101683 2012-11-08 18:32:11 -0800 Merge isViewSource checks in ScriptController::executeIfJavaScriptURL and ScriptController::canExecuteScripts. 2013-01-25 09:50:28 -0800 1 1 1 Unclassified WebKit WebCore JavaScript 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 ap mkwst abarth mkwst thorton webkit.review.bot oldest_to_newest 762411 0 ap 2012-11-08 18:32:11 -0800 Most of these checks are there, so perhaps the CSP one should be there, too? Notably, isViewSource check seems to be duplicated in these locations... But one looks in Frame, and another in Document! 762414 1 abarth 2012-11-08 18:36:18 -0800 > Most of these checks are there, so perhaps the CSP one should be there, too? In CSP, you can have JavaScript URLs turned off but have script (more generally) turned on. CSP treats JavaScript URLs like inline script (e.g., <script>...</script>), the idea being that JavaScript URLs can be injected by attackers (e.g., <a href="$userSuppliedString">...</a>). The view-source bits do look dodgy though. 763334 2 ap 2012-11-09 14:34:41 -0800 Thank you Adam, reusing the bug to track the second issue then. 763612 3 mkwst 2012-11-09 23:42:47 -0800 I'll take a look at the isViewSource checks. 763613 4 mkwst 2012-11-10 00:15:39 -0800 Can JavaScript URLs ever execute if JavaScript is disabled? That is, could I simply replace some of the logic in executeIfJavaScriptURL with a call to canExecuteScripts? 763614 5 mkwst 2012-11-10 00:17:09 -0800 (In reply to comment #4) > Can JavaScript URLs ever execute if JavaScript is disabled? That is, could I simply replace some of the logic in executeIfJavaScriptURL with a call to canExecuteScripts? For instance, executeIfJavaScriptURL doesn't check settings, nor does it check sandbox status. It seems like it should do both. 763695 6 abarth 2012-11-10 11:45:55 -0800 > Can JavaScript URLs ever execute if JavaScript is disabled? Nope. > That is, could I simply replace some of the logic in executeIfJavaScriptURL with a call to canExecuteScripts? Yes, but we'll need the extra CSP check for 'unsafe-inline'. 763745 7 mkwst 2012-11-10 15:25:39 -0800 (In reply to comment #6) > > That is, could I simply replace some of the logic in executeIfJavaScriptURL with a call to canExecuteScripts? > > Yes, but we'll need the extra CSP check for 'unsafe-inline'. Right. I've put a patch together that simply replaces the viewsource check with a call to canExecuteScripts. That works correctly, so far as I can tell, but I'm having trouble identifying a testable change in behavior. The two missing tests (settings and sandbox) seem both to be taken care of somewhere else in the code; I haven't had any luck constructing a test that failed without the patch. Do you see anything relevant? 