<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>155709</bug_id>
          
          <creation_ts>2016-03-20 20:52:15 -0700</creation_ts>
          <short_desc>CSP: Should only execute &lt;script&gt; or apply &lt;style&gt; if its hash appears in all policies</short_desc>
          <delta_ts>2016-03-22 14:27:12 -0700</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>WebCore Misc.</component>
          <version>WebKit Local Build</version>
          <rep_platform>All</rep_platform>
          <op_sys>All</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>InRadar</keywords>
          <priority>P2</priority>
          <bug_severity>Normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Daniel Bates">dbates</reporter>
          <assigned_to name="Daniel Bates">dbates</assigned_to>
          <cc>aestes</cc>
    
    <cc>bfulgham</cc>
    
    <cc>commit-queue</cc>
    
    <cc>mkwst</cc>
    
    <cc>webkit-bug-importer</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>1176659</commentid>
    <comment_count>0</comment_count>
      <attachid>274568</attachid>
    <who name="Daniel Bates">dbates</who>
    <bug_when>2016-03-20 20:52:15 -0700</bug_when>
    <thetext>Created attachment 274568
Example (script hash)

We should execute an inline script or apply an inline stylesheet only if its hash is listed in all of the policies on the page. Otherwise a malicious person can run/apply an arbitrary script/stylesheet S with hash H_s by injecting S together with a CSP that lists H_s on a page with an XSS vulnerability.

The following demonstrates the issue with script hashes:

Steps to reproduce:

1. Open the attached example.

Then you will see three JavaScript alerts with messages (in order) &quot;FAIL did execute first script&quot;, &quot;FAIL did execute second script&quot;, and &quot;PASS&quot;, respectively. But you should see exactly one JavaScript alert with message &quot;PASS&quot; because the inline script that shows this JavaScript alert is the only script on the page whose hash is listed in both of the CSP policies delivered with the page.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1176660</commentid>
    <comment_count>1</comment_count>
    <who name="Radar WebKit Bug Importer">webkit-bug-importer</who>
    <bug_when>2016-03-20 20:53:26 -0700</bug_when>
    <thetext>&lt;rdar://problem/25263368&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1176661</commentid>
    <comment_count>2</comment_count>
      <attachid>274569</attachid>
    <who name="Daniel Bates">dbates</who>
    <bug_when>2016-03-20 20:58:23 -0700</bug_when>
    <thetext>Created attachment 274569
Patch and Layout Tests</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>1177130</commentid>
    <comment_count>3</comment_count>
    <who name="Daniel Bates">dbates</who>
    <bug_when>2016-03-22 14:27:12 -0700</bug_when>
    <thetext>Committed r198551: &lt;http://trac.webkit.org/changeset/198551&gt;</thetext>
  </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="0"
              isprivate="0"
          >
            <attachid>274568</attachid>
            <date>2016-03-20 20:52:15 -0700</date>
            <delta_ts>2016-03-20 20:52:15 -0700</delta_ts>
            <desc>Example (script hash)</desc>
            <filename>scripthash-multiple-policies.html</filename>
            <type>text/html</type>
            <size>1065</size>
            <attacher name="Daniel Bates">dbates</attacher>
            
              <data encoding="base64"></data>

          </attachment>
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>274569</attachid>
            <date>2016-03-20 20:58:23 -0700</date>
            <delta_ts>2016-03-20 21:36:41 -0700</delta_ts>
            <desc>Patch and Layout Tests</desc>
            <filename>bug-155709-20160320205824.patch</filename>
            <type>text/plain</type>
            <size>11232</size>
            <attacher name="Daniel Bates">dbates</attacher>
            
              <data encoding="base64"></data>
<flag name="review"
          id="298988"
          type_id="1"
          status="+"
          setter="darin"
    />
          </attachment>
      

    </bug>

</bugzilla>