101447 2012-11-07 04:45:48 -0800 Warn when parsing an invalid X-Frame-Options header. 2012-11-08 01:56:43 -0800 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED WebExposed P2 Normal --- 1 mkwst mkwst abarth japhet webkit.review.bot oldest_to_newest 760530 0 mkwst 2012-11-07 04:45:48 -0800 The report at http://www.veracode.com/blog/2012/11/security-headers-report/ notes that ~1.7% of the ~12k sites it found to be sending X-Frame-Options headers were invalid. Currently, if we see such a header with a value that is not a case-insensitive match for SAMEORIGIN or DENY, we ignore it completely. Interpreting an invalid X-Frame-Options header as DENY seems safer. Sites probably aren't setting an X-Frame-Options header with the intent of allowing frames (with the exception of 'Allow-From', I suppose... should we support that option?). If that's too draconian, we should still at least throw a warning that the header is being ignored. Adam, WDYT? 760817 1 abarth 2012-11-07 10:04:50 -0800 What does the spec say to do? http://tools.ietf.org/html/draft-ietf-websec-x-frame-options 760967 2 mkwst 2012-11-07 12:29:13 -0800 (In reply to comment #1) > What does the spec say to do? http://tools.ietf.org/html/draft-ietf-websec-x-frame-options So far as I can tell, the spec is silent on the issue of invalid header content. The closest I see is "Any data beyond the domain address (i.e. any data after the "/" separator) is to be ignored." when discussing the 'Allow-From' option. And actually, contrary to the article, it looks like Firefox exhibits the same behavior as WebKit and IE by ignoring invalid headers (assuming that I'm looking at the right code: http://mxr.mozilla.org/mozilla-aurora/source/docshell/base/nsDSURIContentListener.cpp#262). So, why don't we just send a warning, but keep the behavior the same as Firefox and IE? Implementing 'Allow-From' is a separate question. I'd lean towards yes. The functionality seems useful (and conceptually similar to CORS), it's specified, IE supports it, and it looks like Mozilla is playing with it (http://mxr.mozilla.org/mozilla-central/source/docshell/base/nsDSURIContentListener.cpp#375 (Is "Mozilla Central" older or newer than "Mozilla Aurora"?)). If you think it's reasonable to implement in WebKit, I'll