Merge pull request #608 from jbonofre/AMQ-8097

[AMQ-8097] Deal with deserialization during xstream unmarshal of poison ack
diff --git a/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java b/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
index 7a0e58c..47d4754 100644
--- a/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
+++ b/activemq-broker/src/main/java/org/apache/activemq/plugin/SubQueueSelectorCacheBroker.java
@@ -369,7 +369,10 @@
 
         @Override
         protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
-            if (!(desc.getName().equals("java.lang.String") || desc.getName().startsWith("java.util."))) {
+            if (!(desc.getName().startsWith("java.lang.")
+                    || desc.getName().startsWith("com.thoughtworks.xstream")
+                    || desc.getName().startsWith("java.util.")
+                    || desc.getName().startsWith("org.apache.activemq."))) {
                 throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
             }
             return super.resolveClass(desc);
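Review bot: The `com.thoughtworks.xstream` entry on the second added line has no trailing dot, unlike the `java.lang.`, `java.util.` and `org.apache.activemq.` entries beside it, so any class whose binary name merely begins with that string is admitted; for consistency write `|| desc.getName().startsWith("com.thoughtworks.xstream.")`. The same hard-coded allowlist now appears verbatim in MessageDatabase.resolveClass in the third hunk, while ClassLoadingAwareObjectInputStream in the second hunk reads its package list from the `org.apache.activemq.SERIALIZABLE_PACKAGES` property; keeping three lists in step by hand is fragile, and deriving both resolveClass checks from that same configurable list (or one shared constant) would let operators tighten or widen all of them in one place. Widening from the exact `java.lang.String` match to the whole `java.lang.` prefix is a broader grant than the poison-ack path presumably needs; a short comment naming which xstream and java.lang types the unmarshal actually requires would record why the broader prefixes are justified. The enclosing stream subclass and the readObject callers that rely on this filter lie outside the hunk.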
diff --git a/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java b/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
index 0a717f4..396b650 100644
--- a/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
+++ b/activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
@@ -40,7 +40,7 @@
     private final ClassLoader inLoader;
 
     static {
-        serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES","org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
+        serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES","java.lang,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
     }
 
     public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException {
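Review bot: The new `java.lang` default entry on the added line is explained nowhere in code, so a later reader cannot tell whether it was added for one specific type or for the whole package; a comment such as `// java.lang is needed by the xstream poison-ack unmarshal path (AMQ-8097)` would preserve the rationale from the PR title. How the entries are matched is not visible here; if they are prefix-matched, `java.lang` also admits every `java.lang.*` subpackage, which is a larger grant than the single `java.lang.String` the broker-side filters accepted before this change, so confirm that is intended or list the narrower packages actually required. The static initializer is complete within the hunk, but the code that consults `serializablePackages` is not.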
diff --git a/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java b/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
index e30f3bf..6e0688b 100644
--- a/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
+++ b/activemq-kahadb-store/src/main/java/org/apache/activemq/store/kahadb/MessageDatabase.java
@@ -4254,8 +4254,10 @@
 
         @Override
         protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
-            if (!(desc.getName().startsWith("java.lang.") || desc.getName().startsWith("java.util.")
-                || desc.getName().startsWith("org.apache.activemq."))) {
+            if (!(desc.getName().startsWith("java.lang.")
+                    || desc.getName().startsWith("com.thoughtworks.xstream")
+                    || desc.getName().startsWith("java.util.")
+                    || desc.getName().startsWith("org.apache.activemq."))) {
                 throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
             }
             return super.resolveClass(desc);