[libspring-java] 02/19: Removed the security patches (fixed upstream)
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Wed Dec 3 15:39:45 UTC 2014
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch master
in repository libspring-java.
commit 3154877c41f80993cf1b8f209f58b5651a90da75
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Wed Nov 26 16:04:22 2014 +0100
Removed the security patches (fixed upstream)
---
debian/changelog | 4 +-
debian/patches/CVE-2013-6429.patch | 712 -------------------------------------
debian/patches/CVE-2013-6430.patch | 151 --------
debian/patches/CVE-2014-0054.patch | 319 -----------------
debian/patches/CVE-2014-0225.patch | 305 ----------------
debian/patches/CVE-2014-1904.patch | 46 ---
debian/patches/series | 5 -
7 files changed, 3 insertions(+), 1539 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 35f78ee..74eb894 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
-libspring-java (3.0.6.RELEASE-18) UNRELEASED; urgency=medium
+libspring-java (3.2.12-1) UNRELEASED; urgency=medium
* Team upload.
+ * New upstream release
+ - Removed the patches applied upstream
* Use XZ compression for the upstream tarball
* Remove more jar files from the upstream tarball
diff --git a/debian/patches/CVE-2013-6429.patch b/debian/patches/CVE-2013-6429.patch
deleted file mode 100644
index 3334c0e..0000000
--- a/debian/patches/CVE-2013-6429.patch
+++ /dev/null
@@ -1,712 +0,0 @@
-From: Markus Koschany <apo at gambaru.de>
-Date: Fri, 24 Jan 2014 16:46:07 +0100
-Subject: CVE-2013-6429
-
-Bug: http://bugs.debian.org/735420
----
- .../java/org/springframework/util/StreamUtils.java | 183 ++++++++++++++++++++
- .../org/springframework/util/xml/StaxUtils.java | 15 +-
- .../converter/xml/SourceHttpMessageConverter.java | 190 +++++++++++++++++----
- .../xml/SourceHttpMessageConverterTests.java | 145 +++++++++++++---
- .../http/converter/xml/external.txt | 1 +
- 5 files changed, 478 insertions(+), 56 deletions(-)
- create mode 100644 projects/org.springframework.core/src/main/java/org/springframework/util/StreamUtils.java
- create mode 100644 projects/org.springframework.web/src/test/resources/org/springframework/http/converter/xml/external.txt
-
-diff --git a/projects/org.springframework.core/src/main/java/org/springframework/util/StreamUtils.java b/projects/org.springframework.core/src/main/java/org/springframework/util/StreamUtils.java
-new file mode 100644
-index 0000000..cc3107d
---- /dev/null
-+++ b/projects/org.springframework.core/src/main/java/org/springframework/util/StreamUtils.java
-@@ -0,0 +1,183 @@
-+/*
-+ * Copyright 2002-2013 the original author or authors.
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+package org.springframework.util;
-+
-+import java.io.ByteArrayOutputStream;
-+import java.io.FilterInputStream;
-+import java.io.FilterOutputStream;
-+import java.io.IOException;
-+import java.io.InputStream;
-+import java.io.InputStreamReader;
-+import java.io.OutputStream;
-+import java.io.OutputStreamWriter;
-+import java.io.Writer;
-+import java.nio.charset.Charset;
-+
-+
-+/**
-+ * Simple utility methods for dealing with streams. The copy methods of this class are
-+ * similar to those defined in {@link FileCopyUtils} except that all affected streams are
-+ * left open when done. All copy methods use a block size of 4096 bytes.
-+ *
-+ * <p>Mainly for use within the framework, but also useful for application code.
-+ *
-+ * @author Juergen Hoeller
-+ * @author Phillip Webb
-+ * @since 3.2.2
-+ * @see FileCopyUtils
-+ */
-+public abstract class StreamUtils {
-+
-+ public static final int BUFFER_SIZE = 4096;
-+
-+
-+ /**
-+ * Copy the contents of the given InputStream into a new byte array.
-+ * Leaves the stream open when done.
-+ * @param in the stream to copy from
-+ * @return the new byte array that has been copied to
-+ * @throws IOException in case of I/O errors
-+ */
-+ public static byte[] copyToByteArray(InputStream in) throws IOException {
-+ ByteArrayOutputStream out = new ByteArrayOutputStream(BUFFER_SIZE);
-+ copy(in, out);
-+ return out.toByteArray();
-+ }
-+
-+ /**
-+ * Copy the contents of the given InputStream into a String.
-+ * Leaves the stream open when done.
-+ * @param in the InputStream to copy from
-+ * @return the String that has been copied to
-+ * @throws IOException in case of I/O errors
-+ */
-+ public static String copyToString(InputStream in, Charset charset) throws IOException {
-+ Assert.notNull(in, "No InputStream specified");
-+ StringBuilder out = new StringBuilder();
-+ InputStreamReader reader = new InputStreamReader(in, charset);
-+ char[] buffer = new char[BUFFER_SIZE];
-+ int bytesRead = -1;
-+ while ((bytesRead = reader.read(buffer)) != -1) {
-+ out.append(buffer, 0, bytesRead);
-+ }
-+ return out.toString();
-+ }
-+
-+ /**
-+ * Copy the contents of the given byte array to the given OutputStream.
-+ * Leaves the stream open when done.
-+ * @param in the byte array to copy from
-+ * @param out the OutputStream to copy to
-+ * @throws IOException in case of I/O errors
-+ */
-+ public static void copy(byte[] in, OutputStream out) throws IOException {
-+ Assert.notNull(in, "No input byte array specified");
-+ Assert.notNull(out, "No OutputStream specified");
-+ out.write(in);
-+ }
-+
-+ /**
-+ * Copy the contents of the given String to the given output OutputStream.
-+ * Leaves the stream open when done.
-+ * @param in the String to copy from
-+ * @param charset the Charset
-+ * @param out the OutputStream to copy to
-+ * @throws IOException in case of I/O errors
-+ */
-+ public static void copy(String in, Charset charset, OutputStream out) throws IOException {
-+ Assert.notNull(in, "No input String specified");
-+ Assert.notNull(charset, "No charset specified");
-+ Assert.notNull(out, "No OutputStream specified");
-+ Writer writer = new OutputStreamWriter(out, charset);
-+ writer.write(in);
-+ writer.flush();
-+ }
-+
-+ /**
-+ * Copy the contents of the given InputStream to the given OutputStream.
-+ * Leaves both streams open when done.
-+ * @param in the InputStream to copy from
-+ * @param out the OutputStream to copy to
-+ * @return the number of bytes copied
-+ * @throws IOException in case of I/O errors
-+ */
-+ public static int copy(InputStream in, OutputStream out) throws IOException {
-+ Assert.notNull(in, "No InputStream specified");
-+ Assert.notNull(out, "No OutputStream specified");
-+ int byteCount = 0;
-+ byte[] buffer = new byte[BUFFER_SIZE];
-+ int bytesRead = -1;
-+ while ((bytesRead = in.read(buffer)) != -1) {
-+ out.write(buffer, 0, bytesRead);
-+ byteCount += bytesRead;
-+ }
-+ out.flush();
-+ return byteCount;
-+ }
-+
-+ /**
-+ * Returns a variant of the given {@link InputStream} where calling
-+ * {@link InputStream#close() close()} has no effect.
