Package init

2019-12-14 18:55:53 +08:00 · 2019-12-14 18:55:53 +08:00 · 4a7ea86acf
commit 4a7ea86acf
parent c4860c309d
5 changed files with 124 additions and 75 deletions
--- a/CVE-2018-7489.patch
+++ b/CVE-2018-7489.patch
@ -0,0 +1,58 @@
 diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
 index 164ab3454..bdd3b2f4e 100644
 --- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
 +++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -19,7 +19,10 @@ import com.fasterxml.jackson.databind.JsonMappingException;
  */
 public class SubTypeValidator
 {
 -    protected final static String PREFIX_STRING = "org.springframework.";
 +    protected final static String PREFIX_SPRING = "org.springframework.";
 +
 +    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
 +
     /**
      * Set of well-known "nasty classes", deserialization of which is considered dangerous
      * and should (and is) prevented by default.
@@ -46,8 +49,9 @@ public class SubTypeValidator
         // [databind#1737]; 3rd party
 //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
 -        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
 -        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
 +
 +// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
 +// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
         // [databind#1855]: more 3rd party
         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
@@ -86,8 +90,10 @@ public class SubTypeValidator
             // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
             //    for some Spring framework types
             // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
 -            if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
 -                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
 +            if (raw.isInterface()) {
 +                ;
 +            } else if (full.startsWith(PREFIX_SPRING)) {
 +                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
                     String name = cls.getSimpleName();
                     // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
                     if ("AbstractPointcutAdvisor".equals(name)
@@ -96,6 +102,16 @@ public class SubTypeValidator
                         break main_check;
                     }
                 }
 +            } else if (full.startsWith(PREFIX_C3P0)) {
 +                // [databind#1737]; more 3rd party
 +                // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
 +                // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
 +                // [databind#1931]; more 3rd party
 +                // com.mchange.v2.c3p0.ComboPooledDataSource
 +                // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource 
 +                if (full.endsWith("DataSource")) {
 +                    break main_check;
 +                }
             }
             return;
         } while (false);
--- a/README.en.md
+++ b/README.en.md
@ -1,36 +0,0 @@
 # jackson-databind
 #### Description
 {**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
 #### Software Architecture
 Software architecture description
 #### Installation
 1.  xxxx
 2.  xxxx
 3.  xxxx
 #### Instructions
 1.  xxxx
 2.  xxxx
 3.  xxxx
 #### Contribution
 1.  Fork the repository
 2.  Create Feat_xxx branch
 3.  Commit your code
 4.  Create Pull Request
 #### Gitee Feature
 1.  You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
 2.  Gitee blog [blog.gitee.com](https://blog.gitee.com)
 3.  Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
 4.  The most valuable open source project [GVP](https://gitee.com/gvp)
 5.  The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
 6.  The most popular members  [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
--- a/README.md
+++ b/README.md
@ -1,39 +0,0 @@
 # jackson-databind
 #### 介绍
 {**以下是码云平台说明，您可以替换此简介**
 码云是 OSCHINA 推出的基于 Git 的代码托管平台（同时支持 SVN）。专为开发者提供稳定、高效、安全的云端软件开发协作平台
 无论是个人、团队、或是企业，都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
 #### 软件架构
 软件架构说明
 #### 安装教程
 1.  xxxx
 2.  xxxx
 3.  xxxx
 #### 使用说明
 1.  xxxx
 2.  xxxx
 3.  xxxx
 #### 参与贡献
 1.  Fork 本仓库
 2.  新建 Feat_xxx 分支
 3.  提交代码
 4.  新建 Pull Request
 #### 码云特技
 1.  使用 Readme\_XXX.md 来支持不同的语言，例如 Readme\_en.md, Readme\_zh.md
 2.  码云官方博客 [blog.gitee.com](https://blog.gitee.com)
 3.  你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
 4.  [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目，是码云综合评定出的优秀开源项目
 5.  码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
 6.  码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
--- a/jackson-databind-2.9.4.tar.gz
+++ b/jackson-databind-2.9.4.tar.gz
--- a/jackson-databind.spec
+++ b/jackson-databind.spec
@ -0,0 +1,66 @@
 %global main_res_dir src/main/resources/META-INF
 %global test_com_dir src/test/java/com/fasterxml/jackson/databind
 Name:          jackson-databind
 Version:       2.9.4
 Release:       5
 Summary:       General data-binding package for Jackson (2.x)
 License:       ASL 2.0 and LGPLv2+
 URL:           https://github.com/FasterXML/jackson-databind/
 Source0:       https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
 Patch0:        CVE-2018-7489.patch
 BuildRequires:  mvn(org.powermock:powermock-module-junit4)
 BuildRequires:  mvn(org.powermock:powermock-api-mockito)
 BuildRequires:  mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires:  mvn(com.google.code.maven-replacer-plugin:replacer)
 BuildRequires:  mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version}
 BuildRequires:  mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
 BuildRequires:  mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
 BuildRequires:  maven-local
 BuildArch:      noarch
 Provides:       jackson-core-javadoc
 Obsoletes:      jackson-core-javadoc
 %description
 The general-purpose data-binding functionality and tree-model for Jackson Data
 Processor. It builds on core streaming parser/generator package, and uses
 Jackson Annotations for configuration.
 %prep
 %autosetup -n %{name}-%{name}-%{version} -p1
 %pom_remove_plugin ":maven-enforcer-plugin"
 cp -p %{main_res_dir}/LICENSE .
 cp -p %{main_res_dir}/NOTICE .
 sed -i 's/\r//' LICENSE NOTICE
 %pom_remove_dep javax.measure:jsr-275
 rm %{test_com_dir}/introspect/NoClassDefFoundWorkaroundTest.java
 %pom_xpath_remove pom:classpathDependencyExcludes
 rm %{test_com_dir}/type/TestTypeFactoryWithClassLoader.java
 rm %{test_com_dir}/ser/jdk/JDKTypeSerializationTest.java
 rm %{test_com_dir}/deser/jdk/JDKStringLikeTypesTest.java
 rm %{test_com_dir}/TestJDKSerialization.java
 %mvn_file : %{name}
 %build
 %mvn_build -- -Dmaven.test.failure.ignore=true
 %install
 %mvn_install
 %files -f .mfiles
 %doc README.md release-notes/*
 %doc %{_javadocdir}/%{name}
 %license LICENSE NOTICE
 %changelog
 * Tue Dec 3 2019 huyan <hu.huyan@huawei.com> - 2.9.4-4
 - Package Initialization