packages/xstream
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!1 init

Browse Source 
Merge pull request !1 from jinjin/master
This commit is contained in:
openeuler-ci-bot 2020-04-09 15:23:20 +08:00 committed by Gitee
commit d08b0c128a
5 changed files with 231 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

123
0001-Prevent-deserialization-of-void.patch Normal file
View File

@ -0,0 +1,123 @@
From 376175c482a4914c8d288cf663f978dfb5e55849 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Wed, 12 Apr 2017 12:19:21 +0200
Subject: [PATCH] Prevent deserialization of void
---
.../SunLimitedUnsafeReflectionProvider.java | 22 ++++++++++++--------
.../xstream/security/PrimitiveTypePermission.java | 5 +++--
.../acceptance/SecurityVulnerabilityTest.java | 24 +++++++++++++++++++++-
3 files changed, 39 insertions(+), 12 deletions(-)
diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
index 2c569ae..491f0d6 100644
--- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2004, 2005 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers.
* All rights reserved.
*
* Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider
@@ -78,14 +78,18 @@ public class SunLimitedUnsafeReflectionProvider extends PureJavaReflectionProvid
throw ex;
}
ErrorWritingException ex = null;
- try {
- return unsafe.allocateInstance(type);
- } catch (SecurityException e) {
- ex = new ObjectAccessException("Cannot construct type", e);
- } catch (InstantiationException e) {
- ex = new ConversionException("Cannot construct type", e);
- } catch (IllegalArgumentException e) {
- ex = new ObjectAccessException("Cannot construct type", e);
+ if (type == void.class || type == Void.class) {
+ ex = new ConversionException("Type void cannot have an instance");
+ } else {
+ try {
+ return unsafe.allocateInstance(type);
+ } catch (SecurityException e) {
+ ex = new ObjectAccessException("Cannot construct type", e);
+ } catch (InstantiationException e) {
+ ex = new ConversionException("Cannot construct type", e);
+ } catch (IllegalArgumentException e) {
+ ex = new ObjectAccessException("Cannot construct type", e);
+ }
}
ex.add("construction-type", type.getName());
throw ex;
diff --git a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
index fb69b95..c3cbad9 100644
--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014 XStream Committers.
+ * Copyright (C) 2014, 2017 XStream Committers.
* All rights reserved.
*
* Created on 09. January 2014 by Joerg Schaible
@@ -8,8 +8,9 @@ package com.thoughtworks.xstream.security;
import com.thoughtworks.xstream.core.util.Primitives;
+
/**
- * Permission for any primitive type and its boxed counterpart (incl. void).
+ * Permission for any primitive type and its boxed counterpart (excl. void).
*
* @author J&ouml;rg Schaible
* @since 1.4.7
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
index c77b3ce..0180fd7 100644
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013, 2014 XStream Committers.
+ * Copyright (C) 2013, 2014, 2017 XStream Committers.
* All rights reserved.
*
* The software in this package is published under the terms of the BSD
@@ -13,9 +13,12 @@ package com.thoughtworks.acceptance;
import java.beans.EventHandler;
import com.thoughtworks.xstream.XStreamException;
+import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.ProxyTypePermission;
+
/**
* @author J&ouml;rg Schaible
*/
@@ -80,4 +83,23 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
BUFFER.append("Executed!");
}
}
+
+ public void testDeniedInstanceOfVoid() {
+ try {
+ xstream.fromXML("<void/>");
+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
+ } catch (final ForbiddenClassException e) {
+ // OK
+ }
+ }
+
+ public void testAllowedInstanceOfVoid() {
+ xstream.allowTypes(void.class, Void.class);
+ try {
+ xstream.fromXML("<void/>");
+ fail("Thrown " + ConversionException.class.getName() + " expected");
+ } catch (final ConversionException e) {
+ assertEquals("void", e.get("construction-type"));
+ }
+ }
}
--
2.9.3

36
README.en.md
View File

@ -1,36 +0,0 @@
# xstream
#### Description
{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
#### Software Architecture
Software architecture description
#### Installation
1. xxxx
2. xxxx
3. xxxx
#### Instructions
1. xxxx
2. xxxx
3. xxxx
#### Contribution
1. Fork the repository
2. Create Feat_xxx branch
3. Commit your code
4. Create Pull Request
#### Gitee Feature
1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
4. The most valuable open source project [GVP](https://gitee.com/gvp)
5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

39
README.md
View File

@ -1,39 +0,0 @@
# xstream
#### 介绍
{**以下是码云平台说明,您可以替换此简介**
码云是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN。专为开发者提供稳定、高效、安全的云端软件开发协作平台
无论是个人、团队、或是企业,都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
#### 软件架构
软件架构说明
#### 安装教程
1. xxxx
2. xxxx
3. xxxx
#### 使用说明
1. xxxx
2. xxxx
3. xxxx
#### 参与贡献
1. Fork 本仓库
2. 新建 Feat_xxx 分支
3. 提交代码
4. 新建 Pull Request
#### 码云特技
1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com)
3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目
5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

BIN
xstream-distribution-1.4.9-src.zip Normal file
View File

Binary file not shown.