-+ * @param in the InputStream to decorate
-+ * @return a version of the InputStream that ignores calls to close
-+ */
-+ public static InputStream nonClosing(InputStream in) {
-+ Assert.notNull(in, "No InputStream specified");
-+ return new NonClosingInputStream(in);
-+ }
-+
-+ /**
-+ * Returns a variant of the given {@link OutputStream} where calling
-+ * {@link OutputStream#close() close()} has no effect.
-+ * @param out the OutputStream to decorate
-+ * @return a version of the OutputStream that ignores calls to close
-+ */
-+ public static OutputStream nonClosing(OutputStream out) {
-+ Assert.notNull(out, "No OutputStream specified");
-+ return new NonClosingOutputStream(out);
-+ }
-+
-+
-+ private static class NonClosingInputStream extends FilterInputStream {
-+
-+ public NonClosingInputStream(InputStream in) {
-+ super(in);
-+ }
-+
-+ @Override
-+ public void close() throws IOException {
-+ }
-+ }
-+
-+
-+ private static class NonClosingOutputStream extends FilterOutputStream {
-+
-+ public NonClosingOutputStream(OutputStream out) {
-+ super(out);
-+ }
-+
-+ @Override
-+ public void write(byte[] b, int off, int let) throws IOException {
-+ // It is critical that we override this method for performance
-+ out.write(b, off, let);
-+ }
-+
-+ @Override
-+ public void close() throws IOException {
-+ }
-+ }
-+}
-diff --git a/projects/org.springframework.core/src/main/java/org/springframework/util/xml/StaxUtils.java b/projects/org.springframework.core/src/main/java/org/springframework/util/xml/StaxUtils.java
-index 4bd4a7a..dee73ca 100644
---- a/projects/org.springframework.core/src/main/java/org/springframework/util/xml/StaxUtils.java
-+++ b/projects/org.springframework.core/src/main/java/org/springframework/util/xml/StaxUtils.java
-@@ -113,7 +113,16 @@ public abstract class StaxUtils {
- * 1.4 {@link StAXSource}; {@code false} otherwise.
- */
- public static boolean isStaxSource(Source source) {
-- return (source instanceof StaxSource || (jaxp14Available && Jaxp14StaxHandler.isStaxSource(source)));
-+ return ((source instanceof StaxSource) || (jaxp14Available && Jaxp14StaxHandler.isStaxSource(source)));
-+ }
-+
-+ /**
-+ * Indicate whether the given class is a StAX Source class.
-+ * @return {@code true} if {@code source} is a custom StAX source or JAXP
-+ * 1.4 {@link StAXSource} class; {@code false} otherwise.
-+ */
-+ public static boolean isStaxSourceClass(Class<? extends Source> clazz) {
-+ return (StaxSource.class.equals(clazz) || (jaxp14Available && Jaxp14StaxHandler.isStaxSourceClass(clazz)));
- }
-
- // Stax Result
-@@ -343,6 +352,10 @@ public abstract class StaxUtils {
- return source instanceof StAXSource;
- }
-
-+ private static boolean isStaxSourceClass(Class<? extends Source> clazz) {
-+ return StAXSource.class.equals(clazz);
-+ }
-+
- private static boolean isStaxResult(Result result) {
- return result instanceof StAXResult;
- }
-diff --git a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-index 4ba1aac..15b7d8e 100644
---- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-+++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2010 the original author or authors.
-+ * Copyright 2002-2013 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -19,21 +19,40 @@ package org.springframework.http.converter.xml;
- import java.io.ByteArrayInputStream;
- import java.io.ByteArrayOutputStream;
- import java.io.IOException;
-+import java.io.InputStream;
-+import java.io.OutputStream;
-+import javax.xml.parsers.DocumentBuilder;
-+import javax.xml.parsers.DocumentBuilderFactory;
-+import javax.xml.parsers.ParserConfigurationException;
-+import javax.xml.stream.XMLInputFactory;
-+import javax.xml.stream.XMLStreamException;
-+import javax.xml.stream.XMLStreamReader;
- import javax.xml.transform.Result;
- import javax.xml.transform.Source;
- import javax.xml.transform.TransformerException;
-+import javax.xml.transform.TransformerFactory;
- import javax.xml.transform.dom.DOMResult;
- import javax.xml.transform.dom.DOMSource;
- import javax.xml.transform.sax.SAXSource;
- import javax.xml.transform.stream.StreamResult;
- import javax.xml.transform.stream.StreamSource;
-
-+import org.w3c.dom.Document;
- import org.xml.sax.InputSource;
-+import org.xml.sax.SAXException;
-+import org.xml.sax.XMLReader;
-+import org.xml.sax.helpers.XMLReaderFactory;
-
- import org.springframework.http.HttpHeaders;
-+import org.springframework.http.HttpInputMessage;
-+import org.springframework.http.HttpOutputMessage;
-+import org.springframework.http.MediaType;
-+import org.springframework.http.converter.AbstractHttpMessageConverter;
- import org.springframework.http.converter.HttpMessageConversionException;
- import org.springframework.http.converter.HttpMessageNotReadableException;
- import org.springframework.http.converter.HttpMessageNotWritableException;
-+import org.springframework.util.StreamUtils;
-+import org.springframework.util.xml.StaxUtils;
-
- /**
- * Implementation of {@link org.springframework.http.converter.HttpMessageConverter}
-@@ -42,55 +61,154 @@ import org.springframework.http.converter.HttpMessageNotWritableException;
- * @author Arjen Poutsma
- * @since 3.0
- */
--public class SourceHttpMessageConverter<T extends Source> extends AbstractXmlHttpMessageConverter<T> {
-+public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMessageConverter<T> {
-
-- @Override
-+ private final TransformerFactory transformerFactory = TransformerFactory.newInstance();
-+
-+ private boolean processExternalEntities = false;
-+
-+ /**
-+ * Sets the {@link #setSupportedMediaTypes(java.util.List) supportedMediaTypes}
-+ * to {@code text/xml} and {@code application/xml}, and {@code application/*-xml}.
-+ */
-+ public SourceHttpMessageConverter() {
-+ super(MediaType.APPLICATION_XML, MediaType.TEXT_XML, new MediaType("application", "*+xml"));
-+ }
-+
-+
-+ /**
-+ * Indicates whether external XML entities are processed when converting
-+ * to a Source.
-+ * <p>Default is {@code false}, meaning that external entities are not resolved.
