From efc3c0d02f4743dbaa6d1b9c466772a2f13d966b Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Tue, 14 May 2019 07:46:38 -0700
Subject: [PATCH] Backport #2326 fix in 2.8 (for theoretical 2.8.11.4)
---
 release-notes/VERSION | 4 ++++
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 6 +++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/release-notes/VERSION b/release-notes/VERSION
index 02dc4c53e5..60f84df46f 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -3,6 +3,10 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
+2.8.11.4 (not released)
+
+#2326: Block one more gadget type (CVE-2019-12086)
+
 2.8.11.3 (23-Nov-2018)
 #2097: Block more classes from polymorphic deserialization (CVE-2018-14718
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index fc35c67d6e..6f663237ec 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -82,6 +82,9 @@ public class SubTypeValidator
 s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
 s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+ // [databind#2326] (2.9.9): one more 3rd party gadget
+ s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
@@ -96,7 +99,8 @@ protected SubTypeValidator() { }
 public static SubTypeValidator instance() { return instance; }
- public void validateSubType(DeserializationContext ctxt, JavaType type) throws JsonMappingException
+ public void validateSubType(DeserializationContext ctxt, JavaType type)
+ throws JsonMappingException
 {
 // There are certain nasty classes that could cause problems, mostly
 // via default typing -- catch them here.
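Review bot: The added `s.add("com.mysql.cj.jdbc.admin.MiniAdmin")` blocks one exact class name, so a subclass or a shaded/relocated copy of the same class would pass if `validateSubType` compares raw names against `DEFAULT_NO_DESER_CLASS_NAMES` — its body lies outside this hunk, so I cannot confirm the comparison from here. The comment above it, `// [databind#2326] (2.9.9): one more 3rd party gadget`, tells a later maintainer nothing about what makes the class dangerous; I would write `// [databind#2326] (2.9.9): MySQL Connector/J MiniAdmin (CVE-2019-12086); its constructor takes a JDBC URL and connects to it, so attacker-supplied input reaches the driver` after confirming that description against the advisory, since the hunk itself shows only the name. As a denylist entry the change does nothing about the underlying precondition, enabling default typing on untrusted input, so the 2.8.11.4 release note would serve users better if it also pointed them at disabling default typing or using an explicit subtype allowlist rather than relying on this list alone.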