From fdcdffee7e9233cc8842979ba0b07c6f0967d6a58d52cdac5c2a13945ae8e25a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Sat, 4 May 2024 01:44:35 +0200 Subject: [PATCH] Sync from SUSE:SLFO:Main velocity revision b45f9b9ca850fc160276408427de9aac --- .gitattributes | 23 ++ velocity-1.7-CVE-2020-13936.patch | 58 +++++ velocity-1.7-commons-lang3.patch | 366 ++++++++++++++++++++++++++++++ velocity-1.7-log-chute.patch | 11 + velocity-1.7.pom | 346 ++++++++++++++++++++++++++++ velocity-1.7.tar.gz | 3 + velocity-build_xml.patch | 12 + velocity.changes | 106 +++++++++ velocity.spec | 213 +++++++++++++++++ 9 files changed, 1138 insertions(+) create mode 100644 .gitattributes create mode 100644 velocity-1.7-CVE-2020-13936.patch create mode 100644 velocity-1.7-commons-lang3.patch create mode 100644 velocity-1.7-log-chute.patch create mode 100644 velocity-1.7.pom create mode 100644 velocity-1.7.tar.gz create mode 100644 velocity-build_xml.patch create mode 100644 velocity.changes create mode 100644 velocity.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/velocity-1.7-CVE-2020-13936.patch b/velocity-1.7-CVE-2020-13936.patch new file mode 100644 index 0000000..88a9b71 --- /dev/null +++ b/velocity-1.7-CVE-2020-13936.patch @@ -0,0 +1,58 @@ +--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties ++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties +@@ -245,15 +245,15 @@ + # accessed. + # ---------------------------------------------------------------------------- + ++# Prohibit reflection + introspector.restrict.packages = java.lang.reflect + +-# The two most dangerous classes ++# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl + +-introspector.restrict.classes = java.lang.Class +-introspector.restrict.classes = java.lang.ClassLoader +- +-# Restrict these for extra safety ++# Restrict these system classes. Note that anything in this list is matched exactly. ++# (Subclasses must be explicitly named to be included). + ++introspector.restrict.classes = java.lang.Class + introspector.restrict.classes = java.lang.Compiler + introspector.restrict.classes = java.lang.InheritableThreadLocal + introspector.restrict.classes = java.lang.Package +@@ -262,8 +262,15 @@ + introspector.restrict.classes = java.lang.RuntimePermission + introspector.restrict.classes = java.lang.SecurityManager + introspector.restrict.classes = java.lang.System +-introspector.restrict.classes = java.lang.Thread + introspector.restrict.classes = java.lang.ThreadGroup + introspector.restrict.classes = java.lang.ThreadLocal + ++# Restrict instance managers for common servlet containers (Tomcat, JBoss, Jetty) ++ ++introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager ++introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager ++introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager ++introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory ++ ++ + +--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java ++++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java +@@ -122,6 +122,15 @@ + } + + /** ++ * Always disallow ClassLoader, Thread and subclasses ++ */ ++ if (ClassLoader.class.isAssignableFrom(clazz) || ++ Thread.class.isAssignableFrom(clazz)) ++ { ++ return false; ++ } ++ ++ /** + * check the classname (minus any array info) + * whether it matches disallowed classes or packages + */ diff --git a/velocity-1.7-commons-lang3.patch b/velocity-1.7-commons-lang3.patch new file mode 100644 index 0000000..1f3accd --- /dev/null +++ b/velocity-1.7-commons-lang3.patch @@ -0,0 +1,366 @@ +--- velocity-1.7/pom.xml 2023-09-27 00:55:09.936941022 +0200 ++++ velocity-1.7/pom.xml 2023-09-27 00:55:44.023830711 +0200 +@@ -148,9 +148,9 @@ + 3.2.1 + + +- commons-lang +- commons-lang +- 2.4 ++ org.apache.commons ++ commons-lang3 ++ 3.9 + + + oro +--- velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeHtmlReference.java 2023-09-27 00:55:09.973607930 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeHtmlReference.java 2023-09-27 00:55:44.023830711 +0200 +@@ -19,7 +19,7 @@ + * under the License. + */ + +-import org.apache.commons.lang.StringEscapeUtils; ++import org.apache.commons.lang3.StringEscapeUtils; + + /** + * Escape all HTML entities. +@@ -39,7 +39,7 @@ + */ + protected String escape(Object text) + { +- return StringEscapeUtils.escapeHtml(text.toString()); ++ return StringEscapeUtils.escapeHtml4(text.toString()); + } + + /** +--- velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeJavaScriptReference.java 2023-09-27 00:55:09.973607930 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeJavaScriptReference.java 