From cfa0801b99329b455e8f3ef2f191e489a00ab5f6 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Wed, 3 Apr 2024 16:46:11 +0300
Subject: [PATCH] import xalan-j2-2.7.1-38.module+el8.10.0+20993+d0f024b0
---
.gitignore | 1 +
.xalan-j2.metadata | 1 +
SOURCES/generate-tarball.sh | 22 +
SOURCES/serializer-2.7.1.pom | 39 ++
SOURCES/xalan-2.7.1.pom | 41 ++
SOURCES/xalan-j2-CVE-2014-0107.patch | 148 ++++++
SOURCES/xalan-j2-MANIFEST.MF | 75 +++
SOURCES/xalan-j2-noxsltcdeps.patch | 11 +
SOURCES/xalan-j2-serializer-MANIFEST.MF | 10 +
SOURCES/xsltc-2.7.1.pom | 13 +
SPECS/xalan-j2.spec | 608 ++++++++++++++++++++++++
11 files changed, 969 insertions(+)
create mode 100644 .gitignore
create mode 100644 .xalan-j2.metadata
create mode 100755 SOURCES/generate-tarball.sh
create mode 100644 SOURCES/serializer-2.7.1.pom
create mode 100644 SOURCES/xalan-2.7.1.pom
create mode 100644 SOURCES/xalan-j2-CVE-2014-0107.patch
create mode 100644 SOURCES/xalan-j2-MANIFEST.MF
create mode 100644 SOURCES/xalan-j2-noxsltcdeps.patch
create mode 100644 SOURCES/xalan-j2-serializer-MANIFEST.MF
create mode 100644 SOURCES/xsltc-2.7.1.pom
create mode 100644 SPECS/xalan-j2.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5853c74
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/xalan-j2-2.7.1.tar.gz
diff --git a/.xalan-j2.metadata b/.xalan-j2.metadata
new file mode 100644
index 0000000..acd6616
--- /dev/null
+++ b/.xalan-j2.metadata
@@ -0,0 +1 @@
+91d651b76a402a97290ab0afd2a56dd9a9616f56 SOURCES/xalan-j2-2.7.1.tar.gz
diff --git a/SOURCES/generate-tarball.sh b/SOURCES/generate-tarball.sh
new file mode 100755
index 0000000..bee814c
--- /dev/null
+++ b/SOURCES/generate-tarball.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+
+name=xalan-j2
+version="$(sed -n 's/Version:\s*//p' *.spec)"
+
+# RETRIEVE
+wget "http://archive.apache.org/dist/xml/xalan-j/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz"
+
+rm -rf tarball-tmp
+mkdir tarball-tmp
+cd tarball-tmp
+tar xf "../${name}-${version}.orig.tar.gz"
+
+# CLEAN TARBALL
+find -name '*.jar' -delete
+find -name '*.class' -delete
+rm */src/*.tar.gz
+
+tar cf "../${name}-${version}.tar.gz" *
+cd ..
+rm -r tarball-tmp "${name}-${version}.orig.tar.gz"
diff --git a/SOURCES/serializer-2.7.1.pom b/SOURCES/serializer-2.7.1.pom
new file mode 100644
index 0000000..79b0027
--- /dev/null
+++ b/SOURCES/serializer-2.7.1.pom
@@ -0,0 +1,39 @@
+
+
+
+ 4.0.0
+
+ org.apache
+ apache
+ 4
+
+
+ xalan
+ serializer
+ 2.7.1
+
+ Xalan Java Serializer
+
+ Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input
+ SAX events.
+
+ http://xml.apache.org/xalan-j/
+
+
+
+ xml-apis
+ xml-apis
+ 1.3.04
+
+
+ xerces
+ xercesImpl
+ 2.9.0
+ true
+
+
+
+
\ No newline at end of file
diff --git a/SOURCES/xalan-2.7.1.pom b/SOURCES/xalan-2.7.1.pom
new file mode 100644
index 0000000..b4a56e9
--- /dev/null
+++ b/SOURCES/xalan-2.7.1.pom
@@ -0,0 +1,41 @@
+
+
+
+ 4.0.0
+
+ org.apache
+ apache
+ 4
+
+
+ xalan
+ xalan
+ 2.7.1
+
+ Xalan Java
+
+ Xalan-Java is an XSLT processor for transforming XML documents into HTML,
+ text, or other XML document types. It implements XSL Transformations (XSLT)
+ Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from
+ the command line, in an applet or a servlet, or as a module in other program.
+
+ http://xml.apache.org/xalan-j/
+
+
+
+ xalan
+ serializer
+ 2.7.1
+
+
+ xerces
+ xercesImpl
+ 2.9.0
+ true
+
+
+
+
\ No newline at end of file
diff --git a/SOURCES/xalan-j2-CVE-2014-0107.patch b/SOURCES/xalan-j2-CVE-2014-0107.patch
new file mode 100644
index 0000000..3358f60
--- /dev/null
+++ b/SOURCES/xalan-j2-CVE-2014-0107.patch
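Review bot: The `wget` in the RETRIEVE step of generate-tarball.sh fetches the upstream source over plain `http://` and the script never checks the archive before unpacking and repacking it, so a download altered in transit would flow straight into `Source0`. Use the `https://` form of the same URL and verify the file against a pinned digest or the upstream detached signature before the `tar xf`, for example `echo "<EXPECTED_SHA256>  ${name}-${version}.orig.tar.gz" | sha256sum -c -`. The SHA-1 recorded in `.xalan-j2.metadata` covers only the repacked tarball, so it does not detect a bad upstream fetch. Separately, `tar cf` writes an uncompressed archive under a `.tar.gz` name; `tar czf` would match the extension.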
@@ -0,0 +1,148 @@ +diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java +index 1298943..96a5e58 100644 +--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java ++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java +@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory + reader = XMLReaderFactory.createXMLReader(); + } + ++ if(m_isSecureProcessing) ++ { ++ reader.setFeature("http://xml.org/sax/features/external-general-entities",false); ++ } + // Need to set options! + reader.setContentHandler(handler); + reader.parse(isource); +diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java +index b946743..17b7395 100644 +--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java ++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java +@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement + } + else + { +- // Can we switch the order here: +- +- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName, +- attributes.getQName(i), attributes.getValue(i), +- target); +- +- // Now we only add the element if it passed a validation check +- if (success) +- processedDefs.add(attrDef); +- else +- errorDefs.add(attrDef); ++ //handle secure processing ++ if(handler.getStylesheetProcessor()==null) ++ System.out.println("stylesheet processor null"); ++ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing()) ++ { ++ //foreign attributes are not allowed in secure processing mode ++ // Then barf, because this element does not allow this attribute. 
++ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\"" ++ //+ " attribute is not allowed on the " + rawName ++ // + " element!", null); ++ } ++ else ++ { ++ ++ ++ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName, ++ attributes.getQName(i), attributes.getValue(i), ++ target); ++ ++ // Now we only add the element if it passed a validation check ++ if (success) ++ processedDefs.add(attrDef); ++ else ++ errorDefs.add(attrDef); ++ } + } + } + +diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java +index dd0d4d9..0906d24 100644 +--- a/src/org/apache/xalan/transformer/TransformerImpl.java ++++ b/src/org/apache/xalan/transformer/TransformerImpl.java +@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer + try + { + if (sroot.getExtensions() != null) +- m_extensionsTable = new ExtensionsTable(sroot); ++ //only load extensions if secureProcessing is disabled ++ if(!sroot.isSecureProcessing()) ++ m_extensionsTable = new ExtensionsTable(sroot); + } + catch (javax.xml.transform.TransformerException te) + {te.printStackTrace();} +diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java +index 4bea356..78ac980 100644 +--- a/src/org/apache/xpath/functions/FuncSystemProperty.java ++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java +@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg + + String fullName = m_arg0.execute(xctxt).str(); + int indexOfNSSep = fullName.indexOf(':'); +- String result; ++ String result = null; + String propName = ""; + + // List of properties where the name of the +@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg + + try + { +- result = System.getProperty(propName); +- +- if (null == result) +- { +- +- // result = System.getenv(propName); +- 
return XString.EMPTYSTRING; +- } ++ //if secure procession is enabled only handle required properties do not not map any valid system property ++ if(!xctxt.isSecureProcessing()) ++ { ++ result = System.getProperty(propName); ++ } ++ else ++ { ++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION, ++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName); ++ } ++ if (null == result) ++ { ++ return XString.EMPTYSTRING; ++ } + } + catch (SecurityException se) + { +@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg + { + try + { +- result = System.getProperty(fullName); +- +- if (null == result) +- { +- +- // result = System.getenv(fullName); +- return XString.EMPTYSTRING; +- } ++ //if secure procession is enabled only handle required properties do not not map any valid system property ++ if(!xctxt.isSecureProcessing()) ++ { ++ result = System.getProperty(fullName); ++ } ++ else ++ { ++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION, ++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName); ++ } ++ if (null == result) ++ { ++ return XString.EMPTYSTRING; ++ } + } + catch (SecurityException se) + { diff --git a/SOURCES/xalan-j2-MANIFEST.MF b/SOURCES/xalan-j2-MANIFEST.MF new file mode 100644 index 0000000..f5d77cf --- /dev/null +++ b/SOURCES/xalan-j2-MANIFEST.MF 
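Review bot: In the XSLTElementProcessor hunk of the embedded CVE-2014-0107 patch, the null check on `handler.getStylesheetProcessor()` only prints "stylesheet processor null" to stdout, and the very next condition still calls `handler.getStylesheetProcessor().isSecureProcessing()`, so a null processor combined with a `*` attribute definition ends in a NullPointerException rather than a controlled error. Drop the `System.out.println` and decide the null case explicitly; for a security control, failing closed is the safer default, e.g. `boolean secure = handler.getStylesheetProcessor() == null || handler.getStylesheetProcessor().isSecureProcessing();` and test `secure` in the `if`. In the TransformerFactoryImpl hunk only `external-general-entities` is switched off under secure processing; external parameter entities look untouched in the visible lines, so it is worth confirming whether `http://xml.org/sax/features/external-parameter-entities` should be disabled there as well. The enclosing methods start and end outside these hunks, and since the spec states the patch was generated from upstream revisions, any change belongs upstream first.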
@@ -0,0 +1,75 @@ +Manifest-Version: 1.0 +Ant-Version: Apache Ant 1.8.2 +Created-By: 1.7.0_b147-icedtea (Oracle Corporation) +Main-Class: org.apache.xalan.xslt.Process +Bundle-ManifestVersion: 2 +Bundle-Name: %Bundle-Name.0 +Bundle-SymbolicName: org.apache.xalan +Bundle-Version: 2.7.1 +Bundle-Vendor: %Bundle-Vendor.0 +Export-Package: org.apache.regexp;version="2.7.1", + org.apache.xalan;version="2.7.1", + org.apache.xalan.client;version="2.7.1", + org.apache.xalan.extensions;version="2.7.1", + org.apache.xalan.lib;version="2.7.1", + org.apache.xalan.lib.sql;version="2.7.1", + org.apache.xalan.processor;version="2.7.1", + org.apache.xalan.res;version="2.7.1", + org.apache.xalan.serialize;version="2.7.1", + org.apache.xalan.templates;version="2.7.1", + org.apache.xalan.trace;version="2.7.1", + org.apache.xalan.transformer;version="2.7.1", + org.apache.xalan.xslt;version="2.7.1", + org.apache.xalan.xsltc;version="2.7.1", + org.apache.xalan.xsltc.cmdline;version="2.7.1", + org.apache.xalan.xsltc.cmdline.getopt;version="2.7.1", + org.apache.xalan.xsltc.compiler;version="2.7.1", + org.apache.xalan.xsltc.compiler.util;version="2.7.1", + org.apache.xalan.xsltc.dom;version="2.7.1", + org.apache.xalan.xsltc.runtime;version="2.7.1", + org.apache.xalan.xsltc.runtime.output;version="2.7.1", + org.apache.xalan.xsltc.trax;version="2.7.1", + org.apache.xalan.xsltc.util;version="2.7.1", + org.apache.xml.dtm;version="2.7.1", + org.apache.xml.dtm.ref;version="2.7.1", + org.apache.xml.dtm.ref.dom2dtm;version="2.7.1", + org.apache.xml.dtm.ref.sax2dtm;version="2.7.1", + org.apache.xml.res;version="2.7.1", + org.apache.xml.utils;version="2.7.1", + org.apache.xml.utils.res;version="2.7.1", + org.apache.xpath;version="2.7.1", + org.apache.xpath.axes;version="2.7.1", + org.apache.xpath.compiler;version="2.7.1", + org.apache.xpath.domapi;version="2.7.1", + org.apache.xpath.functions;version="2.7.1", + org.apache.xpath.jaxp;version="2.7.1", + org.apache.xpath.objects;version="2.7.1", + 
org.apache.xpath.operations;version="2.7.1", + org.apache.xpath.patterns;version="2.7.1", + org.apache.xpath.res;version="2.7.1" +Require-Bundle: system.bundle, org.apache.xerces +Eclipse-BuddyPolicy: registered + +Name: org/apache/xalan/ +Comment: Main Xalan engine implementing TrAX/JAXP +Specification-Title: Java API for XML Processing +Specification-Vendor: Sun Microsystems Inc. +Specification-Version: 1.3 +Implementation-Title: org.apache.xalan +Implementation-Version: 2.7.1 +Implementation-Vendor: Apache Software Foundation +Implementation-URL: http://xml.apache.org/xalan-j/dist/ + +Name: org/apache/xml/ +Comment: DTM implementation and utilities +Implementation-Title: org.apache.xml +Implementation-Version: 2.7.1 +Implementation-Vendor: Apache Software Foundation +Implementation-URL: http://xml.apache.org/xalan-j/dist/ + +Name: org/apache/xpath/ +Comment: XPath engine +Implementation-Title: org.apache.xpath +Implementation-Version: 2.7.1 +Implementation-Vendor: Apache Software Foundation +Implementation-URL: http://xml.apache.org/xalan-j/dist/ diff --git a/SOURCES/xalan-j2-noxsltcdeps.patch b/SOURCES/xalan-j2-noxsltcdeps.patch new file mode 100644 index 0000000..6840741 --- /dev/null +++ b/SOURCES/xalan-j2-noxsltcdeps.patch @@ -0,0 +1,11 @@ +--- build.xml.orig 2007-11-22 23:44:01.000000000 +0200 ++++ build.xml 2010-04-07 13:32:31.878542610 +0300 +@@ -683,7 +683,7 @@ $Id: build.xml 563656 2007-08-07 21:12:1 + + + +- + + diff --git a/SOURCES/xalan-j2-serializer-MANIFEST.MF b/SOURCES/xalan-j2-serializer-MANIFEST.MF new file mode 100644 index 0000000..436d24a --- /dev/null +++ b/SOURCES/xalan-j2-serializer-MANIFEST.MF 
@@ -0,0 +1,10 @@ +Manifest-Version: 1.0 +Bundle-RequiredExecutionEnvironment: J2SE-1.2 +Bundle-SymbolicName: org.apache.xml.serializer +Bundle-ManifestVersion: 2 +Bundle-Name: %Bundle-Name.0 +Bundle-Localization: plugin +Bundle-Version: 2.7.1.v200806030322 +Bundle-Vendor: %Bundle-Vendor.0 +Export-Package: org.apache.xml.serializer,org.apache.xml.serializer.do + m3 diff --git a/SOURCES/xsltc-2.7.1.pom b/SOURCES/xsltc-2.7.1.pom new file mode 100644 index 0000000..b32dbd0 --- /dev/null +++ b/SOURCES/xsltc-2.7.1.pom @@ -0,0 +1,13 @@ + + 4.0.0 + xalan + xsltc + 2.7.1 + + + xalan + xalan + 2.7.1 + + + diff --git a/SPECS/xalan-j2.spec b/SPECS/xalan-j2.spec new file mode 100644 index 0000000..fc6c539 --- /dev/null +++ b/SPECS/xalan-j2.spec 
@@ -0,0 +1,608 @@ +# Copyright (c) 2000-2005, JPackage Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the +# distribution. +# 3. Neither the name of the JPackage Project nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# + +%global cvs_version 2_7_1 + +Name: xalan-j2 +Version: 2.7.1 +Release: 38%{?dist} +Epoch: 0 +Summary: Java XSLT processor +# src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C +License: ASL 2.0 and W3C +URL: http://xalan.apache.org/ + +# ./generate-tarball.sh +Source0: %{name}-%{version}.tar.gz +Source1: %{name}-serializer-MANIFEST.MF +Source2: http://repo1.maven.org/maven2/xalan/xalan/2.7.1/xalan-2.7.1.pom +Source3: http://repo1.maven.org/maven2/xalan/serializer/2.7.1/serializer-2.7.1.pom +Source4: xsltc-%{version}.pom +Source5: %{name}-MANIFEST.MF +# Remove bundled binaries which cannot be easily verified for licensing +Source6: generate-tarball.sh + +Patch0: %{name}-noxsltcdeps.patch +# Fix CVE-2014-0107: insufficient constraints in secure processing +# feature (oCERT-2014-002). Generated form upstream revisions 1581058 +# and 1581426. +Patch2: %{name}-CVE-2014-0107.patch + +BuildArch: noarch + +BuildRequires: javapackages-local +BuildRequires: ant +BuildRequires: apache-parent +BuildRequires: bcel +BuildRequires: java_cup +BuildRequires: regexp +BuildRequires: sed +BuildRequires: glassfish-servlet-api +BuildRequires: xerces-j2 >= 0:2.7.1 +BuildRequires: xml-commons-apis >= 0:1.3 + +Requires: xerces-j2 + +Provides: jaxp_transform_impl + +%description +Xalan is an XSLT processor for transforming XML documents into HTML, +text, or other XML document types. It implements the W3C Recommendations +for XSL Transformations (XSLT) and the XML Path Language (XPath). It can +be used from the command line, in an applet or a servlet, or as a module +in other program. + +%package xsltc +Summary: XSLT compiler +License: ASL 2.0 +Requires: java_cup +Requires: bcel +Requires: regexp +Requires: xerces-j2 + +%description xsltc +The XSLT Compiler is a Java-based tool for compiling XSLT stylesheets into +lightweight and portable Java byte codes called translets. 
+ +%package manual +Summary: Manual for %{name} +License: ASL 2.0 + +%description manual +Documentation for %{name}. + +%package javadoc +Summary: Javadoc for %{name} +License: ASL 2.0 + +%description javadoc +Javadoc for %{name}. + +%package demo +Summary: Demo for %{name} +License: ASL 2.0 +Requires: %{name} = %{epoch}:%{version}-%{release} +Requires: glassfish-servlet-api + +%description demo +Demonstrations and samples for %{name}. + +%prep +%setup -q -n xalan-j_%{cvs_version} +%patch0 -p0 +%patch2 -p1 + +find . -name '*.jar' -delete +find . -name '*.class' -delete + +sed -i '/