Work for addressing #2798

cowtowncoder · cowtowncoder · commit 6cc9f1a1af32 · 2020-07-20T17:40:57.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -4,6 +4,11 @@ Project: jackson-databind
 === Releases === 
 ------------------------------------------------------------------------
 
+2.9.10.6 (not yet released)
+
+#2798: Block one more gadget type (xxx, xxx)
+ (reported by Al1ex@knownsec)
+
 2.9.10.5 (21-Jun-2020)
 
 #2688: Block one more gadget type (apache-drill, CVE-2020-14060)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -197,6 +197,9 @@ public class SubTypeValidator
         // [databind#2764]: org.jsecurity:
         s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
 
+        // [databind#2798]: com.pastdev.httpcomponents:
+        s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
+        
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -197,6 +197,9 @@ public class SubTypeValidator`
`197`	`197`	`// [databind#2764]: org.jsecurity:`
`198`	`198`	`s.add("org.jsecurity.realm.jndi.JndiRealmFactory");`
`199`	`199`
	`200`	`+ // [databind#2798]: com.pastdev.httpcomponents:`
	`201`	`+ s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");`
	`202`	`+`
`200`	`203`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`201`	`204`	`}`
`202`	`205`