-+ */
-+ public void setProcessExternalEntities(boolean processExternalEntities) {
-+ this.processExternalEntities = processExternalEntities;
-+ }
-+
-+ @Override
- public boolean supports(Class<?> clazz) {
-- return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz) || StreamSource.class.equals(clazz) ||
-- Source.class.equals(clazz);
-+ return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz)
-+ || StreamSource.class.equals(clazz) || Source.class.equals(clazz);
- }
-
-+ @Override
-+ protected T readInternal(Class<? extends T> clazz, HttpInputMessage inputMessage)
-+ throws IOException, HttpMessageNotReadableException {
-+
-+ InputStream body = inputMessage.getBody();
-+ if (DOMSource.class.equals(clazz)) {
-+ return (T) readDOMSource(body);
-+ }
-+ else if (StaxUtils.isStaxSourceClass(clazz)) {
-+ return (T) readStAXSource(body);
-+ }
-+ else if (SAXSource.class.equals(clazz)) {
-+ return (T) readSAXSource(body);
-+ }
-+ else if (StreamSource.class.equals(clazz) || Source.class.equals(clazz)) {
-+ return (T) readStreamSource(body);
-+ }
-+ else {
-+ throw new HttpMessageConversionException("Could not read class [" + clazz +
-+ "]. Only DOMSource, SAXSource, and StreamSource are supported.");
-+ }
-+ }
-+
-+ private DOMSource readDOMSource(InputStream body) throws IOException {
-+ try {
-+ DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
-+ documentBuilderFactory.setNamespaceAware(true);
-+ documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities);
-+ DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
-+ Document document = documentBuilder.parse(body);
-+ return new DOMSource(document);
-+ }
-+ catch (ParserConfigurationException ex) {
-+ throw new HttpMessageNotReadableException("Could not set feature: " + ex.getMessage(), ex);
-+ }
-+ catch (SAXException ex) {
-+ throw new HttpMessageNotReadableException("Could not parse document: " + ex.getMessage(), ex);
-+ }
-+ }
-+
-+ private SAXSource readSAXSource(InputStream body) throws IOException {
-+ try {
-+ XMLReader reader = XMLReaderFactory.createXMLReader();
-+ reader.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities);
-+ byte[] bytes = StreamUtils.copyToByteArray(body);
-+ return new SAXSource(reader, new InputSource(new ByteArrayInputStream(bytes)));
-+ }
-+ catch (SAXException ex) {
-+ throw new HttpMessageNotReadableException("Could not parse document: " + ex.getMessage(), ex);
-+ }
-+ }
-+
-+ private Source readStAXSource(InputStream body) {
-+ try {
-+ XMLInputFactory inputFactory = XMLInputFactory.newFactory();
-+ inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", processExternalEntities);
-+ XMLStreamReader streamReader = inputFactory.createXMLStreamReader(body);
-+ return StaxUtils.createStaxSource(streamReader);
-+ }
-+ catch (XMLStreamException ex) {
-+ throw new HttpMessageNotReadableException("Could not parse document: " + ex.getMessage(), ex);
-+ }
-+ }
-+
-+ private StreamSource readStreamSource(InputStream body) throws IOException {
-+ byte[] bytes = StreamUtils.copyToByteArray(body);
-+ return new StreamSource(new ByteArrayInputStream(bytes));
-+ }
-+
- @Override
-- @SuppressWarnings("unchecked")
-- protected T readFromSource(Class clazz, HttpHeaders headers, Source source) throws IOException {
-- try {
-- if (DOMSource.class.equals(clazz)) {
-- DOMResult domResult = new DOMResult();
-- transform(source, domResult);
-- return (T) new DOMSource(domResult.getNode());
-- }
-- else if (SAXSource.class.equals(clazz)) {
-- ByteArrayInputStream bis = transformToByteArrayInputStream(source);
-- return (T) new SAXSource(new InputSource(bis));
-+ protected Long getContentLength(T t, MediaType contentType) {
-+ if (t instanceof DOMSource) {
-+ try {
-+ CountingOutputStream os = new CountingOutputStream();
-+ transform(t, new StreamResult(os));
-+ return os.count;
- }
-- else if (StreamSource.class.equals(clazz) || Source.class.equals(clazz)) {
-- ByteArrayInputStream bis = transformToByteArrayInputStream(source);
-- return (T) new StreamSource(bis);
-- }
-- else {
-- throw new HttpMessageConversionException("Could not read class [" + clazz +
-- "]. Only DOMSource, SAXSource, and StreamSource are supported.");
-+ catch (TransformerException ex) {
-+ // ignore
- }
- }
-- catch (TransformerException ex) {
-- throw new HttpMessageNotReadableException("Could not transform from [" + source + "] to [" + clazz + "]",
-- ex);
-- }
-- }
--
-- private ByteArrayInputStream transformToByteArrayInputStream(Source source) throws TransformerException {
-- ByteArrayOutputStream bos = new ByteArrayOutputStream();
-- transform(source, new StreamResult(bos));
-- return new ByteArrayInputStream(bos.toByteArray());
-+ return null;
- }
-
-- @Override
-- protected void writeToResult(T t, HttpHeaders headers, Result result) throws IOException {
-+ @Override
-+ protected void writeInternal(T t, HttpOutputMessage outputMessage)
-+ throws IOException, HttpMessageNotWritableException {
- try {
-+ Result result = new StreamResult(outputMessage.getBody());
- transform(t, result);
- }
- catch (TransformerException ex) {
-- throw new HttpMessageNotWritableException("Could not transform [" + t + "] to [" + result + "]", ex);
-+ throw new HttpMessageNotWritableException("Could not transform [" + t + "] to output message", ex);
-+ }
-+ }
-+
-+ private void transform(Source source, Result result) throws TransformerException {
-+ this.transformerFactory.newTransformer().transform(source, result);
-+ }
-+
-+
-+ private static class CountingOutputStream extends OutputStream {
-+
-+ private long count = 0;
-+
-+ @Override
-+ public void write(int b) throws IOException {
-+ count++;
-+ }
-+
-+ @Override
-+ public void write(byte[] b) throws IOException {
-+ count += b.length;
-+ }
-+
-+ @Override
-+ public void write(byte[] b, int off, int len) throws IOException {
-+ count += len;
- }
- }
-
-diff --git a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java
-index bb20f8a..8d47c22 100644
---- a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java
-+++ b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2010 the original author or authors.
