Merge branch '2.8' into 2.9

FasterXML · May 11, 2018 · 78e7873 · 78e7873
2 parents ba0df20 + 051bd5e
commit 78e7873
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 0 deletions.
diff --git a/release-notes/CREDITS-2.x b/release-notes/CREDITS-2.x
@@ -649,6 +649,10 @@ Kevin Gallardo (newkek@github)
 Lukas Euler
   * Reported #1735: Missing type checks when using polymorphic type ids
 
+Guixiong Wu (吴桂雄)
+  * Reported #2032: Blacklist another serialization gadget (ibatis)
+   (2.8.11.2)
+
 Connor Kuhn (ckuhn@github)
   * Contributed #1341: FAIL_ON_MISSING_EXTERNAL_TYPE_ID_PROPERTY
    (2.9.0)

diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -33,6 +33,8 @@ Project: jackson-databind
   with `null` coercion with `@JsonSetter`
 #2027: Concurrency error causes `IllegalStateException` on `BeanPropertyMap`
  (reported by franboragina@github)
+#2032: Blacklist another serialization gadget (ibatis)
+ (reported by Guixiong Wu)
 
 2.9.5 (26-Mar-2018)
 

diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -58,6 +58,8 @@ public class SubTypeValidator
         // [databind#1899]: more 3rd party
         s.add("org.hibernate.jmx.StatisticsService");
         s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+        // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
+        s.add("org.apache.ibatis.parsing.XPathParser");
 
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }