File: 04_CVE-2015-3253.diff

groovy2 2.2.2+dfsg-3+deb8u2
Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
Author: Cedric Champeau <cchampeau@apache.org>
Bug-Debian: https://bugs.debian.org/793398
Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
Forwarded: no
Last-Update: 2015-07-25

--- groovy2-2.4.3+dfsg.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+++ groovy2-2.4.3+dfsg/src/main/org/codehaus/groovy/runtime/MethodClosure.java
@@ -30,6 +30,8 @@ import java.util.List;
  */
 public class MethodClosure extends Closure {
 
+    public static boolean ALLOW_RESOLVE = false;
+
     private String method;
     
     public MethodClosure(Object owner, String method) {
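Review bot: `ALLOW_RESOLVE` is added as a public, non-final, non-volatile static with no comment, so the switch that re-enables MethodClosure deserialization is process-wide and can be written by any code that can reach the class. A Javadoc comment should say so, e.g. `/** Security switch: when false (the default), deserializing a MethodClosure throws; set to true only if every serialized stream this JVM reads is trusted. */`. Declaring it `public static volatile boolean ALLOW_RESOLVE = false;` keeps the public name and makes a change visible to threads that are already deserializing. The class body continues outside the hunk.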
@@ -60,6 +62,13 @@ public class MethodClosure extends Closure {
         return InvokerHelper.invokeMethod(getOwner(), method, arguments);
     }
     
+    private Object readResolve() {
+        if (ALLOW_RESOLVE) {
+            return this;
+        }
+        throw new UnsupportedOperationException();
+    }
+
     public Object getProperty(String property) {
         if ("method".equals(property)) {
             return getMethod();
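Review bot: The `UnsupportedOperationException` thrown from `readResolve()` carries no message, so an operator who sees it abort an ObjectInputStream read has nothing pointing to the security switch. Something like `throw new UnsupportedOperationException("MethodClosure deserialization is disabled; see MethodClosure.ALLOW_RESOLVE");` would make the rejection diagnosable and easy to find in logs. `readResolve()` also runs only after the instance's own fields have been read from the stream, so the guard rejects the closure late rather than before any of its state is materialised. Whether that matters depends on what the owner graph can contain, which is not visible here. The guard covers this class only, and other serializable Closure subclasses, if any, are not touched by this patch.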