-+ * Copyright 2002-2013 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -16,35 +16,60 @@
-
- package org.springframework.http.converter.xml;
-
-+import static org.custommonkey.xmlunit.XMLAssert.assertXMLEqual;
-+import static org.junit.Assert.*;
-+import static org.junit.Assert.assertNotEquals;
-+
-+import java.io.IOException;
-+import java.io.InputStream;
- import java.io.InputStreamReader;
-+import java.io.StringReader;
- import java.nio.charset.Charset;
-+
- import javax.xml.parsers.DocumentBuilderFactory;
-+import javax.xml.stream.XMLStreamException;
-+import javax.xml.stream.XMLStreamReader;
- import javax.xml.transform.Source;
- import javax.xml.transform.dom.DOMSource;
- import javax.xml.transform.sax.SAXSource;
-+import javax.xml.transform.stax.StAXSource;
- import javax.xml.transform.stream.StreamSource;
-
--import static org.custommonkey.xmlunit.XMLAssert.*;
- import org.junit.Before;
- import org.junit.Test;
--import org.w3c.dom.Document;
--import org.w3c.dom.Element;
--import org.xml.sax.InputSource;
-
-+import org.springframework.core.io.ClassPathResource;
-+import org.springframework.core.io.Resource;
- import org.springframework.http.MediaType;
- import org.springframework.http.MockHttpInputMessage;
- import org.springframework.http.MockHttpOutputMessage;
- import org.springframework.util.FileCopyUtils;
-+import org.w3c.dom.Document;
-+import org.w3c.dom.Element;
-+import org.xml.sax.InputSource;
-+import org.xml.sax.SAXException;
-+import org.xml.sax.XMLReader;
-+import org.xml.sax.helpers.DefaultHandler;
-
--/** @author Arjen Poutsma */
-- at SuppressWarnings("unchecked")
-+/**
-+ * @author Arjen Poutsma
-+ */
- public class SourceHttpMessageConverterTests {
-
-+ private static final String BODY = "<root>Hello World</root>";
-+
- private SourceHttpMessageConverter<Source> converter;
-
-+ private String bodyExternal;
-+
- @Before
-- public void setUp() {
-+ public void setUp() throws IOException {
- converter = new SourceHttpMessageConverter<Source>();
-+ Resource external = new ClassPathResource("external.txt", getClass());
-+
-+ bodyExternal = "<!DOCTYPE root [" +
-+ " <!ELEMENT root ANY >\n" +
-+ " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]><root>&ext;</root>";
- }
-
- @Test
-@@ -62,45 +87,100 @@ public class SourceHttpMessageConverterTests {
-
- @Test
- public void readDOMSource() throws Exception {
-- String body = "<root>Hello World</root>";
-- MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8"));
-+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
-+ inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
-+ DOMSource result = (DOMSource) converter.read(DOMSource.class, inputMessage);
-+ Document document = (Document) result.getNode();
-+ assertEquals("Invalid result", "root", document.getDocumentElement().getLocalName());
-+ }
-+
-+ @Test
-+ public void readDOMSourceExternal() throws Exception {
-+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(bodyExternal.getBytes("UTF-8"));
- inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
- DOMSource result = (DOMSource) converter.read(DOMSource.class, inputMessage);
- Document document = (Document) result.getNode();
- assertEquals("Invalid result", "root", document.getDocumentElement().getLocalName());
-+ assertNotEquals("Invalid result", "Foo Bar", document.getDocumentElement().getTextContent());
- }
-
- @Test
- public void readSAXSource() throws Exception {
-- String body = "<root>Hello World</root>";
-- MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8"));
-+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
- inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
- SAXSource result = (SAXSource) converter.read(SAXSource.class, inputMessage);
- InputSource inputSource = result.getInputSource();
- String s = FileCopyUtils.copyToString(new InputStreamReader(inputSource.getByteStream()));
-- assertXMLEqual("Invalid result", body, s);
-+ assertXMLEqual("Invalid result", BODY, s);
- }
-
- @Test
-+ public void readSAXSourceExternal() throws Exception {
-+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(bodyExternal.getBytes("UTF-8"));
-+ inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
-+ SAXSource result = (SAXSource) converter.read(SAXSource.class, inputMessage);
-+ InputSource inputSource = result.getInputSource();
-+ XMLReader reader = result.getXMLReader();
-+ reader.setContentHandler(new DefaultHandler() {
-+ @Override
-+ public void characters(char[] ch, int start, int length) throws SAXException {
-+ String s = new String(ch, start, length);
-+ assertNotEquals("Invalid result", "Foo Bar", s);
-+ }
-+ });
-+ reader.parse(inputSource);
-+ }
-+
-+ @Test
-+ public void readStAXSource() throws Exception {
-+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
-+ inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
-+ StAXSource result = (StAXSource) converter.read(StAXSource.class, inputMessage);
-+ XMLStreamReader streamReader = result.getXMLStreamReader();
-+ assertTrue(streamReader.hasNext());
-+ streamReader.nextTag();
-+ String s = streamReader.getLocalName();
-+ assertEquals("root", s);
-+ s = streamReader.getElementText();
-+ assertEquals("Hello World", s);
-+ streamReader.close();
-+ }
-+
-+ @Test
-+ public void readStAXSourceExternal() throws Exception {
-+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(bodyExternal.getBytes("UTF-8"));
-+ inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
-+ StAXSource result = (StAXSource) converter.read(StAXSource.class, inputMessage);
-+ XMLStreamReader streamReader = result.getXMLStreamReader();
-+ assertTrue(streamReader.hasNext());
-+ streamReader.next();
-+ streamReader.next();
-+ String s = streamReader.getLocalName();
-+ assertEquals("root", s);
-+ s = streamReader.getElementText();
-+ assertNotEquals("Foo Bar", s);
-+ streamReader.close();
-+ }
-+
-+
-+ @Test
- public void readStreamSource() throws Exception {
-- String body = "<root>Hello World</root>";
-- MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8"));
-+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
- inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
- StreamSource result = (StreamSource) converter.read(StreamSource.class, inputMessage);
- String s = FileCopyUtils.copyToString(new InputStreamReader(result.getInputStream()));
-- assertXMLEqual("Invalid result", body, s);
-+ assertXMLEqual("Invalid result", BODY, s);
- }
-
- @Test
- public void readSource() throws Exception {
-- String body = "<root>Hello World</root>";
-- MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8"));
-+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
- inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
- converter.read(Source.class, inputMessage);
- }
-
- @Test
-- public void write() throws Exception {
-+ public void writeDOMSource() throws Exception {
- DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
- documentBuilderFactory.setNamespaceAware(true);
- Document document = documentBuilderFactory.newDocumentBuilder().newDocument();
-@@ -115,7 +195,34 @@ public class SourceHttpMessageConverterTests {
- outputMessage.getBodyAsString(Charset.forName("UTF-8")));
- assertEquals("Invalid content-type", new MediaType("application", "xml"),
- outputMessage.getHeaders().getContentType());
-+ assertEquals("Invalid content-length", outputMessage.getBodyAsBytes().length,
-+ outputMessage.getHeaders().getContentLength());
- }
-
-+ @Test
-+ public void writeSAXSource() throws Exception {
-+ String xml = "<root>Hello World</root>";
-+ SAXSource saxSource = new SAXSource(new InputSource(new StringReader(xml)));
-+
-+ MockHttpOutputMessage outputMessage = new MockHttpOutputMessage();
-+ converter.write(saxSource, null, outputMessage);
-+ assertXMLEqual("Invalid result", "<root>Hello World</root>",
-+ outputMessage.getBodyAsString(Charset.forName("UTF-8")));
-+ assertEquals("Invalid content-type", new MediaType("application", "xml"),
-+ outputMessage.getHeaders().getContentType());
-+ }
-+
-+ @Test
-+ public void writeStreamSource() throws Exception {
-+ String xml = "<root>Hello World</root>";
-+ StreamSource streamSource = new StreamSource(new StringReader(xml));
-+
-+ MockHttpOutputMessage outputMessage = new MockHttpOutputMessage();
-+ converter.write(streamSource, null, outputMessage);
-+ assertXMLEqual("Invalid result", "<root>Hello World</root>",
-+ outputMessage.getBodyAsString(Charset.forName("UTF-8")));
-+ assertEquals("Invalid content-type", new MediaType("application", "xml"),
-+ outputMessage.getHeaders().getContentType());
-+ }
-
- }
-diff --git a/projects/org.springframework.web/src/test/resources/org/springframework/http/converter/xml/external.txt b/projects/org.springframework.web/src/test/resources/org/springframework/http/converter/xml/external.txt
-new file mode 100644
-index 0000000..76c7ac2
---- /dev/null
-+++ b/projects/org.springframework.web/src/test/resources/org/springframework/http/converter/xml/external.txt
-@@ -0,0 +1 @@
-+Foo Bar
diff --git a/debian/patches/CVE-2013-6430.patch b/debian/patches/CVE-2013-6430.patch
deleted file mode 100644
index 7c4c362..0000000
--- a/debian/patches/CVE-2013-6430.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From: Markus Koschany <apo at gambaru.de>
-Date: Thu, 23 Jan 2014 00:03:13 +0100
-Subject: CVE-2013-6430
-
-Bug: http://bugs.debian.org/735420
----
- .../springframework/web/util/JavaScriptUtils.java | 35 ++++++++---
- .../web/util/JavaScriptUtilsTests.java | 67 ++++++++++++++++++++++
- 2 files changed, 95 insertions(+), 7 deletions(-)
- create mode 100644 projects/org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java
-
-diff --git a/projects/org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java b/projects/org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java
-index b28d398..861b46f 100644
---- a/projects/org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java
-+++ b/projects/org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2008 the original author or authors.
