README.md

@@ -25,7 +25,7 @@ Functionality of this package is contained in Java package `com.fasterxml.jackso
 <properties>
   ...
   <!-- Use the latest version whenever possible. -->
-  <jackson.version>2.9.0</jackson.version>
+  <jackson.version>2.10.0</jackson.version>
   ...
 </properties>
 
@@ -419,13 +419,13 @@ usually a Jackson module.
 `master` branch is for developing the next major Jackson version -- 3.0 -- but there
 are active maintenance branches in which much of development happens:
 
-* `2.10` is for developing the next (and possibly last) minor 2.x version
-* `2.8` and `2.9` are for backported fixes for 2.8/2.9 patch versions
+* `2.10` is the current stable minor 2.x version
+* `2.9` is for selected backported fixes 
 
 Older branches are usually not maintained after being declared as closed
 on [Jackson Releases](https://github.com/FasterXML/jackson/wiki/Jackson-Releases) page,
 but exist just in case a rare emergency patch is needed.
-All released versions have matching git tags (`jackson-dataformats-binary-2.9.4`).
+All released versions have matching git tags (`jackson-dataformats-binary-2.9.10`).
 
 -----
 

debian/changelog

+jackson-databind (2.10.1-1) unstable; urgency=medium
+
+  * New upstream version 2.10.1.
+  * Drop CVE-2019-16942-and-CVE-2019-16943.patch. Fixed upstream.
+
+ -- Markus Koschany <apo@debian.org>  Sun, 15 Dec 2019 16:07:37 +0100
+
 jackson-databind (2.10.0-2) unstable; urgency=high
 
   * Fix CVE-2019-16942 and CVE-2019-16943.

debian/patches/CVE-2019-16942-and-CVE-2019-16943.patch

-From: Markus Koschany <apo@debian.org>
-Date: Thu, 3 Oct 2019 15:56:30 +0200
-Subject: CVE-2019-16942 and CVE-2019-16943
-
-Forwarded: not-needed
----
- .../fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java    | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-index e54149e..4215b4e 100644
---- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-@@ -112,6 +112,10 @@ public class SubTypeValidator
-         // [databind#2469]: xalan2
-         s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
- 
-+        // [databind#2478]: comons-dbcp, p6spy
-+        s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
-+        s.add("com.p6spy.engine.spy.P6DataSource");
-+
-         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
-     }
- 

debian/patches/base-pom.patch

@@ -18,7 +18,7 @@ index 95fdb10..4ee8e91 100644
    <parent>
      <groupId>com.fasterxml.jackson</groupId>
      <artifactId>jackson-base</artifactId>
--    <version>2.10.0</version>
+-    <version>2.10.1</version>
 +    <version>2.9.8</version>
    </parent>
  

debian/patches/series

 base-pom.patch
-CVE-2019-16942-and-CVE-2019-16943.patch

pom.xml

@@ -5,12 +5,12 @@
   <parent>
     <groupId>com.fasterxml.jackson</groupId>
     <artifactId>jackson-base</artifactId>
-    <version>2.10.0</version>
+    <version>2.10.1</version>
   </parent>
 
   <groupId>com.fasterxml.jackson.core</groupId>
   <artifactId>jackson-databind</artifactId>
-  <version>2.10.0</version>
+  <version>2.10.1</version>
   <name>jackson-databind</name>
   <packaging>bundle</packaging>
   <description>General data-binding functionality for Jackson: works on core streaming API</description>
@@ -21,7 +21,7 @@
     <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
     <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection>
     <url>http://github.com/FasterXML/jackson-databind</url>
-    <tag>jackson-databind-2.10.0</tag>
+    <tag>jackson-databind-2.10.1</tag>
   </scm>
 
