Merge pull request #667 from coheigea/AMQ-8117 AMQ-8117 - Allow java.util arrays for deserialization

commit: c73998477879a7f1cccd371f0254ffd3829aa5ab [log] [tgz]
author: Jean-Baptiste Onofré <jbonofre@apache.org> Fri Jun 04 06:15:41 2021 +0200
committer: GitHub <noreply@github.com> Fri Jun 04 06:15:41 2021 +0200
tree: 4d62b14e051122dd6b9fd25ee97178db04e3f3f4
parent: ac27cc2cda1ac10d01bc87c1f875dcf278a9594f [diff]
parent: 7ca7118a9544fd6b2aac4dd72fd3a6edc3369aca [diff]
diff --git a/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java b/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
index 47d4754..322e1e7 100644
--- a/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java

@@ -372,6 +372,7 @@
             if (!(desc.getName().startsWith("java.lang.")
                     || desc.getName().startsWith("com.thoughtworks.xstream")
                     || desc.getName().startsWith("java.util.")
+                    || desc.getName().length() > 2 && desc.getName().substring(2).startsWith("java.util.") // Allow arrays
                     || desc.getName().startsWith("org.apache.activemq."))) {
                 throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
             }

diff --git a/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java b/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
index a41c15a..448cb6a 100644
--- a/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
+++ b/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java

@@ -4250,6 +4250,7 @@
             if (!(desc.getName().startsWith("java.lang.")
                     || desc.getName().startsWith("com.thoughtworks.xstream")
                     || desc.getName().startsWith("java.util.")
+                    || desc.getName().length() > 2 && desc.getName().substring(2).startsWith("java.util.") // Allow arrays
                     || desc.getName().startsWith("org.apache.activemq."))) {
                 throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
             }
commit	c73998477879a7f1cccd371f0254ffd3829aa5ab	[log] [tgz]
author	Jean-Baptiste Onofré <jbonofre@apache.org>	Fri Jun 04 06:15:41 2021 +0200
committer	GitHub <noreply@github.com>	Fri Jun 04 06:15:41 2021 +0200
tree	4d62b14e051122dd6b9fd25ee97178db04e3f3f4
parent	ac27cc2cda1ac10d01bc87c1f875dcf278a9594f [diff]
parent	7ca7118a9544fd6b2aac4dd72fd3a6edc3369aca [diff]