put a patch together in a separate bug. 761018 3 abarth 2012-11-07 13:28:47 -0800 I don't think we should implement allow-from. I should email the working group and complain about its inclusion in the spec. 761020 4 mkwst 2012-11-07 13:31:17 -0800 (In reply to comment #3) > I don't think we should implement allow-from. I should email the working group and complain about its inclusion in the spec. How about the source list associated with the 'frame-options' directive in the UI Safety spec (assuming that becomes the place where frame options live)? 761025 5 abarth 2012-11-07 13:43:16 -0800 Yes, the reason not to implement allow-from is because we'd like to unify the handling with CSP and not have a separate code path. I've emailed the working group. The spec is only informational, so it's hard to get things removed. Instead I've asked for a note explaining that allow-from is an IE-only extension. 761043 6 172869 mkwst 2012-11-07 14:15:06 -0800 Created attachment 172869 Patch 761479 7 172869 webkit.review.bot 2012-11-08 01:43:47 -0800 Comment on attachment 172869 Patch Clearing flags on attachment: 172869 Committed r133868: <http://trac.webkit.org/changeset/133868> 761480 8 webkit.review.bot 2012-11-08 01:43:51 -0800 All reviewed patches have been landed. Closing bug. 172869 2012-11-07 14:15:06 -0800 2012-11-08 01:43:47 -0800 Patch bug-101447-20121107231316.patch text/plain 10592 mkwst U3VidmVyc2lvbiBSZXZpc2lvbjogMTMzNzkwCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZDU4YWMyNTI0ZGYyNjNm YjJhZjkyMTg5OGIxMDUwYjcwNGM4MDZlMy4uN2VkNmJkYmIyMjk2ZmQyNGM3ODQ1MzI4YmU1NWZh ZjE2NmFkODRiMCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDMyIEBACisyMDEyLTExLTA3ICBNaWtl IFdlc3QgIDxta3dzdEBjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgV2FybiB3aGVuIHBhcnNpbmcg YW4gaW52YWxpZCBYLUZyYW1lLU9wdGlvbnMgaGVhZGVyLgorICAgICAgICBodHRwczovL2J1Z3Mu d2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTAxNDQ3CisKKyAgICAgICAgUmV2aWV3ZWQgYnkg Tk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgQW4gJ1gtRnJhbWUtT3B0aW9ucycgaGVhZGVyIHRo YXQgY29udGFpbnMgYW4gaW52YWxpZCBvcHRpb24gKHRoYXQgaXMsCisgICAgICAgIG5laXRoZXIg J0RFTlknIG5vciAnU0FNRU9SSUdJTicpIGlzIGlnbm9yZWQuIFRoaXMgcGF0Y2ggYWRkcyBhIGNv bnNvbGUKKyAgICAgICAgd2FybmluZyB0byBub3RpZnkgZGV2ZWxvcGVycyB0aGF0IHRoZXkndmUg