diff --git a/0001-Disallow-EventData-deserialization-by-default.patch b/0001-Disallow-EventData-deserialization-by-default.patch
new file mode 100644
index 0000000..f77a14e
--- /dev/null
+++ b/0001-Disallow-EventData-deserialization-by-default.patch
@@ -0,0 +1,44 @@
+From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001
+From: Michael Simacek
+Date: Mon, 19 Mar 2018 16:01:57 +0100
+Subject: [PATCH] Disallow EventData deserialization by default
+
+---
+ .../src/main/java/org/slf4j/ext/EventData.java | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+index dc5b502..fa5c125 100644
+--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
++++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+@@ -76,12 +76,21 @@ public class EventData implements Serializable {
+ */
+ @SuppressWarnings("unchecked")
+ public EventData(String xml) {
+- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+- try {
+- XMLDecoder decoder = new XMLDecoder(bais);
+- this.eventData = (Map) decoder.readObject();
+- } catch (Exception e) {
+- throw new EventException("Error decoding " + xml, e);
++ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
++ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
++ try {
++ XMLDecoder decoder = new XMLDecoder(bais);
++ this.eventData = (Map) decoder.readObject();
++ } catch (Exception e) {
++ throw new EventException("Error decoding " + xml, e);
++ }
++ } else {
++ throw new UnsupportedOperationException(
++ "Constructing EventData from XML is vulnerable to remote " +
++ "excution and is not allowed by default. If you're " +
++ "completely sure the source data is trusted, you can enable " +
++ "it by setting org.slf4j.ext.allowInsecureDeserialization " +
++ "JVM property to 1");
+ }
+ }
+
+--
+2.14.3
+
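Review bot: The opt-in in `EventData(String xml)` is a JVM-wide system property, so setting `org.slf4j.ext.allowInsecureDeserialization` to `1` for one trusted caller re-enables `XMLDecoder.readObject()` for every caller in the process, and the enabled branch is the old code with no restriction on what the XML may instantiate. That scope should be stated where users will read it; the constructor's Javadoc starts outside the hunk and should gain `@throws UnsupportedOperationException unless the org.slf4j.ext.allowInsecureDeserialization system property is "1" (the property applies to the whole JVM)`. The exception text also has a typo and drops a word; the first two string lines should read `"Constructing EventData from XML is vulnerable to remote code " +` and `"execution and is not allowed by default. If you're " +`. Callers that caught `EventException` from this constructor now see `UnsupportedOperationException` instead, which is presumably intended but worth recording in the package changelog.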
diff --git a/README.en.md b/README.en.md
deleted file mode 100644
index f259b4a..0000000
--- a/README.en.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# slf4j
-
-#### Description
-{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
-
-#### Software Architecture
-Software architecture description
-
-#### Installation
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Instructions
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Contribution
-
-1. Fork the repository
-2. Create Feat_xxx branch
-3. Commit your code
-4. Create Pull Request
-
-
-#### Gitee Feature
-
-1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
-2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
-3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
-4. The most valuable open source project [GVP](https://gitee.com/gvp)
-5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
-6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/README.md b/README.md
deleted file mode 100644
index 8f34d8f..0000000
--- a/README.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# slf4j
-
-#### 介绍
-{**以下是码云平台说明,您可以替换此简介**
-码云是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN)。专为开发者提供稳定、高效、安全的云端软件开发协作平台
-无论是个人、团队、或是企业,都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
-
-#### 软件架构
-软件架构说明
-
-
-#### 安装教程
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 使用说明
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 参与贡献
-
-1. Fork 本仓库
-2. 新建 Feat_xxx 分支
-3. 提交代码
-4. 新建 Pull Request
-
-
-#### 码云特技
-
-1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
-2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com)
-3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
-4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目
-5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
-6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/slf4j-1.7.25.tar.gz b/slf4j-1.7.25.tar.gz
new file mode 100644
index 0000000..e3b0a4e
Binary files /dev/null and b/slf4j-1.7.25.tar.gz differ
diff --git a/slf4j.spec b/slf4j.spec
index 67eda25..cde7be2 100644
--- a/slf4j.spec
+++ b/slf4j.spec
@@ -1,92 +1,91 @@ Name: slf4j Version: 1.7.25 -Release: 7 +Release: 8 Epoch: 0 Summary: Simple Logging Facade for Java(SLF4J) License: MIT and ASL 2.0 URL: http://www.slf4j.org/ -Source0: https://github.com/qos-ch/%{name}/archive/v_%{version}.tar.gz +Source0: http://www.slf4j.org/dist/slf4j-%{version}.tar.gz Source1: http://www.apache.org/licenses/LICENSE-2.0.txt - BuildArch: noarch -BuildRequires: maven-local mvn(ch.qos.cal10n:cal10n-api) mvn(commons-lang:commons-lang) -BuildRequires: mvn(commons-logging:commons-logging) mvn(javassist:javassist) mvn(log4j:log4j:1.2.17) -BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin) mvn(org.apache.maven.plugins:maven-source-plugin) -BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin) +BuildRequires: mvn(ch.qos.cal10n:cal10n-api) mvn(org.apache.maven.plugins:maven-source-plugin) +BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin) mvn(commons-lang:commons-lang) +BuildRequires: mvn(commons-logging:commons-logging) mvn(javassist:javassist) maven-local +BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin) mvn(log4j:log4j:1.2.17) +# Disallow EventData deserialization by default +Patch0000: 0001-Disallow-EventData-deserialization-by-default.patch %description The Simple Logging Facade for Java (SLF4J) serves as a simple facade or abstraction for various logging frameworks (e.g. java.util.logging, logback, log4j) allowing the end user to plug in the desired logging framework at deployment time.Before you start using SLF4J, we highly recommend -that you read the two-page SLF4J user manual. -Note that SLF4J-enabling your library implies the addition of only a single mandatory dependency, -namely slf4j-api.jar. If no binding is found on the class path, then SLF4J will default to a -no-operation implementation. -In case you wish to migrate your Java source files to SLF4J, consider our migrator tool which -can migrate your project to use the SLF4J API in just a few minutes. 
-In case an externally-maintained component you depend on uses a logging API other than SLF4J, -such as commons logging, log4j or java.util.logging, have a look at SLF4J's binary-support for legacy APIs. +that you read the two-page SLF4J user manual. Note that SLF4J-enabling your library implies the +addition of only a single mandatory dependency, namely slf4j-api.jar. If no binding is found on +the class path, then SLF4J will default to a no-operation implementation. In case you wish to +migrate your Java source files to SLF4J, consider our migrator tool which can migrate your project +to use the SLF4J API in just a few minutes. In case an externally-maintained component you depend +on uses a logging API other than SLF4J, such as commons logging, log4j or java.util.logging, have +a look at SLF4J's binary-support for legacy APIs. -%package jdk14 +%package help +Summary: Help documentation for slf4j +Provides: slf4j-javadoc = %{epoch}:%{version}-%{release} slf4j-manual = %{epoch}:%{version}-%{release} +Obsoletes: slf4j-javedoc < %{epoch}:%{version}-%{release} slf4j-manual < %{epoch}:%{version}-%{release} + +%description help +Help documentation for slf4j. + +%package jdk14 Summary: JDK14 Binding of SLF4J -%description jdk14 +%description jdk14 JDK14 Binding of SLF4J. -%package log4j12 +%package log4j12 Summary: LOG4J-12 Binding of SLF4J -%description log4j12 +%description log4j12 LOG4J-12 Binding of SLF4J. -%package jcl +%package jcl Summary: JCL Binding of SLF4J -%description jcl +%description jcl JCL Binding of SLF4J. -%package -n jcl-over-slf4j +%package ext +Summary: Extensions Module of SLF4J + +%description ext +Extensions Module of SLF4J. + +%package -n jcl-over-slf4j Summary: JCL 1.1.1 implemented over SLF4J %description -n jcl-over-slf4j JCL 1.1.1 implemented over SLF4J. -%package -n jul-to-slf4j -Summary: JUL to SLF4J bridge - -%description -n jul-to-slf4j -JUL to SLF4J bridge. 
- -%package -n log4j-over-slf4j +%package -n log4j-over-slf4j Summary: Log4j implemented over SLF4J %description -n log4j-over-slf4j Log4j implemented over SLF4J. -%package ext -Summary: Extensions Module of SLF4J +%package -n jul-to-slf4j +Summary: JUL to SLF4J bridge -%description ext -Extensions Module of SLF4J. +%description -n jul-to-slf4j +JUL to SLF4J bridge. -%package sources +%package sources Summary: Source JARs of SLF4J -%description sources -SLF4J Source JARs,which is required by Maven 3.4.0. - -%package help -Summary: API documentation for slf4j package -Provides: %{name}-javadoc = %{epoch}:%{version}-%{release} %{name}-manual = %{epoch}:%{version}-%{release} -Obsoletes: %{name}-javadoc < %{epoch}:%{version}-%{release} %{name}-manual < %{epoch}:%{version}-%{release} - -%description help -API documentation for slf4j package. +%description sources +Source JARs of SLF4J. %prep -%autosetup -n %{name}-v_%{version} -p1 - -find . -name "*.jar" -delete +%autosetup -p1 +find . -name "*.jar" | xargs rm cp -p %{SOURCE1} APACHE-LICENSE %pom_disable_module integration @@ -98,6 +97,7 @@ cp -p %{SOURCE1} APACHE-LICENSE ISO-8859-1" %pom_xpath_remove "pom:links" + %pom_xpath_inject "pom:plugin[pom:artifactId[text()='maven-javadoc-plugin']]/pom:configuration" " false false @@ -115,9 +115,7 @@ find -name "*.css" -o -name "*.js" -o -name "*.txt" | xargs -t sed -i 's/\r$//' sed -i "/Import-Package/s/.$/;resolution:=optional&/" slf4j-api/src/main/resources/META-INF/MANIFEST.MF -# source of slf4j is required by maven 3.4.0 %mvn_package :::sources: sources - %mvn_package :slf4j-parent __noinstall %mvn_package :slf4j-site __noinstall %mvn_package :slf4j-api 
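Review bot: In the first `slf4j.spec` hunk, `Source0` moves from an `https://github.com/...` archive to plain `http://www.slf4j.org/dist/slf4j-%{version}.tar.gz`, so anyone re-fetching the tarball from the spec URL gets no transport integrity, and the hunk shows no checksum or signature check for the newly committed `slf4j-1.7.25.tar.gz`; prefer `Source0: https://www.slf4j.org/dist/slf4j-%{version}.tar.gz` if the site serves that path over TLS. In the new `%package help` stanza, `Obsoletes: slf4j-javedoc` is misspelled (the removed line had `%{name}-javadoc`), so the old javadoc subpackage would not be obsoleted; it should read `Obsoletes: slf4j-javadoc < %{epoch}:%{version}-%{release} slf4j-manual < %{epoch}:%{version}-%{release}`. In `%prep`, `find . -name "*.jar" | xargs rm` splits file names on whitespace and, with GNU xargs, still runs `rm` with no operands when nothing matches; the removed `find . -name "*.jar" -delete` had neither problem and should be kept.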
@@ -128,41 +126,32 @@ sed -i "/Import-Package/s/.$/;resolution:=optional&/" slf4j-api/src/main/resourc %mvn_build -f -s %install -%mvn_file ':%{name}-{*}' %{name}/%{name}-@1 %{name}/@1 +%mvn_file ':slf4j-{*}' slf4j/slf4j-@1 slf4j/@1 %mvn_install -sed -i 's/[0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}/f2f42549-cfab-4d71-be48-5e9f9a41e5f5/g' $(find %{_buildrootdir} -name slf4j-slf4j-jdk14.xml) -sed -i 's/[0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}/f2f42549-cfab-4d71-be48-5e9f9a41e5f5/g' $(find %{_buildrootdir} -name slf4j.xml) - install -d -m 0755 $RPM_BUILD_ROOT%{_defaultdocdir}/slf4j-manual -cp -rp target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/slf4j-manual +rm -rf target/site/{.htaccess,apidocs} +cp -pr target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/slf4j-manual %files -f .mfiles -%license LICENSE.txt APACHE-LICENSE +%doc LICENSE.txt APACHE-LICENSE %files jdk14 -f .mfiles-slf4j-jdk14 - %files log4j12 -f .mfiles-slf4j-log4j12 - %files jcl -f .mfiles-slf4j-jcl - +%files ext -f .mfiles-slf4j-ext %files -n jcl-over-slf4j -f .mfiles-jcl-over-slf4j - +%files -n log4j-over-slf4j -f .mfiles-log4j-over-slf4j %files -n jul-to-slf4j -f .mfiles-jul-to-slf4j -%files -n log4j-over-slf4j -f .mfiles-log4j-over-slf4j - -%files ext -f .mfiles-slf4j-ext - %files sources -f .mfiles-sources -%license LICENSE.txt APACHE-LICENSE +%doc LICENSE.txt APACHE-LICENSE %files help -f .mfiles-javadoc %{_defaultdocdir}/slf4j-manual -%exclude %{_defaultdocdir}/slf4j-manual/{.htaccess,apidocs} %changelog +* Sun Mar 15 2020 Ling Yang - 0:1.7.25-8 +- Fix format + * Wed Dec 04 2019 daiqianwen - 0:1.7.25-7 - Package init - - - diff --git a/v_1.7.25.tar.gz b/v_1.7.25.tar.gz deleted file mode 100644 index 9e8767a..0000000 Binary files a/v_1.7.25.tar.gz and /dev/null differ
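Review bot: The new `%changelog` entry says only `- Fix format`, but release 0:1.7.25-8 also adds `Patch0000` (the EventData deserialization change) and swaps the source tarball, so someone auditing the package history cannot tell from it that runtime behaviour changed; add a line such as `- Add 0001-Disallow-EventData-deserialization-by-default.patch`. In `%files` and `%files sources`, `%license LICENSE.txt APACHE-LICENSE` became `%doc LICENSE.txt APACHE-LICENSE`, which stops marking the two files as license files; keep `%license`. The two `sed` lines in `%install` that pinned the UUID in `slf4j-slf4j-jdk14.xml` and `slf4j.xml` are dropped without explanation, which presumably lets the generated metadata differ from build to build.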