763897 8 abarth 2012-11-11 15:20:08 -0800 I don't expect there will be any change in behavior. 764066 9 173563 mkwst 2012-11-11 22:47:47 -0800 Created attachment 173563 Patch 764875 10 173563 abarth 2012-11-12 15:12:36 -0800 Comment on attachment 173563 Patch I'm looking at the call site in FrameLoader::urlSelected. Is there some way that was checking that JavaScript was disabled before? I don't see where that check would have been. data:text/html,<iframe sandbox srcdoc="<a href=javascript:alert(1)>click me</a>"><iframe> That doesn't seem to execute when clicked.... 764876 11 abarth 2012-11-12 15:14:25 -0800 I see, the check is in ScriptController::executeScript, which is called by executeIfJavaScriptURL 764877 12 173563 abarth 2012-11-12 15:16:45 -0800 Comment on attachment 173563 Patch So, this does the wrong thing for view-source documents. It's too bad we don't have a test for that. (We should add one.) Notice that ScriptController::canExecuteScripts returns true when isViewSource, but executeIfJavaScriptURL used to abort execution if inViewSourceMode 764882 13 abarth 2012-11-12 15:21:15 -0800 As for the relation between isViewSource and inViewSourceMode, it looks like the Document freezes the inViewSourceMode from the Frame on creation (i.e., in DocumentWriter::createDocument). The inViewSourceMode is at the mercy of the frame's attributes (i.e., in HTMLFrameElementBase::parseAttribute). That means this teh call site in executeIfJavaScriptURL should use isViewSource from the Document rather than inViewSourceMode from the frame. The way to write a test is to create a frame with a javascript URL in it, after the frame loads, set the viewsource attribute on the frame, then try to execute the javascript URL. Currently, the javascript URL will be blocked (the Frame is in view source mode but the document is not), but there isn't any reason that it should be blocked. 