158589 CVE-2016-4760 2016-06-09 15:54:27 -0700 Restrict HTTP/0.9 responses to default ports and cancel HTTP/0.9 resource loads if the document was loaded with another HTTP protocol 2017-10-11 10:27:28 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 164530 1 wilander webkit-unassigned achristensen bfulgham dveditz jww webkit-bug-importer wilander oldest_to_newest 1201028 0 wilander 2016-06-09 15:54:27 -0700 Non-HTTP responses are interpreted as HTTP/0.9 which may allow exfiltration of data from non-HTTP services. Therefore cancel if the request was made to a non-default port. Also, cancel HTTP/0.9 resource responses if the document was loaded with a different HTTP version. 1201029 1 wilander 2016-06-09 15:55:17 -0700 rdar://problem/25757454 1201034 2 280961 wilander 2016-06-09 16:06:03 -0700 Created attachment 280961 Patch 1201036 3 280961 bfulgham 2016-06-09 16:13:48 -0700 Comment on attachment 280961 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=280961&action=review Looks good! r=me (assuming all tests continue to pass). > Source/WebCore/ChangeLog:12 > + HTTP/0.9 header tests for positive and negative cases. Could you please attach the Python script and instructions to the Bugzilla bug so others (e.g., GTK people) could do testing later if they need to? > Source/WebCore/loader/ResourceLoader.cpp:435 > + auto url = r.url(); This should really be "m_response.url()" for consistency. 1201063 4 bfulgham 2016-06-09 17:19:45 -0700 Committed r201895: <http://trac.webkit.org/changeset/201895> 1201067 5 280969 wilander 2016-06-09 17:26:08 -0700 Created attachment 280969 Manual test cases for main document and resource loads I made the Python test as a stand-alone file. Instructions as comments in the top of the file. 1202596 6 wilander 2016-06-15 10:02:04 -0700 Adding Dan Veditz from Mozilla and Joel Weinberger from Google to the CC list so as to facilitate coordination. 