<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>138492</bug_id>
          
          <creation_ts>2014-11-06 20:47:41 -0800</creation_ts>
          <short_desc>CSP is enforced for eval in report-only mode on first page load</short_desc>
          <delta_ts>2014-11-07 16:40:57 -0800</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>Page Loading</component>
          <version>528+ (Nightly build)</version>
          <rep_platform>Unspecified</rep_platform>
          <op_sys>Unspecified</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          <see_also>https://bugs.webkit.org/show_bug.cgi?id=111867</see_also>
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>InRadar</keywords>
          <priority>P2</priority>
          <bug_severity>Normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Alexey Proskuryakov">ap</reporter>
          <assigned_to name="Alexey Proskuryakov">ap</assigned_to>
          <cc>abarth</cc>
    
    <cc>buildbot</cc>
    
    <cc>commit-queue</cc>
    
    <cc>dbates</cc>
    
    <cc>ddkilzer</cc>
    
    <cc>mkwst</cc>
    
    <cc>rniwa</cc>
    
    <cc>sam</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>1047012</commentid>
    <comment_count>0</comment_count>
    <who name="Alexey Proskuryakov">ap</who>
    <bug_when>2014-11-06 20:47:41 -0800</bug_when>
    <thetext>If a page that disallows eval() in report-only mode is the first page to be loaded in a window, then the policy will actually be enforced.

There are two code paths for applying the eval policy. If we have a JS context already, then we apply it right away, checking for whether it is report only. But if we didn&apos;t have a JS context when parsing the policy yet, then this is delayed until after the context is created. And in this code path, we don&apos;t check for report only mode.

rdar://problem/15782525</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1047019</commentid>
    <comment_count>1</comment_count>
      <attachid>241160</attachid>
    <who name="Alexey Proskuryakov">ap</who>
    <bug_when>2014-11-06 20:58:53 -0800</bug_when>
    <thetext>Created attachment 241160
proposed fix</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1047020</commentid>
    <comment_count>2</comment_count>
    <who name="WebKit Commit Bot">commit-queue</who>
    <bug_when>2014-11-06 21:01:35 -0800</bug_when>
    <thetext>Attachment 241160 did not pass style-queue:


ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1015:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1023:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1031:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1038:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1045:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1054:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1063:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1070:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1077:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1084:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1091:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1098:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1111:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/WebCore/page/ContentSecurityPolicy.cpp:1118:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
Total errors found: 14 in 2 files


If any of these errors are false positives, please file a bug against check-webkit-style.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1047132</commentid>
    <comment_count>3</comment_count>
      <attachid>241160</attachid>
    <who name="Daniel Bates">dbates</who>
    <bug_when>2014-11-07 11:41:20 -0800</bug_when>
    <thetext>Comment on attachment 241160
proposed fix

View in context: https://bugs.webkit.org/attachment.cgi?id=241160&amp;action=review

&gt; Source/WebCore/ChangeLog:9
&gt; +        This is covered by existing tests when running as one test per process invocation.

I take it that we don&apos;t have test coverage for the CSP script interface since you didn&apos;t include any rebased test results in this patch. I suggest that we add test coverage to ensure we don&apos;t regress the results returned using the CSP script interface (e.g. document.securityPolicy.allowEval()).

Additional remarks:

Notice that the CSP script interface is only available when building WebKit with ENABLE_CSP_NEXT enabled. We have some existing tests in directory LayoutTests/http/tests/security/contentSecurityPolicy/1.1 (http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1). For instance, we test the value of document.securityPolicy.allowsEval with different CSP policies in &lt;http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-alloweval.html?rev=133620&gt;. We cannot use the same logic for injecting the report-only CSP policy as we do for other CSP policies because the Content-Security-Policy-Report-Only directive is only honored when specified as an HTTP header according to the note in section Content-Security-Policy-Report-Only Header Field of the Content Security Policy spec (Editor’s Draft, 3 November 2014) &lt;https://w3c.github.io/webappsec/specs/content-security-policy/#content-security-policy-report-only-header-field&gt;.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1047137</commentid>
    <comment_count>4</comment_count>
    <who name="Daniel Bates">dbates</who>
    <bug_when>2014-11-07 11:57:24 -0800</bug_when>
    <thetext>(In reply to comment #3)
&gt; I take it that we don&apos;t have test coverage for the CSP script interface
&gt; since you didn&apos;t include any rebased test results in this patch.

I meant to write:

I take it that we don&apos;t have test coverage for the CSP script interface when using a report-only policy since you didn&apos;t include any rebased test results in this patch.

