Backport #2326 fix in 2.8 (for theoretical 2.8.11.4)

cowtowncoder · cowtowncoder · commit efc3c0d02f47 · 2019-05-14T07:46:38.000-07:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -3,6 +3,10 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
 
+2.8.11.4 (not released)
+
+#2326: Block one more gadget type (CVE-2019-12086)
+
 2.8.11.3 (23-Nov-2018)
 
 #2097: Block more classes from polymorphic deserialization (CVE-2018-14718
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -82,6 +82,9 @@ public class SubTypeValidator
         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
 
+        // [databind#2326] (2.9.9): one more 3rd party gadget
+        s.add("com.mysql.cj.jdbc.admin.MiniAdmin");        
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
@@ -96,7 +99,8 @@ protected SubTypeValidator() { }
 
     public static SubTypeValidator instance() { return instance; }
 
-    public void validateSubType(DeserializationContext ctxt, JavaType type) throws JsonMappingException
+    public void validateSubType(DeserializationContext ctxt, JavaType type)
+            throws JsonMappingException
     {
         // There are certain nasty classes that could cause problems, mostly
         // via default typing -- catch them here.