108
xstream.spec Normal file
View File

@ -0,0 +1,108 @@
Name: xstream
Version: 1.4.9
Release: 9
Summary: A simple library to serialize objects to XML and back again
License: BSD
URL: http://x-stream.github.io/
Source0: https://repo1.maven.org/maven2/com/thoughtworks/%{name}/%{name}-distribution/%{version}/%{name}-distribution-%{version}-src.zip
Patch0: 0001-Prevent-deserialization-of-void.patch
BuildArch: noarch
BuildRequires: maven-local, mvn(cglib:cglib), mvn(dom4j:dom4j), mvn(javassist:javassist), mvn(joda-time:joda-time), mvn(org.slf4j:slf4j-simple)
BuildRequires: mvn(net.sf.kxml:kxml2), mvn(net.sf.kxml:kxml2-min), mvn(org.apache.felix:maven-bundle-plugin), mvn(stax:stax), mvn(stax:stax-api)
BuildRequires: mvn(org.apache.maven.plugins:maven-enforcer-plugin), mvn(org.codehaus.jettison:jettison), mvn(xom:xom), mvn(xpp3:xpp3)
BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin), mvn(org.codehaus.woodstox:woodstox-core-asl), mvn(xpp3:xpp3_min)
BuildRequires: mvn(org.hibernate:hibernate-core), mvn(org.hibernate:hibernate-envers), mvn(org.jdom:jdom), mvn(org.jdom:jdom2)
Provides: %{name}-javadoc%{?_isa} %{name}-javadoc
Obsoletes: %{name}-javadoc
Provides: %{name}-hibernate%{?_isa} %{name}-hibernate
Obsoletes: %{name}-hibernate
Provides: %{name}-benchmark%{?_isa} %{name}-benchmark
Obsoletes: %{name}-benchmark
Provides: %{name}-parent%{?_isa} %{name}-parent
Obsoletes: %{name}-parent
%description
XStream is a simple library to serialize objects to XML and back again, which has the following features:
Ease of use. A high level facade is supplied that simplifies common use cases.
No mappings required. Most objects can be serialized without need for specifying mappings.
Performance. Speed and low memory footprint are a crucial part of the design, making it suitable for large
object graphs or systems with high message throughput.
Clean XML. No information is duplicated that can be obtained via reflection. This results in XML that is
easier to read for humans and more compact than native Java serialization.
Requires no modifications to objects. Serializes internal fields, including private and final. Supports
non-public and inner classes. Classes are not required to have default constructor.
Full object graph support. Duplicate references encountered in the object-model will be maintained. Supports
circular references.
Integrates with other XML APIs. By implementing an interface, XStream can serialize directly to/from any
tree structure (not just XML).
Customizable conversion strategies. Strategies can be registered allowing customization of how particular
types are represented as XML.
Security framework. Fine-control about the unmarshalled types to prevent security issues with manipulated input.
Error messages. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate
and fix the problem.
Alternative output format. The modular design allows other output formats. XStream ships currently with JSON
support and morphing.
%prep
%autosetup -n %{name}-%{version} -p1
find . -name "*.jar" -print -delete
find . -name "*.class" -print -delete
%pom_xpath_remove "pom:project/pom:build/pom:extensions"
%pom_disable_module xstream-jmh
%pom_disable_module xstream-distribution
%pom_remove_plugin :maven-source-plugin
%pom_remove_plugin :maven-eclipse-plugin
%pom_remove_plugin :maven-dependency-plugin
%pom_remove_plugin :maven-release-plugin
%pom_remove_plugin :jxr-maven-plugin
%pom_remove_plugin :xsite-maven-plugin
%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" \
woodstox-core-asl
%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" \
woodstox-core-asl xstream
%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \
cglib
%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \
cglib xstream
%pom_change_dep :xmlpull xpp3:xpp3:1.1.4c xstream
%pom_remove_plugin :maven-javadoc-plugin xstream
%pom_remove_plugin :maven-dependency-plugin xstream
%pom_remove_dep javax.activation:activation xstream
%pom_xpath_set "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \
cglib xstream-hibernate
%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" \
"<scope>test</scope>" xstream-hibernate
%pom_remove_plugin :maven-dependency-plugin xstream-hibernate
%pom_remove_plugin :maven-javadoc-plugin xstream-hibernate
%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" \
"<scope>test</scope>" xstream-benchmark
%pom_remove_plugin :maven-javadoc-plugin xstream-benchmark
%mvn_file :%{name} %{name}/%{name} %{name}
%mvn_file :%{name}-benchmark %{name}/%{name}-benchmark %{name}-benchmark
%mvn_package :%{name}
%build
%mvn_build -f -s
%install
%mvn_install
%files -f .mfiles
%doc README.txt
%license LICENSE.txt
%{_javadir}/*
%{_javadocdir}/%{name}/*
/usr/share/maven*
%changelog
* Mon Dec 9 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.4.9-9
- Package init