Merge branch '2.8' into 2.9
cowtowncoder committed Dec 13, 2017
2 parents 9bd1829 + 10fe7f1 commit eb217dd
Showing 3 changed files with 21 additions and 7 deletions.
4 changes: 4 additions & 0 deletions release-notes/VERSION
@@ -3,6 +3,10 @@ Project: jackson-databind
=== Releases ===
------------------------------------------------------------------------

2.9.4 (not yet released)

#1855: More blacklisting of serialization gadgets

2.9.3 (09-Dec-2017)

#1604: Nested type arguments doesn't work with polymorphic types
@@ -69,6 +69,9 @@ public class BeanDeserializerFactory
s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");

// [databind#1855]: more 3rd party
s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
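Review bot: The comment `// [databind#1855]: more 3rd party` does not fit the second new entry, because `com.sun.org.apache.bcel.internal.util.ClassLoader` lives in a `com.sun.*` package and the accompanying test describes it as "apparently included by JDK". Something like `// [databind#1855]: one more 3rd-party type, plus the JDK-internal BCEL ClassLoader` would be accurate. The set also appears to be matched by exact class name (the lookup is outside this hunk, so this is inferred), which means a relocated or differently versioned copy of a listed class would not be covered. A line such as `// NOTE: exact-name denylist, not exhaustive; not a substitute for restricting polymorphic typing on untrusted input` above the set would tell maintainers what it does and does not guarantee. The static initializer starts before the hunk.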

@@ -59,8 +59,15 @@ public void testXalanTypes1599() throws Exception

public void testJDKTypes1737() throws Exception
{
_testTypes1737(java.util.logging.FileHandler.class);
_testTypes1737(java.rmi.server.UnicastRemoteObject.class);
_testIllegalType(java.util.logging.FileHandler.class);
_testIllegalType(java.rmi.server.UnicastRemoteObject.class);
}

// // // Tests for [databind#1855]
public void testJDKTypes1855() throws Exception
{
// apparently included by JDK?
_testIllegalType("com.sun.org.apache.bcel.internal.util.ClassLoader");
}

// 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
@@ -70,8 +77,8 @@ public void testJDKTypes1737() throws Exception
/*
public void testSpringTypes1737() throws Exception
{
_testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
_testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean");
_testIllegalType("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
_testIllegalType("org.springframework.beans.factory.config.PropertyPathFactoryBean");
}
public void testC3P0Types1737() throws Exception
@@ -81,11 +88,11 @@ public void testC3P0Types1737() throws Exception
}
*/

private void _testTypes1737(Class<?> nasty) throws Exception {
_testTypes1737(nasty.getName());
private void _testIllegalType(Class<?> nasty) throws Exception {
_testIllegalType(nasty.getName());
}

private void _testTypes1737(String clsName) throws Exception
private void _testIllegalType(String clsName) throws Exception
{
// While usually exploited via default typing let's not require
// it here; mechanism still the same
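Review bot: `testJDKTypes1855` exercises only one of the two class names this commit adds to the blocklist; `org.apache.tomcat.dbcp.dbcp2.BasicDataSource` gets no test, and the 3rd-party tests further down remain commented out. The new test also passes the name as a string, and its own comment, `// apparently included by JDK?`, is unsure whether the class is present. If `_testIllegalType(String)` needs the class to be loadable (its body continues outside the hunk, so this is inferred), the test would fail for an unrelated reason on a JDK that lacks it. I would replace that comment with `// JDK-internal repackaged BCEL; referenced by name since it is not public API, test assumes the JDK ships it`, and consider a direct check that the blocklist set contains the 3rd-party name so that entry cannot regress unnoticed.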