[ 
https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15006631#comment-15006631
 ] 

Dejan Bosanac commented on AMQ-6013:
------------------------------------

Hi David,

I looked at this some more and I don't think we have a problem. If you take a 
look at

https://github.com/apache/activemq/blob/master/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java#L125

we load the class without initializing it (second parameter is false), so the 
static code is not executed until the class is used the first time.

> Restrict classes that can be serialized in ObjectMessages
> ---------------------------------------------------------
>
>                 Key: AMQ-6013
>                 URL: https://issues.apache.org/jira/browse/AMQ-6013
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.12.0
>            Reporter: Dejan Bosanac
>            Assignee: Dejan Bosanac
>             Fix For: 5.11.3, 5.13.0
>
>
> At some points we do (de)serialization of JMS Object messages inside the 
> broker (HTTP, Stomp, Web Console, ...). We need to restrict classes that can 
> be serialized in this way.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
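The two points in the thread, resolving a class without running its static initializer and restricting which classes an ObjectInputStream will resolve at all, can be demonstrated together. The following is an added, self-contained example and is not ActiveMQ's ClassLoadingAwareObjectInputStream or any other project code: the class name RestrictedObjectInputStream, the prefix allow-list, and the Probe class with a static initializer are all constructed for illustration. It overrides resolveClass so that untrusted class names are rejected before the class is even loaded, and it loads trusted ones with Class.forName(name, false, loader), which is the initialize=false behaviour the comment refers to.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not project code): an ObjectInputStream that only resolves classes
// whose names start with one of a caller-supplied list of trusted package prefixes.
public class RestrictedObjectInputStream extends ObjectInputStream {

    private final List<String> trustedPrefixes;

    public RestrictedObjectInputStream(InputStream in, List<String> trustedPrefixes) throws IOException {
        super(in);
        this.trustedPrefixes = trustedPrefixes;
    }

    // Strip array dimensions ("[[Lcom.foo.Bar;" -> "com.foo.Bar"); primitive arrays
    // such as "[I" carry no class name and are always allowed.
    static String elementTypeName(String name) {
        int i = 0;
        while (i < name.length() && name.charAt(i) == '[') {
            i++;
        }
        String rest = name.substring(i);
        if (i > 0) {
            if (rest.startsWith("L") && rest.endsWith(";")) {
                return rest.substring(1, rest.length() - 1);
            }
            return null; // primitive array element type
        }
        return rest;
    }

    boolean isTrusted(String name) {
        String element = elementTypeName(name);
        if (element == null) {
            return true;
        }
        for (String prefix : trustedPrefixes) {
            if (element.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!isTrusted(name)) {
            // Reject before the class is loaded at all: nothing of the attacker-chosen
            // class is touched, not even its bytecode.
            throw new ClassNotFoundException("Class " + name + " is not trusted for deserialization");
        }
        // initialize=false: the class is loaded and linked, but its static initializer
        // does not run here; it runs only when the class is first actively used.
        return Class.forName(name, false, RestrictedObjectInputStream.class.getClassLoader());
    }

    // Constructed probe class whose static initializer announces itself when it runs.
    static class Probe implements Serializable {
        private static final long serialVersionUID = 1L;
        static { System.out.println("Probe static initializer ran"); }
    }

    public static void main(String[] args) throws Exception {
        // 1. Loading with initialize=false does not run the static block (class literals
        //    and getName() do not trigger initialization either).
        String probeName = Probe.class.getName();
        Class.forName(probeName, false, RestrictedObjectInputStream.class.getClassLoader());
        System.out.println("loaded " + probeName + " without initializing it");
        Class.forName(probeName, true, RestrictedObjectInputStream.class.getClassLoader());

        // 2. Constructed payload: a serialized ArrayList of two strings.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<>(Arrays.asList("a", "b")));
        }
        byte[] payload = bos.toByteArray();

        // Allow-list covering java.util.ArrayList: the object is read back.
        try (RestrictedObjectInputStream ois = new RestrictedObjectInputStream(
                new ByteArrayInputStream(payload), Arrays.asList("java.util.", "java.lang."))) {
            System.out.println("accepted: " + ois.readObject());
        }

        // Allow-list that does not cover it: resolveClass rejects the stream.
        try (RestrictedObjectInputStream ois = new RestrictedObjectInputStream(
                new ByteArrayInputStream(payload), Arrays.asList("com.example."))) {
            ois.readObject();
        } catch (ClassNotFoundException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two practical notes on the design. The allow-list check happens on the class name from the stream descriptor, before any loading, so a rejected class never reaches the class loader. For an accepted class, initialize=false only defers the static initializer; once readObject goes on to allocate an instance of that class, the class is initialized as a matter of course, so the gate in resolveClass is the place where the decision has to be made, not the loading mode.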