Update for 1.7.12 release.

mozilla · Jan 13, 2020 · d4021ee · d4021ee
1 parent 7bf6a37
commit d4021ee
Show file tree

Hide file tree

Showing 7 changed files with 133 additions and 50 deletions.
diff --git a/README.md b/README.md
@@ -20,6 +20,7 @@ Rhino is licensed under the [MPL 2.0](./LICENSE.txt).
 <tr><td><a href="https://github.com/mozilla/rhino/releases/tag/Rhino1_7_9_Release">Rhino 1.7.9</a></td><td>March 15, 2018</td></tr>
 <tr><td><a href="https://github.com/mozilla/rhino/releases/tag/Rhino1_7_10_Release">Rhino 1.7.10</a></td><td>April 9, 2018</td></tr>
 <tr><td><a href="https://github.com/mozilla/rhino/releases/tag/Rhino1_7_11_Release">Rhino 1.7.11</a></td><td>May 30, 2019</td></tr>
+<tr><td><a href="https://github.com/mozilla/rhino/releases/tag/Rhino1_7_12_Release">Rhino 1.7.11</a></td><td>January 13, 2020</td></tr>
 </table>
 
 [Release Notes](./RELEASE-NOTES.md) for recent releases.
@@ -84,7 +85,7 @@ mavenReleaseRepo=
 
