diff --git a/CVE-2018-7489.patch b/CVE-2018-7489.patch
new file mode 100644
index 0000000..b8a9803
--- /dev/null
+++ b/CVE-2018-7489.patch
@@ -0,0 +1,58 @@
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 164ab3454..bdd3b2f4e 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -19,7 +19,10 @@ import com.fasterxml.jackson.databind.JsonMappingException;
+ */
+ public class SubTypeValidator
+ {
+- protected final static String PREFIX_STRING = "org.springframework.";
++ protected final static String PREFIX_SPRING = "org.springframework.";
++
++ protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
++
+ /**
+ * Set of well-known "nasty classes", deserialization of which is considered dangerous
+ * and should (and is) prevented by default.
+@@ -46,8 +49,9 @@ public class SubTypeValidator
+ // [databind#1737]; 3rd party
+ //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+- s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+- s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++
++// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
++// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
+ // [databind#1855]: more 3rd party
+ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+@@ -86,8 +90,10 @@ public class SubTypeValidator
+ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
+ // for some Spring framework types
+ // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
+- if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
+- for (Class cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
++ if (raw.isInterface()) {
++ ;
++ } else if (full.startsWith(PREFIX_SPRING)) {
++ for (Class cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
+ String name = cls.getSimpleName();
+ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
+ if ("AbstractPointcutAdvisor".equals(name)
+@@ -96,6 +102,16 @@ public class SubTypeValidator
+ break main_check;
+ }
+ }
++ } else if (full.startsWith(PREFIX_C3P0)) {
++ // [databind#1737]; more 3rd party
++ // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
++ // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++ // [databind#1931]; more 3rd party
++ // com.mchange.v2.c3p0.ComboPooledDataSource
++ // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
++ if (full.endsWith("DataSource")) {
++ break main_check;
++ }
+ }
+ return;
+ } while (false);
diff --git a/README.en.md b/README.en.md
deleted file mode 100644
index 143b5d9..0000000
--- a/README.en.md
+++ /dev/null
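Review bot: The patch file starts directly at `diff --git` with no header recording where it comes from, so a reviewer cannot tell whether it is the verbatim upstream fix for CVE-2018-7489 or a locally edited backport without diffing it against upstream by hand. The code comments inside it cite `[databind#1931]`, which points at the upstream issue, but no upstream commit is named anywhere in the file. Free text above the first `diff --git` line is ignored by `patch`, `git apply` and `%autosetup -p1`, so a header such as `Origin: backport of FasterXML/jackson-databind commit <UPSTREAM-COMMIT-ID placeholder>` / `Bug: CVE-2018-7489 (databind#1931)` costs nothing and makes the provenance auditable. As carried, the patch touches only SubTypeValidator.java (its single file header), so nothing in the build exercises the new `PREFIX_C3P0` branch; if the upstream fix came with a test, carrying it here would let the package verify that c3p0 `DataSource` subtypes are still rejected after future rebases.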
@@ -1,36 +0,0 @@
-# jackson-databind
-
-#### Description
-{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
-
-#### Software Architecture
-Software architecture description
-
-#### Installation
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Instructions
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Contribution
-
-1. Fork the repository
-2. Create Feat_xxx branch
-3. Commit your code
-4. Create Pull Request
-
-
-#### Gitee Feature
-
-1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
-2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
-3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
-4. The most valuable open source project [GVP](https://gitee.com/gvp)
-5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
-6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/README.md b/README.md
deleted file mode 100644
index 89c0b63..0000000
--- a/README.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# jackson-databind
-
-#### 介绍
-{**以下是码云平台说明,您可以替换此简介**
-码云是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN)。专为开发者提供稳定、高效、安全的云端软件开发协作平台
-无论是个人、团队、或是企业,都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
-
-#### 软件架构
-软件架构说明
-
-
-#### 安装教程
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 使用说明
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 参与贡献
-
-1. Fork 本仓库
-2. 新建 Feat_xxx 分支
-3. 提交代码
-4. 新建 Pull Request
-
-
-#### 码云特技
-
-1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
-2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com)
-3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
-4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目
-5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
-6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/jackson-databind-2.9.4.tar.gz b/jackson-databind-2.9.4.tar.gz
new file mode 100644
index 0000000..b7a2e06
Binary files /dev/null and b/jackson-databind-2.9.4.tar.gz differ
diff --git a/jackson-databind.spec b/jackson-databind.spec
new file mode 100644
index 0000000..e00e044
--- /dev/null
+++ b/jackson-databind.spec
@@ -0,0 +1,66 @@
+%global main_res_dir src/main/resources/META-INF
+%global test_com_dir src/test/java/com/fasterxml/jackson/databind
+
+Name: jackson-databind
+Version: 2.9.4
+Release: 5
+Summary: General data-binding package for Jackson (2.x)
+License: ASL 2.0 and LGPLv2+
+URL: https://github.com/FasterXML/jackson-databind/
+Source0: https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
+Patch0: CVE-2018-7489.patch
+
+BuildRequires: mvn(org.powermock:powermock-module-junit4)
+BuildRequires: mvn(org.powermock:powermock-api-mockito)
+BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
+BuildRequires: mvn(com.google.code.maven-replacer-plugin:replacer)
+BuildRequires: mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version}
+BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
+BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
+BuildRequires: maven-local
+
+BuildArch: noarch
+
+Provides: jackson-core-javadoc
+Obsoletes: jackson-core-javadoc
+
+%description
+The general-purpose data-binding functionality and tree-model for Jackson Data
+Processor. It builds on core streaming parser/generator package, and uses
+Jackson Annotations for configuration.
+
+%prep
+%autosetup -n %{name}-%{name}-%{version} -p1
+
+%pom_remove_plugin ":maven-enforcer-plugin"
+
+cp -p %{main_res_dir}/LICENSE .
+cp -p %{main_res_dir}/NOTICE .
+sed -i 's/\r//' LICENSE NOTICE
+
+%pom_remove_dep javax.measure:jsr-275
+rm %{test_com_dir}/introspect/NoClassDefFoundWorkaroundTest.java
+%pom_xpath_remove pom:classpathDependencyExcludes
+
+rm %{test_com_dir}/type/TestTypeFactoryWithClassLoader.java
+rm %{test_com_dir}/ser/jdk/JDKTypeSerializationTest.java
+rm %{test_com_dir}/deser/jdk/JDKStringLikeTypesTest.java
+rm %{test_com_dir}/TestJDKSerialization.java
+
+%mvn_file : %{name}
+
+%build
+%mvn_build -- -Dmaven.test.failure.ignore=true
+
+%install
+%mvn_install
+
+%files -f .mfiles
+%doc README.md release-notes/*
+%doc %{_javadocdir}/%{name}
+%license LICENSE NOTICE
+
+
+%changelog
+* Tue Dec 3 2019 huyan - 2.9.4-4
+- Package Initialization
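Review bot: `Release: 5` disagrees with the only changelog entry, `* Tue Dec 3 2019 huyan - 2.9.4-4`, and no entry mentions that `Patch0: CVE-2018-7489.patch` is applied, so the package's own history does not record the security fix it ships and rpmlint will report an incoherent version in the changelog; add an entry such as `* <DATE placeholder> <packager placeholder> - 2.9.4-5` / `- Apply CVE-2018-7489.patch (SubTypeValidator: block c3p0 DataSource subtypes)`. `%mvn_build -- -Dmaven.test.failure.ignore=true` lets the build succeed when the test suite fails, so a regression introduced by the patch in SubTypeValidator would still be packaged; if the flag is required by the build environment, a comment naming the tests known to fail would let a later packager revisit it. The four `rm %{test_com_dir}/...` lines likewise carry no reason; a one-line comment above each (why that test cannot run in the build root) would keep them from being carried forward blindly into later versions.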