diff --git a/0001-Prevent-deserialization-of-void.patch b/0001-Prevent-deserialization-of-void.patch
deleted file mode 100644
index 6bb9965..0000000
--- a/0001-Prevent-deserialization-of-void.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 376175c482a4914c8d288cf663f978dfb5e55849 Mon Sep 17 00:00:00 2001
-From: Michael Simacek
-Date: Wed, 12 Apr 2017 12:19:21 +0200
-Subject: [PATCH] Prevent deserialization of void
-
----
- .../SunLimitedUnsafeReflectionProvider.java | 22 ++++++++++++--------
- .../xstream/security/PrimitiveTypePermission.java | 5 +++--
- .../acceptance/SecurityVulnerabilityTest.java | 24 +++++++++++++++++++++-
- 3 files changed, 39 insertions(+), 12 deletions(-)
-
-diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
-index 2c569ae..491f0d6 100644
---- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
-@@ -1,6 +1,6 @@
- /*
- * Copyright (C) 2004, 2005 Joe Walnes.
-- * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016 XStream Committers.
-+ * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers.
- * All rights reserved.
- *
- * Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider
-@@ -78,14 +78,18 @@ public class SunLimitedUnsafeReflectionProvider extends PureJavaReflectionProvid
- throw ex;
- }
- ErrorWritingException ex = null;
-- try {
-- return unsafe.allocateInstance(type);
-- } catch (SecurityException e) {
-- ex = new ObjectAccessException("Cannot construct type", e);
-- } catch (InstantiationException e) {
-- ex = new ConversionException("Cannot construct type", e);
-- } catch (IllegalArgumentException e) {
-- ex = new ObjectAccessException("Cannot construct type", e);
-+ if (type == void.class || type == Void.class) {
-+ ex = new ConversionException("Type void cannot have an instance");
-+ } else {
-+ try {
-+ return unsafe.allocateInstance(type);
-+ } catch (SecurityException e) {
-+ ex = new ObjectAccessException("Cannot construct type", e);
-+ } catch (InstantiationException e) {
-+ ex = new ConversionException("Cannot construct type", e);
-+ } catch (IllegalArgumentException e) {
-+ ex = new ObjectAccessException("Cannot construct type", e);
-+ }
- }
- ex.add("construction-type", type.getName());
- throw ex;
-diff --git a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
-index fb69b95..c3cbad9 100644
---- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C) 2014 XStream Committers.
-+ * Copyright (C) 2014, 2017 XStream Committers.
- * All rights reserved.
- *
- * Created on 09. January 2014 by Joerg Schaible
-@@ -8,8 +8,9 @@ package com.thoughtworks.xstream.security;
-
- import com.thoughtworks.xstream.core.util.Primitives;
-
-+
- /**
-- * Permission for any primitive type and its boxed counterpart (incl. void).
-+ * Permission for any primitive type and its boxed counterpart (excl. void).
- *
- * @author Jörg Schaible
- * @since 1.4.7
-diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-index c77b3ce..0180fd7 100644
---- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C) 2013, 2014 XStream Committers.
-+ * Copyright (C) 2013, 2014, 2017 XStream Committers.
- * All rights reserved.
- *
- * The software in this package is published under the terms of the BSD
-@@ -13,9 +13,12 @@ package com.thoughtworks.acceptance;
- import java.beans.EventHandler;
-
- import com.thoughtworks.xstream.XStreamException;
-+import com.thoughtworks.xstream.converters.ConversionException;
- import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
-+import com.thoughtworks.xstream.security.ForbiddenClassException;
- import com.thoughtworks.xstream.security.ProxyTypePermission;
-
-+
- /**
- * @author Jörg Schaible
- */
-@@ -80,4 +83,23 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
- BUFFER.append("Executed!");
- }
- }
-+
-+ public void testDeniedInstanceOfVoid() {
-+ try {
-+ xstream.fromXML("");
-+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
-+ } catch (final ForbiddenClassException e) {
-+ // OK
-+ }
-+ }
-+
-+ public void testAllowedInstanceOfVoid() {
-+ xstream.allowTypes(void.class, Void.class);
-+ try {
-+ xstream.fromXML("");
-+ fail("Thrown " + ConversionException.class.getName() + " expected");
-+ } catch (final ConversionException e) {
-+ assertEquals("void", e.get("construction-type"));
-+ }
-+ }
- }
---
-2.9.3
-
diff --git a/xstream.spec b/xstream.spec
index 86cb85f..1d81370 100644
--- a/xstream.spec
+++ b/xstream.spec
@@ -33,8 +33,8 @@ %bcond_without hibernate Name: xstream -Version: 1.4.9 -Release: 9%{?dist} +Version: 1.4.11.1 +Release: 1%{?dist} Summary: Java XML serialization library License: BSD URL: http://x-stream.github.io/ @@ -42,15 +42,11 @@ BuildArch: noarch Source0: http://repo1.maven.org/maven2/com/thoughtworks/%{name}/%{name}-distribution/%{version}/%{name}-distribution-%{version}-src.zip -# Fixes deserialization of void -# https://bugzilla.redhat.com/show_bug.cgi?id=1441542 -# backport of https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b40 -Patch0: 0001-Prevent-deserialization-of-void.patch - BuildRequires: maven-local BuildRequires: mvn(cglib:cglib) BuildRequires: mvn(dom4j:dom4j) BuildRequires: mvn(javassist:javassist) +BuildRequires: mvn(javax.xml.bind:jaxb-api) BuildRequires: mvn(joda-time:joda-time) BuildRequires: mvn(net.sf.kxml:kxml2) BuildRequires: mvn(net.sf.kxml:kxml2-min) @@ -129,10 +125,6 @@ Parent POM for %{name}. find . -name "*.class" -print -delete find . -name "*.jar" -print -delete -%patch0 -p1 - -# Remove org.apache.maven.wagon:wagon-webdav -%pom_xpath_remove "pom:project/pom:build/pom:extensions" # Require org.codehaus.xsite:xsite-maven-plugin %pom_disable_module xstream-distribution @@ -141,13 +133,12 @@ find . -name "*.jar" -print -delete # org.openjdk.jmh:jmh-generator-annprocess:jar:1.11.1 %pom_disable_module xstream-jmh -%pom_remove_plugin :xsite-maven-plugin -%pom_remove_plugin :jxr-maven-plugin # Unwanted %pom_remove_plugin :maven-source-plugin %pom_remove_plugin :maven-dependency-plugin %pom_remove_plugin :maven-eclipse-plugin %pom_remove_plugin :maven-release-plugin +%pom_remove_plugin :xsite-maven-plugin %pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" woodstox-core-asl %pom_xpath_set "pom:dependency[pom:groupId = 'org.codehaus.woodstox' ]/pom:artifactId" woodstox-core-asl xstream 
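Review bot: Dropping `Patch0` in the `@@ -42,15 +42,11 @@` hunk (and `%patch0 -p1` in the hunk after it) also deletes the only comment tying this package to the void-deserialization fix, and nothing on the new side records that the rebased source already contains it. The removed comment names upstream commit b3570be2f39234e61f99f9a20640756ea71b1b40 and bug 1441542; presumably 1.4.11.1 includes that commit, but this should be confirmed against the upstream tag rather than assumed from the version number. I would record the result in `%changelog`, for example `- Drop 0001-Prevent-deserialization-of-void.patch, fix is included upstream (rhbz#1441542)`.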
@@ -182,24 +173,30 @@ find . -name "*.jar" -print -delete %build # test skipped for unavailable test deps (com.megginson.sax:xml-writer) -%mvn_build -f -s +%mvn_build -f -s -- -Dversion.java.source=8 %install %mvn_install %files -f .mfiles -%doc LICENSE.txt README.txt -%dir %{_javadir}/%{name} +%doc README.txt +%license LICENSE.txt + %files parent -f .mfiles-%{name}-parent + %if %{with hibernate} %files hibernate -f .mfiles-%{name}-hibernate %endif + %files benchmark -f .mfiles-%{name}-benchmark %files javadoc -f .mfiles-javadoc -%doc LICENSE.txt +%license LICENSE.txt %changelog +* Thu Feb 14 2019 Mat Booth - 1.4.11.1-1 +- Update to latest upstream release + * Sun Feb 03 2019 Fedora Release Engineering - 1.4.9-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
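Review bot: The new `%mvn_build -f -s -- -Dversion.java.source=8` line keeps `-f`, so the upstream test suite is still skipped and no security regression test runs against the rebased source. The backport deleted in this commit had added void cases to `SecurityVulnerabilityTest`; if upstream carries them they are not exercised here, so the build cannot show whether the deserialization hardening survived the update. At minimum the existing comment should say so, e.g. `# tests skipped (missing com.megginson.sax:xml-writer); security tests are NOT run at build time`. The reason for `-Dversion.java.source=8` also deserves its own one-line comment.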