On 16.07.2015 14:42, Remi Forax wrote:
I hope this fix is temporary because it disables the serialization of
closures.
I think you can take a look at the way lambdas are
serialized/deserialized in Java
http://cr.openjdk.java.net/~briangoetz/lambda/lambda-translation.html
(see section Serialization)
basically the idea is that when desugaring a closure, the compiler adds
code in the script that checks that the closure references the right
method, and when doing the deserialization, the closure (or a proxy
representing the closure) is first validated by the code of the script
before being accessible.
Yes, I was already looking at this before, and I was not sure how to put
this into the existing MethodClosure class without breaking things. So
my resolution was that with the old class we cannot do this without
breaking the serialization format. Which is why I agreed to this
short-term change, to then discuss a better long-term change now.
The vulnerability basically uses several mechanisms in a chain that you
cannot use like that in Java with lambdas. First there is a
MethodClosure with a valid target method. Then there is a Proxy, which
is serializable. And then of course there is a deprecated (only kept for
backwards compatibility), but still working, Java class, which imho
behaves incorrectly (but surely arguable) on deserialization, and which
is used as the entry point.
Frankly I am not 100% convinced that the Java way is safe, but it is
surely more difficult. You need a deserialize method to support you, a
functional interface and the accessible method, all with mostly fitting
signatures. But given those I am almost sure I could produce a similar
exploit. Groovy just makes it much easier by being much more flexible
with the signatures, allowing more methods to be accessible, and being
able to use a proxy in combination with a method reference without
requiring a functional interface.
And of course there is a way to make the Groovy exploit not work anymore
by utilizing the Java security manager.
bye blackdrag
--
Jochen "blackdrag" Theodorou
blog: http://blackdragsview.blogspot.com/
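The validation scheme Remi points to (the owning class vouches for the target before a deserialized closure becomes usable) as an added, self-contained Java sketch. This is not Groovy's MethodClosure, not javac's generated `$deserializeLambda$`, and not code from this thread; the class names `Script`, `MethodClosure` and `SerializedClosure` and the static `$validateClosure` hook are hypothetical stand-ins for what a compiler would emit. It serializes a legitimate closure through a proxy and shows a forged proxy that names a method the script never exposed being rejected in `readResolve`, before any closure object exists. It needs Java 9+ for `Set.of`.

```java
import java.io.*;
import java.lang.reflect.Method;
import java.util.Set;

// Added example: method closure serialized via a proxy that the owning
// "script" class must validate on deserialization, in the spirit of
// $deserializeLambda$. Hypothetical names; not Groovy's implementation.
public class ValidatedClosureDemo {

    /** Stands in for a compiled script. We assume the compiler emitted
     *  $validateClosure listing exactly the methods it turned into closures. */
    public static final class Script implements Serializable {
        private static final long serialVersionUID = 1L;
        private static final Set<String> CLOSURE_TARGETS = Set.of("greet");

        public String greet(String name) { return "hello " + name; }
        public String shell(String cmd) { return "would run: " + cmd; } // never a closure target

        public static boolean $validateClosure(String method) {
            return CLOSURE_TARGETS.contains(method);
        }
    }

    /** A closure bound to owner.method(...). */
    public static final class MethodClosure implements Serializable {
        private static final long serialVersionUID = 1L;
        final Object owner;
        final String method;

        MethodClosure(Object owner, String method) { this.owner = owner; this.method = method; }

        public Object call(Object... args) throws Exception {
            Class<?>[] types = new Class<?>[args.length];
            for (int i = 0; i < args.length; i++) types[i] = args[i].getClass();
            return owner.getClass().getMethod(method, types).invoke(owner, args);
        }

        /** Only the proxy ever reaches the stream. */
        private Object writeReplace() { return new SerializedClosure(owner, method); }

        /** A raw MethodClosure in a stream is a forgery by definition. */
        private void readObject(ObjectInputStream in) throws InvalidObjectException {
            throw new InvalidObjectException("MethodClosure must be serialized via its proxy");
        }
    }

    /** Serialized form, analogous in role to java.lang.invoke.SerializedLambda. */
    public static final class SerializedClosure implements Serializable {
        private static final long serialVersionUID = 1L;
        final Object owner;
        final String method;

        SerializedClosure(Object owner, String method) { this.owner = owner; this.method = method; }

        /** The owner class must vouch for the target before a closure is built. */
        private Object readResolve() throws ObjectStreamException {
            Class<?> cls = owner.getClass();
            boolean ok;
            try {
                Method validator = cls.getDeclaredMethod("$validateClosure", String.class);
                ok = (Boolean) validator.invoke(null, method);
            } catch (ReflectiveOperationException e) {
                throw new InvalidObjectException(cls.getName() + " cannot validate closures");
            }
            if (!ok) throw new InvalidObjectException(cls.getName() + "." + method + " is not a closure target");
            return new MethodClosure(owner, method);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Legitimate closure: the script created it, so the validator accepts it.
        MethodClosure greet = new MethodClosure(new Script(), "greet");
        MethodClosure back = (MethodClosure) deserialize(serialize(greet));
        System.out.println(back.call("world"));

        // Forged stream (constructed here): the proxy is written directly and
        // points at a method the script never exposed. readResolve rejects it.
        byte[] forged = serialize(new SerializedClosure(new Script(), "shell"));
        try {
            deserialize(forged);
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two limits worth keeping in mind: the check only binds the closure to methods its owner class opted in to, so the owner's own deserialization still has to be trustworthy, and it says nothing about a different serializable entry point that reaches a closure some other way, which is exactly the kind of chain Jochen describes above.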