816408 14 mkwst 2013-01-25 02:21:47 -0800 (In reply to comment #13) > As for the relation between isViewSource and inViewSourceMode, it looks like the Document freezes the inViewSourceMode from the Frame on creation (i.e., in DocumentWriter::createDocument). The inViewSourceMode is at the mercy of the frame's attributes (i.e., in HTMLFrameElementBase::parseAttribute). > > That means this teh call site in executeIfJavaScriptURL should use isViewSource from the Document rather than inViewSourceMode from the frame. The way to write a test is to create a frame with a javascript URL in it, after the frame loads, set the viewsource attribute on the frame, then try to execute the javascript URL. Currently, the javascript URL will be blocked (the Frame is in view source mode but the document is not), but there isn't any reason that it should be blocked. Sorry, I missed this response way back in November. Given that executeIfJavaScriptURL ends up calling canExecuteScripts (via executeScript), I think we can safely drop the isViewSource check from the former entirely. I'll attach a patch in a moment that does just that, and adds a small test to verify that the document's viewsource bit is checked. 816418 15 184709 mkwst 2013-01-25 02:46:01 -0800 Created attachment 184709 Patch 816649 16 184709 abarth 2013-01-25 09:25:37 -0800 Comment on attachment 184709 Patch Ok 816674 17 184709 webkit.review.bot 2013-01-25 09:50:23 -0800 Comment on attachment 184709 Patch Clearing flags on attachment: 184709 Committed r140839: <http://trac.webkit.org/changeset/140839> 816675 18 webkit.review.bot 2013-01-25 09:50:28 -0800 All reviewed patches have been landed. Closing bug. 173563 2012-11-11 22:47:47 -0800 2013-01-25 02:45:57 -0800 Patch bug-101683-20121112074550.patch text/plain 2181 mkwst U3VidmVyc2lvbiBSZXZpc2lvbjogMTM0MTY1CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggYzFmYmYzNmZmYzNlNTEz YWYxOGRjNzhhZjI3MmJlMTc3M2VhMjhkZS4uNGYzMGRjNDRiMTgyOWVhMjA5MDE1OWExMDU4YTI1 OWU4NDQ1NjI5ZiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDI0IEBACisyMDEyLTExLTExICBNaWtl IFdlc3QgIDxta3dzdEBjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgU2NyaXB0Q29udHJvbGxlcjo6 ZXhlY3V0ZUlmSmF2YVNjcmlwdFVSTCBzaG91bGQgY2hlY2sgdGhhdCBzY3JpcHQgaXMgZXhlY3V0 YWJsZS4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTEw MTY4MworCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFNj cmlwdENvbnRyb2xsZXI6OmV4ZWN1dGVJZkphdmFTY3JpcHRVUkwgY3VycmVudGx5IGNoZWNrcyB3 aGV0aGVyIHRoZQorICAgICAgICBjdXJyZW50IGZyYW1lIGlzIGluIFZpZXcgU291cmNlIG1vZGUu