BR python-setuptools not python2-setuptools

This is just temporary so we can do a final clean rebase of the
EL6 branch before they fork (0.5.0 drops Python 2.6 support so
it can't go to EL6).

.gitignore

@@ -1 +1,2 @@
 /defusedxml-0.4.tar.gz
+/defusedxml-0.4.1.tar.gz

0001-Fully-fix-iterparse-defusing-on-Python-3.6.patch

@@ -0,0 +1,101 @@
+From 9b9517ec7dfac674052d41ec96e4c85e197f3228 Mon Sep 17 00:00:00 2001
+From: Adam Williamson <awilliam@redhat.com>
+Date: Thu, 22 Dec 2016 12:38:03 -0800
+Subject: [PATCH] Fully fix iterparse() defusing on Python 3.6
+
+Python 3.3 did a very thorough job of hiding the pure-Python
+iterparse() from defusedxml, so we had to not use iterparse()
+directly, but find and use the pure-Python _IterParseIterator
+instead. This trick breaks with Python 3.6, though, because
+_IterParseIterator is no longer accessible externally at all.
+
+However, it turns out Python 3.3's approach to iterparse() was
+a one-off: the implementation of the C accelerator stuff was
+changed again in 3.4, and from 3.4 onwards we should be getting
+the pure-Python iterparse() again. So we can make the private
+iterator access dodge specific to Python 3.3, and just use the
+simple code which uses iterparse() directly - which we were
+only using for Python 2.7 until now - for Python 3.2 and 3.4+.
+---
+ defusedxml/ElementTree.py | 16 ++++++++++------
+ defusedxml/common.py      |  7 +++++--
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/defusedxml/ElementTree.py b/defusedxml/ElementTree.py
+index 8c46064..28ffce0 100644
+--- a/defusedxml/ElementTree.py
++++ b/defusedxml/ElementTree.py
+@@ -8,7 +8,7 @@
+ from __future__ import print_function, absolute_import
+ 
+ import sys
+-from .common import PY3, PY26, PY31
++from .common import PY3, PY26, PY31, PY33
+ if PY3:
+     import importlib
+ else:
+@@ -29,7 +29,7 @@ from .common import (DTDForbidden, EntitiesForbidden,
+ __origin__ = "xml.etree.ElementTree"
+ 
+ def _get_py3_cls():
+-    """Python 3.3 hides the pure Python code but defusedxml requires it.
++    """Python 3.3+ hide the pure Python code but defusedxml requires it.
+ 
+     The code is based on test.support.import_fresh_module().
+     """
+@@ -49,12 +49,16 @@ def _get_py3_cls():
+ 
+     _XMLParser = pure_pymod.XMLParser
+     _iterparse = pure_pymod.iterparse
+-    if PY31 or sys.version_info >= (3, 6):
+-        _IterParseIterator = None
++    ParseError = pure_pymod.ParseError
++    _IterParseIterator = None
++    if PY31:
+         from xml.parsers.expat import ExpatError as ParseError
+-    else:
++    if PY33:
++        # Python 3.3 specifically did some shenanigans to hide the
++        # pure-Python iterparse() entirely, so we need to use the
++        # this private iterator instead. All other Pythons don't have
++        # this problem
+         _IterParseIterator = pure_pymod._IterParseIterator
+-        ParseError = pure_pymod.ParseError
+ 
+     return _XMLParser, _iterparse, _IterParseIterator, ParseError
+ 
+diff --git a/defusedxml/common.py b/defusedxml/common.py
+index 5e5f8a2..53a5326 100644
+--- a/defusedxml/common.py
++++ b/defusedxml/common.py
+@@ -11,6 +11,7 @@ from types import MethodType
+ PY3 = sys.version_info[0] == 3
+ PY26 = sys.version_info[:2] == (2, 6)
+ PY31 = sys.version_info[:2] == (3, 1)
++PY33 = sys.version_info[:2] == (3, 3)
+ 
+ 
+ class DefusedXmlException(ValueError):
+@@ -126,7 +127,9 @@ def _generate_etree_functions(DefusedXMLParser, _TreeBuilder,
+                 bind(xmlparser, "defused_external_entity_ref_handler",
+                      "ExternalEntityRefHandler")
+             return it
+-    elif PY3:
++    elif PY33:
++        # pure-Python iterparse() is completely hidden on Python 3.3,
++        # we have to use the backing _IterParseIterator
+         def iterparse(source, events=None, parser=None, forbid_dtd=False,
+                       forbid_entities=True, forbid_external=True):
+             close_source = False
+@@ -140,7 +143,7 @@ def _generate_etree_functions(DefusedXMLParser, _TreeBuilder,
+                                           forbid_external=forbid_external)
+             return _IterParseIterator(source, events, parser, close_source)
+     else:
+-        # Python 2.7
++        # Python 2.7, Python 3.2, Python 3.4+
+         def iterparse(source, events=None, parser=None, forbid_dtd=False,
+                       forbid_entities=True, forbid_external=True):
+             if parser is None:
+-- 
+2.11.0
+