-+ * Copyright 2002-2013 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -21,21 +21,21 @@ package org.springframework.web.util;
- * Escapes based on the JavaScript 1.5 recommendation.
- *
- * <p>Reference:
-- * <a href="http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Literals#String_Literals">
-- * Core JavaScript 1.5 Guide
-- * </a>
-+ * <a href="https://developer.mozilla.org/en-US/docs/JavaScript/Guide/Values,_variables,_and_literals#String_literals">
-+ * JavaScript Guide</a> on Mozilla Developer Network.
- *
- * @author Juergen Hoeller
- * @author Rob Harrop
-+ * @author Rossen Stoyanchev
- * @since 1.1.1
- */
- public class JavaScriptUtils {
-
- /**
-- * Turn special characters into escaped characters conforming to JavaScript.
-- * Handles complete character set defined in HTML 4.01 recommendation.
-+ * Turn JavaScript special characters into escaped characters.
-+ *
- * @param input the input string
-- * @return the escaped string
-+ * @return the string with escaped characters
- */
- public static String javaScriptEscape(String input) {
- if (input == null) {
-@@ -73,6 +73,27 @@ public class JavaScriptUtils {
- else if (c == '\f') {
- filtered.append("\\f");
- }
-+ else if (c == '\b') {
-+ filtered.append("\\b");
-+ }
-+ // No '\v' in Java, use octal value for VT ascii char
-+ else if (c == '\013') {
-+ filtered.append("\\v");
-+ }
-+ else if (c == '<') {
-+ filtered.append("\\u003C");
-+ }
-+ else if (c == '>') {
-+ filtered.append("\\u003E");
-+ }
-+ // Unicode for PS (line terminator in ECMA-262)
-+ else if (c == '\u2028') {
-+ filtered.append("\\u2028");
-+ }
-+ // Unicode for LS (line terminator in ECMA-262)
-+ else if (c == '\u2029') {
-+ filtered.append("\\u2029");
-+ }
- else {
- filtered.append(c);
- }
-diff --git a/projects/org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java b/projects/org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java
-new file mode 100644
-index 0000000..182f18e
---- /dev/null
-+++ b/projects/org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java
-@@ -0,0 +1,67 @@
-+/*
-+ * Copyright 2004-2013 the original author or authors.
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+package org.springframework.web.util;
-+
-+import static org.junit.Assert.*;
-+
-+import java.io.UnsupportedEncodingException;
-+
-+import org.junit.Test;
-+
-+/**
-+ * Test fixture for {@link JavaScriptUtils}.
-+ *
-+ * @author Rossen Stoyanchev
-+ */
-+public class JavaScriptUtilsTests {
-+
-+ @Test
-+ public void escape() {
-+ StringBuilder sb = new StringBuilder();
-+ sb.append('"');
-+ sb.append("'");
-+ sb.append("\\");
-+ sb.append("/");
-+ sb.append("\t");
-+ sb.append("\n");
-+ sb.append("\r");
-+ sb.append("\f");
-+ sb.append("\b");
-+ sb.append("\013");
-+ assertEquals("\\\"\\'\\\\\\/\\t\\n\\n\\f\\b\\v", JavaScriptUtils.javaScriptEscape(sb.toString()));
-+ }
-+
-+ // SPR-9983
-+
-+ @Test
-+ public void escapePsLsLineTerminators() {
-+ StringBuilder sb = new StringBuilder();
-+ sb.append('\u2028');
-+ sb.append('\u2029');
-+ String result = JavaScriptUtils.javaScriptEscape(sb.toString());
-+
-+ assertEquals("\\u2028\\u2029", result);
-+ }
-+
-+ // SPR-9983
-+
-+ @Test
-+ public void escapeLessThanGreaterThanSigns() throws UnsupportedEncodingException {
-+ assertEquals("\\u003C\\u003E", JavaScriptUtils.javaScriptEscape("<>"));
-+ }
-+
-+}
diff --git a/debian/patches/CVE-2014-0054.patch b/debian/patches/CVE-2014-0054.patch
deleted file mode 100644
index dcb9faa..0000000
--- a/debian/patches/CVE-2014-0054.patch
+++ /dev/null
@@ -1,319 +0,0 @@
-From: Miguel Landaeta <nomadium at debian.org>
-Date: Mon, 24 Mar 2014 16:57:19 -0300
-Subject: CVE-2014-0054
-
-Bug: http://bugs.debian.org/741604
-
-diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
-index 871075f..fea0519 100644
---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
-+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
-@@ -120,6 +120,11 @@ public class CastorMarshaller extends AbstractMarshaller implements Initializing
- this.encoding = encoding;
- }
-
-+ @Override
-+ protected String getDefaultEncoding() {
-+ return this.encoding;
-+ }
-+
- /**
- * Set the locations of the Castor XML Mapping files.
- */
-diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-index 1b3412d..37d7937 100644
---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-@@ -317,6 +317,13 @@ public class Jaxb2Marshaller
- this.processExternalEntities = processExternalEntities;
- }
-
-+ /**
-+ * @return the configured value for whether XML external entities are allowed.
-+ */
-+ public boolean isProcessExternalEntities() {
-+ return this.processExternalEntities;
-+ }
-+
- public void setBeanClassLoader(ClassLoader classLoader) {
- this.beanClassLoader = classLoader;
- }
-diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
-index 5d6a053..0de00b2 100644
---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
-+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2010 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -28,6 +28,7 @@ import javax.xml.stream.XMLEventWriter;
- import javax.xml.stream.XMLStreamException;
- import javax.xml.stream.XMLStreamReader;
- import javax.xml.stream.XMLStreamWriter;
-+import javax.xml.transform.OutputKeys;
- import javax.xml.transform.Result;
- import javax.xml.transform.Source;
- import javax.xml.transform.Transformer;
-@@ -133,6 +134,11 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
- this.encoding = encoding;
- }
-
-+ @Override
-+ protected String getDefaultEncoding() {
-+ return this.encoding;
-+ }
-+
- /**
- * Set the document standalone flag for marshalling. By default, this flag is not present.
