Fixed #3003

cowtowncoder · cowtowncoder · commit 12e23c962ffb · 2020-12-31T18:12:24.000-08:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -16,6 +16,7 @@ Project: jackson-databind
  (reported by Al1ex@knownsec)
 #2999: Block 1 more gadget type (org.glassfish.web/javax.servlet.jsp.jstl, CVE-2020-35728)
  (reported by bu5yer of Sangfor FarSight Security Lab)
+#3003: Block one more gadget type (xxx, CVE to be allocated)
 
 2.9.10.7 (02-Dec-2020)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -232,6 +232,9 @@ public class SubTypeValidator
         // (derivative of #2469)
         s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
 
+        // [databind#303]: another case of embedded Xalan (derivative of #2469)
+        s.add("org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -232,6 +232,9 @@ public class SubTypeValidator`
`232`	`232`	`// (derivative of #2469)`
`233`	`233`	`s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");`
`234`	`234`
	`235`	`+ // [databind#303]: another case of embedded Xalan (derivative of #2469)`
	`236`	`+ s.add("org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool");`
	`237`	`+`
`235`	`238`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`236`	`239`	`}`
`237`	`240`