8 changed files with 251 additions and 39 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/xalan-j2-2.7.2.tar.gz
+SOURCES/xalan-j2-2.7.1.tar.gz
--- a/.xalan-j2.metadata
+++ b/.xalan-j2.metadata
@ -1 +1 @@
-678a79a205b08c900722406f030e95fb7fa7f1c8 SOURCES/xalan-j2-2.7.2.tar.gz
+91d651b76a402a97290ab0afd2a56dd9a9616f56 SOURCES/xalan-j2-2.7.1.tar.gz
--- a/SOURCES/generate-tarball.sh
+++ b/SOURCES/generate-tarball.sh
@ -5,7 +5,7 @@ name=xalan-j2
 version="$(sed -n 's/Version:\s*//p' *.spec)"

 # RETRIEVE
-wget "http://apache.miloslavbrada.cz/xalan/xalan-j/source/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz"
+wget "http://archive.apache.org/dist/xml/xalan-j/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz"

 rm -rf tarball-tmp
 mkdir tarball-tmp
@ -15,7 +15,8 @@ tar xf "../${name}-${version}.orig.tar.gz"
 # CLEAN TARBALL
 find -name '*.jar' -delete
 find -name '*.class' -delete
+rm */src/*.tar.gz

-tar czf "../${name}-${version}.tar.gz" *
+tar cf "../${name}-${version}.tar.gz" *
 cd ..
 rm -r tarball-tmp "${name}-${version}.orig.tar.gz"
--- a/SOURCES/serializer-2.7.1.pom
+++ b/SOURCES/serializer-2.7.1.pom
@ -13,7 +13,7 @@

  <groupId>xalan</groupId>
  <artifactId>serializer</artifactId>
-  <version>2.7.2</version>
+  <version>2.7.1</version>

  <name>Xalan Java Serializer</name>
  <description>
@ -31,7 +31,7 @@
    <dependency>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
-      <version>2.9.1</version>
+      <version>2.9.0</version>
      <optional>true</optional>
    </dependency>
  </dependencies>
--- a/SOURCES/xalan-2.7.1.pom
+++ b/SOURCES/xalan-2.7.1.pom
@ -13,7 +13,7 @@

  <groupId>xalan</groupId>
  <artifactId>xalan</artifactId>
-  <version>2.7.2</version>
+  <version>2.7.1</version>

