This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch wheezy in repository libcommons-fileupload-java.
commit bc1cf6e3caa06acc558dc9641e9947e444451983 Merge: a51c452 7279fbb Author: Markus Koschany <[email protected]> Date: Sun Jun 26 17:41:55 2016 +0200 Imported Debian patch 1.2.2-1+deb7u3 LICENSE.txt | 202 +++ NOTICE.txt | 5 + build-gump.xml | 36 + build.xml | 298 +++++ debian/ant.properties | 3 - debian/changelog | 54 + debian/control | 27 +- debian/dirs | 1 - debian/docs | 1 - debian/libcommons-fileupload-java-doc.doc-base | 10 + debian/libcommons-fileupload-java-doc.install | 1 + debian/libcommons-fileupload-java.poms | 2 +- .../{maven.ignoreRules => maven.cleanIgnoreRules} | 2 +- debian/maven.ignoreRules | 4 + debian/maven.properties | 1 + debian/maven.rules | 1 + debian/patches/01-build-jar-without-test-fix.patch | 11 - debian/patches/02_java13.patch | 11 - debian/patches/03_disable-get-deps.patch | 20 - debian/patches/CVE-2013-2186.patch | 39 + debian/patches/CVE-2014-0050.patch | 91 ++ debian/patches/CVE-2016-3092.patch | 50 + debian/patches/remove-unused-test-classes.patch | 496 +++++++ debian/patches/series | 7 +- debian/rules | 16 +- doap_fileupload.rdf | 38 + gump.xml | 56 + pom.xml | 259 ++++ src/changes/changes.xml | 468 +++++++ src/checkstyle/fileupload_basic.xml | 25 + src/checkstyle/fileupload_checks.xml | 224 ++++ src/checkstyle/license-header.txt | 16 + src/conf/MANIFEST.MF | 5 + .../apache/commons/fileupload/DefaultFileItem.java | 80 ++ .../commons/fileupload/DefaultFileItemFactory.java | 107 ++ .../apache/commons/fileupload/DiskFileUpload.java | 212 +++ .../org/apache/commons/fileupload/FileItem.java | 227 ++++ .../apache/commons/fileupload/FileItemFactory.java | 50 + .../apache/commons/fileupload/FileItemHeaders.java | 77 ++ .../commons/fileupload/FileItemHeadersSupport.java | 47 + .../commons/fileupload/FileItemIterator.java | 48 + .../apache/commons/fileupload/FileItemStream.java | 97 ++ .../org/apache/commons/fileupload/FileUpload.java | 106 ++ .../apache/commons/fileupload/FileUploadBase.java | 1379 ++++++++++++++++++++ 
.../commons/fileupload/FileUploadException.java | 99 ++ .../fileupload/InvalidFileNameException.java | 50 + .../apache/commons/fileupload/MultipartStream.java | 1006 ++++++++++++++ .../apache/commons/fileupload/ParameterParser.java | 329 +++++ .../commons/fileupload/ProgressListener.java | 34 + .../apache/commons/fileupload/RequestContext.java | 64 + .../commons/fileupload/disk/DiskFileItem.java | 744 +++++++++++ .../fileupload/disk/DiskFileItemFactory.java | 229 ++++ .../apache/commons/fileupload/disk/package.html | 58 + .../org/apache/commons/fileupload/package.html | 90 ++ .../fileupload/portlet/PortletFileUpload.java | 142 ++ .../fileupload/portlet/PortletRequestContext.java | 108 ++ .../apache/commons/fileupload/portlet/package.html | 49 + .../fileupload/servlet/FileCleanerCleanup.java | 83 ++ .../fileupload/servlet/ServletFileUpload.java | 150 +++ .../fileupload/servlet/ServletRequestContext.java | 107 ++ .../apache/commons/fileupload/servlet/package.html | 49 + .../apache/commons/fileupload/util/Closeable.java | 38 + .../fileupload/util/FileItemHeadersImpl.java | 89 ++ .../fileupload/util/LimitedInputStream.java | 155 +++ .../apache/commons/fileupload/util/Streams.java | 198 +++ .../apache/commons/fileupload/util/package.html | 29 + src/main/assembly/bin.xml | 39 + src/main/assembly/src.xml | 40 + src/media/logo.xcf | Bin 0 -> 25435 bytes src/site/fml/faq.fml | 125 ++ src/site/resources/images/jakarta-logo-blue.gif | Bin 0 -> 4481 bytes src/site/resources/images/logo.gif | Bin 0 -> 4848 bytes src/site/resources/images/logo.png | Bin 0 -> 13786 bytes src/site/site.xml | 42 + src/site/xdoc/customizing.xml | 35 + src/site/xdoc/download_fileupload.xml | 138 ++ src/site/xdoc/index.xml | 132 ++ src/site/xdoc/issue-tracking.xml | 102 ++ src/site/xdoc/mail-lists.xml | 202 +++ src/site/xdoc/overview.xml | 64 + src/site/xdoc/streaming.xml | 88 ++ src/site/xdoc/tasks.xml | 137 ++ src/site/xdoc/using.xml | 444 +++++++ .../commons/fileupload/DefaultFileItemTest.java | 
373 ++++++ .../fileupload/DiskFileItemSerializeTest.java | 269 ++++ .../commons/fileupload/FileItemHeadersTest.java | 84 ++ .../commons/fileupload/FileUploadTestCase.java | 54 + .../fileupload/HttpServletRequestFactory.java | 66 + .../commons/fileupload/MockHttpServletRequest.java | 553 ++++++++ .../commons/fileupload/MockPortletRequest.java | 316 +++++ .../commons/fileupload/MockPortletSession.java | 171 +++ .../commons/fileupload/MultipartStreamTest.java | 57 + .../commons/fileupload/ParameterParserTest.java | 129 ++ .../commons/fileupload/ProgressListenerTest.java | 110 ++ .../commons/fileupload/ServletFileUploadTest.java | 304 +++++ .../org/apache/commons/fileupload/SizesTest.java | 117 ++ .../apache/commons/fileupload/StreamingTest.java | 274 ++++ 97 files changed, 13204 insertions(+), 71 deletions(-) diff --cc debian/changelog index c610ed4,0000000..12ca2d4 mode 100644,000000..100644 --- a/debian/changelog 
+++ b/debian/changelog
@@@ -1,224 -1,0 +1,278 @@@
++libcommons-fileupload-java (1.2.2-1+deb7u3) wheezy-security; urgency=high
++
++ * Team upload
++ * Fix CVE-2016-3092:
++ A denial of service vulnerability was identified in Commons FileUpload that
++ occurred when the length of the multipart boundary was just below the size
++ of the buffer (4096 bytes) used to read the uploaded file. This caused the
++ file upload process to take several orders of magnitude longer than if the
++ boundary was the typical tens of bytes long.
++
++ -- Markus Koschany <[email protected]> Sun, 26 Jun 2016 17:41:55 +0200
++
++libcommons-fileupload-java (1.2.2-1+deb7u2) wheezy-security; urgency=high
++
++ * Team upload.
++ * Fix CVE-2014-0050: Specially crafted input can trigger an infinite loop
++ if the buffer used by the MultipartStream is not big enough. When
++ constructing MultipartStream enforce the requirements for buffer size
++ by throwing an IllegalArgumentException if the requested buffer size is
++ too small. This prevents the DoS.
++ * Enable the unit tests
++
++ -- Emmanuel Bourg <[email protected]> Fri, 07 Feb 2014 17:12:35 +0100
++
++libcommons-fileupload-java (1.2.2-1+deb7u1) wheezy-security; urgency=high
++
++ * Non-maintainer upload by the Security Team.
++ * Add CVE-2013-2186.patch patch.
++ CVE-2013-2186: Arbitrary file upload via deserialization. Properly
++ validate repository in org.apache.commons.fileupload.disk.DiskFileItem.
++ Thanks to Marc Deslauriers <[email protected]> (Closes: #726601)
++ * Add --java-lib to libcommons-fileupload-java.poms.
++ In the resulting binary package the file commons-fileupload.jar in
++ /usr/share/java is missing when rebuilding the package under wheezy.
++ Thanks to Emmanuel Bourg <[email protected]>
++
++ -- Salvatore Bonaccorso <[email protected]> Sat, 21 Dec 2013 22:33:27 +0100
++
++libcommons-fileupload-java (1.2.2-1) unstable; urgency=low
++
++ * New upstream release.
++ * New libcommons-fileupload-java-doc package for Javadoc. ++ * Bump Standards-Version to 3.9.1: ++ - Add recommended get-orig-source target in d/rules. ++ * d/dirs: Remove, uneeded. ++ * Switch to maven-debian-helper for build: ++ - Drop all patches on old Ant build. ++ - Add maven-debian-helper to B-D. ++ - Drop ant from B-D. ++ * Don't Depends on a JRE (not requested anymore by Java Policy for ++ libraries packages). ++ ++ -- Damien Raude-Morvan <[email protected]> Wed, 04 Aug 2010 13:57:04 +0200 ++ +libcommons-fileupload-java (1.2.1-5) unstable; urgency=low + + * (Build-)Depend on libservlet2.5-java instead of libservlet2.4-java + + -- Thierry Carrez <[email protected]> Fri, 11 Jun 2010 15:19:56 +0200 + +libcommons-fileupload-java (1.2.1-4) unstable; urgency=low + + [ Thierry Carrez ] + * Minimal dependency on default-jre-headless | java2-runtime-headless + * debian/ant.properties: Force Java2 code to match dependency + + [ Damien Raude-Morvan ] + * Remove Arnaud from Uploaders. + * Add myself to Uploaders. + * Bump Standards-Version to 3.8.4: no changes needed + * Bump debhelper to >= 7 + * Remove version criteria from cdbs B-D (even stable match version) + * Enable portlet support: + - Remove debian/patches/04_disable-portlet.patch + - Add B-D-I on libportlet-api-2.0-spec-java + - Remove debian/README.Debian + (Closes: #577474) + * Convert to source format 3.0 (quilt) + - Refresh all patches + - Add DEP3 headers to patches + * Register in maven repository: + - B-D-I on maven-repo-helper + - Use mh_installpoms and mh_installjar + + -- Damien Raude-Morvan <[email protected]> Mon, 12 Apr 2010 12:42:16 +0200 + +libcommons-fileupload-java (1.2.1-3) unstable; urgency=low + + * (Build-)Depends on default-jdk. + * (Build-)Depends on libservlet2.4-java. 
+ + -- Michael Koch <[email protected]> Wed, 16 Sep 2009 22:15:26 +0200 + +libcommons-fileupload-java (1.2.1-2) unstable; urgency=low + + [ Emmanuel Bourg ] + * Update of the URLs + * Rename Jakarta Commons to Apache Commons. + * debian/copyright: Switch to Apache License 2.0. Closes: #532889. + + [ Michael Koch ] + * Add '${misc:Depends}' to Depends of libcommons-fileupload-java. + * Converted debian/copyright to UTF-8. + * Move package to section 'java'. + * Update debhelper to >= 5. + * Update Standards-Version 3.8.3. + + -- Michael Koch <[email protected]> Sun, 06 Sep 2009 21:39:24 +0200 + +libcommons-fileupload-java (1.2.1-1) unstable; urgency=low + + [ Michael Koch ] + * New upstream release + * Updated Standards-Version to 3.7.3. + + [ Kumar Appaiah ] + * Update watch file. + * debian/control: + + Add Vcs-{Svn,Browser}. + + Add Homepage field. + + -- Michael Koch <[email protected]> Thu, 14 Feb 2008 17:41:57 +0100 + +libcommons-fileupload-java (1.2-2) unstable; urgency=low + + * Added Depends on libcommons-io-java. Closes: #439860. + + -- Michael Koch <[email protected]> Sat, 01 Sep 2007 22:19:03 +0200 + +libcommons-fileupload-java (1.2-1) unstable; urgency=low + + * New upstream release. Closes: #429638. + - added README.Debian with info about disabled portlet support + - updated patches/01-build-jar-without-test-fix.patch + * Use java-gcj-compat instead of kaffe. + * Renamed debian/patches/02_jikes_1.3.patch to + debian/patches/02_java13.patch and to make sure to have compatibility with + Java 1.3. + * Moved cdbs and debhelper from Build-Depends-Indep to Build-Depends. + * Fixed usage of Homepage: tag in package description. + * Removed Wolfgang and added myself to Uploads + * Updated Standards-Version. + * Removed ant-launcher.jar from explicit list of jars. + * Removed debian/libcommons-fileupload-java.links, debian/install and + debian/links and do the needed stuff in debian/rules. 
+ + -- Michael Koch <[email protected]> Sat, 21 Jul 2007 13:08:32 +0200 + +libcommons-fileupload-java (1.0-14) unstable; urgency=low + + * kaffe compiler transition + * Bump debhelper version to fix linda error + * Removed version constraints already fulfilled by stable + * Formatted description + * Removed unused and wrong README.Debian + * Standards-Version 3.6.2 (no changes) + * Added myself to uploaders + + -- Wolfgang Baer <[email protected]> Wed, 1 Feb 2006 22:44:18 +0100 + +libcommons-fileupload-java (1.0-13) unstable; urgency=low + + * libant1.6-java to ant transition + + -- Arnaud Vandyck <[email protected]> Sat, 20 Aug 2005 19:52:56 +0200 + +libcommons-fileupload-java (1.0-12) unstable; urgency=low + + * debian/control (Build-Depends-Indep, Depends): changed the kaffe + version (closes: #302015) + * Standards-Version: 3.6.1, nothing to change + + -- Arnaud Vandyck <[email protected]> Tue, 5 Apr 2005 16:38:16 +0200 + +libcommons-fileupload-java (1.0-11) unstable; urgency=low + + * build with kaffe + * generate the javadoc + + -- Arnaud Vandyck <[email protected]> Wed, 2 Mar 2005 23:10:46 +0100 + +libcommons-fileupload-java (1.0-10) unstable; urgency=low + + * added a build-dep on libgnujaxp-java because sablevm does not embed + gnujaxp at the moment! (closes: #272387). + + -- Arnaud Vandyck <[email protected]> Tue, 28 Sep 2004 11:34:15 +0200 + +libcommons-fileupload-java (1.0-9) unstable; urgency=low + + * added a patch to force jikes to build against 1.3 (closes: #269254) + * sablevm is used to launch ant and jikes. + * no javadoc at the moment + + -- Arnaud Vandyck <[email protected]> Tue, 14 Sep 2004 13:25:23 +0200 + +libcommons-fileupload-java (1.0-8) unstable; urgency=low + + * debian/watch: added. + + -- Arnaud Vandyck <[email protected]> Sun, 15 Aug 2004 01:54:04 +0200 + +libcommons-fileupload-java (1.0-7) unstable; urgency=low + + * Now really move to main! 
+ + -- Arnaud Vandyck <[email protected]> Sun, 25 Jul 2004 18:36:30 +0200 + +libcommons-fileupload-java (1.0-6) unstable; urgency=low + + * Move to main! Now that libservlet2.3-java is in main, this lib can + move to main + + -- Arnaud Vandyck <[email protected]> Sun, 25 Jul 2004 17:56:26 +0200 + +libcommons-fileupload-java (1.0-5) unstable; urgency=low + + * Removed the dependency to dpatch, update kaffe dependency to 1.1.3, + removed the junit dependency. I now use the cdbs simple-patchsys. + * debian/rules: clean up. + + -- Arnaud Vandyck <[email protected]> Sat, 24 Jan 2004 01:12:16 +0100 + +libcommons-fileupload-java (1.0-4) unstable; urgency=low + + * debian/links: changed the symlink. Thanks to Giuseppe Sacco (closes: + #226928). + + -- Arnaud Vandyck <[email protected]> Sat, 10 Jan 2004 01:05:23 +0100 + +libcommons-fileupload-java (1.0-3) unstable; urgency=low + + * debian/control (Maintainer) (Uploaders): Debian Java Maintainers is + now the maintainer and I added my debian email address to the + Uploaders field. + * debian/README.Debian: Added an explanation why in contrib. + + -- Arnaud Vandyck <[email protected]> Wed, 7 Jan 2004 17:33:53 +0100 + +libcommons-fileupload-java (1.0-2) unstable; urgency=low + + * Build system is now cdbs! the junit test is no more perform at the + moment, a patch has been applyied to suppress it from the build file + * junit is not needed when running (only for test at build time), kaffe + maybe used to run the library, libant-1.5-java is used to build + * I patched build.xml to remove entities because of a bug in kaffe-1.1.1 + (gnujaxp) so now it builds with kaffe... + * Waiting for libservlet2.3-java in main to be in main + + -- Arnaud Vandyck <[email protected]> Sun, 5 Oct 2003 01:58:49 +0200 + +libcommons-fileupload-java (1.0-1) unstable; urgency=low + + * New upstream release + * I do not need to patch build.xml anymore because upstream changed + it. I just have to override the libdir property in + debian/rules. 
Thanks to Martin Cooper. + * There is no more a libcommons-fileupload-java-doc package because it's + to small, so I merged it with the library (dist/doc/*). + * The jar is now in dist directory. + + -- Arnaud Vandyck <[email protected]> Mon, 30 Jun 2003 15:10:36 +0200 + +libcommons-fileupload-java (0.99beta1-2) unstable; urgency=low + + * Library compiled by jikes. Does not need JAVA_HOME anymore + * Typo in description + * Correct version dependency (beanutils) + * Correct the CLASSPATH (do not use version number of the jars) + + -- Arnaud Vandyck <[email protected]> Fri, 30 May 2003 10:18:57 +0200 + +libcommons-fileupload-java (0.99beta1-1) unstable; urgency=low + + * Initial Release. + + -- Arnaud Vandyck <[email protected]> Sun, 13 Apr 2003 18:45:44 +0200 + diff --cc debian/control index 4f47792,0000000..e525757 mode 100644,000000..100644 --- a/debian/control 
+++ b/debian/control @@@ -1,26 -1,0 +1,41 @@@ +Source: libcommons-fileupload-java +Section: java +Priority: optional +Maintainer: Debian Java Maintainers <[email protected]> +Uploaders: Michael Koch <[email protected]>, Damien Raude-Morvan <[email protected]> - Build-Depends: debhelper (>= 7), cdbs, default-jdk, ant - Build-Depends-Indep: libcommons-beanutils-java, libservlet2.5-java, libcommons-io-java, - libportlet-api-2.0-spec-java, maven-repo-helper - Standards-Version: 3.8.4 ++Build-Depends: debhelper (>= 7), cdbs, default-jdk, maven-debian-helper ++Build-Depends-Indep: libservlet2.5-java, libcommons-io-java, libportlet-api-2.0-spec-java, ++ maven-repo-helper, libmaven-javadoc-plugin-java ++Standards-Version: 3.9.1 +Vcs-Svn: svn://svn.debian.org/svn/pkg-java/trunk/libcommons-fileupload-java/ +Vcs-Browser: http://svn.debian.org/wsvn/pkg-java/trunk/libcommons-fileupload-java/ +Homepage: http://commons.apache.org/fileupload/ + +Package: libcommons-fileupload-java +Architecture: all - Depends: default-jre-headless | java2-runtime-headless, libcommons-beanutils-java, libservlet2.5-java, libcommons-io-java, ${misc:Depends} - Recommends: libportlet-api-2.0-spec-java ++Depends: ${misc:Depends}, ${maven:Depends} ++Recommends: ${maven:OptionalDepends} +Description: File upload capability to your servlets and web applications + The Commons FileUpload package makes it easy to add robust, high-performance, + file upload capability to your servlets and web applications. + . + FileUpload parses HTTP requests which conform to RFC 1867, "Form-based File + Upload in HTML". That is, if an HTTP request is submitted using the POST + method, and with a content type of "multipart/form-data", then FileUpload + can parse that request, and make the results available in a manner easily + used by the caller. 
++ ++Package: libcommons-fileupload-java-doc ++Architecture: all ++Section: doc ++Depends: ${misc:Depends}, ${maven:DocDepends} ++Recommends: ${maven:DocOptionalDepends} ++Suggests: libcommons-fileupload-java ++Description: Javadoc API documentation for Commons FileUploads ++ FileUpload parses HTTP requests which conform to RFC 1867, "Form-based File ++ Upload in HTML". That is, if an HTTP request is submitted using the POST ++ method, and with a content type of "multipart/form-data", then FileUpload ++ can parse that request, and make the results available in a manner easily ++ used by the caller. ++ . ++ This package contains Javadoc API documentation for Commons FileUpload. diff --cc debian/libcommons-fileupload-java-doc.doc-base index 0000000,0000000..865ee9b new file mode 100644 --- /dev/null +++ b/debian/libcommons-fileupload-java-doc.doc-base @@@ -1,0 -1,0 +1,10 @@@ ++Document: libcommons-fileupload-javadoc ++Title: API Javadoc for commons-fileupload ++Author: commons-fileupload developers ++Abstract: This is the API Javadoc provided by the commons-upload library. ++Section: Programming ++ ++Format: HTML ++Index: /usr/share/doc/libcommons-fileupload-java/api/index.html ++Files: /usr/share/doc/libcommons-fileupload-java/api/* ++ diff --cc debian/libcommons-fileupload-java-doc.install index 0000000,0000000..8b5219b new file mode 100644 --- /dev/null +++ b/debian/libcommons-fileupload-java-doc.install @@@ -1,0 -1,0 +1,1 @@@ ++target/apidocs/* /usr/share/doc/libcommons-fileupload-java/api/ diff --cc debian/libcommons-fileupload-java.poms index 43e746b,0000000..89f648d mode 100644,000000..100644 --- a/debian/libcommons-fileupload-java.poms +++ b/debian/libcommons-fileupload-java.poms @@@ -1,1 -1,0 +1,1 @@@ - pom.xml --no-parent ++pom.xml --no-parent --java-lib diff --cc debian/maven.cleanIgnoreRules index 2ade134,0000000..f35b818 mode 100644,000000..100644 --- a/debian/maven.cleanIgnoreRules 
+++ b/debian/maven.cleanIgnoreRules @@@ -1,2 -1,0 +1,2 @@@ - junit junit maven-plugin * +org.apache.maven.plugins maven-assembly-plugin maven-plugin * ++org.apache.maven.plugins maven-release-plugin maven-plugin * diff --cc debian/maven.ignoreRules index 2ade134,0000000..727a61b mode 100644,000000..100644 --- a/debian/maven.ignoreRules +++ b/debian/maven.ignoreRules @@@ -1,2 -1,0 +1,6 @@@ +junit junit maven-plugin * +org.apache.maven.plugins maven-assembly-plugin maven-plugin * ++org.apache.maven.plugins maven-release-plugin maven-plugin * ++org.apache.maven.plugins maven-changes-plugin maven-plugin * ++org.apache.maven.plugins maven-checkstyle-plugin maven-plugin * ++org.apache.maven.plugins maven-pmd-plugin maven-plugin * diff --cc debian/maven.properties index 0000000,0000000..d823014 new file mode 100644 --- /dev/null +++ b/debian/maven.properties @@@ -1,0 -1,0 +1,1 @@@ ++maven.test.skip = true diff --cc debian/maven.rules index b1adaf4,0000000..df3bb3f mode 100644,000000..100644 --- a/debian/maven.rules +++ b/debian/maven.rules @@@ -1,2 -1,0 +1,3 @@@ +junit junit jar s/3\..*/3.x/ +s/portlet-api/javax.portlet/ portlet-api jar s/.*/2.0/ ++javax.servlet servlet-api jar s/.*/2.5/ diff --cc debian/patches/CVE-2013-2186.patch index 0000000,0000000..b4eb4d3 new file mode 100644 --- /dev/null 
+++ b/debian/patches/CVE-2013-2186.patch @@@ -1,0 -1,0 +1,39 @@@ ++Description: fix arbitrary file overwrite via poison null byte ++Origin: backport, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048 ++Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601 ++Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174 ++Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814 ++ ++WARNING: this patch contains CRLF line endings, editing it may break it ++ ++Index: libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java ++=================================================================== ++--- libcommons-fileupload-java-1.2.2.orig/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 10:56:14.286994776 -0500 +++++ libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 11:03:26.963005854 -0500 ++@@ -712,6 +712,26 @@ ++ // read values ++ in.defaultReadObject(); ++ +++ /* One expected use of serialization is to migrate HTTP sessions +++ * containing a DiskFileItem between JVMs. Particularly if the JVMs are +++ * on different machines It is possible that the repository location is +++ * not valid so validate it. +++ */ +++ if (repository != null) { +++ if (repository.isDirectory()) { +++ // Check path for nulls +++ if (repository.getPath().contains("\0")) { +++ throw new IOException("The repository [" + +++ repository.getPath() + +++ "] contains a null character"); +++ } +++ } else { +++ throw new IOException("The repository [" + +++ repository.getAbsolutePath() + +++ "] is not a directory"); +++ } +++ } +++ ++ OutputStream output = getOutputStream(); ++ if (cachedContent != null) { ++ output.write(cachedContent); diff --cc debian/patches/CVE-2014-0050.patch index 0000000,0000000..0f25961 new file mode 100644 --- /dev/null 
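Review bot: The new validation in DiskFileItem.readObject() only rejects a deserialized `repository` that is not an existing directory or whose path contains a NUL; any other directory the JVM can write to is still accepted, and the `getOutputStream()` / `output.write(cachedContent)` that follows then materialises the deserialized bytes there, so a session store that is not fully trusted still yields a write to an attacker-chosen existing directory. If the deployment always uses the factory's configured temp directory, consider additionally rejecting anything outside it, e.g. `if (!repository.getCanonicalPath().startsWith(expectedBase.getCanonicalPath())) throw new IOException("The repository [" + repository.getAbsolutePath() + "] is not allowed");`, or at least document on the class that DiskFileItem must not be deserialized from untrusted input. Note also that on newer JDKs `File.isDirectory()` already returns false for a path containing NUL, so the `contains("\0")` branch is presumably only reached on older runtimes; the rejection still happens via the "is not a directory" branch either way. readObject() starts and ends outside this hunk.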
+++ b/debian/patches/CVE-2014-0050.patch @@@ -1,0 -1,0 +1,91 @@@ ++Description: Fixes an infinite loop caused by invalid MIME boundaries ++Author: Mark Thomas <[email protected]>, backported by Emmanuel Bourg <[email protected]> ++Origin: backport from Commons FileUpload 1.3.1, http://svn.apache.org/r1565143 ++--- a/src/java/org/apache/commons/fileupload/FileUploadBase.java +++++ b/src/java/org/apache/commons/fileupload/FileUploadBase.java ++@@ -958,7 +958,11 @@ ++ ++ notifier = new MultipartStream.ProgressNotifier(listener, ++ ctx.getContentLength()); ++- multi = new MultipartStream(input, boundary, notifier); +++ try { +++ multi = new MultipartStream(input, boundary, notifier); +++ } catch (IllegalArgumentException iae) { +++ throw new InvalidContentTypeException("The boundary specified in the " + CONTENT_TYPE + " header is too long", iae); +++ } ++ multi.setHeaderEncoding(charEncoding); ++ ++ skipPreamble = true; ++@@ -1129,7 +1133,7 @@ ++ * detail message. ++ */ ++ public InvalidContentTypeException() { ++- // Nothing to do. +++ super(); ++ } ++ ++ /** ++@@ -1141,6 +1145,10 @@ ++ public InvalidContentTypeException(String message) { ++ super(message); ++ } +++ +++ public InvalidContentTypeException(String msg, Throwable cause) { +++ super(msg, cause); +++ } ++ } ++ ++ /** ++--- a/src/java/org/apache/commons/fileupload/MultipartStream.java +++++ b/src/java/org/apache/commons/fileupload/MultipartStream.java ++@@ -333,8 +333,11 @@ ++ ++ // We prepend CR/LF to the boundary to chop trailng CR/LF from ++ // body-data tokens. 
++- this.boundary = new byte[boundary.length + BOUNDARY_PREFIX.length]; ++ this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length; +++ if (bufSize < this.boundaryLength + 1) { +++ throw new IllegalArgumentException("The buffer size specified for the MultipartStream is too small"); +++ } +++ this.boundary = new byte[this.boundaryLength]; ++ this.keepRegion = this.boundary.length; ++ System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0, ++ BOUNDARY_PREFIX.length); ++--- a/src/test/org/apache/commons/fileupload/MultipartStreamTest.java +++++ b/src/test/org/apache/commons/fileupload/MultipartStreamTest.java ++@@ -36,7 +36,7 @@ ++ final byte[] contents = strData.getBytes(); ++ InputStream input = new ByteArrayInputStream(contents); ++ byte[] boundary = BOUNDARY_TEXT.getBytes(); ++- int iBufSize = boundary.length; +++ int iBufSize = boundary.length + MultipartStream.BOUNDARY_PREFIX.length + 1; ++ MultipartStream ms = new MultipartStream( ++ input, ++ boundary, ++@@ -44,6 +44,26 @@ ++ new MultipartStream.ProgressNotifier(null, contents.length)); ++ } ++ +++ public void testSmallBuffer() throws Exception { +++ try { +++ final String strData = "foobar"; +++ final byte[] contents = strData.getBytes(); +++ InputStream input = new ByteArrayInputStream(contents); +++ byte[] boundary = BOUNDARY_TEXT.getBytes(); +++ int iBufSize = 1; +++ +++ MultipartStream ms = new MultipartStream( +++ input, +++ boundary, +++ iBufSize, +++ new MultipartStream.ProgressNotifier(null, contents.length)); +++ +++ fail("IllegalArgumentException expected"); +++ } catch (IllegalArgumentException e) { +++ // expected +++ } +++ } +++ ++ public void testTwoParamConstructor() throws Exception { ++ final String strData = "foobar"; ++ final byte[] contents = strData.getBytes(); diff --cc debian/patches/CVE-2016-3092.patch index 0000000,0000000..1152001 new file mode 100644 --- /dev/null 
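Review bot: The regression test `testSmallBuffer` added to MultipartStreamTest will not actually run in the package build, because this same commit adds `debian/maven.properties` with `maven.test.skip = true`, which contradicts the "Enable the unit tests" changelog entry for deb7u2 unless debian/rules (not shown here) overrides it; please confirm the CVE-2014-0050 check is exercised somewhere. Separately, the new `InvalidContentTypeException(String msg, Throwable cause)` constructor in FileUploadBase has no Javadoc while its siblings do — add `/** Constructs an InvalidContentTypeException with the specified detail message and cause. @param msg The detail message. @param cause The underlying cause. */`. The catch in FileUploadBase wraps every IllegalArgumentException from the MultipartStream constructor with a "boundary ... is too long" message, which will be misleading once other argument checks are added to that constructor; consider a neutral message such as `"The boundary specified in the " + CONTENT_TYPE + " header is invalid"`.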
+++ b/debian/patches/CVE-2016-3092.patch @@@ -1,0 -1,0 +1,50 @@@ ++From: Markus Koschany <[email protected]> ++Date: Sun, 26 Jun 2016 17:34:37 +0200 ++Subject: CVE-2016-3092 ++ ++A denial of service vulnerability was identified in Commons FileUpload that ++occurred when the length of the multipart boundary was just below the size of ++the buffer (4096 bytes) used to read the uploaded file. This caused the file ++upload process to take several orders of magnitude longer than if the boundary ++was the typical tens of bytes long. ++ ++Upstream advisory: ++http://markmail.org/message/oyxfv73jb2g7rjg3 ++ ++Origin: https://svn.apache.org/r1743480 ++--- ++ .../org/apache/commons/fileupload/MultipartStream.java | 14 ++++++++++---- ++ 1 file changed, 10 insertions(+), 4 deletions(-) ++ ++diff --git a/src/java/org/apache/commons/fileupload/MultipartStream.java b/src/java/org/apache/commons/fileupload/MultipartStream.java ++index 1412d01..e324081 100644 ++--- a/src/java/org/apache/commons/fileupload/MultipartStream.java +++++ b/src/java/org/apache/commons/fileupload/MultipartStream.java ++@@ -326,10 +326,10 @@ public class MultipartStream { ++ byte[] boundary, ++ int bufSize, ++ ProgressNotifier pNotifier) { ++- this.input = input; ++- this.bufSize = bufSize; ++- this.buffer = new byte[bufSize]; ++- this.notifier = pNotifier; +++ +++ if (boundary == null) { +++ throw new IllegalArgumentException("boundary may not be null"); +++ } ++ ++ // We prepend CR/LF to the boundary to chop trailng CR/LF from ++ // body-data tokens. 
++@@ -337,6 +337,12 @@ public class MultipartStream { ++ if (bufSize < this.boundaryLength + 1) { ++ throw new IllegalArgumentException("The buffer size specified for the MultipartStream is too small"); ++ } +++ +++ this.input = input; +++ this.bufSize = Math.max(bufSize, boundaryLength*2); +++ this.buffer = new byte[this.bufSize]; +++ this.notifier = pNotifier; +++ ++ this.boundary = new byte[this.boundaryLength]; ++ this.keepRegion = this.boundary.length; ++ System.arraycopy(BOUNDARY_PREFIX, 0, this.boundary, 0, diff --cc debian/patches/remove-unused-test-classes.patch index 0000000,0000000..3b554c0 new file mode 100644 --- /dev/null 
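Review bot: `this.bufSize = Math.max(bufSize, boundaryLength*2)` silently enlarges the buffer the caller asked for, and `boundaryLength` is derived from the attacker-controlled Content-Type boundary, so the allocation size is now request-influenced (bounded, presumably, by the container's maximum header size, but that limit is not visible here). The constructor Javadoc, which lies outside this hunk, should state this, e.g. `@param bufSize The size of the buffer to be used; it is raised to at least twice the boundary length, presumably so that each refill reads more fresh data than the boundary-sized tail it has to keep.` The new `boundary == null` guard is correctly placed before `boundary.length` is read; `input` is still not checked, though a null there only fails later on the first read rather than at construction.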
+++ b/debian/patches/remove-unused-test-classes.patch @@@ -1,0 -1,0 +1,496 @@@ ++Description: Removes unused test classes that prevent the tests from compiling ++Author: Emmanuel Bourg <[email protected]> ++Forwarded: yes ++--- a/src/test/org/apache/commons/fileupload/MockPortletRequest.java +++++ /dev/null ++@@ -1,316 +0,0 @@ ++-/* ++- * Licensed to the Apache Software Foundation (ASF) under one or more ++- * contributor license agreements. See the NOTICE file distributed with ++- * this work for additional information regarding copyright ownership. ++- * The ASF licenses this file to You under the Apache License, Version 2.0 ++- * (the "License"); you may not use this file except in compliance with ++- * the License. You may obtain a copy of the License at ++- * ++- * http://www.apache.org/licenses/LICENSE-2.0 ++- * ++- * Unless required by applicable law or agreed to in writing, software ++- * distributed under the License is distributed on an "AS IS" BASIS, ++- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++- * See the License for the specific language governing permissions and ++- * limitations under the License. 
++- */ ++-package org.apache.commons.fileupload; ++- ++-import java.security.Principal; ++-import java.util.Enumeration; ++-import java.util.Locale; ++-import java.util.Map; ++- ++-import javax.portlet.PortalContext; ++-import javax.portlet.PortletMode; ++-import javax.portlet.PortletPreferences; ++-import javax.portlet.PortletRequest; ++-import javax.portlet.PortletSession; ++-import javax.portlet.WindowState; ++- ++-/** ++- * A mock portlet request, useful for unit testing and offline utilities ++- * ++- * @author <a href="mailto:[email protected]">David Sean Taylor</a> ++- * @version $Id: MockPortletRequest.java 479262 2006-11-26 03:09:24Z niallp $ ++- */ ++-public class MockPortletRequest implements PortletRequest ++-{ ++- MockPortletSession session = null; ++- ++- public MockPortletRequest() ++- { ++- session = new MockPortletSession(); ++- } ++- ++- /* (non-Javadoc) ++- * @see javax.portlet.PortletRequest#isWindowStateAllowed(javax.portlet.WindowState) ++- */ ++- public boolean isWindowStateAllowed(WindowState state) ++- { ++- // TODO Auto-generated method stub ++- return false; ++- } ++- /* (non-Javadoc) ++- * @see javax.portlet.PortletRequest#isPortletModeAllowed(javax.portlet.PortletMode) ++- */ ++- public boolean isPortletModeAllowed(PortletMode mode) ++- { ++- // TODO Auto-generated method stub ++- return false; ++- } ++- /* (non-Javadoc) ++- * @see javax.portlet.PortletRequest#getPortletMode() ++- */ ++- public PortletMode getPortletMode() ++- { ++- // TODO Auto-generated method stub ++- return null; ++- } ++- /* (non-Javadoc) ++- * @see javax.portlet.PortletRequest#getWindowState() ++- */ ++- public WindowState getWindowState() ++- { ++- // TODO Auto-generated method stub ++- return null; ++- } ++- /* (non-Javadoc) ++- * @see javax.portlet.PortletRequest#getPreferences() ++- */ ++- public PortletPreferences getPreferences() ++- { ++- // TODO Auto-generated method stub ++- return null; ++- } ++- /* (non-Javadoc) ++- * @see 
javax.portlet.PortletRequest#getPortletSession()
++- */
++- public PortletSession getPortletSession()
++- {
++- return session;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getPortletSession(boolean)
++- */
++- public PortletSession getPortletSession(boolean create)
++- {
++- if (session == null)
++- {
++- session = new MockPortletSession();
++- }
++- return session;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getProperty(java.lang.String)
++- */
++- public String getProperty(String name)
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getProperties(java.lang.String)
++- */
++- public Enumeration getProperties(String name)
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getPropertyNames()
++- */
++- public Enumeration getPropertyNames()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getPortalContext()
++- */
++- public PortalContext getPortalContext()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getAuthType()
++- */
++- public String getAuthType()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getContextPath()
++- */
++- public String getContextPath()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getRemoteUser()
++- */
++- public String getRemoteUser()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getUserPrincipal()
++- */
++- public Principal getUserPrincipal()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#isUserInRole(java.lang.String)
++- */
++- public boolean isUserInRole(String role)
++- {
++- // TODO Auto-generated method stub
++- return false;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getAttribute(java.lang.String)
++- */
++- public Object getAttribute(String name)
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getAttributeNames()
++- */
++- public Enumeration getAttributeNames()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getParameter(java.lang.String)
++- */
++- public String getParameter(String name)
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getParameterNames()
++- */
++- public Enumeration getParameterNames()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getParameterValues(java.lang.String)
++- */
++- public String[] getParameterValues(String name)
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getParameterMap()
++- */
++- public Map getParameterMap()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#isSecure()
++- */
++- public boolean isSecure()
++- {
++- // TODO Auto-generated method stub
++- return false;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#setAttribute(java.lang.String, java.lang.Object)
++- */
++- public void setAttribute(String name, Object o)
++- {
++- // TODO Auto-generated method stub
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#removeAttribute(java.lang.String)
++- */
++- public void removeAttribute(String name)
++- {
++- // TODO Auto-generated method stub
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getRequestedSessionId()
++- */
++- public String getRequestedSessionId()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#isRequestedSessionIdValid()
++- */
++- public boolean isRequestedSessionIdValid()
++- {
++- // TODO Auto-generated method stub
++- return false;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getResponseContentType()
++- */
++- public String getResponseContentType()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getResponseContentTypes()
++- */
++- public Enumeration getResponseContentTypes()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getLocale()
++- */
++- public Locale getLocale()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getScheme()
++- */
++- public String getScheme()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getServerName()
++- */
++- public String getServerName()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletRequest#getServerPort()
++- */
++- public int getServerPort()
++- {
++- // TODO Auto-generated method stub
++- return 0;
++- }
++-
++- public Enumeration getLocales()
++- {
++- return null;
++- }
++-
++-}
++--- a/src/test/org/apache/commons/fileupload/MockPortletSession.java
+++++ /dev/null
++@@ -1,171 +0,0 @@
++-/*
++- * Licensed to the Apache Software Foundation (ASF) under one or more
++- * contributor license agreements. See the NOTICE file distributed with
++- * this work for additional information regarding copyright ownership.
++- * The ASF licenses this file to You under the Apache License, Version 2.0
++- * (the "License"); you may not use this file except in compliance with
++- * the License. You may obtain a copy of the License at
++- *
++- * http://www.apache.org/licenses/LICENSE-2.0
++- *
++- * Unless required by applicable law or agreed to in writing, software
++- * distributed under the License is distributed on an "AS IS" BASIS,
++- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++- * See the License for the specific language governing permissions and
++- * limitations under the License.
++- */
++-package org.apache.commons.fileupload;
++-
++-import java.util.Enumeration;
++-import java.util.Hashtable;
++-import javax.portlet.PortletContext;
++-import javax.portlet.PortletSession;
++-
++-/**
++- * A mock portlet session, useful for unit testing and offline utilities
++- * Note: currently doesn't support scoping
++- *
++- * @author <a href="mailto:[email protected]">David Sean Taylor</a>
++- * @version $Id: MockPortletSession.java 479262 2006-11-26 03:09:24Z niallp $
++- */
++-public class MockPortletSession implements PortletSession
++-{
++- // Hashtable (not HashMap) makes enumerations easier to work with
++- Hashtable attributes = new Hashtable();
++-
++- public MockPortletSession()
++- {
++- }
++-
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#getAttribute(java.lang.String)
++- */
++- public Object getAttribute(String name)
++- {
++- return attributes.get(name);
++- }
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#getAttribute(java.lang.String, int)
++- */
++- public Object getAttribute(String name, int scope)
++- {
++- return attributes.get(name);
++- }
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#getAttributeNames(int)
++- */
++- public Enumeration getAttributeNames(int scope)
++- {
++- return attributes.keys();
++- }
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#getCreationTime()
++- */
++- public long getCreationTime()
++- {
++- // TODO Auto-generated method stub
++- return 0;
++- }
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#getId()
++- */
++- public String getId()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#getLastAccessedTime()
++- */
++- public long getLastAccessedTime()
++- {
++- // TODO Auto-generated method stub
++- return 0;
++- }
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#getMaxInactiveInterval()
++- */
++- public int getMaxInactiveInterval()
++- {
++- // TODO Auto-generated method stub
++- return 0;
++- }
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#invalidate()
++- */
++- public void invalidate()
++- {
++- // TODO Auto-generated method stub
++- }
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#isNew()
++- */
++- public boolean isNew()
++- {
++- // TODO Auto-generated method stub
++- return false;
++- }
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#removeAttribute(java.lang.String)
++- */
++- public void removeAttribute(String name)
++- {
++- attributes.remove(name);
++- }
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#removeAttribute(java.lang.String, int)
++- */
++- public void removeAttribute(String name, int scope)
++- {
++- attributes.remove(name);
++- }
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#setAttribute(java.lang.String, java.lang.Object)
++- */
++- public void setAttribute(String name, Object value)
++- {
++- attributes.put(name, value);
++- }
++-
++- public Enumeration getAttributeNames()
++- {
++- return this.getAttributeNames(PortletSession.PORTLET_SCOPE);
++- }
++-
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#setAttribute(java.lang.String, java.lang.Object, int)
++- */
++- public void setAttribute(String name, Object value, int scope)
++- {
++- attributes.put(name, value);
++- }
++-
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#setMaxInactiveInterval(int)
++- */
++- public void setMaxInactiveInterval(int interval)
++- {
++- // TODO Auto-generated method stub
++- }
++- /* (non-Javadoc)
++- * @see javax.portlet.PortletSession#getPortletContext()
++- */
++- public PortletContext getPortletContext()
++- {
++- // TODO Auto-generated method stub
++- return null;
++- }
++-}
diff --cc debian/patches/series
index 0960211,0000000..3544b27
mode 100644,000000..100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@@ -1,3 -1,0 +1,4 @@@
- 01-build-jar-without-test-fix.patch
- 02_java13.patch
- 03_disable-get-deps.patch
++CVE-2013-2186.patch
++CVE-2014-0050.patch
++remove-unused-test-classes.patch
++CVE-2016-3092.patch
diff --cc debian/rules
index 9392d85,0000000..d35b4e9
mode 100755,000000..100755
--- a/debian/rules
+++ b/debian/rules
@@@ -1,20 -1,0 +1,10 @@@
+#!/usr/bin/make -f
+# debian/rules for Commons Fileupload (uses CDBS)
+
+include /usr/share/cdbs/1/rules/debhelper.mk
- include /usr/share/cdbs/1/class/ant.mk
++include /usr/share/cdbs/1/class/maven.mk
+
+JAVA_HOME_DIRS := /usr/lib/jvm/default-java
+
- DEB_JARS := servlet-api-2.5 commons-io portlet-api
- DEB_ANT_BUILD_TARGET := dist
-
- LIBRARY=commons-fileupload
-
- install/libcommons-fileupload-java::
- mh_installpoms -plibcommons-fileupload-java
- mh_installjar -plibcommons-fileupload-java -l pom.xml dist/$(LIBRARY)-$(DEB_UPSTREAM_VERSION).jar
-
- clean::
- -rm -fr lib
- -rm -rf debian/tmp
++get-orig-source:
++ uscan --force-download --rename
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libcommons-fileupload-java.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
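Review bot: The new `get-orig-source` target fetches the upstream tarball with `uscan --force-download --rename`, and nothing in this hunk verifies what it downloads, so the integrity of the imported source rests entirely on what debian/watch configures, which is not visible in this commit. If debian/watch does not already set `pgpmode`/`pgpsigurlmangle` with the upstream key in debian/upstream/signing-key.asc, adding that lets uscan check the upstream signature at fetch time instead of trusting the transport alone. A one-line comment above the target would make that expectation explicit for the next maintainer, e.g. `# get-orig-source: tarball integrity relies on the signature check configured in debian/watch`. Note also that `--force-download` re-fetches even when a matching tarball is already present locally, which is fine for a one-off import but worth knowing when the target is run repeatedly.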

