Add 0.5.0 source tarball, d'oh

This is just temporary so we can do a final clean rebase of the
EL6 branch before they fork (0.5.0 drops Python 2.6 support so
it can't go to EL6).

.gitignore

@@ -1,2 +1,3 @@
 /defusedxml-0.4.tar.gz
 /defusedxml-0.4.1.tar.gz
+/defusedxml-0.5.0.tar.gz

0001-Fully-fix-iterparse-defusing-on-Python-3.6.patch

@@ -1,101 +0,0 @@
-From 9b9517ec7dfac674052d41ec96e4c85e197f3228 Mon Sep 17 00:00:00 2001
-From: Adam Williamson <awilliam@redhat.com>
-Date: Thu, 22 Dec 2016 12:38:03 -0800
-Subject: [PATCH] Fully fix iterparse() defusing on Python 3.6
-
-Python 3.3 did a very thorough job of hiding the pure-Python
-iterparse() from defusedxml, so we had to not use iterparse()
-directly, but find and use the pure-Python _IterParseIterator
-instead. This trick breaks with Python 3.6, though, because
-_IterParseIterator is no longer accessible externally at all.
-
-However, it turns out Python 3.3's approach to iterparse() was
-a one-off: the implementation of the C accelerator stuff was
-changed again in 3.4, and from 3.4 onwards we should be getting
-the pure-Python iterparse() again. So we can make the private
-iterator access dodge specific to Python 3.3, and just use the
-simple code which uses iterparse() directly - which we were
-only using for Python 2.7 until now - for Python 3.2 and 3.4+.
----
- defusedxml/ElementTree.py | 16 ++++++++++------
- defusedxml/common.py      |  7 +++++--
- 2 files changed, 15 insertions(+), 8 deletions(-)
-
-diff --git a/defusedxml/ElementTree.py b/defusedxml/ElementTree.py
-index 8c46064..28ffce0 100644
---- a/defusedxml/ElementTree.py
-+++ b/defusedxml/ElementTree.py
-@@ -8,7 +8,7 @@
- from __future__ import print_function, absolute_import
- 
- import sys
--from .common import PY3, PY26, PY31
-+from .common import PY3, PY26, PY31, PY33
- if PY3:
-     import importlib
- else:
-@@ -29,7 +29,7 @@ from .common import (DTDForbidden, EntitiesForbidden,
- __origin__ = "xml.etree.ElementTree"
- 
- def _get_py3_cls():
--    """Python 3.3 hides the pure Python code but defusedxml requires it.
-+    """Python 3.3+ hide the pure Python code but defusedxml requires it.
- 
-     The code is based on test.support.import_fresh_module().
-     """
-@@ -49,12 +49,16 @@ def _get_py3_cls():
- 
-     _XMLParser = pure_pymod.XMLParser
-     _iterparse = pure_pymod.iterparse
--    if PY31 or sys.version_info >= (3, 6):
--        _IterParseIterator = None
-+    ParseError = pure_pymod.ParseError
-+    _IterParseIterator = None
-+    if PY31:
-         from xml.parsers.expat import ExpatError as ParseError
--    else:
-+    if PY33:
-+        # Python 3.3 specifically did some shenanigans to hide the
-+        # pure-Python iterparse() entirely, so we need to use the
-+        # this private iterator instead. All other Pythons don't have
-+        # this problem
-         _IterParseIterator = pure_pymod._IterParseIterator
--        ParseError = pure_pymod.ParseError
- 
-     return _XMLParser, _iterparse, _IterParseIterator, ParseError
- 
-diff --git a/defusedxml/common.py b/defusedxml/common.py
-index 5e5f8a2..53a5326 100644
---- a/defusedxml/common.py
-+++ b/defusedxml/common.py
-@@ -11,6 +11,7 @@ from types import MethodType
- PY3 = sys.version_info[0] == 3
- PY26 = sys.version_info[:2] == (2, 6)
- PY31 = sys.version_info[:2] == (3, 1)
-+PY33 = sys.version_info[:2] == (3, 3)
- 
- 
- class DefusedXmlException(ValueError):
-@@ -126,7 +127,9 @@ def _generate_etree_functions(DefusedXMLParser, _TreeBuilder,
-                 bind(xmlparser, "defused_external_entity_ref_handler",
-                      "ExternalEntityRefHandler")
-             return it
--    elif PY3:
-+    elif PY33:
-+        # pure-Python iterparse() is completely hidden on Python 3.3,
-+        # we have to use the backing _IterParseIterator
-         def iterparse(source, events=None, parser=None, forbid_dtd=False,
-                       forbid_entities=True, forbid_external=True):
-             close_source = False
-@@ -140,7 +143,7 @@ def _generate_etree_functions(DefusedXMLParser, _TreeBuilder,
-                                           forbid_external=forbid_external)
-             return _IterParseIterator(source, events, parser, close_source)
-     else:
--        # Python 2.7
-+        # Python 2.7, Python 3.2, Python 3.4+
-         def iterparse(source, events=None, parser=None, forbid_dtd=False,
-                       forbid_entities=True, forbid_external=True):
-             if parser is None:
--- 
-2.11.0
-

