
Backport #2186 to 2.7.9[.5]

cowtowncoder committed Nov 23, 2018
1 parent 0899726 commit 42912cac4753f3f718ece875e4d486f8264c2f2b
@@ -10,6 +10,9 @@ Project: jackson-databind
(reported by OneSourceCat@github)
#2097: Block more classes from polymorphic deserialization (CVE-2018-14718
- CVE-2018-14721)
#2186: Block more classes from polymorphic deserialization (CVE-2018-19360,
CVE-2018-19361, CVE-2018-19362)
(reported by Guixiong Wu)

2.7.9.4 (08-Jun-2018)

@@ -73,6 +73,11 @@
s.add("com.sun.deploy.security.ruleset.DRSHelper");
s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");

// [databind#2186]: yet more 3rd party gadgets
s.add("org.jboss.util.propertyeditor.DocumentEditor");
s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
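Review bot: The comment above the four new entries cites only `[databind#2186]`, while the release notes in this same commit tie that issue to CVE-2018-19360, CVE-2018-19361 and CVE-2018-19362; I would carry the ids into the code, e.g. `// [databind#2186]: yet more 3rd party gadgets (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362)`, so the list can be audited against advisories without the changelog. The entries look like exact class-name strings in a set, so a subclass or a relocated copy of one of these types would presumably not match; that limit is worth stating in the comment or on `DEFAULT_NO_DESER_CLASS_NAMES`. No test is visible in this commit, and a regression test asserting that each of the four names is rejected during polymorphic deserialization would protect the backport. The static initializer these lines belong to starts outside the hunk.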