IEl0IGRvZXNuJ3QgY2hlY2sgbWFueSBvZiB0aGUgb3RoZXIKKyAgICAgICAgY29uZGl0aW9ucyB3 aGljaCBzaG91bGQgZ292ZXJuIHNjcmlwdCBleGVjdXRpb24gKHNhbmRib3hpbmcsIGZvcgorICAg ICAgICBpbnN0YW5jZSkuIFJhdGhlciB0aGFuIHJlbHlpbmcgb24gb3RoZXIgZXh0ZXJuYWwgY2hl Y2tzLCB3ZSBzaG91bGQgYmUKKyAgICAgICAgZXhwbGljaXQgaGVyZSB0aGF0IEphdmFTY3JpcHQg VVJMcyBjYW4gb25seSBleGVjdXRlIHdoZW4gYWxsIHRoZQorICAgICAgICBjb25kaXRpb25zIGZv ciBTY3JpcHRDb250cm9sbGVyOjpjYW5FeGVjdXRlU2NyaXB0IGFyZSBtZXQuCisKKyAgICAgICAg SW4gYSBwZXJmZWN0IHdvcmxkLCB0aGlzIHdvbid0IG1ha2UgYW55IHZpc2libGUgY2hhbmdlIHRv IFdlYktpdCdzCisgICAgICAgIGJlaGF2aW9yLCBhbmQgd2lsbCBiZSBjb3ZlcmVkIGJ5IGV4aXN0 aW5nIHRlc3RzLgorCisgICAgICAgICogYmluZGluZ3MvU2NyaXB0Q29udHJvbGxlckJhc2UuY3Bw OgorICAgICAgICAoV2ViQ29yZTo6U2NyaXB0Q29udHJvbGxlcjo6ZXhlY3V0ZUlmSmF2YVNjcmlw dFVSTCk6CisgICAgICAgICAgICBEcm9wIHRoZSBpc1ZpZXdTb3VyY2VNb2RlIGNoZWNrLCByZXBs YWNlIGl0IHdpdGggY2FuRXhlY3V0ZVNjcmlwdC4KKwogMjAxMi0xMS0xMCAgTWlrZSBXZXN0ICA8 bWt3c3RAY2hyb21pdW0ub3JnPgogCiAgICAgICAgIEluY2x1ZGluZyA8Q29yZVRleHQvQ29yZVRl eHQuaD4gYnJlYWtzIHRoZSBjaHJvbWl1bS9tYWMgYnVpbGQuCmRpZmYgLS1naXQgYS9Tb3VyY2Uv V2ViQ29yZS9iaW5kaW5ncy9TY3JpcHRDb250cm9sbGVyQmFzZS5jcHAgYi9Tb3VyY2UvV2ViQ29y ZS9iaW5kaW5ncy9TY3JpcHRDb250cm9sbGVyQmFzZS5jcHAKaW5kZXggY2M1MjQ2MzYyMWUwNDEw ZjdiYjM1YzViOWJjYmM5ODY2YzFiN2Y3MC4uOTRkMTdiOWYyN2VkMWI2NDc3NGM4ZWI2MzE3MGIw YjQwOTBkOWQyMyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvYmluZGluZ3MvU2NyaXB0Q29u dHJvbGxlckJhc2UuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL2JpbmRpbmdzL1NjcmlwdENvbnRy b2xsZXJCYXNlLmNwcApAQCAtNzYsNyArNzYsNyBAQCBib29sIFNjcmlwdENvbnRyb2xsZXI6OmV4 ZWN1dGVJZkphdmFTY3JpcHRVUkwoY29uc3QgS1VSTCYgdXJsLCBTaG91bGRSZXBsYWNlRG9jdQog CiAgICAgaWYgKCFtX2ZyYW1lLT5wYWdlKCkKICAgICAgICAgfHwgIW1fZnJhbWUtPmRvY3VtZW50 KCktPmNvbnRlbnRTZWN1cml0eVBvbGljeSgpLT5hbGxvd0phdmFTY3JpcHRVUkxzKG1fZnJhbWUt PmRvY3VtZW50KCktPnVybCgpLCBldmVudEhhbmRsZXJQb3NpdGlvbigpLm1fbGluZSkKLSAgICAg ICAgfHwgbV9mcmFtZS0+aW5WaWV3U291cmNlTW9kZSgpKQorICAgICAgICB8fCAhY2FuRXhlY3V0 ZVNjcmlwdHMoQWJvdXRUb0V4ZWN1dGVTY3JpcHQpKQogICAgICAgICByZXR1cm4gdHJ1ZTsKIAog ICAgIC8vIFdlIG5lZWQgdG8gaG9sZCBvbnRvIHRoZSBGcmFtZSBoZXJlIGJlY2F1c2UgZXhlY3V0 aW5nIHNjcmlwdCBjYW4K 184709 2013-01-25 02:46:01 -0800 2013-01-25 09:50:23 -0800 Patch bug-101683-20130125114251.patch text/plain 5461 mkwst U3VidmVyc2lvbiBSZXZpc2lvbjogMTQwNzk3CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggMDUwNzRkNGY1MDlhMmU3 YzllYmU4MzU2OTczZGU0MjgxNTYwZWJiMy4uMDdkZjVmYjM5MmRkNjA1MGZjNjgyMGZhY2M3NzNh