Add MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES to allow blocking use of unsafe base type for polymorphic deserialization #2587

Closed
cowtowncoder opened this issue Jan 8, 2020 · 1 comment
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone

Comments

@cowtowncoder
Member

With 2.10 there is new PolymorphicTypeValidator interface that is used both with

  1. Default Typing
  2. Explicit per-type/per-property polymorphic handling (@JsonTypeInfo) when class name is used

But although use of a PTV is needed for the new methods that enable (1), and one may be configured when building an ObjectMapper for (2), there are existing use cases that are not affected:

  • Legacy enableDefaultTyping() method (which for backwards-compatibility reasons uses a lenient validator)
  • Cases where no PTV is configured for the annotation-based approach (similarly, the default PTV is lenient for backwards compatibility).

Now: we cannot really change the behavior to override the lenient PTV for legacy usage, but what we can do is add a MapperFeature that will do this. Introduction of DefaultBaseTypeLimitingValidator in 2.11 (which by default blocks unsafe base types such as java.lang.Object) makes it easy to try one approach that should make it much easier to opt in to fully safe handling: add a MapperFeature, enabling of which will then use DefaultBaseTypeLimitingValidator for the legacy use cases.

Note that this issue should replace #2533 as well.

cowtowncoder added a commit that referenced this issue Jan 9, 2020
…ES` for stricter validation for default typing
@cowtowncoder cowtowncoder changed the title Add MapperFeature to allow blocking use of unsafe base type for polymorphic deserialization Add MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES to allow blocking use of unsafe base type for polymorphic deserialization Jan 9, 2020
@cowtowncoder cowtowncoder added this to the 2.11.0 milestone Jan 9, 2020
@cowtowncoder cowtowncoder added the CVE Issues related to public CVEs (security vuln reports) label Apr 2, 2020
@cowtowncoder cowtowncoder removed the 2.11 label Apr 12, 2020
@cowtowncoder
Member Author

Types considered unsafe base types include:

  • java.lang.Object
  • java.io.Closeable
  • java.io.Serializable
  • java.lang.AutoCloseable
  • java.lang.Cloneable

as well as less likely but better-safe-than-sorry:

  • java.util.logging.Handler
  • javax.naming.Referenceable
  • javax.sql.DataSource

List of types compiled from the set of all known deserialization "gadgets" and the types they implement.
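The following is an added example (not code from the issue author or from jackson-databind itself) that exercises the two legacy paths named in the opening comment, the deprecated enableDefaultTyping() call and an unvalidated @JsonTypeInfo(use = Id.CLASS) property, against the unsafe base type java.lang.Object from the list above, and then shows the two opt-in fixes: the new MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES, and an explicit allow-list PolymorphicTypeValidator (the 2.10+ form). It requires jackson-databind 2.11 or later. The Ping and Envelope beans, the package name com.example.safe and the two JSON payloads are constructed for the demo; the expected accept/reject outcome on each path follows the issue's description, and the exact exception class raised on denial is an assumption, so the code catches broadly.

```java
package com.example.safe;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class BaseTypeDemo {

    // Harmless bean standing in for whatever class an attacker would name (constructed for the demo).
    public static class Ping {
        public String msg;
    }

    // Annotation-based polymorphism on an Object-typed property: the base type is java.lang.Object.
    public static class Envelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Default-typing payload (WRAPPER_ARRAY form): ["<class name>", {...fields...}], read as Object.
    static final String ROOT_OBJECT_JSON =
            "[\"" + Ping.class.getName() + "\",{\"msg\":\"hello\"}]";

    // Annotation payload (PROPERTY form with the "@class" id), read as Envelope.
    static final String ENVELOPE_JSON =
            "{\"payload\":{\"@class\":\"" + Ping.class.getName() + "\",\"msg\":\"hello\"}}";

    @SuppressWarnings("deprecation")
    static ObjectMapper lenient() {
        // Legacy enableDefaultTyping() (deprecated since 2.10) keeps the laissez-faire validator,
        // and no validator is configured for the @JsonTypeInfo property either, so both paths
        // accept any class name that resolves on the classpath.
        return new ObjectMapper().enableDefaultTyping();
    }

    @SuppressWarnings("deprecation")
    static ObjectMapper legacyWithBlockFeature() {
        // Same legacy call, but with the 2.11 feature enabled the lenient default gives way to
        // DefaultBaseTypeLimitingValidator, which denies java.lang.Object as a base type outright,
        // regardless of which subtype the payload names.
        return JsonMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build()
                .enableDefaultTyping();
    }

    static ObjectMapper allowList() {
        // 2.10+ form: an explicit validator that accepts only subtypes from our own package
        // (prefix is an assumption for the demo), applied to both polymorphism paths.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.safe.")
                .build();
        return JsonMapper.builder()
                .polymorphicTypeValidator(ptv)                              // annotation-based handling
                .activateDefaultTyping(ptv, DefaultTyping.JAVA_LANG_OBJECT) // default typing for Object
                .build();
    }

    static String attempt(String label, ObjectMapper mapper, String json, Class<?> target) {
        try {
            Object value = mapper.readValue(json, target);
            return label + ": accepted (" + value.getClass().getSimpleName() + ")";
        } catch (Exception e) {
            // Denial surfaces as an exception; the exact type depends on the code path (assumption).
            return label + ": rejected (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        ObjectMapper[] mappers = { lenient(), legacyWithBlockFeature(), allowList() };
        String[] names = { "lenient legacy", "BLOCK_UNSAFE feature", "allow-list PTV" };
        for (int i = 0; i < mappers.length; i++) {
            System.out.println(attempt(names[i] + " / default typing", mappers[i], ROOT_OBJECT_JSON, Object.class));
            System.out.println(attempt(names[i] + " / @JsonTypeInfo", mappers[i], ENVELOPE_JSON, Envelope.class));
        }
    }
}
```

The point to take from the middle mapper is that the feature blocks on the base type, not the subtype: even the harmless Ping is refused because the declared type is java.lang.Object, one of the unsafe base types listed above. The allow-list mapper accepts Ping only because its class name matches the configured prefix; rename the package in the prefix and the same payload is rejected. The feature is a safety net for code that cannot yet migrate off enableDefaultTyping() or annotate its validators; an explicit allow-list PTV remains the recommended configuration.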
