Fixed #2765

cowtowncoder · cowtowncoder · commit f6d9c664f6d4 · 2020-06-13T20:30:10.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -12,6 +12,8 @@ Project: jackson-databind
  (reported by Fangrun Li)
 #2704: Block one more gadget type (weblogic/oracle-aqjms)
  (reported by XuYuanzhen)
+#2765: Block one more gadget type (org.jsecurity))
+ (reported by Al1ex@knownsec)
 
 2.9.10.4 (11-Apr-2020)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -194,6 +194,9 @@ public class SubTypeValidator
         s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
         s.add("oracle.jms.AQjmsXAConnectionFactory");
 
+        // [databind#2764]: org.jsecurity:
+        s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -194,6 +194,9 @@ public class SubTypeValidator`
`194`	`194`	`s.add("oracle.jms.AQjmsXAQueueConnectionFactory");`
`195`	`195`	`s.add("oracle.jms.AQjmsXAConnectionFactory");`
`196`	`196`
	`197`	`+ // [databind#2764]: org.jsecurity:`
	`198`	`+ s.add("org.jsecurity.realm.jndi.JndiRealmFactory");`
	`199`	`+`
`197`	`200`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`198`	`201`	`}`
`199`	`202`