NWZjNGNmYTg1ZCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDMwIEBACisyMDEzLTAxLTI1ICBNaWtl IFdlc3QgIDxta3dzdEBjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgU2NyaXB0Q29udHJvbGxlcjo6 ZXhlY3V0ZUlmSmF2YVNjcmlwdFVSTCBpbmNvcnJlY3RseSBjaGVja3Mgdmlld3NvdXJjZSBtb2Rl LgorICAgICAgICBpbmNvcnJlY3RseSBibG9ja3MgZXhlY3V0aW9uIGJhc2VkIG9uIHRoZSBmcmFt ZSdzIHZpZXdzb3VyY2Ugc3RhdGUuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3No b3dfYnVnLmNnaT9pZD0xMDE2ODMKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMh KS4KKworICAgICAgICBTY3JpcHRDb250cm9sbGVyOjpleGVjdXRlSWZKYXZhU2NyaXB0VVJMIGN1 cnJlbnRseSBjaGVja3Mgd2hldGhlciB0aGUKKyAgICAgICAgZnJhbWUgaW4gd2hpY2ggYSAnamF2 YXNjcmlwdDonIFVSTCBtaWdodCBiZSBleGVjdXRlZCBpcyBpbiB2aWV3c291cmNlCisgICAgICAg IG1vZGUuIFRoaXMgaW5jb3JyZWN0bHkgaGFuZGxlcyB0aGUgY2FzZSB3aGVyZSB0aGUgdmlld3Nv dXJjZSBhdHRyaWJ1dGUKKyAgICAgICAgaXMgYWRkZWQgYWZ0ZXIgYSBkb2N1bWVudCBsb2Fkczog dGhlIF9mcmFtZV8gaXMgaW4gdmlld3NvdXJjZSBtb2RlLCB0aGUKKyAgICAgICAgX2RvY3VtZW50 XyBpcyBub3QuIFRoZSBsYXR0ZXIgc2hvdWxkIGNvbnRyb2wgZXhlY3V0aW9uLCBub3QgdGhlIGZv cm1lci4KKworICAgICAgICBUaGlzIHBhdGNoIGRyb3BzIHRoZSBpblZpZXdTb3VyY2VNb2RlIGNo ZWNrIGZyb20gZXhlY3V0ZUlmSmF2YVNjcmlwdFVSTAorICAgICAgICBlbnRpcmVseSwgYXMgdGhl IGRvY3VtZW50J3Mgdmlld3NvdXJjZSBzdGF0ZSBpcyBjaGVja2VkIGluCisgICAgICAgIGNhbkV4 ZWN1dGVTY3JpcHRzLCB3aGljaCBpcyBhbHJlYWR5IGNhbGxlZCB3aGVuIHRoZSAnamF2YXNjcmlw dDonIFVSTCBpcworICAgICAgICBwYXNzZWQgdG8gZXhlY3V0ZVNjcmlwdC4gVGhlIGNoZWNrcyBz aG91bGQgcmVtYWluIGNlbnRyYWxpemVkIHRoZXJlLgorCisgICAgICAgIFRlc3Q6IGh0dHAvdGVz dHMvc2VjdXJpdHkvdmlldy1zb3VyY2UtamF2YXNjcmlwdC11cmwtaW4tZG9jdW1lbnQuaHRtbAor CisgICAgICAgICogYmluZGluZ3MvU2NyaXB0Q29udHJvbGxlckJhc2UuY3BwOgorICAgICAgICAo V2ViQ29yZTo6U2NyaXB0Q29udHJvbGxlcjo6ZXhlY3V0ZUlmSmF2YVNjcmlwdFVSTCk6CisgICAg ICAgICAgICBEcm9wIHRoZSBpbmNvcnJlY3QgY2hlY2sgYWdhaW5zdCB0aGUgRnJhbWUncyB2aWV3 c291cmNlIG1vZGUuIFRoZQorICAgICAgICAgICAgY29ycmVjdCBjaGVjayBhZ2FpbnN0IHRoZSBE b2N1bWVudCdzIHZpZXdzb3VyY2UgbW9kZSBpcyBwZXJmb3JtZWQKKyAgICAgICAgICAgIGluIGNh bkV4ZWN1dGVTY3JpcHRzICh3aGljaCBpcyBjYWxsZWQgdmlhIGV4ZWN1dGVTY3JpcHQpLgorCiAy MDEzLTAxLTI1ICBEb21pbmljIE1henpvbmkgIDxkbWF6em9uaUBnb29nbGUuY29tPgogCiAgICAg ICAgIFJFR1JFU1NJT04gKHIxNDA2NTgpOiBNdWx0aXBsZSBhY2Nlc3NpYmlsaXR5IGZhaWx1cmVz IG9uIEdUSwpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvYmluZGluZ3MvU2NyaXB0Q29udHJv bGxlckJhc2UuY3BwIGIvU291cmNlL1dlYkNvcmUvYmluZGluZ3MvU2NyaXB0Q29udHJvbGxlckJh