BR python-setuptools not python2-setuptools

This is just temporary so we can do a final clean rebase of the
EL6 branch before they fork (0.5.0 drops Python 2.6 support so
it can't go to EL6).

.gitignore

@@ -1,7 +1,2 @@
 /defusedxml-0.4.tar.gz
 /defusedxml-0.4.1.tar.gz
-/defusedxml-0.5.0.tar.gz
-/defusedxml-0.6.0.tar.gz
-/defusedxml-0.7.0rc1.tar.gz
-/defusedxml-0.7.0rc2.tar.gz
-/defusedxml-0.7.1.tar.gz

0001-Fully-fix-iterparse-defusing-on-Python-3.6.patch

@@ -0,0 +1,101 @@
+From 9b9517ec7dfac674052d41ec96e4c85e197f3228 Mon Sep 17 00:00:00 2001
+From: Adam Williamson <awilliam@redhat.com>
+Date: Thu, 22 Dec 2016 12:38:03 -0800
+Subject: [PATCH] Fully fix iterparse() defusing on Python 3.6
+
+Python 3.3 did a very thorough job of hiding the pure-Python
+iterparse() from defusedxml, so we had to not use iterparse()
+directly, but find and use the pure-Python _IterParseIterator
+instead. This trick breaks with Python 3.6, though, because
+_IterParseIterator is no longer accessible externally at all.
+
+However, it turns out Python 3.3's approach to iterparse() was
+a one-off: the implementation of the C accelerator stuff was
+changed again in 3.4, and from 3.4 onwards we should be getting
+the pure-Python iterparse() again. So we can make the private
+iterator access dodge specific to Python 3.3, and just use the
+simple code which uses iterparse() directly - which we were
+only using for Python 2.7 until now - for Python 3.2 and 3.4+.
+---
+ defusedxml/ElementTree.py | 16 ++++++++++------
+ defusedxml/common.py      |  7 +++++--
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/defusedxml/ElementTree.py b/defusedxml/ElementTree.py
+index 8c46064..28ffce0 100644
+--- a/defusedxml/ElementTree.py
++++ b/defusedxml/ElementTree.py
+@@ -8,7 +8,7 @@
+ from __future__ import print_function, absolute_import
+ 
+ import sys
+-from .common import PY3, PY26, PY31
++from .common import PY3, PY26, PY31, PY33
+ if PY3:
+     import importlib
+ else:
+@@ -29,7 +29,7 @@ from .common import (DTDForbidden, EntitiesForbidden,
+ __origin__ = "xml.etree.ElementTree"
+ 
+ def _get_py3_cls():
+-    """Python 3.3 hides the pure Python code but defusedxml requires it.
++    """Python 3.3+ hide the pure Python code but defusedxml requires it.
+ 
+     The code is based on test.support.import_fresh_module().
+     """
+@@ -49,12 +49,16 @@ def _get_py3_cls():
+ 
+     _XMLParser = pure_pymod.XMLParser
+     _iterparse = pure_pymod.iterparse
+-    if PY31 or sys.version_info >= (3, 6):
+-        _IterParseIterator = None
++    ParseError = pure_pymod.ParseError
++    _IterParseIterator = None
++    if PY31:
+         from xml.parsers.expat import ExpatError as ParseError
+-    else:
++    if PY33:
++        # Python 3.3 specifically did some shenanigans to hide the
++        # pure-Python iterparse() entirely, so we need to use the
++        # this private iterator instead. All other Pythons don't have
++        # this problem
+         _IterParseIterator = pure_pymod._IterParseIterator
+-        ParseError = pure_pymod.ParseError
+ 
+     return _XMLParser, _iterparse, _IterParseIterator, ParseError
+ 
+diff --git a/defusedxml/common.py b/defusedxml/common.py
+index 5e5f8a2..53a5326 100644
+--- a/defusedxml/common.py
++++ b/defusedxml/common.py
+@@ -11,6 +11,7 @@ from types import MethodType
+ PY3 = sys.version_info[0] == 3
+ PY26 = sys.version_info[:2] == (2, 6)
+ PY31 = sys.version_info[:2] == (3, 1)
++PY33 = sys.version_info[:2] == (3, 3)
+ 
+ 
+ class DefusedXmlException(ValueError):
+@@ -126,7 +127,9 @@ def _generate_etree_functions(DefusedXMLParser, _TreeBuilder,
+                 bind(xmlparser, "defused_external_entity_ref_handler",
+                      "ExternalEntityRefHandler")
+             return it
+-    elif PY3:
++    elif PY33:
++        # pure-Python iterparse() is completely hidden on Python 3.3,
++        # we have to use the backing _IterParseIterator
+         def iterparse(source, events=None, parser=None, forbid_dtd=False,
+                       forbid_entities=True, forbid_external=True):
+             close_source = False
+@@ -140,7 +143,7 @@ def _generate_etree_functions(DefusedXMLParser, _TreeBuilder,
+                                           forbid_external=forbid_external)
+             return _IterParseIterator(source, events, parser, close_source)
+     else:
+-        # Python 2.7
++        # Python 2.7, Python 3.2, Python 3.4+
+         def iterparse(source, events=None, parser=None, forbid_dtd=False,
+                       forbid_entities=True, forbid_external=True):
+             if parser is None:
+-- 
+2.11.0
+

