Posted to commits@groovy.apache.org by bl...@apache.org on 2016/10/03 16:24:00 UTC
groovy git commit: fix possible deserialization exploit by overriding
readObject
Repository: groovy
Updated Branches:
refs/heads/master 41fb27eb3 -> 716d3e67e
fix possible deserialization exploit by overriding readObject
Project: http://git-wip-us.apache.org/repos/asf/groovy/repo
Commit: http://git-wip-us.apache.org/repos/asf/groovy/commit/716d3e67
Tree: http://git-wip-us.apache.org/repos/asf/groovy/tree/716d3e67
Diff: http://git-wip-us.apache.org/repos/asf/groovy/diff/716d3e67
Branch: refs/heads/master
Commit: 716d3e67e744c7edeed7cbc3f874090d39355764
Parents: 41fb27e
Author: Jochen Theodorou <bl...@gmx.org>
Authored: Mon Oct 3 18:22:28 2016 +0200
Committer: Jochen Theodorou <bl...@gmx.org>
Committed: Mon Oct 3 18:23:11 2016 +0200
----------------------------------------------------------------------
src/main/org/codehaus/groovy/runtime/MethodClosure.java | 8 ++++++++
1 file changed, 8 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/groovy/blob/716d3e67/src/main/org/codehaus/groovy/runtime/MethodClosure.java
----------------------------------------------------------------------
diff --git a/src/main/org/codehaus/groovy/runtime/MethodClosure.java b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
index c1fd1f8..7ead0c7 100644
--- a/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+++ b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
@@ -21,6 +21,7 @@ package org.codehaus.groovy.runtime;
import groovy.lang.Closure;
import groovy.lang.MetaMethod;
+import java.io.IOException;
import java.util.List;
@@ -71,6 +72,13 @@ public class MethodClosure extends Closure {
}
throw new UnsupportedOperationException();
}
+
+ private void readObject(java.io.ObjectInputStream stream) throws IOException, ClassNotFoundException {
+ if (ALLOW_RESOLVE) {
+ stream.defaultReadObject();
+ }
+ throw new UnsupportedOperationException();
+ }
public Object getProperty(String property) {
if ("method".equals(property)) {
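Review bot: The `throw new UnsupportedOperationException();` that ends the added `readObject` is unconditional, so the method still throws after `stream.defaultReadObject()` has run inside the `if (ALLOW_RESOLVE)` branch. This fails closed, which is the safe direction for the deserialization concern the commit targets, but it means the opt-in path can never complete; given the guard, that is presumably not intended. Add `return;` directly after `stream.defaultReadObject();` (or move the throw into an `else`), and add a one-line comment such as `// deserialization is refused unless ALLOW_RESOLVE is set` so the default-deny intent is explicit. If the flag can be toggled in tests, a serialize/deserialize round trip of a `MethodClosure` with it on and off would pin both paths.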