Merge branch '2.7' into 2.8

Author: cowtowncoder

release-notes/VERSION

@@ -10,6 +10,7 @@ Project: jackson-databind
  (reported by Rob W)
 #1899: Another two gadgets to exploit default typing issue in jackson-databind
  (reported by OneSourceCat@github)
+#1931: Two more `c3p0` gadgets to exploit default typing issue
 
 2.8.11 (24-Dec-2017)
 

src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

@@ -18,7 +18,10 @@
  */
 public class SubTypeValidator
 {
-    protected final static String PREFIX_STRING = "org.springframework.";
+    protected final static String PREFIX_SPRING = "org.springframework.";
+
+    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
+
     /**
      * Set of well-known "nasty classes", deserialization of which is considered dangerous
      * and should (and is) prevented by default.
@@ -45,8 +48,9 @@ public class SubTypeValidator
         // [databind#1737]; 3rd party
 //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
-        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+
+// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
+// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
         // [databind#1855]: more 3rd party
         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
@@ -84,8 +88,10 @@ public void validateSubType(DeserializationContext ctxt, JavaType type) throws J
             // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
             //    for some Spring framework types
             // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
-            if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
-                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
+            if (raw.isInterface()) {
+                ;
+            } else if (full.startsWith(PREFIX_SPRING)) {
+                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
                     String name = cls.getSimpleName();
                     // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
                     if ("AbstractPointcutAdvisor".equals(name)
@@ -94,6 +100,16 @@ public void validateSubType(DeserializationContext ctxt, JavaType type) throws J
                         break main_check;
                     }
                 }
+            } else if (full.startsWith(PREFIX_C3P0)) {
+                // [databind#1737]; more 3rd party
+                // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+                // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+                // [databind#1931]; more 3rd party
+                // com.mchange.v2.c3p0.ComboPooledDataSource
+                // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource 
+                if (full.endsWith("DataSource")) {
+                    break main_check;
+                }
             }
             return;
         } while (false);

src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java

@@ -8,6 +8,10 @@
 
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
 import com.fasterxml.jackson.databind.*;
+import com.mchange.v2.c3p0.jacksontest.ComboPooledDataSource;
+
+import java.util.ArrayList;
+import java.util.List;
 
 /**
  * Test case(s) to guard against handling of types that are illegal to handle
@@ -37,7 +41,7 @@ static class Authentication1872 {
      */
 
     private final ObjectMapper MAPPER = objectMapper();
-    
+
     // // // Tests for [databind#1599]
 
     public void testXalanTypes1599() throws Exception
@@ -85,34 +89,34 @@ public void testJDKTypes1855() throws Exception
 
     // 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
     //    but would require adding dependencies. This may be practical when
-    //    checking done by module, but for now let's not do that for databind.
+    //    checking done by separate module, but for now let's not do that for databind.
 
     /*
     public void testSpringTypes1737() throws Exception
     {
         _testIllegalType("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
         _testIllegalType("org.springframework.beans.factory.config.PropertyPathFactoryBean");
     }
-
-    public void testC3P0Types1737() throws Exception
-    {
-        _testTypes1737("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-        _testTypes1737("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-    }
     */
 
     // // // Tests for [databind#1872]
     public void testJDKTypes1872() throws Exception
     {
         ObjectMapper mapper = new ObjectMapper();
         mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
-    
+
         String json = aposToQuotes(String.format("{'@class':'%s','authorities':['java.util.ArrayList',[]]}",
                 Authentication1872.class.getName()));
         Authentication1872 result = mapper.readValue(json, Authentication1872.class);
         assertNotNull(result);
     }
 
+    // [databind#1931]
+    public void testC3P0Types() throws Exception
+    {
+        _testIllegalType(ComboPooledDataSource.class); // [databind#1931]
+    }
+
     private void _testIllegalType(Class<?> nasty) throws Exception {
         _testIllegalType(nasty.getName());
     }

src/test/java/com/mchange/v2/c3p0/jacksontest/ComboPooledDataSource.java

@@ -0,0 +1,6 @@
+package com.mchange.v2.c3p0.jacksontest;
+
+// test class for [databind#1931]
+public class ComboPooledDataSource {
+
+}