From e701bd852ca9a22e04743104987f11ae575a6fe2 Mon Sep 17 00:00:00 2001 From: Tatu Saloranta Date: Sat, 22 Aug 2020 15:24:52 -0700 Subject: [PATCH] Fixed #2826, #2827 --- release-notes/VERSION-2.x | 4 ++++ .../jackson/databind/jsontype/impl/SubTypeValidator.java | 8 ++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x index 56375c739f..c24809b05a 100644 --- a/release-notes/VERSION-2.x +++ b/release-notes/VERSION-2.x @@ -10,6 +10,10 @@ Project: jackson-databind (reported by Al1ex@knownsec) #2814: Block one more gadget type (xxx, CVE-xxxx-xxx) (reported by ChenZhaojun) +#2826: Block one more gadget type (xxx, CVE-xxxx-xxx) + (reported by ChenZhaojun) +#2827: Block one more gadget type (xxx, CVE-xxxx-xxx) + (reported by ChenZhaojun) 2.9.10.5 (21-Jun-2020) diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java index d470bb53d5..dc706429cf 100644 --- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java @@ -13,7 +13,7 @@ * Helper class used to encapsulate rules that determine subtypes that * are invalid to use, even with default typing, mostly due to security * concerns. - * Used by BeanDeserializerFacotry + * Used by BeanDeserializerFactory * * @since 2.8.11 */ @@ -201,7 +201,11 @@ public class SubTypeValidator // [databind#2798]: com.pastdev.httpcomponents: s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration"); - + + // [databind#2826], [databind#2827] + s.add("com.nqadmin.rowset.JdbcRowSetImpl"); + s.add("org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); }