Re:Re: [configuration] Release date for commons-configuration2 ?

2017-09-27 Thread mingleizhang
Thanks Oliver! But I would ask, what do you mean by "Properties.load()"? What kind 
of Properties do you mean? If java.util.Properties, I think no. I want it 
to return a type belonging to java.util.Properties as output, and the input is a file 
name.


/Rice






At 2017-09-28 03:35:51, "Oliver Heger"  wrote:
>
>
>On 27.09.2017 at 11:08, mingleizhang wrote:
>> It seems I can not directly convert a file to a java Properties class in 
>> this package. I hope it like this.
>> 
>> 
>> read(fileName: String): Properties
>> 
>Wouldn't Properties.load() do the trick?
>
>Oliver
>
>> 
>> Rice.
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> At 2017-09-27 14:33:01, "Andreas Kuhtz"  wrote:
>>> Hi Gary,
>>>
>>> I wasn't aware that pushing a SNAPSHOT build needs the release process will
>>> all preparations to be executed, but I'll wait for the next release in this
>>> case.
>>> Thank you for all the good solutions that are provided by the configuration
>>> team.
>>>
>>> Andreas
>>>
>>> 2017-09-26 22:17 GMT+02:00 Gary Gregory :
>>>
>>>> On Tue, Sep 26, 2017 at 2:07 PM, Andreas Kuhtz
>>>> wrote:
>>>>
>>>>> Thank you for the response.
>>>>> I looked at http://repository.apache.org/snapshots/ already, but there is
>>>>> no 2.2-SNAPSHOT. If someone has permissions to publish the current
>>>>> 2.2-SNAPSHOT that would be great.
>>>>>
>>>>
>>>> Unfortunately, it's more complicated than that. We have a release process
>>>> that requires a release manager from our team to volunteer and jump through
>>>> a bunch of hoops.
>>>>
>>>> Gary
>>>>
>>>>>
>>>>> 2017-09-26 21:59 GMT+02:00 Pascal Schumacher :
>>>>>
>>>>>> Sorry my response was less that clear. The public maven repo address is:
>>>>>> http://repository.apache.org/snapshots/
>>>>>>
>>>>>> See: https://www.apache.org/dev/repository-faq.html#basic
>>>>>>
>>>>>>
>>>>>> On 26.09.2017 at 21:56, Pascal Schumacher wrote:
>>>>>>
>>>>>>> No idea if there are concrete plans for a release date of
>>>>>>> commons-configuration 2.2 with the YAML feature.
>>>>>>>
>>>>>>> https://repository.apache.org/content/groups/snapshots/org/apache/commons/commons-configuration2/
>>>>>>> should have a snapshots with the feature.
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Pascal
>>>>>>>
>>>>>>> On 26.09.2017 at 21:43, Andreas Kuhtz wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Is there a planned release date for commons-configuration2 or is a
>>>>>>>> SNAPSHOT
>>>>>>>> available in a public maven repo?
>>>>>>>>
>>>>>>>> I would like to use the YAML configuration in my project.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Andreas
>>>>>>>>
>>>>>>>
>>>>>>> -
>>>>>>> To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
>>>>>>> For additional commands, e-mail: user-h...@commons.apache.org


Re: Missing type information (not seen in visitor)

2017-09-27 Thread Guang Chao
On Tue, Sep 26, 2017 at 7:05 AM, Showalter, Jim 
wrote:

> We have two classes like this:
>
> package com.intuit.foo;
>
> public class Foo {
> }
>
> public class FooHolder {
>    private List<Foo> foos = new ArrayList<>();
> }
>
> After visiting both classes and dumping out the info, I see this:
>
> com/intuit/foo/Foo:
>   class, lines 0 to ~2, deletable, public
>
> com/intuit/foo/Foos:
>   class, lines 0 to ~2, not-deletable, public
>   type references
> 
>   field declarations
> com/intuit/obill/v1/quote/response/Quote:chargeDetails:
> Ljava/util/List;
>
> Note that the type Foo is not seen in when visiting the Foos. Because
> there are no other references to Foo anywhere, this results in a
> false-positive delete of Foo.java.
>

I think that is expected for Generics if I am not mistaken.  The Foo in
List<Foo> is just for compile time.  At runtime, it just knows that it is a
List, and does not know it is a list of Foo.


>
> I collect all of the referred-to types in the visitor like this:
>
>@Override
>public void visitConstantClass(final ConstantClass obj) {
>   String className = JavaUtils.dotsToSlashes(
> javaClass().getConstantPool().getConstant(obj.getNameIndex()).toString().replace("\")",
> "").replaceAll("^.*\"", ""));
>   if (ignore(className)) {
>  return;
>   }
>   type().addTypeReference(className);
>}
>
> What am I doing wrong?
>
> Jim Showalter
> Programmer
> Intuit, 2003H-265Z
> Garcia Avenue
> Mountain View, CA 94043
> (408) 353-4954 [home]
> (408) 204-1661 [personal cell]
> (669) 271-2257 [work cell]
>
>


-- 
Guang 
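
The compile-time versus runtime point above, as an added example (not code from the thread or from BCEL): the field's erased type is `java.util.List`, while its declared `List<Foo>` is still stored in the class file's generic signature, which plain reflection reads. `Foo`, `FooHolder` and `FieldTypeReferences` are stand-in names, and the sketch uses `java.lang.reflect` rather than the BCEL visitor from the question.

```java
import java.lang.reflect.Field;
import java.lang.reflect.GenericArrayType;
import java.lang.reflect.ParameterizedType;
import java.lang.reflect.Type;
import java.lang.reflect.WildcardType;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class FieldTypeReferences {

    // Stand-ins for the two classes in the question.
    static class Foo { }
    static class FooHolder {
        private List<Foo> foos = new ArrayList<>();
    }

    /** Every class named in the declared (generic) types of owner's fields. */
    static Set<String> referencedTypes(Class<?> owner) {
        Set<String> names = new TreeSet<>();
        for (Field field : owner.getDeclaredFields()) {
            collect(field.getGenericType(), names);
        }
        return names;
    }

    private static void collect(Type type, Set<String> names) {
        if (type instanceof Class) {
            names.add(((Class<?>) type).getName());
        } else if (type instanceof ParameterizedType) {
            ParameterizedType p = (ParameterizedType) type;
            collect(p.getRawType(), names);
            for (Type arg : p.getActualTypeArguments()) collect(arg, names);
        } else if (type instanceof WildcardType) {
            for (Type bound : ((WildcardType) type).getUpperBounds()) collect(bound, names);
            for (Type bound : ((WildcardType) type).getLowerBounds()) collect(bound, names);
        } else if (type instanceof GenericArrayType) {
            collect(((GenericArrayType) type).getGenericComponentType(), names);
        }
        // Type variables (T) name no concrete class and are skipped.
    }

    public static void main(String[] args) throws Exception {
        Field foos = FooHolder.class.getDeclaredField("foos");
        System.out.println("erased field type: " + foos.getType().getName());
        System.out.println("declared types   : " + referencedTypes(FooHolder.class));
    }
}
```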


Re: [configuration] Release date for commons-configuration2 ?

2017-09-27 Thread Oliver Heger


On 27.09.2017 at 11:08, mingleizhang wrote:
> It seems I can not directly convert a file to a java Properties class in this 
> package. I hope it like this.
> 
> 
> read(fileName: String): Properties
> 
Wouldn't Properties.load() do the trick?

Oliver

> 
> Rice.
> 
> 
> 
> 
> 
> 
> 
> At 2017-09-27 14:33:01, "Andreas Kuhtz"  wrote:
>> Hi Gary,
>>
>> I wasn't aware that pushing a SNAPSHOT build needs the release process will
>> all preparations to be executed, but I'll wait for the next release in this
>> case.
>> Thank you for all the good solutions that are provided by the configuration
>> team.
>>
>> Andreas
>>
>> 2017-09-26 22:17 GMT+02:00 Gary Gregory :
>>
>>> On Tue, Sep 26, 2017 at 2:07 PM, Andreas Kuhtz 
>>> wrote:
>>>
>>>> Thank you for the response.
>>>> I looked at http://repository.apache.org/snapshots/ already, but there is
>>>> no 2.2-SNAPSHOT. If someone has permissions to publish the current
>>>> 2.2-SNAPSHOT that would be great.
>>>>
>>>
>>> Unfortunately, it's more complicated than that. We have a release process
>>> that requires a release manager from our team to volunteer and jump through
>>> a bunch of hoops.
>>>
>>> Gary
>>>
>>>>
>>>> 2017-09-26 21:59 GMT+02:00 Pascal Schumacher :
>>>>
>>>>> Sorry my response was less that clear. The public maven repo address is:
>>>>> http://repository.apache.org/snapshots/
>>>>>
>>>>> See: https://www.apache.org/dev/repository-faq.html#basic
>>>>>
>>>>>
>>>>> On 26.09.2017 at 21:56, Pascal Schumacher wrote:
>>>>>
>>>>>> No idea if there are concrete plans for a release date of
>>>>>> commons-configuration 2.2 with the YAML feature.
>>>>>>
>>>>>> https://repository.apache.org/content/groups/snapshots/org/apache/commons/commons-configuration2/
>>>>>> should have a snapshots with the feature.
>>>>>>
>>>>>> Kind regards,
>>>>>> Pascal
>>>>>>
>>>>>> On 26.09.2017 at 21:43, Andreas Kuhtz wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Is there a planned release date for commons-configuration2 or is a
>>>>>>> SNAPSHOT
>>>>>>> available in a public maven repo?
>>>>>>>
>>>>>>> I would like to use the YAML configuration in my project.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Andreas
>>>>>>>



[SECURITY] CVE-2017-12621 Apache Commons Jelly connects to URL with custom doctype definitions.

2017-09-27 Thread Rob Tompkins
CVE-2017-12621: Apache Commons Jelly connects to URL with custom doctype 
definitions.

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
commons-jelly-1.0 (core), namely commons-jelly-1.0.jar

Description:
During Jelly (xml) file parsing with Apache Xerces, if a custom doctype entity 
is declared with a “SYSTEM” entity with a URL and that entity is used in the 
body of the Jelly file, during parser instantiation the parser will attempt to 
connect to said URL. This could lead to XML External Entity (XXE) attacks. The 
Open Web Application Security Project suggests that the fix be 
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader

Mitigation:
1.0 users should migrate to 1.0.1.

Example:

example.jelly
--



http://127.0.0.1:/;>
]>



--

ExampleParser.java
--
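import java.io.IOException;
import java.lang.reflect.InvocationTargetException;

import org.apache.commons.jelly.JellyContext;
import org.apache.commons.jelly.JellyException;

public class ExampleParser {

    public static void main(String[] args) throws JellyException,
            IOException, NoSuchMethodException, IllegalAccessException,
            IllegalArgumentException, InvocationTargetException {
        JellyContext context = new JellyContext();
        // Parsing example.jelly makes the XML parser resolve the SYSTEM entity.
        context.runScript("example.jelly", null);
    }
}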

Credit:
This was discovered by Luca Carettoni of Doyensec.

References:
[1] http://commons.apache.org/jelly/security-reports.html
[2] https://issues.apache.org/jira/browse/JELLY-293
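
The parser settings that the advisory's OWASP reference points to, as an added example that is not part of the advisory or of Commons Jelly: it parses a constructed document shaped like the one described (a SYSTEM entity used in the body) with the JDK's JAXP SAX parser and records which external identifiers the parser tries to resolve, first with defaults and then with external entities switched off. The class name, the `example.invalid` URL and the recording resolver are assumptions made for the demo.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XxeHardeningDemo {

    // Constructed sample: the doctype declares a SYSTEM entity and the body uses it.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE r [ <!ENTITY sp SYSTEM \"http://example.invalid/probe\"> ]>\n"
      + "<r>&sp;</r>";

    /** Returns the system IDs the parser asked to resolve while parsing SAMPLE. */
    static List<String> externalLookups(boolean hardened) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        XMLReader reader = factory.newSAXParser().getXMLReader();
        if (hardened) {
            // Feature names from the XMLReader section of the OWASP XXE cheat sheet.
            // Where no DOCTYPE is needed at all, the stricter option is
            // http://apache.org/xml/features/disallow-doctype-decl = true.
            reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
            reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        }
        List<String> seen = new ArrayList<>();
        // Recording resolver: notes every lookup and hands back an empty stream,
        // so the demo itself never opens a network connection.
        reader.setEntityResolver((publicId, systemId) -> {
            seen.add(systemId);
            return new InputSource(new StringReader(""));
        });
        reader.setContentHandler(new DefaultHandler());
        reader.parse(new InputSource(new StringReader(SAMPLE)));
        return seen;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + externalLookups(false));
        System.out.println("hardened: " + externalLookups(true));
    }
}
```

A lookup recorded in the default run is the point at which an unhardened parser would contact the URL; the hardened run skips the entity instead of resolving it.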





[ANNOUNCE] Apache Commons Jelly 1.0.1 released!

2017-09-27 Thread Rob Tompkins
The Apache Commons Team is pleased to announce the release of Apache
Commons Jelly 1.0.1.

Jelly is a tool for turning XML into executable code. So Jelly is a 
Java and XML based scripting and processing engine. Jelly can be used 
as a more flexible and powerful front end to Ant such as in the Maven 1.X 
project, as a testing framework such as JellyUnit, in an integration 
or workflow system such as werkflow or as a page templating system 
inside engines like Cocoon.

1.0.1 is fully binary compatible to the last release. No client code
changes are required to migrate from version 1.0 to 1.0.1.

This release only includes one bug fix, JELLY-293: Accommodate toggling 
off DTD external entities.

Source and binary distributions are available for download from the Apache
Commons download site:
  http://commons.apache.org/proper/commons-jelly/download_jelly.cgi

When downloading, please verify signatures using the KEYS file available at
the above location when downloading the release.

Alternatively the release can be pulled via maven:
  <groupId>commons-jelly</groupId>
  <artifactId>commons-jelly</artifactId>
  <version>1.0.1</version>

Full details of all the changes in 1.0.1 can be found in the changelog:
  http://commons.apache.org/proper/commons-jelly/changes-report.html

For complete information on Commons Jelly, including instructions on how to
submit bug reports, patches, or suggestions for improvement, see the Apache
Commons Jelly website:

http://commons.apache.org/proper/commons-jelly/

Rob Tompkins,
on behalf of the Apache Commons community




Re:Re: [configuration] Release date for commons-configuration2 ?

2017-09-27 Thread mingleizhang
It seems I can not directly convert a file to a java Properties class in this 
package. I hope it like this.


read(fileName: String): Properties


Rice.







At 2017-09-27 14:33:01, "Andreas Kuhtz"  wrote:
>Hi Gary,
>
>I wasn't aware that pushing a SNAPSHOT build needs the release process will
>all preparations to be executed, but I'll wait for the next release in this
>case.
>Thank you for all the good solutions that are provided by the configuration
>team.
>
>Andreas
>
>2017-09-26 22:17 GMT+02:00 Gary Gregory :
>
>> On Tue, Sep 26, 2017 at 2:07 PM, Andreas Kuhtz 
>> wrote:
>>
>> > Thank you for the response.
>> > I looked at http://repository.apache.org/snapshots/ already, but there is
>> > no 2.2-SNAPSHOT. If someone has permissions to publish the current
>> > 2.2-SNAPSHOT that would be great.
>> >
>>
>> Unfortunately, it's more complicated than that. We have a release process
>> that requires a release manager from our team to volunteer and jump through
>> a bunch of hoops.
>>
>> Gary
>>
>> 
>> >
>> > 2017-09-26 21:59 GMT+02:00 Pascal Schumacher :
>> >
>> > > Sorry my response was less that clear. The public maven repo address is:
>> > > http://repository.apache.org/snapshots/
>> > >
>> > > See: https://www.apache.org/dev/repository-faq.html#basic
>> > >
>> > >
>> > > On 26.09.2017 at 21:56, Pascal Schumacher wrote:
>> > >
>> > >> No idea if there are concrete plans for a release date of
>> > >> commons-configuration 2.2 with the YAML feature.
>> > >>
>> > >> https://repository.apache.org/content/groups/snapshots/org/apache/commons/commons-configuration2/
>> > >> should have a snapshots with the feature.
>> > >>
>> > >> Kind regards,
>> > >> Pascal
>> > >>
>> > >> On 26.09.2017 at 21:43, Andreas Kuhtz wrote:
>> > >>
>> > >>> Hello,
>> > >>>
>> > >>> Is there a planned release date for commons-configuration2 or is a
>> > >>> SNAPSHOT
>> > >>> available in a public maven repo?
>> > >>>
>> > >>> I would like to use the YAML configuration in my project.
>> > >>>
>> > >>> Best regards,
>> > >>> Andreas
>> > >>>
>> > >>>


Re: [configuration] Release date for commons-configuration2 ?

2017-09-27 Thread Andreas Kuhtz
Hi Gary,

I wasn't aware that pushing a SNAPSHOT build needs the release process with
all preparations to be executed, but I'll wait for the next release in this
case.
Thank you for all the good solutions that are provided by the configuration
team.

Andreas

2017-09-26 22:17 GMT+02:00 Gary Gregory :

> On Tue, Sep 26, 2017 at 2:07 PM, Andreas Kuhtz 
> wrote:
>
> > Thank you for the response.
> > I looked at http://repository.apache.org/snapshots/ already, but there is
> > no 2.2-SNAPSHOT. If someone has permissions to publish the current
> > 2.2-SNAPSHOT that would be great.
> >
>
> Unfortunately, it's more complicated than that. We have a release process
> that requires a release manager from our team to volunteer and jump through
> a bunch of hoops.
>
> Gary
>
> 
> >
> > 2017-09-26 21:59 GMT+02:00 Pascal Schumacher :
> >
> > > Sorry my response was less that clear. The public maven repo address is:
> > > http://repository.apache.org/snapshots/
> > >
> > > See: https://www.apache.org/dev/repository-faq.html#basic
> > >
> > >
> > > On 26.09.2017 at 21:56, Pascal Schumacher wrote:
> > >
> > >> No idea if there are concrete plans for a release date of
> > >> commons-configuration 2.2 with the YAML feature.
> > >>
> > >> https://repository.apache.org/content/groups/snapshots/org/apache/commons/commons-configuration2/
> > >> should have a snapshots with the feature.
> > >>
> > >> Kind regards,
> > >> Pascal
> > >>
> > >> On 26.09.2017 at 21:43, Andreas Kuhtz wrote:
> > >>
> > >>> Hello,
> > >>>
> > >>> Is there a planned release date for commons-configuration2 or is a
> > >>> SNAPSHOT
> > >>> available in a public maven repo?
> > >>>
> > >>> I would like to use the YAML configuration in my project.
> > >>>
> > >>> Best regards,
> > >>> Andreas
> > >>>
> > >>>