bWFkZSBhIG1pc3Rha2UuCisKKyAgICAgICAgVGVzdDogaHR0cC90ZXN0cy9zZWN1cml0eS9YRnJh bWVPcHRpb25zL3gtZnJhbWUtb3B0aW9ucy1pbnZhbGlkLmh0bWwKKworICAgICAgICAqIGRvbS9E b2N1bWVudC5jcHA6CisgICAgICAgIChXZWJDb3JlOjpEb2N1bWVudDo6cHJvY2Vzc0h0dHBFcXVp dik6CisgICAgICAgICAgICBNb3ZlIHRoZSByZXF1ZXN0IGlkZW50aWZpZXIgZ2VuZXJhdGlvbiBv dXQgb2YgdGhlIGZhaWx1cmUgYmxvY2sgaW4KKyAgICAgICAgICAgIG9yZGVyIHRvIHBhc3MgaXQg aW50byAnc2hvdWxkSW50ZXJydXB0TG9hZEZvclhGcmFtZU9wdGlvbnMnLiBUaGlzCisgICAgICAg ICAgICBlbnN1cmVzIHRoYXQgdGhlIGNvbnNvbGUgbWVzc2FnZSBpcyBwcm9wZXJseSB0aWVkIHRv IGEgcmVxdWVzdC4KKyAgICAgICAgKiBsb2FkZXIvRnJhbWVMb2FkZXIuY3BwOgorICAgICAgICAo V2ViQ29yZTo6RnJhbWVMb2FkZXI6OnNob3VsZEludGVycnVwdExvYWRGb3JYRnJhbWVPcHRpb25z KToKKyAgICAgICAgKiBsb2FkZXIvRnJhbWVMb2FkZXIuaDoKKyAgICAgICAgKEZyYW1lTG9hZGVy KToKKyAgICAgICAgICAgICdzaG91bGRJbnRlcnJ1cHRMb2FkRm9yWEZyYW1lT3B0aW9ucycgbm93 IGFjY2VwdHMgYSByZXF1ZXN0CisgICAgICAgICAgICBpZGVudGlmaWVyIGFzIGEgcGFyYW1ldGVy LCBhbmQgZ2VuZXJhdGVzIGEgY29uc29sZSBtZXNzYWdlIGlmIHRoZQorICAgICAgICAgICAgbG9h ZCBpcyBibG9ja2VkLgorICAgICAgICAqIGxvYWRlci9NYWluUmVzb3VyY2VMb2FkZXIuY3BwOgor ICAgICAgICAoV2ViQ29yZTo6TWFpblJlc291cmNlTG9hZGVyOjpkaWRSZWNlaXZlUmVzcG9uc2Up OgorICAgICAgICAgICAgUGFzcyB0aGUgcmVxdWVzdCBpZGVudGlmaWVyIGludG8gJ3Nob3VsZElu dGVycnVwdExvYWRGb3JYRnJhbWVPcHRpb25zJy4KKwogMjAxMi0xMS0wNyAgRmFkeSBTYW11ZWwg IDxmc2FtdWVsQGNocm9taXVtLm9yZz4KIAogICAgICAgICBBdXRvcmVzaXplIHNob3VsZCB3b3Jr IGV2ZW4gaWYgdHVybmVkIG9uIHdoaWxlIHRoZSBwYWdlIGlzIGxvYWRpbmcuCmRpZmYgLS1naXQg YS9Tb3VyY2UvV2ViQ29yZS9kb20vRG9jdW1lbnQuY3BwIGIvU291cmNlL1dlYkNvcmUvZG9tL0Rv Y3VtZW50LmNwcAppbmRleCAzMWZkYmFlZDQ4OThkMmUwY2QxNTllYWM4NmI1ODdhNWY2OGU5YjI4 Li4wYmE4YzhiOGNkZDRjM2U2ZjdjZmE1MzRhMDY5NmRiNGRiMWM1ZmM4IDEwMDY0NAotLS0gYS9T b3VyY2UvV2ViQ29yZS9kb20vRG9jdW1lbnQuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL2RvbS9E b2N1bWVudC5jcHAKQEAgLTI5NDYsMTIgKzI5NDYsMTEgQEAgdm9pZCBEb2N1bWVudDo6cHJvY2Vz c0h0dHBFcXVpdihjb25zdCBTdHJpbmcmIGVxdWl2LCBjb25zdCBTdHJpbmcmIGNvbnRlbnQpCiAg ICAgZWxzZSBpZiAoZXF1YWxJZ25vcmluZ0Nhc2UoZXF1aXYsICJ4LWZyYW1lLW9wdGlvbnMiKSkg ewogICAgICAgICBpZiAoZnJhbWUpIHsKICAgICAgICAgICAgIEZyYW1lTG9hZGVyKiBmcmFtZUxv YWRlciA9IGZyYW1lLT5sb2FkZXIoKTsKLSAgICAgICAgICAgIGlmIChmcmFtZUxvYWRlci0+c2hv dWxkSW50ZXJydXB0TG9hZEZvclhGcmFtZU9wdGlvbnMoY29udGVudCwgdXJsKCkpKSB7Ci0gICAg