From 80ecfc42ecf81d718400d7b8c557179955ae3854 Mon Sep 17 00:00:00 2001
From: Marek Tokarski
Date: Fri, 8 May 2020 11:27:47 +0200
Subject: [PATCH] Block one more gadget type (weblogic/oracle-aqjms)

Merged from FasterXML/jackson-databind#2698
---
 release-notes/VERSION | 1 +
 .../jackson/map/jsontype/impl/SubTypeValidator.java | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/release-notes/VERSION b/release-notes/VERSION
index 0880ddfe8..9ef85fa88 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -63,6 +63,7 @@ One more patch release for 1.9.
 * [databind#2680]: Block one more gadget type (SSRF, spring-jpa, CVE-2020-11619)
 * [databind#2682]: Block one more gadget type (commons-jelly, CVE-2020-11620)
 * [databind#2688]: Block one more gadget type (apache-drill)
+* [databind#2698]: Block one more gadget type (weblogic/oracle-aqjms)
 1.9.13 (14-Jul-2013)
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
index 1482709c3..fd0ecf1a7 100644
--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -164,6 +164,15 @@ public class SubTypeValidator
 // [databind#2688]: apache/drill
 s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
+ // [databind#2698]: weblogic w/ oracle/aq-jms
+ // (note: dependency not available via Maven Central, but as part of
+ // weblogic installation, possibly fairly old version(s))
+ s.add("oracle.jms.AQjmsQueueConnectionFactory");
+ s.add("oracle.jms.AQjmsXATopicConnectionFactory");
+ s.add("oracle.jms.AQjmsTopicConnectionFactory");
+ s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
+ s.add("oracle.jms.AQjmsXAConnectionFactory");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
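Review bot: The five `oracle.jms.AQjms*ConnectionFactory` names added to the set `s` are plain string literals, and the diffstat shows only two files changed, neither of them a test, so a typo in any name would compile cleanly and leave that class unblocked. Because the comment says the jar is not on Maven Central, the real classes cannot be loaded in a test, but the names can still be pinned, e.g. `assertTrue(names.contains("oracle.jms.AQjmsXAConnectionFactory"));` against the default set for each of the five entries (assuming the set is reachable from test code). The lookup that consumes this set is outside the hunk; if it compares exact class names, as the literals suggest, the comment should also state that subclasses of these factories are not covered by the entries. The static initializer that builds `s` starts before the hunk.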