python-defusedxml-entity_loop.patch

@@ -1,52 +0,0 @@
-diff -ru defusedxml-0.4.1-orig/tests.py defusedxml-0.4.1/tests.py
---- defusedxml-0.4.1-orig/tests.py	2015-07-17 05:28:36.501213026 +0000
-+++ defusedxml-0.4.1/tests.py	2015-07-17 05:21:51.633843568 +0000
-@@ -133,11 +133,12 @@
-             self.iterparse(self.xml_simple_ns)
- 
-     def test_entities_forbidden(self):
--        self.assertRaises(EntitiesForbidden, self.parse, self.xml_bomb)
-+        self.assertRaises((EntitiesForbidden, XMLSyntaxError),
-+                          self.parse, self.xml_bomb)
-         self.assertRaises(EntitiesForbidden, self.parse, self.xml_quadratic)
-         self.assertRaises(EntitiesForbidden, self.parse, self.xml_external)
- 
--        self.assertRaises(EntitiesForbidden, self.parseString,
-+        self.assertRaises((EntitiesForbidden, XMLSyntaxError), self.parseString,
-                           self.get_content(self.xml_bomb))
-         self.assertRaises(EntitiesForbidden, self.parseString,
-                           self.get_content(self.xml_quadratic))
-@@ -157,8 +158,8 @@
-                           forbid_entities=False)
- 
-     def test_dtd_forbidden(self):
--        self.assertRaises(DTDForbidden, self.parse, self.xml_bomb,
--                          forbid_dtd=True)
-+        self.assertRaises((DTDForbidden, XMLSyntaxError), self.parse,
-+                          self.xml_bomb, forbid_dtd=True)
-         self.assertRaises(DTDForbidden, self.parse, self.xml_quadratic,
-                           forbid_dtd=True)
-         self.assertRaises(DTDForbidden, self.parse, self.xml_external,
-@@ -166,7 +167,7 @@
-         self.assertRaises(DTDForbidden, self.parse, self.xml_dtd,
-                           forbid_dtd=True)
- 
--        self.assertRaises(DTDForbidden, self.parseString,
-+        self.assertRaises((DTDForbidden, XMLSyntaxError), self.parseString,
-                           self.get_content(self.xml_bomb),
-                           forbid_dtd=True)
-         self.assertRaises(DTDForbidden, self.parseString,
-@@ -355,8 +356,11 @@
-         pass
- 
-     def test_restricted_element1(self):
--        tree = self.module.parse(self.xml_bomb, forbid_dtd=False,
--                                 forbid_entities=False)
-+        try:
-+            tree = self.module.parse(self.xml_bomb, forbid_dtd=False,
-+                                     forbid_entities=False)
-+        except XMLSyntaxError:
-+            return
-         root = tree.getroot()
-         self.assertEqual(root.text, None)
- 

