Compare commits

...

No commits in common. "c8-stream-201902" and "c8-stream-201801" have entirely different histories.

8 changed files with 251 additions and 39 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/xalan-j2-2.7.2.tar.gz
SOURCES/xalan-j2-2.7.1.tar.gz

View File

@ -1 +1 @@
678a79a205b08c900722406f030e95fb7fa7f1c8 SOURCES/xalan-j2-2.7.2.tar.gz
91d651b76a402a97290ab0afd2a56dd9a9616f56 SOURCES/xalan-j2-2.7.1.tar.gz

View File

@ -5,7 +5,7 @@ name=xalan-j2
version="$(sed -n 's/Version:\s*//p' *.spec)"
# RETRIEVE
wget "http://apache.miloslavbrada.cz/xalan/xalan-j/source/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz"
wget "http://archive.apache.org/dist/xml/xalan-j/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz"
rm -rf tarball-tmp
mkdir tarball-tmp
@ -15,7 +15,8 @@ tar xf "../${name}-${version}.orig.tar.gz"
# CLEAN TARBALL
find -name '*.jar' -delete
find -name '*.class' -delete
rm */src/*.tar.gz
tar czf "../${name}-${version}.tar.gz" *
tar cf "../${name}-${version}.tar.gz" *
cd ..
rm -r tarball-tmp "${name}-${version}.orig.tar.gz"

View File

@ -13,7 +13,7 @@
<groupId>xalan</groupId>
<artifactId>serializer</artifactId>
<version>2.7.2</version>
<version>2.7.1</version>
<name>Xalan Java Serializer</name>
<description>
@ -31,7 +31,7 @@
<dependency>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
<version>2.9.1</version>
<version>2.9.0</version>
<optional>true</optional>
</dependency>
</dependencies>

View File

@ -13,7 +13,7 @@
<groupId>xalan</groupId>
<artifactId>xalan</artifactId>
<version>2.7.2</version>
<version>2.7.1</version>
<name>Xalan Java</name>
<description>
@ -28,12 +28,12 @@
<dependency>
<groupId>xalan</groupId>
<artifactId>serializer</artifactId>
<version>2.7.2</version>
<version>2.7.1</version>
</dependency>
<dependency>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
<version>2.9.1</version>
<version>2.9.0</version>
<optional>true</optional>
</dependency>
</dependencies>

View File

@ -0,0 +1,148 @@
diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
index 1298943..96a5e58 100644
--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory
reader = XMLReaderFactory.createXMLReader();
}
+ if(m_isSecureProcessing)
+ {
+ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
+ }
// Need to set options!
reader.setContentHandler(handler);
reader.parse(isource);
diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java
index b946743..17b7395 100644
--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
+++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement
}
else
{
- // Can we switch the order here:
-
- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
- attributes.getQName(i), attributes.getValue(i),
- target);
-
- // Now we only add the element if it passed a validation check
- if (success)
- processedDefs.add(attrDef);
- else
- errorDefs.add(attrDef);
+ //handle secure processing
+ if(handler.getStylesheetProcessor()==null)
+ System.out.println("stylesheet processor null");
+ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
+ {
+ //foreign attributes are not allowed in secure processing mode
+ // Then barf, because this element does not allow this attribute.
+ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
+ //+ " attribute is not allowed on the " + rawName
+ // + " element!", null);
+ }
+ else
+ {
+
+
+ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+ attributes.getQName(i), attributes.getValue(i),
+ target);
+
+ // Now we only add the element if it passed a validation check
+ if (success)
+ processedDefs.add(attrDef);
+ else
+ errorDefs.add(attrDef);
+ }
}
}
diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java
index dd0d4d9..0906d24 100644
--- a/src/org/apache/xalan/transformer/TransformerImpl.java
+++ b/src/org/apache/xalan/transformer/TransformerImpl.java
@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer
try
{
if (sroot.getExtensions() != null)
- m_extensionsTable = new ExtensionsTable(sroot);
+ //only load extensions if secureProcessing is disabled
+ if(!sroot.isSecureProcessing())
+ m_extensionsTable = new ExtensionsTable(sroot);
}
catch (javax.xml.transform.TransformerException te)
{te.printStackTrace();}
diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java
index 4bea356..78ac980 100644
--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
+++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg
String fullName = m_arg0.execute(xctxt).str();
int indexOfNSSep = fullName.indexOf(':');
- String result;
+ String result = null;
String propName = "";
// List of properties where the name of the
@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg
try
{
- result = System.getProperty(propName);
-
- if (null == result)
- {
-
- // result = System.getenv(propName);
- return XString.EMPTYSTRING;
- }
+ //if secure procession is enabled only handle required properties do not not map any valid system property
+ if(!xctxt.isSecureProcessing())
+ {
+ result = System.getProperty(propName);
+ }
+ else
+ {
+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
+ }
+ if (null == result)
+ {
+ return XString.EMPTYSTRING;
+ }
}
catch (SecurityException se)
{
@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg
{
try
{
- result = System.getProperty(fullName);
-
- if (null == result)
- {
-
- // result = System.getenv(fullName);
- return XString.EMPTYSTRING;
- }
+ //if secure procession is enabled only handle required properties do not not map any valid system property
+ if(!xctxt.isSecureProcessing())
+ {
+ result = System.getProperty(fullName);
+ }
+ else
+ {
+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
+ }
+ if (null == result)
+ {
+ return XString.EMPTYSTRING;
+ }
}
catch (SecurityException se)
{