   <properties>
@@ -187,15 +187,6 @@
     </plugins>
   </build>
 
-  <reporting>
-    <plugins>
-      <plugin>
-        <groupId>org.codehaus.mojo</groupId>
-        <artifactId>cobertura-maven-plugin</artifactId>
-      </plugin>
-    </plugins>
-  </reporting>
-
   <profiles>
     <profile>
       <id>release</id>

release-notes/CREDITS-2.x

@@ -971,3 +971,31 @@ Martín Coll (colltoaction@github)
   * Contributed #2467: Accept `JsonTypeInfo.As.WRAPPER_ARRAY` with no second argument to
    deserialize as "null value"
   (2.10.0)
+
+Andrey Kulikov (ankulikov@github)
+  * Reported #2457: Extended enum values are not handled as enums when used as Map keys
+  (2.10.1)
+
+João Guerra (joca-bt@github)
+  * Reported #2473: Array index missing in path of `JsonMappingException` for `Collection<String>`,
+    with custom deserializer
+  (2.10.1)
+
+Ryan Bohn (bohnman@github)
+  * Reported #2475: `StringCollectionSerializer` calls `JsonGenerator.setCurrentValue(value)`,
+    which messes up current value for sibling properties
+  (2.10.1)
+
+Johan Haleby (johanhaleby@github)
+  * Reported #2513: BigDecimalAsStringSerializer in NumberSerializer throws IllegalStateException
+    in 2.10
+  (2.10.1)
+
+Richard Wise (Woodz@github)
+  * Reported #2519: Serializing `BigDecimal` values inside containers ignores shape override	
+  (2.10.1)
+
+Mark Schäfer (mark--@github)
+  * Reported #2520: Sub-optimal exception message when failing to deserialize non-static inner classes
+  (2.10.1)
+

release-notes/VERSION-2.x

@@ -4,6 +4,28 @@ Project: jackson-databind
 === Releases === 
 ------------------------------------------------------------------------
 
+2.10.1 (09-Nov-2019)
+
+#2457: Extended enum values are not handled as enums when used as Map keys
+ (reported by Andrey K)
+#2473: Array index missing in path of `JsonMappingException` for `Collection<String>`,
+  with custom deserializer
+ (reported by João G)
+#2475: `StringCollectionSerializer` calls `JsonGenerator.setCurrentValue(value)`,
+  which messes up current value for sibling properties
+ (reported by Ryan B)
+#2485: Add `uses` for `Module` in module-info
+ (contributed by Marc M)
+#2513: BigDecimalAsStringSerializer in NumberSerializer throws IllegalStateException in 2.10
+ (reported by Johan H)
+#2519: Serializing `BigDecimal` values inside containers ignores shape override
+ (reported by Richard W)
+#2520: Sub-optimal exception message when failing to deserialize non-static inner classes
+ (reported by Mark S)
+#2529: Add tests to ensure `EnumSet` and `EnumMap` work correctly with "null-as-empty"
+#2534: Add `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()`
+#2535: Allow String-to-byte[] coercion for String-value collections
+
 2.10.0 (26-Sep-2019)
 
 #18: Make `JsonNode` serializable
@@ -76,6 +98,8 @@ Project: jackson-databind
  (reported by Victor N)
 #2339: Suboptimal return type for `ObjectNode.set()`
  (reported by Victor N)
+#2348: Add sanity checks for `ObjectMapper.readXXX()` methods
+ (requested by ebundy@github)
 #2349: Add option `DefaultTyping.EVERYTHING` to support Kotlin data classes
 #2357: Lack of path on MismatchedInputException
  (suggested by TheEin@github)
@@ -95,7 +119,7 @@ Project: jackson-databind
 #2416: Optimize `ValueInstantiator` construction for default `Collection`, `Map` types
 #2422: `scala.collection.immutable.ListMap` fails to serialize since 2.9.3
  (reported by dejanlokar1@github)
-#2425: Add global config override setting for `@JsonFormat.lenient()`
+#2424: Add global config override setting for `@JsonFormat.lenient()`
 #2428: Use "activateDefaultTyping" over "enableDefaultTyping" in 2.10 with new methods
 #2430: Change `ObjectMapper.valueToTree()` to convert `null` to `NullNode`
 #2432: Add support for module bundles
@@ -117,6 +141,18 @@ Project: jackson-databind
   deserialize as "null value"
  (contributed by Martin C)
 