2023-09-27 00:55:44.023830711 +0200 +@@ -19,7 +19,7 @@ + * under the License. + */ + +-import org.apache.commons.lang.StringEscapeUtils; ++import org.apache.commons.lang3.StringEscapeUtils; + + /** + * Escapes the characters in a String to be suitable for use in JavaScript. +@@ -39,7 +39,7 @@ + */ + protected String escape(Object text) + { +- return StringEscapeUtils.escapeJavaScript(text.toString()); ++ return StringEscapeUtils.escapeEcmaScript(text.toString()); + } + + /** +--- velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeSqlReference.java 2023-09-27 00:55:09.973607930 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeSqlReference.java 2023-09-27 00:55:44.023830711 +0200 +@@ -19,7 +19,7 @@ + * under the License. + */ + +-import org.apache.commons.lang.StringEscapeUtils; ++import org.apache.commons.lang3.StringUtils; + + /** + * Escapes the characters in a String to be suitable to pass to an SQL query. +@@ -39,7 +39,8 @@ + */ + protected String escape(Object text) + { +- return StringEscapeUtils.escapeSql(text.toString()); ++ // See https://commons.apache.org/proper/commons-lang/javadocs/api-2.6/org/apache/commons/lang/StringEscapeUtils.html#escapeSql(java.lang.String) ++ return StringUtils.replace(text.toString(), "'", "''"); + } + + /** +--- velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeXmlReference.java 2023-09-27 00:55:09.973607930 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeXmlReference.java 2023-09-27 00:55:44.023830711 +0200 +@@ -19,7 +19,7 @@ + * under the License. + */ + +-import org.apache.commons.lang.StringEscapeUtils; ++import org.apache.commons.lang3.StringEscapeUtils; + + /** + * Escape all XML entities. +--- velocity-1.7/src/java/org/apache/velocity/runtime/directive/Block.java 2023-09-27 00:55:09.976941285 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/directive/Block.java 2023-09-27 00:55:44.023830711 +0200 +@@ -23,7 +23,7 @@ + import java.io.StringWriter; + import java.io.Writer; + +-import org.apache.commons.lang.text.StrBuilder; ++import org.apache.commons.lang3.text.StrBuilder; + import org.apache.velocity.context.InternalContextAdapter; + import org.apache.velocity.exception.TemplateInitException; + import org.apache.velocity.runtime.Renderable; +--- velocity-1.7/src/java/org/apache/velocity/runtime/directive/RuntimeMacro.java 2023-09-27 00:55:09.976941285 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/directive/RuntimeMacro.java 2023-09-27 00:55:44.027164066 +0200 +@@ -23,7 +23,7 @@ + import java.io.Writer; + import java.util.List; + +-import org.apache.commons.lang.text.StrBuilder; ++import org.apache.commons.lang3.text.StrBuilder; + import org.apache.velocity.context.InternalContextAdapter; + import org.apache.velocity.exception.MethodInvocationException; + import org.apache.velocity.exception.ParseErrorException; +--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/ASTDirective.java 2023-09-27 00:55:09.976941285 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/ASTDirective.java 2023-09-27 00:55:44.027164066 +0200 +@@ -22,7 +22,7 @@ + import java.io.IOException; + import java.io.Writer; + +-import org.apache.commons.lang.builder.ToStringBuilder; ++import org.apache.commons.lang3.builder.ToStringBuilder; + import org.apache.velocity.context.InternalContextAdapter; + import org.apache.velocity.exception.MethodInvocationException; + import org.apache.velocity.exception.ParseErrorException; +--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/ASTMethod.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/ASTMethod.java 2023-09-27 00:55:44.027164066 +0200 +@@ -21,8 +21,8 @@ + + import java.lang.reflect.InvocationTargetException; + +-import org.apache.commons.lang.ArrayUtils; +-import org.apache.commons.lang.StringUtils; ++import org.apache.commons.lang3.ArrayUtils; ++import org.apache.commons.lang3.StringUtils; + import org.apache.velocity.app.event.EventHandlerUtil; + import org.apache.velocity.context.InternalContextAdapter; + import org.apache.velocity.exception.MethodInvocationException; +--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/ASTStringLiteral.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/ASTStringLiteral.java 2023-09-27 00:55:44.027164066 +0200 +@@ -21,7 +21,7 @@ + import java.io.StringReader; + import java.io.StringWriter; + +-import org.apache.commons.lang.text.StrBuilder; ++import org.apache.commons.lang3.text.StrBuilder; + import org.apache.velocity.context.InternalContextAdapter; + import org.apache.velocity.exception.TemplateInitException; + import org.apache.velocity.exception.VelocityException; +--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/NodeUtils.