c2UuY3BwCmluZGV4IDgxYjJmNTI5MzYwZGVlMTk5OWI2MGU4ZGQ0MTljZjBiNjU4MWYwOWMuLmM1 N2I4NWZlYWY5MzJiZDIxNmI2ZDVmNWI5MWU0NjAxMTEyNTNlZGYgMTAwNjQ0Ci0tLSBhL1NvdXJj ZS9XZWJDb3JlL2JpbmRpbmdzL1NjcmlwdENvbnRyb2xsZXJCYXNlLmNwcAorKysgYi9Tb3VyY2Uv V2ViQ29yZS9iaW5kaW5ncy9TY3JpcHRDb250cm9sbGVyQmFzZS5jcHAKQEAgLTc5LDggKzc5LDcg QEAgYm9vbCBTY3JpcHRDb250cm9sbGVyOjpleGVjdXRlSWZKYXZhU2NyaXB0VVJMKGNvbnN0IEtV UkwmIHVybCwgU2hvdWxkUmVwbGFjZURvY3UKICAgICAgICAgcmV0dXJuIGZhbHNlOwogCiAgICAg aWYgKCFtX2ZyYW1lLT5wYWdlKCkKLSAgICAgICAgfHwgIW1fZnJhbWUtPmRvY3VtZW50KCktPmNv bnRlbnRTZWN1cml0eVBvbGljeSgpLT5hbGxvd0phdmFTY3JpcHRVUkxzKG1fZnJhbWUtPmRvY3Vt ZW50KCktPnVybCgpLCBldmVudEhhbmRsZXJQb3NpdGlvbigpLm1fbGluZSkKLSAgICAgICAgfHwg bV9mcmFtZS0+aW5WaWV3U291cmNlTW9kZSgpKQorICAgICAgICB8fCAhbV9mcmFtZS0+ZG9jdW1l bnQoKS0+Y29udGVudFNlY3VyaXR5UG9saWN5KCktPmFsbG93SmF2YVNjcmlwdFVSTHMobV9mcmFt ZS0+ZG9jdW1lbnQoKS0+dXJsKCksIGV2ZW50SGFuZGxlclBvc2l0aW9uKCkubV9saW5lKSkKICAg ICAgICAgcmV0dXJuIHRydWU7CiAKICAgICAvLyBXZSBuZWVkIHRvIGhvbGQgb250byB0aGUgRnJh bWUgaGVyZSBiZWNhdXNlIGV4ZWN1dGluZyBzY3JpcHQgY2FuCmRpZmYgLS1naXQgYS9MYXlvdXRU ZXN0cy9DaGFuZ2VMb2cgYi9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKaW5kZXggNzIyZGRkY2EwMjFi MDI4MGNhZmU0MTlhOGE5ZjQ0MWYxZDYyMTJmZC4uOGMxZDAzZTZjZTUzZTViYWM2Y2FmZDljYTU0 YzdmZWI3N2Y4YTgzYiAxMDA2NDQKLS0tIGEvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCisrKyBiL0xh eW91dFRlc3RzL0NoYW5nZUxvZwpAQCAtMSwzICsxLDEzIEBACisyMDEzLTAxLTI1ICBNaWtlIFdl c3QgIDxta3dzdEBjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgTWVyZ2UgaXNWaWV3U291cmNlIGNo ZWNrcyBpbiBTY3JpcHRDb250cm9sbGVyOjpleGVjdXRlSWZKYXZhU2NyaXB0VVJMIGFuZCBTY3Jp cHRDb250cm9sbGVyOjpjYW5FeGVjdXRlU2NyaXB0cy4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndl YmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTEwMTY4MworCisgICAgICAgIFJldmlld2VkIGJ5IE5P Qk9EWSAoT09QUyEpLgorCisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS92aWV3LXNvdXJj ZS1qYXZhc2NyaXB0LXVybC1pbi1kb2N1bWVudC1leHBlY3RlZC50eHQ6IEFkZGVkLgorICAgICAg ICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkvdmlldy1zb3VyY2UtamF2YXNjcmlwdC11cmwtaW4tZG9j dW1lbnQuaHRtbDogQWRkZWQuCisKIDIwMTMtMDEtMjUgIFJ5b3N1a2UgTml3YSAgPHJuaXdhQHdl YmtpdC5vcmc+CiAKICAgICAgICAgTWFjIFdLMSByZWJhc2VsaW5lcyBmb3IgcjE0MDcyOC4KZGlm ZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvdmlldy1zb3VyY2UtamF2 YXNjcmlwdC11cmwtaW4tZG9jdW1lbnQtZXhwZWN0ZWQudHh0IGIvTGF5b3V0VGVzdHMvaHR0cC90 