upgrade to 1.4.11.1-1

This commit is contained in:
yaokai13 2020-08-17 16:39:33 +08:00
parent d08b0c128a
commit d0af3a64ad
4 changed files with 103 additions and 203 deletions


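--- a/0001-Prevent-deserialization-of-void.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 376175c482a4914c8d288cf663f978dfb5e55849 Mon Sep 17 00:00:00 2001
-From: Michael Simacek <msimacek@redhat.com>
-Date: Wed, 12 Apr 2017 12:19:21 +0200
-Subject: [PATCH] Prevent deserialization of void
----
-.../SunLimitedUnsafeReflectionProvider.java | 22 ++++++++++++--------
-.../xstream/security/PrimitiveTypePermission.java | 5 +++--
-.../acceptance/SecurityVulnerabilityTest.java | 24 +++++++++++++++++++++-
-3 files changed, 39 insertions(+), 12 deletions(-)
-diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
-index 2c569ae..491f0d6 100644
---- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
-@@ -1,6 +1,6 @@
-/*
-* Copyright (C) 2004, 2005 Joe Walnes.
-- * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016 XStream Committers.
-+ * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers.
-* All rights reserved.
-*
-* Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider
-@@ -78,14 +78,18 @@ public class SunLimitedUnsafeReflectionProvider extends PureJavaReflectionProvid
-throw ex;
-}
-ErrorWritingException ex = null;
-- try {
-- return unsafe.allocateInstance(type);
-- } catch (SecurityException e) {
-- ex = new ObjectAccessException("Cannot construct type", e);
-- } catch (InstantiationException e) {
-- ex = new ConversionException("Cannot construct type", e);
-- } catch (IllegalArgumentException e) {
-- ex = new ObjectAccessException("Cannot construct type", e);
-+ if (type == void.class || type == Void.class) {
-+ ex = new ConversionException("Type void cannot have an instance");
-+ } else {
-+ try {
-+ return unsafe.allocateInstance(type);
-+ } catch (SecurityException e) {
-+ ex = new ObjectAccessException("Cannot construct type", e);
-+ } catch (InstantiationException e) {
-+ ex = new ConversionException("Cannot construct type", e);
-+ } catch (IllegalArgumentException e) {
-+ ex = new ObjectAccessException("Cannot construct type", e);
-+ }
-}
-ex.add("construction-type", type.getName());
-throw ex;
-diff --git a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
-index fb69b95..c3cbad9 100644
---- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
-@@ -1,5 +1,5 @@
-/*
-- * Copyright (C) 2014 XStream Committers.
-+ * Copyright (C) 2014, 2017 XStream Committers.
-* All rights reserved.
-*
-* Created on 09. January 2014 by Joerg Schaible
-@@ -8,8 +8,9 @@ package com.thoughtworks.xstream.security;
-import com.thoughtworks.xstream.core.util.Primitives;
-+
-/**
-- * Permission for any primitive type and its boxed counterpart (incl. void).
-+ * Permission for any primitive type and its boxed counterpart (excl. void).
-*
-* @author J&ouml;rg Schaible
-* @since 1.4.7
-diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-index c77b3ce..0180fd7 100644
---- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-@@ -1,5 +1,5 @@
-/*
-- * Copyright (C) 2013, 2014 XStream Committers.
-+ * Copyright (C) 2013, 2014, 2017 XStream Committers.
-* All rights reserved.
-*
-* The software in this package is published under the terms of the BSD
-@@ -13,9 +13,12 @@ package com.thoughtworks.acceptance;
-import java.beans.EventHandler;
-import com.thoughtworks.xstream.XStreamException;
-+import com.thoughtworks.xstream.converters.ConversionException;
-import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
-+import com.thoughtworks.xstream.security.ForbiddenClassException;
-import com.thoughtworks.xstream.security.ProxyTypePermission;
-+
-/**
-* @author J&ouml;rg Schaible
-*/
-@@ -80,4 +83,23 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
-BUFFER.append("Executed!");
-}
-}
-+
-+ public void testDeniedInstanceOfVoid() {
-+ try {
-+ xstream.fromXML("<void/>");
-+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
-+ } catch (final ForbiddenClassException e) {
-+ // OK
-+ }
-+ }
-+
-+ public void testAllowedInstanceOfVoid() {
-+ xstream.allowTypes(void.class, Void.class);
-+ try {
-+ xstream.fromXML("<void/>");
-+ fail("Thrown " + ConversionException.class.getName() + " expected");
-+ } catch (final ConversionException e) {
-+ assertEquals("void", e.get("construction-type"));
-+ }
-+ }
-}
---
-2.9.3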




@ -1,97 +1,109 @@
Name: xstream
Version: 1.4.9
Release: 9
Summary: A simple library to serialize objects to XML and back again
License: BSD
URL: http://x-stream.github.io/
Source0: https://repo1.maven.org/maven2/com/thoughtworks/%{name}/%{name}-distribution/%{version}/%{name}-distribution-%{version}-src.zip
Patch0: 0001-Prevent-deserialization-of-void.patch
BuildArch: noarch
BuildRequires: maven-local, mvn(cglib:cglib), mvn(dom4j:dom4j), mvn(javassist:javassist), mvn(joda-time:joda-time), mvn(org.slf4j:slf4j-simple)
BuildRequires: mvn(net.sf.kxml:kxml2), mvn(net.sf.kxml:kxml2-min), mvn(org.apache.felix:maven-bundle-plugin), mvn(stax:stax), mvn(stax:stax-api)
BuildRequires: mvn(org.apache.maven.plugins:maven-enforcer-plugin), mvn(org.codehaus.jettison:jettison), mvn(xom:xom), mvn(xpp3:xpp3)
BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin), mvn(org.codehaus.woodstox:woodstox-core-asl), mvn(xpp3:xpp3_min)
BuildRequires: mvn(org.hibernate:hibernate-core), mvn(org.hibernate:hibernate-envers), mvn(org.jdom:jdom), mvn(org.jdom:jdom2)
Provides: %{name}-javadoc%{?_isa} %{name}-javadoc
Obsoletes: %{name}-javadoc
Provides: %{name}-hibernate%{?_isa} %{name}-hibernate
Obsoletes: %{name}-hibernate
Provides: %{name}-benchmark%{?_isa} %{name}-benchmark
Obsoletes: %{name}-benchmark
Provides: %{name}-parent%{?_isa} %{name}-parent
Obsoletes: %{name}-parent
%bcond_with jp_minimal
Name: xstream
Version: 1.4.11.1
Release: 1
Summary: Java XML serialization library
License: BSD
URL: http://x-stream.github.io/
BuildArch: noarch
Source0: http://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip
BuildRequires: maven-local mvn(cglib:cglib) mvn(dom4j:dom4j) mvn(javax.xml.bind:jaxb-api)
BuildRequires: mvn(joda-time:joda-time) mvn(net.sf.kxml:kxml2-min)
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-enforcer-plugin)
BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin)
BuildRequires: mvn(org.codehaus.woodstox:woodstox-core-asl) mvn(org.jdom:jdom)
BuildRequires: mvn(org.jdom:jdom2) mvn(stax:stax) mvn(stax:stax-api) mvn(xpp3:xpp3)
BuildRequires: mvn(xpp3:xpp3_min)
%if %{without jp_minimal}
BuildRequires: mvn(javassist:javassist) mvn(org.codehaus.jettison:jettison)
BuildRequires: mvn(org.hibernate:hibernate-core) mvn(org.hibernate:hibernate-envers)
BuildRequires: mvn(org.slf4j:slf4j-simple) mvn(xom:xom)
%endif
%description
XStream is a simple library to serialize objects to XML and back again, which has the following features:
Ease of use. A high level facade is supplied that simplifies common use cases.
No mappings required. Most objects can be serialized without need for specifying mappings.
Performance. Speed and low memory footprint are a crucial part of the design, making it suitable for large
object graphs or systems with high message throughput.
Clean XML. No information is duplicated that can be obtained via reflection. This results in XML that is
easier to read for humans and more compact than native Java serialization.
Requires no modifications to objects. Serializes internal fields, including private and final. Supports
non-public and inner classes. Classes are not required to have default constructor.
Full object graph support. Duplicate references encountered in the object-model will be maintained. Supports
circular references.
Integrates with other XML APIs. By implementing an interface, XStream can serialize directly to/from any
tree structure (not just XML).
Customizable conversion strategies. Strategies can be registered allowing customization of how particular
types are represented as XML.
Security framework. Fine-control about the unmarshalled types to prevent security issues with manipulated input.
Error messages. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate
and fix the problem.
Alternative output format. The modular design allows other output formats. XStream ships currently with JSON
support and morphing.
XStream is a simple library to serialize objects to XML
and back again. A high level facade is supplied that
simplifies common use cases. Custom objects can be serialized
without need for specifying mappings. Speed and low memory
footprint are a crucial part of the design, making it suitable
for large object graphs or systems with high message throughput.
No information is duplicated that can be obtained via reflection.
This results in XML that is easier to read for humans and more
compact than native Java serialization. XStream serializes internal
fields, including private and final. Supports non-public and inner
classes. Classes are not required to have default constructor.
Duplicate references encountered in the object-model will be
maintained. Supports circular references. By implementing an
interface, XStream can serialize directly to/from any tree
structure (not just XML). Strategies can be registered allowing
customization of how particular types are represented as XML.
When an exception occurs due to malformed XML, detailed diagnostics
are provided to help isolate and fix the problem.
%package javadoc
Summary: Javadoc for xstream
%description javadoc
xstream API documentation.
%if %{without jp_minimal}
%package hibernate
Summary: hibernate module for xstream
Requires: xstream = %{version}-%{release}
%description hibernate
hibernate module for xstream.
%endif
%package benchmark
Summary: benchmark module for xstream
Requires: xstream = %{version}-%{release}
%description benchmark
benchmark module for xstream.
%package parent
Summary: Parent POM for xstream
Requires: xstream = %{version}-%{release}
%description parent
Parent POM for xstream.
%prep
%autosetup -n %{name}-%{version} -p1
find . -name "*.jar" -print -delete
%setup -qn xstream-%{version}
find . -name "*.class" -print -delete
%pom_xpath_remove "pom:project/pom:build/pom:extensions"
%pom_disable_module xstream-jmh
find . -name "*.jar" -print -delete
%pom_disable_module xstream-distribution
%pom_disable_module xstream-jmh
%pom_remove_plugin :maven-source-plugin
%pom_remove_plugin :maven-eclipse-plugin
%pom_remove_plugin :maven-dependency-plugin
%pom_remove_plugin :maven-eclipse-plugin
%pom_remove_plugin :maven-release-plugin
%pom_remove_plugin :jxr-maven-plugin
%pom_remove_plugin :xsite-maven-plugin
%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" \
woodstox-core-asl
%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" \
woodstox-core-asl xstream
%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \
cglib
%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \
cglib xstream
%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" woodstox-core-asl
%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" woodstox-core-asl xstream
%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" cglib
%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" cglib xstream
%pom_change_dep :xmlpull xpp3:xpp3:1.1.4c xstream
%pom_remove_plugin :maven-javadoc-plugin xstream
%pom_remove_plugin :maven-dependency-plugin xstream
%pom_remove_plugin :maven-javadoc-plugin xstream
%pom_remove_dep javax.activation:activation xstream
%pom_xpath_set "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \
cglib xstream-hibernate
%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" \
"<scope>test</scope>" xstream-hibernate
%pom_xpath_set "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" cglib xstream-hibernate
%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" "<scope>test</scope>" xstream-hibernate
%pom_remove_plugin :maven-dependency-plugin xstream-hibernate
%pom_remove_plugin :maven-javadoc-plugin xstream-hibernate
%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" \
"<scope>test</scope>" xstream-benchmark
%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" "<scope>test</scope>" xstream-benchmark
%pom_remove_plugin :maven-javadoc-plugin xstream-benchmark
%mvn_file :%{name} %{name}/%{name} %{name}
%mvn_file :%{name}-benchmark %{name}/%{name}-benchmark %{name}-benchmark
%mvn_package :%{name}
%if %{with jp_minimal}
%pom_disable_module xstream-hibernate
%pom_remove_dep -r xom:xom
%pom_remove_dep -r org.codehaus.jettison:jettison
rm xstream/src/java/com/thoughtworks/xstream/io/xml/Xom*
rm xstream/src/java/com/thoughtworks/xstream/io/json/Jettison*
rm xstream-benchmark/src/java/com/thoughtworks/xstream/tools/benchmark/products/XStreamXom.java
%endif
%mvn_file :xstream xstream/xstream xstream
%mvn_file :xstream-benchmark xstream/xstream-benchmark xstream-benchmark
%mvn_package :xstream
%build
%mvn_build -f -s
%mvn_build -f -s -- -Dversion.java.source=8
%install
%mvn_install
@ -99,10 +111,21 @@ cglib xstream-hibernate
%files -f .mfiles
%doc README.txt
%license LICENSE.txt
%{_javadir}/*
%{_javadocdir}/%{name}/*
/usr/share/maven*
%files parent -f .mfiles-xstream-parent
%if %{without jp_minimal}
%files hibernate -f .mfiles-xstream-hibernate
%endif
%files benchmark -f .mfiles-xstream-benchmark
%files javadoc -f .mfiles-javadoc
%license LICENSE.txt
%changelog
* Fri Aug 14 2020 yaokai <yaokai13@huawei.com> - 1.4.11.1-1
- upgrade to 1.4.11.1-1
* Mon Dec 9 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.4.9-9
- Package init
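Review bot: The new Source0 line downgrades the source fetch from `https://repo1.maven.org/...` (old side) to `http://repo1.maven.org/...`, so the upstream source zip now travels over an unauthenticated channel and nothing else in the spec (no checksum, no signature check) pins what gets built; restore `Source0: https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip`. Dropping Patch0 together with the switch from `%autosetup -p1` to `%setup -qn xstream-%{version}` is presumably deliberate because, as far as I recall the upstream release notes, the void-deserialization fix (CVE-2017-7957) is included in XStream 1.4.10 and later, but the changelog entry only says "upgrade"; I would add `- drop 0001-Prevent-deserialization-of-void.patch, included upstream since 1.4.10` so the next maintainer does not read the removal as a lost security patch. If the fix is not in fact in 1.4.11.1, the patch has to be rebased rather than dropped, so please confirm before merging.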