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/NodeUtils.java 2023-09-27 00:55:44.027164066 +0200 +@@ -19,7 +19,7 @@ + * under the License. + */ + +-import org.apache.commons.lang.text.StrBuilder; ++import org.apache.commons.lang3.text.StrBuilder; + import org.apache.velocity.context.Context; + import org.apache.velocity.exception.MethodInvocationException; + import org.apache.velocity.runtime.parser.ParserConstants; +--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/PropertyExecutor.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/PropertyExecutor.java 2023-09-27 00:55:44.027164066 +0200 +@@ -21,7 +21,7 @@ + + import java.lang.reflect.InvocationTargetException; + +-import org.apache.commons.lang.StringUtils; ++import org.apache.commons.lang3.StringUtils; + import org.apache.velocity.exception.VelocityException; + import org.apache.velocity.runtime.RuntimeLogger; + import org.apache.velocity.runtime.log.Log; +--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/SetPropertyExecutor.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/SetPropertyExecutor.java 2023-09-27 00:55:44.030497422 +0200 +@@ -21,8 +21,8 @@ + + import java.lang.reflect.InvocationTargetException; + +-import org.apache.commons.lang.StringUtils; +-import org.apache.commons.lang.text.StrBuilder; ++import org.apache.commons.lang3.StringUtils; ++import org.apache.commons.lang3.text.StrBuilder; + import org.apache.velocity.exception.VelocityException; + import org.apache.velocity.runtime.log.Log; + import org.apache.velocity.util.introspection.Introspector; +--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/SimpleNode.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/SimpleNode.java 2023-09-27 00:55:44.030497422 +0200 +@@ -22,8 +22,8 @@ + import java.io.IOException; + import java.io.Writer; + +-import org.apache.commons.lang.builder.ToStringBuilder; +-import org.apache.commons.lang.text.StrBuilder; ++import org.apache.commons.lang3.builder.ToStringBuilder; ++import org.apache.commons.lang3.text.StrBuilder; + import org.apache.velocity.context.InternalContextAdapter; + import org.apache.velocity.exception.MethodInvocationException; + import org.apache.velocity.exception.ParseErrorException; +--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/Parser.java 2023-09-27 00:55:09.976941285 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/Parser.java 2023-09-27 00:55:44.027164066 +0200 +@@ -10,7 +10,7 @@ + import org.apache.velocity.runtime.directive.Macro; + import org.apache.velocity.runtime.directive.MacroParseException; + import org.apache.velocity.util.StringUtils; +-import org.apache.commons.lang.text.StrBuilder; ++import org.apache.commons.lang3.text.StrBuilder; + import org.apache.velocity.runtime.RuntimeConstants; + + /** +--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/ParserTokenManager.java 2023-09-27 00:55:09.976941285 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/ParserTokenManager.java 2023-09-27 00:55:44.027164066 +0200 +@@ -9,7 +9,7 @@ + import org.apache.velocity.runtime.directive.Macro; + import org.apache.velocity.runtime.directive.MacroParseException; + import org.apache.velocity.util.StringUtils; +-import org.apache.commons.lang.text.StrBuilder; ++import org.apache.commons.lang3.text.StrBuilder; + import org.apache.velocity.runtime.RuntimeConstants; + + /** Token Manager. */ +--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/ClasspathResourceLoader.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/ClasspathResourceLoader.java 2023-09-27 00:55:44.030497422 +0200 +@@ -22,7 +22,7 @@ + import java.io.InputStream; + + import org.apache.commons.collections.ExtendedProperties; +-import org.apache.commons.lang.StringUtils; ++import org.apache.commons.lang3.StringUtils; + import org.apache.velocity.exception.ResourceNotFoundException; + import org.apache.velocity.runtime.resource.Resource; + import org.apache.velocity.util.ClassUtils; +--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java 2023-09-27 00:55:44.030497422 +0200 +@@ -218,7 +218,7 @@ + public synchronized InputStream getResourceStream(final String name) + throws ResourceNotFoundException + { +- if (org.apache.commons.lang.StringUtils.isEmpty(name)) ++ if (org.apache.commons.lang3.StringUtils.isEmpty(name)) + { + throw new ResourceNotFoundException("DataSourceResourceLoader: Template name was empty or null"); + } +--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/FileResourceLoader.