-rw-r--r--release-notes/VERSION-2.x2
-rw-r--r--src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java3
2 files changed, 5 insertions, 0 deletions
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 0bc7e01ef..7e1d550c7 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -12,6 +12,8 @@ Project: jackson-databind
(reported by Fangrun Li)
#2704: Block one more gadget type (weblogic/oracle-aqjms)
(reported by XuYuanzhen)
+#2765: Block one more gadget type (org.jsecurity))
+ (reported by Al1ex@knownsec)
2.9.10.4 (11-Apr-2020)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 80cc37879..7c3d4bcc3 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -194,6 +194,9 @@ public class SubTypeValidator
s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
s.add("oracle.jms.AQjmsXAConnectionFactory");
+ // [databind#2764]: org.jsecurity:
+ s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
+
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
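Review bot: The comment added above the new entry cites `[databind#2764]`, but the release-notes hunk in this same commit records the org.jsecurity block as `#2765`; one of the two ids is wrong, and the code comment is what a maintainer will follow when tracing why `org.jsecurity.realm.jndi.JndiRealmFactory` is denied. Align it with the tracker, for example `// [databind#2765]: org.jsecurity (JNDI realm factory)` if the release notes carry the correct id. The entry is a single fully-qualified class name, so as far as this hunk shows it covers only that one class; the static initializer begins outside the hunk and the code that matches against the set is not visible here. Deployments that accept polymorphic type ids from untrusted JSON should not treat this deny list as complete and are better served by an allow-list type validator where the Jackson version in use offers one.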