+2.9.10.2 (not yet released)
+
+#2526: Block two more gadget types (ehcache/JNDI - CVEs to be allocated)
+  (repoerted by UltramanGaia)
+
+2.9.10.1 (20-Oct-2019)
+
+#2478: Block two more gadget types (commons-dbcp, p6spy,
+  CVE-2019-16942 / CVE-2019-16943)
+ (reported by b5mali4 / root@codersec.net)
+#2498: Block one more gadget type (log4j-extras/1.2, CVE-2019-17531)
+
 2.9.10 (21-Sep-2019)
 
 #2331: `JsonMappingException` through nested getter with generic wildcard return type
@@ -135,7 +171,7 @@ Project: jackson-databind
   (reported by crazylirui@gmail.com)
 #2449: Block one more gadget type (CVE-2019-14540)
   (reported by kingkk)
-#2460: Block one mode gadget type (ehcache, no CVE allocated yet)
+#2460: Block one more gadget type (ehcache, CVE-2019-17267)
   (reported by Fei Lu)
 #2462: Block two more gadget types (commons-configuration)
 #2469: Block one more gadget type (xalan2)

src/main/java/com/fasterxml/jackson/databind/DatabindContext.java

@@ -242,8 +242,9 @@ public abstract class DatabindContext
         }
         final JavaType subType = config.getTypeFactory().constructSpecializedType(baseType, cls);
         // May skip check if type was allowed by subclass name already
+        if (vld == Validity.INDETERMINATE) {
+            vld = ptv.validateSubType(config, baseType, subType);
             if (vld != Validity.ALLOWED) {
-            if (ptv.validateSubType(config, baseType, subType) != Validity.ALLOWED) {
                 return _throwSubtypeClassNotAllowed(baseType, subClass, ptv);
             }
         }

src/main/java/com/fasterxml/jackson/databind/DeserializationConfig.java

@@ -28,6 +28,9 @@ public final class DeserializationConfig
     // since 2.9
     private static final long serialVersionUID = 2;
 
+    // since 2.10.1
+    private final static int DESER_FEATURE_DEFAULTS = collectFeatureDefaults(DeserializationFeature.class);
+
     /*
     /**********************************************************
     /* Configured helper objects
@@ -101,7 +104,7 @@ public final class DeserializationConfig
             ConfigOverrides configOverrides)
     {
         super(base, str, mixins, rootNames, configOverrides);
-        _deserFeatures = collectFeatureDefaults(DeserializationFeature.class);
+        _deserFeatures = DESER_FEATURE_DEFAULTS;
         _nodeFactory = JsonNodeFactory.instance;
         _problemHandlers = null;
         _parserFeatures = 0;

src/main/java/com/fasterxml/jackson/databind/DeserializationContext.java

@@ -1754,7 +1754,7 @@ trailingToken, ClassUtil.nameOf(targetType)
     public JsonMappingException invalidTypeIdException(JavaType baseType, String typeId,
             String extraDesc) {
         String msg = String.format("Could not resolve type id '%s' as a subtype of %s",
-                typeId, baseType);
+                typeId, ClassUtil.getTypeDescription(baseType));
         return InvalidTypeIdException.from(_parser, _colonConcat(msg, extraDesc), baseType, typeId);
     }
 
@@ -1784,7 +1784,7 @@ trailingToken, ClassUtil.nameOf(targetType)
             String extraDesc)
     {
         String msg = String.format("Could not resolve type id '%s' into a subtype of %s",
-                id, type);
+                id, ClassUtil.getTypeDescription(type));
         msg = _colonConcat(msg, extraDesc);
         return MismatchedInputException.from(_parser, type, msg);
     }

src/main/java/com/fasterxml/jackson/databind/JavaType.java

@@ -288,7 +288,13 @@ public abstract class JavaType
     public boolean isArrayType() { return false; }
 
     @Override
-    public final boolean isEnumType() { return _class.isEnum(); }
+    public final boolean isEnumType() {
+        // 29-Sep-2019, tatu: `Class.isEnum()` not enough to detect custom subtypes,
+        //   but for some reason this fix will break couple of unit tests:
+        // See [databind#2480]:
+//        return ClassUtil.isEnumType(_class);
+        return _class.isEnum();
+    }
 