python-defusedxml-entity_loop.patch

@@ -0,0 +1,52 @@
+diff -ru defusedxml-0.4.1-orig/tests.py defusedxml-0.4.1/tests.py
+--- defusedxml-0.4.1-orig/tests.py	2015-07-17 05:28:36.501213026 +0000
++++ defusedxml-0.4.1/tests.py	2015-07-17 05:21:51.633843568 +0000
+@@ -133,11 +133,12 @@
+             self.iterparse(self.xml_simple_ns)
+ 
+     def test_entities_forbidden(self):
+-        self.assertRaises(EntitiesForbidden, self.parse, self.xml_bomb)
++        self.assertRaises((EntitiesForbidden, XMLSyntaxError),
++                          self.parse, self.xml_bomb)
+         self.assertRaises(EntitiesForbidden, self.parse, self.xml_quadratic)
+         self.assertRaises(EntitiesForbidden, self.parse, self.xml_external)
+ 
+-        self.assertRaises(EntitiesForbidden, self.parseString,
++        self.assertRaises((EntitiesForbidden, XMLSyntaxError), self.parseString,
+                           self.get_content(self.xml_bomb))
+         self.assertRaises(EntitiesForbidden, self.parseString,
+                           self.get_content(self.xml_quadratic))
+@@ -157,8 +158,8 @@
+                           forbid_entities=False)
+ 
+     def test_dtd_forbidden(self):
+-        self.assertRaises(DTDForbidden, self.parse, self.xml_bomb,
+-                          forbid_dtd=True)
++        self.assertRaises((DTDForbidden, XMLSyntaxError), self.parse,
++                          self.xml_bomb, forbid_dtd=True)
+         self.assertRaises(DTDForbidden, self.parse, self.xml_quadratic,
+                           forbid_dtd=True)
+         self.assertRaises(DTDForbidden, self.parse, self.xml_external,
+@@ -166,7 +167,7 @@
+         self.assertRaises(DTDForbidden, self.parse, self.xml_dtd,
+                           forbid_dtd=True)
+ 
+-        self.assertRaises(DTDForbidden, self.parseString,
++        self.assertRaises((DTDForbidden, XMLSyntaxError), self.parseString,
+                           self.get_content(self.xml_bomb),
+                           forbid_dtd=True)
+         self.assertRaises(DTDForbidden, self.parseString,
+@@ -355,8 +356,11 @@
+         pass
+ 
+     def test_restricted_element1(self):
+-        tree = self.module.parse(self.xml_bomb, forbid_dtd=False,
+-                                 forbid_entities=False)
++        try:
++            tree = self.module.parse(self.xml_bomb, forbid_dtd=False,
++                                     forbid_entities=False)
++        except XMLSyntaxError:
++            return
+         root = tree.getroot()
+         self.assertEqual(root.text, None)
+ 