280961 2016-06-09 16:06:03 -0700 2016-06-09 16:13:48 -0700 Patch bug-158589-20160609160732.patch text/plain 6850 wilander SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDIwMTg5MSkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDI1IEBACisyMDE2LTA2LTA5ICBKb2huIFdp bGFuZGVyICA8d2lsYW5kZXJAYXBwbGUuY29tPgorCisgICAgICAgIFJlc3RyaWN0IEhUVFAvMC45 IHJlc3BvbnNlcyB0byBkZWZhdWx0IHBvcnRzIGFuZCBjYW5jZWwgSFRUUC8wLjkgcmVzb3VyY2Ug bG9hZHMgaWYgdGhlIGRvY3VtZW50IHdhcyBsb2FkZWQgd2l0aCBhbm90aGVyIEhUVFAgcHJvdG9j b2wKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1ODU4 OQorICAgICAgICA8cmRhcjovL3Byb2JsZW0vMjU3NTc0NTQ+CisKKyAgICAgICAgUmV2aWV3ZWQg YnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgTm8gbmV3IHRlc3RzLiBPdXIgbGF5b3V0IHRl c3QgZW52aXJvbm1lbnQgZG9lcyBub3QgYWxsb3cgZm9yIGhlYWRlcmxlc3MgcmVzcG9uc2VzCisg ICAgICAgIG5vciBkb2VzIGl0IGFsbG93IHlvdSB0byBzZXQgYW4gZXhwbGljaXQgSFRUUC8wLjkg c3RhdHVzIGhlYWRlciBpbiBQSFAuIEkgaGF2ZQorICAgICAgICBtYW51YWxseSB0ZXN0ZWQgdGhp cyBjaGFuZ2Ugd2l0aCBhIFB5dGhvbiBzb2NrZXQgc2V0dXAgZG9pbmcgYm90aCBoZWFkZXJsZXNz IGFuZAorICAgICAgICBIVFRQLzAuOSBoZWFkZXIgdGVzdHMgZm9yIHBvc2l0aXZlIGFuZCBuZWdh dGl2ZSBjYXNlcy4KKworICAgICAgICAqIGxvYWRlci9Eb2N1bWVudExvYWRlci5jcHA6CisgICAg ICAgIChXZWJDb3JlOjpEb2N1bWVudExvYWRlcjo6cmVzcG9uc2VSZWNlaXZlZCk6CisgICAgICAg ICAgICBDYW5jZWwgbG9hZHMgaWYgdGhlIHJlcXVlc3Qgd2FzIG1hZGUgdG8gYSBub24tZGVmYXVs dCBwb3J0LgorICAgICAgICAqIGxvYWRlci9SZXNvdXJjZUxvYWRlci5jcHA6CisgICAgICAgIChX ZWJDb3JlOjpSZXNvdXJjZUxvYWRlcjo6ZGlkUmVjZWl2ZVJlc3BvbnNlKToKKyAgICAgICAgICAg IENhbmNlbCBsb2FkcyBpZiB0aGUgcmVxdWVzdCB3YXMgbWFkZSB0byBhIG5vbi1kZWZhdWx0IHBv cnQgb3IgaWYgdGhlIGRvY3VtZW50CisgICAgICAgICAgICB3YXMgbG9hZGVkIHdpdGggYW5vdGhl ciBwcm90b2NvbC4gQ2FuY2VsYXRpb24gaXMgaGFuZGxlZCBhcyBhIGZhaWwgc28gYXMgdG8KKyAg ICAgICAgICAgIGZpcmUgdGhlIG9uZXJyb3IgZXZlbnQgYW5kIGFsbG93IHNpdGVzIHRvIGhhbmRs ZSBpdCBncmFjZWZ1bGx5LgorCiAyMDE2LTA2LTA5ICBBbnRvaW5lIFF1aW50ICA8Z3Jhb3V0c0Bh cHBsZS5jb20+CiAKICAgICAgICAgQ2hhbmdpbmcgY2FudmFzIGhlaWdodCBpbW1lZGlhdGVseSBh ZnRlciBwYWdlIGxvYWQgZG9lcyBub3QgcmVsYXlvdXQgY2FudmFzCkluZGV4OiBTb3VyY2UvV2Vi Q29yZS9sb2FkZXIvRG9jdW1lbnRMb2FkZXIuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJD b3JlL2xvYWRlci9Eb2N1bWVudExvYWRlci5jcHAJKHJldmlzaW9uIDIwMTg4NikKKysrIFNvdXJj