python-defusedxml-format_strings.patch

@@ -1,63 +0,0 @@
-diff -ru defusedxml-0.4.1-orig/defusedxml/common.py defusedxml-0.4.1/defusedxml/common.py
---- defusedxml-0.4.1-orig/defusedxml/common.py	2015-07-17 05:28:36.502213030 +0000
-+++ defusedxml-0.4.1/defusedxml/common.py	2015-07-22 11:22:24.203648541 +0000
-@@ -30,7 +30,7 @@
-         self.pubid = pubid
- 
-     def __str__(self):
--        tpl = "DTDForbidden(name='{}', system_id={!r}, public_id={!r})"
-+        tpl = "DTDForbidden(name='{0}', system_id={1!r}, public_id={2!r})"
-         return tpl.format(self.name, self.sysid, self.pubid)
- 
- 
-@@ -47,7 +47,7 @@
-         self.notation_name = notation_name
- 
-     def __str__(self):
--        tpl = "EntitiesForbidden(name='{}', system_id={!r}, public_id={!r})"
-+        tpl = "EntitiesForbidden(name='{0}', system_id={1!r}, public_id={2!r})"
-         return tpl.format(self.name, self.sysid, self.pubid)
- 
- 
-@@ -62,7 +62,7 @@
-         self.pubid = pubid
- 
-     def __str__(self):
--        tpl = "ExternalReferenceForbidden(system_id='{}', public_id={})"
-+        tpl = "ExternalReferenceForbidden(system_id='{0}', public_id={1})"
-         return tpl.format(self.sysid, self.pubid)
- 
- 
-diff -ru defusedxml-0.4.1-orig/other/exploit_webdav.py defusedxml-0.4.1/other/exploit_webdav.py
---- defusedxml-0.4.1-orig/other/exploit_webdav.py	2015-07-17 05:28:36.503213033 +0000
-+++ defusedxml-0.4.1/other/exploit_webdav.py	2015-07-22 11:23:15.893964297 +0000
-@@ -9,7 +9,7 @@
- import httplib
- 
- if len(sys.argv) != 2:
--    sys.exit("{} http://user:password@host:port/".format(sys.argv[0]))
-+    sys.exit("{0} http://user:password@host:port/".format(sys.argv[0]))
- 
- url = urlparse.urlparse(sys.argv[1])
- 
-diff -ru defusedxml-0.4.1-orig/other/exploit_xmlrpc.py defusedxml-0.4.1/other/exploit_xmlrpc.py
---- defusedxml-0.4.1-orig/other/exploit_xmlrpc.py	2015-07-17 05:28:36.502213030 +0000
-+++ defusedxml-0.4.1/other/exploit_xmlrpc.py	2015-07-22 11:23:59.536230889 +0000
-@@ -7,7 +7,7 @@
- import urllib2
- 
- if len(sys.argv) != 2:
--    sys.exit("{} url".format(sys.argv[0]))
-+    sys.exit("{0} url".format(sys.argv[0]))
- 
- url = sys.argv[1]
- 
-@@ -32,7 +32,7 @@
- 
- req = urllib2.Request(url, data=xml, headers=headers)
- 
--print("Sending request to {}".format(url))
-+print("Sending request to {0}".format(url))
- 
- resp = urllib2.urlopen(req)
-

python-defusedxml-python36-broken.patch

@@ -1,22 +0,0 @@
-From 1d342237b560e29e8401d0a22a776b52b09e0ae2 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Wed, 24 Aug 2016 10:08:34 +0200
-Subject: [PATCH] Python 3.6 no _IterParseIterator class
-
----
- defusedxml/ElementTree.py | 2 +-
- 1 files changed, 1 insertions(+), 1 deletion(-)
-
-diff --git a/defusedxml/ElementTree.py b/defusedxml/ElementTree.py
-index a2f1f58..8c46064 100644
---- a/defusedxml/ElementTree.py
-+++ b/defusedxml/ElementTree.py
-@@ -49,7 +49,7 @@ def _get_py3_cls():
- 
-     _XMLParser = pure_pymod.XMLParser
-     _iterparse = pure_pymod.iterparse
--    if PY31:
-+    if PY31 or sys.version_info >= (3, 6):
-         _IterParseIterator = None
-         from xml.parsers.expat import ExpatError as ParseError
-     else:

