diff -Nru activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java

--- activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java	2012-09-11 01:12:25.000000000 +0200

+++ activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java	2015-12-15 08:35:09.050277423 +0100

@@ -84,7 +84,7 @@

                     msg = createMapMessage(in);

                     break;

                 default:

-                    throw new Exception("Unkown transformation: " + transformation);

+                    throw new Exception("Unknown transformation: " + transformation);

                 }

             } catch (Throwable e) {

                 command.getHeaders().put(Stomp.Headers.TRANSFORMATION_ERROR, e.getMessage());

@@ -243,7 +243,8 @@

         }

         if (xstream == null) {

-            xstream = new XStream();

+            xstream = XStreamSupport.createXStream();

+            xstream.ignoreUnknownElements();

         }

         return xstream;

diff -Nru activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java

--- activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java	1970-01-01 01:00:00.000000000 +0100

+++ activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java	2015-12-15 08:36:14.665520108 +0100

@@ -0,0 +1,47 @@

+/**

+ * Licensed to the Apache Software Foundation (ASF) under one or more

+ * contributor license agreements.  See the NOTICE file distributed with

+ * this work for additional information regarding copyright ownership.

+ * The ASF licenses this file to You under the Apache License, Version 2.0

+ * (the "License"); you may not use this file except in compliance with

+ * the License.  You may obtain a copy of the License at

+ *

+ *      http://www.apache.org/licenses/LICENSE-2.0

+ *

+ * Unless required by applicable law or agreed to in writing, software

+ * distributed under the License is distributed on an "AS IS" BASIS,

+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+ * See the License for the specific language governing permissions and

+ * limitations under the License.

+ */

+package org.apache.activemq.transport.stomp;

+

+import com.thoughtworks.xstream.XStream;

+import com.thoughtworks.xstream.security.AnyTypePermission;

+import com.thoughtworks.xstream.security.NoTypePermission;

+import com.thoughtworks.xstream.security.PrimitiveTypePermission;

+import org.apache.activemq.util.ClassLoadingAwareObjectInputStream;

+

+import java.util.Collection;

+import java.util.Map;

+

+public class XStreamSupport {

+

+    public static XStream createXStream() {

+        XStream stream = new XStream();

+        stream.addPermission(NoTypePermission.NONE);

+        stream.addPermission(PrimitiveTypePermission.PRIMITIVES);

+        stream.allowTypeHierarchy(Collection.class);

+        stream.allowTypeHierarchy(Map.class);

+        stream.allowTypes(new Class[]{String.class});

+        if (ClassLoadingAwareObjectInputStream.isAllAllowed()) {

+            stream.addPermission(AnyTypePermission.ANY);

+        } else {

+            for (String packageName : ClassLoadingAwareObjectInputStream.getSerialziablePackages()) {

+                stream.allowTypesByWildcard(new String[]{packageName + ".**"});

+            }

+        }

+        return stream;

+    }

+

+}

diff -Nru activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java

--- activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java	2012-09-11 01:12:25.000000000 +0200

+++ activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java	2015-12-15 08:47:58.347381368 +0100

@@ -21,7 +21,10 @@

 import java.io.ObjectInputStream;

 import java.io.ObjectStreamClass;

 import java.lang.reflect.Proxy;

+import java.util.Arrays;

+import java.util.Collection;

 import java.util.HashMap;

+import java.util.Map;

 @SuppressWarnings("rawtypes")

 public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {

@@ -29,6 +32,8 @@

     private static final ClassLoader FALLBACK_CLASS_LOADER =

         ClassLoadingAwareObjectInputStream.class.getClassLoader();

+    private static String[] serializablePackages;

+

     /**

      * Maps primitive type names to corresponding class objects.

      */

@@ -40,7 +45,9 @@

     protected Class resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {

         ClassLoader cl = Thread.currentThread().getContextClassLoader();

-        return load(classDesc.getName(), cl);

+        Class clazz = load(classDesc.getName(), cl);

+        checkSecurity(clazz);

+        return clazz;

     }

     protected Class resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {

@@ -50,18 +57,56 @@

             cinterfaces[i] = load(interfaces[i], cl);

         }

+        Class clazz = null;

         try {

-            return Proxy.getProxyClass(cl, cinterfaces);

+            clazz = Proxy.getProxyClass(cl, cinterfaces);

         } catch (IllegalArgumentException e) {

             try {

-                return Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces);

+                clazz = Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces);

