Compare commits
No commits in common. "c8-stream-201902" and "c8-stream-201801" have entirely different histories.
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/xalan-j2-2.7.2.tar.gz
|
||||
SOURCES/xalan-j2-2.7.1.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
678a79a205b08c900722406f030e95fb7fa7f1c8 SOURCES/xalan-j2-2.7.2.tar.gz
|
||||
91d651b76a402a97290ab0afd2a56dd9a9616f56 SOURCES/xalan-j2-2.7.1.tar.gz
|
||||
|
@ -5,7 +5,7 @@ name=xalan-j2
|
||||
version="$(sed -n 's/Version:\s*//p' *.spec)"
|
||||
|
||||
# RETRIEVE
|
||||
wget "http://apache.miloslavbrada.cz/xalan/xalan-j/source/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz"
|
||||
wget "http://archive.apache.org/dist/xml/xalan-j/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz"
|
||||
|
||||
rm -rf tarball-tmp
|
||||
mkdir tarball-tmp
|
||||
@ -15,7 +15,8 @@ tar xf "../${name}-${version}.orig.tar.gz"
|
||||
# CLEAN TARBALL
|
||||
find -name '*.jar' -delete
|
||||
find -name '*.class' -delete
|
||||
rm */src/*.tar.gz
|
||||
|
||||
tar czf "../${name}-${version}.tar.gz" *
|
||||
tar cf "../${name}-${version}.tar.gz" *
|
||||
cd ..
|
||||
rm -r tarball-tmp "${name}-${version}.orig.tar.gz"
|
||||
|
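Review bot: The `wget` in the RETRIEVE hunk fetches the upstream source over plain `http://` and repackages it with no integrity check on either side of the change, so the generated tarball rests entirely on the mirror and the transport. Apache release directories normally carry a detached `.asc` signature and a digest file next to each archive, and the script should download the matching `.asc`/`.sha*` file and verify it (or at least compare against a pinned expected digest) before the `tar xf`; switching the download URL to `https://` is the minimal change. Assuming the second line of each printed pair is the new side, the second hunk also switches to `tar cf` while the output name keeps the `.tar.gz` suffix, which leaves an uncompressed archive under a gzip name.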
@ -1,7 +1,7 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project
|
||||
xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
<project
|
||||
xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
||||
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
@ -13,14 +13,14 @@
|
||||
|
||||
<groupId>xalan</groupId>
|
||||
<artifactId>serializer</artifactId>
|
||||
<version>2.7.2</version>
|
||||
<version>2.7.1</version>
|
||||
|
||||
<name>Xalan Java Serializer</name>
|
||||
<description>
|
||||
Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input
|
||||
SAX events.
|
||||
</description>
|
||||
<url>http://xml.apache.org/xalan-j/</url>
|
||||
<url>http://xml.apache.org/xalan-j/</url>
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
@ -31,9 +31,9 @@
|
||||
<dependency>
|
||||
<groupId>xerces</groupId>
|
||||
<artifactId>xercesImpl</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<version>2.9.0</version>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
</project>
|
||||
</project>
|
@ -13,7 +13,7 @@
|
||||
|
||||
<groupId>xalan</groupId>
|
||||
<artifactId>xalan</artifactId>
|
||||
<version>2.7.2</version>
|
||||
<version>2.7.1</version>
|
||||
|
||||
<name>Xalan Java</name>
|
||||
<description>
|
||||
@ -28,12 +28,12 @@
|
||||
<dependency>
|
||||
<groupId>xalan</groupId>
|
||||
<artifactId>serializer</artifactId>
|
||||
<version>2.7.2</version>
|
||||
<version>2.7.1</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>xerces</groupId>
|
||||
<artifactId>xercesImpl</artifactId>
|
||||
<version>2.9.1</version>
|
||||
<version>2.9.0</version>
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
</dependencies>
|
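--- a/SOURCES/xalan-j2-CVE-2014-0107.patch
+++ b/SOURCES/xalan-j2-CVE-2014-0107.patch
@@ -0,0 +1,148 @@
+diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+index 1298943..96a5e58 100644
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory
+reader = XMLReaderFactory.createXMLReader();
+}
+
++ if(m_isSecureProcessing)
++ {
++ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
++ }
+// Need to set options!
+reader.setContentHandler(handler);
+reader.parse(isource);
+diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+index b946743..17b7395 100644
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement
+}
+else
+{
+- // Can we switch the order here:
+-
+- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+- attributes.getQName(i), attributes.getValue(i),
+- target);
+-
+- // Now we only add the element if it passed a validation check
+- if (success)
+- processedDefs.add(attrDef);
+- else
+- errorDefs.add(attrDef);
++ //handle secure processing
++ if(handler.getStylesheetProcessor()==null)
++ System.out.println("stylesheet processor null");
++ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
++ {
++ //foreign attributes are not allowed in secure processing mode
++ // Then barf, because this element does not allow this attribute.
++ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
++ //+ " attribute is not allowed on the " + rawName
++ // + " element!", null);
++ }
++ else
++ {
++
++
++ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
++ attributes.getQName(i), attributes.getValue(i),
++ target);
++
++ // Now we only add the element if it passed a validation check
++ if (success)
++ processedDefs.add(attrDef);
++ else
++ errorDefs.add(attrDef);
++ }
+}
+}
+
+diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java
+index dd0d4d9..0906d24 100644
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
++++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer
+try
+{
+if (sroot.getExtensions() != null)
+- m_extensionsTable = new ExtensionsTable(sroot);
++ //only load extensions if secureProcessing is disabled
++ if(!sroot.isSecureProcessing())
++ m_extensionsTable = new ExtensionsTable(sroot);
+}
+catch (javax.xml.transform.TransformerException te)
+{te.printStackTrace();}
+diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java
+index 4bea356..78ac980 100644
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg
+
+String fullName = m_arg0.execute(xctxt).str();
+int indexOfNSSep = fullName.indexOf(':');
+- String result;
++ String result = null;
+String propName = "";
+
+// List of properties where the name of the
+@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg
+
+try
+{
+- result = System.getProperty(propName);
+-
+- if (null == result)
+- {
+-
+- // result = System.getenv(propName);
+- return XString.EMPTYSTRING;
+- }
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(propName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ }
++ if (null == result)
++ {
++ return XString.EMPTYSTRING;
++ }
+}
+catch (SecurityException se)
+{
+@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg
+{
+try
+{
+- result = System.getProperty(fullName);
+-
+- if (null == result)
+- {
+-
+- // result = System.getenv(fullName);
+- return XString.EMPTYSTRING;
+- }
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(fullName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ }
++ if (null == result)
++ {
++ return XString.EMPTYSTRING;
++ }
+}
+catch (SecurityException se)
+{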
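Review bot: In the XSLTElementProcessor hunk the null check on `handler.getStylesheetProcessor()` only prints `stylesheet processor null` to stdout and then falls through to `handler.getStylesheetProcessor().isSecureProcessing()` on the very next line, so a null processor still ends in a NullPointerException after writing to the console; library code should not write to `System.out`, and the null case should be either excluded up front or made to fail closed rather than logged and ignored. This looks like a faithful copy of the upstream revisions the spec cites, so any local change here would be a deliberate divergence that deserves a sentence in the patch header. Separately, the TransformerFactoryImpl hunk disables only `http://xml.org/sax/features/external-general-entities` under secure processing; `http://xml.org/sax/features/external-parameter-entities` is left at the reader's default, which is worth confirming against what the package's secure-processing mode is documented to guarantee. The enclosing methods in every hunk start and end outside the quoted patch context.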
@ -2,12 +2,12 @@
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<groupId>xalan</groupId>
|
||||
<artifactId>xsltc</artifactId>
|
||||
<version>2.7.2</version>
|
||||
<version>2.7.1</version>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>xalan</groupId>
|
||||
<artifactId>xalan</artifactId>
|
||||
<version>2.7.2</version>
|
||||
<version>2.7.1</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</project>
|
@ -1,8 +1,39 @@
|
||||
%global cvs_version %(echo %{version} | tr . _)
|
||||
# Copyright (c) 2000-2005, JPackage Project
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
#
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the
|
||||
# distribution.
|
||||
# 3. Neither the name of the JPackage Project nor the names of its
|
||||
# contributors may be used to endorse or promote products derived
|
||||
# from this software without specific prior written permission.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
#
|
||||
|
||||
%global cvs_version 2_7_1
|
||||
|
||||
Name: xalan-j2
|
||||
Version: 2.7.2
|
||||
Release: 2%{?dist}
|
||||
Version: 2.7.1
|
||||
Release: 38%{?dist}
|
||||
Epoch: 0
|
||||
Summary: Java XSLT processor
|
||||
# src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C
|
||||
License: ASL 2.0 and W3C
|
||||
@ -10,15 +41,19 @@ URL: http://xalan.apache.org/
|
||||
|
||||
# ./generate-tarball.sh
|
||||
Source0: %{name}-%{version}.tar.gz
|
||||
Source1: xalan-j2-serializer-MANIFEST.MF
|
||||
Source2: http://repo1.maven.org/maven2/xalan/xalan/%{version}/xalan-%{version}.pom
|
||||
Source3: http://repo1.maven.org/maven2/xalan/serializer/%{version}/serializer-%{version}.pom
|
||||
Source1: %{name}-serializer-MANIFEST.MF
|
||||
Source2: http://repo1.maven.org/maven2/xalan/xalan/2.7.1/xalan-2.7.1.pom
|
||||
Source3: http://repo1.maven.org/maven2/xalan/serializer/2.7.1/serializer-2.7.1.pom
|
||||
Source4: xsltc-%{version}.pom
|
||||
Source5: xalan-j2-MANIFEST.MF
|
||||
Source5: %{name}-MANIFEST.MF
|
||||
# Remove bundled binaries which cannot be easily verified for licensing
|
||||
Source6: generate-tarball.sh
|
||||
|
||||
Patch0: xalan-j2-noxsltcdeps.patch
|
||||
Patch0: %{name}-noxsltcdeps.patch
|
||||
# Fix CVE-2014-0107: insufficient constraints in secure processing
|
||||
# feature (oCERT-2014-002). Generated form upstream revisions 1581058
|
||||
# and 1581426.
|
||||
Patch2: %{name}-CVE-2014-0107.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
@ -29,6 +64,7 @@ BuildRequires: bcel
|
||||
BuildRequires: java_cup
|
||||
BuildRequires: regexp
|
||||
BuildRequires: sed
|
||||
BuildRequires: glassfish-servlet-api
|
||||
BuildRequires: xerces-j2 >= 0:2.7.1
|
||||
BuildRequires: xml-commons-apis >= 0:1.3
|
||||
|
||||
@ -62,15 +98,31 @@ License: ASL 2.0
|
||||
%description manual
|
||||
Documentation for %{name}.
|
||||
|
||||
%package javadoc
|
||||
Summary: Javadoc for %{name}
|
||||
License: ASL 2.0
|
||||
|
||||
%description javadoc
|
||||
Javadoc for %{name}.
|
||||
|
||||
%package demo
|
||||
Summary: Demo for %{name}
|
||||
License: ASL 2.0
|
||||
Requires: %{name} = %{epoch}:%{version}-%{release}
|
||||
Requires: glassfish-servlet-api
|
||||
|
||||
%description demo
|
||||
Demonstrations and samples for %{name}.
|
||||
|
||||
%prep
|
||||
%setup -q -n xalan-j_%{cvs_version}
|
||||
%patch0 -p0
|
||||
%patch2 -p1
|
||||
|
||||
find . -name '*.jar' -delete
|
||||
find . -name '*.class' -delete
|
||||
|
||||
sed -i '/<bootclasspath/d' build.xml
|
||||
(cd ./src && tar xf xml-commons-external-*-src.tar.gz)
|
||||
sed -i '/<!-- Expand jaxp sources/,/<delete file="${xml-commons-srcs.tar}"/{d}' build.xml
|
||||
|
||||
# Remove classpaths from manifests
|
||||
sed -i '/class-path/I d' $(find -iname '*manifest*')
|
||||
@ -99,13 +151,15 @@ popd
|
||||
export CLASSPATH=$(build-classpath glassfish-servlet-api)
|
||||
|
||||
ant \
|
||||
-Dcompiler.source=1.6 \
|
||||
-Dcompiler.target=1.6 \
|
||||
-Djava.awt.headless=true \
|
||||
-Dapi.j2se=%{_javadocdir}/java \
|
||||
-Dbuild.xalan-interpretive.jar=build/xalan-interpretive.jar \
|
||||
xalan-interpretive.jar\
|
||||
xsltc.unbundledjar \
|
||||
docs
|
||||
docs \
|
||||
javadocs \
|
||||
samples \
|
||||
servlet
|
||||
|
||||
# inject OSGi manifests
|
||||
jar ufm build/serializer.jar %{SOURCE1}
|
||||
@ -116,7 +170,18 @@ jar ufm build/xalan-interpretive.jar %{SOURCE5}
|
||||
%mvn_artifact %{SOURCE4} build/xsltc.jar
|
||||
|
||||
%install
|
||||
%mvn_install
|
||||
%mvn_install -J build/docs/apidocs
|
||||
|
||||
# demo
|
||||
install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/%{name}
|
||||
install -p -m 644 build/xalansamples.jar \
|
||||
$RPM_BUILD_ROOT%{_datadir}/%{name}/%{name}-samples.jar
|
||||
install -p -m 644 build/xalanservlet.war \
|
||||
$RPM_BUILD_ROOT%{_datadir}/%{name}/%{name}-servlet.war
|
||||
cp -pr samples $RPM_BUILD_ROOT%{_datadir}/%{name}
|
||||
|
||||
# fix link between manual and javadoc
|
||||
(cd build/docs; ln -sf %{_javadocdir}/%{name} apidocs)
|
||||
|
||||
%post
|
||||
# update-alternatives will remove the symlink - preserve it
|
||||
@ -137,16 +202,14 @@ mv %{_javadir}/jaxp_transform_impl.jar{.tmp,} || :
|
||||
%license LICENSE.txt NOTICE.txt
|
||||
%doc build/docs/*
|
||||
|
||||
%files javadoc
|
||||
%license LICENSE.txt NOTICE.txt
|
||||
%doc %{_javadocdir}/%{name}
|
||||
|
||||
%files demo
|
||||
%{_datadir}/%{name}
|
||||
|
||||
%changelog
|
||||
* Tue Nov 05 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.7.2-2
|
||||
- Mass rebuild for javapackages-tools 201902
|
||||
|
||||
* Wed Jul 31 2019 Marian Koncek <mkoncek@redhat.com> - 2.7.2-1
|
||||
- Update to upstream version 2.7.2
|
||||
|
||||
* Fri May 24 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.7.1-39
|
||||
- Mass rebuild for javapackages-tools 201901
|
||||
|
||||
* Tue Aug 07 2018 Michael Simacek <msimacek@redhat.com> - 0:2.7.1-38
|
||||
- Update license of subpackages
|
||||
|
||||
|
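Review bot: `Source2` and `Source3` point at plain `http://repo1.maven.org` URLs on both sides of the change, and because those `.pom` files become installed Maven metadata through `%mvn_artifact`, the fetch location should be `https://` so the build inputs are at least transport-protected. The comment above `Patch2` reads `# feature (oCERT-2014-002). Generated form upstream revisions 1581058` and should read `Generated from upstream revisions`. The CVE backport is applied with `%patch2 -p1` while no `Patch1` is declared; the gap is harmless but a one-line comment saying it is intentional would save the next packager a search.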