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/FileResourceLoader.java 2023-09-27 00:55:44.030497422 +0200 +@@ -118,7 +118,7 @@ + /* + * Make sure we have a valid templateName. + */ +- if (org.apache.commons.lang.StringUtils.isEmpty(templateName)) ++ if (org.apache.commons.lang3.StringUtils.isEmpty(templateName)) + { + /* + * If we don't get a properly formed templateName then +--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/JarResourceLoader.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/JarResourceLoader.java 2023-09-27 00:55:44.030497422 +0200 +@@ -195,7 +195,7 @@ + { + InputStream results = null; + +- if (org.apache.commons.lang.StringUtils.isEmpty(source)) ++ if (org.apache.commons.lang3.StringUtils.isEmpty(source)) + { + throw new ResourceNotFoundException("Need to have a resource!"); + } +--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/StringResourceLoader.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/StringResourceLoader.java 2023-09-27 00:55:44.030497422 +0200 +@@ -26,7 +26,7 @@ + import java.io.InputStream; + import java.io.UnsupportedEncodingException; + import org.apache.commons.collections.ExtendedProperties; +-import org.apache.commons.lang.StringUtils; ++import org.apache.commons.lang3.StringUtils; + import org.apache.velocity.exception.ResourceNotFoundException; + import org.apache.velocity.exception.VelocityException; + import org.apache.velocity.runtime.resource.Resource; +--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/URLResourceLoader.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/URLResourceLoader.java 2023-09-27 00:55:44.030497422 +0200 +@@ -26,7 +26,7 @@ + import java.net.URLConnection; + import java.util.HashMap; + import org.apache.commons.collections.ExtendedProperties; +-import org.apache.commons.lang.StringUtils; ++import org.apache.commons.lang3.StringUtils; + import org.apache.velocity.exception.VelocityException; + import org.apache.velocity.exception.ResourceNotFoundException; + import org.apache.velocity.runtime.resource.Resource; +--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/ResourceManagerImpl.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/ResourceManagerImpl.java 2023-09-27 00:55:44.030497422 +0200 +@@ -158,7 +158,7 @@ + + Object cacheObject = null; + +- if (org.apache.commons.lang.StringUtils.isNotEmpty(cacheClassName)) ++ if (org.apache.commons.lang3.StringUtils.isNotEmpty(cacheClassName)) + { + try + { +@@ -534,7 +534,7 @@ + * this strikes me as bad... + */ + +- if (!org.apache.commons.lang.StringUtils.equals(resource.getEncoding(), encoding)) ++ if (!org.apache.commons.lang3.StringUtils.equals(resource.getEncoding(), encoding)) + { + log.warn("Declared encoding for template '" + + resource.getName() + +--- velocity-1.7/src/java/org/apache/velocity/runtime/RuntimeInstance.java 2023-09-27 00:55:09.976941285 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/RuntimeInstance.java 2023-09-27 00:55:44.023830711 +0200 +@@ -32,7 +32,7 @@ + import java.util.Properties; + + import org.apache.commons.collections.ExtendedProperties; +-import org.apache.commons.lang.text.StrBuilder; ++import org.apache.commons.lang3.text.StrBuilder; + import org.apache.velocity.Template; + import org.apache.velocity.app.event.EventCartridge; + import org.apache.velocity.app.event.EventHandler; +--- velocity-1.7/src/java/org/apache/velocity/runtime/VelocimacroFactory.java 2023-09-27 00:55:09.976941285 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/VelocimacroFactory.java 2023-09-27 00:55:44.023830711 +0200 +@@ -26,7 +26,7 @@ + import java.util.Vector; + import java.util.ArrayList; + +-import org.apache.commons.lang.StringUtils; ++import org.apache.commons.lang3.StringUtils; + import org.apache.velocity.Template; + import org.apache.velocity.exception.VelocityException; + import org.apache.velocity.runtime.directive.Directive; +--- velocity-1.7/src/java/org/apache/velocity/util/introspection/ClassMap.java 2023-09-27 00:55:09.980274640 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/util/introspection/ClassMap.java 2023-09-27 00:55:44.030497422 +0200 +@@ -23,7 +23,7 @@ + import java.lang.reflect.Modifier; + import java.util.HashMap; + import java.util.Map; +-import org.apache.commons.lang.text.StrBuilder; ++import org.apache.commons.lang3.text.StrBuilder; + import org.apache.velocity.runtime.log.Log; + import org.apache.velocity.util.MapFactory; + +--- velocity-1.7/src/test/org/apache/velocity/io/UnicodeInputStreamTestCase.java 2023-09-27 00:55:09.983607995 +0200 ++++ velocity-1.7/src/test/org/apache/velocity/io/UnicodeInputStreamTestCase.java 2023-09-27 