View File

@ -2,12 +2,12 @@
<modelVersion>4.0.0</modelVersion>
<groupId>xalan</groupId>
<artifactId>xsltc</artifactId>
<version>2.7.2</version>
<version>2.7.1</version>
<dependencies>
<dependency>
<groupId>xalan</groupId>
<artifactId>xalan</artifactId>
<version>2.7.2</version>
<version>2.7.1</version>
</dependency>
</dependencies>
</project>

View File

@ -1,8 +1,39 @@
%global cvs_version %(echo %{version} | tr . _)
# Copyright (c) 2000-2005, JPackage Project
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the
# distribution.
# 3. Neither the name of the JPackage Project nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
%global cvs_version 2_7_1
Name: xalan-j2
Version: 2.7.2
Release: 2%{?dist}
Version: 2.7.1
Release: 38%{?dist}
Epoch: 0
Summary: Java XSLT processor
# src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C
License: ASL 2.0 and W3C
@ -10,15 +41,19 @@ URL: http://xalan.apache.org/
# ./generate-tarball.sh
Source0: %{name}-%{version}.tar.gz
Source1: xalan-j2-serializer-MANIFEST.MF
Source2: http://repo1.maven.org/maven2/xalan/xalan/%{version}/xalan-%{version}.pom
Source3: http://repo1.maven.org/maven2/xalan/serializer/%{version}/serializer-%{version}.pom
Source1: %{name}-serializer-MANIFEST.MF
Source2: http://repo1.maven.org/maven2/xalan/xalan/2.7.1/xalan-2.7.1.pom
Source3: http://repo1.maven.org/maven2/xalan/serializer/2.7.1/serializer-2.7.1.pom
Source4: xsltc-%{version}.pom
Source5: xalan-j2-MANIFEST.MF
Source5: %{name}-MANIFEST.MF
# Remove bundled binaries which cannot be easily verified for licensing
Source6: generate-tarball.sh
Patch0: xalan-j2-noxsltcdeps.patch
Patch0: %{name}-noxsltcdeps.patch
# Fix CVE-2014-0107: insufficient constraints in secure processing
# feature (oCERT-2014-002). Generated form upstream revisions 1581058
# and 1581426.
Patch2: %{name}-CVE-2014-0107.patch
BuildArch: noarch
@ -29,6 +64,7 @@ BuildRequires: bcel
BuildRequires: java_cup
BuildRequires: regexp
BuildRequires: sed
BuildRequires: glassfish-servlet-api
BuildRequires: xerces-j2 >= 0:2.7.1
BuildRequires: xml-commons-apis >= 0:1.3
@ -62,15 +98,31 @@ License: ASL 2.0
%description manual
Documentation for %{name}.
%package javadoc
Summary: Javadoc for %{name}
License: ASL 2.0
%description javadoc
Javadoc for %{name}.
%package demo
Summary: Demo for %{name}
License: ASL 2.0
Requires: %{name} = %{epoch}:%{version}-%{release}
Requires: glassfish-servlet-api
%description demo
Demonstrations and samples for %{name}.
%prep
%setup -q -n xalan-j_%{cvs_version}
%patch0 -p0
%patch2 -p1
find . -name '*.jar' -delete
find . -name '*.class' -delete
sed -i '/<bootclasspath/d' build.xml
(cd ./src && tar xf xml-commons-external-*-src.tar.gz)
sed -i '/<!-- Expand jaxp sources/,/<delete file="${xml-commons-srcs.tar}"/{d}' build.xml
# Remove classpaths from manifests
sed -i '/class-path/I d' $(find -iname '*manifest*')
@ -99,13 +151,15 @@ popd
export CLASSPATH=$(build-classpath glassfish-servlet-api)
ant \
-Dcompiler.source=1.6 \
-Dcompiler.target=1.6 \
-Djava.awt.headless=true \
-Dapi.j2se=%{_javadocdir}/java \
-Dbuild.xalan-interpretive.jar=build/xalan-interpretive.jar \
xalan-interpretive.jar\
xsltc.unbundledjar \
docs
docs \
javadocs \
samples \
servlet
# inject OSGi manifests
jar ufm build/serializer.jar %{SOURCE1}
@ -116,7 +170,18 @@ jar ufm build/xalan-interpretive.jar %{SOURCE5}
%mvn_artifact %{SOURCE4} build/xsltc.jar
%install
%mvn_install
%mvn_install -J build/docs/apidocs
# demo
install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/%{name}
install -p -m 644 build/xalansamples.jar \
$RPM_BUILD_ROOT%{_datadir}/%{name}/%{name}-samples.jar
install -p -m 644 build/xalanservlet.war \
$RPM_BUILD_ROOT%{_datadir}/%{name}/%{name}-servlet.war
cp -pr samples $RPM_BUILD_ROOT%{_datadir}/%{name}
# fix link between manual and javadoc
(cd build/docs; ln -sf %{_javadocdir}/%{name} apidocs)
%post
# update-alternatives will remove the symlink - preserve it
@ -137,16 +202,14 @@ mv %{_javadir}/jaxp_transform_impl.jar{.tmp,} || :
%license LICENSE.txt NOTICE.txt
%doc build/docs/*
%files javadoc
%license LICENSE.txt NOTICE.txt
%doc %{_javadocdir}/%{name}
%files demo
%{_datadir}/%{name}
%changelog
* Tue Nov 05 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.7.2-2
- Mass rebuild for javapackages-tools 201902
* Wed Jul 31 2019 Marian Koncek <mkoncek@redhat.com> - 2.7.2-1
- Update to upstream version 2.7.2
* Fri May 24 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 2.7.1-39
- Mass rebuild for javapackages-tools 201901
* Tue Aug 07 2018 Michael Simacek <msimacek@redhat.com> - 0:2.7.1-38
- Update license of subpackages