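--- a/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java
+++ b/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java
@@ -84,7 +84,7 @@
 msg = createMapMessage(in);
 break;
 default:
- throw new Exception("Unkown transformation: " + transformation);
+ throw new Exception("Unknown transformation: " + transformation);
 }
 } catch (Throwable e) {
 command.getHeaders().put(Stomp.Headers.TRANSFORMATION_ERROR, e.getMessage());
@@ -243,7 +243,8 @@
 }
 
 if (xstream == null) {
- xstream = new XStream();
+ xstream = XStreamSupport.createXStream();
+ xstream.ignoreUnknownElements();
 }
 return xstream;
 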
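Review bot: The `if (xstream == null)` branch now bakes the deserialization allow-list into a cached instance, so whatever `org.apache.activemq.SERIALIZABLE_PACKAGES` held the first time this translator ran is what every later frame is checked against; a comment there such as `// permissions are captured once: XStreamSupport reads the package allow-list at creation and the instance is cached` would stop a reader from expecting a later property change to take effect. `ignoreUnknownElements()` is also a behavior change beyond the CVE fix — unexpected elements in a frame body are now skipped instead of failing the transformation — and deserves a one-line why-comment next to it. The enclosing method starts and ends outside the hunk.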
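--- a/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java
+++ b/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.transport.stomp;
+
+import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.security.AnyTypePermission;
+import com.thoughtworks.xstream.security.NoTypePermission;
+import com.thoughtworks.xstream.security.PrimitiveTypePermission;
+import org.apache.activemq.util.ClassLoadingAwareObjectInputStream;
+
+import java.util.Collection;
+import java.util.Map;
+
+public class XStreamSupport {
+
+ public static XStream createXStream() {
+ XStream stream = new XStream();
+ stream.addPermission(NoTypePermission.NONE);
+ stream.addPermission(PrimitiveTypePermission.PRIMITIVES);
+ stream.allowTypeHierarchy(Collection.class);
+ stream.allowTypeHierarchy(Map.class);
+ stream.allowTypes(new Class[]{String.class});
+ if (ClassLoadingAwareObjectInputStream.isAllAllowed()) {
+ stream.addPermission(AnyTypePermission.ANY);
+ } else {
+ for (String packageName : ClassLoadingAwareObjectInputStream.getSerialziablePackages()) {
+ stream.allowTypesByWildcard(new String[]{packageName + ".**"});
+ }
+ }
+ return stream;
+ }
+
+}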
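Review bot: `XStreamSupport.createXStream()` is the entire type allow-list for STOMP transformations and the XStream wire format, yet neither the class nor the method has Javadoc; suggest a method Javadoc stating that `NoTypePermission.NONE` first clears XStream's default permissions, that primitives, `String`, any `Collection`/`Map` implementation and the packages returned by `ClassLoadingAwareObjectInputStream.getSerialziablePackages()` are then re-allowed, and that a property value of `*` switches to `AnyTypePermission.ANY`, i.e. no restriction at all. The two `allowTypeHierarchy` lines deserve an inline comment because they admit implementations from any package, not only the configured ones. Entries of the comma-separated property are passed verbatim to `allowTypesByWildcard`, so a value written as `java.lang, java.util` yields the wildcard ` java.util.**` (leading space) that matches nothing; trimming each entry, `packageName.trim() + ".**"`, would make the configuration forgiving, and the same applies to the `equals`/`startsWith` comparison in `ClassLoadingAwareObjectInputStream.checkSecurity`.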
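--- a/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
+++ b/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
@@ -21,7 +21,10 @@
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
 import java.lang.reflect.Proxy;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashMap;
+import java.util.Map;
 
 @SuppressWarnings("rawtypes")
 public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {
@@ -29,6 +32,8 @@
 private static final ClassLoader FALLBACK_CLASS_LOADER =
 ClassLoadingAwareObjectInputStream.class.getClassLoader();
 
+ private static String[] serializablePackages;
+
 /**
 * Maps primitive type names to corresponding class objects.
 */
@@ -40,7 +45,9 @@
 
 protected Class resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
 ClassLoader cl = Thread.currentThread().getContextClassLoader();
- return load(classDesc.getName(), cl);
+ Class clazz = load(classDesc.getName(), cl);
+ checkSecurity(clazz);
+ return clazz;
 }
 
 protected Class resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
@@ -50,18 +57,56 @@
 cinterfaces[i] = load(interfaces[i], cl);
 }
 
+ Class clazz = null;
 try {
- return Proxy.getProxyClass(cl, cinterfaces);
+ clazz = Proxy.getProxyClass(cl, cinterfaces);
 } catch (IllegalArgumentException e) {
 try {
- return Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces);
+ clazz = Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces);
 } catch (IllegalArgumentException e1) {
 }
 
- throw new ClassNotFoundException(null, e);
+ }
+
+ if (clazz != null) {
+ checkSecurity(clazz);
+ return clazz;
+ } else {
+ throw new ClassNotFoundException(null);
 }
 }
 
+ public static String[] getSerialziablePackages() {
+ if (serializablePackages == null) {
+ serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES",
+ "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
+ }
+
+ return serializablePackages;
+ };
+
+ public static boolean isAllAllowed() {
+ return getSerialziablePackages().length == 1 && getSerialziablePackages()[0].equals("*");
+ }
+
+ private void checkSecurity(Class clazz) throws ClassNotFoundException {
+ if (!clazz.isPrimitive()) {
+ if (clazz.getPackage() != null && !isAllAllowed()) {
+ boolean found = false;
+ for (String packageName : getSerialziablePackages()) {
+ if (clazz.getPackage().getName().equals(packageName) || clazz.getPackage().getName().startsWith(packageName + ".")) {
+ found = true;
+ break;
+ }
+ }
+
+ if (!found) {
+ throw new ClassNotFoundException("Forbidden " + clazz + "! This class is not allowed to be serialized. Add package with 'org.apache.activemq.SERIALIZABLE_PACKAGES' system property.");
+ }
+ }
+ }
+ }
+
 private Class load(String className, ClassLoader cl) throws ClassNotFoundException {
 try {
 return Class.forName(className, false, cl);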
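Review bot: The rewritten `resolveProxyClass` drops the original cause: where the old code threw `ClassNotFoundException(null, e)`, the new `else` branch throws `new ClassNotFoundException(null)` after the `IllegalArgumentException` has gone out of scope, so a proxy-resolution failure now surfaces with neither message nor cause. Rethrowing inside the inner catch keeps it, `} catch (IllegalArgumentException e1) { throw new ClassNotFoundException(null, e); }`, and leaves the `clazz == null` branch as an unreachable safety net. In `checkSecurity`, classes for which `clazz.getPackage()` is null (unnamed-package classes and, I believe, array classes) skip the allow-list entirely; if that is intentional a comment should say so, otherwise matching against `clazz.getName()` would close the gap. Smaller points in the same hunk: the public `getSerialziablePackages()` name carries a typo that `XStreamSupport` now depends on, there is a stray `;` after its closing brace, and the `Arrays`/`Collection`/`Map` imports added in the first hunk are unused in the code shown.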
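--- a/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java
+++ b/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java
@@ -17,9 +17,15 @@
 package org.apache.activemq.transport.xstream;
 
 import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.converters.Converter;
+import com.thoughtworks.xstream.converters.MarshallingContext;
+import com.thoughtworks.xstream.converters.UnmarshallingContext;
+import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
 import org.apache.activemq.command.Command;
 import org.apache.activemq.command.MarshallAware;
 import org.apache.activemq.command.MessageDispatch;
+import org.apache.activemq.transport.stomp.XStreamSupport;
 import org.apache.activemq.transport.util.TextWireFormat;
 import org.apache.activemq.wireformat.WireFormat;
 
@@ -105,7 +111,28 @@
 // Implementation methods
 // -------------------------------------------------------------------------
 protected XStream createXStream() {
- return new XStream();
+ final XStream xstream = XStreamSupport.createXStream();
+ xstream.ignoreUnknownElements();
+ xstream.registerConverter(new Converter() {
+ final Converter delegate = xstream.getConverterLookup().lookupConverterForType(ByteSequence.class);
+ @Override
+ public void marshal(Object o, HierarchicalStreamWriter hierarchicalStreamWriter, MarshallingContext marshallingContext) {
+ ByteSequence byteSequence = (ByteSequence)o;
+ byteSequence.compact();
+ delegate.marshal(byteSequence, hierarchicalStreamWriter, marshallingContext);
+ }
+
+ @Override
+ public Object unmarshal(HierarchicalStreamReader hierarchicalStreamReader, UnmarshallingContext unmarshallingContext) {
+ return delegate.unmarshal(hierarchicalStreamReader, unmarshallingContext);
+ }
+
+ @Override
+ public boolean canConvert(Class aClass) {
+ return aClass == ByteSequence.class;
+ }
+ });
+ return xstream;
 }
 
 }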
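Review bot: The anonymous `Converter` in `createXStream()` depends on an evaluation order that is easy to break and is not commented: its `delegate` field is initialised while the anonymous instance is constructed, i.e. before `registerConverter` has run, so the lookup captures XStream's default converter for `ByteSequence` rather than this wrapper; a field comment such as `// resolved before registration on purpose: this is the default converter, not this wrapper` would stop someone from moving the lookup into `marshal()` and creating a converter that delegates to itself. `marshal()` also mutates its argument via `byteSequence.compact()`, presumably so that only the live window of the buffer is written — that intent should be stated on the line and confirmed, since the caller may still hold the same object. `ByteSequence` is referenced but not added to the import hunk, so I assume it is already imported elsewhere in the file.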
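--- a/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java
+++ b/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java
@@ -80,9 +80,9 @@
 if (message instanceof ObjectMessage) {
 try {
 return ((ObjectMessage) message).getObject();
- } catch (JMSException e) {
+ } catch (Exception e) {
 //message could not be parsed, make the reason available
- return e;
+ return new String("Cannot display ObjectMessage body. Reason: " + e.getMessage());
 }
 }
 if (message instanceof MapMessage) {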
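Review bot: `new String("Cannot display ObjectMessage body. Reason: " + e.getMessage())` wraps a concatenation that is already a fresh `String`; `return "Cannot display ObjectMessage body. Reason: " + e.getMessage();` is equivalent. The returned text embeds `e.getMessage()`, which after this change may carry the class name from the rejected message body (the `Forbidden ...` message built in `ClassLoadingAwareObjectInputStream.checkSecurity`), so the view that renders this value must HTML-escape it; a comment on the return line noting that the string is derived from untrusted message content would help whoever maintains the page. Widening the catch from `JMSException` to `Exception` is broader than the comment explains — if `getObject()` still wraps its failures in `JMSException`, the widening is unnecessary, and if not, the comment should name the non-JMS exception it is meant to catch. The enclosing method starts outside the hunk.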