Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
Author: Cedric Champeau <cchampeau@apache.org>
Bug-Debian: https://bugs.debian.org/793398
Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
Forwarded: no
Last-Update: 2015-07-25

--- groovy2-2.4.3+dfsg.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+++ groovy2-2.4.3+dfsg/src/main/org/codehaus/groovy/runtime/MethodClosure.java
@@ -30,6 +30,8 @@ import java.util.List;
  */
 public class MethodClosure extends Closure {
 
+    public static boolean ALLOW_RESOLVE = false;
+
     private String method;
     
     public MethodClosure(Object owner, String method) {
@@ -60,6 +62,13 @@ public class MethodClosure extends Closure {
         return InvokerHelper.invokeMethod(getOwner(), method, arguments);
     }
     
+    private Object readResolve() {
+        if (ALLOW_RESOLVE) {
+            return this;
+        }
+        throw new UnsupportedOperationException();
+    }
+
     public Object getProperty(String property) {
         if ("method".equals(property)) {
             return getMethod();