From 61d3cbac20b8f93f64e4dec9ec9052d0bdaa88d1 Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski
Date: Mon, 14 Dec 2020 16:03:03 +0100
Subject: [PATCH 2/2] Fix for CVE-2020-26217

Backported from upstream commit 0fec095d534126931c99fd38e9c6d41f5c685c1a
---
 xstream/src/java/com/thoughtworks/xstream/XStream.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index 8af0f6a..3ca31cc 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -545,6 +545,7 @@ public class XStream {
 }
 addPermission(AnyTypePermission.ANY);
+ denyTypes(new String[]{"javax.imageio.ImageIO$ContainsFilter"});
 }
 protected void setupAliases() {
-- 
2.26.2
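Review bot: The added `denyTypes(...)` line is a one-entry deny-list layered on `addPermission(AnyTypePermission.ANY)`, so it blocks only the `javax.imageio.ImageIO$ContainsFilter` type tied to CVE-2020-26217 and leaves every other type deserializable by default, and nothing in the hunk says so. I would put a comment above it such as `// CVE-2020-26217: deny this one type; callers parsing untrusted XML still need an explicit allow-list`. The deny presumably relies on being registered after the ANY permission; if this tree's security mapper resets its permission list whenever ANY or NONE is added (as I believe upstream's does), application code that calls `addPermission(AnyTypePermission.ANY)` again would drop it, which is worth confirming and documenting in the backport. The enclosing method starts above the hunk, so the condition guarding these two calls is not visible here.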