upgrade to 1.4.11.1-1

2020-08-17 16:39:33 +08:00 · 2020-08-17 16:39:33 +08:00 · d0af3a64ad
commit d0af3a64ad
parent d08b0c128a
4 changed files with 103 additions and 203 deletions
--- a/0001-Prevent-deserialization-of-void.patch
+++ b/0001-Prevent-deserialization-of-void.patch
@ -1,123 +0,0 @@
 From 376175c482a4914c8d288cf663f978dfb5e55849 Mon Sep 17 00:00:00 2001
 From: Michael Simacek <msimacek@redhat.com>
 Date: Wed, 12 Apr 2017 12:19:21 +0200
 Subject: [PATCH] Prevent deserialization of void
 ---
 .../SunLimitedUnsafeReflectionProvider.java        | 22 ++++++++++++--------
 .../xstream/security/PrimitiveTypePermission.java  |  5 +++--
 .../acceptance/SecurityVulnerabilityTest.java      | 24 +++++++++++++++++++++-
 3 files changed, 39 insertions(+), 12 deletions(-)
 diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
 index 2c569ae..491f0d6 100644
 --- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
 +++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004, 2005 Joe Walnes.
 - * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016 XStream Committers.
 + * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers.
  * All rights reserved.
  *
  * Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider
@@ -78,14 +78,18 @@ public class SunLimitedUnsafeReflectionProvider extends PureJavaReflectionProvid
             throw ex;
         }
         ErrorWritingException ex = null;
 -        try {
 -            return unsafe.allocateInstance(type);
 -        } catch (SecurityException e) {
 -            ex = new ObjectAccessException("Cannot construct type", e);
 -        } catch (InstantiationException e) {
 -            ex =  new ConversionException("Cannot construct type", e);
 -        } catch (IllegalArgumentException e) {
 -            ex = new ObjectAccessException("Cannot construct type", e);
 +        if (type == void.class || type == Void.class) {
 +            ex = new ConversionException("Type void cannot have an instance");
 +        } else {
 +            try {
 +                return unsafe.allocateInstance(type);
 +            } catch (SecurityException e) {
 +                ex = new ObjectAccessException("Cannot construct type", e);
 +            } catch (InstantiationException e) {
 +                ex =  new ConversionException("Cannot construct type", e);
 +            } catch (IllegalArgumentException e) {
 +                ex = new ObjectAccessException("Cannot construct type", e);
 +            }
         }
         ex.add("construction-type", type.getName());
         throw ex;
 diff --git a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
 index fb69b95..c3cbad9 100644
 --- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
 +++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
@@ -1,5 +1,5 @@
 /*
 - * Copyright (C) 2014 XStream Committers.
 + * Copyright (C) 2014, 2017 XStream Committers.
  * All rights reserved.
  *
  * Created on 09. January 2014 by Joerg Schaible
@@ -8,8 +8,9 @@ package com.thoughtworks.xstream.security;
 import com.thoughtworks.xstream.core.util.Primitives;
 +
 /**
 - * Permission for any primitive type and its boxed counterpart (incl. void).
 + * Permission for any primitive type and its boxed counterpart (excl. void).
  * 
  * @author J&ouml;rg Schaible
  * @since 1.4.7
 diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
 index c77b3ce..0180fd7 100644
 --- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
 +++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
 /*
 - * Copyright (C) 2013, 2014 XStream Committers.
 + * Copyright (C) 2013, 2014, 2017 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -13,9 +13,12 @@ package com.thoughtworks.acceptance;
 import java.beans.EventHandler;
 import com.thoughtworks.xstream.XStreamException;
 +import com.thoughtworks.xstream.converters.ConversionException;
 import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
 +import com.thoughtworks.xstream.security.ForbiddenClassException;
 import com.thoughtworks.xstream.security.ProxyTypePermission;
 +
 /**
  * @author J&ouml;rg Schaible
  */
@@ -80,4 +83,23 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
             BUFFER.append("Executed!");
         }
     }
 +
 +    public void testDeniedInstanceOfVoid() {
 +        try {
 +            xstream.fromXML("<void/>");
 +            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
 +        } catch (final ForbiddenClassException e) {
 +            // OK
 +        }
 +    }
 +
 +    public void testAllowedInstanceOfVoid() {
 +        xstream.allowTypes(void.class, Void.class);
 +        try {
 +            xstream.fromXML("<void/>");
 +            fail("Thrown " + ConversionException.class.getName() + " expected");
 +        } catch (final ConversionException e) {
 +            assertEquals("void", e.get("construction-type"));
 +        }
 +    }
 }
 -- 
 2.9.3
--- a/xstream-distribution-1.4.11.1-src.zip
