Fix #2682

cowtowncoder · cowtowncoder · commit 77040d85e3eb · 2020-04-07T09:34:38.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -29,6 +29,7 @@ Project: jackson-databind
 #2670: Block one more gadget type (openjpa, CVE-2020-11113)
  (reported by XuYuanzhen)
 #2680: Block one more gadget type (spring-aop)
+#2680: Block one more gadget type (commons-jelly)
 
 2.9.10.3 (23-Feb-2020)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -177,6 +177,9 @@ public class SubTypeValidator
         // [databind#2666]: apache/commons-jms
         s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
 
+        // [databind#2682]: commons-jelly
+        s.add("org.apache.commons.jelly.impl.Embedded");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -177,6 +177,9 @@ public class SubTypeValidator`
`177`	`177`	`// [databind#2666]: apache/commons-jms`
`178`	`178`	`s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");`
`179`	`179`
	`180`	`+ // [databind#2682]: commons-jelly`
	`181`	`+ s.add("org.apache.commons.jelly.impl.Embedded");`
	`182`	`+`
`180`	`183`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`181`	`184`	`}`
`182`	`185`