hi all, as you guys may remember we added
private Object readResolve() { if (ALLOW_RESOLVE) { return this; } throw new UnsupportedOperationException(); }
to prevent proper deserialization of a MethodClosure in case we don't want to allow it (which is the default). Now it seems that this approach is not enough. I have found several articles stating that it is possible to bypass readResolve. In this case you would still have access to the fully deserialized object. Thus I suggest we do the following:
private void readObject(java.io.ObjectInputStream stream) throws IOException, ClassNotFoundException { if (ALLOW_RESOLVE) { stream.defaultReadObject(); } else { stream.readUTF(); // read method and forget it } }
this is very similar to the readResolve implementation of course. So we would still fail deserialization, only much earlier. We would still read the String for the method, but we would make sure it will not be assigned.
So if malicious code manage to go around readResolve, it would still be left with a MethodClosure in which method is null, thus any try to invoke a method will fail with a NullpointException.
Afaik this solution would be compatible to earlier versions of Groovy. What do you guys think? bye Jochen