Merge branch '2.7' into 2.8

cowtowncoder · cowtowncoder · commit 051bd5e447fb · 2018-05-10T18:26:07.000-07:00
diff --git a/release-notes/CREDITS b/release-notes/CREDITS
@@ -634,6 +634,10 @@ Kevin Gallardo (newkek@github)
     with a recursive value type
    (2.8.10)
 
+Guixiong Wu (吴桂雄)
+  * Reported #2032: Blacklist another serialization gadget (ibatis)
+   (2.8.11.2)
+
 Connor Kuhn (ckuhn@github)
   * Contributed #1341: FAIL_ON_MISSING_EXTERNAL_TYPE_ID_PROPERTY
    (2.9.0)
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -8,6 +8,8 @@ Project: jackson-databind
 #1941: `TypeFactory.constructFromCanonical()` throws NPE for Unparameterized
   generic canonical strings
  (reported by ayushgp@github)
+#2032: Blacklist another serialization gadget (ibatis)
+ (reported by Guixiong Wu)
 
 2.8.11.1 (11-Feb-2018)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -57,6 +57,8 @@ public class SubTypeValidator
         // [databind#1899]: more 3rd party
         s.add("org.hibernate.jmx.StatisticsService");
         s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+        // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
+        s.add("org.apache.ibatis.parsing.XPathParser");
 
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,8 @@ public class SubTypeValidator`
`57`	`57`	`// [databind#1899]: more 3rd party`
`58`	`58`	`s.add("org.hibernate.jmx.StatisticsService");`
`59`	`59`	`s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");`
	`60`	`+ // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities`
	`61`	`+ s.add("org.apache.ibatis.parsing.XPathParser");`
`60`	`62`
`61`	`63`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`62`	`64`	`}`