Merge branch '2.7' into 2.8
cowtowncoder committed Dec 13, 2017
2 parents 569e36e + f031f27 commit 10fe7f1
Showing 3 changed files with 18 additions and 7 deletions.
1 change: 1 addition & 0 deletions release-notes/VERSION
Expand Up @@ -15,6 +15,7 @@ Project: jackson-databind
(reported by henryptung@github)
#1807: Jackson-databind caches plain map deserializer and use it even map has `@JsonDeserializer`
(reported by lexas2509@github)
#1855: More blacklisting of serialization gadgets

2.8.10 (24-Aug-2017)

Expand Up @@ -70,6 +70,9 @@ public class BeanDeserializerFactory
s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");

// [databind#1855]: more 3rd party
s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}

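Review bot: The comment `// [databind#1855]: more 3rd party` does not match the second entry it introduces: `com.sun.org.apache.bcel.internal.util.ClassLoader` lives in a JDK-internal package, and the test added in this same commit describes it as "apparently included by JDK?". Something like `// [databind#1855]: more 3rd party, plus a JDK-internal type` would keep the list's provenance accurate. The entries are plain class-name strings, so the check that consumes `DEFAULT_NO_DESER_CLASS_NAMES` (outside this hunk) presumably matches exact names; if so, a relocated or shaded copy of the same data source class would not be caught, and that limitation deserves a sentence in the comment above the set. The static initializer starts before the hunk.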
Expand Up @@ -58,8 +58,15 @@ public void testXalanTypes1599() throws Exception

public void testJDKTypes1737() throws Exception
{
_testTypes1737(java.util.logging.FileHandler.class);
_testTypes1737(java.rmi.server.UnicastRemoteObject.class);
_testIllegalType(java.util.logging.FileHandler.class);
_testIllegalType(java.rmi.server.UnicastRemoteObject.class);
}

// // // Tests for [databind#1855]
public void testJDKTypes1855() throws Exception
{
// apparently included by JDK?
_testIllegalType("com.sun.org.apache.bcel.internal.util.ClassLoader");
}

// 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
Expand All @@ -69,8 +76,8 @@ public void testJDKTypes1737() throws Exception
/*
public void testSpringTypes1737() throws Exception
{
_testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
_testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean");
_testIllegalType("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
_testIllegalType("org.springframework.beans.factory.config.PropertyPathFactoryBean");
}
public void testC3P0Types1737() throws Exception
Expand All @@ -80,11 +87,11 @@ public void testC3P0Types1737() throws Exception
}
*/

private void _testTypes1737(Class<?> nasty) throws Exception {
_testTypes1737(nasty.getName());
private void _testIllegalType(Class<?> nasty) throws Exception {
_testIllegalType(nasty.getName());
}

private void _testTypes1737(String clsName) throws Exception
private void _testIllegalType(String clsName) throws Exception
{
// While usually exploited via default typing let's not require
// it here; mechanism still the same
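Review bot: `testJDKTypes1855` exercises only `com.sun.org.apache.bcel.internal.util.ClassLoader`; the other name added under #1855, `org.apache.tomcat.dbcp.dbcp2.BasicDataSource`, gets no test, so a typo in that deny-list string would go unnoticed. If `_testIllegalType(String)` (its body runs past the hunk) rejects by name without needing the class on the test classpath, add `_testIllegalType("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");` in a `test3rdPartyTypes1855` method; otherwise say so in the existing comment about 3rd party types. The comment `// apparently included by JDK?` is also worth firming up, e.g. `// JDK-internal copy of BCEL, referenced by name rather than by class literal`, which is presumably why the String overload is used here, to be confirmed.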