python-defusedxml.spec

@@ -1,35 +1,40 @@
-%global with_python3 0
+# Enable Python 3 builds for Fedora + EPEL >6
+%if 0%{?fedora} || 0%{?rhel} > 6
+# If the definition isn't available for python3_pkgversion, define it
+%{?!python3_pkgversion:%global python3_pkgversion 3}
+%bcond_without  python3
+%else
+%bcond_with     python3
+%endif
+
 %global pypi_name defusedxml
+# define the license macro as doc if licensedir is not defined for
+# compatibility with EPEL
+%{!?_licensedir:%global license %%doc}
 
 Name:           python-%{pypi_name}
-Version:        0.4.1
-Release:        9%{?dist}
+Version:        0.5.0
+Release:        1%{?dist}
 Summary:        XML bomb protection for Python stdlib modules
 License:        Python
-# Note: upstream git now appears to be at https://github.com/tiran/defusedxml
-# not bitbucket as pypi says
-URL:            https://bitbucket.org/tiran/defusedxml
-Source0:        http://pypi.python.org/packages/source/d/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=927883#c14
-Patch0:         %{name}-entity_loop.patch
-Patch1:         %{name}-format_strings.patch
-# This is https://github.com/tiran/defusedxml/commit/1d342237b560e29e8401d0a22a776b52b09e0ae2
-# rediffed on 0.4.1 . It doesn't really fix anything, but is necessary
-# for the real fix to apply without rediffing.
-Patch2:         %{name}-python36-broken.patch
-# Real fix for Python 3.6: https://github.com/tiran/defusedxml/pull/4
-Patch3:         0001-Fully-fix-iterparse-defusing-on-Python-3.6.patch
+URL:            https://github.com/tiran/defusedxml
+Source0:        https://files.pythonhosted.org/packages/source/d/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
 
 BuildArch:      noarch
 
 BuildRequires:  python2-devel
+# No python2-setuptools on EL 7
 BuildRequires:  python-setuptools
 
 %if 0%{with_python3}
-BuildRequires:  python3-devel
-BuildRequires:  python3-setuptools
-%endif
+BuildRequires:  python%{python3_pkgversion}-devel
+BuildRequires:  python%{python3_pkgversion}-setuptools
+
+%if 0%{?with_python3_other}
+BuildRequires:  python%{python3_other_pkgversion}-setuptools
+BuildRequires:  python%{python3_other_pkgversion}-devel
+%endif # with_python3_other
+%endif # with_python3
 
 %description
 The defusedxml package contains several Python-only workarounds and fixes for
@@ -47,58 +52,59 @@ The defusedxml package contains several Python-only workarounds and fixes for
 denial of service and other vulnerabilities in Python's XML libraries. In order
 to benefit from the protection you just have to import and use the listed
 functions / classes from the right defusedxml module instead of the original
-module.
+module. This is the Python 2 build.
 
-%if 0%{?with_python3}
-%package -n python3-%{pypi_name}
+%if 0%{with_python3}
+%package -n python%{python3_pkgversion}-%{pypi_name}
 Summary:        XML bomb protection for Python stdlib modules
-%{?python_provide:%python_provide python3-%{pypi_name}}
+%{?python_provide:%python_provide python%{python3_pkgversion}-%{pypi_name}}
 