ZS9XZWJDb3JlL2xvYWRlci9Eb2N1bWVudExvYWRlci5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTY1 MSwxMCArNjUxLDEyIEBAIHZvaWQgRG9jdW1lbnRMb2FkZXI6OnJlc3BvbnNlUmVjZWl2ZWQoQ2EK ICAgICBBU1NFUlQobV9pZGVudGlmaWVyRm9yTG9hZFdpdGhvdXRSZXNvdXJjZUxvYWRlciB8fCBt X21haW5SZXNvdXJjZSk7CiAgICAgdW5zaWduZWQgbG9uZyBpZGVudGlmaWVyID0gbV9pZGVudGlm aWVyRm9yTG9hZFdpdGhvdXRSZXNvdXJjZUxvYWRlciA/IG1faWRlbnRpZmllckZvckxvYWRXaXRo b3V0UmVzb3VyY2VMb2FkZXIgOiBtX21haW5SZXNvdXJjZS0+aWRlbnRpZmllcigpOwogICAgIEFT U0VSVChpZGVudGlmaWVyKTsKKyAgICAKKyAgICBhdXRvIHVybCA9IHJlc3BvbnNlLnVybCgpOwog Ci0gICAgQ29udGVudFNlY3VyaXR5UG9saWN5IGNvbnRlbnRTZWN1cml0eVBvbGljeShTZWN1cml0 eU9yaWdpbjo6Y3JlYXRlKHJlc3BvbnNlLnVybCgpKSwgbV9mcmFtZSk7CisgICAgQ29udGVudFNl Y3VyaXR5UG9saWN5IGNvbnRlbnRTZWN1cml0eVBvbGljeShTZWN1cml0eU9yaWdpbjo6Y3JlYXRl KHVybCksIG1fZnJhbWUpOwogICAgIGNvbnRlbnRTZWN1cml0eVBvbGljeS5kaWRSZWNlaXZlSGVh ZGVycyhDb250ZW50U2VjdXJpdHlQb2xpY3lSZXNwb25zZUhlYWRlcnMocmVzcG9uc2UpKTsKLSAg ICBpZiAoIWNvbnRlbnRTZWN1cml0eVBvbGljeS5hbGxvd0ZyYW1lQW5jZXN0b3JzKCptX2ZyYW1l LCByZXNwb25zZS51cmwoKSkpIHsKKyAgICBpZiAoIWNvbnRlbnRTZWN1cml0eVBvbGljeS5hbGxv d0ZyYW1lQW5jZXN0b3JzKCptX2ZyYW1lLCB1cmwpKSB7CiAgICAgICAgIHN0b3BMb2FkaW5nQWZ0 ZXJYRnJhbWVPcHRpb25zT3JDb250ZW50U2VjdXJpdHlQb2xpY3lEZW5pZWQoaWRlbnRpZmllciwg cmVzcG9uc2UpOwogICAgICAgICByZXR1cm47CiAgICAgfQpAQCAtNjYzLDggKzY2NSw4IEBAIHZv aWQgRG9jdW1lbnRMb2FkZXI6OnJlc3BvbnNlUmVjZWl2ZWQoQ2EKICAgICBhdXRvIGl0ID0gY29t bW9uSGVhZGVycy5maW5kKEhUVFBIZWFkZXJOYW1lOjpYRnJhbWVPcHRpb25zKTsKICAgICBpZiAo aXQgIT0gY29tbW9uSGVhZGVycy5lbmQoKSkgewogICAgICAgICBTdHJpbmcgY29udGVudCA9IGl0 LT52YWx1ZTsKLSAgICAgICAgaWYgKGZyYW1lTG9hZGVyKCktPnNob3VsZEludGVycnVwdExvYWRG b3JYRnJhbWVPcHRpb25zKGNvbnRlbnQsIHJlc3BvbnNlLnVybCgpLCBpZGVudGlmaWVyKSkgewot ICAgICAgICAgICAgU3RyaW5nIG1lc3NhZ2UgPSAiUmVmdXNlZCB0byBkaXNwbGF5ICciICsgcmVz cG9uc2UudXJsKCkuc3RyaW5nQ2VudGVyRWxsaXBzaXplZFRvTGVuZ3RoKCkgKyAiJyBpbiBhIGZy YW1lIGJlY2F1c2UgaXQgc2V0ICdYLUZyYW1lLU9wdGlvbnMnIHRvICciICsgY29udGVudCArICIn LiI7CisgICAgICAgIGlmIChmcmFtZUxvYWRlcigpLT5zaG91bGRJbnRlcnJ1cHRMb2FkRm9yWEZy YW1lT3B0aW9ucyhjb250ZW50LCB1cmwsIGlkZW50aWZpZXIpKSB7CisgICAgICAgICAgICBTdHJp