From 244172e3bcea47aa3bd8ae2eec825941f5c54baa Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Mon, 4 Aug 2025 10:29:27 +0800
Subject: [PATCH] Fix CVE-2024-31573

(cherry picked from commit 280ebc6df17d891b385c1668730fcb1ab23b9091)

---
CVE-2024-31573.patch | 107 +++++++++++++++++++++++++++++++++++++++++++
xmlunit.spec | 8 +++-
2 files changed, 113 insertions(+), 2 deletions(-)
create mode 100644 CVE-2024-31573.patch

diff --git a/CVE-2024-31573.patch b/CVE-2024-31573.patch
new file mode 100644
index 0000000..c22742b
--- /dev/null
+++ b/CVE-2024-31573.patch
@@ -0,0 +1,107 @@
+From b81d48b71dfd2868bdfc30a3e17ff973f32bc15b Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig
+Date: Sun, 28 Apr 2024 15:01:19 +0200
+Subject: [PATCH] disable XSLT extension functions by default, add more
+ configurers
+
+Origin: https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b
+
+see #264
+---
+ .../util/TransformerFactoryConfigurer.java | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 58 insertions(+), 2 deletions(-)
+
+diff --git a/xmlunit-core/src/main/java/org/xmlunit/util/TransformerFactoryConfigurer.java b/xmlunit-core/src/main/java/org/xmlunit/util/TransformerFactoryConfigurer.java
+index 1976abf0..ba16bbdf 100644
+--- a/xmlunit-core/src/main/java/org/xmlunit/util/TransformerFactoryConfigurer.java
++++ b/xmlunit-core/src/main/java/org/xmlunit/util/TransformerFactoryConfigurer.java
+@@ -16,6 +16,7 @@
+ import java.util.Collections;
+ import java.util.HashMap;
+ import java.util.Map;
++import javax.xml.XMLConstants;
+ import javax.xml.transform.TransformerConfigurationException;
+ import javax.xml.transform.TransformerFactory;
+
+@@ -88,18 +89,51 @@ public static Builder builder() {
+ }
+
+ /**
+- * The default instance which disables DTD loading but still
++ * The default instance which disables DTD loading and extension functions but still
+ * allows loading of external stylesheets.
+ */
+ public static final TransformerFactoryConfigurer Default = builder()
+ .withDTDLoadingDisabled()
++ .withExtensionFunctionsDisabled()
++ .build();
++
++ /**
++ * The instance which enables secure processing thus disables all external access as well as execution of extension
++ * functions.
++ *
++ * @since XMLUnit 2.10.0
++ */
++ public static final TransformerFactoryConfigurer SecureProcessing = builder()
++ .withSecureProcessingEnabled()
+ .build();
+
+ /**
+ * The instance which disables DTD loading as well as loading of
+- * external stylesheets.
++ * external stylesheets or extension functions.
+ */
+ public static final TransformerFactoryConfigurer NoExternalAccess = builder()
++ .withDTDLoadingDisabled()
++ .withExternalStylesheetLoadingDisabled()
++ .withExtensionFunctionsDisabled()
++ .build();
++
++ /**
++ * The instance which disables DTD loading but still
++ * allows loading of external stylesheets and extension functions.
++ *
++ * @since XMLUnit 2.10.0
++ */
++ public static final TransformerFactoryConfigurer NoDtdButExtensionFunctions = builder()
++ .withDTDLoadingDisabled()
++ .build();
++
++ /**
++ * The instance which disables DTD loading as well as loading of
++ * external stylesheets but allows extension functions.
++ *
++ * @since XMLUnit 2.10.0
++ */
++ public static final TransformerFactoryConfigurer NoExternalAccessButExtensionFunctions = builder()
+ .withDTDLoadingDisabled()
+ .withExternalStylesheetLoadingDisabled()
+ .build();
+@@ -192,5 +226,27 @@ public Builder withExternalStylesheetLoadingDisabled() {
+ // XMLConstants.ACCESS_EXTERNAL_STYLESHEET is not available in Java 6
+ return withSafeAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
+ }
++
++ /**
++ * Configures the factory to not enable extension functions.
++ * @return this
++ *
++ * @since XMLUnit 2.10.0
++ */
++ public Builder withExtensionFunctionsDisabled() {
++ return withSafeAttribute("jdk.xml.enableExtensionFunctions", "false");
++ }
++
++ /**
++ * Configures the factory to enable secure processing which disables all external access as well as execution of
++ * extension functions.
++ * @return this
++ *
++ * @since XMLUnit 2.10.0
++ */
++ public Builder withSecureProcessingEnabled() {
++ return withFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
++ }
++
+ }
+ }
diff --git a/xmlunit.spec b/xmlunit.spec
index 7ae79a7..2c1abc3 100644
--- a/xmlunit.spec
+++ b/xmlunit.spec
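Review bot: `withExtensionFunctionsDisabled()` sets `jdk.xml.enableExtensionFunctions` through `withSafeAttribute`, which — judging by its name and by its use just above for the attribute that Java 6 lacks — presumably swallows the error a factory raises for an attribute it does not recognise, so with a non-JDK `TransformerFactory` (Saxon, Xalan) the hardened `Default` and `NoExternalAccess` instances would leave extension functions enabled without any signal, whereas `withSecureProcessingEnabled()` goes through `withFeature` and would fail loudly. That asymmetry belongs in the Javadoc of the two constants and of `withExtensionFunctionsDisabled()`, e.g. `* Only effective with the JDK's built-in XSLT processor; other factories may ignore the attribute silently — use {@link #SecureProcessing} when that guarantee is required.`. The `@since XMLUnit 2.10.0` tags describe the upstream release and read as wrong inside a 2.7.0 package; a backport note such as `* (backported from 2.10.0 for CVE-2024-31573)` would avoid confusing users of the packaged sources. The two new builder methods sit inside `Builder`, whose declaration is outside this hunk, and the inner hunk's context lines `@@ -192,5 +226,27 @@` are upstream 2.10 line numbers, so the patch only applies to 2.7.0 if the build applies it with fuzz or the surrounding lines still match.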
@@ -1,13 +1,14 @@
Name: xmlunit
Version: 2.7.0
-Release: 2
+Release: 3
Summary: Unit Testing XML for Java and .NET
-License: Apache 2.0 and BSD
+License: Apache-2.0 and BSD
URL: https://www.xmlunit.org/
Source0: https://github.com/xmlunit/xmlunit/releases/download/v%{version}/%{name}-%{version}-src.tar.gz
Patch0: 0001-Disable-tests-requiring-network-access.patch
Patch1: xmlunit-2.7.0-ValueAssertTest-fix.patch
Patch2: 0002-Port-to-hamcrest-2.1.patch
+Patch3: CVE-2024-31573.patch
BuildArch: noarch
BuildRequires: maven-local
@@ -88,6 +89,9 @@ This package provides %{summary}.
%files placeholders -f .mfiles-xmlunit-placeholders
%changelog
+* Mon Aug 04 2025 wangkai <13474090681@163.com> - 2.7.0-3
+- Fix CVE-2024-31573
+
* Wed Sep 27 2023 wangkai <13474090681@163.com> - 2.7.0-2
- Fix build error for hamcrest-2.x
-- Gitee
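Review bot: `Patch3: CVE-2024-31573.patch` is declared, but the `%prep` section is outside both hunks, so nothing here shows the patch being applied; if `%prep` uses `%autosetup -p1` or `%autopatch` it is picked up automatically, but if it enumerates `%patch0` through `%patch2` individually the new patch is silently skipped while the changelog already claims the fix. Worth confirming against the unchanged part of the spec, and adding `%patch3 -p1` next to the existing lines if they are explicit. The remaining changes (release bump, SPDX license tag, changelog) need no further comment.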