             } catch (IllegalArgumentException e1) {

             }

-            throw new ClassNotFoundException(null, e);

+        }

+

+        if (clazz != null) {

+            checkSecurity(clazz);

+            return clazz;

+        } else {

+            throw new ClassNotFoundException(null);

         }

     }

+    public static String[] getSerialziablePackages() {

+       if (serializablePackages == null) {

+           serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES",

+                       "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");

+       }

+

+       return serializablePackages;

+    };

+

+    public static boolean isAllAllowed() {

+        return getSerialziablePackages().length == 1 && getSerialziablePackages()[0].equals("*");

+    }

+

+    private void checkSecurity(Class clazz) throws ClassNotFoundException {

+        if (!clazz.isPrimitive()) {

+            if (clazz.getPackage() != null && !isAllAllowed()) {

+               boolean found = false;

+               for (String packageName : getSerialziablePackages()) {

+                   if (clazz.getPackage().getName().equals(packageName) || clazz.getPackage().getName().startsWith(packageName + ".")) {

+                       found = true;

+                       break;

+                   }

+               }

+

+               if (!found) {

+                   throw new ClassNotFoundException("Forbidden " + clazz + "! This class is not allowed to be serialized. Add package with 'org.apache.activemq.SERIALIZABLE_PACKAGES' system property.");

+               }

+            }

+         }

+     }

+

     private Class load(String className, ClassLoader cl) throws ClassNotFoundException {

         try {

             return Class.forName(className, false, cl);

diff -Nru activemq-5.6.0/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java activemq-5.6.0.CVE-2015-5254/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java

--- activemq-5.6.0/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java	2012-09-11 01:12:25.000000000 +0200

+++ activemq-5.6.0.CVE-2015-5254/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java	2015-12-15 08:41:19.421068945 +0100

@@ -17,9 +17,15 @@

 package org.apache.activemq.transport.xstream;

 import com.thoughtworks.xstream.XStream;

+import com.thoughtworks.xstream.converters.Converter;

+import com.thoughtworks.xstream.converters.MarshallingContext;

+import com.thoughtworks.xstream.converters.UnmarshallingContext;

+import com.thoughtworks.xstream.io.HierarchicalStreamReader;

+import com.thoughtworks.xstream.io.HierarchicalStreamWriter;

 import org.apache.activemq.command.Command;

 import org.apache.activemq.command.MarshallAware;

 import org.apache.activemq.command.MessageDispatch;

+import org.apache.activemq.transport.stomp.XStreamSupport;

 import org.apache.activemq.transport.util.TextWireFormat;

 import org.apache.activemq.wireformat.WireFormat;

@@ -105,7 +111,28 @@

     // Implementation methods

     // -------------------------------------------------------------------------

     protected XStream createXStream() {

-        return new XStream();

+        final XStream xstream = XStreamSupport.createXStream();

+        xstream.ignoreUnknownElements();

+        xstream.registerConverter(new Converter() {

+            final Converter delegate = xstream.getConverterLookup().lookupConverterForType(ByteSequence.class);

+            @Override

+            public void marshal(Object o, HierarchicalStreamWriter hierarchicalStreamWriter, MarshallingContext marshallingContext) {

+                ByteSequence byteSequence = (ByteSequence)o;

+                byteSequence.compact();

+                delegate.marshal(byteSequence, hierarchicalStreamWriter, marshallingContext);

+            }

+

+            @Override

+            public Object unmarshal(HierarchicalStreamReader hierarchicalStreamReader, UnmarshallingContext unmarshallingContext) {

+                return delegate.unmarshal(hierarchicalStreamReader, unmarshallingContext);

+            }

+

+            @Override

+            public boolean canConvert(Class aClass) {

+                return aClass == ByteSequence.class;

+            }

+        });

+        return xstream;

     }

 }

diff -Nru activemq-5.6.0/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java activemq-5.6.0.CVE-2015-5254/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java

--- activemq-5.6.0/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java	2012-09-11 01:12:25.000000000 +0200

+++ activemq-5.6.0.CVE-2015-5254/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java	2015-12-15 08:38:03.340297084 +0100

@@ -80,9 +80,9 @@

         if (message instanceof ObjectMessage) {

             try {

                 return ((ObjectMessage) message).getObject();

-            } catch (JMSException e) {

+            } catch (Exception e) {

                 //message could not be parsed, make the reason available

-                return e;

+                return new String("Cannot display ObjectMessage body. Reason: " + e.getMessage());

             }

         }

         if (message instanceof MapMessage) {