     @Override
     public final boolean isInterface() { return _class.isInterface(); }

src/main/java/com/fasterxml/jackson/databind/JsonDeserializer.java

@@ -82,7 +82,7 @@ public abstract class JsonDeserializer<T>
      *  after the @class. Thus, if you want your method to work correctly
      *  both with and without polymorphism, you must begin your method with:
      *  <pre>
-     *       if (p.getCurrentToken() == JsonToken.START_OBJECT) {
+     *       if (p.currentToken() == JsonToken.START_OBJECT) {
      *         p.nextToken();
      *       }
      *  </pre>

src/main/java/com/fasterxml/jackson/databind/JsonNode.java

@@ -85,7 +85,7 @@ public abstract class JsonNode
      * Convenience method that is functionally same as:
      *<pre>
      *    size() == 0
-     *<pre>
+     *</pre>
      * for all node types.
      *
      * @since 2.10
@@ -683,45 +683,122 @@ public abstract class JsonNode
      */
 
     /**
+     * Method that may be called to verify that {@code this} node is NOT so-called
+     * "missing node": that is, one for which {@link #isMissingNode()} returns {@code true}.
+     * If not missing node, {@code this} is returned to allow chaining; otherwise
+     * {@link IllegalArgumentException} is thrown.
+     *
+     * @return {@code this} node to allow chaining
+     *
+     * @throws IllegalArgumentException if this node is "missing node"
+     *
      * @since 2.10
      */
-    public <T extends JsonNode> T require() {
+    public <T extends JsonNode> T require() throws IllegalArgumentException {
         return _this();
     }
 
     /**
+     * Method that may be called to verify that {@code this} node is neither so-called
+     * "missing node" (that is, one for which {@link #isMissingNode()} returns {@code true})
+     * nor "null node" (one for which {@link #isNull()} returns {@code true}).
+     * If non-null non-missing node, {@code this} is returned to allow chaining; otherwise
+     * {@link IllegalArgumentException} is thrown.
+     *
+     * @return {@code this} node to allow chaining
+     *
+     * @throws IllegalArgumentException if this node is either "missing node" or "null node"
+     *
      * @since 2.10
      */
-    public <T extends JsonNode> T requireNonNull() {
+    public <T extends JsonNode> T requireNonNull() throws IllegalArgumentException {
         return _this();
     }
 
     /**
+     * Method is functionally equivalent to
+     *{@code
+     *   path(fieldName).required()
+     *}
+     * and can be used to check that this node is an {@code ObjectNode} (that is, represents
+     * JSON Object value) and has value for specified property with key {@code fieldName}
+     * (but note that value may be explicit JSON null value).
+     * If this node is Object Node and has value for specified property, {@code this} is returned
+     * to allow chaining; otherwise {@link IllegalArgumentException} is thrown.
+     *
+     * @return {@code this} node to allow chaining
+     *
+     * @throws IllegalArgumentException if this node is not an Object node or if it does not
+     *   have value for specified property
+     *
      * @since 2.10
      */
-    public JsonNode required(String fieldName) {
+    public JsonNode required(String fieldName) throws IllegalArgumentException {
         return _reportRequiredViolation("Node of type `%s` has no fields", getClass().getName());
     }
 
     /**
+     * Method is functionally equivalent to
+     *{@code
+     *   path(index).required()
+     *}
+     * and can be used to check that this node is an {@code ArrayNode} (that is, represents
+     * JSON Array value) and has value for specified {@code index}
+     * (but note that value may be explicit JSON null value).
+     * If this node is Array Node and has value for specified index, {@code this} is returned
+     * to allow chaining; otherwise {@link IllegalArgumentException} is thrown.
+     *
+     * @return {@code this} node to allow chaining
+     *
+     * @throws IllegalArgumentException if this node is not an Array node or if it does not
+     *   have value for specified index
+     *
      * @since 2.10
      */
-    public JsonNode required(int index) {
+    public JsonNode required(int index) throws IllegalArgumentException {
         return _reportRequiredViolation("Node of type `%s` has no indexed values", getClass().getName());
     }
 
