Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / jackson-databind / 9bdc373bcca774ee57b8c42f4af61a7b50f3dc26^! / .
commit9bdc373bcca774ee57b8c42f4af61a7b50f3dc26[log] [tgz]
authorTatu Saloranta <tatu.saloranta@iki.fi>Mon Mar 09 19:57:06 2020 -0700
committerTatu Saloranta <tatu.saloranta@iki.fi>Mon Mar 09 19:57:06 2020 -0700
treec5c3f6c55468e7c1984198f9acfc7d267a1e2635
parent4d038c9de0aa80a5dae27f552a975cb39cc42b60 [diff]
Fix #2648

diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 5ffdcf3..ad9e723 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x

@@ -10,8 +10,9 @@
  (reported by threedr3am & LFY)
 #2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)
  (reported by threedr3am & V1ZkRA)
-#2642: Block one more gadget type (javax.swing, CVE-to-be-allocated) #2642
- (reported by threedr3am) 
+#2642: Block one more gadget type (javax.swing, CVE-to-be-allocated)
+ (reported by threedr3am)
+#2648: Block one more gadget type (shiro-core, CVE-to-be-allocated)
 
 2.9.10.3 (23-Feb-2020)
 

diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 3b0de95..9c0ff58 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

@@ -138,6 +138,9 @@
         // [databind#2642]: javax.swing (jdk)
         s.add("javax.swing.JEditorPane");
 
+        // [databind#2648]: shire-core
+        s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }