> Assignee: Timothy Bish
> Fix For: 0.10.0
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)