Improved: Improve ObjectInputStream denyList (OFBIZ-12221)

Prevents generics markup in string type names.

Author: JacquesLeRoux

framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java

@@ -64,8 +64,9 @@ public SafeObjectInputStream(InputStream in) throws IOException {
     @Override
     protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
         String className = classDesc.getName();
-        // DenyList exploits; eg: don't allow RMI here
-        if (className.contains("java.rmi")) {
+        // DenyList
+        if (className.contains("java.rmi") // Don't allow RMI
+                || className.contains("<")) { // Prevent generics markup in string type names
             throw new InvalidClassException(className, "Unauthorized deserialisation attempt");
         }
         if (!allowlistPattern.matcher(className).find()) {