00:55:44.030497422 +0200 +@@ -27,7 +27,7 @@ + import junit.framework.TestCase; + import junit.framework.TestSuite; + +-import org.apache.commons.lang.ArrayUtils; ++import org.apache.commons.lang3.ArrayUtils; + + + /** +--- velocity-1.7/src/test/org/apache/velocity/test/BaseTestCase.java 2023-09-27 00:55:09.983607995 +0200 ++++ velocity-1.7/src/test/org/apache/velocity/test/BaseTestCase.java 2023-09-27 00:55:44.030497422 +0200 +@@ -353,7 +353,7 @@ + buf.append(baseFile.getPath()); + } + +- if (org.apache.commons.lang.StringUtils.isNotEmpty(ext)) ++ if (org.apache.commons.lang3.StringUtils.isNotEmpty(ext)) + { + buf.append('.').append(ext); + } +--- velocity-1.7/src/test/org/apache/velocity/test/MethodCacheKeyTestCase.java 2023-09-27 00:55:09.983607995 +0200 ++++ velocity-1.7/src/test/org/apache/velocity/test/MethodCacheKeyTestCase.java 2023-09-27 00:55:44.030497422 +0200 +@@ -21,7 +21,7 @@ + + import junit.framework.TestCase; + +-import org.apache.commons.lang.ArrayUtils; ++import org.apache.commons.lang3.ArrayUtils; + import org.apache.velocity.runtime.parser.node.ASTMethod; + + /** diff --git a/velocity-1.7-log-chute.patch b/velocity-1.7-log-chute.patch new file mode 100644 index 0000000..c3e2422 --- /dev/null +++ b/velocity-1.7-log-chute.patch @@ -0,0 +1,11 @@ +--- velocity-1.7/src/java/org/apache/velocity/runtime/defaults/velocity.properties 2023-09-27 00:55:09.976941285 +0200 ++++ velocity-1.7/src/java/org/apache/velocity/runtime/defaults/velocity.properties 2023-09-27 00:57:58.884707172 +0200 +@@ -23,7 +23,7 @@ + # default LogChute to use: default: AvalonLogChute, Log4JLogChute, CommonsLogLogChute, ServletLogChute, JdkLogChute + # ---------------------------------------------------------------------------- + +-runtime.log.logsystem.class = org.apache.velocity.runtime.log.AvalonLogChute,org.apache.velocity.runtime.log.Log4JLogChute,org.apache.velocity.runtime.log.CommonsLogLogChute,org.apache.velocity.runtime.log.ServletLogChute,org.apache.velocity.runtime.log.JdkLogChute ++runtime.log.logsystem.class = org.apache.velocity.runtime.log.JdkLogChute + + # --------------------------------------------------------------------------- + # This is the location of the Velocity Runtime log. diff --git a/velocity-1.7.pom b/velocity-1.7.pom new file mode 100644 index 0000000..103c529 --- /dev/null +++ b/velocity-1.7.pom @@ -0,0 +1,346 @@ + + + + + + + 4.0.0 + + + org.apache + apache + 4 + + + org.apache.velocity + velocity + 1.7 + + Apache Velocity + http://velocity.apache.org/engine/devel/ + Apache Velocity is a general purpose template engine. + 2000 + jar + + + 2.0.9 + + + + install + src/java + src/test + + + org.apache.maven.plugins + maven-site-plugin + + UTF-8 + UTF-8 + ${basedir}/xdocs/docs + + + + + + src/java + + **/*.java + + + + + + + + velocity.apache.org + scpexe://people.apache.org/www/velocity.apache.org/engine/releases/velocity-1.7 + + + apache.releases + Apache Release Distribution Repository + scp://people.apache.org/www/people.apache.org/repo/m2-ibiblio-rsync-repository + + + apache.snapshots + Apache Development Snapshot Repository + scp://people.apache.org/www/people.apache.org/repo/m2-snapshot-repository + + + + + + Will Glass-Husain + wglass + wglass@forio.com + Forio Business Simulations + + Java Developer + + + + + Geir Magnusson Jr. + geirm + geirm@optonline.net + Independent (DVSL Maven) + + Java Developer + + + + + Daniel Rall + dlr + dlr@finemaltcoding.com + CollabNet, Inc. + + Java Developer + + + + + Henning P. Schmiedehausen + henning + hps@intermeta.de + INTERMETA - Gesellschaft für Mehrwertdienste mbH + + Java Developer + + 2 + + + + Nathan Bubna + nbubna + nathan@esha.com + ESHA Research + + Java Developer + + + + + + + + commons-collections + commons-collections + 3.2.1 + + + commons-lang + commons-lang + 2.4 + + + oro + oro + 2.0.8 + true + + + jdom + jdom + 1.0 + provided + + + commons-logging + commons-logging + 1.1 + provided + + + avalon-framework + avalon-framework + + + log4j + log4j + + + javax.servlet + servlet-api + + + + + log4j + log4j + 1.2.12 + provided + + + javax.servlet + servlet-api + 2.3 + provided + + + logkit + logkit + 2.0 + provided + + + ant + ant + 1.6 + provided + + + werken-xpath + werken-xpath + 0.9.4 + provided + + + junit + junit + 3.8.1 + test + + + hsqldb + hsqldb + 1.7.1 + test + + + + + + + org.apache.maven.plugins + maven-project-info-reports-plugin + 2.1 + + + + dependencies + issue-tracking + license + summary + scm + + + + + + org.apache.maven.plugins + maven-changes-plugin + 2.0 + + + + changes-report + jira-report + + + + + ${jira.browse.url}/%ISSUE% + + 