-%description -n python3-%{pypi_name}
+%description -n python%{python3_pkgversion}-%{pypi_name}
 The defusedxml package contains several Python-only workarounds and fixes for
 denial of service and other vulnerabilities in Python's XML libraries. In order
 to benefit from the protection you just have to import and use the listed
 functions / classes from the right defusedxml module instead of the original
-module.
+module. This is the python%{python3_pkgversion} build.
+
+%if 0%{?with_python3_other}
+%package -n python%{python3_other_pkgversion}-%{pypi_name}
+Summary:        XML bomb protection for Python stdlib modules
+%{?python_provide:%python_provide python%{python3_pkgversion}-%{pypi_name}}
+
+%description -n python%{python3_other_pkgversion}-%{pypi_name}
+The defusedxml package contains several Python-only workarounds and fixes for
+denial of service and other vulnerabilities in Python's XML libraries. In order
+to benefit from the protection you just have to import and use the listed
+functions / classes from the right defusedxml module instead of the original
+module. This is the python%{python3_other_pkgversion} build.
+%endif # with_python3_other
 %endif # with_python3
 
 %prep
 %setup -q -n %{pypi_name}-%{version}
-%if 0%{?rhel}
-%patch0 -p1
-%endif
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-
-%if 0%{?with_python3}
-rm -rf %{py3dir}
-cp -a . %{py3dir}
-find %{py3dir} -name '*.py' | xargs sed -i '1s|^#!/bin/env python|#!%{__python3}|'
-%endif # with_python3
 
 %build
-%{__python} setup.py build
-%if 0%{?with_python3}
-pushd %{py3dir}
-%{__python3} setup.py build
-popd
+%py2_build
+%if 0%{with_python3}
+%py3_build
+%if 0%{?with_python3_other}
+%py3_other_build
+%endif # with_python3_other
 %endif # with_python3
 
 %install
-%{__python} setup.py install --skip-build --root %{buildroot}
-%if 0%{?with_python3}
-pushd %{py3dir}
-%{__python3} setup.py install --skip-build --root %{buildroot}
-popd
+%py2_install
+%if 0%{with_python3}
+%py3_install
+%if 0%{?with_python3_other}
+%py3_other_install
+%endif # with_python3_other
 %endif # with_python3
 
 %check
-%{__python} tests.py
-%if 0%{?with_python3}
-pushd %{py3dir}
+%{__python2} tests.py
+%if 0%{with_python3}
 %{__python3} tests.py
-popd
 %endif # with_python3
 
 %files -n python2-%{pypi_name}
@@ -107,15 +113,30 @@ popd
 %{python2_sitelib}/%{pypi_name}
 %{python2_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info
 
-%if 0%{?with_python3}
-%files -n python3-%{pypi_name}
+%if 0%{with_python3}
+%files -n python%{python3_pkgversion}-%{pypi_name}
 %doc README.txt README.html CHANGES.txt
 %license LICENSE
 %{python3_sitelib}/%{pypi_name}
 %{python3_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info
+
+%if 0%{?with_python3_other}
+%files -n python%{python3_other_pkgversion}-%{pypi_name}
+%doc README.txt README.html CHANGES.txt
+%license LICENSE
+%{python3_other_sitelib}/%{pypi_name}
+%{python3__other_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info
+%endif # with_python3_other
 %endif # with_python3
 
 %changelog
+* Fri Feb 10 2017 Adam Williamson <awilliam@redhat.com> - 0.5.0-1
+- Update to 0.5.0, drop merged/superseded patches
+- Enable Python 3 build for EPEL 7, per https://fedoraproject.org/wiki/PackagingDrafts:Python3EPEL
+- Drop format-string patch as Python 2.6 is no longer supported anyway
+- Update URL to github
+- Update source URL for pypi changes
+
 * Thu Dec 22 2016 Adam Williamson <awilliam@redhat.com> - 0.4.1-9
 - Fix incompatibility with Python 3.6 (gh#3 / gh#4)
 

sources

@@ -1 +1 @@
-230a5eff64f878b392478e30376d673a  defusedxml-0.4.1.tar.gz
+SHA512 (defusedxml-0.5.0.tar.gz) = 71e1a604df9be41ded454bcdfa63610e897eb405295d7365fcddfc5f50f7572c36f0bd91a4a1fdf47d1b097637bd9fdcf08f1cdb73e2fe64eea0320a7532e452