From 0e9da96decf0f73f2fca35684b97c074f22d48d4 Mon Sep 17 00:00:00 2001
From: zhanghua1831
Date: Sat, 20 Mar 2021 15:06:49 +0800
Subject: [PATCH] fix CVE-2020-13959
(cherry picked from commit 33813f9a087d0473ce746abf284cfc6a74823968)
---
 CVE-2020-13959.patch | 25 +++++++++++++++++++++++++
 velocity-tools.spec | 7 ++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-13959.patch
diff --git a/CVE-2020-13959.patch b/CVE-2020-13959.patch
new file mode 100644
index 0000000..2d1fbd8
--- /dev/null
+++ b/CVE-2020-13959.patch
@@ -0,0 +1,25 @@
+From e141828a4eb03e4b0224535eed12b5c463a24152 Mon Sep 17 00:00:00 2001
+From: Jackson Henry <54763344+JHHAX@users.noreply.github.com>
+Date: Thu, 8 Oct 2020 14:18:25 +1100
+Subject: [PATCH] Fixed Reflected XSS Vuln
+
+Velocity Tools has an automatically generated error page, which echoes back the file name unescaped. This commit sanitizes user input and fixes the XSS Vulnerability!
+
+Updated XSS Vuln fix (used StringEscapeUtils)
+---
+ .../org/apache/velocity/tools/view/VelocityViewServlet.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java b/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
+index aff9b71d7..325ab0bba 100644
+--- a/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
++++ b/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
+@@ -460,7 +460,7 @@ protected void error(HttpServletRequest request,
+ html.append("Error\n");
+ html.append("\n");
+ html.append("VelocityView : Error processing a template for path '");
+- html.append(path);
++ html.append(StringEscapeUtils.escapeHtml(path));
+ html.append("'\n");
+
+ Throwable cause = e;
diff --git a/velocity-tools.spec b/velocity-tools.spec
index ed0b979..3f38fb5 100644
--- a/velocity-tools.spec
+++ b/velocity-tools.spec
@@ -1,6 +1,6 @@
 Name: velocity-tools
 Version: 2.0
-Release: 1
+Release: 2
 Summary: Collection of useful tools for Velocity template engine
 License: ASL 2.0
 Url: http://velocity.apache.org/tools/releases/2.0/
@@ -9,6 +9,7 @@ Patch0: %{name}-%{version}-junit4.patch
 Patch1: %{name}-%{version}-dont_copy_test_lib.patch
 Patch2: %{name}-%{version}-servlet.patch
 Patch3: %{name}-%{version}-port-to-dom4j-2.0.patch
+Patch4: CVE-2020-13959.patch
 BuildRequires: maven-local mvn(commons-beanutils:commons-beanutils)
 BuildRequires: mvn(commons-chain:commons-chain) mvn(commons-collections:commons-collections)
 BuildRequires: mvn(commons-digester:commons-digester) mvn(commons-lang:commons-lang)
@@ -48,6 +49,7 @@ find . -name "*.class" -delete
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 sed -i 's/\r//' LICENSE NOTICE WHY_THREE_JARS.txt
 %pom_remove_dep javax.servlet:servlet-api
 %pom_add_dep org.apache.tomcat:tomcat-servlet-api::provided
@@ -76,5 +78,8 @@ sed -i 's/\r//' LICENSE NOTICE WHY_THREE_JARS.txt
 %license LICENSE NOTICE
 %changelog
+* Sat Mar 20 2021 zhanghua - 2.0-2
+- fix CVE-2020-13959
+
 * Wed Aug 19 2020 maminjie - 2.0-1
 - package init
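Review bot: The added `html.append(StringEscapeUtils.escapeHtml(path));` line in CVE-2020-13959.patch has no comment saying which output context the encoding is valid for, and the patch ships no regression test for the error page. Here `path` is written as element text, where `escapeHtml` is adequate, but the commons-lang encoder leaves the apostrophe unescaped, so the same call would not be enough if the value were later moved into a single-quoted attribute. I would put `// path is echoed from the request; escapeHtml is sufficient for element text only, not for quoted attributes` above the line. A servlet test asserting that markup characters in the path come back entity-encoded would keep the fix intact across future rebases of this downstream patch. The body of error() starts and ends outside the hunk, so whether the values appended after `Throwable cause = e;` are encoded, and whether `StringEscapeUtils` is already imported in this file, cannot be confirmed from the lines shown.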