+++ b/xstream-distribution-1.4.11.1-src.zip
--- a/xstream-distribution-1.4.9-src.zip
+++ b/xstream-distribution-1.4.9-src.zip
--- a/xstream.spec
+++ b/xstream.spec
@ -1,97 +1,109 @@
 %bcond_with jp_minimal
 Name:                xstream
-Version:       1.4.9
+Version:             1.4.11.1
-Release:       9
+Release:             1
-Summary:       A simple library to serialize objects to XML and back again
+Summary:             Java XML serialization library
 License:             BSD
 URL:                 http://x-stream.github.io/
 Source0:       https://repo1.maven.org/maven2/com/thoughtworks/%{name}/%{name}-distribution/%{version}/%{name}-distribution-%{version}-src.zip
 Patch0:        0001-Prevent-deserialization-of-void.patch
 BuildArch:           noarch
-
+Source0:             http://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip
-BuildRequires: maven-local, mvn(cglib:cglib), mvn(dom4j:dom4j), mvn(javassist:javassist), mvn(joda-time:joda-time), mvn(org.slf4j:slf4j-simple)
+BuildRequires:       maven-local mvn(cglib:cglib) mvn(dom4j:dom4j) mvn(javax.xml.bind:jaxb-api)
-BuildRequires: mvn(net.sf.kxml:kxml2), mvn(net.sf.kxml:kxml2-min), mvn(org.apache.felix:maven-bundle-plugin), mvn(stax:stax), mvn(stax:stax-api)
+BuildRequires:       mvn(joda-time:joda-time) mvn(net.sf.kxml:kxml2-min)
-BuildRequires: mvn(org.apache.maven.plugins:maven-enforcer-plugin), mvn(org.codehaus.jettison:jettison), mvn(xom:xom), mvn(xpp3:xpp3)
+BuildRequires:       mvn(org.apache.felix:maven-bundle-plugin)
-BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin), mvn(org.codehaus.woodstox:woodstox-core-asl), mvn(xpp3:xpp3_min)
+BuildRequires:       mvn(org.apache.maven.plugins:maven-enforcer-plugin)
-BuildRequires: mvn(org.hibernate:hibernate-core), mvn(org.hibernate:hibernate-envers), mvn(org.jdom:jdom), mvn(org.jdom:jdom2)
+BuildRequires:       mvn(org.codehaus.mojo:build-helper-maven-plugin)
-Provides:      %{name}-javadoc%{?_isa} %{name}-javadoc
+BuildRequires:       mvn(org.codehaus.woodstox:woodstox-core-asl) mvn(org.jdom:jdom)
-Obsoletes:     %{name}-javadoc
+BuildRequires:       mvn(org.jdom:jdom2) mvn(stax:stax) mvn(stax:stax-api) mvn(xpp3:xpp3)
-Provides:      %{name}-hibernate%{?_isa} %{name}-hibernate
+BuildRequires:       mvn(xpp3:xpp3_min)
-Obsoletes:     %{name}-hibernate
+%if %{without jp_minimal}
-Provides:      %{name}-benchmark%{?_isa} %{name}-benchmark
+BuildRequires:       mvn(javassist:javassist) mvn(org.codehaus.jettison:jettison)
-Obsoletes:     %{name}-benchmark
+BuildRequires:       mvn(org.hibernate:hibernate-core) mvn(org.hibernate:hibernate-envers)
-Provides:      %{name}-parent%{?_isa} %{name}-parent
+BuildRequires:       mvn(org.slf4j:slf4j-simple) mvn(xom:xom)
-Obsoletes:     %{name}-parent
+%endif
 %description
-XStream is a simple library to serialize objects to XML and back again, which has the following features:
+XStream is a simple library to serialize objects to XML
-Ease of use. A high level facade is supplied that simplifies common use cases.
+and back again. A high level facade is supplied that
-No mappings required. Most objects can be serialized without need for specifying mappings.
+simplifies common use cases. Custom objects can be serialized
-Performance. Speed and low memory footprint are a crucial part of the design, making it suitable for large
+without need for specifying mappings. Speed and low memory
-object graphs or systems with high message throughput.
+footprint are a crucial part of the design, making it suitable
-Clean XML. No information is duplicated that can be obtained via reflection. This results in XML that is
+for large object graphs or systems with high message throughput.
-easier to read for humans and more compact than native Java serialization.
+No information is duplicated that can be obtained via reflection.
-Requires no modifications to objects. Serializes internal fields, including private and final. Supports
+This results in XML that is easier to read for humans and more
-non-public and inner classes. Classes are not required to have default constructor.
+compact than native Java serialization. XStream serializes internal
-Full object graph support. Duplicate references encountered in the object-model will be maintained. Supports
+fields, including private and final. Supports non-public and inner
-circular references.
+classes. Classes are not required to have default constructor.
-Integrates with other XML APIs. By implementing an interface, XStream can serialize directly to/from any
+Duplicate references encountered in the object-model will be
-tree structure (not just XML).
+maintained. Supports circular references. By implementing an
-Customizable conversion strategies. Strategies can be registered allowing customization of how particular
+interface, XStream can serialize directly to/from any tree
-types are represented as XML.