     /**
+     * Method is functionally equivalent to
+     *{@code
+     *   at(pathExpr).required()
+     *}
+     * and can be used to check that there is an actual value node at specified {@link JsonPointer}
+     * starting from {@code this} node
+     * (but note that value may be explicit JSON null value).
+     * If such value node exists {@code this} is returned
+     * to allow chaining; otherwise {@link IllegalArgumentException} is thrown.
+     *
+     * @return {@code this} node to allow chaining
+     *
+     * @throws IllegalArgumentException if no value node exists at given {@code JSON Pointer} path
+     *
      * @since 2.10
      */
-    public JsonNode requiredAt(String pathExpr) {
+    public JsonNode requiredAt(String pathExpr) throws IllegalArgumentException {
         return requiredAt(JsonPointer.compile(pathExpr));
     }
 
     /**
+     * Method is functionally equivalent to
+     *{@code
+     *   at(path).required()
+     *}
+     * and can be used to check that there is an actual value node at specified {@link JsonPointer}
+     * starting from {@code this} node
+     * (but note that value may be explicit JSON null value).
+     * If such value node exists {@code this} is returned
+     * to allow chaining; otherwise {@link IllegalArgumentException} is thrown.
+     *
+     * @return {@code this} node to allow chaining
+     *
+     * @throws IllegalArgumentException if no value node exists at given {@code JSON Pointer} path
+     *
      * @since 2.10
      */
-    public final JsonNode requiredAt(final JsonPointer pathExpr) {
-        JsonPointer currentExpr = pathExpr;
+    public final JsonNode requiredAt(final JsonPointer path) throws IllegalArgumentException {
+        JsonPointer currentExpr = path;
         JsonNode curr = this;
 
         // Note: copied from `at()`
@@ -732,7 +809,7 @@ public abstract class JsonNode
             curr = curr._at(currentExpr);
             if (curr == null) {
                 _reportRequiredViolation("No node at '%s' (unmatched part: '%s')",
-                        pathExpr, currentExpr);
+                        path, currentExpr);
             }
             currentExpr = currentExpr.tail();
         }

src/main/java/com/fasterxml/jackson/databind/MapperFeature.java

@@ -296,7 +296,7 @@ public enum MapperFeature implements ConfigFeature
      *<p>
      * Feature is disabled by default for backwards compatibility.
      *
-     * @since 2.9.6
+     * @since 2.10
      */
     USE_BASE_TYPE_AS_DEFAULT_IMPL(false),
 

src/main/java/com/fasterxml/jackson/databind/MappingIterator.java

@@ -152,7 +152,7 @@ public class MappingIterator<T> implements Iterator<T>, Closeable
                 // regardless, recovery context should be whatever context we have now,
                 // with sole exception of pointing to a start marker, in which case it's
                 // the parent
-                JsonToken t = p.getCurrentToken();
+                JsonToken t = p.currentToken();
                 if ((t == JsonToken.START_OBJECT) || (t == JsonToken.START_ARRAY)) {
                     sctxt = sctxt.getParent();
                 }
@@ -238,7 +238,7 @@ public class MappingIterator<T> implements Iterator<T>, Closeable
             _resync();
             // fall-through
         case STATE_MAY_HAVE_VALUE:
-            JsonToken t = _parser.getCurrentToken();
+            JsonToken t = _parser.currentToken();
             if (t == null) { // un-initialized or cleared; find next
                 t = _parser.nextToken();
                 // If EOF, no more, or if we hit END_ARRAY (although we don't clear the token).

src/main/java/com/fasterxml/jackson/databind/ObjectReader.java

@@ -1373,7 +1373,7 @@ public class ObjectReader
      * Method that reads content from given input source,
      * using configuration of this reader, and binds it as JSON Tree.
      * Returns {@link JsonNode} that represents the root of the resulting tree, if there
-     * was content to read, or "missing node" (instance of {@JsonNode} for which
+     * was content to read, or "missing node" (instance of {@link JsonNode} for which
      * {@link JsonNode#isMissingNode()} returns true, and behaves otherwise similar to
      * "null node") if no more content is accessible through passed-in input source.
      *<p>

src/main/java/com/fasterxml/jackson/databind/SerializationConfig.java

@@ -37,6 +37,9 @@ public final class SerializationConfig
     // since 2.6
     protected final static PrettyPrinter DEFAULT_PRETTY_PRINTER = new DefaultPrettyPrinter();
 
