authorNathan Owens <ndowens04@gmail.com>2019-10-22 22:08:56 +0000
committerLeo <thinkabit.ukim@gmail.com>2019-10-28 09:20:27 -0300
commit1b25e943811271db1f72eb1841bad4502eceb611 (patch)
treedc2532da101b096ccb32dc65828c314cdcaa5ab5 /testing/py3-unoconv
parentec39f612d887be598ea7432eb51d9a2ccdbc2c55 (diff)
downloadaports-1b25e943811271db1f72eb1841bad4502eceb611.tar.bz2
aports-1b25e943811271db1f72eb1841bad4502eceb611.tar.xz
testing/py3-unoconv: upgrade to 0.8.2
Patch:https://github.com/unoconv/unoconv/commit/acfac594e643f9c44f1c3b8d6d8957190a4d76f2 CVE:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197
Diffstat (limited to 'testing/py3-unoconv')
-rw-r--r--testing/py3-unoconv/APKBUILD25
-rw-r--r--testing/py3-unoconv/CVE-2019-17400.patch117
2 files changed, 132 insertions, 10 deletions
diff --git a/testing/py3-unoconv/APKBUILD b/testing/py3-unoconv/APKBUILD
index 92cb41cd6c..edddab67ac 100644
--- a/testing/py3-unoconv/APKBUILD
+++ b/testing/py3-unoconv/APKBUILD
@@ -1,32 +1,37 @@
# Contributor: TBK <tbk@jjtc.eu>
pkgname=py3-unoconv
-pkgver=0.7
-pkgrel=1
+pkgver=0.8.2
+pkgrel=0
pkgdesc="Tool to convert between any document format supported by LibreOffice"
url="http://dag.wieers.com/home-made/unoconv/"
# libreoffice is not built on s390x
arch="noarch !s390x"
license="GPL-2.0"
depends="libreoffice python3"
-makedepends="python3-dev py-setuptools"
-subpackages=""
-source="unoconv-${pkgver}.tar.gz::https://github.com/dagwieers/unoconv/archive/$pkgver.tar.gz
- setup.py"
+makedepends="py3-setuptools"
+options="!check"
+source="unoconv-$pkgver.tar.gz::https://github.com/dagwieers/unoconv/archive/$pkgver.tar.gz
+ setup.py CVE-2019-17400.patch"
+
builddir="$srcdir"/unoconv-$pkgver
+# secfixes:
+# 0.8.2-r0:
+# - CVE-2019-17400
+
prepare() {
cp "$srcdir"/setup.py "$builddir"/
+ default_prepare
}
build() {
- cd "$builddir"
python3 setup.py build
}
package() {
- cd "$builddir"
python3 setup.py install --prefix=/usr --root="$pkgdir"
}
-sha512sums="3b0837e11f22733e0fbef93dc6aeabd0e2d3d59b6c35a6f7b29b86506a5842bcbffb3e889864d6e14c1e53dd306354690a699257fe60f36ce1d4455ab52b5df7 unoconv-0.7.tar.gz
-b4fa76011fb96ba9521bb09d1a5c43dbd457c50bb2c6d66a5bc65928cde1e1d8174e43ad86f8f53755f222127cc5b0084b4564c248ce1fca56f9acfb4c03d86d setup.py"
+sha512sums="cd6a4d06559895c0aebb5fda51ca86928474dd0ca0aa908e81762643186c29cf8436c889eedbb18bc74ed6016414d1aa831cd034614244d5aae677a6b4cdd4c9 unoconv-0.8.2.tar.gz
+b4fa76011fb96ba9521bb09d1a5c43dbd457c50bb2c6d66a5bc65928cde1e1d8174e43ad86f8f53755f222127cc5b0084b4564c248ce1fca56f9acfb4c03d86d setup.py
+ab3a9aad6c14190083364c7430a4a0ed3eaad54225ae88ea72b7ee940b80767298152f5fad4a0e17a506c7dbc85733a9910d2ed1a48c4c95bd078f139ec8f54c CVE-2019-17400.patch"
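Review bot: The `# secfixes:` entry added here records `CVE-2019-17400` for 0.8.2-r0 and the patch file carries the same id, but the commit description links to CVE-2019-18197. The two ids cannot both describe this fix, and because secfixes comments are the record that vulnerability tracking for the package is derived from, the id should be confirmed against the upstream advisory so that scanners mark the right CVE as fixed. `options="!check"` is also added without a reason; a trailing comment such as `options="!check" # <why tests are skipped>` would tell the next maintainer whether the skip is still needed.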
diff --git a/testing/py3-unoconv/CVE-2019-17400.patch b/testing/py3-unoconv/CVE-2019-17400.patch
new file mode 100644
index 0000000000..ba1f8287b3
--- /dev/null
+++ b/testing/py3-unoconv/CVE-2019-17400.patch
@@ -0,0 +1,117 @@
+From 467aa125cbe8f99346daeb2e94ce75c62f69c702 Mon Sep 17 00:00:00 2001
+From: Samuel Erb <samrerb@erbbysam.com>
+Date: Tue, 17 Sep 2019 12:22:12 -0400
+Subject: [PATCH] change default updateDocMode behavior and add new option to
+ keep old behavior (#510)
+
+---
+ unoconv | 51 ++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 30 insertions(+), 21 deletions(-)
+
+diff --git a/unoconv b/unoconv
+index f844d0f..762dc85 100755
+--- a/unoconv
++++ b/unoconv
+@@ -543,6 +543,8 @@ class Options:
+ self.template = None
+ self.timeout = 6
+ self.verbose = 0
++ self.userProfile = None
++ self.updateDocMode = NO_UPDATE
+
+ self.setprinter = False
+ self.paperformat = None
+@@ -555,8 +557,8 @@ class Options:
+ ['connection=', 'debug', 'doctype=', 'export=', 'field=', 'format=',
+ 'help', 'import=', 'import-filter-name=', 'listener', 'meta=', 'no-launch',
+ 'output=', 'outputpath', 'password=', 'pipe=', 'port=', 'preserve',
+- 'server=', 'timeout=', 'show', 'stdin', 'stdout', 'template', 'printer=',
+- 'verbose', 'version'] )
++ 'server=', 'timeout=', 'user-profile=', 'show', 'stdin',
++ 'stdout', 'template', 'printer=', 'unsafe-quiet-update', 'verbose', 'version'] )
+ except getopt.error as exc:
+ print('unoconv: %s, try unoconv -h for a list of all the options' % str(exc))
+ sys.exit(255)
+@@ -646,6 +648,10 @@ class Options:
+ self.template = arg
+ elif opt in ['-T', '--timeout']:
+ self.timeout = int(arg)
++ elif opt in ['--unsafe-quiet-update']:
++ # ref https://www.openoffice.org/api/docs/common/ref/com/sun/star/document/UpdateDocMode.html
++ print('Warning: Do not use the option --unsafe-quiet-update with untrusted input.')
++ self.updateDocMode = QUIET_UPDATE
+ elif opt in ['-v', '--verbose']:
+ self.verbose = self.verbose + 1
+ elif opt in ['-V', '--version']:
+@@ -760,6 +766,7 @@ unoconv options:
+ --stdout write output to stdout
+ -t, --template=file import the styles from template (.ott)
+ -T, --timeout=secs timeout after secs if connection to listener fails
++ --unsafe-quiet-update allow rendered document to fetch external resources (Warning: this is unsafe with untrusted input)
+ -v, --verbose be more and more verbose (-vvv for debugging)
+ --version display version number of unoconv, OOo/LO and platform details
+ -P, --printer printer options
+@@ -930,7 +937,7 @@ class Convertor:
+ phase = "import"
+
+ ### Load inputfile
+- inputprops = UnoProps(Hidden=True, ReadOnly=True, UpdateDocMode=QUIET_UPDATE)
++ inputprops = UnoProps(Hidden=True, ReadOnly=True, UpdateDocMode=op.updateDocMode)
+
+ if op.password:
+ inputprops += UnoProps(Password=op.password)
+@@ -983,23 +990,25 @@ class Convertor:
+ # except AttributeError:
+ # pass
+
+- ### Update document links
+- phase = "update-links"
+- try:
+- document.updateLinks()
+- # Found that when converting HTML files with external images, OO would only load five or six of
+- # the images in the file. In the resulting document, the rest of the images did not appear. Cycling
+- # through all the image references in the document seems to force OO to actually load them. Found
+- # some helpful guidance in this thread:
+- # https://forum.openoffice.org/en/forum/viewtopic.php?f=30&t=23909
+- # Ideally we would like to have the option to embed the images into the document, but I have not been
+- # able to figure out how to do this yet.
+- graphObjs = document.GraphicObjects
+- for i in range(0, graphObjs.getCount()):
+- graphObj = graphObjs.getByIndex(i)
+- except AttributeError:
+- # the document doesn't implement the XLinkUpdate interface
+- pass
++ ### Update document links if appropriate
++ if op.updateDocMode != NO_UPDATE:
++ phase = "update-links"
++ try:
++ document.updateLinks()
++ # Found that when converting HTML files with external images, OO would only load five or six of
++ # the images in the file. In the resulting document, the rest of the images did not appear. Cycling
++ # through all the image references in the document seems to force OO to actually load them. Found
++ # some helpful guidance in this thread:
++ # https://forum.openoffice.org/en/forum/viewtopic.php?f=30&t=23909
++ # Ideally we would like to have the option to embed the images into the document, but I have not been
++ # able to figure out how to do this yet.
++ if op.updatehtmllinks:
++ graphObjs = document.GraphicObjects
++ for i in range(0, graphObjs.getCount()):
++ graphObj = graphObjs.getByIndex(i)
++ except AttributeError:
++ # the document doesn't implement the XLinkUpdate interface
++ pass
+
+ ### Add/Replace variables
+ phase = "replace-fields"
+@@ -1347,7 +1356,7 @@ if __name__ == '__main__':
+ ### Now that we have found a working pyuno library, let's import some classes
+ from com.sun.star.beans import PropertyValue
+ from com.sun.star.connection import NoConnectException
+- from com.sun.star.document.UpdateDocMode import QUIET_UPDATE
++ from com.sun.star.document.UpdateDocMode import NO_UPDATE, QUIET_UPDATE
+ from com.sun.star.lang import DisposedException, IllegalArgumentException
+ from com.sun.star.io import IOException, XOutputStream
+ from com.sun.star.script import CannotConvertException
+--
+2.23.0
+
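Review bot: In the `update-links` hunk the new code reads `op.updatehtmllinks`, but the `Options.__init__` hunk of this patch only adds `userProfile` and `updateDocMode`. Unless 0.8.2 already defines that attribute (not visible here), the lookup raises `AttributeError`, which the surrounding `except AttributeError: pass` swallows, so the graphic-object loop is silently skipped whenever `--unsafe-quiet-update` is used. For a backport, `if getattr(op, 'updatehtmllinks', True):` or dropping the condition keeps the pre-patch behaviour; likewise `'user-profile='` is added to the getopt list with no handler in any visible hunk. The warning in the `--unsafe-quiet-update` branch is printed to stdout, where it would mix into the converted document when `--stdout` is in use; `print('Warning: Do not use the option --unsafe-quiet-update with untrusted input.', file=sys.stderr)` avoids that. These hunks cut through `Options` and `Convertor` methods whose bodies continue outside the patch, so the points above should be checked against the full 0.8.2 source.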