From 6f33ac71043a01a94eccaced78002e4ed8078961 Mon Sep 17 00:00:00 2001
From: Alex Blekhman
Date: Wed, 23 Oct 2019 11:11:55 +1100
Subject: [PATCH] Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)
Merged from FasterXML/jackson-databind#2478
---
 release-notes/VERSION | 1 +
 .../codehaus/jackson/map/jsontype/impl/SubTypeValidator.java | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/release-notes/VERSION b/release-notes/VERSION
index e575ebfcc..6d73826ab 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -44,6 +44,7 @@ One more patch release for 1.9.
 * [databind#2449]: Block one more gadget type (cve CVE-2019-14540)
 (reported by Kaki K)
 * [databind#2460]: Block one mode gadget type (ehcache, CVE-2019-17267)
+* [databind#2478]: Block two more gadget types (commons-dbcp, p6spy)
 1.9.13 (14-Jul-2013)
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
index ef2d0eef4..89debc041 100644
--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -94,6 +94,9 @@ public class SubTypeValidator
 s.add("com.zaxxer.hikari.HikariDataSource");
 // [databind#2420]: CXF/JAX-RS provider/XSLT
 s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+ // [databind#2478]: comons-dbcp, p6spy
+ s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+ s.add("com.p6spy.engine.spy.P6DataSource");
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
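Review bot: The comment on the first added line of the SubTypeValidator.java hunk misspells the library as `comons-dbcp` and leaves out the CVE ids that the commit subject names, so a search of the source for either advisory will not land on these entries; I would write it as `// [databind#2478]: commons-dbcp, p6spy (CVE-2019-16942 / CVE-2019-16943)`. The two `s.add(...)` lines extend a set of fully qualified class names, and assuming the validator compares names exactly (the lookup is outside this hunk), a shaded or relocated copy of either library would not match, so these entries narrow the exposure for callers that enable polymorphic typing on untrusted JSON rather than remove it. The diffstat shows no test change, and a small deserialization test asserting that both names are rejected would keep the entries from being lost in a later merge. The block that builds `s` starts above the hunk.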