Fix 1/3 of #1855

Author: cowtowncoder

release-notes/VERSION

@@ -12,6 +12,7 @@ Project: jackson-databind
  (reported by Villane@github)
 #1680: Blacklist couple more types for deserialization
 #1737: Block more JDK types from polymorphic deserialization
+#1855: (partial) Blacklist for more serialization gadgets (dbcp/tomcat)
 
 2.7.9.1 (18-Apr-2017)
 

src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java

@@ -68,7 +68,9 @@ public class BeanDeserializerFactory
         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-
+        // [databind#1855]: more 3rd party
+        s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+        s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java

@@ -58,8 +58,15 @@ public void testXalanTypes1599() throws Exception
 
     public void testJDKTypes1737() throws Exception
     {
-        _testTypes1737(java.util.logging.FileHandler.class);
-        _testTypes1737(java.rmi.server.UnicastRemoteObject.class);
+        _testIllegalType(java.util.logging.FileHandler.class);
+        _testIllegalType(java.rmi.server.UnicastRemoteObject.class);
+    }
+
+    // // // Tests for [databind#1855]
+    public void testJDKTypes1855() throws Exception
+    {
+        // apparently included by JDK?
+        _testIllegalType("com.sun.org.apache.bcel.internal.util.ClassLoader");
     }
 
     // 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
@@ -69,22 +76,22 @@ public void testJDKTypes1737() throws Exception
     /*
     public void testSpringTypes1737() throws Exception
     {
-        _testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
-        _testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+        _testIllegalType("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
+        _testIllegalType("org.springframework.beans.factory.config.PropertyPathFactoryBean");
     }
 
     public void testC3P0Types1737() throws Exception
     {
-        _testTypes1737("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-        _testTypes1737("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+        _testIllegalType("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+        _testIllegalType("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
     }
     */
 
-    private void _testTypes1737(Class<?> nasty) throws Exception {
-        _testTypes1737(nasty.getName());
+    private void _testIllegalType(Class<?> nasty) throws Exception {
+        _testIllegalType(nasty.getName());
     }
 
-    private void _testTypes1737(String clsName) throws Exception
+    private void _testIllegalType(String clsName) throws Exception
     {
         // While usually exploited via default typing let's not require
         // it here; mechanism still the same