From 038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 Mon Sep 17 00:00:00 2001 From: Tatu Saloranta Date: Sun, 21 Jan 2018 21:01:07 -0800 Subject: [PATCH] Fix #1899 --- release-notes/VERSION | 4 +++- .../jackson/databind/jsontype/impl/SubTypeValidator.java | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/release-notes/VERSION b/release-notes/VERSION index b0becca90a..e5c11b30c2 100644 --- a/release-notes/VERSION +++ b/release-notes/VERSION @@ -5,9 +5,11 @@ Project: jackson-databind 2.8.11.1 (not yet released) -#1872 `NullPointerException` in `SubTypeValidator.validateSubType` when +#1872: `NullPointerException` in `SubTypeValidator.validateSubType` when validating Spring interface (reported by Rob W) +#1899: Another two gadgets to exploit default typing issue in jackson-databind + (reported by OneSourceCat@github) 2.8.11 (24-Dec-2017) diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java index 42273e0848..37b122734c 100644 --- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java @@ -50,6 +50,10 @@ public class SubTypeValidator // [databind#1855]: more 3rd party s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); + // [databind#1899]: more 3rd party + s.add("org.hibernate.jmx.StatisticsService"); + s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); }
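Review bot: The two names added to the `SubTypeValidator` static initializer land without a regression test; the diffstat lists only `release-notes/VERSION` and `SubTypeValidator.java`, so nothing catches a later typo or accidental removal of either entry. A test that enables default typing and asserts that a payload naming `org.hibernate.jmx.StatisticsService` or `org.apache.ibatis.datasource.jndi.JndiDataSourceFactory` as its type is rejected would pin the fix. The comment `// [databind#1899]: more 3rd party` could also name the libraries and the reason, for example `// [databind#1899]: Hibernate, MyBatis types reported as default-typing gadgets`. Because `DEFAULT_NO_DESER_CLASS_NAMES` appears to be an exact-name denylist, it only covers classes already reported, so the class Javadoc should say that it is not a substitute for restricting polymorphic types on untrusted input. The initializer begins outside this hunk, so how the set is consulted is not visible here.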