 Rhino can run as a stand-alone interpreter from the command line:
 ```
-java -jar buildGradle/libs/rhino-1.7.11.jar -debug -version 200
+java -jar buildGradle/libs/rhino-1.7.12.jar -debug -version 200
 Rhino 1.7.9 2018 03 15
 js> print('Hello, World!');
 Hello, World!

diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
@@ -1,3 +1,99 @@
+# Rhino 1.7.12
+## January 13, 2020
+
+### XML external entities disabled by default
+
+As of this release, Rhino makes "XML external entity injections" more difficult
+by disabling fetching of external DTDs and stylesheets by default,
+as recommended in the (OWASP Cheat Sheet)
+[https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md]. 
+Even though this may break some existing projects, the fact that this
+vulnerability is in the OWASP top 10 makes it important enough to change
+the default.
+
+Developers who still need this old capability can re-enable it by setting the
+Context feature flag FEATURE_ENABLE_XML_SECURE_PARSING to false. (The default
+is true.)
+
+### New JAR for embedding use cases
+
+This release also includes a second JAR artifact, "rhino-runtime.jar". This is
+simply the existing Rhino JAR with the "tools" source directory excluded. 
+This directory includes the Rhino shell as well as the default "Global" 
+object, which includes capabilities to load and process external source
+code.
+
+Since some automated source-scanning tools mark these capabilties as insecure,
+this new JAR provides a way to only include the parts of Rhino that embedders
+typically need without pulling in additional capabilities.
+
+Developers who typically embed "rhino.jar" might consider embedding "rhino-runtime.jar"
+instead if they do not need all this.
+
+Thanks to the following developers for the contributions below!
+
+Aditya Pal (1):
+*     Fix syntax error for comments in array (#607)
+
+Chris Smith (1):
+*     Adding secure configuration for XML parsers (#600)
+
+Gregory Brail (12):
+*     Update versions for 1.7.12 release.
+*     Fix a code generation bug for generators.
+*     Fix "fall through" comment.
+*     Fix static analysis around NaN values.
+*     More isNaN fixes and one rounding bug.
+*     Make XML processor configuration more robust.
+*     Enable SpotBugs plugin.
+*     Fix minor static analysis findings.
+*     Increase Travis timeout.
+*     Disable more flaky "BigO" tests.
+*     Fix handling of "return" in iterators.
+*     Undo setting some members "final".
+
+Ivan Di Francesco (1):
+*     Fix warnings (#596)
+
+Roland Praml (2):
+*     FIX: NativeJavaObject.getDefaultValue recognizes numbers correctly
+*     #511 fixing InterfaceAdapter abstract name lookup.
+
+Stijn Kliemesch (7):
+*     Private static method ScriptRuntime.enumInitOrder(Context,IdEnumeration) no longer expects given IdEnumeration's property obj to be of type ScriptableObject specifically, only of type SymbolScriptable.
+*     Added testclass IterableTest to test iterable implementations, currently with one testcase for a host object, specifically one that uses Array Iterator.
+*     Added more tests to IterableTest.
+*     Fix for #616 (#617)
+*     Fixes for calling several Object.prototype members.
+*     Fixed dynamic scoping for implementations of Object.create and Object.defineProperties
+*     Testcase for dynamic scoping and Object.create.
+
+nename0 (2):
+*     Fix Array.include return a wrapped Boolean
+*     implement Array.includes to align to specs
+
+RBRi (20):
+*     fix for Map/Set working with ConsString as key also; closes #583
+*     fix propertyIsEnumerable when using an index to access string; closes #582
+*     ignore surplus search/match/replace parameters; closes #581
+*     add support for setPrototypeOf
+*     fixed imports
+*     RangeError should be throw if the argument of Number.prototype.toFixed is less than 0 fixes #587
+*     fix interpreter fallback when using streams (fixes #592)
+*     Parser already always reads the reader into a string. Move this reader handling to the Context to be able to fall back to the interpreter in all cases.
+*     fix imports
+*     functions declared as var f = function f() {...} within a function should not impact higher scope variable with the same name
+*     functions declared as var f = function f() {...} within a function should not impact higher scope variable with the same name
+*     fix Boolean(document.all)
+*     many more tests are passing already and some cleanup
+*     add tests for built-ins/ThrowTypeError and built-ins/TypedArray
+*     add tests for built-ins/TypedArrays
+*     fix BYTES_PER_ELEMENT property
+*     fix BYTES_PER_ELEMENT prototype property
+*     fix TypedArray constructor arity
+*     Fix issue with parseInt's handling of leading zeroes
+*     #529 (#628)
+
 # Rhino 1.7.11
 ## May 30, 2019
 

diff --git a/build.gradle b/build.gradle
@@ -331,4 +331,4 @@ distributions {
     }
 }
 
-distZip.dependsOn javadoc, jar
+distZip.dependsOn javadoc, jar, sourceJar, runtimeSourceJar
diff --git a/gradle.properties b/gradle.properties
@@ -1,6 +1,6 @@
 rootProject.name=rhino
 group=org.mozilla
-version=1.7.12-SNAPSHOT
+version=1.7.12
 buildDir=buildGradle
 mavenSnapshotRepo=https://oss.sonatype.org/content/repositories/snapshots
 mavenReleaseRepo=https://oss.sonatype.org/service/local/staging/deploy/maven
diff --git a/maven/maven-pom.xml b/maven/maven-pom.xml
@@ -12,7 +12,7 @@
   <groupId>org.mozilla</groupId>
   <artifactId>rhino</artifactId>
   <name>Mozilla Rhino</name>
-  <version>1.7.12-SNAPSHOT</version>
+  <version>1.7.12</version>
 
   <packaging>jar</packaging>
   <description>

diff --git a/maven/maven-staging-deploy.sh b/maven/maven-staging-deploy.sh
@@ -1,51 +1,37 @@
 #!/bin/sh
 
+function deploy {
+  if [ ! -f $1 ]
+  then
+    echo "Missing $1"
+    exit 1
+  fi
+
+  tf=/var/tmp/file.$$.jar
+  rm -f ${tf}
+  cp $1 ${tf}
+
+  mvn gpg:sign-and-deploy-file \
+  -Dfile=${tf} \
+  -DpomFile=${2} \
+  -DrepositoryId=sonatype-nexus-staging \
+  -Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2/ \
+  -Dclassifier=${3}
+
+  rm ${tf}
+}
+
 vers=`egrep '^version=' ../gradle.properties | awk -F = '{print $2}'`
+base=${HOME}/.m2/repository/org/mozilla
 
 echo "Deploying ${vers}"
 
-pom=maven-pom.xml
-jsjar=../buildGradle/libs/rhino-${vers}.jar
-echo "Installing ${jsjar}"
-srczip=../buildGradle/libs/rhino-${vers}-sources.jar
-echo "Sources are ${srczip}"
-doczip=../buildGradle/libs/rhino-${vers}-javadoc.jar
-echo "Javadoc is ${doczip}"
-
-if [ ! -f $jsjar ]
-then
-  echo "Missing js.jar"
-  exit 1
-fi
-
-if [ ! -f $srczip ]
-then
-  echo "Missing rhino-${vers}-sources.zip. Run \"ant source-zip\"."
-  exit 2
-fi
-
-if [ ! -f $doczip ]
-then
-  echo "Missing javadoc.zip. Run \"ant javadoc\"."
-  exit 3
-fi
+rb=${base}/rhino/${vers}
+deploy ${rb}/rhino-${vers}.jar maven-pom.xml
+deploy ${rb}/rhino-${vers}-sources.jar maven-pom.xml sources
+deploy ${rb}/rhino-${vers}-javadoc.jar maven-pom.xml javadoc
 
-mvn gpg:sign-and-deploy-file \
-  -Dfile=${jsjar} \
-  -DpomFile=${pom} \
-  -DrepositoryId=sonatype-nexus-staging \
-  -Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2/ 
-
-mvn gpg:sign-and-deploy-file \
-  -Dfile=${srczip} \
-  -DpomFile=${pom} \
-  -DrepositoryId=sonatype-nexus-staging \
-  -Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2/  \
-  -Dclassifier=sources
-
-mvn gpg:sign-and-deploy-file \
-  -Dfile=${doczip} \
-  -DpomFile=${pom} \
-  -DrepositoryId=sonatype-nexus-staging \
-  -Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2/  \
-  -Dclassifier=javadoc
+rb=${base}/rhino-runtime/${vers}
+deploy ${rb}/rhino-runtime-${vers}.jar maven-runtime-pom.xml
+deploy ${rb}/rhino-runtime-${vers}-sources.jar maven-runtime-pom.xml sources
+deploy ${rb}/rhino-runtime-${vers}-javadoc.jar maven-runtime-pom.xml javadoc
diff --git a/src/manifest b/src/manifest
@@ -1,6 +1,6 @@
 Manifest-Version: 1.0
 Main-Class: org.mozilla.javascript.tools.shell.Main
-Implementation-Version: 1.7.12-SNAPSHOT
-Implementation-Title: Mozilla Rhino 1.7.12-SNAPSHOT
+Implementation-Version: 1.7.12
+Implementation-Title: Mozilla Rhino 1.7.12
 Implementation-Vendor: Mozilla Foundation
 Implementation-URL: http://www.mozilla.org/rhino