diff --git a/0001-Prevent-deserialization-of-void.patch b/0001-Prevent-deserialization-of-void.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6bb99657196746ccbd0f14144b77de8ec0834d1a
--- /dev/null
+++ b/0001-Prevent-deserialization-of-void.patch
@@ -0,0 +1,123 @@
+From 376175c482a4914c8d288cf663f978dfb5e55849 Mon Sep 17 00:00:00 2001
+From: Michael Simacek
+Date: Wed, 12 Apr 2017 12:19:21 +0200
+Subject: [PATCH] Prevent deserialization of void
+
+---
+ .../SunLimitedUnsafeReflectionProvider.java | 22 ++++++++++++--------
+ .../xstream/security/PrimitiveTypePermission.java | 5 +++--
+ .../acceptance/SecurityVulnerabilityTest.java | 24 +++++++++++++++++++++-
+ 3 files changed, 39 insertions(+), 12 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+index 2c569ae..491f0d6 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2004, 2005 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016 XStream Committers.
++ * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers.
+ * All rights reserved.
+ *
+ * Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider
+@@ -78,14 +78,18 @@ public class SunLimitedUnsafeReflectionProvider extends PureJavaReflectionProvid
+ throw ex;
+ }
+ ErrorWritingException ex = null;
+- try {
+- return unsafe.allocateInstance(type);
+- } catch (SecurityException e) {
+- ex = new ObjectAccessException("Cannot construct type", e);
+- } catch (InstantiationException e) {
+- ex = new ConversionException("Cannot construct type", e);
+- } catch (IllegalArgumentException e) {
+- ex = new ObjectAccessException("Cannot construct type", e);
++ if (type == void.class || type == Void.class) {
++ ex = new ConversionException("Type void cannot have an instance");
++ } else {
++ try {
++ return unsafe.allocateInstance(type);
++ } catch (SecurityException e) {
++ ex = new ObjectAccessException("Cannot construct type", e);
++ } catch (InstantiationException e) {
++ ex = new ConversionException("Cannot construct type", e);
++ } catch (IllegalArgumentException e) {
++ ex = new ObjectAccessException("Cannot construct type", e);
++ }
+ }
+ ex.add("construction-type", type.getName());
+ throw ex;
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+index fb69b95..c3cbad9 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
++++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2014 XStream Committers.
++ * Copyright (C) 2014, 2017 XStream Committers.
+ * All rights reserved.
+ *
+ * Created on 09. January 2014 by Joerg Schaible
+@@ -8,8 +8,9 @@ package com.thoughtworks.xstream.security;
+
+ import com.thoughtworks.xstream.core.util.Primitives;
+
++
+ /**
+- * Permission for any primitive type and its boxed counterpart (incl. void).
++ * Permission for any primitive type and its boxed counterpart (excl. void).
+ *
+ * @author Jörg Schaible
+ * @since 1.4.7
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index c77b3ce..0180fd7 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013, 2014 XStream Committers.
++ * Copyright (C) 2013, 2014, 2017 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -13,9 +13,12 @@ package com.thoughtworks.acceptance;
+ import java.beans.EventHandler;
+
+ import com.thoughtworks.xstream.XStreamException;
++import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
++import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+
++
+ /**
+ * @author Jörg Schaible
+ */
+@@ -80,4 +83,23 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ BUFFER.append("Executed!");
+ }
+ }
++
++ public void testDeniedInstanceOfVoid() {
++ try {
++ xstream.fromXML("");
++ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++ } catch (final ForbiddenClassException e) {
++ // OK
++ }
++ }
++
++ public void testAllowedInstanceOfVoid() {
++ xstream.allowTypes(void.class, Void.class);
++ try {
++ xstream.fromXML("");
++ fail("Thrown " + ConversionException.class.getName() + " expected");
++ } catch (final ConversionException e) {
++ assertEquals("void", e.get("construction-type"));
++ }
++ }
+ }
+--
+2.9.3
+
diff --git a/README.en.md b/README.en.md
deleted file mode 100644
index 7fdf9c7a57eb6a17f6d2430a6c56a5c846433a0f..0000000000000000000000000000000000000000
--- a/README.en.md
+++ /dev/null
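Review bot: The Javadoc of PrimitiveTypePermission is changed to say `(excl. void)`, but the diffstat for that file (`5 +++--`) is fully accounted for by the copyright line, the added blank line and this Javadoc line, so the permission's own code is untouched and the exclusion appears to rest solely on the `type == void.class || type == Void.class` guard added in SunLimitedUnsafeReflectionProvider; the comment should say where the rejection actually happens, e.g. `(void is rejected at instantiation time by the reflection provider)`, so nobody relies on the permission alone. As rendered here both new tests call `xstream.fromXML("")`; an empty document cannot reach the void guard, so the stored patch presumably carries a void element inside that literal — worth confirming, since these two tests are the only evidence that the guard and the `construction-type` diagnostic work. The guard is only visible in the Unsafe-based provider; whether the other reflection providers in the tree can still hand out a void instance is not shown by this hunk.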
@@ -1,36 +0,0 @@
-# xstream
-
-#### Description
-{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
-
-#### Software Architecture
-Software architecture description
-
-#### Installation
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Instructions
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### Contribution
-
-1. Fork the repository
-2. Create Feat_xxx branch
-3. Commit your code
-4. Create Pull Request
-
-
-#### Gitee Feature
-
-1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
-2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
-3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
-4. The most valuable open source project [GVP](https://gitee.com/gvp)
-5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
-6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/README.md b/README.md
deleted file mode 100644
index c94e78dab4c0c3094c451517e62b264c462a4f21..0000000000000000000000000000000000000000
--- a/README.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# xstream
-
-#### 介绍
-{**以下是码云平台说明,您可以替换此简介**
-码云是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN)。专为开发者提供稳定、高效、安全的云端软件开发协作平台
-无论是个人、团队、或是企业,都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
-
-#### 软件架构
-软件架构说明
-
-
-#### 安装教程
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 使用说明
-
-1. xxxx
-2. xxxx
-3. xxxx
-
-#### 参与贡献
-
-1. Fork 本仓库
-2. 新建 Feat_xxx 分支
-3. 提交代码
-4. 新建 Pull Request
-
-
-#### 码云特技
-
-1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
-2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com)
-3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
-4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目
-5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
-6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
diff --git a/xstream-distribution-1.4.9-src.zip b/xstream-distribution-1.4.9-src.zip
new file mode 100644
index 0000000000000000000000000000000000000000..41ef57d5df394779d3bc01d8bdb834d319edd12b
Binary files /dev/null and b/xstream-distribution-1.4.9-src.zip differ
diff --git a/xstream.spec b/xstream.spec
new file mode 100644
index 0000000000000000000000000000000000000000..32ad51508e5a23d3ff336992363aedfec30a6a67
--- /dev/null
+++ b/xstream.spec
@@ -0,0 +1,108 @@
+Name: xstream
+Version: 1.4.9
+Release: 9
+Summary: A simple library to serialize objects to XML and back again
+License: BSD
+URL: http://x-stream.github.io/
+Source0: https://repo1.maven.org/maven2/com/thoughtworks/%{name}/%{name}-distribution/%{version}/%{name}-distribution-%{version}-src.zip
+Patch0: 0001-Prevent-deserialization-of-void.patch
+BuildArch: noarch
+
+BuildRequires: maven-local, mvn(cglib:cglib), mvn(dom4j:dom4j), mvn(javassist:javassist), mvn(joda-time:joda-time), mvn(org.slf4j:slf4j-simple)
+BuildRequires: mvn(net.sf.kxml:kxml2), mvn(net.sf.kxml:kxml2-min), mvn(org.apache.felix:maven-bundle-plugin), mvn(stax:stax), mvn(stax:stax-api)
+BuildRequires: mvn(org.apache.maven.plugins:maven-enforcer-plugin), mvn(org.codehaus.jettison:jettison), mvn(xom:xom), mvn(xpp3:xpp3)
+BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin), mvn(org.codehaus.woodstox:woodstox-core-asl), mvn(xpp3:xpp3_min)
+BuildRequires: mvn(org.hibernate:hibernate-core), mvn(org.hibernate:hibernate-envers), mvn(org.jdom:jdom), mvn(org.jdom:jdom2)
+Provides: %{name}-javadoc%{?_isa} %{name}-javadoc
+Obsoletes: %{name}-javadoc
+Provides: %{name}-hibernate%{?_isa} %{name}-hibernate
+Obsoletes: %{name}-hibernate
+Provides: %{name}-benchmark%{?_isa} %{name}-benchmark
+Obsoletes: %{name}-benchmark
+Provides: %{name}-parent%{?_isa} %{name}-parent
+Obsoletes: %{name}-parent
+
+%description
+XStream is a simple library to serialize objects to XML and back again, which has the following features:
+Ease of use. A high level facade is supplied that simplifies common use cases.
+No mappings required. Most objects can be serialized without need for specifying mappings.
+Performance. Speed and low memory footprint are a crucial part of the design, making it suitable for large
+object graphs or systems with high message throughput.
+Clean XML. No information is duplicated that can be obtained via reflection. This results in XML that is
+easier to read for humans and more compact than native Java serialization.
+Requires no modifications to objects. Serializes internal fields, including private and final. Supports
+non-public and inner classes. Classes are not required to have default constructor.
+Full object graph support. Duplicate references encountered in the object-model will be maintained. Supports
+circular references.
+Integrates with other XML APIs. By implementing an interface, XStream can serialize directly to/from any
+tree structure (not just XML).
+Customizable conversion strategies. Strategies can be registered allowing customization of how particular
+types are represented as XML.
+Security framework. Fine-control about the unmarshalled types to prevent security issues with manipulated input.
+Error messages. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate
+and fix the problem.
+Alternative output format. The modular design allows other output formats. XStream ships currently with JSON
+support and morphing.
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+find . -name "*.jar" -print -delete
+find . -name "*.class" -print -delete
+
+%pom_xpath_remove "pom:project/pom:build/pom:extensions"
+%pom_disable_module xstream-jmh
+%pom_disable_module xstream-distribution
+
+%pom_remove_plugin :maven-source-plugin
+%pom_remove_plugin :maven-eclipse-plugin
+%pom_remove_plugin :maven-dependency-plugin
+%pom_remove_plugin :maven-release-plugin
+%pom_remove_plugin :jxr-maven-plugin
+%pom_remove_plugin :xsite-maven-plugin
+
+%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" \
+woodstox-core-asl
+%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" \
+woodstox-core-asl xstream
+%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \
+cglib
+%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \
+cglib xstream
+
+%pom_change_dep :xmlpull xpp3:xpp3:1.1.4c xstream
+%pom_remove_plugin :maven-javadoc-plugin xstream
+%pom_remove_plugin :maven-dependency-plugin xstream
+%pom_remove_dep javax.activation:activation xstream
+
+%pom_xpath_set "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \
+cglib xstream-hibernate
+%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" \
+"test" xstream-hibernate
+%pom_remove_plugin :maven-dependency-plugin xstream-hibernate
+%pom_remove_plugin :maven-javadoc-plugin xstream-hibernate
+
+%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" \
+"test" xstream-benchmark
+%pom_remove_plugin :maven-javadoc-plugin xstream-benchmark
+
+%mvn_file :%{name} %{name}/%{name} %{name}
+%mvn_file :%{name}-benchmark %{name}/%{name}-benchmark %{name}-benchmark
+
+%mvn_package :%{name}
+
+%build
+%mvn_build -f -s
+
+%install
+%mvn_install
+
+%files -f .mfiles
+%doc README.txt
+%license LICENSE.txt
+%{_javadir}/*
+%{_javadocdir}/%{name}/*
+/usr/share/maven*
+
+%changelog
+* Mon Dec 9 2019 openEuler Buildteam - 1.4.9-9
+- Package init
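Review bot: `%mvn_build -f -s` in %build skips the test suite, so the two regression tests that Patch0 adds to SecurityVulnerabilityTest (testDeniedInstanceOfVoid and testAllowedInstanceOfVoid) never execute during the package build, and the void guard the patch is meant to provide is unverified at build time. If tests have to stay off, record the reason beside the line, e.g. `# -f: test suite skipped; Patch0's void regression tests are not exercised in this build`, and consider running at least that test class in a %check section. Patch0 is also the only change applied on top of the 1.4.9 source; later upstream releases carry further fixes in the same deserialization area, and whether any of those need backporting is not something the spec itself shows. `/usr/share/maven*` in %files is a literal path with an open glob where `%{_datadir}/maven*` would at least follow the macro convention used by the other entries.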