diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3be2f6a --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/xalan-j_2_7_1-src.tar.gz diff --git a/.xalan-j2.metadata b/.xalan-j2.metadata new file mode 100644 index 0000000..d44aae0 --- /dev/null +++ b/.xalan-j2.metadata @@ -0,0 +1 @@ +dfaac3bd3e18a8961c27b3d07b7405bd8a15d64a SOURCES/xalan-j_2_7_1-src.tar.gz diff --git a/SOURCES/serializer-2.7.1.pom b/SOURCES/serializer-2.7.1.pom new file mode 100644 index 0000000..79b0027 --- /dev/null +++ b/SOURCES/serializer-2.7.1.pom @@ -0,0 +1,39 @@ + + + + 4.0.0 + + org.apache + apache + 4 + + + xalan + serializer + 2.7.1 + + Xalan Java Serializer + + Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input + SAX events. + + http://xml.apache.org/xalan-j/ + + + + xml-apis + xml-apis + 1.3.04 + + + xerces + xercesImpl + 2.9.0 + true + + + + \ No newline at end of file diff --git a/SOURCES/xalan-2.7.1.pom b/SOURCES/xalan-2.7.1.pom new file mode 100644 index 0000000..b4a56e9 --- /dev/null +++ b/SOURCES/xalan-2.7.1.pom @@ -0,0 +1,41 @@ + + + + 4.0.0 + + org.apache + apache + 4 + + + xalan + xalan + 2.7.1 + + Xalan Java + + Xalan-Java is an XSLT processor for transforming XML documents into HTML, + text, or other XML document types. It implements XSL Transformations (XSLT) + Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from + the command line, in an applet or a servlet, or as a module in other program. + + http://xml.apache.org/xalan-j/ + + + + xalan + serializer + 2.7.1 + + + xerces + xercesImpl + 2.9.0 + true + + + + \ No newline at end of file diff --git a/SOURCES/xalan-j2-CVE-2014-0107.patch b/SOURCES/xalan-j2-CVE-2014-0107.patch new file mode 100644 index 0000000..3358f60 --- /dev/null +++ b/SOURCES/xalan-j2-CVE-2014-0107.patch 
@@ -0,0 +1,148 @@
+diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+index 1298943..96a5e58 100644
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory
+ reader = XMLReaderFactory.createXMLReader();
+ }
+
++ if(m_isSecureProcessing)
++ {
++ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
++ }
+ // Need to set options!
+ reader.setContentHandler(handler);
+ reader.parse(isource);
+diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+index b946743..17b7395 100644
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement
+ }
+ else
+ {
+- // Can we switch the order here:
+-
+- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+- attributes.getQName(i), attributes.getValue(i),
+- target);
+-
+- // Now we only add the element if it passed a validation check
+- if (success)
+- processedDefs.add(attrDef);
+- else
+- errorDefs.add(attrDef);
++ //handle secure processing
++ if(handler.getStylesheetProcessor()==null)
++ System.out.println("stylesheet processor null");
++ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
++ {
++ //foreign attributes are not allowed in secure processing mode
++ // Then barf, because this element does not allow this attribute.
++ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
++ //+ " attribute is not allowed on the " + rawName
++ // + " element!", null);
++ }
++ else
++ {
++
++
++ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
++ attributes.getQName(i), attributes.getValue(i),
++ target);
++
++ // Now we only add the element if it passed a validation check
++ if (success)
++ processedDefs.add(attrDef);
++ else
++ errorDefs.add(attrDef);
++ }
+ }
+ }
+
+diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java
+index dd0d4d9..0906d24 100644
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
++++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer
+ try
+ {
+ if (sroot.getExtensions() != null)
+- m_extensionsTable = new ExtensionsTable(sroot);
++ //only load extensions if secureProcessing is disabled
++ if(!sroot.isSecureProcessing())
++ m_extensionsTable = new ExtensionsTable(sroot);
+ }
+ catch (javax.xml.transform.TransformerException te)
+ {te.printStackTrace();}
+diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java
+index 4bea356..78ac980 100644
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg
+
+ String fullName = m_arg0.execute(xctxt).str();
+ int indexOfNSSep = fullName.indexOf(':');
+- String result;
++ String result = null;
+ String propName = "";
+
+ // List of properties where the name of the
+@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg
+
+ try
+ {
+- result = System.getProperty(propName);
+-
+- if (null == result)
+- {
+-
+- // result = System.getenv(propName);
+- return XString.EMPTYSTRING;
+- }
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(propName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ }
++ if (null == result)
++ {
++ return XString.EMPTYSTRING;
++ }
+ }
+ catch (SecurityException se)
+ {
+@@ -120,14 +126,20 @@
+ {
+ try
+ {
+- result = System.getProperty(fullName);
+-
+- if (null == result)
+- {
+-
+- // result = System.getenv(fullName);
+- return XString.EMPTYSTRING;
+- }
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(fullName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ }
++ if (null == result)
++ {
++ return XString.EMPTYSTRING;
++ }
+ }
+ catch (SecurityException se)
+ {
diff --git a/SOURCES/xalan-j2-MANIFEST.MF b/SOURCES/xalan-j2-MANIFEST.MF
new file mode 100644
index 0000000..f545333
--- /dev/null
+++ b/SOURCES/xalan-j2-MANIFEST.MF
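Review bot: The TransformerFactoryImpl hunk only switches off `external-general-entities`, so with secure processing on the stylesheet reader still resolves external parameter entities and external DTD subsets, which leaves a hostile stylesheet able to fetch a remote DTD and, via parameter entities, leak data out of band. I would add `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and `reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` next to the existing call; `reader.parse(isource)` two lines below already throws SAXException, of which SAXNotRecognizedException and SAXNotSupportedException are subclasses, so the error path presumably stays the same, though the enclosing method starts and ends outside the hunk so that is inferred rather than visible. The second feature is Xerces-specific (the spec requires xerces-j2), so give it its own try/catch in case `XMLReaderFactory.createXMLReader()` yields a different parser. Separately, the XSLTElementProcessor hunk keeps a `System.out.println("stylesheet processor null")` debug line and then dereferences the same value in the next `if`, so a null processor would write to stdout and still throw NullPointerException; that check should either call `handler.error(...)` or be removed.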
@@ -0,0 +1,38 @@ +Manifest-Version: 1.0 +Ant-Version: Apache Ant 1.8.2 +Created-By: 1.7.0_b147-icedtea (Oracle Corporation) +Main-Class: org.apache.xalan.xslt.Process +Bundle-ManifestVersion: 2 +Bundle-Name: %Bundle-Name.0 +Bundle-SymbolicName: org.apache.xalan +Bundle-Version: 2.7.1 +Bundle-Vendor: %Bundle-Vendor.0 +Export-Package: org.apache.xalan, + org.apache.xml, + org.apache.xpath +Require-Bundle: org.apache.xerces +Eclipse-BuddyPolicy: registered + +Name: org/apache/xalan/ +Comment: Main Xalan engine implementing TrAX/JAXP +Specification-Title: Java API for XML Processing +Specification-Vendor: Sun Microsystems Inc. +Specification-Version: 1.3 +Implementation-Title: org.apache.xalan +Implementation-Version: 2.7.1 +Implementation-Vendor: Apache Software Foundation +Implementation-URL: http://xml.apache.org/xalan-j/dist/ + +Name: org/apache/xml/ +Comment: DTM implementation and utilities +Implementation-Title: org.apache.xml +Implementation-Version: 2.7.1 +Implementation-Vendor: Apache Software Foundation +Implementation-URL: http://xml.apache.org/xalan-j/dist/ + +Name: org/apache/xpath/ +Comment: XPath engine +Implementation-Title: org.apache.xpath +Implementation-Version: 2.7.1 +Implementation-Vendor: Apache Software Foundation +Implementation-URL: http://xml.apache.org/xalan-j/dist/ diff --git a/SOURCES/xalan-j2-noxsltcdeps.patch b/SOURCES/xalan-j2-noxsltcdeps.patch new file mode 100644 index 0000000..6840741 --- /dev/null +++ b/SOURCES/xalan-j2-noxsltcdeps.patch @@ -0,0 +1,11 @@ +--- build.xml.orig 2007-11-22 23:44:01.000000000 +0200 ++++ build.xml 2010-04-07 13:32:31.878542610 +0300 +@@ -683,7 +683,7 @@ $Id: build.xml 563656 2007-08-07 21:12:1 + + + +- + + diff --git a/SOURCES/xalan-j2-serializer-MANIFEST.MF b/SOURCES/xalan-j2-serializer-MANIFEST.MF new file mode 100644 index 0000000..436d24a --- /dev/null +++ b/SOURCES/xalan-j2-serializer-MANIFEST.MF 
@@ -0,0 +1,10 @@ +Manifest-Version: 1.0 +Bundle-RequiredExecutionEnvironment: J2SE-1.2 +Bundle-SymbolicName: org.apache.xml.serializer +Bundle-ManifestVersion: 2 +Bundle-Name: %Bundle-Name.0 +Bundle-Localization: plugin +Bundle-Version: 2.7.1.v200806030322 +Bundle-Vendor: %Bundle-Vendor.0 +Export-Package: org.apache.xml.serializer,org.apache.xml.serializer.do + m3 diff --git a/SOURCES/xalan-j2-serializerJARname.patch b/SOURCES/xalan-j2-serializerJARname.patch new file mode 100644 index 0000000..5f225a6 --- /dev/null +++ b/SOURCES/xalan-j2-serializerJARname.patch @@ -0,0 +1,11 @@ +--- src/manifest.xalan-interpretive 2011-08-10 12:38:23.892219017 -0400 ++++ src/manifest.xalan-interpretive 2011-08-10 12:38:32.032219017 -0400 +@@ -1,7 +1,7 @@ + Manifest-Version: 1.0 + Created-By: @java.version@ (@java.vendor@) + Main-Class: org.apache.xalan.xslt.Process +-Class-Path: xercesImpl.jar xml-apis.jar serializer.jar ++Class-Path: xercesImpl.jar xml-apis.jar xalan-j2-serializer.jar + + Name: org/apache/xalan/ + Comment: Main Xalan engine implementing TrAX/JAXP diff --git a/SOURCES/xsltc-2.7.1.pom b/SOURCES/xsltc-2.7.1.pom new file mode 100644 index 0000000..b32dbd0 --- /dev/null +++ b/SOURCES/xsltc-2.7.1.pom @@ -0,0 +1,13 @@ + + 4.0.0 + xalan + xsltc + 2.7.1 + + + xalan + xalan + 2.7.1 + + + diff --git a/SPECS/xalan-j2.spec b/SPECS/xalan-j2.spec new file mode 100644 index 0000000..0ef0f23 --- /dev/null +++ b/SPECS/xalan-j2.spec 
@@ -0,0 +1,595 @@
+# Copyright (c) 2000-2005, JPackage Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the
+# distribution.
+# 3. Neither the name of the JPackage Project nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+%global cvs_version 2_7_1
+
+Name: xalan-j2
+Version: 2.7.1
+Release: 23%{?dist}
+Epoch: 0
+Summary: Java XSLT processor
+# src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C
+License: ASL 2.0 and W3C
+Source0: http://archive.apache.org/dist/xml/xalan-j/xalan-j_2_7_1-src.tar.gz
+Source1: %{name}-serializer-MANIFEST.MF
+Source2: http://repo1.maven.org/maven2/xalan/xalan/2.7.1/xalan-2.7.1.pom
+Source3: http://repo1.maven.org/maven2/xalan/serializer/2.7.1/serializer-2.7.1.pom
+Source4: xsltc-%{version}.pom
+Source5: %{name}-MANIFEST.MF
+Patch0: %{name}-noxsltcdeps.patch
+# Fix the serializer JAR filename in xalan-j2's MANIFEST.MF
+# https://bugzilla.redhat.com/show_bug.cgi?id=718738
+Patch1: %{name}-serializerJARname.patch
+# Fix CVE-2014-0107: insufficient constraints in secure processing
+# feature (oCERT-2014-002). Generated form upstream revisions 1581058
+# and 1581426.
+Patch2: %{name}-CVE-2014-0107.patch
+URL: http://xalan.apache.org/
+Group: Development/Libraries
+
+BuildArch: noarch
+Provides: jaxp_transform_impl
+Requires: xerces-j2
+Requires(post): chkconfig
+Requires(preun): chkconfig
+BuildRequires: jpackage-utils >= 0:1.6
+BuildRequires: java-devel
+BuildRequires: ant
+BuildRequires: bcel
+BuildRequires: java_cup
+BuildRequires: regexp
+BuildRequires: sed
+BuildRequires: tomcat-servlet-3.0-api
+BuildRequires: xerces-j2 >= 0:2.7.1
+BuildRequires: xml-commons-apis >= 0:1.3
+BuildRequires: xml-stylebook
+BuildRequires: zip
+
+%description
+Xalan is an XSLT processor for transforming XML documents into HTML,
+text, or other XML document types. It implements the W3C Recommendations
+for XSL Transformations (XSLT) and the XML Path Language (XPath). It can
+be used from the command line, in an applet or a servlet, or as a module
+in other program.
+
+%package xsltc
+Summary: XSLT compiler
+Group: Development/Tools
+Requires: java_cup
+Requires: bcel
+Requires: regexp
+Requires: xerces-j2
+
+%description xsltc
+The XSLT Compiler is a Java-based tool for compiling XSLT stylesheets into
+lightweight and portable Java byte codes called translets.
+
+%package manual
+Summary: Manual for %{name}
+Group: Documentation
+
+%description manual
+Documentation for %{name}.
+
+%package javadoc
+Summary: Javadoc for %{name}
+Group: Documentation
+Requires: jpackage-utils
+BuildRequires: java-javadoc
+
+%description javadoc
+Javadoc for %{name}.
+
+%package demo
+Summary: Demo for %{name}
+Group: Documentation
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: tomcat-servlet-3.0-api
+
+%description demo
+Demonstrations and samples for %{name}.
+
+%prep
+%setup -q -n xalan-j_%{cvs_version}
+%patch0 -p0
+%patch1 -p0
+%patch2 -p1
+# Remove all binary libs, except ones needed to build docs and N/A elsewhere.
+for j in $(find . -name "*.jar"); do
+ mv $j $j.no
+done
+
+# this tar.gz contains bundled software, some of which has unclear
+# licensing terms (W3C Software/Document license) . We could probably
+# replicate this with our jars but it's too much work so just generate
+# non-interlinked documentation
+rm src/*tar.gz
+sed -i '/