ICAgICAgICAgICAgdW5zaWduZWQgbG9uZyByZXF1ZXN0SWRlbnRpZmllciA9IDA7Ci0gICAgICAg ICAgICAgICAgaWYgKGZyYW1lTG9hZGVyLT5hY3RpdmVEb2N1bWVudExvYWRlcigpICYmIGZyYW1l TG9hZGVyLT5hY3RpdmVEb2N1bWVudExvYWRlcigpLT5tYWluUmVzb3VyY2VMb2FkZXIoKSkKLSAg ICAgICAgICAgICAgICAgICAgcmVxdWVzdElkZW50aWZpZXIgPSBmcmFtZUxvYWRlci0+YWN0aXZl RG9jdW1lbnRMb2FkZXIoKS0+bWFpblJlc291cmNlTG9hZGVyKCktPmlkZW50aWZpZXIoKTsKKyAg ICAgICAgICAgIHVuc2lnbmVkIGxvbmcgcmVxdWVzdElkZW50aWZpZXIgPSAwOworICAgICAgICAg ICAgaWYgKGZyYW1lTG9hZGVyLT5hY3RpdmVEb2N1bWVudExvYWRlcigpICYmIGZyYW1lTG9hZGVy LT5hY3RpdmVEb2N1bWVudExvYWRlcigpLT5tYWluUmVzb3VyY2VMb2FkZXIoKSkKKyAgICAgICAg ICAgICAgICByZXF1ZXN0SWRlbnRpZmllciA9IGZyYW1lTG9hZGVyLT5hY3RpdmVEb2N1bWVudExv YWRlcigpLT5tYWluUmVzb3VyY2VMb2FkZXIoKS0+aWRlbnRpZmllcigpOworICAgICAgICAgICAg aWYgKGZyYW1lTG9hZGVyLT5zaG91bGRJbnRlcnJ1cHRMb2FkRm9yWEZyYW1lT3B0aW9ucyhjb250 ZW50LCB1cmwoKSwgcmVxdWVzdElkZW50aWZpZXIpKSB7CiAgICAgICAgICAgICAgICAgU3RyaW5n IG1lc3NhZ2UgPSAiUmVmdXNlZCB0byBkaXNwbGF5ICciICsgdXJsKCkuc3RyaW5nKCkgKyAiJyBp biBhIGZyYW1lIGJlY2F1c2UgaXQgc2V0ICdYLUZyYW1lLU9wdGlvbnMnIHRvICciICsgY29udGVu dCArICInLiI7Ci0KICAgICAgICAgICAgICAgICBmcmFtZUxvYWRlci0+c3RvcEFsbExvYWRlcnMo KTsKICAgICAgICAgICAgICAgICBmcmFtZS0+bmF2aWdhdGlvblNjaGVkdWxlcigpLT5zY2hlZHVs ZUxvY2F0aW9uQ2hhbmdlKHNlY3VyaXR5T3JpZ2luKCksIGJsYW5rVVJMKCksIFN0cmluZygpKTsK ICAgICAgICAgICAgICAgICBhZGRDb25zb2xlTWVzc2FnZShKU01lc3NhZ2VTb3VyY2UsIExvZ01l c3NhZ2VUeXBlLCBFcnJvck1lc3NhZ2VMZXZlbCwgbWVzc2FnZSwgdXJsKCkuc3RyaW5nKCksIDAs IDAsIHJlcXVlc3RJZGVudGlmaWVyKTsKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2xvYWRl ci9GcmFtZUxvYWRlci5jcHAgYi9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvRnJhbWVMb2FkZXIuY3Bw CmluZGV4IGY1YzJhMzQzNjI1YmUzYTFhYzdkYjc4Y2E4MmNlODM0YzcyOTVmMjcuLmNjNTY5NmNk Y2M3NmY2MTdhMmFhMTliMjI2YmY1MDYzYmMzNTI5MDUgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJD b3JlL2xvYWRlci9GcmFtZUxvYWRlci5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvbG9hZGVyL0Zy YW1lTG9hZGVyLmNwcApAQCAtMjkwMCw3ICsyOTAwLDcgQEAgdm9pZCBGcmFtZUxvYWRlcjo6YXBw bHlVc2VyQWdlbnQoUmVzb3VyY2VSZXF1ZXN0JiByZXF1ZXN0KQogICAgIHJlcXVlc3Quc2V0SFRU UFVzZXJBZ2VudCh1c2VyQWdlbnQpOwogfQogCi1ib29sIEZyYW1lTG9hZGVyOjpzaG91bGRJbnRl cnJ1cHRMb2FkRm9yWEZyYW1lT3B0aW9ucyhjb25zdCBTdHJpbmcmIGNvbnRlbnQsIGNvbnN0IEtV