What versions of Jackson are allowed in JBoss 6.4.20 patch?

前端 未结 2 1558
挽巷
挽巷 2021-02-20 05:11

I am trying to update my version of Jackson being used after the 6.4.20 JBoss patch. I\'m using org.codehause.jackson, and JBoss 6.4.x does not provide implicit dep

2条回答
  •  一生所求
    2021-02-20 05:41

    Building on @MhagnumDw's answer, I also encountered the same error with JBoss 6.4.20 patch and used this solution. Here is the source code relevant source code from https://maven.repository.redhat.com/techpreview/all/org/codehaus/jackson/jackson-mapper-asl/1.9.9.redhat-6/jackson-mapper-asl-1.9.9.redhat-6-sources.jar in org.codehaus.jackson.map.deser.BeanDeserializerFactory;

    /**
         * @since 1.9.9.redhat-5
         */
    protected void checkLegalTypes(DeserializationConfig config, JavaType type,
            BeanDescription beanDesc)
        throws JsonMappingException
    {
        // There are certain nasty classes that could cause problems, mostly
        // via default typing -- catch them here.
        String full = type.getRawClass().getName();
    
        Iterator iter = _cfgLegalPackageNames.iterator();
    
        boolean pass = false;
    
        while(iter.hasNext()) {
            if(full.startsWith(iter.next())) {
                pass = true;
                break;
            }
        }
    
        if(!pass) {
            throw new JsonMappingException(
                                      String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
        }
    }
    

    You can see that full.startsWith(iter.next()) means you can put in higher level package names to whitelist. For example,

    
        
    
    

    would whitelist br.com.myapp.package.aclass and br.com.myapp.package.bclass

提交回复
热议问题