
Commit 1ca0388

committed
Fixed #2999
1 parent 567194c commit 1ca0388


2 files changed

+6
-0
lines changed


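--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -14,6 +14,8 @@ Project: jackson-databind
 (reported by Al1ex@knownsec)
 #2998: Block 2 more gadget types (org.apache.tomcat/tomcat-dbcp)
 (reported by Al1ex@knownsec)
+#2999: Block 1 more gadget type (org.glassfish.web/javax.servlet.jsp.jstl)
+(reported by bu5yer of Sangfor FarSight Security Lab)
 
 2.9.10.7 (02-Dec-2020)
 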

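--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -226,6 +226,10 @@ public class SubTypeValidator
 s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource");
 s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource");
 
+// [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan)
+// (derivative of #2469)
+s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
 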
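Review bot: The entry added at new line 231 names one relocated class literally, so if the set is consulted by exact class name (the lookup is outside this hunk), any other shaded copy of the same Xalan `JNDIConnectionPool` stays deserializable until it gets its own entry. The comment itself marks this as a derivative of #2469, which suggests that pattern has already recurred. Consider stating the limit next to the entry, e.g. `// NOTE: matched by exact name; other relocated copies of this class need their own entries`. The commit touches only the release notes and this file, so nothing pins the new entry; a test asserting that polymorphic deserialization of this class name is rejected would guard against accidental removal. The static initializer that builds the set begins before the hunk.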