- */
-@@ -301,7 +307,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
- }
- catch (TransformerException ex) {
- throw new MarshallingFailureException(
-- "Could not transform to [" + ClassUtils.getShortName(result.getClass()) + "]");
-+ "Could not transform to [" + ClassUtils.getShortName(result.getClass()) + "]", ex);
- }
-
- }
-@@ -367,7 +373,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
- @Override
- protected Object unmarshalDomNode(Node node) throws XmlMappingException {
- try {
-- return transformAndUnmarshal(new DOMSource(node));
-+ return transformAndUnmarshal(new DOMSource(node), null);
- }
- catch (IOException ex) {
- throw new UnmarshallingFailureException("JiBX unmarshalling exception", ex);
-@@ -377,12 +383,15 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
- @Override
- protected Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource)
- throws XmlMappingException, IOException {
-- return transformAndUnmarshal(new SAXSource(xmlReader, inputSource));
-+ return transformAndUnmarshal(new SAXSource(xmlReader, inputSource), inputSource.getEncoding());
- }
-
-- private Object transformAndUnmarshal(Source source) throws IOException {
-+ private Object transformAndUnmarshal(Source source, String encoding) throws IOException {
- try {
- Transformer transformer = transformerFactory.newTransformer();
-+ if (encoding != null) {
-+ transformer.setOutputProperty(OutputKeys.ENCODING, encoding);
-+ }
- ByteArrayOutputStream os = new ByteArrayOutputStream();
- transformer.transform(source, new StreamResult(os));
- ByteArrayInputStream is = new ByteArrayInputStream(os.toByteArray());
-@@ -390,7 +399,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
- }
- catch (TransformerException ex) {
- throw new MarshallingFailureException(
-- "Could not transform from [" + ClassUtils.getShortName(source.getClass()) + "]");
-+ "Could not transform from [" + ClassUtils.getShortName(source.getClass()) + "]", ex);
- }
- }
-
-diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
-index cee37bb..09bc006 100644
---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
-+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2010 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -73,6 +73,34 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
-
- private final Object documentBuilderFactoryMonitor = new Object();
-
-+ private boolean processExternalEntities = false;
-+
-+
-+ /**
-+ * Indicates whether external XML entities are processed when unmarshalling.
-+ * <p>Default is {@code false}, meaning that external entities are not resolved.
-+ * Note that processing of external entities will only be enabled/disabled when the
-+ * {@code Source} passed to {@link #unmarshal(Source)} is a {@link SAXSource} or
-+ * {@link StreamSource}. It has no effect for {@link DOMSource} or {@link StAXSource}
-+ * instances.
-+ */
-+ public void setProcessExternalEntities(boolean processExternalEntities) {
-+ this.processExternalEntities = processExternalEntities;
-+ }
-+
-+ /**
-+ * @return the configured value for whether XML external entities are allowed.
-+ */
-+ public boolean isProcessExternalEntities() {
-+ return this.processExternalEntities;
-+ }
-+
-+ /**
-+ * @return the default encoding to use for marshalling or unmarshalling from
-+ * a byte stream, or {@code null}.
-+ */
-+ abstract protected String getDefaultEncoding();
-+
-
- /**
- * Marshals the object graph with the given root into the provided <code>javax.xml.transform.Result</code>.
-@@ -131,7 +159,7 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
- return unmarshalSaxSource((SAXSource) source);
- }
- else if (source instanceof StreamSource) {
-- return unmarshalStreamSource((StreamSource) source);
-+ return unmarshalStreamSourceNoExternalEntitities((StreamSource) source);
- }
- else {
- throw new IllegalArgumentException("Unknown Source type: " + source.getClass());
-@@ -173,7 +201,9 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
- * @throws SAXException if thrown by JAXP methods
- */
- protected XMLReader createXmlReader() throws SAXException {
-- return XMLReaderFactory.createXMLReader();
-+ XMLReader xmlReader = XMLReaderFactory.createXMLReader();
-+ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities());
-+ return xmlReader;
- }
-
-
-@@ -356,8 +386,42 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
- }
-
- /**
-+ * Template method for handling {@code StreamSource}s with protection against
-+ * the XML External Entity (XXE) processing vulnerability taking into account
-+ * the value of the {@link #setProcessExternalEntities(boolean)} property.
-+ * <p>
-+ * The default implementation wraps the StreamSource as a SAXSource and delegates
-+ * to {@link #unmarshalSaxSource(javax.xml.transform.sax.SAXSource)}.
-+ *
-+ * @param streamSource the {@code StreamSource}
-+ * @return the object graph
-+ * @throws IOException if an I/O exception occurs
-+ * @throws XmlMappingException if the given source cannot be mapped to an object
-+ *
-+ * @see <a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML_External_Entity_(XXE)_Processing</a>
-+ */
-+ protected Object unmarshalStreamSourceNoExternalEntitities(StreamSource streamSource) throws XmlMappingException, IOException {
-+ InputSource inputSource;
-+ if (streamSource.getInputStream() != null) {
-+ inputSource = new InputSource(streamSource.getInputStream());
-+ inputSource.setEncoding(getDefaultEncoding());
-+ }
-+ else if (streamSource.getReader() != null) {
-+ inputSource = new InputSource(streamSource.getReader());
-+ }
-+ else {
-+ inputSource = new InputSource(streamSource.getSystemId());
-+ }
-+ return unmarshalSaxSource(new SAXSource(inputSource));
-+ }
-+
-+ /**
- * Template method for handling <code>StreamSource</code>s.
- * <p>This implementation defers to <code>unmarshalInputStream</code> or <code>unmarshalReader</code>.
-+ * <p>As of 3.2.8 and 4.0.2 this method is no longer invoked from
-+ * {@link #unmarshal(javax.xml.transform.Source)}. The method invoked instead is
-+ * {@link #unmarshalStreamSourceNoExternalEntitities(javax.xml.transform.stream.StreamSource)}.
-+ *
- * @param streamSource the <code>StreamSource</code>
- * @return the object graph
- * @throws IOException if an I/O exception occurs
-diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
-index eb5a6e6..9f06b35 100644
---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
-+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2009 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -116,6 +116,10 @@ public class XmlBeansMarshaller extends AbstractMarshaller {
- return this.validating;
- }
-
-+ @Override
-+ protected String getDefaultEncoding() {
-+ return null;
-+ }
-
- /**
- * This implementation returns true if the given class is an implementation of {@link XmlObject}.
-diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
-index d6521ff..efa9403 100644
---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
-+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
-@@ -26,11 +26,9 @@ import java.io.Writer;
- import java.util.LinkedHashMap;
- import java.util.List;
- import java.util.Map;
--import javax.xml.stream.XMLEventReader;
--import javax.xml.stream.XMLEventWriter;
--import javax.xml.stream.XMLStreamException;
--import javax.xml.stream.XMLStreamReader;
--import javax.xml.stream.XMLStreamWriter;
-+import javax.xml.stream.*;
-+import javax.xml.transform.stax.StAXSource;
-+import javax.xml.transform.stream.StreamSource;
-
- import com.thoughtworks.xstream.XStream;
- import com.thoughtworks.xstream.converters.ConversionException;
-@@ -349,6 +347,11 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
- this.encoding = encoding;
- }
-
-+ @Override
-+ protected String getDefaultEncoding() {
-+ return this.encoding;
-+ }
-+
- /**
- * Set the classes supported by this marshaller.
- * <p>If this property is empty (the default), all classes are supported.
