You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@groovy.apache.org by bl...@apache.org on 2016/10/03 16:24:00 UTC

groovy git commit: fix possible deserialization exploit by overriding readObject

Repository: groovy
Updated Branches:
  refs/heads/master 41fb27eb3 -> 716d3e67e


fix possible deserialization exploit by overriding readObject


Project: http://git-wip-us.apache.org/repos/asf/groovy/repo
Commit: http://git-wip-us.apache.org/repos/asf/groovy/commit/716d3e67
Tree: http://git-wip-us.apache.org/repos/asf/groovy/tree/716d3e67
Diff: http://git-wip-us.apache.org/repos/asf/groovy/diff/716d3e67

Branch: refs/heads/master
Commit: 716d3e67e744c7edeed7cbc3f874090d39355764
Parents: 41fb27e
Author: Jochen Theodorou <bl...@gmx.org>
Authored: Mon Oct 3 18:22:28 2016 +0200
Committer: Jochen Theodorou <bl...@gmx.org>
Committed: Mon Oct 3 18:23:11 2016 +0200

----------------------------------------------------------------------
 src/main/org/codehaus/groovy/runtime/MethodClosure.java | 8 ++++++++
 1 file changed, 8 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/groovy/blob/716d3e67/src/main/org/codehaus/groovy/runtime/MethodClosure.java
----------------------------------------------------------------------
diff --git a/src/main/org/codehaus/groovy/runtime/MethodClosure.java b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
index c1fd1f8..7ead0c7 100644
--- a/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+++ b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
@@ -21,6 +21,7 @@ package org.codehaus.groovy.runtime;
 import groovy.lang.Closure;
 import groovy.lang.MetaMethod;
 
+import java.io.IOException;
 import java.util.List;
 
 
@@ -71,6 +72,13 @@ public class MethodClosure extends Closure {
         }
         throw new UnsupportedOperationException();
     }
+
+    private void readObject(java.io.ObjectInputStream stream) throws IOException, ClassNotFoundException {
+        if (ALLOW_RESOLVE) {
+            stream.defaultReadObject();
+        }
+        throw new UnsupportedOperationException();
+    }
     
     public Object getProperty(String property) {
         if ("method".equals(property)) {