Merge branch '2.7' into 2.8

cowtowncoder · cowtowncoder · commit 10fe7f17ea7c · 2017-12-12T17:20:15.000-08:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -15,6 +15,7 @@ Project: jackson-databind
  (reported by henryptung@github)
 #1807: Jackson-databind caches plain map deserializer and use it even map has `@JsonDeserializer`
  (reported by lexas2509@github)
+#1855: More blacklisting of serialization gadgets
 
 2.8.10 (24-Aug-2017)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -70,6 +70,9 @@ public class BeanDeserializerFactory
         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
 
+        // [databind#1855]: more 3rd party
+        s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+        s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
diff --git a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
@@ -58,8 +58,15 @@ public void testXalanTypes1599() throws Exception
 
     public void testJDKTypes1737() throws Exception
     {
-        _testTypes1737(java.util.logging.FileHandler.class);
-        _testTypes1737(java.rmi.server.UnicastRemoteObject.class);
+        _testIllegalType(java.util.logging.FileHandler.class);
+        _testIllegalType(java.rmi.server.UnicastRemoteObject.class);
+    }
+
+    // // // Tests for [databind#1855]
+    public void testJDKTypes1855() throws Exception
+    {
+        // apparently included by JDK?
+        _testIllegalType("com.sun.org.apache.bcel.internal.util.ClassLoader");
     }
 
     // 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
@@ -69,8 +76,8 @@ public void testJDKTypes1737() throws Exception
     /*
     public void testSpringTypes1737() throws Exception
     {
-        _testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
-        _testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+        _testIllegalType("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
+        _testIllegalType("org.springframework.beans.factory.config.PropertyPathFactoryBean");
     }
 
     public void testC3P0Types1737() throws Exception
@@ -80,11 +87,11 @@ public void testC3P0Types1737() throws Exception
     }
     */
 
-    private void _testTypes1737(Class<?> nasty) throws Exception {
-        _testTypes1737(nasty.getName());
+    private void _testIllegalType(Class<?> nasty) throws Exception {
+        _testIllegalType(nasty.getName());
     }
 
-    private void _testTypes1737(String clsName) throws Exception
+    private void _testIllegalType(String clsName) throws Exception
     {
         // While usually exploited via default typing let's not require
         // it here; mechanism still the same

Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,9 @@ public class BeanDeserializerFactory`
`70`	`70`	`s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");`
`71`	`71`	`s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");`
`72`	`72`
	`73`	`+ // [databind#1855]: more 3rd party`
	`74`	`+ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");`
	`75`	`+ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");`
`73`	`76`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`74`	`77`	`}`
`75`	`78`
Original file line number	Diff line number	Diff line change
`@@ -58,8 +58,15 @@ public void testXalanTypes1599() throws Exception`
`58`	`58`
`59`	`59`	`public void testJDKTypes1737() throws Exception`
`60`	`60`	`{`
`61`		`- _testTypes1737(java.util.logging.FileHandler.class);`
`62`		`- _testTypes1737(java.rmi.server.UnicastRemoteObject.class);`
	`61`	`+ _testIllegalType(java.util.logging.FileHandler.class);`
	`62`	`+ _testIllegalType(java.rmi.server.UnicastRemoteObject.class);`
	`63`	`+ }`
	`64`	`+`
	`65`	`+ // // // Tests for [databind#1855]`
	`66`	`+ public void testJDKTypes1855() throws Exception`
	`67`	`+ {`
	`68`	`+ // apparently included by JDK?`
	`69`	`+ _testIllegalType("com.sun.org.apache.bcel.internal.util.ClassLoader");`
`63`	`70`	`}`
`64`	`71`
`65`	`72`	`// 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,`
`@@ -69,8 +76,8 @@ public void testJDKTypes1737() throws Exception`
`69`	`76`	`/*`
`70`	`77`	`public void testSpringTypes1737() throws Exception`
`71`	`78`	`{`
`72`		`- _testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");`
`73`		`- _testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean");`
	`79`	`+ _testIllegalType("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");`
	`80`	`+ _testIllegalType("org.springframework.beans.factory.config.PropertyPathFactoryBean");`
`74`	`81`	`}`
`75`	`82`
`76`	`83`	`public void testC3P0Types1737() throws Exception`
`@@ -80,11 +87,11 @@ public void testC3P0Types1737() throws Exception`
`80`	`87`	`}`
`81`	`88`	`*/`
`82`	`89`
`83`		`- private void _testTypes1737(Class<?> nasty) throws Exception {`
`84`		`- _testTypes1737(nasty.getName());`
	`90`	`+ private void _testIllegalType(Class<?> nasty) throws Exception {`
	`91`	`+ _testIllegalType(nasty.getName());`
`85`	`92`	`}`
`86`	`93`
`87`		`- private void _testTypes1737(String clsName) throws Exception`
	`94`	`+ private void _testIllegalType(String clsName) throws Exception`
`88`	`95`	`{`
`89`	`96`	`// While usually exploited via default typing let's not require`
`90`	`97`	`// it here; mechanism still the same`