  <name>Xalan Java</name>
  <description>
@ -28,12 +28,12 @@
    <dependency>
      <groupId>xalan</groupId>
      <artifactId>serializer</artifactId>
-      <version>2.7.2</version>
+      <version>2.7.1</version>
    </dependency>
    <dependency>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
-      <version>2.9.1</version>
+      <version>2.9.0</version>
      <optional>true</optional>
    </dependency>
  </dependencies>
--- a/SOURCES/xalan-j2-CVE-2014-0107.patch
+++ b/SOURCES/xalan-j2-CVE-2014-0107.patch
@ -0,0 +1,148 @@
+diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+index 1298943..96a5e58 100644
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory
+           reader = XMLReaderFactory.createXMLReader();
+         }
+ 
+        if(m_isSecureProcessing)
+        {
+            reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
+        }
+         // Need to set options!
+         reader.setContentHandler(handler);
+         reader.parse(isource);
+diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+index b946743..17b7395 100644
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
+++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement
+       }
+       else
+       {
+-        // Can we switch the order here:
+-
+-        boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+-                             attributes.getQName(i), attributes.getValue(i),
+-                             target);
+-                             
+-        // Now we only add the element if it passed a validation check
+-        if (success)
+-            processedDefs.add(attrDef);
+-        else
+-            errorDefs.add(attrDef);
+        //handle secure processing
+        if(handler.getStylesheetProcessor()==null)
+            System.out.println("stylesheet processor null");
+        if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
+        {
+            //foreign attributes are not allowed in secure processing mode
+            // Then barf, because this element does not allow this attribute.
+            handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
+            //+ " attribute is not allowed on the " + rawName
+            // + " element!", null);
+        }
+        else
+        {
+
+
+            boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+                                 attributes.getQName(i), attributes.getValue(i),
+                                 target);
+
+            // Now we only add the element if it passed a validation check
+            if (success)
+                processedDefs.add(attrDef);
+            else
+                errorDefs.add(attrDef);
+        }
+       }
+     }
+ 
+diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java
+index dd0d4d9..0906d24 100644
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
+++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer
+     try
+     {
+       if (sroot.getExtensions() != null)
+-        m_extensionsTable = new ExtensionsTable(sroot);
+        //only load extensions if secureProcessing is disabled
+        if(!sroot.isSecureProcessing())
+            m_extensionsTable = new ExtensionsTable(sroot);
+     }
+     catch (javax.xml.transform.TransformerException te)
+     {te.printStackTrace();}
+diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java
+index 4bea356..78ac980 100644
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
+++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg
+ 
+     String fullName = m_arg0.execute(xctxt).str();
+     int indexOfNSSep = fullName.indexOf(':');
+-    String result;
+    String result = null;
+     String propName = "";
+ 
+     // List of properties where the name of the
+@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg
+ 
+         try
+         {
+-          result = System.getProperty(propName);
+-
+-          if (null == result)
+-          {
+-
+-            // result = System.getenv(propName);
+-            return XString.EMPTYSTRING;
+-          }
+            //if secure procession is enabled only handle required properties do not not map any valid system property
+            if(!xctxt.isSecureProcessing())
+            {
+                result = System.getProperty(propName);
+            }
+            else
+            {
+                warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+                        new Object[]{ fullName });  //"SecurityException when trying to access XSL system property: "+fullName);
+            }
+            if (null == result)
+            {
+                return XString.EMPTYSTRING;
+            }
+         }
+         catch (SecurityException se)
+         {
+@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg
+     {
+       try
+       {
+-        result = System.getProperty(fullName);
+-
+-        if (null == result)
+-        {
+-
+-          // result = System.getenv(fullName);
+-          return XString.EMPTYSTRING;
+-        }
+          //if secure procession is enabled only handle required properties do not not map any valid system property
+          if(!xctxt.isSecureProcessing())
+          {
+              result = System.getProperty(fullName);
+          }
+          else
+          {
+              warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+                      new Object[]{ fullName });  //"SecurityException when trying to access XSL system property: "+fullName);
+          }
+          if (null == result)
+          {
+              return XString.EMPTYSTRING;
+          }
+       }
+       catch (SecurityException se)
+       {
--- a/SOURCES/xsltc-2.7.1.pom
+++ b/SOURCES/xsltc-2.7.1.pom
@ -2,12 +2,12 @@
  <modelVersion>4.0.0</modelVersion>
  <groupId>xalan</groupId>
  <artifactId>xsltc</artifactId>
-  <version>2.7.2</version>
+  <version>2.7.1</version>
  <dependencies>
    <dependency>
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
-      <version>2.7.2</version>
+      <version>2.7.1</version>
    </dependency>
  </dependencies>
 </project>
--- a/SPECS/xalan-j2.spec
+++ b/SPECS/xalan-j2.spec
@ -1,8 +1,39 @@
-%global cvs_version %(echo %{version} | tr . _)
+# Copyright (c) 2000-2005, JPackage Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the
+#    distribution.
+# 3. Neither the name of the JPackage Project nor the names of its
+#    contributors may be used to endorse or promote products derived
+#    from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+%global cvs_version 2_7_1

 Name:           xalan-j2
-Version:        2.7.2
-Release:        2%{?dist}
+Version:        2.7.1
+Release:        38%{?dist}
+Epoch:          0
 Summary:        Java XSLT processor
 # src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C
 License:        ASL 2.0 and W3C
@ -10,15 +41,19 @@ URL:            http://xalan.apache.org/

 # ./generate-tarball.sh
 Source0:        %{name}-%{version}.tar.gz
-Source1:        xalan-j2-serializer-MANIFEST.MF
-Source2:        http://repo1.maven.org/maven2/xalan/xalan/%{version}/xalan-%{version}.pom
-Source3:        http://repo1.maven.org/maven2/xalan/serializer/%{version}/serializer-%{version}.pom
+Source1:        %{name}-serializer-MANIFEST.MF
+Source2:        http://repo1.maven.org/maven2/xalan/xalan/2.7.1/xalan-2.7.1.pom
+Source3:        http://repo1.maven.org/maven2/xalan/serializer/2.7.1/serializer-2.7.1.pom
 Source4:        xsltc-%{version}.pom
-Source5:        xalan-j2-MANIFEST.MF
+Source5:        %{name}-MANIFEST.MF
 # Remove bundled binaries which cannot be easily verified for licensing
 Source6:        generate-tarball.sh

