7 changed files with 55 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 SOURCES/slf4j-1.7.28.tar.gz
+/slf4j-1.7.28.tar.gz
--- a/.slf4j.metadata
+++ b/.slf4j.metadata
@ -1 +1 @@
-f57e8e97d434bdcd8ba87ab9933d8de64bafb071 SOURCES/slf4j-1.7.28.tar.gz
+f57e8e97d434bdcd8ba87ab9933d8de64bafb071 slf4j-1.7.28.tar.gz
--- a/0001-Disallow-EventData-deserialization-by-default.patch
+++ b/0001-Disallow-EventData-deserialization-by-default.patch
@ -0,0 +1,44 @@
+From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001
+From: Michael Simacek <msimacek@redhat.com>
+Date: Mon, 19 Mar 2018 16:01:57 +0100
+Subject: [PATCH] Disallow EventData deserialization by default
+
+---
+ .../src/main/java/org/slf4j/ext/EventData.java      | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+index dc5b502..fa5c125 100644
+--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+@@ -76,12 +76,21 @@ public class EventData implements Serializable {
+      */
+     @SuppressWarnings("unchecked")
+     public EventData(String xml) {
+-        ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+-        try {
+-            XMLDecoder decoder = new XMLDecoder(bais);
+-            this.eventData = (Map<String, Object>) decoder.readObject();
+-        } catch (Exception e) {
+-            throw new EventException("Error decoding " + xml, e);
+        if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
+            ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+            try {
+                XMLDecoder decoder = new XMLDecoder(bais);
+                this.eventData = (Map<String, Object>) decoder.readObject();
+            } catch (Exception e) {
+                throw new EventException("Error decoding " + xml, e);
+            }
+        } else {
+            throw new UnsupportedOperationException(
+                    "Constructing EventData from XML is vulnerable to remote " +
+                    "excution and is not allowed by default. If you're " +
+                    "completely sure the source data is trusted, you can enable " +
+                    "it by setting org.slf4j.ext.allowInsecureDeserialization " +
+                    "JVM property to 1");
+         }
+     }
+ 
+-- 
+2.14.3
+
--- a/SOURCES/LICENSE-2.0.txt
+++ b/SOURCES/LICENSE-2.0.txt
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,8 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_contexts:
+  - osci_compose_gate
+rules:
+  # https://docs.engineering.redhat.com/display/RHELPLAN/Maven+Bootstrap+manual+gating+test
+  - !PassingTestCaseRule {test_case_name: manual.sst_cs_apps.maven.bootstrap}
--- a/SPECS/slf4j.spec
+++ b/SPECS/slf4j.spec
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (slf4j-1.7.28.tar.gz) = 3eb81e8fefe85f5cc9acf3ac17d0e7c5d9f82f44e10279e7f623f1bf1301cf55dfb67ee9ad29464739c4fe4ea938aecc8d75b093426e9928de81752f80ef391f
				`@ -0,0 +1 @@`
				`SHA512 (slf4j-1.7.28.tar.gz) = 3eb81e8fefe85f5cc9acf3ac17d0e7c5d9f82f44e10279e7f623f1bf1301cf55dfb67ee9ad29464739c4fe4ea938aecc8d75b093426e9928de81752f80ef391f`