UkwmIHVybCkKK2Jvb2wgRnJhbWVMb2FkZXI6OnNob3VsZEludGVycnVwdExvYWRGb3JYRnJhbWVP cHRpb25zKGNvbnN0IFN0cmluZyYgY29udGVudCwgY29uc3QgS1VSTCYgdXJsLCB1bnNpZ25lZCBs b25nIHJlcXVlc3RJZGVudGlmaWVyKQogewogICAgIEZyYW1lKiB0b3BGcmFtZSA9IG1fZnJhbWUt PnRyZWUoKS0+dG9wKCk7CiAgICAgaWYgKG1fZnJhbWUgPT0gdG9wRnJhbWUpCkBAIC0yOTA4LDEx ICsyOTA4LDEzIEBAIGJvb2wgRnJhbWVMb2FkZXI6OnNob3VsZEludGVycnVwdExvYWRGb3JYRnJh bWVPcHRpb25zKGNvbnN0IFN0cmluZyYgY29udGVudCwgY29uCiAKICAgICBpZiAoZXF1YWxJZ25v cmluZ0Nhc2UoY29udGVudCwgImRlbnkiKSkKICAgICAgICAgcmV0dXJuIHRydWU7Ci0KLSAgICBp ZiAoZXF1YWxJZ25vcmluZ0Nhc2UoY29udGVudCwgInNhbWVvcmlnaW4iKSkgeworICAgIGVsc2Ug aWYgKGVxdWFsSWdub3JpbmdDYXNlKGNvbnRlbnQsICJzYW1lb3JpZ2luIikpIHsKICAgICAgICAg UmVmUHRyPFNlY3VyaXR5T3JpZ2luPiBvcmlnaW4gPSBTZWN1cml0eU9yaWdpbjo6Y3JlYXRlKHVy bCk7CiAgICAgICAgIGlmICghb3JpZ2luLT5pc1NhbWVTY2hlbWVIb3N0UG9ydCh0b3BGcmFtZS0+ ZG9jdW1lbnQoKS0+c2VjdXJpdHlPcmlnaW4oKSkpCiAgICAgICAgICAgICByZXR1cm4gdHJ1ZTsK KyAgICB9IGVsc2UgeworICAgICAgICBTdHJpbmcgbWVzc2FnZSA9ICJJbnZhbGlkICdYLUZyYW1l LU9wdGlvbnMnIGhlYWRlciBlbmNvdW50ZXJlZCB3aGVuIGxvYWRpbmcgJyIgKyB1cmwuc3RyaW5n KCkgKyAiJzogJyIgKyBjb250ZW50ICsgIicgaXMgbm90IGEgcmVjb2duaXplZCBkaXJlY3RpdmUu IFRoZSBoZWFkZXIgd2lsbCBiZSBpZ25vcmVkLiI7CisgICAgICAgIG1fZnJhbWUtPmRvY3VtZW50 KCktPmFkZENvbnNvbGVNZXNzYWdlKEpTTWVzc2FnZVNvdXJjZSwgTG9nTWVzc2FnZVR5cGUsIEVy cm9yTWVzc2FnZUxldmVsLCBtZXNzYWdlLCB1cmwuc3RyaW5nKCksIDAsIDAsIHJlcXVlc3RJZGVu dGlmaWVyKTsKICAgICB9CiAKICAgICByZXR1cm4gZmFsc2U7CmRpZmYgLS1naXQgYS9Tb3VyY2Uv V2ViQ29yZS9sb2FkZXIvRnJhbWVMb2FkZXIuaCBiL1NvdXJjZS9XZWJDb3JlL2xvYWRlci9GcmFt ZUxvYWRlci5oCmluZGV4IGU3OGVlNGU5ZTE0MDNjOTBjZGU4MTFmNDFkNmI4ZTBmOTFkODIwMzQu LjUxNjM2OWE4NjQyMzZmZGQ0YTVlNGEwOWJkNGU1Y2Q2MzA5N2U4YWQgMTAwNjQ0Ci0tLSBhL1Nv dXJjZS9XZWJDb3JlL2xvYWRlci9GcmFtZUxvYWRlci5oCisrKyBiL1NvdXJjZS9XZWJDb3JlL2xv YWRlci9GcmFtZUxvYWRlci5oCkBAIC0yNDYsNyArMjQ2LDcgQEAgcHVibGljOgogCiAgICAgdm9p ZCBhcHBseVVzZXJBZ2VudChSZXNvdXJjZVJlcXVlc3QmKTsKIAotICAgIGJvb2wgc2hvdWxkSW50 ZXJydXB0TG9hZEZvclhGcmFtZU9wdGlvbnMoY29uc3QgU3RyaW5nJiwgY29uc3QgS1VSTCYpOwor ICAgIGJvb2wgc2hvdWxkSW50ZXJydXB0TG9hZEZvclhGcmFtZU9wdGlvbnMoY29uc3QgU3RyaW5n JiwgY29uc3QgS1VSTCYsIHVuc2lnbmVkIGxvbmcgcmVxdWVzdElkZW50aWZpZXIpOwogCiAgICAg dm9pZCBjb21wbGV0ZWQoKTsKICAgICBib29sIGFsbEFuY2VzdG9yc0FyZUNvbXBsZXRlKCkgY29u c3Q7IC8vIGluY2x1ZGluZyB0aGlzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIv TWFpblJlc291cmNlTG9hZGVyLmNwcCBiL1NvdXJjZS9XZWJDb3JlL2xvYWRlci9NYWluUmVzb3Vy Y2VMb2FkZXIuY3BwCmluZGV4IDMzNGQ2NDg5NWJkZDE0MTdiMzM5NTVhZTcwMGZkMWU1ODg5ODBk N2IuLjgwNWNkMTVhYjA5Nzc4NTQwZjEzMmJlMjdjNWI3NDZhYjQ5YWEyM2IgMTAwNjQ0Ci0tLSBh L1NvdXJjZS9XZWJDb3JlL2xvYWRlci9NYWluUmVzb3VyY2VMb2FkZXIuY3BwCisrKyBiL1NvdXJj ZS9XZWJDb3JlL2xvYWRlci9NYWluUmVzb3VyY2VMb2FkZXIuY3BwCkBAIC0zNzEsNyArMzcxLDcg QEAgdm9pZCBNYWluUmVzb3VyY2VMb2FkZXI6OmRpZFJlY2VpdmVSZXNwb25zZShjb25zdCBSZXNv dXJjZVJlc3BvbnNlJiByKQogICAgIEhUVFBIZWFkZXJNYXA6OmNvbnN0X2l0ZXJhdG9yIGl0ID0g ci5odHRwSGVhZGVyRmllbGRzKCkuZmluZChBdG9taWNTdHJpbmcoIngtZnJhbWUtb3B0aW9ucyIp KTsKICAgICBpZiAoaXQgIT0gci5odHRwSGVhZGVyRmllbGRzKCkuZW5kKCkpIHsKICAgICAgICAg U3RyaW5nIGNvbnRlbnQgPSBpdC0+dmFsdWU7Ci0gICAgICAgIGlmIChtX2ZyYW1lLT5sb2FkZXIo KS0+c2hvdWxkSW50ZXJydXB0TG9hZEZvclhGcmFtZU9wdGlvbnMoY29udGVudCwgci51cmwoKSkp IHsKKyAgICAgICAgaWYgKG1fZnJhbWUtPmxvYWRlcigpLT5zaG91bGRJbnRlcnJ1cHRMb2FkRm9y WEZyYW1lT3B0aW9ucyhjb250ZW50LCByLnVybCgpLCBpZGVudGlmaWVyKCkpKSB7CiAgICAgICAg ICAgICBJbnNwZWN0b3JJbnN0cnVtZW50YXRpb246OmNvbnRpbnVlQWZ0ZXJYRnJhbWVPcHRpb25z RGVuaWVkKG1fZnJhbWUuZ2V0KCksIGRvY3VtZW50TG9hZGVyKCksIGlkZW50aWZpZXIoKSwgcik7 CiAgICAgICAgICAgICBTdHJpbmcgbWVzc2FnZSA9ICJSZWZ1c2VkIHRvIGRpc3BsYXkgJyIgKyBy LnVybCgpLnN0cmluZygpICsgIicgaW4gYSBmcmFtZSBiZWNhdXNlIGl0IHNldCAnWC1GcmFtZS1P cHRpb25zJyB0byAnIiArIGNvbnRlbnQgKyAiJy4iOwogICAgICAgICAgICAgbV9mcmFtZS0+ZG9j dW1lbnQoKS0+YWRkQ29uc29sZU1lc3NhZ2UoSlNNZXNzYWdlU291cmNlLCBMb2dNZXNzYWdlVHlw ZSwgRXJyb3JNZXNzYWdlTGV2ZWwsIG1lc3NhZ2UsIHIudXJsKCkuc3RyaW5nKCksIDAsIDAsIGlk ZW50aWZpZXIoKSk7CmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cgYi9MYXlvdXRU ZXN0cy9DaGFuZ2VMb2cKaW5kZXggMTViMzg4OGM0OWE1NzdjNDNhZDY5MjU4OWU1YTNkY2QwYzE0 ZDZiOS4uMDg2NmM4NGU0NTg1YWNiNDhlMDUzZDg2MTRkZDEyNmQ3NDZiNmQ0MSAxMDA2NDQKLS0t IGEvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCisrKyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwpAQCAt MSwzICsxLDE1IEBACisyMDEyLTExLTA3ICBNaWtlIFdlc3QgIDxta3dzdEBjaHJvbWl1bS5vcmc+ CisKKyAgICAgICAgV2FybiB3aGVuIHBhcnNpbmcgYW4gaW52YWxpZCBYLUZyYW1lLU9wdGlvbnMg aGVhZGVyLgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9 MTAxNDQ3CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAg KiBodHRwL3Rlc3RzL3NlY3VyaXR5L1hGcmFtZU9wdGlvbnMvcmVzb3VyY2VzL3gtZnJhbWUtb3B0 