From 98c42f7a2750c877c652de8cf8f4f2fe0443671c Mon Sep 17 00:00:00 2001
From: Marek Tokarski <mtokarski@atlassian.com>
Date: Fri, 8 May 2020 11:49:19 +0200
Subject: [PATCH] Block two more gadget types (commons-configuration/-2)

Merged from FasterXML/jackson-databind#2462
---
 release-notes/VERSION                                        | 1 +
 .../codehaus/jackson/map/jsontype/impl/SubTypeValidator.java | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/release-notes/VERSION b/release-notes/VERSION
index 9ef85fa88..6adb62c67 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -64,6 +64,7 @@ One more patch release for 1.9.
 * [databind#2682]: Block one more gadget type (commons-jelly, CVE-2020-11620)
 * [databind#2688]: Block one more gadget type (apache-drill)
 * [databind#2698]: Block one more gadget type (weblogic/oracle-aqjms)
+* [databind#2462]: Block two more gadget types (commons-configuration/-2)
 
 1.9.13 (14-Jul-2013)
 
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
index fd0ecf1a7..53c00c613 100644
--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -99,6 +99,11 @@ public class SubTypeValidator
         s.add("com.zaxxer.hikari.HikariDataSource");
         // [databind#2420]: CXF/JAX-RS provider/XSLT
         s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+
+        // [databind#2462]: commons-configuration / -2
+        s.add("org.apache.commons.configuration.JNDIConfiguration");
+        s.add("org.apache.commons.configuration2.JNDIConfiguration");
+
         // [databind#2478]: comons-dbcp, p6spy
         s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
         s.add("com.p6spy.engine.spy.P6DataSource");