12311337 + + fixfor=12310290&sorter/field=issuekey&sorter/order=ASC + 100 + http://velocity.apache.org/who-we-are.html + + + + org.codehaus.mojo + taglist-maven-plugin + 2.2 + + TODO + FIXME + + + + org.apache.maven.plugins + maven-jxr-plugin + 2.1 + + + org.apache.maven.plugins + maven-javadoc-plugin + 2.5 + + + http://java.sun.com/j2se/1.4.2/docs/api + http://jakarta.apache.org/oro/api + http://jakarta.apache.org/commons/lang/api-release + http://jakarta.apache.org/commons/collections/api-release + + http://www.jdom.org/docs/apidocs + http://logging.apache.org/log4j/docs/api + http://excalibur.apache.org/apidocs + http://tomcat.apache.org/tomcat-4.1-doc/servletapi + + + + + org.apache.maven.plugins + maven-changelog-plugin + 2.1 + + + org.codehaus.mojo + findbugs-maven-plugin + 1.2 + + true + Low + Max + build/findbugs-exclude.xml + xdocs + + + + org.apache.maven.plugins + maven-compiler-plugin + + 1.4 + 1.4 + + + + + + + scm:svn:http://svn.apache.org/repos/asf/velocity/engine/trunk + scm:svn:https://svn.apache.org/repos/asf/velocity/engine/trunk + HEAD + http://svn.apache.org/viewvc/velocity/engine/trunk + + + + https://issues.apache.org/jira/browse + + + + JIRA + ${jira.browse.url}/VELOCITY + + diff --git a/velocity-1.7.tar.gz b/velocity-1.7.tar.gz new file mode 100644 index 0000000..de9cf32 --- /dev/null +++ b/velocity-1.7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6cabbc45ead01b32e9833db31b1726f2e34f5ff6a03346df9822e70909d06766 +size 5882643 diff --git a/velocity-build_xml.patch b/velocity-build_xml.patch new file mode 100644 index 0000000..62b09d8 --- /dev/null +++ b/velocity-build_xml.patch @@ -0,0 +1,12 @@ +--- build/build.xml.sav 2007-08-25 16:17:48.000000000 +0200 ++++ build/build.xml 2007-08-25 16:18:14.000000000 +0200 +@@ -139,7 +139,9 @@ + + + ++ + + + diff --git a/velocity.changes b/velocity.changes new file mode 100644 index 0000000..8c1dd74 --- /dev/null +++ b/velocity.changes @@ -0,0 +1,106 @@ +------------------------------------------------------------------- +Wed Sep 27 04:36:41 UTC 2023 - Fridrich Strba + +- Reduce considerably the dependencies graph +- Added patches: + * velocity-1.7-commons-lang3.patch + + port from apache-commons-lang to apache-commons-lang3 + * velocity-1.7-log-chute.patch + + make JDK's own logging provider as default so that the others + can be removed and dependencies on other logging frameworks + with them + +------------------------------------------------------------------- +Tue Mar 22 15:13:03 UTC 2022 - Fridrich Strba + +- Build with java source and target levels 8 + +------------------------------------------------------------------- +Tue Feb 22 18:59:05 UTC 2022 - Fridrich Strba + +- Do not build against the log4j12 packages, use the new reload4j + +------------------------------------------------------------------- +Fri Mar 12 08:18:50 UTC 2021 - Fridrich Strba + +- Added patch: + * velocity-1.7-CVE-2020-13936.patch + + Backport fixes for bsc#1183360, CVE-2020-13936: arbitrary + code execution when attacker is able to modify templates + +------------------------------------------------------------------- +Tue Oct 1 11:35:09 UTC 2019 - Fridrich Strba + +- Build against the compatibility package log4j12 + +------------------------------------------------------------------- +Mon Apr 8 11:39:35 UTC 2019 - Fridrich Strba + +- Do not depend on the apache-parent, since we are not building + using Maven. + +------------------------------------------------------------------- +Thu Feb 14 08:35:38 UTC 2019 - Fridrich Strba + +- Build against the new plexus-classworlds package + +------------------------------------------------------------------- +Mon Nov 5 22:15:24 UTC 2018 - Fridrich Strba + +- Add alias "velocity:velocity" to the maven artifact + +------------------------------------------------------------------- +Tue Sep 19 08:36:49 UTC 2017 - fstrba@suse.com + +- Fix buid with jdk9: specify java source and target level 1.6 + +------------------------------------------------------------------- +Fri May 19 16:41:19 UTC 2017 - tchvatal@suse.com + +- Remove unneeded deps + +------------------------------------------------------------------- +Fri May 19 09:23:26 UTC 2017 - dziolkowski@suse.com + +- New build dependency: javapackages-local + +------------------------------------------------------------------- +Wed Mar 18 09:46:23 UTC 2015 - tchvatal@suse.com + +- Fix build with new javapackages-tools + +------------------------------------------------------------------- +Fri Dec 5 14:34:48 UTC 2014 - p.drouand@gmail.com + +- Update to version 1.7 + + No changelog available +- Add requirement to commons-logging; new dependency +- Remove java-devel >= 1.6.0 requirement; not needed anymore +- Do not copy convert folder; doesn't exist anymore + +------------------------------------------------------------------- +Fri Jun 27 14:17:29 UTC 2014 - tchvatal@suse.com + +- Fix build on SLE11 + +------------------------------------------------------------------- +Wed Sep 11 08:47:42 UTC 2013 - mvyskocil@suse.com + +- use add_maven_depmap from javapackages-tools + +------------------------------------------------------------------- +Mon Sep 9 11:06:25 UTC 2013 - tchvatal@suse.com + +- Move from jpackage-utils to javapackage-tools + +------------------------------------------------------------------- +Mon Dec 17 12:17:24 UTC 2012 - mvyskocil@suse.com + +- require avalon-logkit + * drop excalibur from Factory + +------------------------------------------------------------------- +Wed Jun 3 17:14:32 CEST 2009 - mvyskocil@suse.cz + +- Initial SUSE packaging + diff --git a/velocity.spec b/velocity.spec new file mode 100644 index 0000000..31e4d4c --- /dev/null +++ b/velocity.spec @@ -0,0 +1,213 @@ +# +# spec file for package velocity +# +# Copyright (c) 2023 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: velocity +Version: 1.7 +Release: 0 +Summary: Java-based template engine +License: Apache-2.0 +Group: Development/Libraries/Java +URL: https://velocity.apache.org/ +Source0: https://archive.apache.org/dist/velocity/engine/%{version}/%{name}-%{version}.tar.gz +Source1: %{name}-%{version}.pom +Patch0: velocity-build_xml.patch +Patch1: velocity-1.7-CVE-2020-13936.patch +Patch2: velocity-1.7-commons-lang3.patch +Patch3: velocity-1.7-log-chute.patch +BuildRequires: ant +BuildRequires: commons-collections +BuildRequires: commons-lang3 +BuildRequires: fdupes +BuildRequires: java-devel >= 1.8 +BuildRequires: javapackages-local >= 6 +BuildArch: noarch + +%description +Velocity is a Java-based template engine. It permits anyone to use the +simple yet powerful template language to reference objects defined in +Java code. +When Velocity is used for web development, Web designers can work in +parallel with Java programmers to develop web sites according to the +Model-View-Controller (MVC) model, meaning that web page designers can +focus solely on creating a site that looks good, and programmers can +focus solely on writing top-notch code. Velocity separates Java code +from the web pages, making the web site more maintainable over the long +run and providing a viable alternative to Java Server Pages (JSPs) or +PHP. +Velocity's capabilities reach well beyond the realm of web sites; for +example, it can generate SQL and PostScript and XML (see Anakia for more +information on XML transformations) from templates. It can be used +either as a standalone utility for generating source code and reports, +or as an integrated component of other systems. Velocity also provides +template services for the Turbine web application framework. +Velocity+Turbine provides a template service that will allow web +applications to be developed according to a true MVC model. + +%package manual +Summary: Manual for %{name} +Group: Development/Libraries/Java + +%description manual +Velocity is a Java-based template engine. It permits anyone to use the +simple yet powerful template language to reference objects defined in +Java code. +When Velocity is used for web development, Web designers can work in +parallel with Java programmers to develop web sites according to the +Model-View-Controller (MVC) model, meaning that web page designers can +focus solely on creating a site that looks good, and programmers can +focus solely on writing top-notch code. Velocity separates Java code +from the web pages, making the web site more maintainable over the long +run and providing a viable alternative to Java Server Pages (JSPs) or +PHP. +Velocity's capabilities reach well beyond the realm of web sites; for +example, it can generate SQL and PostScript and XML (see Anakia for more +information on XML transformations) from templates. It can be used +either as a standalone utility for generating source code and reports, +or as an integrated component of other systems. Velocity also provides +template services for the Turbine web application framework. +Velocity+Turbine provides a template service that will allow web +applications to be developed according to a true MVC model. + +%package javadoc +Summary: Javadoc for %{name} +Group: Documentation/HTML + +%description javadoc +Velocity is a Java-based template engine. It