[pkg-java] r19310 - in trunk/plexus-utils/debian: . patches

Markus Koschany apo at moszumanska.debian.org
Tue Jan 9 20:42:29 UTC 2018


Author: apo
Date: 2018-01-09 20:42:28 +0000 (Tue, 09 Jan 2018)
New Revision: 19310

Added:
   trunk/plexus-utils/debian/orig-tar.sh
   trunk/plexus-utils/debian/patches/
   trunk/plexus-utils/debian/patches/CVE-2017-1000487.patch
   trunk/plexus-utils/debian/patches/series
Modified:
   trunk/plexus-utils/debian/changelog
   trunk/plexus-utils/debian/compat
   trunk/plexus-utils/debian/control
   trunk/plexus-utils/debian/copyright
   trunk/plexus-utils/debian/rules
   trunk/plexus-utils/debian/watch
Log:
Release plexus-utils 1:1.5.15-5


Modified: trunk/plexus-utils/debian/changelog
===================================================================
--- trunk/plexus-utils/debian/changelog	2018-01-04 00:30:56 UTC (rev 19309)
+++ trunk/plexus-utils/debian/changelog	2018-01-09 20:42:28 UTC (rev 19310)
@@ -1,16 +1,18 @@
-plexus-utils (1:1.5.15-5) UNRELEASED; urgency=low
+plexus-utils (1:1.5.15-5) unstable; urgency=high
 
   * Team upload.
-  * debian/control:
-    - Use canonical URLs for the Vcs-* fields
-    - Updated Standards-Version to 3.9.4 (no changes)
-    - Removed Michael Koch from the uploaders (Closes: #654127)
-  * Build depend on debhelper >= 9
-  * debian/rules: Improved the clean target
-  * debian/watch: Updated to watch the new release tags on Github
-  * Removed debian/orig-tar.sh and use the tarball from Github directly
+  * Switch to compat level 10.
+  * wrap-and-sort -sa.
+  * Declare compliance with Debian Policy 4.1.3.
+  * Remove Michael Koch from Uploaders because he is not active anymore.
+    (Closes: #654127)
+  * Use only Build-Depends field.
+  * Fix CVE-2017-1000487: Shell command injection vulnerability.
+  * Change homepage address to Git repository at github.com.
+  * Update watch file because codehaus.org is obsolete.
+    Use the same one as plexus-utils2.
 
- -- Emmanuel Bourg <ebourg at apache.org>  Wed, 23 Oct 2013 12:25:00 +0200
+ -- Markus Koschany <apo at debian.org>  Tue, 09 Jan 2018 20:59:32 +0100
 
 plexus-utils (1:1.5.15-4) unstable; urgency=low
 
@@ -40,8 +42,8 @@
   * Add the Maven POM to the package,
   * Add a Build-Depends-Indep dependency on maven-repo-helper
   * Use mh_installpom and mh_installjar to install the POM and the jar to the
-    Maven repository 
-  * Remove the dependency on default-java and java2-runtime as this is a 
+    Maven repository
+  * Remove the dependency on default-java and java2-runtime as this is a
     library
 
  -- Ludovic Claude <ludovic.claude at laposte.net>  Thu, 02 Jul 2009 14:41:15 +0000

Modified: trunk/plexus-utils/debian/compat
===================================================================
--- trunk/plexus-utils/debian/compat	2018-01-04 00:30:56 UTC (rev 19309)
+++ trunk/plexus-utils/debian/compat	2018-01-09 20:42:28 UTC (rev 19310)
@@ -1 +1 @@
-9
+10

Modified: trunk/plexus-utils/debian/control
===================================================================
--- trunk/plexus-utils/debian/control	2018-01-04 00:30:56 UTC (rev 19309)
+++ trunk/plexus-utils/debian/control	2018-01-09 20:42:28 UTC (rev 19310)
@@ -2,18 +2,30 @@
 Section: java
 Priority: optional
 Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
-Uploaders: Torsten Werner <twerner at debian.org>, Ludovic Claude <ludovic.claude at laposte.net>
-Build-Depends-Indep: libplexus-interpolation-java, libxalan2-java, maven-repo-helper
-Build-Depends: ant, cdbs (>= 0.4.5.3), debhelper (>= 9), default-jdk
-Standards-Version: 3.9.4
+Uploaders:
+ Torsten Werner <twerner at debian.org>,
+ Ludovic Claude <ludovic.claude at laposte.net>
+Build-Depends:
+ ant,
+ cdbs (>= 0.4.5.3),
+ debhelper (>= 10),
+ default-jdk,
+ libplexus-interpolation-java,
+ libxalan2-java,
+ maven-repo-helper
+Standards-Version: 4.1.3
+Homepage: https://github.com/codehaus-plexus/plexus-utils/
 Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/plexus-utils
-Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/plexus-utils
-Homepage: http://plexus.codehaus.org
+Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-java/trunk/plexus-utils
 
 Package: libplexus-utils-java
 Architecture: all
-Depends: libplexus-interpolation-java, libxalan2-java, ${misc:Depends}
-Suggests: libplexus-utils-java-doc
+Depends:
+ libplexus-interpolation-java,
+ libxalan2-java,
+ ${misc:Depends}
+Suggests:
+ libplexus-utils-java-doc
 Description: utilities for the Plexus framework
  The Plexus project provides a full software stack for creating and executing
  software projects. Based on the Plexus container, the applications can
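Review bot: The new Vcs-Browser line moves to https, but the Vcs-Svn line immediately above it stays on the plain `svn://` scheme, so the two fields now disagree on transport; `svn://` provides no transport authentication, whereas an `svn+ssh://` or an https checkout URL (if anonscm offered one at the time, which is not visible here) would. This is a consistency question for the packaging team rather than a defect introduced by the commit. The rest of the hunk is a wrap-and-sort reflow plus the debhelper/compat and Standards-Version bumps, which agree with the changelog and compat entries in this same revision.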
@@ -36,8 +48,11 @@
 Package: libplexus-utils-java-doc
 Architecture: all
 Section: doc
-Depends: default-jdk-doc, ${misc:Depends}
-Suggests: libplexus-utils-java
+Depends:
+ default-jdk-doc,
+ ${misc:Depends}
+Suggests:
+ libplexus-utils-java
 Description: API Documentation for plexus-utils
  The Plexus project provides a full software stack for creating and executing
  software projects. Based on the Plexus container, the applications can

Modified: trunk/plexus-utils/debian/copyright
===================================================================
--- trunk/plexus-utils/debian/copyright	2018-01-04 00:30:56 UTC (rev 19309)
+++ trunk/plexus-utils/debian/copyright	2018-01-09 20:42:28 UTC (rev 19310)
@@ -1,9 +1,9 @@
 This package was debianized by Trygve Laugstøl <trygvis at codehaus.org> on
 Tue, 19 Aug 2005 00:26:30 +0100.
 
-libplex-utils was downloaded from http://plexus.codehaus.org/
+The source for plexus-utils can be found at https://github.com/codehaus-plexus/plexus-utils/
 
-Upstream Authors:  
+Upstream Authors:
                    Javolution
 		   ThoughtWorks, Inc
 		   The Apache Software Foundation
@@ -44,33 +44,33 @@
 
 	Copyright (c) 2002 Extreme! Lab, Indiana University. All rights reserved.
 
-	Redistribution and use in source and binary forms, with or without 
-	modification, are permitted provided that the following conditions 
+	Redistribution and use in source and binary forms, with or without
+	modification, are permitted provided that the following conditions
 	are met:
 
-	1. Redistributions of source code must retain the above copyright notice, 
+	1. Redistributions of source code must retain the above copyright notice,
 	   this list of conditions and the following disclaimer.
 
-	2. Redistributions in binary form must reproduce the above copyright 
-	   notice, this list of conditions and the following disclaimer in 
+	2. Redistributions in binary form must reproduce the above copyright
+	   notice, this list of conditions and the following disclaimer in
 	   the documentation and/or other materials provided with the distribution.
 
-	3. The end-user documentation included with the redistribution, if any, 
+	3. The end-user documentation included with the redistribution, if any,
 	   must include the following acknowledgment:
 
-	  "This product includes software developed by the Indiana University 
+	  "This product includes software developed by the Indiana University
 	  Extreme! Lab (http://www.extreme.indiana.edu/)."
 
-	Alternately, this acknowledgment may appear in the software itself, 
+	Alternately, this acknowledgment may appear in the software itself,
 	if and wherever such third-party acknowledgments normally appear.
 
-	4. The names "Indiana Univeristy" and "Indiana Univeristy Extreme! Lab" 
-	must not be used to endorse or promote products derived from this 
-	software without prior written permission. For written permission, 
+	4. The names "Indiana Univeristy" and "Indiana Univeristy Extreme! Lab"
+	must not be used to endorse or promote products derived from this
+	software without prior written permission. For written permission,
 	please contact http://www.extreme.indiana.edu/.
 
-	5. Products derived from this software may not use "Indiana Univeristy" 
-	name nor may "Indiana Univeristy" appear in their name, without prior 
+	5. Products derived from this software may not use "Indiana Univeristy"
+	name nor may "Indiana Univeristy" appear in their name, without prior
 	written permission of the Indiana University.
 
 	THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
@@ -99,17 +99,17 @@
 	      and/or other materials provided with the distribution.
 
 	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-	ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
-	WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
-	DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 
-	ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
-	(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
+	ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+	WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+	DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+	ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+	(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 	LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-	ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
-	(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
+	ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+	(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 	SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-	
+
 	/********************************************************************************
 	 * CruiseControl, a Continuous Integration Toolkit
 	 * Copyright (c) 2001-2003, ThoughtWorks, Inc.

Added: trunk/plexus-utils/debian/orig-tar.sh
===================================================================
--- trunk/plexus-utils/debian/orig-tar.sh	                        (rev 0)
+++ trunk/plexus-utils/debian/orig-tar.sh	2018-01-09 20:42:28 UTC (rev 19310)
@@ -0,0 +1,16 @@
+#!/bin/sh -e
+
+TAR=../libplexus-utils_$2.orig.tar.gz
+DIR=plexus-utils-$2
+TAG=plexus-utils-$2
+
+svn export http://svn.codehaus.org/plexus/plexus-utils/tags/$TAG $DIR
+tar -c -z -f $TAR $DIR
+rm -rf $DIR ../$TAG
+
+# move to directory 'tarballs'
+if [ -r .svn/deb-layout ]; then
+  . .svn/deb-layout
+  mv $TAR $origDir
+  echo "moved $TAR to $origDir"
+fi
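Review bot: The added script exports the source over unauthenticated `http://svn.codehaus.org/...` and interpolates `$2` unquoted into the URL and into the `tar`, `rm -rf` and `mv` arguments, while the watch file changed in this same revision and the changelog line "codehaus.org is obsolete" point at GitHub tags over https, so the two fetch paths disagree on where the orig tarball comes from. Whether uscan still invokes this script is not visible here; if it is kept, the version argument should be required and every expansion quoted so that an empty or whitespace-containing value cannot split into extra arguments. Sourcing `.svn/deb-layout` with `.` executes that file as shell; it is a svn-buildpackage convention, but `$origDir` read from it should be quoted like the rest.
```shell
#!/bin/sh -e
: "${2:?upstream version required}"
# … unchanged: TAR/DIR/TAG assignments …
svn export "http://svn.codehaus.org/plexus/plexus-utils/tags/$TAG" "$DIR"
tar -c -z -f "$TAR" "$DIR"
rm -rf "$DIR" "../$TAG"
# … unchanged: deb-layout test and source …
  mv "$TAR" "$origDir"
  echo "moved $TAR to $origDir"
```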


Property changes on: trunk/plexus-utils/debian/orig-tar.sh
___________________________________________________________________
Added: svn:executable
   + *

Added: trunk/plexus-utils/debian/patches/CVE-2017-1000487.patch
===================================================================
--- trunk/plexus-utils/debian/patches/CVE-2017-1000487.patch	                        (rev 0)
+++ trunk/plexus-utils/debian/patches/CVE-2017-1000487.patch	2018-01-09 20:42:28 UTC (rev 19310)
@@ -0,0 +1,524 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 9 Jan 2018 20:45:31 +0100
+Subject: CVE-2017-1000487
+
+Bug-Upstream: https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522
+Origin: https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41
+---
+ .../org/codehaus/plexus/util/cli/Commandline.java  | 38 +++++++++++---
+ .../plexus/util/cli/shell/BourneShell.java         | 60 +++++++---------------
+ .../org/codehaus/plexus/util/cli/shell/Shell.java  | 35 ++++++++++---
+ .../codehaus/plexus/util/cli/CommandlineTest.java  | 37 +++++++------
+ .../plexus/util/cli/shell/BourneShellTest.java     | 17 +++---
+ 5 files changed, 106 insertions(+), 81 deletions(-)
+
+diff --git a/src/main/java/org/codehaus/plexus/util/cli/Commandline.java b/src/main/java/org/codehaus/plexus/util/cli/Commandline.java
+index 5e0d5af..7346c7e 100644
+--- a/src/main/java/org/codehaus/plexus/util/cli/Commandline.java
++++ b/src/main/java/org/codehaus/plexus/util/cli/Commandline.java
+@@ -139,6 +139,8 @@ public class Commandline
+      * Create a new command line object.
+      * Shell is autodetected from operating system
+      *
++     * Shell usage is only desirable when generating code for remote execution.
++     *
+      * @param toProcess
+      */
+     public Commandline( String toProcess, Shell shell )
+@@ -167,6 +169,8 @@ public class Commandline
+     /**
+      * Create a new command line object.
+      * Shell is autodetected from operating system
++     *
++     * Shell usage is only desirable when generating code for remote execution.
+      */
+     public Commandline( Shell shell )
+     {
+@@ -174,8 +178,7 @@ public class Commandline
+     }
+ 
+     /**
+-     * Create a new command line object.
+-     * Shell is autodetected from operating system
++     * Create a new command line object, given a command following POSIX sh quoting rules
+      *
+      * @param toProcess
+      */
+@@ -203,7 +206,6 @@ public class Commandline
+ 
+     /**
+      * Create a new command line object.
+-     * Shell is autodetected from operating system
+      */
+     public Commandline()
+     {
+@@ -253,7 +255,7 @@ public class Commandline
+         {
+             if ( realPos == -1 )
+             {
+-                realPos = ( getExecutable() == null ? 0 : 1 );
++                realPos = ( getLiteralExecutable() == null ? 0 : 1 );
+                 for ( int i = 0; i < position; i++ )
+                 {
+                     Arg arg = (Arg) arguments.elementAt( i );
+@@ -404,6 +406,21 @@ public class Commandline
+         this.executable = executable;
+     }
+ 
++    /**
++     * @return Executable to be run, as a literal string (no shell quoting/munging)
++     */
++    public String getLiteralExecutable()
++    {
++        return executable;
++    }
++
++    /**
++     * Return an executable name, quoted for shell use.
++     *
++     * Shell usage is only desirable when generating code for remote execution.
++     *
++     * @return Executable to be run, quoted for shell interpretation
++     */
+     public String getExecutable()
+     {
+         String exec = shell.getExecutable();
+@@ -483,7 +500,7 @@ public class Commandline
+     public String[] getCommandline()
+     {
+         final String[] args = getArguments();
+-        String executable = getExecutable();
++        String executable = getLiteralExecutable();
+ 
+         if ( executable == null )
+         {
+@@ -497,6 +514,8 @@ public class Commandline
+ 
+     /**
+      * Returns the shell, executable and all defined arguments.
++     *
++     * Shell usage is only desirable when generating code for remote execution.
+      */
+     public String[] getShellCommandline()
+     {
+@@ -633,7 +652,7 @@ public class Commandline
+         {
+             if ( workingDir == null )
+             {
+-                process = Runtime.getRuntime().exec( getShellCommandline(), environment );
++                process = Runtime.getRuntime().exec( getCommandline(), environment, workingDir );
+             }
+             else
+             {
+@@ -648,7 +667,7 @@ public class Commandline
+                         + "\" does not specify a directory." );
+                 }
+ 
+-                process = Runtime.getRuntime().exec( getShellCommandline(), environment, workingDir );
++                process = Runtime.getRuntime().exec( getCommandline(), environment, workingDir );
+             }
+         }
+         catch ( IOException ex )
+@@ -669,7 +688,7 @@ public class Commandline
+             shell.setWorkingDirectory( workingDir );
+         }
+ 
+-        if ( shell.getExecutable() == null )
++        if ( shell.getOriginalExecutable() == null )
+         {
+             shell.setExecutable( executable );
+         }
+@@ -684,6 +703,8 @@ public class Commandline
+     /**
+      * Allows to set the shell to be used in this command line.
+      *
++     * Shell usage is only desirable when generating code for remote execution.
++     *
+      * @param shell
+      * @since 1.2
+      */
+@@ -695,6 +716,7 @@ public class Commandline
+     /**
+      * Get the shell to be used in this command line.
+      *
++     * Shell usage is only desirable when generating code for remote execution.
+      * @since 1.2
+      */
+     public Shell getShell()
+diff --git a/src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java b/src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java
+index afde64f..325ba0e 100644
+--- a/src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java
++++ b/src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java
+@@ -17,7 +17,6 @@ package org.codehaus.plexus.util.cli.shell;
+  */
+ 
+ import org.codehaus.plexus.util.Os;
+-import org.codehaus.plexus.util.StringUtils;
+ 
+ import java.util.ArrayList;
+ import java.util.List;
+@@ -29,34 +28,18 @@ import java.util.List;
+ public class BourneShell
+     extends Shell
+ {
+-    private static final char[] BASH_QUOTING_TRIGGER_CHARS = {
+-        ' ',
+-        '$',
+-        ';',
+-        '&',
+-        '|',
+-        '<',
+-        '>',
+-        '*',
+-        '?',
+-        '(',
+-        ')',
+-        '[',
+-        ']',
+-        '{',
+-        '}',
+-        '`' };
+ 
+     public BourneShell()
+     {
+-        this( false );
++        this(false);
+     }
+ 
+     public BourneShell( boolean isLoginShell )
+     {
++        setUnconditionalQuoting( true );
+         setShellCommand( "/bin/sh" );
+         setArgumentQuoteDelimiter( '\'' );
+-        setExecutableQuoteDelimiter( '\"' );
++        setExecutableQuoteDelimiter( '\'' );
+         setSingleQuotedArgumentEscaped( true );
+         setSingleQuotedExecutableEscaped( false );
+         setQuotedExecutableEnabled( true );
+@@ -75,7 +58,7 @@ public class BourneShell
+             return super.getExecutable();
+         }
+ 
+-        return unifyQuotes( super.getExecutable());
++        return quoteOneItem( super.getOriginalExecutable(), true );
+     }
+ 
+     public List getShellArgsList()
+@@ -125,46 +108,41 @@ public class BourneShell
+         StringBuffer sb = new StringBuffer();
+         sb.append( "cd " );
+ 
+-        sb.append( unifyQuotes( dir ) );
++        sb.append( quoteOneItem( dir, false ) );
+         sb.append( " && " );
+ 
+         return sb.toString();
+     }
+ 
+-    protected char[] getQuotingTriggerChars()
+-    {
+-        return BASH_QUOTING_TRIGGER_CHARS;
+-    }
+-
+     /**
+      * <p>Unify quotes in a path for the Bourne Shell.</p>
+      *
+      * <pre>
+-     * BourneShell.unifyQuotes(null)                       = null
+-     * BourneShell.unifyQuotes("")                         = (empty)
+-     * BourneShell.unifyQuotes("/test/quotedpath'abc")     = /test/quotedpath\'abc
+-     * BourneShell.unifyQuotes("/test/quoted path'abc")    = "/test/quoted path'abc"
+-     * BourneShell.unifyQuotes("/test/quotedpath\"abc")    = "/test/quotedpath\"abc"
+-     * BourneShell.unifyQuotes("/test/quoted path\"abc")   = "/test/quoted path\"abc"
+-     * BourneShell.unifyQuotes("/test/quotedpath\"'abc")   = "/test/quotedpath\"'abc"
+-     * BourneShell.unifyQuotes("/test/quoted path\"'abc")  = "/test/quoted path\"'abc"
++     * BourneShell.quoteOneItem(null)                       = null
++     * BourneShell.quoteOneItem("")                         = ''
++     * BourneShell.quoteOneItem("/test/quotedpath'abc")     = '/test/quotedpath'"'"'abc'
++     * BourneShell.quoteOneItem("/test/quoted path'abc")    = '/test/quoted pat'"'"'habc'
++     * BourneShell.quoteOneItem("/test/quotedpath\"abc")    = '/test/quotedpath"abc'
++     * BourneShell.quoteOneItem("/test/quoted path\"abc")   = '/test/quoted path"abc'
++     * BourneShell.quoteOneItem("/test/quotedpath\"'abc")   = '/test/quotedpath"'"'"'abc'
++     * BourneShell.quoteOneItem("/test/quoted path\"'abc")  = '/test/quoted path"'"'"'abc'
+      * </pre>
+      *
+      * @param path not null path.
+      * @return the path unified correctly for the Bourne shell.
+      */
+-    protected static String unifyQuotes( String path )
++    protected String quoteOneItem( String path, boolean isExecutable )
+     {
+         if ( path == null )
+         {
+             return null;
+         }
+ 
+-        if ( path.indexOf( " " ) == -1 && path.indexOf( "'" ) != -1 && path.indexOf( "\"" ) == -1 )
+-        {
+-            return StringUtils.escape( path );
+-        }
++        StringBuilder sb = new StringBuilder();
++        sb.append( "'" );
++        sb.append( path.replace( "'", "'\"'\"'" ) );
++        sb.append( "'" );
+ 
+-        return StringUtils.quoteAndEscape( path, '\"', BASH_QUOTING_TRIGGER_CHARS );
++        return sb.toString();
+     }
+ }
+diff --git a/src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java b/src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java
+index f51f6ad..7041e28 100644
+--- a/src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java
++++ b/src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java
+@@ -48,6 +48,8 @@ public class Shell
+ 
+     private boolean quotedArgumentsEnabled = true;
+ 
++    private boolean unconditionallyQuote = false;
++
+     private String executable;
+ 
+     private String workingDir;
+@@ -66,6 +68,16 @@ public class Shell
+ 
+     private char exeQuoteDelimiter = '\"';
+ 
++    /**
++     * Toggle unconditional quoting
++     *
++     * @param unconditionallyQuote
++     */
++    public void setUnconditionalQuoting(boolean unconditionallyQuote)
++    {
++        this.unconditionallyQuote = unconditionallyQuote;
++    }
++
+     /**
+      * Set the command to execute the shell (eg. COMMAND.COM, /bin/bash,...)
+      *
+@@ -98,6 +110,19 @@ public class Shell
+         this.shellArgs.addAll( Arrays.asList( shellArgs ) );
+     }
+ 
++    protected String quoteOneItem(String inputString, boolean isExecutable)
++    {
++        char[] escapeChars = getEscapeChars( isSingleQuotedExecutableEscaped(), isDoubleQuotedExecutableEscaped() );
++        return StringUtils.quoteAndEscape(
++            inputString,
++            isExecutable ? getExecutableQuoteDelimiter() : getArgumentQuoteDelimiter(),
++            escapeChars,
++            getQuotingTriggerChars(),
++            '\\',
++            unconditionallyQuote
++        );
++    }
++
+     /**
+      * Get the shell arguments
+      *
+@@ -142,9 +167,7 @@ public class Shell
+ 
+             if ( isQuotedExecutableEnabled() )
+             {
+-                char[] escapeChars = getEscapeChars( isSingleQuotedExecutableEscaped(), isDoubleQuotedExecutableEscaped() );
+-
+-                sb.append( StringUtils.quoteAndEscape( getExecutable(), getExecutableQuoteDelimiter(), escapeChars, getQuotingTriggerChars(), '\\', false ) );
++                sb.append( quoteOneItem( getOriginalExecutable(), true ) );
+             }
+             else
+             {
+@@ -160,9 +183,7 @@ public class Shell
+ 
+             if ( isQuotedArgumentsEnabled() )
+             {
+-                char[] escapeChars = getEscapeChars( isSingleQuotedExecutableEscaped(), isDoubleQuotedExecutableEscaped() );
+-
+-                sb.append( StringUtils.quoteAndEscape( arguments[i], getArgumentQuoteDelimiter(), escapeChars, getQuotingTriggerChars(), '\\', false ) );
++                sb.append( quoteOneItem( arguments[i], false ) );
+             }
+             else
+             {
+@@ -267,7 +288,7 @@ public class Shell
+             commandLine.addAll( getShellArgsList() );
+         }
+ 
+-        commandLine.addAll( getCommandLine( getExecutable(), arguments ) );
++        commandLine.addAll( getCommandLine( getOriginalExecutable(), arguments ) );
+ 
+         return commandLine;
+ 
+diff --git a/src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java b/src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java
+index b22814b..42bbb7f 100644
+--- a/src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java
++++ b/src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java
+@@ -16,6 +16,7 @@ package org.codehaus.plexus.util.cli;
+  * limitations under the License.
+  */
+ 
++import junit.framework.TestCase;
+ import org.codehaus.plexus.util.IOUtil;
+ import org.codehaus.plexus.util.Os;
+ import org.codehaus.plexus.util.StringUtils;
+@@ -23,15 +24,7 @@ import org.codehaus.plexus.util.cli.shell.BourneShell;
+ import org.codehaus.plexus.util.cli.shell.CmdShell;
+ import org.codehaus.plexus.util.cli.shell.Shell;
+ 
+-import java.io.File;
+-import java.io.FileWriter;
+-import java.io.IOException;
+-import java.io.InputStreamReader;
+-import java.io.Reader;
+-import java.io.StringWriter;
+-import java.io.Writer;
+-
+-import junit.framework.TestCase;
++import java.io.*;
+ 
+ public class CommandlineTest
+     extends TestCase
+@@ -252,7 +245,7 @@ public class CommandlineTest
+ 
+         assertEquals( "/bin/sh", shellCommandline[0] );
+         assertEquals( "-c", shellCommandline[1] );
+-        String expectedShellCmd = "/bin/echo \'hello world\'";
++        String expectedShellCmd = "'/bin/echo' 'hello world'";
+         if ( Os.isFamily( Os.FAMILY_WINDOWS ) )
+         {
+             expectedShellCmd = "\\bin\\echo \'hello world\'";
+@@ -282,12 +275,12 @@ public class CommandlineTest
+ 
+         assertEquals( "/bin/sh", shellCommandline[0] );
+         assertEquals( "-c", shellCommandline[1] );
+-        String expectedShellCmd = "cd \"" + root.getAbsolutePath()
+-                                  + "path with spaces\" && /bin/echo \'hello world\'";
++        String expectedShellCmd = "cd '" + root.getAbsolutePath()
++                                  + "path with spaces' && '/bin/echo' 'hello world'";
+         if ( Os.isFamily( Os.FAMILY_WINDOWS ) )
+         {
+-            expectedShellCmd = "cd \"" + root.getAbsolutePath()
+-                               + "path with spaces\" && \\bin\\echo \'hello world\'";
++            expectedShellCmd = "cd '" + root.getAbsolutePath()
++                               + "path with spaces' && '\\bin\\echo' 'hello world'";
+         }
+         assertEquals( expectedShellCmd, shellCommandline[2] );
+     }
+@@ -311,7 +304,7 @@ public class CommandlineTest
+ 
+         assertEquals( "/bin/sh", shellCommandline[0] );
+         assertEquals( "-c", shellCommandline[1] );
+-        String expectedShellCmd = "/bin/echo \'hello world\'";
++        String expectedShellCmd = "'/bin/echo' ''\"'\"'hello world'\"'\"''";
+         if ( Os.isFamily( Os.FAMILY_WINDOWS ) )
+         {
+             expectedShellCmd = "\\bin\\echo \'hello world\'";
+@@ -341,7 +334,7 @@ public class CommandlineTest
+         }
+         else
+         {
+-            assertEquals( "/usr/bin a b", shellCommandline[2] );
++            assertEquals( "'/usr/bin' 'a' 'b'", shellCommandline[2] );
+         }
+     }
+ 
+@@ -387,6 +380,18 @@ public class CommandlineTest
+         createAndCallScript( dir, "echo Quoted" );
+     }
+ 
++    /**
++     * Test an executable with shell-expandable content in its path.
++     *
++     * @throws Exception
++     */
++    public void testPathWithShellExpansionStrings()
++        throws Exception
++    {
++        File dir = new File( System.getProperty( "basedir" ), "target/test/dollar$test" );
++        createAndCallScript( dir, "echo Quoted" );
++    }
++
+     /**
+      * Test an executable with a single quotation mark <code>\"</code> in its path only for non Windows box.
+      *
+diff --git a/src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java b/src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java
+index 807bff5..f1645b6 100644
+--- a/src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java
++++ b/src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java
+@@ -16,14 +16,13 @@ package org.codehaus.plexus.util.cli.shell;
+  * limitations under the License.
+  */
+ 
++import junit.framework.TestCase;
+ import org.codehaus.plexus.util.StringUtils;
+ import org.codehaus.plexus.util.cli.Commandline;
+ 
+ import java.util.Arrays;
+ import java.util.List;
+ 
+-import junit.framework.TestCase;
+-
+ public class BourneShellTest
+     extends TestCase
+ {
+@@ -42,7 +41,7 @@ public class BourneShellTest
+ 
+         String executable = StringUtils.join( sh.getShellCommandLine( new String[]{} ).iterator(), " " );
+ 
+-        assertEquals( "/bin/sh -c cd /usr/local/bin && chmod", executable );
++        assertEquals( "/bin/sh -c cd '/usr/local/bin' && 'chmod'", executable );
+     }
+ 
+     public void testQuoteWorkingDirectoryAndExecutable_WDPathWithSingleQuotes()
+@@ -54,7 +53,7 @@ public class BourneShellTest
+ 
+         String executable = StringUtils.join( sh.getShellCommandLine( new String[]{} ).iterator(), " " );
+ 
+-        assertEquals( "/bin/sh -c cd \"/usr/local/\'something else\'\" && chmod", executable );
++        assertEquals( "/bin/sh -c cd '/usr/local/'\"'\"'something else'\"'\"'' && 'chmod'", executable );
+     }
+ 
+     public void testQuoteWorkingDirectoryAndExecutable_WDPathWithSingleQuotes_BackslashFileSep()
+@@ -66,7 +65,7 @@ public class BourneShellTest
+ 
+         String executable = StringUtils.join( sh.getShellCommandLine( new String[]{} ).iterator(), " " );
+ 
+-        assertEquals( "/bin/sh -c cd \"\\usr\\local\\\'something else\'\" && chmod", executable );
++        assertEquals( "/bin/sh -c cd '\\usr\\local\\\'\"'\"'something else'\"'\"'' && 'chmod'", executable );
+     }
+ 
+     public void testPreserveSingleQuotesOnArgument()
+@@ -82,7 +81,7 @@ public class BourneShellTest
+ 
+         String cli = StringUtils.join( shellCommandLine.iterator(), " " );
+         System.out.println( cli );
+-        assertTrue( cli.endsWith( args[0] ) );
++        assertTrue( cli.endsWith("''\"'\"'some arg with spaces'\"'\"''"));
+     }
+ 
+     public void testAddSingleQuotesOnArgumentWithSpaces()
+@@ -130,7 +129,7 @@ public class BourneShellTest
+ 
+         assertEquals( "/bin/sh", lines[0] );
+         assertEquals( "-c", lines[1] );
+-        assertEquals( "chmod --password ';password'", lines[2] );
++        assertEquals( "'chmod' '--password' ';password'", lines[2] );
+ 
+         commandline = new Commandline( newShell() );
+         commandline.setExecutable( "chmod" );
+@@ -142,7 +141,7 @@ public class BourneShellTest
+ 
+         assertEquals( "/bin/sh", lines[0] );
+         assertEquals( "-c", lines[1] );
+-        assertEquals( "chmod --password ';password'", lines[2] );
++        assertEquals( "'chmod' '--password' ';password'", lines[2] );
+ 
+         commandline = new Commandline( new CmdShell() );
+         commandline.getShell().setQuotedArgumentsEnabled( true );
+@@ -190,7 +189,7 @@ public class BourneShellTest
+ 
+         assertEquals( "/bin/sh", lines[0] );
+         assertEquals( "-c", lines[1] );
+-        assertEquals( "chmod ' ' '|' '&&' '||' ';' ';;' '&' '()' '<' '<<' '>' '>>' '*' '?' '[' ']' '{' '}' '`'",
++        assertEquals( "'chmod' ' ' '|' '&&' '||' ';' ';;' '&' '()' '<' '<<' '>' '>>' '*' '?' '[' ']' '{' '}' '`'",
+                       lines[2] );
+ 
+     }
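Review bot: The Javadoc on `BourneShell.quoteOneItem` in the backported patch no longer matches the method: the examples call it with one argument although the signature is now `quoteOneItem( String path, boolean isExecutable )`, the second example's expected output `'/test/quoted pat'"'"'habc'` has the replacement in the wrong place (the body yields `'/test/quoted path'"'"'abc'`), the prose and `@return` still speak of "unifying" quotes, and `isExecutable` is neither documented nor read by this override. This is carried verbatim from the upstream commit named in the Origin header, so any fix is a local deviation; a one-line `@param isExecutable ignored here: the Bourne shell quotes executables and arguments identically` plus corrected examples would be enough. Separately, both branches of the `Commandline.execute()` change now issue the same `Runtime.getRuntime().exec( getCommandline(), environment, workingDir )` call and differ only in the directory validation of the else branch, which is the substance of the fix (no shell is involved in execution any more) and deserves a short comment in the patch header so the next refresh does not reintroduce `getShellCommandline()` there.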

Added: trunk/plexus-utils/debian/patches/series
===================================================================
--- trunk/plexus-utils/debian/patches/series	                        (rev 0)
+++ trunk/plexus-utils/debian/patches/series	2018-01-09 20:42:28 UTC (rev 19310)
@@ -0,0 +1 @@
+CVE-2017-1000487.patch

Modified: trunk/plexus-utils/debian/rules
===================================================================
--- trunk/plexus-utils/debian/rules	2018-01-04 00:30:56 UTC (rev 19309)
+++ trunk/plexus-utils/debian/rules	2018-01-09 20:42:28 UTC (rev 19310)
@@ -24,6 +24,5 @@
 	dh_install -plibplexus-utils-java-doc $(API_DOCS) usr/share/doc/libplexus-utils-java
 
 clean::
-	mh_clean
 	-rm -rf debian/tmp
 

Modified: trunk/plexus-utils/debian/watch
===================================================================
--- trunk/plexus-utils/debian/watch	2018-01-04 00:30:56 UTC (rev 19309)
+++ trunk/plexus-utils/debian/watch	2018-01-09 20:42:28 UTC (rev 19310)
@@ -1,2 +1,4 @@
 version=3
-https://github.com/sonatype/plexus-utils/releases .*/plexus-utils-(.*).tar.gz
+opts="uversionmangle=s/-(alpha|beta)-/~$1/" \
+ https://github.com/codehaus-plexus/plexus-utils/tags .*/plexus-utils-(\d.*).tar.gz
+
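Review bot: The new tags pattern leaves the dots in `.tar.gz` unescaped, so they match any character; `.*/plexus-utils-(\d.*)\.tar\.gz` pins the suffix and is the usual form in Debian watch files. The trailing empty `+` line adds nothing and could be dropped. The uversionmangle only rewrites `-alpha-` and `-beta-` infixes; whether upstream tags use other pre-release markers is not visible here.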