-Patch0:         xalan-j2-noxsltcdeps.patch
+Patch0:         %{name}-noxsltcdeps.patch
+# Fix CVE-2014-0107: insufficient constraints in secure processing
+# feature (oCERT-2014-002).  Generated form upstream revisions 1581058
+# and 1581426.
+Patch2:         %{name}-CVE-2014-0107.patch

 BuildArch:      noarch

@ -29,6 +64,7 @@ BuildRequires:  bcel
 BuildRequires:  java_cup
 BuildRequires:  regexp
 BuildRequires:  sed
+BuildRequires:  glassfish-servlet-api
 BuildRequires:  xerces-j2 >= 0:2.7.1
 BuildRequires:  xml-commons-apis >= 0:1.3

@ -62,15 +98,31 @@ License:        ASL 2.0
 %description    manual
 Documentation for %{name}.

+%package        javadoc
+Summary:        Javadoc for %{name}
+License:        ASL 2.0
+
+%description    javadoc
+Javadoc for %{name}.
+
+%package        demo
+Summary:        Demo for %{name}
+License:        ASL 2.0
+Requires:       %{name} = %{epoch}:%{version}-%{release}
+Requires:       glassfish-servlet-api
+
+%description    demo
+Demonstrations and samples for %{name}.
+
 %prep
 %setup -q -n xalan-j_%{cvs_version}
 %patch0 -p0
+%patch2 -p1

 find . -name '*.jar' -delete
 find . -name '*.class' -delete

-sed -i '/<bootclasspath/d' build.xml
-(cd ./src && tar xf xml-commons-external-*-src.tar.gz)
+sed -i '/<!-- Expand jaxp sources/,/<delete file="${xml-commons-srcs.tar}"/{d}' build.xml

 # Remove classpaths from manifests
 sed -i '/class-path/I d' $(find -iname '*manifest*')
@ -99,13 +151,15 @@ popd
 export CLASSPATH=$(build-classpath glassfish-servlet-api)

 ant \
-  -Dcompiler.source=1.6 \
-  -Dcompiler.target=1.6 \
  -Djava.awt.headless=true \
+  -Dapi.j2se=%{_javadocdir}/java \
  -Dbuild.xalan-interpretive.jar=build/xalan-interpretive.jar \
  xalan-interpretive.jar\
  xsltc.unbundledjar \
-  docs
+  docs \
+  javadocs \
+  samples \
+  servlet

 # inject OSGi manifests
 jar ufm build/serializer.jar %{SOURCE1}
@ -116,7 +170,18 @@ jar ufm build/xalan-interpretive.jar %{SOURCE5}
 %mvn_artifact %{SOURCE4} build/xsltc.jar

 %install
-%mvn_install
+%mvn_install -J build/docs/apidocs
+
+# demo
+install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/%{name}
+install -p -m 644 build/xalansamples.jar \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/%{name}-samples.jar
+install -p -m 644 build/xalanservlet.war \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/%{name}-servlet.war
+cp -pr samples $RPM_BUILD_ROOT%{_datadir}/%{name}
+
+# fix link between manual and javadoc
+(cd build/docs; ln -sf %{_javadocdir}/%{name} apidocs)

 %post
 # update-alternatives will remove the symlink - preserve it
@ -137,16 +202,14 @@ mv %{_javadir}/jaxp_transform_impl.jar{.tmp,} || :
 %license LICENSE.txt NOTICE.txt
 %doc build/docs/*

+%files javadoc
+%license LICENSE.txt NOTICE.txt
+%doc %{_javadocdir}/%{name}
+
+%files demo
+%{_datadir}/%{name}
+
 %changelog
-* Tue Nov 05 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.7.2-2
- Mass rebuild for javapackages-tools 201902
-
-* Wed Jul 31 2019 Marian Koncek <mkoncek@redhat.com> - 2.7.2-1
- Update to upstream version 2.7.2
-
-* Fri May 24 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.7.1-39
- Mass rebuild for javapackages-tools 201901
-
 * Tue Aug 07 2018 Michael Simacek <msimacek@redhat.com> - 0:2.7.1-38
 - Update license of subpackages