python-defusedxml-entity_loop.patch

@@ -0,0 +1,52 @@
+diff -ru defusedxml-0.4.1-orig/tests.py defusedxml-0.4.1/tests.py
+--- defusedxml-0.4.1-orig/tests.py	2015-07-17 05:28:36.501213026 +0000
++++ defusedxml-0.4.1/tests.py	2015-07-17 05:21:51.633843568 +0000
+@@ -133,11 +133,12 @@
+             self.iterparse(self.xml_simple_ns)
+ 
+     def test_entities_forbidden(self):
+-        self.assertRaises(EntitiesForbidden, self.parse, self.xml_bomb)
++        self.assertRaises((EntitiesForbidden, XMLSyntaxError),
++                          self.parse, self.xml_bomb)
+         self.assertRaises(EntitiesForbidden, self.parse, self.xml_quadratic)
+         self.assertRaises(EntitiesForbidden, self.parse, self.xml_external)
+ 
+-        self.assertRaises(EntitiesForbidden, self.parseString,
++        self.assertRaises((EntitiesForbidden, XMLSyntaxError), self.parseString,
+                           self.get_content(self.xml_bomb))
+         self.assertRaises(EntitiesForbidden, self.parseString,
+                           self.get_content(self.xml_quadratic))
+@@ -157,8 +158,8 @@
+                           forbid_entities=False)
+ 
+     def test_dtd_forbidden(self):
+-        self.assertRaises(DTDForbidden, self.parse, self.xml_bomb,
+-                          forbid_dtd=True)
++        self.assertRaises((DTDForbidden, XMLSyntaxError), self.parse,
++                          self.xml_bomb, forbid_dtd=True)
+         self.assertRaises(DTDForbidden, self.parse, self.xml_quadratic,
+                           forbid_dtd=True)
+         self.assertRaises(DTDForbidden, self.parse, self.xml_external,
+@@ -166,7 +167,7 @@
+         self.assertRaises(DTDForbidden, self.parse, self.xml_dtd,
+                           forbid_dtd=True)
+ 
+-        self.assertRaises(DTDForbidden, self.parseString,
++        self.assertRaises((DTDForbidden, XMLSyntaxError), self.parseString,
+                           self.get_content(self.xml_bomb),
+                           forbid_dtd=True)
+         self.assertRaises(DTDForbidden, self.parseString,
+@@ -355,8 +356,11 @@
+         pass
+ 
+     def test_restricted_element1(self):
+-        tree = self.module.parse(self.xml_bomb, forbid_dtd=False,
+-                                 forbid_entities=False)
++        try:
++            tree = self.module.parse(self.xml_bomb, forbid_dtd=False,
++                                     forbid_entities=False)
++        except XMLSyntaxError:
++            return
+         root = tree.getroot()
+         self.assertEqual(root.text, None)
+ 