ZXN0cy9zZWN1cml0eS92aWV3LXNvdXJjZS1qYXZhc2NyaXB0LXVybC1pbi1kb2N1bWVudC1leHBl Y3RlZC50eHQKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMC4uNjA4MGRiMmU1NDdjYjEzYjIwZTkyMTRkOTUzZTk5NDUzOTY5 OWFmOQotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkv dmlldy1zb3VyY2UtamF2YXNjcmlwdC11cmwtaW4tZG9jdW1lbnQtZXhwZWN0ZWQudHh0CkBAIC0w LDAgKzEsNCBAQAorQUxFUlQ6IFBBU1M6IEZ1bmN0aW9uIGNhbGxlZC4KK0FkZGluZyAndmlld3Nv dXJjZScgdG8gYSBmcmFtZSBhZnRlciBhIGRvY3VtZW50IGhhcyBsb2FkZWQgc2hvdWxkIG5vdCBi bG9jayBKYXZhU2NyaXB0IFVSTCBleGVjdXRpb24gaW4gdGhlIGFscmVhZHktbG9hZGVkIGRvY3Vt ZW50LgorCisKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvdmll dy1zb3VyY2UtamF2YXNjcmlwdC11cmwtaW4tZG9jdW1lbnQuaHRtbCBiL0xheW91dFRlc3RzL2h0 dHAvdGVzdHMvc2VjdXJpdHkvdmlldy1zb3VyY2UtamF2YXNjcmlwdC11cmwtaW4tZG9jdW1lbnQu aHRtbApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwLi5hMWQyMzVkZTRkYjM3YTYwNDJlNGM1NmRiNTllYTRmMDVhNThlM2Ex Ci0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS92aWV3 LXNvdXJjZS1qYXZhc2NyaXB0LXVybC1pbi1kb2N1bWVudC5odG1sCkBAIC0wLDAgKzEsMzQgQEAK KzwhRE9DVFlQRSBodG1sPgorPGh0bWw+Cis8aGVhZD4KKyAgICA8c2NyaXB0PgorICAgICAgICBp ZiAod2luZG93LnRlc3RSdW5uZXIpIHsKKyAgICAgICAgICAgIHRlc3RSdW5uZXIuZHVtcEFzVGV4 dCgpOworICAgICAgICAgICAgdGVzdFJ1bm5lci53YWl0VW50aWxEb25lKCk7CisgICAgICAgIH0K KyAgICA8L3NjcmlwdD4KKzwvaGVhZD4KKzxib2R5PgorICAgIDxwPkFkZGluZyAndmlld3NvdXJj ZScgdG8gYSBmcmFtZSBhZnRlciBhIGRvY3VtZW50IGhhcyBsb2FkZWQgc2hvdWxkIG5vdAorICAg IGJsb2NrIEphdmFTY3JpcHQgVVJMIGV4ZWN1dGlvbiBpbiB0aGUgYWxyZWFkeS1sb2FkZWQgZG9j dW1lbnQuPC9wPgorICAgIDxpZnJhbWUgc3JjZG9jPSIKKyAgICAgICAgPHNjcmlwdD4KKyAgICAg ICAgICAgIHdpbmRvdy5vbmxvYWQgPSBmdW5jdGlvbigpIHsKKyAgICAgICAgICAgICAgICB3aW5k b3cucGFyZW50LmRvY3VtZW50LnF1ZXJ5U2VsZWN0b3IoJ2lmcmFtZScpLnNldEF0dHJpYnV0ZSgn dmlld3NvdXJjZScsICcnKTsKKworICAgICAgICAgICAgICAgIGRvY3VtZW50LnF1ZXJ5U2VsZWN0 b3IoJ2EnKS5jbGljaygpOworCisgICAgICAgICAgICAgICAgYWxlcnQoY2FsbGVkRnVuY3Rpb24g PyAnUEFTUzogRnVuY3Rpb24gY2FsbGVkLicgOiAnRkFJTDogRnVuY3Rpb24gbm90IGNhbGxlZC4n KTsKKworICAgICAgICAgICAgICAgIGlmICh3aW5kb3cudGVzdFJ1bm5lcikKKyAgICAgICAgICAg ICAgICAgICAgdGVzdFJ1bm5lci5ub3RpZnlEb25lKCk7CisgICAgICAgICAgICB9OworCisgICAg ICAgICAgICB2YXIgY2FsbGVkRnVuY3Rpb24gPSBmYWxzZTsKKyAgICAgICAgICAgIGZ1bmN0aW9u IHBhc3MoKSB7CisgICAgICAgICAgICAgICAgY2FsbGVkRnVuY3Rpb24gPSB0cnVlOworICAgICAg ICAgICAgfQorICAgICAgICA8L3NjcmlwdD4KKyAgICAgICAgPGEgaHJlZj0namF2YXNjcmlwdDpw YXNzKCk7Jz5ZYXkhPC9hPiI+PC9pZnJhbWU+Cis8L2JvZHk+Cis8L2h0bWw+Cg==