From 49a3747d2ec18f95749ee787b66205cc3b006dfe Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Sat, 10 Feb 2018 19:36:18 -0800
Subject: [PATCH 1/4] prepare for 2.7.9.3
---
release-notes/VERSION | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/release-notes/VERSION b/release-notes/VERSION
index b13ccfb782..9c0b3bd5cc 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -4,7 +4,7 @@ Project: jackson-databind
=== Releases ===
------------------------------------------------------------------------
-2.7.9.3 (not yet released)
+2.7.9.3 (11-Feb-2018)
#1872 `NullPointerException` in `SubTypeValidator.validateSubType` when
validating Spring interface
From 5cacb069a16653844e4c04c2a53578666080c1bb Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Sat, 10 Feb 2018 19:38:24 -0800
Subject: [PATCH 2/4] [maven-release-plugin] prepare release jackson-databind-2.7.9.3
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 16dc32fdae..59220f74a5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,7 +10,7 @@ com.fasterxml.jackson.core jackson-databind - 2.7.9.3-SNAPSHOT + 2.7.9.3 jackson-databind bundle General data-binding functionality for Jackson: works on core streaming API
@@ -21,7 +21,7 @@ scm:git:git@github.com:FasterXML/jackson-databind.git scm:git:git@github.com:FasterXML/jackson-databind.git http://github.com/FasterXML/jackson-databind - HEAD + jackson-databind-2.7.9.3
From 29c3a1f374f6060c4ccadbdeedc394792c0722bf Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Sat, 10 Feb 2018 19:38:35 -0800
Subject: [PATCH 3/4] [maven-release-plugin] prepare for next development iteration
---
pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 59220f74a5..3eb8a7c3b4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,7 +10,7 @@ com.fasterxml.jackson.core jackson-databind - 2.7.9.3 + 2.7.9.4-SNAPSHOT jackson-databind bundle General data-binding functionality for Jackson: works on core streaming API
@@ -21,7 +21,7 @@ scm:git:git@github.com:FasterXML/jackson-databind.git scm:git:git@github.com:FasterXML/jackson-databind.git http://github.com/FasterXML/jackson-databind - jackson-databind-2.7.9.3 + HEAD
From 27b4defc270454dea6842bd9279f17387eceb737 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Thu, 10 May 2018 18:18:32 -0700
Subject: [PATCH 4/4] Fix #2032
---
release-notes/VERSION | 4 ++++
.../jackson/databind/jsontype/impl/SubTypeValidator.java | 2 ++
2 files changed, 6 insertions(+)
diff --git a/release-notes/VERSION b/release-notes/VERSION
index 9c0b3bd5cc..49e4fd87a2 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -4,6 +4,10 @@ Project: jackson-databind
=== Releases ===
------------------------------------------------------------------------
+2.7.9.4 (not yet released)
+
+#2032: Blacklist another serialization gadget (ibatis)
+
2.7.9.3 (11-Feb-2018)
#1872 `NullPointerException` in `SubTypeValidator.validateSubType` when
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 777637a75e..cae5a9e97e 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -54,6 +54,8 @@ public class SubTypeValidator
// [databind#1855]: more 3rd party
s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+ // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
+ s.add("org.apache.ibatis.parsing.XPathParser");
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
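Review bot: The SubTypeValidator hunk adds `org.apache.ibatis.parsing.XPathParser` to the denylist but the diffstat shows only `VERSION` and `SubTypeValidator.java` changing, so no test pins that a default-typing payload naming this class is actually rejected; a test next to the existing illegal-type checks that enables default typing and asserts `readValue("[\"org.apache.ibatis.parsing.XPathParser\", {}]", Object.class)` fails with the illegal-type message would lock the fix in. The added comment names only the symptom; for the next maintainer I would state the mechanism, e.g. `// [databind#2032]: MyBatis XPathParser parses attacker-supplied XML with external entities enabled (XXE: local file read / SSRF) - must not be reachable via polymorphic deserialization`, adjusted to what that class's constructor really does, since it is not visible here. The set holds exact fully-qualified names, so if the lookup in `validateSubType` (outside this hunk) is a plain `contains`, subclasses of the gadget are not covered; a denylist like this is inherently reactive, and the durable mitigation remains not enabling default typing (or `@JsonTypeInfo(use = Id.CLASS)`) on untrusted input. The static initializer this hunk edits begins outside the hunk.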