Merge branch '2.8' into 2.9

Author: cowtowncoder

release-notes/CREDITS-2.x

@@ -649,6 +649,10 @@ Kevin Gallardo (newkek@github)
 Lukas Euler
   * Reported #1735: Missing type checks when using polymorphic type ids
 
+Guixiong Wu (吴桂雄)
+  * Reported #2032: Blacklist another serialization gadget (ibatis)
+   (2.8.11.2)
+
 Connor Kuhn (ckuhn@github)
   * Contributed #1341: FAIL_ON_MISSING_EXTERNAL_TYPE_ID_PROPERTY
    (2.9.0)

release-notes/VERSION-2.x

@@ -33,6 +33,8 @@ Project: jackson-databind
   with `null` coercion with `@JsonSetter`
 #2027: Concurrency error causes `IllegalStateException` on `BeanPropertyMap`
  (reported by franboragina@github)
+#2032: Blacklist another serialization gadget (ibatis)
+ (reported by Guixiong Wu)
 
 2.9.5 (26-Mar-2018)
 

src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

@@ -58,6 +58,8 @@ public class SubTypeValidator
         // [databind#1899]: more 3rd party
         s.add("org.hibernate.jmx.StatisticsService");
         s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+        // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
+        s.add("org.apache.ibatis.parsing.XPathParser");
 
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }