From 41b8bdb5ccc1d8edb71acf1c8234da235a24249d Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Tue, 15 Dec 2020 17:27:03 -0800
Subject: [PATCH] Fixed #2986
---
 release-notes/VERSION-2.x | 5 +++++
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 4 ++++
 2 files changed, 9 insertions(+)
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index df000288a1..2af8b31497 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -4,6 +4,11 @@ Project: jackson-databind === Releases === ------------------------------------------------------------------------ +2.9.10.8 (not yet released) + +#2986: Block two more gadget types + (reported by Al1ex@knownsec) + 2.9.10.7 (02-Dec-2020) #2589: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index a8b5cb1ba3..6e007b9c24 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -207,6 +207,10 @@ public class SubTypeValidator s.add("com.nqadmin.rowset.JdbcRowSetImpl"); s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl"); + // [databind#2986]: dbcp2 + s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource"); + s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); }
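Review bot: The two names added under `// [databind#2986]: dbcp2` in SubTypeValidator.java are fully-qualified class names, so if `DEFAULT_NO_DESER_CLASS_NAMES` is consulted by exact match (the lookup is outside this hunk), relocated or shaded copies of the same data-source classes under a different package would not be caught. It is worth confirming that such repackaged variants are already covered earlier in the static initializer, which begins above the hunk. The diffstat lists only the release notes and this file, so nothing in the commit exercises the new entries; a regression test asserting that polymorphic deserialization of both class names is rejected would pin the fix. The comment could also say why the types are blocked, for example `// [databind#2986]: dbcp2 data sources usable as deserialization gadgets`.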