From 26e11326b1386b316ba42761d8bb119ce1797a05 Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski
Date: Feb 10 2014 07:39:36 +0000
Subject: Update to upstream version 1.3.1
---
diff --git a/.gitignore b/.gitignore
index 7e0f367..00bbdef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 commons-fileupload-1.2.1-src.tar.gz
 /commons-fileupload-1.2.2-src.tar.gz
 /commons-fileupload-1.3-src.tar.gz
+/commons-fileupload-1.3.1-src.tar.gz
diff --git a/apache-commons-fileupload-CVE-2014-0050.patch b/apache-commons-fileupload-CVE-2014-0050.patch
deleted file mode 100644
index 3780736..0000000
--- a/apache-commons-fileupload-CVE-2014-0050.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-diff --git a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
-index b693744..c8f5ca1 100644
---- a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
-+++ b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
-@@ -991,7 +991,12 @@ public abstract class FileUploadBase {
- }
-
- notifier = new MultipartStream.ProgressNotifier(listener, requestSize);
-- multi = new MultipartStream(input, boundary, notifier);
-+ try {
-+ multi = new MultipartStream(input, boundary, notifier);
-+ } catch (IllegalArgumentException iae) {
-+ throw new InvalidContentTypeException(
-+ format("The boundary specified in the %s header is too long", CONTENT_TYPE), iae);
-+ }
- multi.setHeaderEncoding(charEncoding);
-
- skipPreamble = true;
-@@ -1183,7 +1188,7 @@ public abstract class FileUploadBase {
- * detail message.
- */
- public InvalidContentTypeException() {
-- // Nothing to do.
-+ super();
- }
-
- /**
-@@ -1196,6 +1201,9 @@ public abstract class FileUploadBase {
- super(message);
- }
-
-+ public InvalidContentTypeException(String msg, Throwable cause) {
-+ super(msg, cause);
-+ }
- }
-
- /**
-diff --git a/src/main/java/org/apache/commons/fileupload/MultipartStream.java b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
-index 9088947..0474ef9 100644
---- a/src/main/java/org/apache/commons/fileupload/MultipartStream.java
-+++ b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
-@@ -268,10 +268,8 @@ public class MultipartStream {
- /**
- * Creates a new instance.
- *
-- * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[],
-- * org.apache.commons.fileupload.MultipartStream.ProgressNotifier)},
-- * or {@link #MultipartStream(InputStream, byte[], int,
-- * org.apache.commons.fileupload.MultipartStream.ProgressNotifier)}
-+ * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[], int,
-+ * ProgressNotifier)}
- */
- @Deprecated
- public MultipartStream() {
-@@ -292,10 +290,8 @@ public class MultipartStream {
- * encapsulations.
- * @param bufSize The size of the buffer to be used, in bytes.
- *
-- * @see #MultipartStream(InputStream, byte[],
-- * MultipartStream.ProgressNotifier)
- * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[], int,
-- * org.apache.commons.fileupload.MultipartStream.ProgressNotifier)}.
-+ * ProgressNotifier)}.
- */
- @Deprecated
- public MultipartStream(InputStream input, byte[] boundary, int bufSize) {
-@@ -317,8 +313,7 @@ public class MultipartStream {
- * @param pNotifier The notifier, which is used for calling the
- * progress listener, if any.
- *
-- * @see #MultipartStream(InputStream, byte[],
-- * MultipartStream.ProgressNotifier)
-+ * @throws IllegalArgumentException If the buffer size is too small
- */
- MultipartStream(InputStream input,
- byte[] boundary,
-@@ -331,9 +326,14 @@ public class MultipartStream {
-
- // We prepend CR/LF to the boundary to chop trailing CR/LF from
- // body-data tokens.
-- this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length];
- this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
-+ if (bufSize < this.boundaryLength + 1) {
-+ throw new IllegalArgumentException(
-+ "The buffer size specified for the MultipartStream is too small");
-+ }
-+ this.boundary = new byte[this.boundaryLength];
- this.keepRegion = this.boundary.length;
-+
- System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0,
- BOUNDARY_PREFIX.length);
- System.arraycopy(boundary, 0, this.boundary, BOUNDARY_PREFIX.length,
-@@ -352,8 +352,7 @@ public class MultipartStream {
- * @param pNotifier An object for calling the progress listener, if any.
- *
- *
-- * @see #MultipartStream(InputStream, byte[], int,
-- * MultipartStream.ProgressNotifier)
-+ * @see #MultipartStream(InputStream, byte[], int, ProgressNotifier)
- */
- MultipartStream(InputStream input,
- byte[] boundary,
-@@ -368,10 +367,8 @@ public class MultipartStream {
- * @param boundary The token used for dividing the stream into
- * encapsulations.
- *
-- * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[],
-- * MultipartStream.ProgressNotifier)}.
-- * @see #MultipartStream(InputStream, byte[], int,
-- * MultipartStream.ProgressNotifier)
-+ * @deprecated 1.2.1 Use {@link #MultipartStream(InputStream, byte[], int,
-+ * ProgressNotifier)}.
- */
- @Deprecated
- public MultipartStream(InputStream input,
-diff --git a/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java b/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
-index 7148d81..80871f4 100644
---- a/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
-+++ b/src/test/java/org/apache/commons/fileupload/MultipartStreamTest.java
-@@ -38,7 +38,8 @@ public class MultipartStreamTest {
- final byte[] contents = strData.getBytes();
- InputStream input = new ByteArrayInputStream(contents);
- byte[] boundary = BOUNDARY_TEXT.getBytes();
-- int iBufSize = boundary.length;
-+ int iBufSize =
-+ boundary.length + MultipartStream.BOUNDARY_PREFIX.length + 1;
- MultipartStream ms = new MultipartStream(
- input,
- boundary,
-@@ -47,6 +48,21 @@ public class MultipartStreamTest {
- assertNotNull(ms);
- }
-
-+ @Test(expected=IllegalArgumentException.class)
-+ public void testSmallBuffer() throws Exception {
-+ final String strData = "foobar";
-+ final byte[] contents = strData.getBytes();
-+ InputStream input = new ByteArrayInputStream(contents);
-+ byte[] boundary = BOUNDARY_TEXT.getBytes();
-+ int iBufSize = 1;
-+ @SuppressWarnings("unused")
-+ MultipartStream ms = new MultipartStream(
-+ input,
-+ boundary,
-+ iBufSize,
-+ new MultipartStream.ProgressNotifier(null, contents.length));
-+ }
-+
- @Test
- public void testTwoParamConstructor() throws Exception {
- final String strData = "foobar";
diff --git a/apache-commons-fileupload-portlet20.patch b/apache-commons-fileupload-portlet20.patch
deleted file mode 100644
index 378b7a4..0000000
--- a/apache-commons-fileupload-portlet20.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-diff --git a/src/test/org/apache/commons/fileupload/MockPortletRequest.java b/src/test/org/apache/commons/fileupload/MockPortletRequest.java
-index 28cda7a..9e4e4a0 100644
---- a/src/test/org/apache/commons/fileupload/MockPortletRequest.java
-+++ b/src/test/org/apache/commons/fileupload/MockPortletRequest.java
-@@ -27,6 +27,7 @@ import javax.portlet.PortletPreferences;
- import javax.portlet.PortletRequest;
- import javax.portlet.PortletSession;
- import javax.portlet.WindowState;
-+import javax.servlet.http.Cookie;
-
- /**
- * A mock portlet request, useful for unit testing and offline utilities
-@@ -312,5 +313,24 @@ public class MockPortletRequest implements PortletRequest
- {
- return null;
- }
-+
-+ public Map getPublicParameterMap() {
-+ // TODO
-+ throw new UnsupportedOperationException("Not supported.");
-+ }
-+
-+ public Map getPrivateParameterMap() {
-+ // TODO
-+ throw new UnsupportedOperationException("Not supported.");
-+ }
-
-+ public Cookie[] getCookies() {
-+ // TODO
-+ throw new UnsupportedOperationException("Not supported.");
-+ }
-+
-+ public String getWindowID() {
-+ // TODO
-+ throw new UnsupportedOperationException("Not supported.");
-+ }
- }
-diff --git a/src/test/org/apache/commons/fileupload/MockPortletSession.java b/src/test/org/apache/commons/fileupload/MockPortletSession.java
-index 76f57c2..aa0b967 100644
---- a/src/test/org/apache/commons/fileupload/MockPortletSession.java
-+++ b/src/test/org/apache/commons/fileupload/MockPortletSession.java
-@@ -18,6 +18,7 @@ package org.apache.commons.fileupload;
-
- import java.util.Enumeration;
- import java.util.Hashtable;
-+import java.util.Map;
- import javax.portlet.PortletContext;
- import javax.portlet.PortletSession;
-
-@@ -168,4 +169,15 @@ public class MockPortletSession implements PortletSession
- // TODO Auto-generated method stub
- return null;
- }
-+
-+ public Map getAttributeMap(int scope) {
-+ // TODO
-+ throw new UnsupportedOperationException("Not supported.");
-+ }
-+ -+ public Map getAttributeMap() { -+ // TODO -+ throw new UnsupportedOperationException("Not supported."); -+ } -+ - } diff --git a/apache-commons-fileupload-remove-portlet.patch b/apache-commons-fileupload-remove-portlet.patch deleted file mode 100644 index 90689cd..0000000 --- a/apache-commons-fileupload-remove-portlet.patch +++ /dev/null @@ -1,24 +0,0 @@ ---- pom.xml 2010-10-20 16:08:37.203973687 +0200 -+++ pom.xml 2010-10-20 16:09:32.984097099 +0200 -@@ -147,8 +147,6 @@ - 1.2.1 - FILEUPLOAD - 12310476 -- !javax.portlet,* -- javax.portlet - - - -@@ -189,12 +187,6 @@ - provided - - -- portlet-api -- portlet-api -- 1.0 -- provided -- -- - commons-io - commons-io - 1.3.2 diff --git a/apache-commons-fileupload.spec b/apache-commons-fileupload.spec index c00bc7d..db55e7b 100644 --- a/apache-commons-fileupload.spec +++ b/apache-commons-fileupload.spec @@ -2,8 +2,8 @@ %global short_name commons-%{base_name} Name: apache-%{short_name} -Version: 1.3 -Release: 5%{?dist} +Version: 1.3.1 +Release: 1%{?dist} Summary: This package provides an api to work with html file upload License: ASL 2.0 Group: Development/Libraries @@ -11,10 +11,6 @@ URL: http://commons.apache.org/%{base_name}/ Source0: http://www.apache.org/dist/commons/%{base_name}/source/%{short_name}-%{version}-src.tar.gz BuildArch: noarch -# Backported from upstream revision 1565143 -Patch0: %{name}-CVE-2014-0050.patch -Patch1: %{name}-portlet20.patch - BuildRequires: java-devel >= 1:1.6.0 BuildRequires: maven-local BuildRequires: junit >= 0:3.8.1 @@ -65,7 +61,6 @@ This package contains the API documentation for %{name}. %prep %setup -q -n %{short_name}-%{version}-src -%patch0 -p1 sed -i 's/\r//' LICENSE.txt sed -i 's/\r//' NOTICE.txt 
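Review bot: Removing `Patch0` and `%patch0 -p1` (hunks @@ -11,10 +11,6 @@ and @@ -65,7 +61,6 @@) takes the CVE-2014-0050 backport out of the build, and nothing in the spec or the new changelog entry records that the 1.3.1 tarball itself carries that fix. The removal is only safe if upstream revision 1565143 is part of 1.3.1; that is presumably the case, but it should be confirmed against the new source, for example by checking that the `MultipartStream` constructor rejects a buffer smaller than the boundary length plus one. I would make the changelog state it, e.g. `- Remove CVE-2014-0050 backport, fix is included in upstream 1.3.1`, so a later audit of the package can trace where the fix went. `Patch1` appears to have had no matching `%patch1` in the visible `%prep` context, which fits the "unused" wording, but the rest of `%prep` lies outside the hunk.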
@@ -126,6 +121,10 @@ rm -rf $(readlink -f %{_javadocdir}/%{name}) %{_javadocdir}/%{name} || : # ----------------------------------------------------------------------------- %changelog +* Mon Feb 10 2014 Mikolaj Izdebski - 1.3.1-1 +- Update to upstream version 1.3.1 +- Remove unused patched + * Thu Feb 6 2014 Mikolaj Izdebski - 1.3-5 - Add backported upstream patch to fix DoS vulnerability - Resolves: CVE-2014-0050 diff --git a/sources b/sources index 7b8af5f..becc879 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -4ebb9e0e7d528d4660c35c63a13f20a5 commons-fileupload-1.3-src.tar.gz +0903f9606096d11a8ff57525fd9ee83c commons-fileupload-1.3.1-src.tar.gz