diff --git a/src/main/org/codehaus/groovy/runtime/MethodClosure.java b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
index 828930f..d172df2 100644
--- a/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+++ b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
@@ -19,7 +19,7 @@ import groovy.lang.Closure;
 import groovy.lang.MetaMethod;
 import java.util.List;
-
+import java.io.IOException;
 /**
 * Represents a method on an object using a closure which can be invoked
@@ -30,6 +30,8 @@ import java.util.List;
 */
 public class MethodClosure extends Closure {
+ public static boolean ALLOW_RESOLVE = false;
+
 private String method;
 public MethodClosure(Object owner, String method) {
@@ -66,6 +68,16 @@ public class MethodClosure extends Closure {
 } else return super.getProperty(property);
 }
+
+ // fix for CVE-2016-6814
+ // http://seclists.org/oss-sec/2017/q1/92
+ private void readObject(java.io.ObjectInputStream stream) throws IOException, ClassNotFoundException {
+ if (ALLOW_RESOLVE) {
+ stream.defaultReadObject();
+ }
+ throw new UnsupportedOperationException();
+ }
+
 private Object readResolve() {
 throw new UnsupportedOperationException();
 }
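Review bot: `ALLOW_RESOLVE` in the second hunk is a public, non-final, non-volatile static with no documentation, so any code that can see this class can switch the deserialization guard for every caller sharing it, and a write from another thread is not guaranteed to be visible to the thread doing the read. I would declare it `public static volatile boolean ALLOW_RESOLVE = false;` and add a Javadoc line such as `/** Process-wide opt-in to deserializing MethodClosure; leave false unless every serialized stream read by this JVM is trusted. */`. The class body continues outside the hunk, so whether anything else reads or sets the flag is not visible here.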
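Review bot: In `readObject` the `throw new UnsupportedOperationException();` sits after the `if (ALLOW_RESOLVE)` block rather than in an else branch, so the method throws even when the flag is true, and only after `defaultReadObject()` has already consumed the stream data. Deserialization therefore stays rejected whatever the flag says, which fails closed but leaves the opt-in as dead code; the `readResolve` in the trailing context lines also throws unconditionally. If the opt-in is intended, put the rejection first, `if (!ALLOW_RESOLVE) { throw new UnsupportedOperationException(); }` followed by `stream.defaultReadObject();`, and give `readResolve` the same guard. If it is not intended, drop the flag and the `defaultReadObject()` call so nothing is read from the stream before rejecting it.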