permits anyone to use the +simple yet powerful template language to reference objects defined in +Java code. +When Velocity is used for web development, Web designers can work in +parallel with Java programmers to develop web sites according to the +Model-View-Controller (MVC) model, meaning that web page designers can +focus solely on creating a site that looks good, and programmers can +focus solely on writing top-notch code. Velocity separates Java code +from the web pages, making the web site more maintainable over the long +run and providing a viable alternative to Java Server Pages (JSPs) or +PHP. +Velocity's capabilities reach well beyond the realm of web sites; for +example, it can generate SQL and PostScript and XML (see Anakia for more +information on XML transformations) from templates. It can be used +either as a standalone utility for generating source code and reports, +or as an integrated component of other systems. Velocity also provides +template services for the Turbine web application framework. +Velocity+Turbine provides a template service that will allow web +applications to be developed according to a true MVC model. + +%package demo +Summary: Demo for %{name} +Group: Development/Libraries/Java +Requires: %{name} = %{version}-%{release} + +%description demo +Velocity is a Java-based template engine. It permits anyone to use the +simple yet powerful template language to reference objects defined in +Java code. +When Velocity is used for web development, Web designers can work in +parallel with Java programmers to develop web sites according to the +Model-View-Controller (MVC) model, meaning that web page designers can +focus solely on creating a site that looks good, and programmers can +focus solely on writing top-notch code. Velocity separates Java code +from the web pages, making the web site more maintainable over the long +run and providing a viable alternative to Java Server Pages (JSPs) or +PHP. +Velocity's capabilities reach well beyond the realm of web sites; for +example, it can generate SQL and PostScript and XML (see Anakia for more +information on XML transformations) from templates. It can be used +either as a standalone utility for generating source code and reports, +or as an integrated component of other systems. Velocity also provides +template services for the Turbine web application framework. +Velocity+Turbine provides a template service that will allow web +applications to be developed according to a true MVC model. + +%prep +%setup -q +cp %{SOURCE1} pom.xml +%patch0 -b .sav0 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 + +find . -name '*.jar' -print -delete +find . -name '*.class' -print -delete + +# Disable unneeded features +rm -r src/java/org/apache/velocity/{anakia,texen,servlet,convert} +rm src/java/org/apache/velocity/runtime/log/{Avalon,Log4J}Log{Chute,System}.java +rm src/java/org/apache/velocity/runtime/log/{CommonsLog,Servlet}LogChute.java +rm src/java/org/apache/velocity/runtime/log/SimpleLog4JLogSystem.java +rm src/java/org/apache/velocity/runtime/log/VelocityFormatter.java +rm src/java/org/apache/velocity/app/event/implement/Escape{Html,JavaScript,Sql,Xml,}Reference.java + +%pom_remove_dep :oro +%pom_remove_dep :jdom +%pom_remove_dep :commons-logging +%pom_remove_dep :log4j +%pom_remove_dep :servlet-api +%pom_remove_dep :logkit +%pom_remove_dep :ant +%pom_remove_dep :werken-xpath + +%build +mkdir -p bin/lib +build-jar-repository -s -p bin/lib commons-collections commons-lang3 + +export CLASSPATH=$(build-classpath commons-collections commons-lang3) + +ant \ + -Djavac.source=1.8 -Djavac.target=1.8 \ + -buildfile build/build.xml \ + jar javadocs + +%install +# jars +install -d -m 755 %{buildroot}%{_javadir} +install -p -m 644 bin/%{name}-%{version}.jar %{buildroot}%{_javadir}/%{name}.jar +# pom +install -d -m 755 %{buildroot}%{_mavenpomdir} +%{mvn_install_pom} pom.xml \ + %{buildroot}%{_mavenpomdir}/JPP-%{name}.pom +%add_maven_depmap -a velocity:velocity + +# javadoc +install -d -m 755 %{buildroot}%{_javadocdir}/%{name} +cp -pr docs/api/* %{buildroot}%{_javadocdir}/%{name} +%fdupes -s %{buildroot}%{_javadocdir} + +rm -rf docs/api + +# zero-length file +rm -r test/issues/velocity-537/compare/velocity537.vm.cmp +# data +install -d -m 755 %{buildroot}%{_datadir}/%{name} +cp -pr examples test %{buildroot}%{_datadir}/%{name} +%fdupes -s %{buildroot}%{_datadir}/%{name} + +%files -f .mfiles +%license LICENSE NOTICE +%doc README.txt + +%files manual +%doc docs/* + +%files javadoc +%{_javadocdir}/%{name} + +%files demo +%{_datadir}/%{name} + +%changelog