+structure (not just XML). Strategies can be registered allowing
-Security framework. Fine-control about the unmarshalled types to prevent security issues with manipulated input.
+customization of how particular types are represented as XML.
-Error messages. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate
+When an exception occurs due to malformed XML, detailed diagnostics
-and fix the problem.
+are provided to help isolate and fix the problem.
-Alternative output format. The modular design allows other output formats. XStream ships currently with JSON
+
-support and morphing.
+%package        javadoc
 Summary:             Javadoc for xstream
 %description    javadoc
 xstream API documentation.
 %if %{without jp_minimal}
 %package        hibernate
 Summary:             hibernate module for xstream
 Requires:            xstream = %{version}-%{release}
 %description    hibernate
 hibernate module for xstream.
 %endif
 %package        benchmark
 Summary:             benchmark module for xstream
 Requires:            xstream = %{version}-%{release}
 %description    benchmark
 benchmark module for xstream.
 %package parent
 Summary:             Parent POM for xstream
 Requires:            xstream = %{version}-%{release}
 %description parent
 Parent POM for xstream.
 %prep
-%autosetup -n %{name}-%{version} -p1
+%setup -qn xstream-%{version}
 find . -name "*.jar" -print -delete
 find . -name "*.class" -print -delete
-
+find . -name "*.jar" -print -delete
 %pom_xpath_remove "pom:project/pom:build/pom:extensions"
 %pom_disable_module xstream-jmh
 %pom_disable_module xstream-distribution
-
+%pom_disable_module xstream-jmh
 %pom_remove_plugin :maven-source-plugin
 %pom_remove_plugin :maven-eclipse-plugin
 %pom_remove_plugin :maven-dependency-plugin
 %pom_remove_plugin :maven-eclipse-plugin
 %pom_remove_plugin :maven-release-plugin
 %pom_remove_plugin :jxr-maven-plugin
 %pom_remove_plugin :xsite-maven-plugin
-
+%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" woodstox-core-asl
-%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" \
+%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" woodstox-core-asl xstream
-woodstox-core-asl
+%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" cglib
-%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" \
+%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" cglib xstream
 woodstox-core-asl xstream
 %pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \
 cglib
 %pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \
 cglib xstream
 %pom_change_dep :xmlpull xpp3:xpp3:1.1.4c xstream
 %pom_remove_plugin :maven-javadoc-plugin xstream
 %pom_remove_plugin :maven-dependency-plugin xstream
 %pom_remove_plugin :maven-javadoc-plugin xstream
 %pom_remove_dep javax.activation:activation xstream
-
+%pom_xpath_set "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" cglib xstream-hibernate
-%pom_xpath_set "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \
+%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" "<scope>test</scope>" xstream-hibernate
 cglib xstream-hibernate
 %pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" \
 "<scope>test</scope>" xstream-hibernate
 %pom_remove_plugin :maven-dependency-plugin xstream-hibernate
 %pom_remove_plugin :maven-javadoc-plugin xstream-hibernate
-
+%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" "<scope>test</scope>" xstream-benchmark
 %pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" \
 "<scope>test</scope>" xstream-benchmark
 %pom_remove_plugin :maven-javadoc-plugin xstream-benchmark
-
+%if %{with jp_minimal}
-%mvn_file :%{name} %{name}/%{name} %{name}
+%pom_disable_module xstream-hibernate
-%mvn_file :%{name}-benchmark %{name}/%{name}-benchmark %{name}-benchmark
+%pom_remove_dep -r xom:xom
-
+%pom_remove_dep -r org.codehaus.jettison:jettison
-%mvn_package :%{name}
+rm xstream/src/java/com/thoughtworks/xstream/io/xml/Xom*
 rm xstream/src/java/com/thoughtworks/xstream/io/json/Jettison*
 rm xstream-benchmark/src/java/com/thoughtworks/xstream/tools/benchmark/products/XStreamXom.java
 %endif
 %mvn_file :xstream xstream/xstream xstream
 %mvn_file :xstream-benchmark xstream/xstream-benchmark xstream-benchmark
 %mvn_package :xstream
 %build
-%mvn_build -f -s
+%mvn_build -f -s -- -Dversion.java.source=8
 %install
 %mvn_install
@ -99,10 +111,21 @@ cglib xstream-hibernate
 %files -f .mfiles
 %doc README.txt
 %license LICENSE.txt
-%{_javadir}/*
+
-%{_javadocdir}/%{name}/*
+%files parent -f .mfiles-xstream-parent
-/usr/share/maven*
+%if %{without jp_minimal}
 %files hibernate -f .mfiles-xstream-hibernate
 %endif
 %files benchmark -f .mfiles-xstream-benchmark
 %files javadoc -f .mfiles-javadoc
 %license LICENSE.txt
 %changelog
 * Fri Aug 14 2020 yaokai <yaokai13@huawei.com> - 1.4.11.1-1
 - upgrade to 1.4.11.1-1
 * Mon Dec 9 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.4.9-9
 - Package init