python-defusedxml-format_strings.patch

@@ -0,0 +1,63 @@
+diff -ru defusedxml-0.4.1-orig/defusedxml/common.py defusedxml-0.4.1/defusedxml/common.py
+--- defusedxml-0.4.1-orig/defusedxml/common.py	2015-07-17 05:28:36.502213030 +0000
++++ defusedxml-0.4.1/defusedxml/common.py	2015-07-22 11:22:24.203648541 +0000
+@@ -30,7 +30,7 @@
+         self.pubid = pubid
+ 
+     def __str__(self):
+-        tpl = "DTDForbidden(name='{}', system_id={!r}, public_id={!r})"
++        tpl = "DTDForbidden(name='{0}', system_id={1!r}, public_id={2!r})"
+         return tpl.format(self.name, self.sysid, self.pubid)
+ 
+ 
+@@ -47,7 +47,7 @@
+         self.notation_name = notation_name
+ 
+     def __str__(self):
+-        tpl = "EntitiesForbidden(name='{}', system_id={!r}, public_id={!r})"
++        tpl = "EntitiesForbidden(name='{0}', system_id={1!r}, public_id={2!r})"
+         return tpl.format(self.name, self.sysid, self.pubid)
+ 
+ 
+@@ -62,7 +62,7 @@
+         self.pubid = pubid
+ 
+     def __str__(self):
+-        tpl = "ExternalReferenceForbidden(system_id='{}', public_id={})"
++        tpl = "ExternalReferenceForbidden(system_id='{0}', public_id={1})"
+         return tpl.format(self.sysid, self.pubid)
+ 
+ 
+diff -ru defusedxml-0.4.1-orig/other/exploit_webdav.py defusedxml-0.4.1/other/exploit_webdav.py
+--- defusedxml-0.4.1-orig/other/exploit_webdav.py	2015-07-17 05:28:36.503213033 +0000
++++ defusedxml-0.4.1/other/exploit_webdav.py	2015-07-22 11:23:15.893964297 +0000
+@@ -9,7 +9,7 @@
+ import httplib
+ 
+ if len(sys.argv) != 2:
+-    sys.exit("{} http://user:password@host:port/".format(sys.argv[0]))
++    sys.exit("{0} http://user:password@host:port/".format(sys.argv[0]))
+ 
+ url = urlparse.urlparse(sys.argv[1])
+ 
+diff -ru defusedxml-0.4.1-orig/other/exploit_xmlrpc.py defusedxml-0.4.1/other/exploit_xmlrpc.py
+--- defusedxml-0.4.1-orig/other/exploit_xmlrpc.py	2015-07-17 05:28:36.502213030 +0000
++++ defusedxml-0.4.1/other/exploit_xmlrpc.py	2015-07-22 11:23:59.536230889 +0000
+@@ -7,7 +7,7 @@
+ import urllib2
+ 
+ if len(sys.argv) != 2:
+-    sys.exit("{} url".format(sys.argv[0]))
++    sys.exit("{0} url".format(sys.argv[0]))
+ 
+ url = sys.argv[1]
+ 
+@@ -32,7 +32,7 @@
+ 
+ req = urllib2.Request(url, data=xml, headers=headers)
+ 
+-print("Sending request to {}".format(url))
++print("Sending request to {0}".format(url))
+ 
+ resp = urllib2.urlopen(req)
+

python-defusedxml-python36-broken.patch

@@ -0,0 +1,22 @@
+From 1d342237b560e29e8401d0a22a776b52b09e0ae2 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Wed, 24 Aug 2016 10:08:34 +0200
+Subject: [PATCH] Python 3.6 no _IterParseIterator class
+
+---
+ defusedxml/ElementTree.py | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/defusedxml/ElementTree.py b/defusedxml/ElementTree.py
+index a2f1f58..8c46064 100644
+--- a/defusedxml/ElementTree.py
++++ b/defusedxml/ElementTree.py
+@@ -49,7 +49,7 @@ def _get_py3_cls():
+ 
+     _XMLParser = pure_pymod.XMLParser
+     _iterparse = pure_pymod.iterparse
+-    if PY31:
++    if PY31 or sys.version_info >= (3, 6):
+         _IterParseIterator = None
+         from xml.parsers.expat import ExpatError as ParseError
+     else:

