diff --git a/SOURCES/resteasy-2.3.5.Final-resteasy-1073.patch b/SOURCES/resteasy-2.3.5.Final-resteasy-1073.patch
new file mode 100644
index 0000000..3fa8b63
--- /dev/null
+++ b/SOURCES/resteasy-2.3.5.Final-resteasy-1073.patch
@@ -0,0 +1,497 @@
+diff -Nurb resteasy-2.3.5.Final.orig/arquillian/pom.xml resteasy-2.3.5.Final/arquillian/pom.xml
+--- resteasy-2.3.5.Final.orig/arquillian/pom.xml 2014-07-25 15:36:38.637079327 -0400
++++ resteasy-2.3.5.Final/arquillian/pom.xml 2014-07-25 15:52:17.575397163 -0400
+@@ -15,6 +15,7 @@
+
+ RESTEASY-752-jetty
+ RESTEASY-760-jetty
++ RESTEASY-1073-WF8
+
+
+ arquillian
+diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/pom.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/pom.xml
+--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/pom.xml 1969-12-31 19:00:00.000000000 -0500
++++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/pom.xml 2014-07-25 15:38:04.783298392 -0400
+@@ -0,0 +1,189 @@
++
++
++ 4.0.0
++
++
++ org.jboss.resteasy
++ resteasy-jaxrs-all
++ 3.0.8.Final
++ ../../pom.xml
++
++
++ RESTEASY-1073-WF8
++ jar
++ RESTEASY-1073-WF8
++ http://maven.apache.org
++
++
++ UTF-8
++ 8.0.0.Final
++
++
++
++
++
++ org.apache.maven.plugins
++ maven-compiler-plugin
++ 2.3.2
++
++
++ 1.6
++
++
++
++ maven-surefire-plugin
++ 2.12
++
++
++ maven-dependency-plugin
++
++
++ unpack
++ process-test-classes
++
++ unpack
++
++
++
++
++ org.wildfly
++ wildfly-dist
++ ${as-version}
++ zip
++ false
++ target
++
++
++
++
++
++
++
++ org.apache.maven.plugins
++ maven-antrun-plugin
++ 1.6
++
++
++ unpack resteasy
++ process-test-classes
++
++
++
++
++
++
++ run
++
++
++
++
++
++
++ org.apache.maven.plugins
++ maven-war-plugin
++
++
++
++
++ javax.xml.bind.api
++
++
++
++
++
++
++
++
++
++
++
++
++ org.jboss.arquillian
++ arquillian-bom
++ 1.0.3.Final
++ import
++ pom
++
++
++
++
++
++
++ org.jboss.spec
++ jboss-javaee-6.0
++ 1.0.0.Final
++ pom
++ provided
++
++
++ junit
++ junit
++ 4.8.1
++ test
++
++
++ org.jboss.arquillian.junit
++ arquillian-junit-container
++ test
++
++
++ org.wildfly
++ wildfly-arquillian-container-managed
++ 8.0.0.Alpha1
++ test
++
++
++ org.jboss.arquillian.protocol
++ arquillian-protocol-servlet
++ test
++
++
++ org.jboss.resteasy
++ jaxrs-api
++ ${project.version}
++
++
++ org.jboss.resteasy
++ resteasy-jaxrs
++ ${project.version}
++
++
++ org.jboss.resteasy
++ resteasy-validator-provider-11
++ ${project.version}
++
++
++ javax.validation
++ validation-api
++ 1.1.0.Final
++
++
++ org.hibernate
++ hibernate-validator
++ 5.0.1.Final
++
++
++ javax.el
++ javax.el-api
++ 2.2.4
++
++
++ org.glassfish.web
++ javax.el
++ 2.2.4
++
++
++ org.jboss.spec.javax.xml.bind
++ jboss-jaxb-api_2.2_spec
++ 1.0.4.Final
++
++
++ org.jboss.resteasy
++ resteasy-jaxb-provider
++ ${project.version}
++ test
++
++
++
+diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java
+--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java 1969-12-31 19:00:00.000000000 -0500
++++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java 2014-07-25 15:40:28.833658314 -0400
+@@ -0,0 +1,16 @@
++package org.jboss.resteasy.resteasy1073;
++
++import java.util.HashSet;
++import java.util.Set;
++
++import javax.ws.rs.core.Application;
++
++public class TestApplication extends Application
++{
++ @Override
++ public Set> getClasses() {
++ HashSet> set = new HashSet>();
++ set.add(TestResource.class);
++ return set;
++ }
++}
+diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java
+--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java 1969-12-31 19:00:00.000000000 -0500
++++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java 2014-07-25 15:41:14.393770993 -0400
+@@ -0,0 +1,26 @@
++package org.jboss.resteasy.resteasy1073;
++
++import javax.ws.rs.Consumes;
++import javax.ws.rs.POST;
++import javax.ws.rs.Path;
++import javax.ws.rs.core.MediaType;
++
++/**
++* RESTEASY-1073
++*
++* @author Ron Sigal
++* @version $Revision: 1.1 $
++*
++* Copyright July 19, 2014
++*/
++@Path("")
++public class TestResource
++{
++ @POST
++ @Path("test")
++ @Consumes(MediaType.APPLICATION_XML)
++ public String post(TestWrapper wrapper)
++ {
++ return wrapper.getName();
++ }
++}
+diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java
+--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java 1969-12-31 19:00:00.000000000 -0500
++++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java 2014-07-25 15:41:52.762865571 -0400
+@@ -0,0 +1,17 @@
++package org.jboss.resteasy.resteasy1073;
++
++import javax.xml.bind.annotation.XmlRootElement;
++
++@XmlRootElement
++public class TestWrapper
++{
++ private String name;
++ public String getName()
++ {
++ return name;
++ }
++ public void setName(String name)
++ {
++ this.name = name;
++ }
++}
+diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java
+--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java 1969-12-31 19:00:00.000000000 -0500
++++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java 2014-07-25 15:43:11.465058832 -0400
+@@ -0,0 +1,96 @@
++package org.jboss.resteasy.test.resteasy1073;
++
++import java.io.File;
++
++import javax.ws.rs.core.MediaType;
++
++import junit.framework.Assert;
++
++import org.jboss.arquillian.container.test.api.Deployment;
++import org.jboss.arquillian.junit.Arquillian;
++import org.jboss.resteasy.client.ClientRequest;
++import org.jboss.resteasy.client.ClientResponse;
++import org.jboss.resteasy.resteasy1073.TestApplication;
++import org.jboss.resteasy.resteasy1073.TestResource;
++import org.jboss.resteasy.resteasy1073.TestWrapper;
++import org.jboss.shrinkwrap.api.Archive;
++import org.jboss.shrinkwrap.api.ShrinkWrap;
++import org.jboss.shrinkwrap.api.spec.WebArchive;
++import org.junit.Test;
++import org.junit.runner.RunWith;
++
++/**
++ * RESTEASY-1073.
++ *
++ * @author Ron Sigal
++ * @version $Revision: 1.1 $
++ *
++ * Created July 19, 2014
++ */
++@RunWith(Arquillian.class)
++public class TestExternalParameterEntity
++{
++ @Deployment(name="war_expand", order=1)
++ public static Archive> createTestArchive1()
++ {
++ WebArchive war = ShrinkWrap.create(WebArchive.class, "RESTEASY-1073-expand.war")
++ .addClasses(TestApplication.class)
++ .addClasses(TestResource.class, TestWrapper.class)
++ .addAsWebInfResource("web_expand.xml", "web.xml")
++ ;
++ System.out.println(war.toString(true));
++ return war;
++ }
++
++ @Deployment(name="war_no_expand", order=2)
++ public static Archive> createTestArchive2()
++ {
++ WebArchive war = ShrinkWrap.create(WebArchive.class, "RESTEASY-1073-no-expand.war")
++ .addClasses(TestApplication.class)
++ .addClasses(TestResource.class, TestWrapper.class)
++ .addAsWebInfResource("web_no_expand.xml", "web.xml")
++ ;
++ System.out.println(war.toString(true));
++ return war;
++ }
++
++ private String passwdFile = new File("src/test/resources/passwd").getAbsolutePath();
++ private String dtdFile = new File("src/test/resources/test.dtd").getAbsolutePath();
++
++ private String text =
++"\r" +
++" \r" +
++" \">\r" +
++" \r" +
++"%dtd;\r" +
++"]>\r" +
++"&xxe;";
++
++ @Test
++ public void testExternalParameterEntityExpand() throws Exception
++ {
++ ClientRequest request = new ClientRequest("http://localhost:8080/RESTEASY-1073-expand/test");
++ System.out.println(text);
++ request.body(MediaType.APPLICATION_XML, text);
++ ClientResponse> response = request.post();
++ Assert.assertEquals(200, response.getStatus());
++ String entity = response.getEntity(String.class);
++ System.out.println("Result: " + entity);
++ Assert.assertEquals("root:x:0:0:root:/root:/bin/bash", entity.trim());
++ }
++
++ @Test
++ public void testExternalParameterEntityNoExpand() throws Exception
++ {
++ ClientRequest request = new ClientRequest("http://localhost:8080/RESTEASY-1073-no-expand/test");
++ System.out.println(text);
++ request.body(MediaType.APPLICATION_XML, text);
++ ClientResponse> response = request.post();
++ Assert.assertEquals(200, response.getStatus());
++ String entity = response.getEntity(String.class);
++ System.out.println("Result: " + entity);
++ Assert.assertEquals("", entity.trim());
++ }
++}
++
+diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml
+--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml 1969-12-31 19:00:00.000000000 -0500
++++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml 2014-07-25 15:44:43.551284000 -0400
+@@ -0,0 +1,23 @@
++
++
++
++
++
++
++ target/deployments
++
++
++
++
++ target/wildfly-8.0.0.Final
++
++ standalone-full.xml
++
++
++
++
++
+diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd
+--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd 1969-12-31 19:00:00.000000000 -0500
++++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd 2014-07-25 15:49:38.648001614 -0400
+@@ -0,0 +1 @@
++root:x:0:0:root:/root:/bin/bash
+diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd
+--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd 1969-12-31 19:00:00.000000000 -0500
++++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd 2014-07-25 15:50:14.822089344 -0400
+@@ -0,0 +1 @@
++
+diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml
+--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml 1969-12-31 19:00:00.000000000 -0500
++++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml 2014-07-25 15:50:50.589177751 -0400
+@@ -0,0 +1,29 @@
++
++
++ RESTEASY-1073-Expand
++
++
++ resteasy.document.expand.entity.references
++ true
++
++
++
++ Resteasy
++
++
++ org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
++
++
++ javax.ws.rs.Application
++ org.jboss.resteasy.resteasy1073.TestApplication
++
++
++
++
++ Resteasy
++ /*
++
++
++
+diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml
+--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml 1969-12-31 19:00:00.000000000 -0500
++++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml 2014-07-25 15:51:27.218270317 -0400
+@@ -0,0 +1,29 @@
++
++
++ RESTEASY-1073-NoExpand
++
++
++ resteasy.document.expand.entity.references
++ false
++
++
++
++ Resteasy
++
++
++ org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
++
++
++ javax.ws.rs.Application
++ org.jboss.resteasy.resteasy1073.TestApplication
++
++
++
++
++ Resteasy
++ /*
++
++
++
+diff -Nurb resteasy-2.3.5.Final.orig/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java resteasy-2.3.5.Final/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java
+--- resteasy-2.3.5.Final.orig/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java 2014-07-25 15:36:38.989080230 -0400
++++ resteasy-2.3.5.Final/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java 2014-07-25 15:54:25.056716412 -0400
+@@ -150,6 +150,7 @@
+ XMLReader xmlReader = XMLReaderFactory.createXMLReader();
+ xmlReader.setFeature("http://xml.org/sax/features/validation", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ SAXSource saxSource = new SAXSource(xmlReader, source);
+ return delegate.unmarshal(saxSource);
+ }
+@@ -188,6 +189,7 @@
+ XMLReader xmlReader = XMLReaderFactory.createXMLReader();
+ xmlReader.setFeature("http://xml.org/sax/features/validation", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ ((SAXSource) source).setXMLReader(xmlReader);
+ return delegate.unmarshal(source, declaredType);
+ }
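Review bot: The same three `setFeature` calls are now repeated in both unmarshal paths of ExternalEntityUnmarshaller.java (new lines 150-153 and 189-192), and this CVE is a case where one switch was missing from that list. Moving them into one private helper that returns the configured `XMLReader` would keep every path on the same settings when the list changes again. A comment above the added line would also help, e.g. `// parameter entities (%name;) are a separate switch from general entities (&name;); both must be off (CVE-2014-3490)`. Both method bodies start and end outside the hunk, so it is not visible how a `SAXNotRecognizedException` from `setFeature` is handled; confirm that path fails the unmarshal rather than continuing with a reader that lacks the setting. Any other `unmarshal` overloads in the class are likewise not shown and should be checked against the same feature list.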
diff --git a/SPECS/resteasy-base.spec b/SPECS/resteasy-base.spec
index ec531ec..8ccb5cc 100644
--- a/SPECS/resteasy-base.spec
+++ b/SPECS/resteasy-base.spec
@@ -4,7 +4,7 @@
Name: resteasy-base
Version: 2.3.5
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Framework for RESTful Web services and Java applications
License: ASL 2.0 and CDDL
URL: http://www.jboss.org/resteasy
@@ -13,6 +13,7 @@ URL: http://www.jboss.org/resteasy
# cd Resteasy
# git archive --prefix=resteasy-2.3.5.Final/ --output=resteasy-2.3.5.Final.tgz 2.3.5.Final
Source0: %{prodname}-%{namedversion}.tgz
+Patch0: %{prodname}-%{namedversion}-resteasy-1073.patch
BuildArch: noarch
@@ -123,6 +124,7 @@ Summary: Module tjws for %{name}
%prep
%setup -q -n %{prodname}-%{namedversion}
+%patch0 -p1
# remove unneeded modules
%pom_disable_module resteasy-jaxrs-war
@@ -236,6 +238,9 @@ tjws tjws
%changelog
+* Fri Jul 25 2014 Ade Lee - 2.3.5-3
+- Resolves: rhbz1121917 - CVE-2014-3490: XXE via parameter entities
+
* Fri Dec 27 2013 Daniel Mach - 2.3.5-2
- Mass rebuild 2013-12-27