From: blackdrag@apache.org To: commits@groovy.apache.org Message-Id: <9c3b1afcc601486f9af4bd7df9f02416@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: groovy git commit: fix possible deserialization exploit by overriding readObject Date: Mon, 3 Oct 2016 16:30:16 +0000 (UTC) archived-at: Mon, 03 Oct 2016 16:30:18 -0000 Repository: groovy Updated Branches: refs/heads/GROOVY_2_4_X 675a04eab -> 4df8b652a fix possible deserialization exploit by overriding readObject Project: http://git-wip-us.apache.org/repos/asf/groovy/repo Commit: http://git-wip-us.apache.org/repos/asf/groovy/commit/4df8b652 Tree: http://git-wip-us.apache.org/repos/asf/groovy/tree/4df8b652 Diff: http://git-wip-us.apache.org/repos/asf/groovy/diff/4df8b652 Branch: refs/heads/GROOVY_2_4_X Commit: 4df8b652aa018a5d5d1cda8fba938bf3422db31c Parents: 675a04e Author: Jochen Theodorou Authored: Mon Oct 3 18:22:28 2016 +0200 Committer: Jochen Theodorou Committed: Mon Oct 3 18:24:50 2016 +0200 ---------------------------------------------------------------------- src/main/org/codehaus/groovy/runtime/MethodClosure.java | 8 ++++++++ 1 file changed, 8 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/groovy/blob/4df8b652/src/main/org/codehaus/groovy/runtime/MethodClosure.java ---------------------------------------------------------------------- diff --git a/src/main/org/codehaus/groovy/runtime/MethodClosure.java b/src/main/org/codehaus/groovy/runtime/MethodClosure.java index 6dfb2f3..cacdca8 100644 --- a/src/main/org/codehaus/groovy/runtime/MethodClosure.java +++ b/src/main/org/codehaus/groovy/runtime/MethodClosure.java @@ -21,6 +21,7 @@ package org.codehaus.groovy.runtime; import groovy.lang.Closure; import groovy.lang.MetaMethod; +import java.io.IOException; import java.util.List; 
@@ -71,6 +72,13 @@ public class MethodClosure extends Closure { } throw new UnsupportedOperationException(); } + + private void readObject(java.io.ObjectInputStream stream) throws IOException, ClassNotFoundException { + if (ALLOW_RESOLVE) { + stream.defaultReadObject(); + } + throw new UnsupportedOperationException(); + } public Object getProperty(String property) { if ("method".equals(property)) {
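Review bot: In the added `readObject` in MethodClosure.java, the `throw new UnsupportedOperationException();` sits after the `if (ALLOW_RESOLVE)` block rather than in an `else`, so it runs on both paths: with ALLOW_RESOLVE set, `stream.defaultReadObject()` completes and the method still throws. If ALLOW_RESOLVE is meant to opt back in to deserialization, add `return;` after `stream.defaultReadObject();` or move the throw into an `else` branch. The commit changes only this one file, so a test that serializes and deserializes a MethodClosure with ALLOW_RESOLVE both off and on would pin down the intended behaviour. As a style point, the signature spells out `java.io.ObjectInputStream` while the first hunk adds an import for `java.io.IOException`; importing both would be more consistent.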