Author: apo Date: 2018-01-09 20:42:28 +0000 (Tue, 09 Jan 2018) New Revision: 19310
Added: trunk/plexus-utils/debian/orig-tar.sh trunk/plexus-utils/debian/patches/ trunk/plexus-utils/debian/patches/CVE-2017-1000487.patch trunk/plexus-utils/debian/patches/series Modified: trunk/plexus-utils/debian/changelog trunk/plexus-utils/debian/compat trunk/plexus-utils/debian/control trunk/plexus-utils/debian/copyright trunk/plexus-utils/debian/rules trunk/plexus-utils/debian/watch Log: Release plexus-utils 1:1.5.15-5 Modified: trunk/plexus-utils/debian/changelog =================================================================== --- trunk/plexus-utils/debian/changelog 2018-01-04 00:30:56 UTC (rev 19309) +++ trunk/plexus-utils/debian/changelog 2018-01-09 20:42:28 UTC (rev 19310) @@ -1,16 +1,18 @@ -plexus-utils (1:1.5.15-5) UNRELEASED; urgency=low +plexus-utils (1:1.5.15-5) unstable; urgency=high * Team upload. - * debian/control: - - Use canonical URLs for the Vcs-* fields - - Updated Standards-Version to 3.9.4 (no changes) - - Removed Michael Koch from the uploaders (Closes: #654127) - * Build depend on debhelper >= 9 - * debian/rules: Improved the clean target - * debian/watch: Updated to watch the new release tags on Github - * Removed debian/orig-tar.sh and use the tarball from Github directly + * Switch to compat level 10. + * wrap-and-sort -sa. + * Declare compliance with Debian Policy 4.1.3. + * Remove Michael Koch from Uploaders because he is not active anymore. + (Closes: #654127) + * Use only Build-Depends field. + * Fix CVE-2017-1000487: Shell command injection vulnerability. + * Change homepage address to Git repository at github.com. + * Update watch file because codehaus.org is obsolete. + Use the same one as plexus-utils2. - -- Emmanuel Bourg <[email protected]> Wed, 23 Oct 2013 12:25:00 +0200 + -- Markus Koschany <[email protected]> Tue, 09 Jan 2018 20:59:32 +0100 plexus-utils (1:1.5.15-4) unstable; urgency=low 
@@ -40,8 +42,8 @@ * Add the Maven POM to the package, * Add a Build-Depends-Indep dependency on maven-repo-helper * Use mh_installpom and mh_installjar to install the POM and the jar to the - Maven repository - * Remove the dependency on default-java and java2-runtime as this is a + Maven repository + * Remove the dependency on default-java and java2-runtime as this is a library -- Ludovic Claude <[email protected]> Thu, 02 Jul 2009 14:41:15 +0000 Modified: trunk/plexus-utils/debian/compat =================================================================== --- trunk/plexus-utils/debian/compat 2018-01-04 00:30:56 UTC (rev 19309) +++ trunk/plexus-utils/debian/compat 2018-01-09 20:42:28 UTC (rev 19310) @@ -1 +1 @@ -9 +10 Modified: trunk/plexus-utils/debian/control =================================================================== --- trunk/plexus-utils/debian/control 2018-01-04 00:30:56 UTC (rev 19309) +++ trunk/plexus-utils/debian/control 2018-01-09 20:42:28 UTC (rev 19310) 
@@ -2,18 +2,30 @@ Section: java Priority: optional Maintainer: Debian Java Maintainers <[email protected]> -Uploaders: Torsten Werner <[email protected]>, Ludovic Claude <[email protected]> -Build-Depends-Indep: libplexus-interpolation-java, libxalan2-java, maven-repo-helper -Build-Depends: ant, cdbs (>= 0.4.5.3), debhelper (>= 9), default-jdk -Standards-Version: 3.9.4 +Uploaders: + Torsten Werner <[email protected]>, + Ludovic Claude <[email protected]> +Build-Depends: + ant, + cdbs (>= 0.4.5.3), + debhelper (>= 10), + default-jdk, + libplexus-interpolation-java, + libxalan2-java, + maven-repo-helper +Standards-Version: 4.1.3 +Homepage: https://github.com/codehaus-plexus/plexus-utils/ Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/plexus-utils -Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/plexus-utils -Homepage: http://plexus.codehaus.org +Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-java/trunk/plexus-utils Package: libplexus-utils-java Architecture: all -Depends: libplexus-interpolation-java, libxalan2-java, ${misc:Depends} -Suggests: libplexus-utils-java-doc +Depends: + libplexus-interpolation-java, + libxalan2-java, + ${misc:Depends} +Suggests: + libplexus-utils-java-doc Description: utilities for the Plexus framework The Plexus project provides a full software stack for creating and executing software projects. Based on the Plexus container, the applications can 
@@ -36,8 +48,11 @@ Package: libplexus-utils-java-doc Architecture: all Section: doc -Depends: default-jdk-doc, ${misc:Depends} -Suggests: libplexus-utils-java +Depends: + default-jdk-doc, + ${misc:Depends} +Suggests: + libplexus-utils-java Description: API Documentation for plexus-utils The Plexus project provides a full software stack for creating and executing software projects. Based on the Plexus container, the applications can Modified: trunk/plexus-utils/debian/copyright =================================================================== --- trunk/plexus-utils/debian/copyright 2018-01-04 00:30:56 UTC (rev 19309) +++ trunk/plexus-utils/debian/copyright 2018-01-09 20:42:28 UTC (rev 19310) @@ -1,9 +1,9 @@ This package was debianized by Trygve Laugstøl <[email protected]> on Tue, 19 Aug 2005 00:26:30 +0100. -libplex-utils was downloaded from http://plexus.codehaus.org/ +The source for plexus-utils can be found at https://github.com/codehaus-plexus/plexus-utils/ -Upstream Authors: +Upstream Authors: Javolution ThoughtWorks, Inc The Apache Software Foundation 
@@ -44,33 +44,33 @@ Copyright (c) 2002 Extreme! Lab, Indiana University. All rights reserved. - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, + 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - 3. The end-user documentation included with the redistribution, if any, + 3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: - "This product includes software developed by the Indiana University + "This product includes software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/)." - Alternately, this acknowledgment may appear in the software itself, + Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear. - 4. The names "Indiana Univeristy" and "Indiana Univeristy Extreme! Lab" - must not be used to endorse or promote products derived from this - software without prior written permission. For written permission, + 4. The names "Indiana Univeristy" and "Indiana Univeristy Extreme! Lab" + must not be used to endorse or promote products derived from this + software without prior written permission. For written permission, please contact http://www.extreme.indiana.edu/. - 5. 
Products derived from this software may not use "Indiana Univeristy" - name nor may "Indiana Univeristy" appear in their name, without prior + 5. Products derived from this software may not use "Indiana Univeristy" + name nor may "Indiana Univeristy" appear in their name, without prior written permission of the Indiana University. THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED 
@@ -99,17 +99,17 @@ and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR - ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR + ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - + /******************************************************************************** * CruiseControl, a Continuous Integration Toolkit * Copyright (c) 2001-2003, ThoughtWorks, Inc. Added: trunk/plexus-utils/debian/orig-tar.sh =================================================================== --- trunk/plexus-utils/debian/orig-tar.sh (rev 0) +++ trunk/plexus-utils/debian/orig-tar.sh 2018-01-09 20:42:28 UTC (rev 19310) 
@@ -0,0 +1,16 @@ +#!/bin/sh -e + +TAR=../libplexus-utils_$2.orig.tar.gz +DIR=plexus-utils-$2 +TAG=plexus-utils-$2 + +svn export http://svn.codehaus.org/plexus/plexus-utils/tags/$TAG $DIR +tar -c -z -f $TAR $DIR +rm -rf $DIR ../$TAG + +# move to directory 'tarballs' +if [ -r .svn/deb-layout ]; then + . .svn/deb-layout + mv $TAR $origDir + echo "moved $TAR to $origDir" +fi Property changes on: trunk/plexus-utils/debian/orig-tar.sh ___________________________________________________________________ Added: svn:executable + * Added: trunk/plexus-utils/debian/patches/CVE-2017-1000487.patch =================================================================== --- trunk/plexus-utils/debian/patches/CVE-2017-1000487.patch (rev 0) +++ trunk/plexus-utils/debian/patches/CVE-2017-1000487.patch 2018-01-09 20:42:28 UTC (rev 19310) 
@@ -0,0 +1,524 @@ +From: Markus Koschany <[email protected]> +Date: Tue, 9 Jan 2018 20:45:31 +0100 +Subject: CVE-2017-1000487 + +Bug-Upstream: https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522 +Origin: https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41 +--- + .../org/codehaus/plexus/util/cli/Commandline.java | 38 +++++++++++--- + .../plexus/util/cli/shell/BourneShell.java | 60 +++++++--------------- + .../org/codehaus/plexus/util/cli/shell/Shell.java | 35 ++++++++++--- + .../codehaus/plexus/util/cli/CommandlineTest.java | 37 +++++++------ + .../plexus/util/cli/shell/BourneShellTest.java | 17 +++--- + 5 files changed, 106 insertions(+), 81 deletions(-) + +diff --git a/src/main/java/org/codehaus/plexus/util/cli/Commandline.java b/src/main/java/org/codehaus/plexus/util/cli/Commandline.java +index 5e0d5af..7346c7e 100644 +--- a/src/main/java/org/codehaus/plexus/util/cli/Commandline.java ++++ b/src/main/java/org/codehaus/plexus/util/cli/Commandline.java +@@ -139,6 +139,8 @@ public class Commandline + * Create a new command line object. + * Shell is autodetected from operating system + * ++ * Shell usage is only desirable when generating code for remote execution. ++ * + * @param toProcess + */ + public Commandline( String toProcess, Shell shell ) +@@ -167,6 +169,8 @@ public class Commandline + /** + * Create a new command line object. + * Shell is autodetected from operating system ++ * ++ * Shell usage is only desirable when generating code for remote execution. + */ + public Commandline( Shell shell ) + { +@@ -174,8 +178,7 @@ public class Commandline + } + + /** +- * Create a new command line object. +- * Shell is autodetected from operating system ++ * Create a new command line object, given a command following POSIX sh quoting rules + * + * @param toProcess + */ +@@ -203,7 +206,6 @@ public class Commandline + + /** + * Create a new command line object. 
+- * Shell is autodetected from operating system + */ + public Commandline() + { +@@ -253,7 +255,7 @@ public class Commandline + { + if ( realPos == -1 ) + { +- realPos = ( getExecutable() == null ? 0 : 1 ); ++ realPos = ( getLiteralExecutable() == null ? 0 : 1 ); + for ( int i = 0; i < position; i++ ) + { + Arg arg = (Arg) arguments.elementAt( i ); +@@ -404,6 +406,21 @@ public class Commandline + this.executable = executable; + } + ++ /** ++ * @return Executable to be run, as a literal string (no shell quoting/munging) ++ */ ++ public String getLiteralExecutable() ++ { ++ return executable; ++ } ++ ++ /** ++ * Return an executable name, quoted for shell use. ++ * ++ * Shell usage is only desirable when generating code for remote execution. ++ * ++ * @return Executable to be run, quoted for shell interpretation ++ */ + public String getExecutable() + { + String exec = shell.getExecutable(); +@@ -483,7 +500,7 @@ public class Commandline + public String[] getCommandline() + { + final String[] args = getArguments(); +- String executable = getExecutable(); ++ String executable = getLiteralExecutable(); + + if ( executable == null ) + { +@@ -497,6 +514,8 @@ public class Commandline + + /** + * Returns the shell, executable and all defined arguments. ++ * ++ * Shell usage is only desirable when generating code for remote execution. + */ + public String[] getShellCommandline() + { +@@ -633,7 +652,7 @@ public class Commandline + { + if ( workingDir == null ) + { +- process = Runtime.getRuntime().exec( getShellCommandline(), environment ); ++ process = Runtime.getRuntime().exec( getCommandline(), environment, workingDir ); + } + else + { +@@ -648,7 +667,7 @@ public class Commandline + + "\" does not specify a directory." 
); + } + +- process = Runtime.getRuntime().exec( getShellCommandline(), environment, workingDir ); ++ process = Runtime.getRuntime().exec( getCommandline(), environment, workingDir ); + } + } + catch ( IOException ex ) +@@ -669,7 +688,7 @@ public class Commandline + shell.setWorkingDirectory( workingDir ); + } + +- if ( shell.getExecutable() == null ) ++ if ( shell.getOriginalExecutable() == null ) + { + shell.setExecutable( executable ); + } +@@ -684,6 +703,8 @@ public class Commandline + /** + * Allows to set the shell to be used in this command line. + * ++ * Shell usage is only desirable when generating code for remote execution. ++ * + * @param shell + * @since 1.2 + */ +@@ -695,6 +716,7 @@ public class Commandline + /** + * Get the shell to be used in this command line. + * ++ * Shell usage is only desirable when generating code for remote execution. + * @since 1.2 + */ + public Shell getShell() +diff --git a/src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java b/src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java +index afde64f..325ba0e 100644 +--- a/src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java ++++ b/src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java +@@ -17,7 +17,6 @@ package org.codehaus.plexus.util.cli.shell; + */ + + import org.codehaus.plexus.util.Os; +-import org.codehaus.plexus.util.StringUtils; + + import java.util.ArrayList; + import java.util.List; +@@ -29,34 +28,18 @@ import java.util.List; + public class BourneShell + extends Shell + { +- private static final char[] BASH_QUOTING_TRIGGER_CHARS = { +- ' ', +- '$', +- ';', +- '&', +- '|', +- '<', +- '>', +- '*', +- '?', +- '(', +- ')', +- '[', +- ']', +- '{', +- '}', +- '`' }; + + public BourneShell() + { +- this( false ); ++ this(false); + } + + public BourneShell( boolean isLoginShell ) + { ++ setUnconditionalQuoting( true ); + setShellCommand( "/bin/sh" ); + setArgumentQuoteDelimiter( '\'' ); +- setExecutableQuoteDelimiter( '\"' ); 
++ setExecutableQuoteDelimiter( '\'' ); + setSingleQuotedArgumentEscaped( true ); + setSingleQuotedExecutableEscaped( false ); + setQuotedExecutableEnabled( true ); +@@ -75,7 +58,7 @@ public class BourneShell + return super.getExecutable(); + } + +- return unifyQuotes( super.getExecutable()); ++ return quoteOneItem( super.getOriginalExecutable(), true ); + } + + public List getShellArgsList() +@@ -125,46 +108,41 @@ public class BourneShell + StringBuffer sb = new StringBuffer(); + sb.append( "cd " ); + +- sb.append( unifyQuotes( dir ) ); ++ sb.append( quoteOneItem( dir, false ) ); + sb.append( " && " ); + + return sb.toString(); + } + +- protected char[] getQuotingTriggerChars() +- { +- return BASH_QUOTING_TRIGGER_CHARS; +- } +- + /** + * <p>Unify quotes in a path for the Bourne Shell.</p> + * + * <pre> +- * BourneShell.unifyQuotes(null) = null +- * BourneShell.unifyQuotes("") = (empty) +- * BourneShell.unifyQuotes("/test/quotedpath'abc") = /test/quotedpath\'abc +- * BourneShell.unifyQuotes("/test/quoted path'abc") = "/test/quoted path'abc" +- * BourneShell.unifyQuotes("/test/quotedpath\"abc") = "/test/quotedpath\"abc" +- * BourneShell.unifyQuotes("/test/quoted path\"abc") = "/test/quoted path\"abc" +- * BourneShell.unifyQuotes("/test/quotedpath\"'abc") = "/test/quotedpath\"'abc" +- * BourneShell.unifyQuotes("/test/quoted path\"'abc") = "/test/quoted path\"'abc" ++ * BourneShell.quoteOneItem(null) = null ++ * BourneShell.quoteOneItem("") = '' ++ * BourneShell.quoteOneItem("/test/quotedpath'abc") = '/test/quotedpath'"'"'abc' ++ * BourneShell.quoteOneItem("/test/quoted path'abc") = '/test/quoted pat'"'"'habc' ++ * BourneShell.quoteOneItem("/test/quotedpath\"abc") = '/test/quotedpath"abc' ++ * BourneShell.quoteOneItem("/test/quoted path\"abc") = '/test/quoted path"abc' ++ * BourneShell.quoteOneItem("/test/quotedpath\"'abc") = '/test/quotedpath"'"'"'abc' ++ * BourneShell.quoteOneItem("/test/quoted path\"'abc") = '/test/quoted path"'"'"'abc' + * </pre> + * + * @param 
path not null path. + * @return the path unified correctly for the Bourne shell. + */ +- protected static String unifyQuotes( String path ) ++ protected String quoteOneItem( String path, boolean isExecutable ) + { + if ( path == null ) + { + return null; + } + +- if ( path.indexOf( " " ) == -1 && path.indexOf( "'" ) != -1 && path.indexOf( "\"" ) == -1 ) +- { +- return StringUtils.escape( path ); +- } ++ StringBuilder sb = new StringBuilder(); ++ sb.append( "'" ); ++ sb.append( path.replace( "'", "'\"'\"'" ) ); ++ sb.append( "'" ); + +- return StringUtils.quoteAndEscape( path, '\"', BASH_QUOTING_TRIGGER_CHARS ); ++ return sb.toString(); + } + } +diff --git a/src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java b/src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java +index f51f6ad..7041e28 100644 +--- a/src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java ++++ b/src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java +@@ -48,6 +48,8 @@ public class Shell + + private boolean quotedArgumentsEnabled = true; + ++ private boolean unconditionallyQuote = false; ++ + private String executable; + + private String workingDir; +@@ -66,6 +68,16 @@ public class Shell + + private char exeQuoteDelimiter = '\"'; + ++ /** ++ * Toggle unconditional quoting ++ * ++ * @param unconditionallyQuote ++ */ ++ public void setUnconditionalQuoting(boolean unconditionallyQuote) ++ { ++ this.unconditionallyQuote = unconditionallyQuote; ++ } ++ + /** + * Set the command to execute the shell (eg. COMMAND.COM, /bin/bash,...) + * +@@ -98,6 +110,19 @@ public class Shell + this.shellArgs.addAll( Arrays.asList( shellArgs ) ); + } + ++ protected String quoteOneItem(String inputString, boolean isExecutable) ++ { ++ char[] escapeChars = getEscapeChars( isSingleQuotedExecutableEscaped(), isDoubleQuotedExecutableEscaped() ); ++ return StringUtils.quoteAndEscape( ++ inputString, ++ isExecutable ? 
getExecutableQuoteDelimiter() : getArgumentQuoteDelimiter(), ++ escapeChars, ++ getQuotingTriggerChars(), ++ '\\', ++ unconditionallyQuote ++ ); ++ } ++ + /** + * Get the shell arguments + * +@@ -142,9 +167,7 @@ public class Shell + + if ( isQuotedExecutableEnabled() ) + { +- char[] escapeChars = getEscapeChars( isSingleQuotedExecutableEscaped(), isDoubleQuotedExecutableEscaped() ); +- +- sb.append( StringUtils.quoteAndEscape( getExecutable(), getExecutableQuoteDelimiter(), escapeChars, getQuotingTriggerChars(), '\\', false ) ); ++ sb.append( quoteOneItem( getOriginalExecutable(), true ) ); + } + else + { +@@ -160,9 +183,7 @@ public class Shell + + if ( isQuotedArgumentsEnabled() ) + { +- char[] escapeChars = getEscapeChars( isSingleQuotedExecutableEscaped(), isDoubleQuotedExecutableEscaped() ); +- +- sb.append( StringUtils.quoteAndEscape( arguments[i], getArgumentQuoteDelimiter(), escapeChars, getQuotingTriggerChars(), '\\', false ) ); ++ sb.append( quoteOneItem( arguments[i], false ) ); + } + else + { +@@ -267,7 +288,7 @@ public class Shell + commandLine.addAll( getShellArgsList() ); + } + +- commandLine.addAll( getCommandLine( getExecutable(), arguments ) ); ++ commandLine.addAll( getCommandLine( getOriginalExecutable(), arguments ) ); + + return commandLine; + +diff --git a/src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java b/src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java +index b22814b..42bbb7f 100644 +--- a/src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java ++++ b/src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java +@@ -16,6 +16,7 @@ package org.codehaus.plexus.util.cli; + * limitations under the License. 
+ */ + ++import junit.framework.TestCase; + import org.codehaus.plexus.util.IOUtil; + import org.codehaus.plexus.util.Os; + import org.codehaus.plexus.util.StringUtils; +@@ -23,15 +24,7 @@ import org.codehaus.plexus.util.cli.shell.BourneShell; + import org.codehaus.plexus.util.cli.shell.CmdShell; + import org.codehaus.plexus.util.cli.shell.Shell; + +-import java.io.File; +-import java.io.FileWriter; +-import java.io.IOException; +-import java.io.InputStreamReader; +-import java.io.Reader; +-import java.io.StringWriter; +-import java.io.Writer; +- +-import junit.framework.TestCase; ++import java.io.*; + + public class CommandlineTest + extends TestCase +@@ -252,7 +245,7 @@ public class CommandlineTest + + assertEquals( "/bin/sh", shellCommandline[0] ); + assertEquals( "-c", shellCommandline[1] ); +- String expectedShellCmd = "/bin/echo \'hello world\'"; ++ String expectedShellCmd = "'/bin/echo' 'hello world'"; + if ( Os.isFamily( Os.FAMILY_WINDOWS ) ) + { + expectedShellCmd = "\\bin\\echo \'hello world\'"; +@@ -282,12 +275,12 @@ public class CommandlineTest + + assertEquals( "/bin/sh", shellCommandline[0] ); + assertEquals( "-c", shellCommandline[1] ); +- String expectedShellCmd = "cd \"" + root.getAbsolutePath() +- + "path with spaces\" && /bin/echo \'hello world\'"; ++ String expectedShellCmd = "cd '" + root.getAbsolutePath() ++ + "path with spaces' && '/bin/echo' 'hello world'"; + if ( Os.isFamily( Os.FAMILY_WINDOWS ) ) + { +- expectedShellCmd = "cd \"" + root.getAbsolutePath() +- + "path with spaces\" && \\bin\\echo \'hello world\'"; ++ expectedShellCmd = "cd '" + root.getAbsolutePath() ++ + "path with spaces' && '\\bin\\echo' 'hello world'"; + } + assertEquals( expectedShellCmd, shellCommandline[2] ); + } +@@ -311,7 +304,7 @@ public class CommandlineTest + + assertEquals( "/bin/sh", shellCommandline[0] ); + assertEquals( "-c", shellCommandline[1] ); +- String expectedShellCmd = "/bin/echo \'hello world\'"; ++ String expectedShellCmd = "'/bin/echo' ''\"'\"'hello 
world'\"'\"''"; + if ( Os.isFamily( Os.FAMILY_WINDOWS ) ) + { + expectedShellCmd = "\\bin\\echo \'hello world\'"; +@@ -341,7 +334,7 @@ public class CommandlineTest + } + else + { +- assertEquals( "/usr/bin a b", shellCommandline[2] ); ++ assertEquals( "'/usr/bin' 'a' 'b'", shellCommandline[2] ); + } + } + +@@ -387,6 +380,18 @@ public class CommandlineTest + createAndCallScript( dir, "echo Quoted" ); + } + ++ /** ++ * Test an executable with shell-expandable content in its path. ++ * ++ * @throws Exception ++ */ ++ public void testPathWithShellExpansionStrings() ++ throws Exception ++ { ++ File dir = new File( System.getProperty( "basedir" ), "target/test/dollar$test" ); ++ createAndCallScript( dir, "echo Quoted" ); ++ } ++ + /** + * Test an executable with a single quotation mark <code>\"</code> in its path only for non Windows box. + * +diff --git a/src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java b/src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java +index 807bff5..f1645b6 100644 +--- a/src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java ++++ b/src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java +@@ -16,14 +16,13 @@ package org.codehaus.plexus.util.cli.shell; + * limitations under the License. 
+ */ + ++import junit.framework.TestCase; + import org.codehaus.plexus.util.StringUtils; + import org.codehaus.plexus.util.cli.Commandline; + + import java.util.Arrays; + import java.util.List; + +-import junit.framework.TestCase; +- + public class BourneShellTest + extends TestCase + { +@@ -42,7 +41,7 @@ public class BourneShellTest + + String executable = StringUtils.join( sh.getShellCommandLine( new String[]{} ).iterator(), " " ); + +- assertEquals( "/bin/sh -c cd /usr/local/bin && chmod", executable ); ++ assertEquals( "/bin/sh -c cd '/usr/local/bin' && 'chmod'", executable ); + } + + public void testQuoteWorkingDirectoryAndExecutable_WDPathWithSingleQuotes() +@@ -54,7 +53,7 @@ public class BourneShellTest + + String executable = StringUtils.join( sh.getShellCommandLine( new String[]{} ).iterator(), " " ); + +- assertEquals( "/bin/sh -c cd \"/usr/local/\'something else\'\" && chmod", executable ); ++ assertEquals( "/bin/sh -c cd '/usr/local/'\"'\"'something else'\"'\"'' && 'chmod'", executable ); + } + + public void testQuoteWorkingDirectoryAndExecutable_WDPathWithSingleQuotes_BackslashFileSep() +@@ -66,7 +65,7 @@ public class BourneShellTest + + String executable = StringUtils.join( sh.getShellCommandLine( new String[]{} ).iterator(), " " ); + +- assertEquals( "/bin/sh -c cd \"\\usr\\local\\\'something else\'\" && chmod", executable ); ++ assertEquals( "/bin/sh -c cd '\\usr\\local\\\'\"'\"'something else'\"'\"'' && 'chmod'", executable ); + } + + public void testPreserveSingleQuotesOnArgument() +@@ -82,7 +81,7 @@ public class BourneShellTest + + String cli = StringUtils.join( shellCommandLine.iterator(), " " ); + System.out.println( cli ); +- assertTrue( cli.endsWith( args[0] ) ); ++ assertTrue( cli.endsWith("''\"'\"'some arg with spaces'\"'\"''")); + } + + public void testAddSingleQuotesOnArgumentWithSpaces() +@@ -130,7 +129,7 @@ public class BourneShellTest + + assertEquals( "/bin/sh", lines[0] ); + assertEquals( "-c", lines[1] ); +- assertEquals( "chmod 
--password ';password'", lines[2] ); ++ assertEquals( "'chmod' '--password' ';password'", lines[2] ); + + commandline = new Commandline( newShell() ); + commandline.setExecutable( "chmod" ); +@@ -142,7 +141,7 @@ public class BourneShellTest + + assertEquals( "/bin/sh", lines[0] ); + assertEquals( "-c", lines[1] ); +- assertEquals( "chmod --password ';password'", lines[2] ); ++ assertEquals( "'chmod' '--password' ';password'", lines[2] ); + + commandline = new Commandline( new CmdShell() ); + commandline.getShell().setQuotedArgumentsEnabled( true ); +@@ -190,7 +189,7 @@ public class BourneShellTest + + assertEquals( "/bin/sh", lines[0] ); + assertEquals( "-c", lines[1] ); +- assertEquals( "chmod ' ' '|' '&&' '||' ';' ';;' '&' '()' '<' '<<' '>' '>>' '*' '?' '[' ']' '{' '}' '`'", ++ assertEquals( "'chmod' ' ' '|' '&&' '||' ';' ';;' '&' '()' '<' '<<' '>' '>>' '*' '?' '[' ']' '{' '}' '`'", + lines[2] ); + + } Added: trunk/plexus-utils/debian/patches/series =================================================================== --- trunk/plexus-utils/debian/patches/series (rev 0) +++ trunk/plexus-utils/debian/patches/series 2018-01-09 20:42:28 UTC (rev 19310) @@ -0,0 +1 @@ +CVE-2017-1000487.patch Modified: trunk/plexus-utils/debian/rules =================================================================== --- trunk/plexus-utils/debian/rules 2018-01-04 00:30:56 UTC (rev 19309) +++ trunk/plexus-utils/debian/rules 2018-01-09 20:42:28 UTC (rev 19310) @@ -24,6 +24,5 @@ dh_install -plibplexus-utils-java-doc $(API_DOCS) usr/share/doc/libplexus-utils-java clean:: - mh_clean -rm -rf debian/tmp Modified: trunk/plexus-utils/debian/watch =================================================================== --- trunk/plexus-utils/debian/watch 2018-01-04 00:30:56 UTC (rev 19309) +++ trunk/plexus-utils/debian/watch 2018-01-09 20:42:28 UTC (rev 19310) 
@@ -1,2 +1,4 @@ version=3 -https://github.com/sonatype/plexus-utils/releases .*/plexus-utils-(.*).tar.gz +opts="uversionmangle=s/-(alpha|beta)-/~$1/" \ + https://github.com/codehaus-plexus/plexus-utils/tags .*/plexus-utils-(\d.*).tar.gz + _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
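Review bot: the debian/changelog hunk at `@@ -1,16 +1,18 @@` drops the old UNRELEASED bullets, among them `Removed debian/orig-tar.sh and use the tarball from Github directly`, yet this same revision adds debian/orig-tar.sh back and removes the `mh_clean` call from the `clean::` target in debian/rules; neither change is recorded, and both are visible in the diff, so they need an entry (or the script should not be re-added, see the orig-tar.sh note). The line `* Fix CVE-2017-1000487: Shell command injection vulnerability.` would also serve reverse dependencies better if it named the user-visible side effect of the fix: `Commandline.execute()` now runs the command directly instead of through `/bin/sh -c`, so shell syntax in an executable or argument is no longer interpreted. `urgency=high` is the right choice for a security upload.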
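Review bot: in the debian/control hunk at `@@ -2,18 +2,30 @@`, `Vcs-Browser` moves to https but `Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/plexus-utils` keeps the plain `svn://` scheme, which gives a developer checkout neither confidentiality nor integrity; if anonscm.debian.org serves the repository over an authenticated scheme, switch it for consistency with the browser URL. Folding `Build-Depends-Indep` into `Build-Depends` matches the changelog's `Use only Build-Depends field.`, and `debhelper (>= 10)` agrees with the compat bump to 10.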
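Review bot: debian/orig-tar.sh, added in full at `@@ -0,0 +1,16 @@`, runs `svn export http://svn.codehaus.org/plexus/plexus-utils/tags/$TAG $DIR` over plain HTTP from a host the changelog in this very commit calls obsolete (`Update watch file because codehaus.org is obsolete.`), and nothing verifies what comes back before it is packed into the orig tarball. It also sources `.svn/deb-layout` with `. .svn/deb-layout`, executing whatever that file contains, and leaves `$TAR`, `$DIR`, `$origDir` and the positional `$2` unquoted. Given that debian/watch now tracks the GitHub tags and the removed changelog bullet says this script was already dropped in favour of the GitHub tarball, this looks like an accidental revert rather than an intended addition; drop the file, or, if a helper is still wanted, point it at the https GitHub URL, quote the variables and write `"$2"`.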
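Review bot: the `workingDir == null` branch in the Commandline.java hunk at `@@ -633,7 +652,7 @@` now issues the same `Runtime.getRuntime().exec( getCommandline(), environment, workingDir )` call as the `else` branch (a null `File` means the current directory), so the `if`/`else` can collapse into the directory check followed by one `exec` call. Replacing `getShellCommandline()` with `getCommandline()` here is what closes CVE-2017-1000487: the executable and arguments reach `exec(String[], ...)` as a literal argv and are never re-parsed by `/bin/sh -c`, so `$`, `;`, backticks and friends lose their meaning. That also means `execute()` no longer honours the configured `Shell` at all (login-shell flags, the `cd ... && ` preamble that BourneShell builds for the working directory), which the repeated Javadoc sentence `Shell usage is only desirable when generating code for remote execution.` hints at but does not state; say it explicitly in the `execute()` Javadoc or the patch header so callers know to use `getShellCommandline()` themselves if they need shell semantics.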
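Review bot: the Javadoc example `BourneShell.quoteOneItem("/test/quoted path'abc") = '/test/quoted pat'"'"'habc'` in the BourneShell.java hunk at `@@ -125,46 +108,41 @@` does not match what the method produces: with the `path.replace( "'", "'\"'\"'" )` step the result is `'/test/quoted path'"'"'abc'`. The `<p>Unify quotes in a path for the Bourne Shell.</p>` summary and `@return the path unified correctly for the Bourne shell.` still describe the removed `unifyQuotes`, and the new `isExecutable` parameter is neither documented nor used by this override (it exists only to match the `Shell.quoteOneItem` signature). Suggest rewriting the Javadoc to say that every item is wrapped in single quotes unconditionally and embedded single quotes become `'"'"'`; that is exactly why this is safe where the old `BASH_QUOTING_TRIGGER_CHARS` approach was not, since an allow-list is only as good as its completeness and the removed list had no entry for `"` or `\`, and quoted only when one of its characters was present. Minor: `this(false);` drops the `this( false );` spacing used everywhere else in the file.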
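Review bot: `setUnconditionalQuoting(boolean unconditionallyQuote)` in the Shell.java hunk at `@@ -66,6 +68,16 @@` carries a bare `@param unconditionallyQuote` with no description and the hunk adds no getter; add a one-line description (quote every executable and argument even when no trigger character is present) and an `isUnconditionalQuoting()` accessor for symmetry with `isQuotedArgumentsEnabled()`. In the base-class `quoteOneItem` at `@@ -98,6 +110,19 @@`, `escapeChars` is derived from `isSingleQuotedExecutableEscaped()` and `isDoubleQuotedExecutableEscaped()` even when `isExecutable` is false; this mirrors the two removed call sites in `getCommandLine`, so it is not a regression, but now that the method knows which kind of item it is quoting it could select the argument-specific flags for arguments. Finally, this hunk, the BourneShell hunk and the Commandline hunk all call `getOriginalExecutable()`, which the diff never defines; the `Origin:` commit was written against a newer upstream tree than 1.5.15, so confirm the method exists in the packaged Shell.java before relying on the backport building.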
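Review bot: the Windows fallback `expectedShellCmd = "\\bin\\echo \'hello world\'";` in the CommandlineTest.java hunks at `@@ -252,7 +245,7 @@` and `@@ -311,7 +304,7 @@` is left with an unquoted executable while the POSIX expectation in the same tests became `'/bin/echo' 'hello world'` and the Windows branch at `@@ -282,12 +275,12 @@` was updated to `'\\bin\\echo' 'hello world'`; with `setUnconditionalQuoting( true )` in BourneShell the two untouched branches cannot match, so bring them in line (the third test additionally needs the doubly quoted `''"'"'hello world'"'"''` form) or the suite fails on Windows. Replacing the explicit `java.io` imports with `import java.io.*;` departs from the file's style and enlarges the backport diff for no gain; keep the explicit list. The new `testPathWithShellExpansionStrings` with `target/test/dollar$test` is the right regression test for this CVE: it exercises an executable path containing `$`, which is precisely what the old trigger-character quoting handed to the shell for expansion.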
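Review bot: the BourneShellTest.java hunk at `@@ -82,7 +81,7 @@` changes the assertion to `assertTrue( cli.endsWith("''\"'\"'some arg with spaces'\"'\"''"));` but leaves the `System.out.println( cli );` debugging line in place and uses `endsWith("...")` spacing that differs from the `endsWith( "..." )` convention of the surrounding code. More usefully, every updated expectation in this file now hand-encodes the `'"'"'` idiom as a Java literal, which is hard to read and easy to get wrong (see the Javadoc slip in BourneShell); a small helper that builds the expected string from the input (`"'" + s.replace("'", "'\"'\"'") + "'"`) would document the quoting rule once and make each assertion state the input it protects.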
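Review bot: the debian/watch hunk at `@@ -1,2 +1,4 @@` now tracks `https://github.com/codehaus-plexus/plexus-utils/tags`; GitHub generates tag archives on the fly and they carry no upstream OpenPGP signature, so there is nothing a `pgpsigurlmangle` option could check and the integrity of future orig tarballs rests on TLS to github.com alone, which is worth a comment in the file for whoever next updates the package. The fourth added line is empty and can be dropped. The `uversionmangle=s/-(alpha|beta)-/~$1/` rewrite is consistent with the `(\d.*)` capture admitting pre-release tags, so that part reads as intended.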