&gt; that we add test coverage to ensure we don&apos;t regress the results returned
&gt; using the CSP script interface (e.g. document.securityPolicy.allowEval()).
&gt; 
&gt; Additional remarks:
&gt; 
&gt; [...]
&gt; We cannot use the same logic for injecting the report-only CSP policy as we do
&gt; for other CSP policies because the Content-Security-Policy-Report-Only
&gt; directive is only honored when specified as an HTTP header according to the
&gt; note in section Content-Security-Policy-Report-Only Header Field of the
&gt; Content Security Policy spec (Editor’s Draft, 3 November 2014)
&gt; &lt;https://w3c.github.io/webappsec/specs/content-security-policy/#content-
&gt; security-policy-report-only-header-field&gt;.

For completeness, this restriction that the Content-Security-Policy-Report-Only header must be specified as an HTTP header was added in Content Security Policy 1.1 (W3C Working Draft 04 June 2013): &lt;http://www.w3.org/TR/2013/WD-CSP11-20130604/&gt;. That is, earlier drafts recognized the Content-Security-Policy-Report-Only header when specified in an HTML Meta element.

When we choose to update WebKit&apos;s implementation of CSP to conform to the latest draft and remove our support for recognizing the Content-Security-Policy-Report-Only header when specified using the HTML Meta element then we will need to update the test &lt;http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode.html?rev=145268&gt; (included in the patch for bug #111867).</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1047215</commentid>
    <comment_count>5</comment_count>
      <attachid>241160</attachid>
    <who name="Daniel Bates">dbates</who>
    <bug_when>2014-11-07 15:31:49 -0800</bug_when>
    <thetext>Comment on attachment 241160
proposed fix

r=me

This patch seems reasonable to me.

Alexey Proskuryakov pointed out that there are issues with our implementation of ENABLE_CSP_NEXT, including discrepancies between the names of functions we expose on document.securityPolicy compared to the spec at the time of writing (e.g. SecurityPolicy.allowEval() vs SecurityPolicy.allowsEval() in the spec and OpenSource code, respectively). He also suspects there are likely build issues when ENABLE_CSP_NEXT is enabled (since there is no OpenSource builder that enables it). Ideally, we should either remove this feature (and existing tests for it) or complete the implementation of it. For now, it seems reasonable to land this patch without additional tests. Should we look to complete the ENABLE_CSP_NEXT feature then we can add more comprehensive test coverage.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1047222</commentid>
    <comment_count>6</comment_count>
    <who name="Daniel Bates">dbates</who>
    <bug_when>2014-11-07 15:37:09 -0800</bug_when>
    <thetext>For completeness, the Content Security Policy spec (Editor’s Draft, 3 November 2014), &lt;https://w3c.github.io/webappsec/specs/content-security-policy/#script-interfaces&gt;, doesn&apos;t describe the expected behavior of the SecurityPolicy script interface for a report-only CSP policy. Should the script interface behave as if no policy is specified? In particular, should SecurityPolicy.allow{Request, Node, Eval, InlineEventHandler}() always return true for a report-only policy? Or are we looking to carry out the illusion that the report-only CSP policy is being enforced and return appropriate return values? I suspect the former since we ultimately want the server operator to switch from a report-only (non-enforced) CSP policy to a non-report-only (enforced) CSP policy.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1047246</commentid>
    <comment_count>7</comment_count>
      <attachid>241160</attachid>
    <who name="WebKit Commit Bot">commit-queue</who>
    <bug_when>2014-11-07 16:40:53 -0800</bug_when>
    <thetext>Comment on attachment 241160
proposed fix

Clearing flags on attachment: 241160

Committed r175771: &lt;http://trac.webkit.org/changeset/175771&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1047247</commentid>
    <comment_count>8</comment_count>
    <who name="WebKit Commit Bot">commit-queue</who>
    <bug_when>2014-11-07 16:40:57 -0800</bug_when>
    <thetext>All reviewed patches have been landed.  Closing bug.</thetext>
  </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>241160</attachid>
            <date>2014-11-06 20:58:53 -0800</date>
            <delta_ts>2014-11-07 16:40:53 -0800</delta_ts>
            <desc>proposed fix</desc>
            <filename>FirstLoadCSP.txt</filename>
            <type>text/plain</type>
            <size>11743</size>
            <attacher name="Alexey Proskuryakov">ap</attacher>
            
              <data encoding="base64"></data>

          </attachment>
      

    </bug>

</bugzilla>