diff --git a/0001-Prevent-deserialization-of-void.patch b/0001-Prevent-deserialization-of-void.patch
deleted file mode 100644
index 6bb99657196746ccbd0f14144b77de8ec0834d1a..0000000000000000000000000000000000000000
--- a/0001-Prevent-deserialization-of-void.patch
+++ /dev/null
@@ -1,123 +0,0 @@ -From 376175c482a4914c8d288cf663f978dfb5e55849 Mon Sep 17 00:00:00 2001 -From: Michael Simacek -Date: Wed, 12 Apr 2017 12:19:21 +0200 -Subject: [PATCH] Prevent deserialization of void - ---- - .../SunLimitedUnsafeReflectionProvider.java | 22 ++++++++++++-------- - .../xstream/security/PrimitiveTypePermission.java | 5 +++-- - .../acceptance/SecurityVulnerabilityTest.java | 24 +++++++++++++++++++++- - 3 files changed, 39 insertions(+), 12 deletions(-) - -diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java -index 2c569ae..491f0d6 100644 ---- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java -+++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java -@@ -1,6 +1,6 @@ - /* - * Copyright (C) 2004, 2005 Joe Walnes. -- * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016 XStream Committers. -+ * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers. - * All rights reserved. - * - * Created on 08. 
January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider -@@ -78,14 +78,18 @@ public class SunLimitedUnsafeReflectionProvider extends PureJavaReflectionProvid - throw ex; - } - ErrorWritingException ex = null; -- try { -- return unsafe.allocateInstance(type); -- } catch (SecurityException e) { -- ex = new ObjectAccessException("Cannot construct type", e); -- } catch (InstantiationException e) { -- ex = new ConversionException("Cannot construct type", e); -- } catch (IllegalArgumentException e) { -- ex = new ObjectAccessException("Cannot construct type", e); -+ if (type == void.class || type == Void.class) { -+ ex = new ConversionException("Type void cannot have an instance"); -+ } else { -+ try { -+ return unsafe.allocateInstance(type); -+ } catch (SecurityException e) { -+ ex = new ObjectAccessException("Cannot construct type", e); -+ } catch (InstantiationException e) { -+ ex = new ConversionException("Cannot construct type", e); -+ } catch (IllegalArgumentException e) { -+ ex = new ObjectAccessException("Cannot construct type", e); -+ } - } - ex.add("construction-type", type.getName()); - throw ex; -diff --git a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java -index fb69b95..c3cbad9 100644 ---- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java -+++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2014 XStream Committers. -+ * Copyright (C) 2014, 2017 XStream Committers. - * All rights reserved. - * - * Created on 09. January 2014 by Joerg Schaible -@@ -8,8 +8,9 @@ package com.thoughtworks.xstream.security; - - import com.thoughtworks.xstream.core.util.Primitives; - -+ - /** -- * Permission for any primitive type and its boxed counterpart (incl. void). -+ * Permission for any primitive type and its boxed counterpart (excl. 
void). - * - * @author Jörg Schaible - * @since 1.4.7 -diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java -index c77b3ce..0180fd7 100644 ---- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java -+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2013, 2014 XStream Committers. -+ * Copyright (C) 2013, 2014, 2017 XStream Committers. - * All rights reserved. - * - * The software in this package is published under the terms of the BSD -@@ -13,9 +13,12 @@ package com.thoughtworks.acceptance; - import java.beans.EventHandler; - - import com.thoughtworks.xstream.XStreamException; -+import com.thoughtworks.xstream.converters.ConversionException; - import com.thoughtworks.xstream.converters.reflection.ReflectionConverter; -+import com.thoughtworks.xstream.security.ForbiddenClassException; - import com.thoughtworks.xstream.security.ProxyTypePermission; - -+ - /** - * @author Jörg Schaible - */ -@@ -80,4 +83,23 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest { - BUFFER.append("Executed!"); - } - } -+ -+ public void testDeniedInstanceOfVoid() { -+ try { -+ xstream.fromXML(""); -+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected"); -+ } catch (final ForbiddenClassException e) { -+ // OK -+ } -+ } -+ -+ public void testAllowedInstanceOfVoid() { -+ xstream.allowTypes(void.class, Void.class); -+ try { -+ xstream.fromXML(""); -+ fail("Thrown " + ConversionException.class.getName() + " expected"); -+ } catch (final ConversionException e) { -+ assertEquals("void", e.get("construction-type")); -+ } -+ } - } --- -2.9.3 - 
diff --git a/xstream-distribution-1.4.9-src.zip b/xstream-distribution-1.4.11.1-src.zip
similarity index 44%
rename from xstream-distribution-1.4.9-src.zip
rename to xstream-distribution-1.4.11.1-src.zip
index 41ef57d5df394779d3bc01d8bdb834d319edd12b..097d5f96bfd61504d59ae243b198e9fda5ae5485 100644
Binary files a/xstream-distribution-1.4.9-src.zip and b/xstream-distribution-1.4.11.1-src.zip differ
diff --git a/xstream.spec b/xstream.spec
index 32ad51508e5a23d3ff336992363aedfec30a6a67..00f92c22e545ba06abbd5b8c4c4b6e9c8ac82a33 100644
--- a/xstream.spec
+++ b/xstream.spec
@@ -1,97 +1,109 @@ -Name: xstream -Version: 1.4.9 -Release: 9 -Summary: A simple library to serialize objects to XML and back again -License: BSD -URL: http://x-stream.github.io/ -Source0: https://repo1.maven.org/maven2/com/thoughtworks/%{name}/%{name}-distribution/%{version}/%{name}-distribution-%{version}-src.zip -Patch0: 0001-Prevent-deserialization-of-void.patch -BuildArch: noarch +%bcond_with jp_minimal +Name: xstream +Version: 1.4.11.1 +Release: 1 +Summary: Java XML serialization library +License: BSD +URL: http://x-stream.github.io/ +BuildArch: noarch +Source0: http://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip +BuildRequires: maven-local mvn(cglib:cglib) mvn(dom4j:dom4j) mvn(javax.xml.bind:jaxb-api) +BuildRequires: mvn(joda-time:joda-time) mvn(net.sf.kxml:kxml2-min) +BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) +BuildRequires: mvn(org.apache.maven.plugins:maven-enforcer-plugin) +BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin) +BuildRequires: mvn(org.codehaus.woodstox:woodstox-core-asl) mvn(org.jdom:jdom) +BuildRequires: mvn(org.jdom:jdom2) mvn(stax:stax) mvn(stax:stax-api) mvn(xpp3:xpp3) +BuildRequires: mvn(xpp3:xpp3_min) +%if %{without jp_minimal} +BuildRequires: mvn(javassist:javassist) mvn(org.codehaus.jettison:jettison) +BuildRequires: mvn(org.hibernate:hibernate-core) mvn(org.hibernate:hibernate-envers) +BuildRequires: mvn(org.slf4j:slf4j-simple) mvn(xom:xom) +%endif +%description +XStream is a simple library to serialize objects to XML +and back again. A high level facade is supplied that +simplifies common use cases. Custom objects can be serialized +without need for specifying mappings. Speed and low memory +footprint are a crucial part of the design, making it suitable +for large object graphs or systems with high message throughput. +No information is duplicated that can be obtained via reflection. 
+This results in XML that is easier to read for humans and more +compact than native Java serialization. XStream serializes internal +fields, including private and final. Supports non-public and inner +classes. Classes are not required to have default constructor. +Duplicate references encountered in the object-model will be +maintained. Supports circular references. By implementing an +interface, XStream can serialize directly to/from any tree +structure (not just XML). Strategies can be registered allowing +customization of how particular types are represented as XML. +When an exception occurs due to malformed XML, detailed diagnostics +are provided to help isolate and fix the problem. -BuildRequires: maven-local, mvn(cglib:cglib), mvn(dom4j:dom4j), mvn(javassist:javassist), mvn(joda-time:joda-time), mvn(org.slf4j:slf4j-simple) -BuildRequires: mvn(net.sf.kxml:kxml2), mvn(net.sf.kxml:kxml2-min), mvn(org.apache.felix:maven-bundle-plugin), mvn(stax:stax), mvn(stax:stax-api) -BuildRequires: mvn(org.apache.maven.plugins:maven-enforcer-plugin), mvn(org.codehaus.jettison:jettison), mvn(xom:xom), mvn(xpp3:xpp3) -BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin), mvn(org.codehaus.woodstox:woodstox-core-asl), mvn(xpp3:xpp3_min) -BuildRequires: mvn(org.hibernate:hibernate-core), mvn(org.hibernate:hibernate-envers), mvn(org.jdom:jdom), mvn(org.jdom:jdom2) -Provides: %{name}-javadoc%{?_isa} %{name}-javadoc -Obsoletes: %{name}-javadoc -Provides: %{name}-hibernate%{?_isa} %{name}-hibernate -Obsoletes: %{name}-hibernate -Provides: %{name}-benchmark%{?_isa} %{name}-benchmark -Obsoletes: %{name}-benchmark -Provides: %{name}-parent%{?_isa} %{name}-parent -Obsoletes: %{name}-parent +%package javadoc +Summary: Javadoc for xstream +%description javadoc +xstream API documentation. +%if %{without jp_minimal} -%description -XStream is a simple library to serialize objects to XML and back again, which has the following features: -Ease of use. 
A high level facade is supplied that simplifies common use cases. -No mappings required. Most objects can be serialized without need for specifying mappings. -Performance. Speed and low memory footprint are a crucial part of the design, making it suitable for large -object graphs or systems with high message throughput. -Clean XML. No information is duplicated that can be obtained via reflection. This results in XML that is -easier to read for humans and more compact than native Java serialization. -Requires no modifications to objects. Serializes internal fields, including private and final. Supports -non-public and inner classes. Classes are not required to have default constructor. -Full object graph support. Duplicate references encountered in the object-model will be maintained. Supports -circular references. -Integrates with other XML APIs. By implementing an interface, XStream can serialize directly to/from any -tree structure (not just XML). -Customizable conversion strategies. Strategies can be registered allowing customization of how particular -types are represented as XML. -Security framework. Fine-control about the unmarshalled types to prevent security issues with manipulated input. -Error messages. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate -and fix the problem. -Alternative output format. The modular design allows other output formats. XStream ships currently with JSON -support and morphing. +%package hibernate +Summary: hibernate module for xstream +Requires: xstream = %{version}-%{release} +%description hibernate +hibernate module for xstream. +%endif + +%package benchmark +Summary: benchmark module for xstream +Requires: xstream = %{version}-%{release} +%description benchmark +benchmark module for xstream. + +%package parent +Summary: Parent POM for xstream +Requires: xstream = %{version}-%{release} +%description parent +Parent POM for xstream. 
%prep -%autosetup -n %{name}-%{version} -p1 -find . -name "*.jar" -print -delete +%setup -qn xstream-%{version} find . -name "*.class" -print -delete - -%pom_xpath_remove "pom:project/pom:build/pom:extensions" -%pom_disable_module xstream-jmh +find . -name "*.jar" -print -delete %pom_disable_module xstream-distribution - +%pom_disable_module xstream-jmh %pom_remove_plugin :maven-source-plugin -%pom_remove_plugin :maven-eclipse-plugin %pom_remove_plugin :maven-dependency-plugin +%pom_remove_plugin :maven-eclipse-plugin %pom_remove_plugin :maven-release-plugin -%pom_remove_plugin :jxr-maven-plugin %pom_remove_plugin :xsite-maven-plugin - -%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" \ -woodstox-core-asl -%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" \ -woodstox-core-asl xstream -%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \ -cglib -%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \ -cglib xstream - +%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" woodstox-core-asl +%pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" woodstox-core-asl xstream +%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" cglib +%pom_xpath_set "pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" cglib xstream %pom_change_dep :xmlpull xpp3:xpp3:1.1.4c xstream -%pom_remove_plugin :maven-javadoc-plugin xstream %pom_remove_plugin :maven-dependency-plugin xstream +%pom_remove_plugin :maven-javadoc-plugin xstream %pom_remove_dep javax.activation:activation xstream - -%pom_xpath_set "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'cglib' ]/pom:artifactId" \ -cglib xstream-hibernate -%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" \ -"test" xstream-hibernate +%pom_xpath_set "pom:project/pom:dependencies/pom:dependency[pom:groupId 
= 'cglib' ]/pom:artifactId" cglib xstream-hibernate +%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" "test" xstream-hibernate %pom_remove_plugin :maven-dependency-plugin xstream-hibernate %pom_remove_plugin :maven-javadoc-plugin xstream-hibernate - -%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" \ -"test" xstream-benchmark +%pom_xpath_inject "pom:project/pom:dependencies/pom:dependency[pom:groupId = 'junit' ]" "test" xstream-benchmark %pom_remove_plugin :maven-javadoc-plugin xstream-benchmark - -%mvn_file :%{name} %{name}/%{name} %{name} -%mvn_file :%{name}-benchmark %{name}/%{name}-benchmark %{name}-benchmark - -%mvn_package :%{name} +%if %{with jp_minimal} +%pom_disable_module xstream-hibernate +%pom_remove_dep -r xom:xom +%pom_remove_dep -r org.codehaus.jettison:jettison +rm xstream/src/java/com/thoughtworks/xstream/io/xml/Xom* +rm xstream/src/java/com/thoughtworks/xstream/io/json/Jettison* +rm xstream-benchmark/src/java/com/thoughtworks/xstream/tools/benchmark/products/XStreamXom.java +%endif +%mvn_file :xstream xstream/xstream xstream +%mvn_file :xstream-benchmark xstream/xstream-benchmark xstream-benchmark +%mvn_package :xstream %build -%mvn_build -f -s +%mvn_build -f -s -- -Dversion.java.source=8 %install %mvn_install @@ -99,10 +111,21 @@ cglib xstream-hibernate %files -f .mfiles %doc README.txt %license LICENSE.txt -%{_javadir}/* -%{_javadocdir}/%{name}/* -/usr/share/maven* + +%files parent -f .mfiles-xstream-parent +%if %{without jp_minimal} + +%files hibernate -f .mfiles-xstream-hibernate +%endif + +%files benchmark -f .mfiles-xstream-benchmark + +%files javadoc -f .mfiles-javadoc +%license LICENSE.txt %changelog +* Fri Aug 14 2020 yaokai - 1.4.11.1-1 +- upgrade to 1.4.11.1-1 + * Mon Dec 9 2019 openEuler Buildteam - 1.4.9-9 - Package init
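Review bot: The added `Source0` line in the first xstream.spec hunk fetches the source archive over `http://repo1.maven.org/...` where the removed line used `https://`, and nothing visible in the spec checks the archive's integrity, so keep the TLS scheme: `Source0: https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip`. The same hunk drops `Patch0` and replaces `%autosetup -n %{name}-%{version} -p1` with `%setup -qn xstream-%{version}`, so the build now relies on the 1.4.11.1 sources themselves refusing to instantiate `void`/`Void` during unmarshalling; presumably the fix is included upstream by that version, but this should be confirmed against the new archive before the patch is deleted. The `%changelog` entry in the second hunk says only `- upgrade to 1.4.11.1-1`; adding a line such as `- drop 0001-Prevent-deserialization-of-void.patch, fixed upstream` would record why a security patch disappeared from the package.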