python-defusedxml-format_strings.patch

@@ -0,0 +1,63 @@
+diff -ru defusedxml-0.4.1-orig/defusedxml/common.py defusedxml-0.4.1/defusedxml/common.py
+--- defusedxml-0.4.1-orig/defusedxml/common.py	2015-07-17 05:28:36.502213030 +0000
++++ defusedxml-0.4.1/defusedxml/common.py	2015-07-22 11:22:24.203648541 +0000
+@@ -30,7 +30,7 @@
+         self.pubid = pubid
+ 
+     def __str__(self):
+-        tpl = "DTDForbidden(name='{}', system_id={!r}, public_id={!r})"
++        tpl = "DTDForbidden(name='{0}', system_id={1!r}, public_id={2!r})"
+         return tpl.format(self.name, self.sysid, self.pubid)
+ 
+ 
+@@ -47,7 +47,7 @@
+         self.notation_name = notation_name
+ 
+     def __str__(self):
+-        tpl = "EntitiesForbidden(name='{}', system_id={!r}, public_id={!r})"
++        tpl = "EntitiesForbidden(name='{0}', system_id={1!r}, public_id={2!r})"
+         return tpl.format(self.name, self.sysid, self.pubid)
+ 
+ 
+@@ -62,7 +62,7 @@
+         self.pubid = pubid
+ 
+     def __str__(self):
+-        tpl = "ExternalReferenceForbidden(system_id='{}', public_id={})"
++        tpl = "ExternalReferenceForbidden(system_id='{0}', public_id={1})"
+         return tpl.format(self.sysid, self.pubid)
+ 
+ 
+diff -ru defusedxml-0.4.1-orig/other/exploit_webdav.py defusedxml-0.4.1/other/exploit_webdav.py
+--- defusedxml-0.4.1-orig/other/exploit_webdav.py	2015-07-17 05:28:36.503213033 +0000
++++ defusedxml-0.4.1/other/exploit_webdav.py	2015-07-22 11:23:15.893964297 +0000
+@@ -9,7 +9,7 @@
+ import httplib
+ 
+ if len(sys.argv) != 2:
+-    sys.exit("{} http://user:password@host:port/".format(sys.argv[0]))
++    sys.exit("{0} http://user:password@host:port/".format(sys.argv[0]))
+ 
+ url = urlparse.urlparse(sys.argv[1])
+ 
+diff -ru defusedxml-0.4.1-orig/other/exploit_xmlrpc.py defusedxml-0.4.1/other/exploit_xmlrpc.py
+--- defusedxml-0.4.1-orig/other/exploit_xmlrpc.py	2015-07-17 05:28:36.502213030 +0000
++++ defusedxml-0.4.1/other/exploit_xmlrpc.py	2015-07-22 11:23:59.536230889 +0000
+@@ -7,7 +7,7 @@
+ import urllib2
+ 
+ if len(sys.argv) != 2:
+-    sys.exit("{} url".format(sys.argv[0]))
++    sys.exit("{0} url".format(sys.argv[0]))
+ 
+ url = sys.argv[1]
+ 
+@@ -32,7 +32,7 @@
+ 
+ req = urllib2.Request(url, data=xml, headers=headers)
+ 
+-print("Sending request to {}".format(url))
++print("Sending request to {0}".format(url))
+ 
+ resp = urllib2.urlopen(req)
+

python-defusedxml-python36-broken.patch

@@ -0,0 +1,22 @@
+From 1d342237b560e29e8401d0a22a776b52b09e0ae2 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Wed, 24 Aug 2016 10:08:34 +0200
+Subject: [PATCH] Python 3.6 no _IterParseIterator class
+
+---
+ defusedxml/ElementTree.py | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/defusedxml/ElementTree.py b/defusedxml/ElementTree.py
+index a2f1f58..8c46064 100644
+--- a/defusedxml/ElementTree.py
++++ b/defusedxml/ElementTree.py
+@@ -49,7 +49,7 @@ def _get_py3_cls():
+ 
+     _XMLParser = pure_pymod.XMLParser
+     _iterparse = pure_pymod.iterparse
+-    if PY31:
++    if PY31 or sys.version_info >= (3, 6):
+         _IterParseIterator = None
+         from xml.parsers.expat import ExpatError as ParseError
+     else:

python-defusedxml.spec

@@ -1,13 +1,26 @@
-%global with_python3 1
+%global with_python3 0
 %global pypi_name defusedxml
 
