Fix #2478 (cve)

cowtowncoder · cowtowncoder · commit 9593e16cf5a3 · 2019-09-28T18:39:17.000-07:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -14,6 +14,7 @@ Unreleased but backported
 #2460: Block one more gadget type (ehcache, no CVE allocated yet)
 #2462: Block two more gadget types (commons-configuration)
 #2469: Block one more gadget type (xalan2)
+#2478: Block two more gadget types (commons-dbcp, p6spy)
 
 2.8.11.4 (25-Jul-2019)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -114,6 +114,10 @@ public class SubTypeValidator
         // [databind#2469]: xalan2
         s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
 
+        // [databind#2478]: comons-dbcp, p6spy
+        s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+        s.add("com.p6spy.engine.spy.P6DataSource");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,10 @@ public class SubTypeValidator`
`114`	`114`	`// [databind#2469]: xalan2`
`115`	`115`	`s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");`
`116`	`116`
	`117`	`+ // [databind#2478]: comons-dbcp, p6spy`
	`118`	`+ s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");`
	`119`	`+ s.add("com.p6spy.engine.spy.P6DataSource");`
	`120`	`+`
`117`	`121`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`118`	`122`	`}`
`119`	`123`