python-defusedxml.spec

@@ -1,19 +1,35 @@
-%global pypi_name    defusedxml
-%global base_version 0.7.1
-#global prerel       ...
-%global upstream_version %{base_version}%{?prerel}
+%global with_python3 0
+%global pypi_name defusedxml
+
 Name:           python-%{pypi_name}
-Version:        %{base_version}%{?prerel:~%{prerel}}
-Release:        3%{?dist}
+Version:        0.4.1
+Release:        9%{?dist}
 Summary:        XML bomb protection for Python stdlib modules
 License:        Python
-URL:            https://github.com/tiran/defusedxml
-Source0:        %{pypi_source %{pypi_name} %{upstream_version}}
+# Note: upstream git now appears to be at https://github.com/tiran/defusedxml
+# not bitbucket as pypi says
+URL:            https://bitbucket.org/tiran/defusedxml
+Source0:        http://pypi.python.org/packages/source/d/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=927883#c14
+Patch0:         %{name}-entity_loop.patch
+Patch1:         %{name}-format_strings.patch
+# This is https://github.com/tiran/defusedxml/commit/1d342237b560e29e8401d0a22a776b52b09e0ae2
+# rediffed on 0.4.1 . It doesn't really fix anything, but is necessary
+# for the real fix to apply without rediffing.
+Patch2:         %{name}-python36-broken.patch
+# Real fix for Python 3.6: https://github.com/tiran/defusedxml/pull/4
+Patch3:         0001-Fully-fix-iterparse-defusing-on-Python-3.6.patch
 
 BuildArch:      noarch
 
-BuildRequires:  python%{python3_pkgversion}-devel
-BuildRequires:  python%{python3_pkgversion}-setuptools
+BuildRequires:  python2-devel
+BuildRequires:  python-setuptools
+
+%if 0%{with_python3}
+BuildRequires:  python3-devel
+BuildRequires:  python3-setuptools
+%endif
 
 %description
 The defusedxml package contains several Python-only workarounds and fixes for
@@ -22,109 +38,84 @@ to benefit from the protection you just have to import and use the listed
 functions / classes from the right defusedxml module instead of the original
 module.
 
+%package -n python2-%{pypi_name}
+Summary:        XML bomb protection for Python stdlib modules
+%{?python_provide:%python_provide python2-%{pypi_name}}
 
-%package -n python%{python3_pkgversion}-%{pypi_name}
-Summary:        %{summary}
-%{?python_provide:%python_provide python%{python3_pkgversion}-%{pypi_name}}
-
-%description -n python%{python3_pkgversion}-%{pypi_name}
+%description -n python2-%{pypi_name}
 The defusedxml package contains several Python-only workarounds and fixes for
 denial of service and other vulnerabilities in Python's XML libraries. In order
 to benefit from the protection you just have to import and use the listed
 functions / classes from the right defusedxml module instead of the original
-module. This is the python%{python3_pkgversion} build.
+module.
 
+%if 0%{?with_python3}
+%package -n python3-%{pypi_name}
+Summary:        XML bomb protection for Python stdlib modules
+%{?python_provide:%python_provide python3-%{pypi_name}}
+
+%description -n python3-%{pypi_name}
+The defusedxml package contains several Python-only workarounds and fixes for
+denial of service and other vulnerabilities in Python's XML libraries. In order
+to benefit from the protection you just have to import and use the listed
+functions / classes from the right defusedxml module instead of the original
+module.
+%endif # with_python3
 
 %prep
-%autosetup -p1 -n %{pypi_name}-%{upstream_version}
+%setup -q -n %{pypi_name}-%{version}
+%if 0%{?rhel}
+%patch0 -p1
+%endif
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+
+%if 0%{?with_python3}
+rm -rf %{py3dir}
+cp -a . %{py3dir}
+find %{py3dir} -name '*.py' | xargs sed -i '1s|^#!/bin/env python|#!%{__python3}|'
+%endif # with_python3
 
