author | Tatu Saloranta <tatu.saloranta@iki.fi> | 2020-07-20 17:40:57 -0700 |
---|---|---|
committer | Tatu Saloranta <tatu.saloranta@iki.fi> | 2020-07-20 17:40:57 -0700 |
commit | 6cc9f1a1af323cd156f5668a47e43bab324ae16f (patch) | |
tree | d107b87d285f823a3cdbc9e4983f09dd65103ebf | |
parent | fae36eb4daccfb37569bd54341ecc49d22dc6f6f (diff) | |
download | jackson-databind-6cc9f1a1af323cd156f5668a47e43bab324ae16f.tar.gz |
Work for addressing #2798
-rw-r--r-- | release-notes/VERSION-2.x | 5 | ||||
-rw-r--r-- | src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 3 |
2 files changed, 8 insertions, 0 deletions
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 187307ed8..f06b7c5dc 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -4,6 +4,11 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
+2.9.10.6 (not yet released)
+
+#2798: Block one more gadget type (xxx, xxx)
+ (reported by Al1ex@knownsec)
+
 2.9.10.5 (21-Jun-2020)
 #2688: Block one more gadget type (apache-drill, CVE-2020-14060)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 7c3d4bcc3..d0753df93 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -197,6 +197,9 @@ public class SubTypeValidator
 // [databind#2764]: org.jsecurity:
 s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
+ // [databind#2798]: com.pastdev.httpcomponents:
+ s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
|
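Review bot: The new deny-list entry in the SubTypeValidator.java hunk arrives without a test. The diffstat lists only the release notes and this file, so nothing in the commit checks that `com.pastdev.httpcomponents.configuration.JndiConfiguration` is actually refused as a polymorphic subtype. The comment would also help maintainers more if it gave the reason for the block, for example `// [databind#2798]: com.pastdev.httpcomponents (JNDI lookup reachable from deserialized properties)`. That reason is inferred from the class name and the neighbouring `JndiRealmFactory` entry, so confirm it against the issue before committing the wording. The entry is one fully-qualified name, so presumably only that exact class is matched and any sibling types in the package would need their own entries. The static initializer that builds the set starts outside the hunk.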