From f391169515d77446e94da4836eb65adfbc8acfa2 Mon Sep 17 00:00:00 2001
Date: Mon, 11 Jan 2021 17:32:52 +0800
Subject: [PATCH] Fix and document CVE-2020-26258.
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index 692243e..8a4b104 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -698,7 +698,11 @@ public class XStream {
 }
 addPermission(AnyTypePermission.ANY);
- denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
+ denyTypes(new String[]{
+ "java.beans.EventHandler", //
+ "java.lang.ProcessBuilder", //
+ "javax.imageio.ImageIO$ContainsFilter", //
+ "jdk.nashorn.internal.objects.NativeString"});
 denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
 allowTypeHierarchy(Exception.class);
 securityInitialized = false;
--
2.23.0
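Review bot: The enlarged `denyTypes` array is still layered on top of `addPermission(AnyTypePermission.ANY)` two lines above it, so the two new entries only close the specific class names listed and every type not named here stays permitted by default; `denyTypes` matches exact names, so subclasses and other unlisted types are unaffected. That is the fix the commit intends, but nothing in the hunk records that this remains a deny-list default rather than a hardening of the permission model, which a reader of the Javadoc-less array will not see. I would add one comment above the array, `// CVE-2020-26258: deny known unsafe types; AnyTypePermission.ANY above keeps the default allow-all, so deployments should still restrict types via allowTypeHierarchy(...)/allow rules`, and a word on the bare trailing `//` markers, which appear to be formatter hints to keep one entry per line rather than commentary. The enclosing method starts and ends outside the hunk.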