-@@ -470,6 +473,13 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
- // Unmarshalling
-
- @Override
-+ protected Object unmarshalStreamSourceNoExternalEntitities(StreamSource streamSource)
-+ throws XmlMappingException, IOException {
-+
-+ return super.unmarshalStreamSource(streamSource);
-+ }
-+
-+ @Override
- protected Object unmarshalDomNode(Node node) throws XmlMappingException {
- HierarchicalStreamReader streamReader;
- if (node instanceof Document) {
-diff --git a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-index 15b7d8e..3126ca4 100644
---- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-+++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-@@ -85,6 +85,13 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
- this.processExternalEntities = processExternalEntities;
- }
-
-+ /**
-+ * @return the configured value for whether XML external entities are allowed.
-+ */
-+ public boolean isProcessExternalEntities() {
-+ return this.processExternalEntities;
-+ }
-+
- @Override
- public boolean supports(Class<?> clazz) {
- return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz)
-@@ -146,7 +153,7 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
- private Source readStAXSource(InputStream body) {
- try {
- XMLInputFactory inputFactory = XMLInputFactory.newFactory();
-- inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", processExternalEntities);
-+ inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, this.processExternalEntities);
- XMLStreamReader streamReader = inputFactory.createXMLStreamReader(body);
- return StaxUtils.createStaxSource(streamReader);
- }
diff --git a/debian/patches/CVE-2014-0225.patch b/debian/patches/CVE-2014-0225.patch
deleted file mode 100644
index 9fe2e7b..0000000
--- a/debian/patches/CVE-2014-0225.patch
+++ /dev/null
@@ -1,305 +0,0 @@
---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-@@ -21,6 +21,7 @@
- import java.io.IOException;
- import java.io.InputStream;
- import java.io.OutputStream;
-+import java.io.StringReader;
- import java.io.UnsupportedEncodingException;
- import java.lang.reflect.GenericArrayType;
- import java.lang.reflect.ParameterizedType;
-@@ -69,6 +70,7 @@
-
- import org.apache.commons.logging.Log;
- import org.apache.commons.logging.LogFactory;
-+import org.xml.sax.EntityResolver;
- import org.xml.sax.InputSource;
- import org.xml.sax.SAXException;
- import org.xml.sax.XMLReader;
-@@ -668,8 +670,11 @@
- if (xmlReader == null) {
- xmlReader = XMLReaderFactory.createXMLReader();
- }
-- xmlReader.setFeature("http://xml.org/sax/features/external-general-entities",
-- this.processExternalEntities);
-+ String name = "http://xml.org/sax/features/external-general-entities";
-+ xmlReader.setFeature(name, isProcessExternalEntities());
-+ if (!isProcessExternalEntities()) {
-+ xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER);
-+ }
-
- return new SAXSource(xmlReader, inputSource);
- }
-@@ -865,4 +870,11 @@
- }
- }
-
-+
-+ private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() {
-+ public InputSource resolveEntity(String publicId, String systemId) {
-+ return new InputSource(new StringReader(""));
-+ }
-+ };
-+
- }
---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
-+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
-@@ -20,6 +20,7 @@
- import java.io.InputStream;
- import java.io.OutputStream;
- import java.io.Reader;
-+import java.io.StringReader;
- import java.io.Writer;
- import javax.xml.parsers.DocumentBuilder;
- import javax.xml.parsers.DocumentBuilderFactory;
-@@ -42,6 +43,7 @@
- import org.apache.commons.logging.LogFactory;
- import org.w3c.dom.Node;
- import org.xml.sax.ContentHandler;
-+import org.xml.sax.EntityResolver;
- import org.xml.sax.InputSource;
- import org.xml.sax.SAXException;
- import org.xml.sax.XMLReader;
-@@ -203,6 +205,9 @@
- protected XMLReader createXmlReader() throws SAXException {
- XMLReader xmlReader = XMLReaderFactory.createXMLReader();
- xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities());
-+ if (!isProcessExternalEntities()) {
-+ xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER);
-+ }
- return xmlReader;
- }
-
-@@ -563,4 +568,11 @@
- protected abstract Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource)
- throws XmlMappingException, IOException;
-
-+
-+ private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() {
-+ public InputSource resolveEntity(String publicId, String systemId) {
-+ return new InputSource(new StringReader(""));
-+ }
-+ };
-+
- }
---- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java
-+++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java
-@@ -17,6 +17,7 @@
- package org.springframework.http.converter.xml;
-
- import java.io.IOException;
-+import java.io.StringReader;
- import javax.xml.bind.JAXBElement;
- import javax.xml.bind.JAXBException;
- import javax.xml.bind.MarshalException;
-@@ -28,6 +29,8 @@
- import javax.xml.bind.annotation.XmlType;
- import javax.xml.transform.Result;
- import javax.xml.transform.Source;
-+import javax.xml.transform.sax.SAXSource;
-+import javax.xml.transform.stream.StreamSource;
-
- import org.springframework.core.annotation.AnnotationUtils;
- import org.springframework.http.HttpHeaders;
-@@ -36,6 +39,11 @@
- import org.springframework.http.converter.HttpMessageNotReadableException;
- import org.springframework.http.converter.HttpMessageNotWritableException;
- import org.springframework.util.ClassUtils;
-+import org.xml.sax.EntityResolver;
-+import org.xml.sax.InputSource;
-+import org.xml.sax.SAXException;
-+import org.xml.sax.XMLReader;
-+import org.xml.sax.helpers.XMLReaderFactory;
-
- /**
- * Implementation of {@link org.springframework.http.converter.HttpMessageConverter HttpMessageConverter} that can read
-@@ -49,6 +57,21 @@
- */
- public class Jaxb2RootElementHttpMessageConverter extends AbstractJaxb2HttpMessageConverter<Object> {
-
-+ private boolean processExternalEntities = false;
-+
-+
-+ /**
-+ * Indicates whether external XML entities are processed when converting to a Source.
-+ * <p>Default is {@code false}, meaning that external entities are not resolved.