aW9ucy1pbnZhbGlkLmNnaTogQWRkZWQuCisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS9Y RnJhbWVPcHRpb25zL3gtZnJhbWUtb3B0aW9ucy1pbnZhbGlkLWV4cGVjdGVkLnR4dDogQWRkZWQu CisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS9YRnJhbWVPcHRpb25zL3gtZnJhbWUtb3B0 aW9ucy1pbnZhbGlkLmh0bWw6IEFkZGVkLgorICAgICAgICAgICAgTmV3IHRlc3Qgd2l0aCBhbiBp bnZhbGlkIGZyYW1lIG9wdGlvbiB2YWx1ZS4KKwogMjAxMi0xMS0wNyAgUGhpbGlwIFJvZ2VycyAg PHBkckBnb29nbGUuY29tPgogCiAgICAgICAgIFNraXAgU1ZHIHJlcGFpbnQgdHJhY2tpbmcgd2hl biBwYXJlbnQgY29udGFpbmVyIHRyYW5zZm9ybXMKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0 dHAvdGVzdHMvc2VjdXJpdHkvWEZyYW1lT3B0aW9ucy9yZXNvdXJjZXMveC1mcmFtZS1vcHRpb25z LWludmFsaWQuY2dpIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9YRnJhbWVPcHRp b25zL3Jlc291cmNlcy94LWZyYW1lLW9wdGlvbnMtaW52YWxpZC5jZ2kKbmV3IGZpbGUgbW9kZSAx MDA3NTUKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMC4uNmVi NTU3ZTUwNmI2NjM5MmM3MjA2YmY1ZjA5NTIzYjliYTVlNzVlNgotLS0gL2Rldi9udWxsCisrKyBi L0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvWEZyYW1lT3B0aW9ucy9yZXNvdXJjZXMv eC1mcmFtZS1vcHRpb25zLWludmFsaWQuY2dpCkBAIC0wLDAgKzEsOCBAQAorIyEvdXNyL2Jpbi9w ZXJsIC13VAordXNlIHN0cmljdDsKKworcHJpbnQgIkNvbnRlbnQtVHlwZTogdGV4dC9odG1sXG4i OworcHJpbnQgIkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlLCBuby1zdG9yZVxuIjsKK3ByaW50ICJY LUZSQU1FLU9QVElPTlM6IElOVkFMSUQgSU5WQUxJRCBJTlZBTElEXG5cbiI7CisKK3ByaW50ICI8 cD5QQVNTOiBUaGlzIHRleHQgc2hvdWxkIHNob3cgdXAuPC9wPlxuIjsKZGlmZiAtLWdpdCBhL0xh eW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvWEZyYW1lT3B0aW9ucy94LWZyYW1lLW9wdGlv bnMtaW52YWxpZC1leHBlY3RlZC50eHQgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5 L1hGcmFtZU9wdGlvbnMveC1mcmFtZS1vcHRpb25zLWludmFsaWQtZXhwZWN0ZWQudHh0Cm5ldyBm aWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAuLmY1Y2E0NjJiMmViZDAwYmZiZjliZDg5ZDk2YWNhNThmYzFjMDZmODcKLS0tIC9kZXYv bnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L1hGcmFtZU9wdGlvbnMv eC1mcmFtZS1vcHRpb25zLWludmFsaWQtZXhwZWN0ZWQudHh0CkBAIC0wLDAgKzEsMTIgQEAKK2h0 dHA6Ly8xMjcuMC4wLjE6ODAwMC9zZWN1cml0eS9YRnJhbWVPcHRpb25zL3Jlc291cmNlcy94LWZy YW1lLW9wdGlvbnMtaW52YWxpZC5jZ2kgLSB3aWxsU2VuZFJlcXVlc3QgPE5TVVJMUmVxdWVzdCBV UkwgaHR0cDovLzEyNy4wLjAuMTo4MDAwL3NlY3VyaXR5L1hGcmFtZU9wdGlvbnMvcmVzb3VyY2Vz