 Name:           python-%{pypi_name}
-Version:        0.4
-Release:        1%{?dist}
+Version:        0.4.1
+Release:        9%{?dist}
 Summary:        XML bomb protection for Python stdlib modules
 License:        Python
+# Note: upstream git now appears to be at https://github.com/tiran/defusedxml
+# not bitbucket as pypi says
 URL:            https://bitbucket.org/tiran/defusedxml
 Source0:        http://pypi.python.org/packages/source/d/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=927883#c14
+Patch0:         %{name}-entity_loop.patch
+Patch1:         %{name}-format_strings.patch
+# This is https://github.com/tiran/defusedxml/commit/1d342237b560e29e8401d0a22a776b52b09e0ae2
+# rediffed on 0.4.1 . It doesn't really fix anything, but is necessary
+# for the real fix to apply without rediffing.
+Patch2:         %{name}-python36-broken.patch
+# Real fix for Python 3.6: https://github.com/tiran/defusedxml/pull/4
+Patch3:         0001-Fully-fix-iterparse-defusing-on-Python-3.6.patch
+
 BuildArch:      noarch
 
 BuildRequires:  python2-devel
@@ -18,7 +31,6 @@ BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools
 %endif
 
-
 %description
 The defusedxml package contains several Python-only workarounds and fixes for
 denial of service and other vulnerabilities in Python's XML libraries. In order
@@ -26,9 +38,21 @@ to benefit from the protection you just have to import and use the listed
 functions / classes from the right defusedxml module instead of the original
 module.
 
+%package -n python2-%{pypi_name}
+Summary:        XML bomb protection for Python stdlib modules
+%{?python_provide:%python_provide python2-%{pypi_name}}
+
+%description -n python2-%{pypi_name}
+The defusedxml package contains several Python-only workarounds and fixes for
+denial of service and other vulnerabilities in Python's XML libraries. In order
+to benefit from the protection you just have to import and use the listed
+functions / classes from the right defusedxml module instead of the original
+module.
+
 %if 0%{?with_python3}
 %package -n python3-%{pypi_name}
 Summary:        XML bomb protection for Python stdlib modules
+%{?python_provide:%python_provide python3-%{pypi_name}}
 
 %description -n python3-%{pypi_name}
 The defusedxml package contains several Python-only workarounds and fixes for
@@ -40,6 +64,13 @@ module.
 
 %prep
 %setup -q -n %{pypi_name}-%{version}
+%if 0%{?rhel}
+%patch0 -p1
+%endif
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+
 %if 0%{?with_python3}
 rm -rf %{py3dir}
 cp -a . %{py3dir}
@@ -70,18 +101,58 @@ pushd %{py3dir}
 popd
 %endif # with_python3
 
-%files
-%doc README.txt README.html LICENSE CHANGES.txt
-%{python_sitelib}/%{pypi_name}
-%{python_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info
+%files -n python2-%{pypi_name}
+%doc README.txt README.html CHANGES.txt
+%license LICENSE
+%{python2_sitelib}/%{pypi_name}
+%{python2_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info
 
 %if 0%{?with_python3}
 %files -n python3-%{pypi_name}
-%doc README.txt README.html LICENSE CHANGES.txt
+%doc README.txt README.html CHANGES.txt
+%license LICENSE
 %{python3_sitelib}/%{pypi_name}
 %{python3_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info
 %endif # with_python3
 
 %changelog
+* Thu Dec 22 2016 Adam Williamson <awilliam@redhat.com> - 0.4.1-9
+- Fix incompatibility with Python 3.6 (gh#3 / gh#4)
+
+* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com>
+- Rebuild for Python 3.6
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-8
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Sun Nov 15 2015 Ralph Bean <rbean@redhat.com> - 0.4.1-6
+- Added explicit python2 subpackage with modern provides statement.
+- Only apply the entity_loop patch on enterprisey builds.
+
+* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Wed Aug 05 2015 Miro Hrončok <mhroncok@redhat.com> - 0.4.1-4
+- Add patches by Avram Lubkin
+- https://bugzilla.redhat.com/show_bug.cgi?id=927883#c14
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Mon May 26 2014 Miro Hrončok <mhroncok@redhat.com> - 0.4.1-1
+- Updated to 0.4.1 (#1100730)
+
+* Tue May 13 2014 Bohuslav Kabrda <bkabrda@redhat.com> - 0.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
 * Tue Mar 26 2013 Miro Hrončok <mhroncok@redhat.com> - 0.4-1
 - Initial package.

sources

@@ -1 +1 @@
-09873c31ce773d48b8a4759571655a2c  defusedxml-0.4.tar.gz
+230a5eff64f878b392478e30376d673a  defusedxml-0.4.1.tar.gz