-+ */
-+ public void setProcessExternalEntities(boolean processExternalEntities) {
-+ this.processExternalEntities = processExternalEntities;
-+ }
-+
-+ public boolean isProcessExternalEntities() {
-+ return this.processExternalEntities;
-+ }
-+
- @Override
- public boolean canRead(Class<?> clazz, MediaType mediaType) {
- return (clazz.isAnnotationPresent(XmlRootElement.class) || clazz.isAnnotationPresent(XmlType.class)) &&
-@@ -69,6 +92,7 @@
- @Override
- protected Object readFromSource(Class<?> clazz, HttpHeaders headers, Source source) throws IOException {
- try {
-+ source = processSource(source);
- Unmarshaller unmarshaller = createUnmarshaller(clazz);
- if (clazz.isAnnotationPresent(XmlRootElement.class)) {
- return unmarshaller.unmarshal(source);
-@@ -87,6 +111,29 @@
- }
- }
-
-+ protected Source processSource(Source source) {
-+ if (source instanceof StreamSource) {
-+ StreamSource streamSource = (StreamSource) source;
-+ InputSource inputSource = new InputSource(streamSource.getInputStream());
-+ try {
-+ XMLReader xmlReader = XMLReaderFactory.createXMLReader();
-+ String featureName = "http://xml.org/sax/features/external-general-entities";
-+ xmlReader.setFeature(featureName, isProcessExternalEntities());
-+ if (!isProcessExternalEntities()) {
-+ xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER);
-+ }
-+ return new SAXSource(xmlReader, inputSource);
-+ }
-+ catch (SAXException ex) {
-+ logger.warn("Processing of external entities could not be disabled", ex);
-+ return source;
-+ }
-+ }
-+ else {
-+ return source;
-+ }
-+ }
-+
- @Override
- protected void writeToResult(Object o, HttpHeaders headers, Result result) throws IOException {
- try {
-@@ -109,4 +156,11 @@
- }
- }
-
-+
-+ private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() {
-+ public InputSource resolveEntity(String publicId, String systemId) {
-+ return new InputSource(new StringReader(""));
-+ }
-+ };
-+
- }
---- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-+++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-@@ -21,9 +21,11 @@
- import java.io.IOException;
- import java.io.InputStream;
- import java.io.OutputStream;
-+import java.io.StringReader;
- import javax.xml.parsers.DocumentBuilder;
- import javax.xml.parsers.DocumentBuilderFactory;
- import javax.xml.parsers.ParserConfigurationException;
-+import javax.xml.stream.XMLResolver;
- import javax.xml.stream.XMLInputFactory;
- import javax.xml.stream.XMLStreamException;
- import javax.xml.stream.XMLStreamReader;
-@@ -38,6 +40,7 @@
- import javax.xml.transform.stream.StreamSource;
-
- import org.w3c.dom.Document;
-+import org.xml.sax.EntityResolver;
- import org.xml.sax.InputSource;
- import org.xml.sax.SAXException;
- import org.xml.sax.XMLReader;
-@@ -125,8 +128,11 @@
- try {
- DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
- documentBuilderFactory.setNamespaceAware(true);
-- documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities);
-+ documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities());
- DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
-+ if (!isProcessExternalEntities()) {
-+ documentBuilder.setEntityResolver(NO_OP_ENTITY_RESOLVER);
-+ }
- Document document = documentBuilder.parse(body);
- return new DOMSource(document);
- }
-@@ -141,8 +147,11 @@
- private SAXSource readSAXSource(InputStream body) throws IOException {
- try {
- XMLReader reader = XMLReaderFactory.createXMLReader();
-- reader.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities);
-+ reader.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities());
- byte[] bytes = StreamUtils.copyToByteArray(body);
-+ if (!isProcessExternalEntities()) {
-+ reader.setEntityResolver(NO_OP_ENTITY_RESOLVER);
-+ }
- return new SAXSource(reader, new InputSource(new ByteArrayInputStream(bytes)));
- }
- catch (SAXException ex) {
-@@ -219,4 +228,17 @@
- }
- }
-
-+
-+ private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() {
-+ public InputSource resolveEntity(String publicId, String systemId) {
-+ return new InputSource(new StringReader(""));
-+ }
-+ };
-+
-+ private static final XMLResolver NO_OP_XML_RESOLVER = new XMLResolver() {
-+ public Object resolveEntity(String publicID, String systemID, String base, String ns) {
-+ return new ByteArrayInputStream(new byte[0]);
-+ }
-+ };
-+
- }
---- a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTest.java
-+++ b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTest.java
-@@ -98,6 +98,33 @@
- assertEquals("Invalid result", "Hello World", result.s);
- }
-
-+ @Test
-+ public void readXmlRootElementExternalEntityDisabled() throws Exception {
-+ Resource external = new ClassPathResource("external.txt", getClass());
-+ String content = "<!DOCTYPE root SYSTEM \"http://192.168.28.42/1.jsp\" [" +
-+ " <!ELEMENT external ANY >\n" +
-+ " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]>" +
-+ " <rootElement><external>&ext;</external></rootElement>";
-+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
-+ RootElement rootElement = (RootElement) converter.read(RootElement.class, inputMessage);
-+
-+ assertEquals("", rootElement.external);
-+ }
-+
-+ @Test
-+ public void readXmlRootElementExternalEntityEnabled() throws Exception {
-+ Resource external = new ClassPathResource("external.txt", getClass());
-+ String content = "<!DOCTYPE root [" +
-+ " <!ELEMENT external ANY >\n" +
-+ " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]>" +
-+ " <rootElement><external>&ext;</external></rootElement>";
-+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
-+ this.converter.setProcessExternalEntities(true);
-+ RootElement rootElement = (RootElement) converter.read(RootElement.class, inputMessage);
-+
-+ assertEquals("Foo Bar", rootElement.external);
-+ }
-+
- @Test
- public void writeXmlRootElement() throws Exception {
- MockHttpOutputMessage outputMessage = new MockHttpOutputMessage();
---- a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java
-+++ b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java
-@@ -67,9 +67,10 @@
- converter = new SourceHttpMessageConverter<Source>();
- Resource external = new ClassPathResource("external.txt", getClass());
-
-- bodyExternal = "<!DOCTYPE root [" +
-- " <!ELEMENT root ANY >\n" +
-- " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]><root>&ext;</root>";
-+ bodyExternal = "<!DOCTYPE root SYSTEM \"http://192.168.28.42/1.jsp\" [" +
-+ " <!ELEMENT root ANY >\n" +
-+ " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]><root>&ext;</root>";
-+
- }
-
- @Test
diff --git a/debian/patches/CVE-2014-1904.patch b/debian/patches/CVE-2014-1904.patch
deleted file mode 100644
index d9274d1..0000000
--- a/debian/patches/CVE-2014-1904.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Miguel Landaeta <nomadium at debian.org>
-Date: Mon, 24 Mar 2014 17:07:58 -0300
-Subject: CVE-2014-1904
-
-Bug: http://bugs.debian.org/741604
-
-diff --git a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
-index 2e9cc84..b416084 100644
---- a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
-+++ b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2010 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -21,11 +21,14 @@ import javax.servlet.http.HttpServletResponse;
- import javax.servlet.jsp.JspException;
- import javax.servlet.jsp.PageContext;
-
-+import java.io.UnsupportedEncodingException;
-+
- import org.springframework.beans.PropertyAccessor;
- import org.springframework.core.Conventions;
- import org.springframework.util.ObjectUtils;
- import org.springframework.util.StringUtils;
- import org.springframework.web.util.HtmlUtils;
-+import org.springframework.web.util.UriUtils;
-
- /**
- * Databinding-aware JSP tag for rendering an HTML '<code>form</code>' whose
-@@ -397,6 +400,13 @@ public class FormTag extends AbstractHtmlElementTag {
- }
- else {
- String requestUri = getRequestContext().getRequestUri();
-+ String encoding = pageContext.getResponse().getCharacterEncoding();
-+ try {
-+ requestUri = UriUtils.encodePath(requestUri, encoding);
-+ }
-+ catch (UnsupportedEncodingException e) {
-+ throw new JspException(e);
-+ }
- ServletResponse response = this.pageContext.getResponse();
- if (response instanceof HttpServletResponse) {
- requestUri = ((HttpServletResponse) response).encodeURL(requestUri);
diff --git a/debian/patches/series b/debian/patches/series
index ce0d404..ffdb73a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,10 +10,5 @@
0010_velocity_17.diff
0011-java7-compat.patch
Add-processExternalEntities-to-JAXB2Marshaller.patch
-CVE-2013-6429.patch
-CVE-2013-6430.patch
-CVE-2014-0054.patch
-CVE-2014-1904.patch
-CVE-2014-0225.patch
0012_use_debian_asm4.patch
0013-disable-struts-bundle.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libspring-java.git
More information about the pkg-java-commits
mailing list