Sync from SUSE:SLFO:Main velocity revision b45f9b9ca850fc160276408427de9aac

Adrian Schröter 2024-05-04 01:44:35 +02:00
commit fdcdffee7e
9 changed files with 1138 additions and 0 deletions

.gitattributes vendored Normal file

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text


@ -0,0 +1,58 @@
--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
@@ -245,15 +245,15 @@
# accessed.
# ----------------------------------------------------------------------------
+# Prohibit reflection
introspector.restrict.packages = java.lang.reflect
-# The two most dangerous classes
+# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
-introspector.restrict.classes = java.lang.Class
-introspector.restrict.classes = java.lang.ClassLoader
-
-# Restrict these for extra safety
+# Restrict these system classes. Note that anything in this list is matched exactly.
+# (Subclasses must be explicitly named to be included).
+introspector.restrict.classes = java.lang.Class
introspector.restrict.classes = java.lang.Compiler
introspector.restrict.classes = java.lang.InheritableThreadLocal
introspector.restrict.classes = java.lang.Package
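Review bot: The added comment `# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl` reads as if configuration could change that default. As far as the SecureIntrospectorImpl hunk later in this patch shows, the check returns false for those classes with no reference to any property. Wording such as `# ClassLoader, Thread and their subclasses are always rejected in SecureIntrospectorImpl, independent of this list` would match the code. It would also explain why the java.lang.ClassLoader entry is removed here and java.lang.Thread in the next hunk.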
@@ -262,8 +262,15 @@
introspector.restrict.classes = java.lang.RuntimePermission
introspector.restrict.classes = java.lang.SecurityManager
introspector.restrict.classes = java.lang.System
-introspector.restrict.classes = java.lang.Thread
introspector.restrict.classes = java.lang.ThreadGroup
introspector.restrict.classes = java.lang.ThreadLocal
+# Restrict instance managers for common servlet containers (Tomcat, JBoss, Jetty)
+
+introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
+introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
+introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
+introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
+
+
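Review bot: The four instance-manager entries are matched by exact class name, as the comment added in the previous hunk states, so they cover only these specific Tomcat, JBoss/WildFly and Jetty classes. Subclasses and the corresponding classes of other containers are not covered. ClassLoader and Thread are rejected via `isAssignableFrom` in the SecureIntrospectorImpl hunk, but this list needs upkeep per deployment, and the comment should say so, e.g. `# Exact-name match only: add the instance manager of your own container if it is not listed below`. The blank `+` line between the comment and the first entry, and the two trailing ones, can be dropped.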
--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
@@ -122,6 +122,15 @@
}
/**
+ * Always disallow ClassLoader, Thread and subclasses
+ */
+ if (ClassLoader.class.isAssignableFrom(clazz) ||
+ Thread.class.isAssignableFrom(clazz))
+ {
+ return false;
+ }
+
+ /**
* check the classname (minus any array info)
* whether it matches disallowed classes or packages
*/
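Review bot: Nothing in this patch exercises the new rejection of ClassLoader and Thread subclasses; as shown, it touches only velocity.properties and SecureIntrospectorImpl.java. A regression test should pass a ClassLoader subclass and a Thread subclass to the secure introspector's permission check and assert that it returns false, so the rule is not lost when this backport is next rebased. The enclosing method starts and ends outside the hunk, so whether an earlier branch can return true before this check is reached cannot be confirmed from here.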


@ -0,0 +1,366 @@
--- velocity-1.7/pom.xml 2023-09-27 00:55:09.936941022 +0200
+++ velocity-1.7/pom.xml 2023-09-27 00:55:44.023830711 +0200
@@ -148,9 +148,9 @@
<version>3.2.1</version>
</dependency>
<dependency>
- <groupId>commons-lang</groupId>
- <artifactId>commons-lang</artifactId>
- <version>2.4</version>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-lang3</artifactId>
+ <version>3.9</version>
</dependency>
<dependency>
<groupId>oro</groupId>
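Review bot: The dependency is switched to `org.apache.commons:commons-lang3:3.9` only in the source tree's pom.xml, while the standalone velocity-1.7.pom added in this same commit still declares `commons-lang:commons-lang:2.4`. If that standalone POM is what gets installed as the package's Maven metadata (the spec file is not visible here), consumers would resolve the old artifact although the classes now import org.apache.commons.lang3. The standalone POM should carry the same change, or the metadata should be generated from the patched pom.xml.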
--- velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeHtmlReference.java 2023-09-27 00:55:09.973607930 +0200
+++ velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeHtmlReference.java 2023-09-27 00:55:44.023830711 +0200
@@ -19,7 +19,7 @@
* under the License.
*/
-import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
/**
* Escape all HTML entities.
@@ -39,7 +39,7 @@
*/
protected String escape(Object text)
{
- return StringEscapeUtils.escapeHtml(text.toString());
+ return StringEscapeUtils.escapeHtml4(text.toString());
}
/**
--- velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeJavaScriptReference.java 2023-09-27 00:55:09.973607930 +0200
+++ velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeJavaScriptReference.java 2023-09-27 00:55:44.023830711 +0200
@@ -19,7 +19,7 @@
* under the License.
*/
-import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
/**
* Escapes the characters in a String to be suitable for use in JavaScript.
@@ -39,7 +39,7 @@
*/
protected String escape(Object text)
{
- return StringEscapeUtils.escapeJavaScript(text.toString());
+ return StringEscapeUtils.escapeEcmaScript(text.toString());
}
/**
--- velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeSqlReference.java 2023-09-27 00:55:09.973607930 +0200
+++ velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeSqlReference.java 2023-09-27 00:55:44.023830711 +0200
@@ -19,7 +19,7 @@
* under the License.
*/
-import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
/**
* Escapes the characters in a String to be suitable to pass to an SQL query.
@@ -39,7 +39,8 @@
*/
protected String escape(Object text)
{
- return StringEscapeUtils.escapeSql(text.toString());
+ // See https://commons.apache.org/proper/commons-lang/javadocs/api-2.6/org/apache/commons/lang/StringEscapeUtils.html#escapeSql(java.lang.String)
+ return StringUtils.replace(text.toString(), "'", "''");
}
/**
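Review bot: The replacement only doubles single quotes, which reproduces the removed commons-lang 2.x `escapeSql` but is not a complete defence for values interpolated into SQL text. It does nothing about backslash escapes or numeric and identifier contexts, and commons-lang3 no longer ships the method at all. The class Javadoc (it begins above the hunk) and the inline comment should state that limit, e.g. `// Only doubles single quotes, as commons-lang 2.x escapeSql did; use bind parameters for untrusted values`. If a caller can pass a null reference, `text.toString()` still throws, unchanged from the old line.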
--- velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeXmlReference.java 2023-09-27 00:55:09.973607930 +0200
+++ velocity-1.7/src/java/org/apache/velocity/app/event/implement/EscapeXmlReference.java 2023-09-27 00:55:44.023830711 +0200
@@ -19,7 +19,7 @@
* under the License.
*/
-import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
/**
* Escape all XML entities.
--- velocity-1.7/src/java/org/apache/velocity/runtime/directive/Block.java 2023-09-27 00:55:09.976941285 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/directive/Block.java 2023-09-27 00:55:44.023830711 +0200
@@ -23,7 +23,7 @@
import java.io.StringWriter;
import java.io.Writer;
-import org.apache.commons.lang.text.StrBuilder;
+import org.apache.commons.lang3.text.StrBuilder;
import org.apache.velocity.context.InternalContextAdapter;
import org.apache.velocity.exception.TemplateInitException;
import org.apache.velocity.runtime.Renderable;
--- velocity-1.7/src/java/org/apache/velocity/runtime/directive/RuntimeMacro.java 2023-09-27 00:55:09.976941285 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/directive/RuntimeMacro.java 2023-09-27 00:55:44.027164066 +0200
@@ -23,7 +23,7 @@
import java.io.Writer;
import java.util.List;
-import org.apache.commons.lang.text.StrBuilder;
+import org.apache.commons.lang3.text.StrBuilder;
import org.apache.velocity.context.InternalContextAdapter;
import org.apache.velocity.exception.MethodInvocationException;
import org.apache.velocity.exception.ParseErrorException;
--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/ASTDirective.java 2023-09-27 00:55:09.976941285 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/ASTDirective.java 2023-09-27 00:55:44.027164066 +0200
@@ -22,7 +22,7 @@
import java.io.IOException;
import java.io.Writer;
-import org.apache.commons.lang.builder.ToStringBuilder;
+import org.apache.commons.lang3.builder.ToStringBuilder;
import org.apache.velocity.context.InternalContextAdapter;
import org.apache.velocity.exception.MethodInvocationException;
import org.apache.velocity.exception.ParseErrorException;
--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/ASTMethod.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/ASTMethod.java 2023-09-27 00:55:44.027164066 +0200
@@ -21,8 +21,8 @@
import java.lang.reflect.InvocationTargetException;
-import org.apache.commons.lang.ArrayUtils;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.ArrayUtils;
+import org.apache.commons.lang3.StringUtils;
import org.apache.velocity.app.event.EventHandlerUtil;
import org.apache.velocity.context.InternalContextAdapter;
import org.apache.velocity.exception.MethodInvocationException;
--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/ASTStringLiteral.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/ASTStringLiteral.java 2023-09-27 00:55:44.027164066 +0200
@@ -21,7 +21,7 @@
import java.io.StringReader;
import java.io.StringWriter;
-import org.apache.commons.lang.text.StrBuilder;
+import org.apache.commons.lang3.text.StrBuilder;
import org.apache.velocity.context.InternalContextAdapter;
import org.apache.velocity.exception.TemplateInitException;
import org.apache.velocity.exception.VelocityException;
--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/NodeUtils.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/NodeUtils.java 2023-09-27 00:55:44.027164066 +0200
@@ -19,7 +19,7 @@
* under the License.
*/
-import org.apache.commons.lang.text.StrBuilder;
+import org.apache.commons.lang3.text.StrBuilder;
import org.apache.velocity.context.Context;
import org.apache.velocity.exception.MethodInvocationException;
import org.apache.velocity.runtime.parser.ParserConstants;
--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/PropertyExecutor.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/PropertyExecutor.java 2023-09-27 00:55:44.027164066 +0200
@@ -21,7 +21,7 @@
import java.lang.reflect.InvocationTargetException;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
import org.apache.velocity.exception.VelocityException;
import org.apache.velocity.runtime.RuntimeLogger;
import org.apache.velocity.runtime.log.Log;
--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/SetPropertyExecutor.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/SetPropertyExecutor.java 2023-09-27 00:55:44.030497422 +0200
@@ -21,8 +21,8 @@
import java.lang.reflect.InvocationTargetException;
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.lang.text.StrBuilder;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.text.StrBuilder;
import org.apache.velocity.exception.VelocityException;
import org.apache.velocity.runtime.log.Log;
import org.apache.velocity.util.introspection.Introspector;
--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/SimpleNode.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/node/SimpleNode.java 2023-09-27 00:55:44.030497422 +0200
@@ -22,8 +22,8 @@
import java.io.IOException;
import java.io.Writer;
-import org.apache.commons.lang.builder.ToStringBuilder;
-import org.apache.commons.lang.text.StrBuilder;
+import org.apache.commons.lang3.builder.ToStringBuilder;
+import org.apache.commons.lang3.text.StrBuilder;
import org.apache.velocity.context.InternalContextAdapter;
import org.apache.velocity.exception.MethodInvocationException;
import org.apache.velocity.exception.ParseErrorException;
--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/Parser.java 2023-09-27 00:55:09.976941285 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/Parser.java 2023-09-27 00:55:44.027164066 +0200
@@ -10,7 +10,7 @@
import org.apache.velocity.runtime.directive.Macro;
import org.apache.velocity.runtime.directive.MacroParseException;
import org.apache.velocity.util.StringUtils;
-import org.apache.commons.lang.text.StrBuilder;
+import org.apache.commons.lang3.text.StrBuilder;
import org.apache.velocity.runtime.RuntimeConstants;
/**
--- velocity-1.7/src/java/org/apache/velocity/runtime/parser/ParserTokenManager.java 2023-09-27 00:55:09.976941285 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/parser/ParserTokenManager.java 2023-09-27 00:55:44.027164066 +0200
@@ -9,7 +9,7 @@
import org.apache.velocity.runtime.directive.Macro;
import org.apache.velocity.runtime.directive.MacroParseException;
import org.apache.velocity.util.StringUtils;
-import org.apache.commons.lang.text.StrBuilder;
+import org.apache.commons.lang3.text.StrBuilder;
import org.apache.velocity.runtime.RuntimeConstants;
/** Token Manager. */
--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/ClasspathResourceLoader.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/ClasspathResourceLoader.java 2023-09-27 00:55:44.030497422 +0200
@@ -22,7 +22,7 @@
import java.io.InputStream;
import org.apache.commons.collections.ExtendedProperties;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
import org.apache.velocity.exception.ResourceNotFoundException;
import org.apache.velocity.runtime.resource.Resource;
import org.apache.velocity.util.ClassUtils;
--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/DataSourceResourceLoader.java 2023-09-27 00:55:44.030497422 +0200
@@ -218,7 +218,7 @@
public synchronized InputStream getResourceStream(final String name)
throws ResourceNotFoundException
{
- if (org.apache.commons.lang.StringUtils.isEmpty(name))
+ if (org.apache.commons.lang3.StringUtils.isEmpty(name))
{
throw new ResourceNotFoundException("DataSourceResourceLoader: Template name was empty or null");
}
--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/FileResourceLoader.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/FileResourceLoader.java 2023-09-27 00:55:44.030497422 +0200
@@ -118,7 +118,7 @@
/*
* Make sure we have a valid templateName.
*/
- if (org.apache.commons.lang.StringUtils.isEmpty(templateName))
+ if (org.apache.commons.lang3.StringUtils.isEmpty(templateName))
{
/*
* If we don't get a properly formed templateName then
--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/JarResourceLoader.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/JarResourceLoader.java 2023-09-27 00:55:44.030497422 +0200
@@ -195,7 +195,7 @@
{
InputStream results = null;
- if (org.apache.commons.lang.StringUtils.isEmpty(source))
+ if (org.apache.commons.lang3.StringUtils.isEmpty(source))
{
throw new ResourceNotFoundException("Need to have a resource!");
}
--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/StringResourceLoader.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/StringResourceLoader.java 2023-09-27 00:55:44.030497422 +0200
@@ -26,7 +26,7 @@
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import org.apache.commons.collections.ExtendedProperties;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
import org.apache.velocity.exception.ResourceNotFoundException;
import org.apache.velocity.exception.VelocityException;
import org.apache.velocity.runtime.resource.Resource;
--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/URLResourceLoader.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/loader/URLResourceLoader.java 2023-09-27 00:55:44.030497422 +0200
@@ -26,7 +26,7 @@
import java.net.URLConnection;
import java.util.HashMap;
import org.apache.commons.collections.ExtendedProperties;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
import org.apache.velocity.exception.VelocityException;
import org.apache.velocity.exception.ResourceNotFoundException;
import org.apache.velocity.runtime.resource.Resource;
--- velocity-1.7/src/java/org/apache/velocity/runtime/resource/ResourceManagerImpl.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/resource/ResourceManagerImpl.java 2023-09-27 00:55:44.030497422 +0200
@@ -158,7 +158,7 @@
Object cacheObject = null;
- if (org.apache.commons.lang.StringUtils.isNotEmpty(cacheClassName))
+ if (org.apache.commons.lang3.StringUtils.isNotEmpty(cacheClassName))
{
try
{
@@ -534,7 +534,7 @@
* this strikes me as bad...
*/
- if (!org.apache.commons.lang.StringUtils.equals(resource.getEncoding(), encoding))
+ if (!org.apache.commons.lang3.StringUtils.equals(resource.getEncoding(), encoding))
{
log.warn("Declared encoding for template '" +
resource.getName() +
--- velocity-1.7/src/java/org/apache/velocity/runtime/RuntimeInstance.java 2023-09-27 00:55:09.976941285 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/RuntimeInstance.java 2023-09-27 00:55:44.023830711 +0200
@@ -32,7 +32,7 @@
import java.util.Properties;
import org.apache.commons.collections.ExtendedProperties;
-import org.apache.commons.lang.text.StrBuilder;
+import org.apache.commons.lang3.text.StrBuilder;
import org.apache.velocity.Template;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.EventHandler;
--- velocity-1.7/src/java/org/apache/velocity/runtime/VelocimacroFactory.java 2023-09-27 00:55:09.976941285 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/VelocimacroFactory.java 2023-09-27 00:55:44.023830711 +0200
@@ -26,7 +26,7 @@
import java.util.Vector;
import java.util.ArrayList;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
import org.apache.velocity.Template;
import org.apache.velocity.exception.VelocityException;
import org.apache.velocity.runtime.directive.Directive;
--- velocity-1.7/src/java/org/apache/velocity/util/introspection/ClassMap.java 2023-09-27 00:55:09.980274640 +0200
+++ velocity-1.7/src/java/org/apache/velocity/util/introspection/ClassMap.java 2023-09-27 00:55:44.030497422 +0200
@@ -23,7 +23,7 @@
import java.lang.reflect.Modifier;
import java.util.HashMap;
import java.util.Map;
-import org.apache.commons.lang.text.StrBuilder;
+import org.apache.commons.lang3.text.StrBuilder;
import org.apache.velocity.runtime.log.Log;
import org.apache.velocity.util.MapFactory;
--- velocity-1.7/src/test/org/apache/velocity/io/UnicodeInputStreamTestCase.java 2023-09-27 00:55:09.983607995 +0200
+++ velocity-1.7/src/test/org/apache/velocity/io/UnicodeInputStreamTestCase.java 2023-09-27 00:55:44.030497422 +0200
@@ -27,7 +27,7 @@
import junit.framework.TestCase;
import junit.framework.TestSuite;
-import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang3.ArrayUtils;
/**
--- velocity-1.7/src/test/org/apache/velocity/test/BaseTestCase.java 2023-09-27 00:55:09.983607995 +0200
+++ velocity-1.7/src/test/org/apache/velocity/test/BaseTestCase.java 2023-09-27 00:55:44.030497422 +0200
@@ -353,7 +353,7 @@
buf.append(baseFile.getPath());
}
- if (org.apache.commons.lang.StringUtils.isNotEmpty(ext))
+ if (org.apache.commons.lang3.StringUtils.isNotEmpty(ext))
{
buf.append('.').append(ext);
}
--- velocity-1.7/src/test/org/apache/velocity/test/MethodCacheKeyTestCase.java 2023-09-27 00:55:09.983607995 +0200
+++ velocity-1.7/src/test/org/apache/velocity/test/MethodCacheKeyTestCase.java 2023-09-27 00:55:44.030497422 +0200
@@ -21,7 +21,7 @@
import junit.framework.TestCase;
-import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang3.ArrayUtils;
import org.apache.velocity.runtime.parser.node.ASTMethod;
/**


@ -0,0 +1,11 @@
--- velocity-1.7/src/java/org/apache/velocity/runtime/defaults/velocity.properties 2023-09-27 00:55:09.976941285 +0200
+++ velocity-1.7/src/java/org/apache/velocity/runtime/defaults/velocity.properties 2023-09-27 00:57:58.884707172 +0200
@@ -23,7 +23,7 @@
# default LogChute to use: default: AvalonLogChute, Log4JLogChute, CommonsLogLogChute, ServletLogChute, JdkLogChute
# ----------------------------------------------------------------------------
-runtime.log.logsystem.class = org.apache.velocity.runtime.log.AvalonLogChute,org.apache.velocity.runtime.log.Log4JLogChute,org.apache.velocity.runtime.log.CommonsLogLogChute,org.apache.velocity.runtime.log.ServletLogChute,org.apache.velocity.runtime.log.JdkLogChute
+runtime.log.logsystem.class = org.apache.velocity.runtime.log.JdkLogChute
# ---------------------------------------------------------------------------
# This is the location of the Velocity Runtime log.
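Review bot: The comment two lines above the changed property still lists `default: AvalonLogChute, Log4JLogChute, CommonsLogLogChute, ServletLogChute, JdkLogChute`, which no longer matches the new single default. It should become `# default LogChute to use: JdkLogChute`, with a remark that the other chutes were dropped from this build; the changelog gives the reason as removing their logging dependencies. Applications that relied on the old fallback order to pick up Log4J or commons-logging automatically will now log through java.util.logging unless they set `runtime.log.logsystem.class` themselves, which is worth a line in the package changelog.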

velocity-1.7.pom Normal file

@ -0,0 +1,346 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.apache</groupId>
<artifactId>apache</artifactId>
<version>4</version>
</parent>
<groupId>org.apache.velocity</groupId>
<artifactId>velocity</artifactId>
<version>1.7</version>
<name>Apache Velocity</name>
<url>http://velocity.apache.org/engine/devel/</url>
<description>Apache Velocity is a general purpose template engine.</description>
<inceptionYear>2000</inceptionYear>
<packaging>jar</packaging>
<prerequisites>
<maven>2.0.9</maven>
</prerequisites>
<build>
<defaultGoal>install</defaultGoal>
<sourceDirectory>src/java</sourceDirectory>
<testSourceDirectory>src/test</testSourceDirectory>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<configuration>
<inputEncoding>UTF-8</inputEncoding>
<outputEncoding>UTF-8</outputEncoding>
<xdocDirectory>${basedir}/xdocs/docs</xdocDirectory>
</configuration>
</plugin>
</plugins>
<resources>
<resource>
<directory>src/java</directory>
<excludes>
<exclude>**/*.java</exclude>
</excludes>
</resource>
</resources>
</build>
<distributionManagement>
<site>
<id>velocity.apache.org</id>
<url>scpexe://people.apache.org/www/velocity.apache.org/engine/releases/velocity-1.7</url>
</site>
<repository>
<id>apache.releases</id>
<name>Apache Release Distribution Repository</name>
<url>scp://people.apache.org/www/people.apache.org/repo/m2-ibiblio-rsync-repository</url>
</repository>
<snapshotRepository>
<id>apache.snapshots</id>
<name>Apache Development Snapshot Repository</name>
<url>scp://people.apache.org/www/people.apache.org/repo/m2-snapshot-repository</url>
</snapshotRepository>
</distributionManagement>
<developers>
<developer>
<name>Will Glass-Husain</name>
<id>wglass</id>
<email>wglass@forio.com</email>
<organization>Forio Business Simulations</organization>
<roles>
<role>Java Developer</role>
</roles>
</developer>
<developer>
<name>Geir Magnusson Jr.</name>
<id>geirm</id>
<email>geirm@optonline.net</email>
<organization>Independent (DVSL Maven)</organization>
<roles>
<role>Java Developer</role>
</roles>
</developer>
<developer>
<name>Daniel Rall</name>
<id>dlr</id>
<email>dlr@finemaltcoding.com</email>
<organization>CollabNet, Inc.</organization>
<roles>
<role>Java Developer</role>
</roles>
</developer>
<developer>
<name>Henning P. Schmiedehausen</name>
<id>henning</id>
<email>hps@intermeta.de</email>
<organization>INTERMETA - Gesellschaft für Mehrwertdienste mbH</organization>
<roles>
<role>Java Developer</role>
</roles>
<timezone>2</timezone>
</developer>
<developer>
<name>Nathan Bubna</name>
<id>nbubna</id>
<email>nathan@esha.com</email>
<organization>ESHA Research</organization>
<roles>
<role>Java Developer</role>
</roles>
</developer>
</developers>
<dependencies>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.1</version>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.4</version>
</dependency>
<dependency>
<groupId>oro</groupId>
<artifactId>oro</artifactId>
<version>2.0.8</version>
<optional>true</optional>
</dependency>
<dependency>
<groupId>jdom</groupId>
<artifactId>jdom</artifactId>
<version>1.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1</version>
<scope>provided</scope>
<exclusions>
<exclusion>
<groupId>avalon-framework</groupId>
<artifactId>avalon-framework</artifactId>
</exclusion>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.12</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.3</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>logkit</groupId>
<artifactId>logkit</artifactId>
<version>2.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>ant</groupId>
<artifactId>ant</artifactId>
<version>1.6</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>werken-xpath</groupId>
<artifactId>werken-xpath</artifactId>
<version>0.9.4</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>hsqldb</groupId>
<artifactId>hsqldb</artifactId>
<version>1.7.1</version>
<scope>test</scope>
</dependency>
</dependencies>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.1</version>
<reportSets>
<reportSet>
<reports>
<report>dependencies</report>
<report>issue-tracking</report>
<report>license</report>
<report>summary</report>
<report>scm</report>
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-changes-plugin</artifactId>
<version>2.0</version>
<reportSets>
<reportSet>
<reports>
<report>changes-report</report>
<report>jira-report</report>
</reports>
</reportSet>
</reportSets>
<configuration>
<issueLinkTemplate>${jira.browse.url}/%ISSUE%</issueLinkTemplate>
<!-- Apache JIRA, Component Engine -->
<component>12311337</component>
<!-- FixFor 1.6 -->
<filter>fixfor=12310290&amp;sorter/field=issuekey&amp;sorter/order=ASC</filter>
<maxEntries>100</maxEntries>
<teamlist>http://velocity.apache.org/who-we-are.html</teamlist>
</configuration>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
<version>2.2</version>
<configuration>
<tag>TODO</tag>
<tag>FIXME</tag>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>2.1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.5</version>
<configuration>
<links>
<link>http://java.sun.com/j2se/1.4.2/docs/api</link>
<link>http://jakarta.apache.org/oro/api</link>
<link>http://jakarta.apache.org/commons/lang/api-release</link>
<link>http://jakarta.apache.org/commons/collections/api-release</link>
<link>http://www.jdom.org/docs/apidocs</link>
<link>http://logging.apache.org/log4j/docs/api</link>
<link>http://excalibur.apache.org/apidocs</link>
<link>http://tomcat.apache.org/tomcat-4.1-doc/servletapi</link>
</links>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-changelog-plugin</artifactId>
<version>2.1</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>1.2</version>
<configuration>
<xmlOutput>true</xmlOutput>
<threshold>Low</threshold>
<effort>Max</effort>
<excludeFilterFile>build/findbugs-exclude.xml</excludeFilterFile>
<findbugsXmlOutputDirectory>xdocs</findbugsXmlOutputDirectory>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.4</source>
<target>1.4</target>
</configuration>
</plugin>
</plugins>
</reporting>
<scm>
<connection>scm:svn:http://svn.apache.org/repos/asf/velocity/engine/trunk</connection>
<developerConnection>scm:svn:https://svn.apache.org/repos/asf/velocity/engine/trunk</developerConnection>
<tag>HEAD</tag>
<url>http://svn.apache.org/viewvc/velocity/engine/trunk</url>
</scm>
<properties>
<jira.browse.url>https://issues.apache.org/jira/browse</jira.browse.url>
</properties>
<issueManagement>
<system>JIRA</system>
<url>${jira.browse.url}/VELOCITY</url>
</issueManagement>
</project>

velocity-1.7.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

velocity-build_xml.patch Normal file

@ -0,0 +1,12 @@
--- build/build.xml.sav 2007-08-25 16:17:48.000000000 +0200
+++ build/build.xml 2007-08-25 16:18:14.000000000 +0200
@@ -139,7 +139,9 @@
<!-- sets up the build environment (classpath and libs) -->
<!-- =================================================================== -->
<target name="build-prepare">
+<!--
<ant antfile="${velocity.build.dir}/download.xml" target="build-download" />
+-->
<!-- Build classpath -->
<path id="velocity.build.classpath">
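Review bot: The `build-download` call is disabled by wrapping it in a bare `<!-- -->` pair with no explanation, so a later refresh of this patch could re-enable it unnoticed. A comment such as `<!-- download.xml disabled: the package build must not fetch jars from the network; dependencies come from the build root -->` would record the reason, which is presumably the offline build environment. The `build-prepare` target continues past the end of the hunk.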

velocity.changes Normal file
View File

@ -0,0 +1,106 @@
-------------------------------------------------------------------
Wed Sep 27 04:36:41 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Reduce considerably the dependencies graph
- Added patches:
* velocity-1.7-commons-lang3.patch
+ port from apache-commons-lang to apache-commons-lang3
* velocity-1.7-log-chute.patch
+ make JDK's own logging provider as default so that the others
can be removed and dependencies on other logging frameworks
with them
-------------------------------------------------------------------
Tue Mar 22 15:13:03 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Build with java source and target levels 8
-------------------------------------------------------------------
Tue Feb 22 18:59:05 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Do not build against the log4j12 packages, use the new reload4j
-------------------------------------------------------------------
Fri Mar 12 08:18:50 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Added patch:
* velocity-1.7-CVE-2020-13936.patch
+ Backport fixes for bsc#1183360, CVE-2020-13936: arbitrary
code execution when attacker is able to modify templates
-------------------------------------------------------------------
Tue Oct 1 11:35:09 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Build against the compatibility package log4j12
-------------------------------------------------------------------
Mon Apr 8 11:39:35 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Do not depend on the apache-parent, since we are not building
using Maven.
-------------------------------------------------------------------
Thu Feb 14 08:35:38 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Build against the new plexus-classworlds package
-------------------------------------------------------------------
Mon Nov 5 22:15:24 UTC 2018 - Fridrich Strba <fstrba@suse.com>
- Add alias "velocity:velocity" to the maven artifact
-------------------------------------------------------------------
Tue Sep 19 08:36:49 UTC 2017 - fstrba@suse.com
- Fix buid with jdk9: specify java source and target level 1.6
-------------------------------------------------------------------
Fri May 19 16:41:19 UTC 2017 - tchvatal@suse.com
- Remove unneeded deps
-------------------------------------------------------------------
Fri May 19 09:23:26 UTC 2017 - dziolkowski@suse.com
- New build dependency: javapackages-local
-------------------------------------------------------------------
Wed Mar 18 09:46:23 UTC 2015 - tchvatal@suse.com
- Fix build with new javapackages-tools
-------------------------------------------------------------------
Fri Dec 5 14:34:48 UTC 2014 - p.drouand@gmail.com
- Update to version 1.7
+ No changelog available
- Add requirement to commons-logging; new dependency
- Remove java-devel >= 1.6.0 requirement; not needed anymore
- Do not copy convert folder; doesn't exist anymore
-------------------------------------------------------------------
Fri Jun 27 14:17:29 UTC 2014 - tchvatal@suse.com
- Fix build on SLE11
-------------------------------------------------------------------
Wed Sep 11 08:47:42 UTC 2013 - mvyskocil@suse.com
- use add_maven_depmap from javapackages-tools
-------------------------------------------------------------------
Mon Sep 9 11:06:25 UTC 2013 - tchvatal@suse.com
- Move from jpackage-utils to javapackage-tools
-------------------------------------------------------------------
Mon Dec 17 12:17:24 UTC 2012 - mvyskocil@suse.com
- require avalon-logkit
* drop excalibur from Factory
-------------------------------------------------------------------
Wed Jun 3 17:14:32 CEST 2009 - mvyskocil@suse.cz
- Initial SUSE packaging

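--- /dev/null
+++ b/velocity.spec
@@ -0,0 +1,213 @@
+#
+# spec file for package velocity
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+Name: velocity
+Version: 1.7
+Release: 0
+Summary: Java-based template engine
+License: Apache-2.0
+Group: Development/Libraries/Java
+URL: https://velocity.apache.org/
+Source0: https://archive.apache.org/dist/velocity/engine/%{version}/%{name}-%{version}.tar.gz
+Source1: %{name}-%{version}.pom
+Patch0: velocity-build_xml.patch
+Patch1: velocity-1.7-CVE-2020-13936.patch
+Patch2: velocity-1.7-commons-lang3.patch
+Patch3: velocity-1.7-log-chute.patch
+BuildRequires: ant
+BuildRequires: commons-collections
+BuildRequires: commons-lang3
+BuildRequires: fdupes
+BuildRequires: java-devel >= 1.8
+BuildRequires: javapackages-local >= 6
+BuildArch: noarch
+%description
+Velocity is a Java-based template engine. It permits anyone to use the
+simple yet powerful template language to reference objects defined in
+Java code.
+When Velocity is used for web development, Web designers can work in
+parallel with Java programmers to develop web sites according to the
+Model-View-Controller (MVC) model, meaning that web page designers can
+focus solely on creating a site that looks good, and programmers can
+focus solely on writing top-notch code. Velocity separates Java code
+from the web pages, making the web site more maintainable over the long
+run and providing a viable alternative to Java Server Pages (JSPs) or
+PHP.
+Velocity's capabilities reach well beyond the realm of web sites; for
+example, it can generate SQL and PostScript and XML (see Anakia for more
+information on XML transformations) from templates. It can be used
+either as a standalone utility for generating source code and reports,
+or as an integrated component of other systems. Velocity also provides
+template services for the Turbine web application framework.
+Velocity+Turbine provides a template service that will allow web
+applications to be developed according to a true MVC model.
+%package manual
+Summary: Manual for %{name}
+Group: Development/Libraries/Java
+%description manual
+Velocity is a Java-based template engine. It permits anyone to use the
+simple yet powerful template language to reference objects defined in
+Java code.
+When Velocity is used for web development, Web designers can work in
+parallel with Java programmers to develop web sites according to the
+Model-View-Controller (MVC) model, meaning that web page designers can
+focus solely on creating a site that looks good, and programmers can
+focus solely on writing top-notch code. Velocity separates Java code
+from the web pages, making the web site more maintainable over the long
+run and providing a viable alternative to Java Server Pages (JSPs) or
+PHP.
+Velocity's capabilities reach well beyond the realm of web sites; for
+example, it can generate SQL and PostScript and XML (see Anakia for more
+information on XML transformations) from templates. It can be used
+either as a standalone utility for generating source code and reports,
+or as an integrated component of other systems. Velocity also provides
+template services for the Turbine web application framework.
+Velocity+Turbine provides a template service that will allow web
+applications to be developed according to a true MVC model.
+%package javadoc
+Summary: Javadoc for %{name}
+Group: Documentation/HTML
+%description javadoc
+Velocity is a Java-based template engine. It permits anyone to use the
+simple yet powerful template language to reference objects defined in
+Java code.
+When Velocity is used for web development, Web designers can work in
+parallel with Java programmers to develop web sites according to the
+Model-View-Controller (MVC) model, meaning that web page designers can
+focus solely on creating a site that looks good, and programmers can
+focus solely on writing top-notch code. Velocity separates Java code
+from the web pages, making the web site more maintainable over the long
+run and providing a viable alternative to Java Server Pages (JSPs) or
+PHP.
+Velocity's capabilities reach well beyond the realm of web sites; for
+example, it can generate SQL and PostScript and XML (see Anakia for more
+information on XML transformations) from templates. It can be used
+either as a standalone utility for generating source code and reports,
+or as an integrated component of other systems. Velocity also provides
+template services for the Turbine web application framework.
+Velocity+Turbine provides a template service that will allow web
+applications to be developed according to a true MVC model.
+%package demo
+Summary: Demo for %{name}
+Group: Development/Libraries/Java
+Requires: %{name} = %{version}-%{release}
+%description demo
+Velocity is a Java-based template engine. It permits anyone to use the
+simple yet powerful template language to reference objects defined in
+Java code.
+When Velocity is used for web development, Web designers can work in
+parallel with Java programmers to develop web sites according to the
+Model-View-Controller (MVC) model, meaning that web page designers can
+focus solely on creating a site that looks good, and programmers can
+focus solely on writing top-notch code. Velocity separates Java code
+from the web pages, making the web site more maintainable over the long
+run and providing a viable alternative to Java Server Pages (JSPs) or
+PHP.
+Velocity's capabilities reach well beyond the realm of web sites; for
+example, it can generate SQL and PostScript and XML (see Anakia for more
+information on XML transformations) from templates. It can be used
+either as a standalone utility for generating source code and reports,
+or as an integrated component of other systems. Velocity also provides
+template services for the Turbine web application framework.
+Velocity+Turbine provides a template service that will allow web
+applications to be developed according to a true MVC model.
+%prep
+%setup -q
+cp %{SOURCE1} pom.xml
+%patch0 -b .sav0
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+find . -name '*.jar' -print -delete
+find . -name '*.class' -print -delete
+# Disable unneeded features
+rm -r src/java/org/apache/velocity/{anakia,texen,servlet,convert}
+rm src/java/org/apache/velocity/runtime/log/{Avalon,Log4J}Log{Chute,System}.java
+rm src/java/org/apache/velocity/runtime/log/{CommonsLog,Servlet}LogChute.java
+rm src/java/org/apache/velocity/runtime/log/SimpleLog4JLogSystem.java
+rm src/java/org/apache/velocity/runtime/log/VelocityFormatter.java
+rm src/java/org/apache/velocity/app/event/implement/Escape{Html,JavaScript,Sql,Xml,}Reference.java
+%pom_remove_dep :oro
+%pom_remove_dep :jdom
+%pom_remove_dep :commons-logging
+%pom_remove_dep :log4j
+%pom_remove_dep :servlet-api
+%pom_remove_dep :logkit
+%pom_remove_dep :ant
+%pom_remove_dep :werken-xpath
+%build
+mkdir -p bin/lib
+build-jar-repository -s -p bin/lib commons-collections commons-lang3
+export CLASSPATH=$(build-classpath commons-collections commons-lang3)
+ant \
+-Djavac.source=1.8 -Djavac.target=1.8 \
+-buildfile build/build.xml \
+jar javadocs
+%install
+# jars
+install -d -m 755 %{buildroot}%{_javadir}
+install -p -m 644 bin/%{name}-%{version}.jar %{buildroot}%{_javadir}/%{name}.jar
+# pom
+install -d -m 755 %{buildroot}%{_mavenpomdir}
+%{mvn_install_pom} pom.xml \
+%{buildroot}%{_mavenpomdir}/JPP-%{name}.pom
+%add_maven_depmap -a velocity:velocity
+# javadoc
+install -d -m 755 %{buildroot}%{_javadocdir}/%{name}
+cp -pr docs/api/* %{buildroot}%{_javadocdir}/%{name}
+%fdupes -s %{buildroot}%{_javadocdir}
+rm -rf docs/api
+# zero-length file
+rm -r test/issues/velocity-537/compare/velocity537.vm.cmp
+# data
+install -d -m 755 %{buildroot}%{_datadir}/%{name}
+cp -pr examples test %{buildroot}%{_datadir}/%{name}
+%fdupes -s %{buildroot}%{_datadir}/%{name}
+%files -f .mfiles
+%license LICENSE NOTICE
+%doc README.txt
+%files manual
+%doc docs/*
+%files javadoc
+%{_javadocdir}/%{name}
+%files demo
+%{_datadir}/%{name}
+%changelog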
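Review bot: The `rm` of `Escape{Html,JavaScript,Sql,Xml,}Reference.java` in `%prep` sits under `# Disable unneeded features`, but these are Velocity's output-escaping reference-insertion handlers, so dropping them is a security-relevant behaviour change rather than a dependency trim. A deployment that names one of them in `eventhandler.referenceinsertion.class` would presumably no longer find the class in this package; whether that fails at start-up or leaves template output unescaped is not visible from the spec. I would give that line its own comment, e.g. `# Escape*Reference handlers are not shipped; templates must escape output another way`, and record the removal in velocity.changes, which currently mentions only the commons-lang3 port and the log chute change. Separately, `Source0` is listed without a detached signature or keyring source, so the tarball's origin is not verified at build time.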