+    // since 2.10.1
+    private final static int SER_FEATURE_DEFAULTS = collectFeatureDefaults(SerializationFeature.class);
+
     /*
     /**********************************************************
     /* Configured helper objects
@@ -113,7 +116,7 @@ public final class SerializationConfig
             ConfigOverrides configOverrides)
     {
         super(base, str, mixins, rootNames, configOverrides);
-        _serFeatures = collectFeatureDefaults(SerializationFeature.class);
+        _serFeatures = SER_FEATURE_DEFAULTS;
         _filterProvider = null;
         _defaultPrettyPrinter = DEFAULT_PRETTY_PRINTER;
         _generatorFeatures = 0;

src/main/java/com/fasterxml/jackson/databind/SerializerProvider.java

@@ -1227,7 +1227,7 @@ public abstract class SerializerProvider
     public JsonMappingException invalidTypeIdException(JavaType baseType, String typeId,
             String extraDesc) {
         String msg = String.format("Could not resolve type id '%s' as a subtype of %s",
-                typeId, baseType);
+                typeId, ClassUtil.getTypeDescription(baseType));
         return InvalidTypeIdException.from(null, _colonConcat(msg, extraDesc), baseType, typeId);
     }
 

src/main/java/com/fasterxml/jackson/databind/cfg/MapperBuilder.java

@@ -96,19 +96,16 @@ public abstract class MapperBuilder<M extends ObjectMapper,
     /**********************************************************************
      */
 
-    @SuppressWarnings("deprecation")
     public B enable(MapperFeature... features) {
         _mapper.enable(features);
         return _this();
     }
 
-    @SuppressWarnings("deprecation")
     public B disable(MapperFeature... features) {
         _mapper.disable(features);
         return _this();
     }
 
-    @SuppressWarnings("deprecation")
     public B configure(MapperFeature feature, boolean state) {
         _mapper.configure(feature, state);
         return _this();
@@ -583,6 +580,16 @@ public abstract class MapperBuilder<M extends ObjectMapper,
     }
 
     /**
+     * Method for assigning {@link PolymorphicTypeValidator} to use for validating
+     * subtypes when using Class name - based polymorphic deserialization
+     * using annotations (validator used with "Default Typing" is specified by
+     * passing in {@link #activateDefaultTyping(PolymorphicTypeValidator)} instead).
+     *<p>
+     * Validator will be called on validating types for which no default databind
+     * deserializer, or module-provided deserializer is found: typically this
+     * includes "POJO" (aka Bean) types, but not (for example) most container
+     * types.
+     *
      * @since 2.10
      */
     public B polymorphicTypeValidator(PolymorphicTypeValidator ptv) {
@@ -599,7 +606,7 @@ public abstract class MapperBuilder<M extends ObjectMapper,
     /**
      * Convenience method that is equivalent to calling
      *<pre>
-     *  enableDefaultTyping(subtypeValidator, DefaultTyping.OBJECT_AND_NON_CONCRETE);
+     *  activateDefaultTyping(subtypeValidator, DefaultTyping.OBJECT_AND_NON_CONCRETE);
      *</pre>
      *<p>
      * NOTE: choice of {@link PolymorphicTypeValidator} to pass is critical for security
@@ -613,7 +620,7 @@ public abstract class MapperBuilder<M extends ObjectMapper,
     /**
      * Convenience method that is equivalent to calling
      *<pre>
-     *  enableDefaultTyping(subtypeValidator, dti, JsonTypeInfo.As.WRAPPER_ARRAY);
+     *  activateDefaultTyping(subtypeValidator, dti, JsonTypeInfo.As.WRAPPER_ARRAY);
      *</pre>
      *<p>
      * NOTE: choice of {@link PolymorphicTypeValidator} to pass is critical for security