From 3c398bdefb206b4c5e5ae16b063401f0bc537030 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 31 2018 20:38:18 +0000
Subject: import xmlrpc-3.1.3-9.el7_5
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..90c8acf
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/apache-xmlrpc-3.1.3-src.tar.bz2
diff --git a/.xmlrpc.metadata b/.xmlrpc.metadata
new file mode 100644
index 0000000..309f012
--- /dev/null
+++ b/.xmlrpc.metadata
@@ -0,0 +1 @@
+43b99531366c6e1ce5275e13930bafc62aacd5ae SOURCES/apache-xmlrpc-3.1.3-src.tar.bz2
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/xmlrpc-client-addosgimanifest.patch b/SOURCES/xmlrpc-client-addosgimanifest.patch
new file mode 100644
index 0000000..1b39a19
--- /dev/null
+++ b/SOURCES/xmlrpc-client-addosgimanifest.patch
@@ -0,0 +1,20 @@
+--- pom.xml.sav 2010-02-06 17:44:57.000000000 +0200
++++ pom.xml 2010-09-29 09:27:06.194857352 +0300
+@@ -48,6 +48,17 @@
+ org.apache
+ Apache Software Foundation
+ ${project.version}
++ 2
++ %Bundle-Name
++ plugin
++ org.apache.xmlrpc
++ ${project.version}
++ org.apache.xmlrpc.common
++ org.apache.xmlrpc.client, org.apache.xmlrpc.client.util
++ javax.xml.namespace, javax.xml.parsers, org.apache.commons.httpclient, org.apache.commons.httpclient.auth, org.apache.commons.httpclient.methods, org.apache.commons.httpclient.params, org.apache.commons.logging, org.apache.ws.commons.serialize, org.apache.ws.commons.util, org.w3c.dom, org.xml.sax, org.xml.sax.helpers
++ J2SE-1.4, CDC-1.0/Foundation-1.0, J2SE-1.3
++ dependent
++ %Bundle-Vendor.0
+ 
+ 
+ 
diff --git a/SOURCES/xmlrpc-common-addosgimanifest.patch b/SOURCES/xmlrpc-common-addosgimanifest.patch
new file mode 100644
index 0000000..4d4aeca
--- /dev/null
+++ b/SOURCES/xmlrpc-common-addosgimanifest.patch
@@ -0,0 +1,19 @@
+--- pom.xml.sav 2010-02-06 17:44:50.000000000 +0200
++++ pom.xml 2010-09-29 09:30:38.857857644 +0300
+@@ -48,6 +48,16 @@
+ org.apache
+ Apache Software Foundation
+ ${project.version}
++ 2
++ %Bundle-Name
++ plugin
++ org.apache.xmlrpc.common
++ ${project.version}
++ org.apache.xmlrpc, org.apache.xmlrpc.common, org.apache.xmlrpc.jaxb, org.apache.xmlrpc.parser, org.apache.xmlrpc.serializer, org.apache.xmlrpc.util
++ javax.xml.namespace, javax.xml.parsers, org.apache.commons.httpclient, org.apache.commons.httpclient.auth, org.apache.commons.httpclient.methods, org.apache.commons.httpclient.params, org.apache.commons.logging, org.apache.ws.commons.serialize, org.apache.ws.commons.util, org.w3c.dom, org.xml.sax, org.xml.sax.helpers
++ J2SE-1.4, CDC-1.0/Foundation-1.0, J2SE-1.3
++ dependent
++ %Bundle-Vendor.0
+ 
+ 
+ 
diff --git a/SOURCES/xmlrpc-disallow-deserialization-of-ex-serializable-tags.patch b/SOURCES/xmlrpc-disallow-deserialization-of-ex-serializable-tags.patch
new file mode 100644
index 0000000..d11490e
--- /dev/null
+++ b/SOURCES/xmlrpc-disallow-deserialization-of-ex-serializable-tags.patch
@@ -0,0 +1,35 @@
+From 5d6fe1e8c071bd56cf08f86e337f617fc9895b30 Mon Sep 17 00:00:00 2001
+From: Michael Simacek
+Date: Fri, 18 May 2018 15:22:49 +0200
+Subject: [PATCH] Disallow deserialization of tags
+
+Can be reenabled by setting JVM property
+org.apache.xmlrpc.allowInsecureDeserialization to 1.
+
+- Resolves CVE-2016-5003
+---
+ .../java/org/apache/xmlrpc/parser/SerializableParser.java | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
+index 18f25ac..c8bb7ed 100644
+--- a/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
++++ b/common/src/main/java/org/apache/xmlrpc/parser/SerializableParser.java
+@@ -29,6 +29,14 @@ import org.apache.xmlrpc.XmlRpcException;
+ */
+ public class SerializableParser extends ByteArrayParser {
+ public Object getResult() throws XmlRpcException {
++ if (!"1".equals(System.getProperty("org.apache.xmlrpc.allowInsecureDeserialization"))) {
++ throw new UnsupportedOperationException(
++ "Deserialization of ex:serializable objects is vulnerable to " +
++ "remote execution attacks and is disabled by default. " +
++ "If you are sure the source data is trusted, you can enable " +
++ "it by setting org.apache.xmlrpc.allowInsecureDeserialization " +
++ "JVM property to 1");
++ }
+ try {
+ byte[] res = (byte[]) super.getResult();
+ ByteArrayInputStream bais = new ByteArrayInputStream(res);
+-- 
+2.17.0
+
diff --git a/SOURCES/xmlrpc-javax-methods.patch b/SOURCES/xmlrpc-javax-methods.patch
new file mode 100644
index 0000000..2a99d9f
--- /dev/null
+++ b/SOURCES/xmlrpc-javax-methods.patch
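Review bot: The guard added at the top of `SerializableParser.getResult()` throws `UnsupportedOperationException`, an unchecked type, from a method declared `throws XmlRpcException`; if, as I read the surrounding API, callers catch `XmlRpcException` to turn a bad request into an XML-RPC fault reply, this refusal bypasses that path and surfaces as an unexpected runtime exception instead. Throwing the declared type keeps the refusal on the normal error path with the same message: `throw new XmlRpcException("Deserialization of ex:serializable objects is disabled by default; set the org.apache.xmlrpc.allowInsecureDeserialization JVM property to 1 only when the source data is trusted");`. The new block also deserves a one-line comment stating the intent, since the property is re-read on every call and a future reader may be tempted to cache or relax it, e.g. `// Opt-in only (CVE-2016-5003): ex:serializable payloads are refused unless the deployer explicitly sets this property to 1.` The rest of getResult's body continues outside the hunk.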
@@ -0,0 +1,128 @@
+diff -up ./server/src/main/java/org/apache/xmlrpc/webserver/HttpServletRequestImpl.java.fix ./server/src/main/java/org/apache/xmlrpc/webserver/HttpServletRequestImpl.java
+--- ./server/src/main/java/org/apache/xmlrpc/webserver/HttpServletRequestImpl.java.fix 2012-07-24 14:49:54.000000000 -0400
++++ ./server/src/main/java/org/apache/xmlrpc/webserver/HttpServletRequestImpl.java 2012-07-24 18:20:17.000000000 -0400
+@@ -31,6 +31,7 @@ import java.net.URLDecoder;
+ import java.security.Principal;
+ import java.util.ArrayList;
+ import java.util.Collections;
++import java.util.Collection;
+ import java.util.Enumeration;
+ import java.util.HashMap;
+ import java.util.Iterator;
+@@ -41,8 +42,15 @@ import java.util.StringTokenizer;
+ 
+ import javax.servlet.RequestDispatcher;
+ import javax.servlet.ServletInputStream;
++import javax.servlet.DispatcherType;
++import javax.servlet.AsyncContext;
++import javax.servlet.ServletContext;
++import javax.servlet.ServletRequest;
++import javax.servlet.ServletResponse;
+ import javax.servlet.http.Cookie;
++import javax.servlet.http.Part;
+ import javax.servlet.http.HttpServletRequest;
++import javax.servlet.http.HttpServletResponse;
+ import javax.servlet.http.HttpSession;
+ 
+ import org.apache.xmlrpc.common.XmlRpcStreamConfig;
+@@ -66,6 +74,7 @@ public class HttpServletRequestImpl impl
+ private String queryString;
+ private String httpVersion;
+ private final Map headers = new HashMap();
++ private final Map parts = new HashMap();
+ private final Map attributes = new HashMap();
+ private Map parameters;
+ private String characterEncoding;
+@@ -227,6 +236,12 @@ public class HttpServletRequestImpl impl
+ return Collections.enumeration(list);
+ }
+ 
++ public Part getPart(String name) { throw new IllegalStateException("Not implemented"); }
++ 
++ public Collection getParts() { throw new IllegalStateException("Not implemented"); }
++ 
++ public boolean authenticate (HttpServletResponse response) { throw new IllegalStateException("Not implemented"); }
++ 
+ public int getIntHeader(String pHeader) {
+ String s = getHeader(pHeader);
+ return s == null ? -1 : Integer.parseInt(s);
+@@ -242,6 +257,10 @@ public class HttpServletRequestImpl impl
+ 
+ public String getRemoteUser() { throw new IllegalStateException("Not implemented"); }
+ 
++ public void login(String username, String password) { throw new IllegalStateException("Not implemented"); }
++ 
++ public void logout() { throw new IllegalStateException("Not implemented"); }
++ 
+ public String getRequestURI() { return uri; }
+ 
+ public StringBuffer getRequestURL() {
+@@ -280,6 +299,20 @@ public class HttpServletRequestImpl impl
+ return sb;
+ }
+ 
++ public AsyncContext getAsyncContext() { throw new IllegalStateException("Not implemented"); }
++ 
++ public boolean isAsyncSupported() { return false; }
++ 
++ public boolean isAsyncStarted() { return false; }
++ 
++ public ServletContext getServletContext() { throw new IllegalStateException("Not implemented"); }
++ 
++ public AsyncContext startAsync(ServletRequest req, ServletResponse resp) { throw new IllegalStateException("Not implemented"); }
++ 
++ public AsyncContext startAsync() { throw new IllegalStateException("Not implemented"); }
++ 
++ public DispatcherType getDispatcherType() { throw new IllegalStateException("Not implemented"); }
++ 
+ public String getRequestedSessionId() { throw new IllegalStateException("Not implemented"); }
+ 
+ public String getServletPath() { return uri; }
+diff -up ./server/src/main/java/org/apache/xmlrpc/webserver/HttpServletResponseImpl.java.fix ./server/src/main/java/org/apache/xmlrpc/webserver/HttpServletResponseImpl.java
+--- ./server/src/main/java/org/apache/xmlrpc/webserver/HttpServletResponseImpl.java.fix 2012-07-24 14:49:46.000000000 -0400
++++ ./server/src/main/java/org/apache/xmlrpc/webserver/HttpServletResponseImpl.java 2012-07-24 15:22:31.000000000 -0400
+@@ -29,6 +29,8 @@ import java.util.Iterator;
+ import java.util.List;
+ import java.util.Locale;
+ import java.util.Map;
++import java.util.Collection;
++import java.util.Collections;
+ import java.util.StringTokenizer;
+ 
+ import javax.servlet.ServletOutputStream;
+@@ -84,7 +86,7 @@ public class HttpServletResponseImpl imp
+ }
+ }
+ 
+- private String getHeader(String pHeader) {
++ public String getHeader(String pHeader) {
+ String key = pHeader.toLowerCase();
+ Object o = headers.get(key);
+ if (o == null) {
+@@ -101,6 +103,26 @@ public class HttpServletResponseImpl imp
+ }
+ }
+ 
++ public Collection getHeaderNames() {
++ return headers.keySet();
++ }
++ 
++ public Collection getHeaders(String pHeader) {
++ String key = pHeader.toLowerCase();
++ Object o = headers.get(key);
++ List list;
++ if (o instanceof List) {
++ list = (List) o;
++ } else {
++ list = Collections.singletonList(o);
++ }
++ return list;
++ }
++ 
++ public int getStatus() {
++ return status;
++ }
++ 
+ public void addIntHeader(String pHeader, int pValue) {
+ addHeader(pHeader, Integer.toString(pValue));
+ }
diff --git a/SPECS/xmlrpc.spec b/SPECS/xmlrpc.spec
new file mode 100644
index 0000000..bbb465f
--- /dev/null
+++ b/SPECS/xmlrpc.spec
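Review bot: `HttpServletResponseImpl.getHeaders(String)` wraps a missing header as `Collections.singletonList(o)` with `o == null`, so a caller asking for an unset header receives a one-element collection containing null rather than the possibly-empty collection the Servlet 3.0 Javadoc describes, and `getHeaderNames()` returns the live `headers.keySet()` view, through which a caller can remove response headers. Both are one-line fixes in the same hunk: add `if (o == null) { return Collections.EMPTY_LIST; }` before the `instanceof` test (raw-typed to match the file's `List list;`), and return `Collections.unmodifiableSet(headers.keySet())` instead of the bare key set. The new `authenticate`, `login`, `logout` and async stubs in `HttpServletRequestImpl` follow the file's existing `IllegalStateException("Not implemented")` convention, which is fine, but one comment at the first of them would tell a maintainer this is deliberate rather than unfinished, e.g. `// Servlet 3.0 API surface only: this embedded server provides no container authentication, multipart or async support.` Both classes start before and continue after the hunk.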
@@ -0,0 +1,145 @@
+Name: xmlrpc
+Version: 3.1.3
+Release: 9%{?dist}
+Epoch: 1
+Summary: Java XML-RPC implementation
+License: ASL 2.0
+URL: http://ws.apache.org/xmlrpc/
+Source0: http://www.apache.org/dist/ws/xmlrpc/sources/apache-xmlrpc-%{version}-src.tar.bz2
+# Add OSGi MANIFEST information
+Patch0: %{name}-client-addosgimanifest.patch
+Patch1: %{name}-common-addosgimanifest.patch
+Patch2: %{name}-javax-methods.patch
+Patch3: %{name}-disallow-deserialization-of-ex-serializable-tags.patch
+
+BuildRequires: maven-local
+BuildRequires: maven-resources-plugin
+BuildRequires: maven-assembly-plugin
+BuildRequires: maven-source-plugin
+BuildRequires: maven-site-plugin
+BuildRequires: ws-commons-util
+BuildRequires: jpackage-utils >= 0:1.6
+BuildRequires: tomcat-servlet-3.0-api
+BuildRequires: junit
+BuildRequires: jakarta-commons-httpclient
+BuildRequires: apache-commons-logging
+
+BuildArch: noarch
+
+%description
+Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol
+that uses XML over HTTP to implement remote procedure calls.
+Apache XML-RPC was previously known as Helma XML-RPC. If you have code
+using the Helma library, all you should have to do is change the import
+statements in your code from helma.xmlrpc.* to org.apache.xmlrpc.*.
+
+%package javadoc
+Summary: Javadoc for %{name}
+
+%description javadoc
+Javadoc for %{name}.
+
+%package common
+Summary: Common classes for XML-RPC client and server implementations
+# Provide xmlrpc is not here because it would be useless due to different jar names
+Obsoletes: %{name} < 3.1.3
+Obsoletes: %{name}3-common < 3.1.3-13
+Provides: %{name}3-common = 3.1.3-13
+# in OSGI manifest
+Requires: apache-commons-logging
+
+%description common
+%{summary}.
+
+%package client
+Summary: XML-RPC client implementation
+Obsoletes: %{name}3-client < 3.1.3-13
+Provides: %{name}3-client = 3.1.3-13
+# in OSGI manifest
+Requires: jakarta-commons-httpclient
+
+%description client
+%{summary}.
+
+%package server
+Summary: XML-RPC server implementation
+Obsoletes: %{name}3-server < 3.1.3-13
+Provides: %{name}3-server = 3.1.3-13
+
+%description server
+%{summary}.
+
+%prep
+%setup -q -n apache-%{name}-%{version}-src
+%patch2 -b .sav
+pushd client
+%patch0 -b .sav
+popd
+pushd common
+%patch1 -b .sav
+popd
+%patch3 -p1
+
+sed -i 's/\r//' LICENSE.txt
+
+%pom_remove_dep jaxme:jaxmeapi
+
+%pom_disable_module dist
+
+%mvn_package :xmlrpc common
+%mvn_package :xmlrpc-{common} @1
+%mvn_package :xmlrpc-{client} @1
+%mvn_package :xmlrpc-{server} @1
+
+%mvn_file :xmlrpc-{common} %{name}-@1 %{name}3-@1
+%mvn_file :xmlrpc-{client} %{name}-@1 %{name}3-@1
+%mvn_file :xmlrpc-{server} %{name}-@1 %{name}3-@1
+
+%build
+# ignore test failure because server part needs network
+%mvn_build -f
+
+%install
+%mvn_install
+
+%files common -f .mfiles-common
+%doc LICENSE.txt NOTICE.txt
+
+%files client -f .mfiles-client
+%files server -f .mfiles-server
+
+%files javadoc -f .mfiles-javadoc
+%doc LICENSE.txt NOTICE.txt
+
+
+%changelog
+* Wed May 23 2018 Michael Simacek - 1:3.1.3-9
+- Disallow deserialization of tags by default
+- Resolves: CVE-2016-5003
+
+* Fri Dec 27 2013 Daniel Mach - 1:3.1.3-8
+- Mass rebuild 2013-12-27
+
+* Mon Aug 19 2013 Stanislav Ochotnicky - 1:3.1.3-7
+- Migrate away from mvn-rpmbuild (#997460)
+
+* Fri Jun 28 2013 Mikolaj Izdebski - 1:3.1.3-6
+- Rebuild to regenerate API documentation
+- Resolves: CVE-2013-1571
+
+* Fri May 17 2013 Alexander Kurtakov 1:3.1.3-5
+- Remove javax.xml.bind from osgi imports - it's part of the JVM now.
+- Drop the ws-jaxme dependency for the same reason.
+
+* Fri Feb 15 2013 Fedora Release Engineering - 1:3.1.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Feb 06 2013 Java SIG - 1:3.1.3-3
+- Update for https://fedoraproject.org/wiki/Fedora_19_Maven_Rebuild
+- Replace maven BuildRequires with maven-local
+
+* Sat Oct 20 2012 Peter Robinson 3.1.3-2
+- xmlrpc v2 had an Epoch so we need one here. Add it back
+
+* Fri Sep 14 2012 Alexander Kurtakov 3.1.3-1
+- First release of version 3.x package
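Review bot: The `Patch3:` line and the 1:3.1.3-9 changelog entry record that ex:serializable deserialization is now refused but not how a deployer opts back in, even though the patch itself documents the switch; a packager or support engineer reading only the spec has to open the patch to learn it. A comment above the Patch3 line closes the gap: `# CVE-2016-5003: refuse ex:serializable payloads unless -Dorg.apache.xmlrpc.allowInsecureDeserialization=1 is set`. Separately, the `%build` comment says test failures are ignored, but if `%mvn_build -f` skips the test phase altogether rather than tolerating failures (which is my understanding of that flag), the comment is misleading and nothing at build time exercises the new guard; rewording it to `# skip tests: the server module's tests need network access` would at least state what actually happens.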