 %build
-%py3_build
+%{__python} setup.py build
+%if 0%{?with_python3}
+pushd %{py3dir}
+%{__python3} setup.py build
+popd
+%endif # with_python3
 
 %install
-%py3_install
+%{__python} setup.py install --skip-build --root %{buildroot}
+%if 0%{?with_python3}
+pushd %{py3dir}
+%{__python3} setup.py install --skip-build --root %{buildroot}
+popd
+%endif # with_python3
 
 %check
-%{python3} tests.py
+%{__python} tests.py
+%if 0%{?with_python3}
+pushd %{py3dir}
+%{__python3} tests.py
+popd
+%endif # with_python3
 
-
-%files -n python%{python3_pkgversion}-%{pypi_name}
+%files -n python2-%{pypi_name}
 %doc README.txt README.html CHANGES.txt
 %license LICENSE
-%{python3_sitelib}/%{pypi_name}/
-%{python3_sitelib}/%{pypi_name}-%{upstream_version}-py%{python3_version}.egg-info/
+%{python2_sitelib}/%{pypi_name}
+%{python2_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info
 
+%if 0%{?with_python3}
+%files -n python3-%{pypi_name}
+%doc README.txt README.html CHANGES.txt
+%license LICENSE
+%{python3_sitelib}/%{pypi_name}
+%{python3_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info
+%endif # with_python3
 
 %changelog
-* Tue Jul 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.1-3
-- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 0.7.1-2
-- Rebuilt for Python 3.10
-
-* Mon May 03 2021 Tomas Hrnciar <thrnciar@redhat.com> - 0.7.1-1
-- Update to 0.7.1
-- Fixes: rhbz#1935032
-
-* Wed Jan 27 2021 Miro Hrončok <mhroncok@redhat.com> - 0.7.0~rc2-1
-- Update to 0.7.0rc2
-- Fixes: rhbz#1915522
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0~rc1-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0~rc1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Sun May 24 2020 Miro Hrončok <mhroncok@redhat.com> - 0.7.0~rc1-2
-- Rebuilt for Python 3.9
-
-* Mon May 04 2020 Miro Hrončok <mhroncok@redhat.com> - 0.7.0~rc1-1
-- Update to 0.7.0rc1
-
-* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.0-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.6.0-4
-- Rebuilt for Python 3.8.0rc1 (#1748018)
-
-* Sun Aug 18 2019 Miro Hrončok <mhroncok@redhat.com> - 0.6.0-3
-- Rebuilt for Python 3.8
-
-* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu May 09 2019 Miro Hrončok <mhroncok@redhat.com> - 0.6.0-1
-- Update to 0.6.0 (#1699639)
-- Remove Python 2 subpackage
-
-* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.0-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.0-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Mon Jun 18 2018 Miro Hrončok <mhroncok@redhat.com> - 0.5.0-5
-- Rebuilt for Python 3.7
-
-* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 0.5.0-4
-- Update Python 2 dependency declarations to new packaging standards
-  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
-
-* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Fri Feb 10 2017 Adam Williamson <awilliam@redhat.com> - 0.5.0-1
-- Update to 0.5.0, drop merged/superseded patches
-- Enable Python 3 build for EPEL 7, per https://fedoraproject.org/wiki/PackagingDrafts:Python3EPEL
-- Drop format-string patch as Python 2.6 is no longer supported anyway
-- Update URL to github
-- Update source URL for pypi changes
-
 * Thu Dec 22 2016 Adam Williamson <awilliam@redhat.com> - 0.4.1-9
 - Fix incompatibility with Python 3.6 (gh#3 / gh#4)
 

sources

@@ -1 +1 @@
-SHA512 (defusedxml-0.7.1.tar.gz) = 93c1e077b22a278011497f3b3f4409b5259e0077768caa121e0f078f80f39c082f3870eaaf4bad5166fe8c3b2d169ccdea62c2840ba6969240a8371cef34c4d5
+230a5eff64f878b392478e30376d673a  defusedxml-0.4.1.tar.gz