L3gtZnJhbWUtb3B0aW9ucy1pbnZhbGlkLmNnaSwgbWFpbiBkb2N1bWVudCBVUkwgaHR0cDovLzEy Ny4wLjAuMTo4MDAwL3NlY3VyaXR5L1hGcmFtZU9wdGlvbnMveC1mcmFtZS1vcHRpb25zLWludmFs aWQuaHRtbCwgaHR0cCBtZXRob2QgR0VUPiByZWRpcmVjdFJlc3BvbnNlIChudWxsKQorPHVua25v d24+IC0gZGlkRmluaXNoTG9hZGluZworQ09OU09MRSBNRVNTQUdFOiBJbnZhbGlkICdYLUZyYW1l LU9wdGlvbnMnIGhlYWRlciBlbmNvdW50ZXJlZCB3aGVuIGxvYWRpbmcgJ2h0dHA6Ly8xMjcuMC4w LjE6ODAwMC9zZWN1cml0eS9YRnJhbWVPcHRpb25zL3Jlc291cmNlcy94LWZyYW1lLW9wdGlvbnMt aW52YWxpZC5jZ2knOiAnSU5WQUxJRCBJTlZBTElEIElOVkFMSUQnIGlzIG5vdCBhIHJlY29nbml6 ZWQgZGlyZWN0aXZlLiBUaGUgaGVhZGVyIHdpbGwgYmUgaWdub3JlZC4KK2h0dHA6Ly8xMjcuMC4w LjE6ODAwMC9zZWN1cml0eS9YRnJhbWVPcHRpb25zL3Jlc291cmNlcy94LWZyYW1lLW9wdGlvbnMt aW52YWxpZC5jZ2kgLSBkaWRSZWNlaXZlUmVzcG9uc2UgPE5TVVJMUmVzcG9uc2UgaHR0cDovLzEy Ny4wLjAuMTo4MDAwL3NlY3VyaXR5L1hGcmFtZU9wdGlvbnMvcmVzb3VyY2VzL3gtZnJhbWUtb3B0 aW9ucy1pbnZhbGlkLmNnaSwgaHR0cCBzdGF0dXMgY29kZSAyMDA+CitUaGUgZnJhbWUgYmVsb3cg c2hvdWxkIGxvYWQsIGFuZCBhIGNvbnNvbGUgbWVzc2FnZSBzaG91bGQgYmUgZ2VuZXJhdGVkIHRo YXQgbm90ZXMgdGhlIGludmFsaWQgaGVhZGVyLgorCisKKworLS0tLS0tLS0KK0ZyYW1lOiAnPCEt LWZyYW1lUGF0aCAvLzwhLS1mcmFtZTAtLT4tLT4nCistLS0tLS0tLQorUEFTUzogVGhpcyB0ZXh0 IHNob3VsZCBzaG93IHVwLgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1 cml0eS9YRnJhbWVPcHRpb25zL3gtZnJhbWUtb3B0aW9ucy1pbnZhbGlkLmh0bWwgYi9MYXlvdXRU ZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L1hGcmFtZU9wdGlvbnMveC1mcmFtZS1vcHRpb25zLWlu dmFsaWQuaHRtbApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwLi5hZDMzMTgzYzkyNjYzYmJmNDljOGJhZDU0ZWQzZWMyNGFl ZDU5NTU4Ci0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0 eS9YRnJhbWVPcHRpb25zL3gtZnJhbWUtb3B0aW9ucy1pbnZhbGlkLmh0bWwKQEAgLTAsMCArMSwx MSBAQAorPHNjcmlwdD4KKyAgICBpZiAod2luZG93LnRlc3RSdW5uZXIpIHsKKyAgICAgICAgdGVz dFJ1bm5lci5kdW1wQXNUZXh0KCk7CisgICAgICAgIHRlc3RSdW5uZXIuZHVtcENoaWxkRnJhbWVz QXNUZXh0KCk7CisgICAgICAgIHRlc3RSdW5uZXIuZHVtcFJlc291cmNlTG9hZENhbGxiYWNrcygp OworICAgIH0KKzwvc2NyaXB0PgorCis8cD5UaGUgZnJhbWUgYmVsb3cgc2hvdWxkIGxvYWQsIGFu ZCBhIGNvbnNvbGUgbWVzc2FnZSBzaG91bGQgYmUgZ2VuZXJhdGVkCit0aGF0IG5vdGVzIHRoZSBp bnZhbGlkIGhlYWRlci48L3A+Cis8aWZyYW1lIHN0eWxlPSJ3aWR0aDo1MDBweDsgaGVpZ2h0OjUw MHB4IiBzcmM9Imh0dHA6Ly8xMjcuMC4wLjE6ODAwMC9zZWN1cml0eS9YRnJhbWVPcHRpb25zL3Jl c291cmNlcy94LWZyYW1lLW9wdGlvbnMtaW52YWxpZC5jZ2kiPjwvaWZyYW1lPgo=