From 3e8fa3beea49ea62109df9e643c9cb678dabdde1 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Sat, 26 Dec 2020 13:58:25 -0800
Subject: [PATCH] Fixed #2997
---
 release-notes/VERSION-2.x | 4 +++-
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index a3624f8036..3a24d72614 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -8,7 +8,9 @@ Project: jackson-databind
 #2986: Block two more gadget types (commons-dbcp2, CVE-2020-35490/CVE-2020-35491)
 (reported by Al1ex@knownsec)
-#2996: Block 2 more gadget types (placeholder)
+#2996: Block 2 more gadget types (newrelic-agent)
+ (reported by Al1ex@knownsec)
+#2997: Block 2 more gadget types (tomcat/naming-factory-dbcp)
 (reported by Al1ex@knownsec)
 2.9.10.7 (02-Dec-2020)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 0b4c2778fc..578a1be5dc 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -216,6 +216,11 @@ public class SubTypeValidator
 s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource");
 s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource");
+ // [databind#2997]: tomcat/naming-factory-dbcp (embedded dbcp 1.x)
+ // (derivative of #2478)
+ s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource");
+ s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
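Review bot: The two new `s.add(...)` entries in the SubTypeValidator hunk name only the `org.apache.tomcat.dbcp.dbcp.datasources` repackaging, and the set appears to be matched by exact class name, so the same two classes under a sibling package (for example Tomcat's embedded dbcp2, `org.apache.tomcat.dbcp.dbcp2.datasources`) would need entries of their own. The static initializer starts outside this hunk, so whether those names are already listed cannot be confirmed from here. I would make the limitation explicit next to the entries, e.g. `// exact class-name match: other repackagings of these data sources need separate entries`. The diffstat shows only the release notes and this file changed, so a regression test asserting that polymorphic deserialization of both names is rejected would keep the entries from being lost in a later merge.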