diff -Nru activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java --- activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java 2012-09-11 01:12:25.000000000 +0200 +++ activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java 2015-12-15 08:35:09.050277423 +0100 @@ -84,7 +84,7 @@ msg = createMapMessage(in); break; default: - throw new Exception("Unkown transformation: " + transformation); + throw new Exception("Unknown transformation: " + transformation); } } catch (Throwable e) { command.getHeaders().put(Stomp.Headers.TRANSFORMATION_ERROR, e.getMessage()); @@ -243,7 +243,8 @@ } if (xstream == null) { - xstream = new XStream(); + xstream = XStreamSupport.createXStream(); + xstream.ignoreUnknownElements(); } return xstream; diff -Nru activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java --- activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java 1970-01-01 01:00:00.000000000 +0100 +++ activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java 2015-12-15 08:36:14.665520108 +0100 @@ -0,0 +1,47 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.transport.stomp; + +import com.thoughtworks.xstream.XStream; +import com.thoughtworks.xstream.security.AnyTypePermission; +import com.thoughtworks.xstream.security.NoTypePermission; +import com.thoughtworks.xstream.security.PrimitiveTypePermission; +import org.apache.activemq.util.ClassLoadingAwareObjectInputStream; + +import java.util.Collection; +import java.util.Map; + +public class XStreamSupport { + + public static XStream createXStream() { + XStream stream = new XStream(); + stream.addPermission(NoTypePermission.NONE); + stream.addPermission(PrimitiveTypePermission.PRIMITIVES); + stream.allowTypeHierarchy(Collection.class); + stream.allowTypeHierarchy(Map.class); + stream.allowTypes(new Class[]{String.class}); + if (ClassLoadingAwareObjectInputStream.isAllAllowed()) { + stream.addPermission(AnyTypePermission.ANY); + } else { + for (String packageName : ClassLoadingAwareObjectInputStream.getSerialziablePackages()) { + stream.allowTypesByWildcard(new String[]{packageName + ".**"}); + } + } + return stream; + } + +} diff -Nru activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java --- activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java 2012-09-11 01:12:25.000000000 +0200 +++ activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java 2015-12-15 08:47:58.347381368 +0100 @@ -21,7 +21,10 @@ import java.io.ObjectInputStream; import java.io.ObjectStreamClass; import java.lang.reflect.Proxy; +import java.util.Arrays; +import java.util.Collection; import java.util.HashMap; +import java.util.Map; @SuppressWarnings("rawtypes") public class ClassLoadingAwareObjectInputStream extends ObjectInputStream { @@ -29,6 +32,8 @@ private static final ClassLoader FALLBACK_CLASS_LOADER = ClassLoadingAwareObjectInputStream.class.getClassLoader(); + private static String[] serializablePackages; + /** * Maps primitive type names to corresponding class objects. */ @@ -40,7 +45,9 @@ protected Class resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException { ClassLoader cl = Thread.currentThread().getContextClassLoader(); - return load(classDesc.getName(), cl); + Class clazz = load(classDesc.getName(), cl); + checkSecurity(clazz); + return clazz; } protected Class resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException { @@ -50,18 +57,56 @@ cinterfaces[i] = load(interfaces[i], cl); } + Class clazz = null; try { - return Proxy.getProxyClass(cl, cinterfaces); + clazz = Proxy.getProxyClass(cl, cinterfaces); } catch (IllegalArgumentException e) { try { - return Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces); + clazz = Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces); } catch (IllegalArgumentException e1) { } - throw new ClassNotFoundException(null, e); + } + + if (clazz != null) { + checkSecurity(clazz); + return clazz; + } else { + throw new ClassNotFoundException(null); } } + public static String[] getSerialziablePackages() { + if (serializablePackages == null) { + serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", + "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(","); + } + + return serializablePackages; + }; + + public static boolean isAllAllowed() { + return getSerialziablePackages().length == 1 && getSerialziablePackages()[0].equals("*"); + } + + private void checkSecurity(Class clazz) throws ClassNotFoundException { + if (!clazz.isPrimitive()) { + if (clazz.getPackage() != null && !isAllAllowed()) { + boolean found = false; + for (String packageName : getSerialziablePackages()) { + if (clazz.getPackage().getName().equals(packageName) || clazz.getPackage().getName().startsWith(packageName + ".")) { + found = true; + break; + } + } + + if (!found) { + throw new ClassNotFoundException("Forbidden " + clazz + "! This class is not allowed to be serialized. Add package with 'org.apache.activemq.SERIALIZABLE_PACKAGES' system property."); + } + } + } + } + private Class load(String className, ClassLoader cl) throws ClassNotFoundException { try { return Class.forName(className, false, cl); diff -Nru activemq-5.6.0/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java activemq-5.6.0.CVE-2015-5254/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java --- activemq-5.6.0/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java 2012-09-11 01:12:25.000000000 +0200 +++ activemq-5.6.0.CVE-2015-5254/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java 2015-12-15 08:41:19.421068945 +0100 @@ -17,9 +17,15 @@ package org.apache.activemq.transport.xstream; import com.thoughtworks.xstream.XStream; +import com.thoughtworks.xstream.converters.Converter; +import com.thoughtworks.xstream.converters.MarshallingContext; +import com.thoughtworks.xstream.converters.UnmarshallingContext; +import com.thoughtworks.xstream.io.HierarchicalStreamReader; +import com.thoughtworks.xstream.io.HierarchicalStreamWriter; import org.apache.activemq.command.Command; import org.apache.activemq.command.MarshallAware; import org.apache.activemq.command.MessageDispatch; +import org.apache.activemq.transport.stomp.XStreamSupport; import org.apache.activemq.transport.util.TextWireFormat; import org.apache.activemq.wireformat.WireFormat; @@ -105,7 +111,28 @@ // Implementation methods // ------------------------------------------------------------------------- protected XStream createXStream() { - return new XStream(); + final XStream xstream = XStreamSupport.createXStream(); + xstream.ignoreUnknownElements(); + xstream.registerConverter(new Converter() { + final Converter delegate = xstream.getConverterLookup().lookupConverterForType(ByteSequence.class); + @Override + public void marshal(Object o, HierarchicalStreamWriter hierarchicalStreamWriter, MarshallingContext marshallingContext) { + ByteSequence byteSequence = (ByteSequence)o; + byteSequence.compact(); + delegate.marshal(byteSequence, hierarchicalStreamWriter, marshallingContext); + } + + @Override + public Object unmarshal(HierarchicalStreamReader hierarchicalStreamReader, UnmarshallingContext unmarshallingContext) { + return delegate.unmarshal(hierarchicalStreamReader, unmarshallingContext); + } + + @Override + public boolean canConvert(Class aClass) { + return aClass == ByteSequence.class; + } + }); + return xstream; } } diff -Nru activemq-5.6.0/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java activemq-5.6.0.CVE-2015-5254/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java --- activemq-5.6.0/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java 2012-09-11 01:12:25.000000000 +0200 +++ activemq-5.6.0.CVE-2015-5254/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java 2015-12-15 08:38:03.340297084 +0100 @@ -80,9 +80,9 @@ if (message instanceof ObjectMessage) { try { return ((ObjectMessage) message).getObject(); - } catch (JMSException e) { + } catch (Exception e) { //message could not be parsed, make the reason available - return e; + return new String("Cannot display ObjectMessage body. Reason: " + e.getMessage()); } } if (message instanceof MapMessage) {