bmcgbWVzc2FnZSA9ICJSZWZ1c2VkIHRvIGRpc3BsYXkgJyIgKyB1cmwuc3RyaW5nQ2VudGVyRWxs aXBzaXplZFRvTGVuZ3RoKCkgKyAiJyBpbiBhIGZyYW1lIGJlY2F1c2UgaXQgc2V0ICdYLUZyYW1l LU9wdGlvbnMnIHRvICciICsgY29udGVudCArICInLiI7CiAgICAgICAgICAgICBtX2ZyYW1lLT5k b2N1bWVudCgpLT5hZGRDb25zb2xlTWVzc2FnZShNZXNzYWdlU291cmNlOjpTZWN1cml0eSwgTWVz c2FnZUxldmVsOjpFcnJvciwgbWVzc2FnZSwgaWRlbnRpZmllcik7CiAgICAgICAgICAgICBzdG9w TG9hZGluZ0FmdGVyWEZyYW1lT3B0aW9uc09yQ29udGVudFNlY3VyaXR5UG9saWN5RGVuaWVkKGlk ZW50aWZpZXIsIHJlc3BvbnNlKTsKICAgICAgICAgICAgIHJldHVybjsKQEAgLTcxMyw5ICs3MTUs MTggQEAgdm9pZCBEb2N1bWVudExvYWRlcjo6cmVzcG9uc2VSZWNlaXZlZChDYQogI2VuZGlmCiAK ICAgICBpZiAobV9yZXNwb25zZS5pc0h0dHBWZXJzaW9uMF85KCkpIHsKKyAgICAgICAgLy8gTm9u LUhUVFAgcmVzcG9uc2VzIGFyZSBpbnRlcnByZXRlZCBhcyBIVFRQLzAuOSB3aGljaCBtYXkgYWxs b3cgZXhmaWx0cmF0aW9uIG9mIGRhdGEKKyAgICAgICAgLy8gZnJvbSBub24tSFRUUCBzZXJ2aWNl cy4gVGhlcmVmb3JlIGNhbmNlbCBpZiB0aGUgcmVxdWVzdCB3YXMgdG8gYSBub24tZGVmYXVsdCBw b3J0LgorICAgICAgICBpZiAoIWlzRGVmYXVsdFBvcnRGb3JQcm90b2NvbCh1cmwucG9ydCgpLCB1 cmwucHJvdG9jb2woKSkpIHsKKyAgICAgICAgICAgIFN0cmluZyBtZXNzYWdlID0gIlN0b3BwZWQg ZG9jdW1lbnQgbG9hZCBmcm9tICciICsgdXJsLnN0cmluZygpICsgIicgYmVjYXVzZSBpdCBpcyB1 c2luZyBIVFRQLzAuOSBvbiBhIG5vbi1kZWZhdWx0IHBvcnQuIjsKKyAgICAgICAgICAgIG1fZnJh bWUtPmRvY3VtZW50KCktPmFkZENvbnNvbGVNZXNzYWdlKE1lc3NhZ2VTb3VyY2U6OlNlY3VyaXR5 LCBNZXNzYWdlTGV2ZWw6OkVycm9yLCBtZXNzYWdlLCBpZGVudGlmaWVyKTsKKyAgICAgICAgICAg IHN0b3BMb2FkaW5nKCk7CisgICAgICAgICAgICByZXR1cm47CisgICAgICAgIH0KKwogICAgICAg ICBBU1NFUlQobV9pZGVudGlmaWVyRm9yTG9hZFdpdGhvdXRSZXNvdXJjZUxvYWRlciB8fCBtX21h aW5SZXNvdXJjZSk7CiAgICAgICAgIHVuc2lnbmVkIGxvbmcgaWRlbnRpZmllciA9IG1faWRlbnRp ZmllckZvckxvYWRXaXRob3V0UmVzb3VyY2VMb2FkZXIgPyBtX2lkZW50aWZpZXJGb3JMb2FkV2l0 aG91dFJlc291cmNlTG9hZGVyIDogbV9tYWluUmVzb3VyY2UtPmlkZW50aWZpZXIoKTsKLSAgICAg ICAgU3RyaW5nIG1lc3NhZ2UgPSAiU2FuZGJveGluZyAnIiArIHJlc3BvbnNlLnVybCgpLnN0cmlu ZygpICsgIicgYmVjYXVzZSBpdCBpcyB1c2luZyBIVFRQLzAuOS4iOworICAgICAgICBTdHJpbmcg bWVzc2FnZSA9ICJTYW5kYm94aW5nICciICsgdXJsLnN0cmluZygpICsgIicgYmVjYXVzZSBpdCBp cyB1c2luZyBIVFRQLzAuOS4iOwogICAgICAgICBtX2ZyYW1lLT5kb2N1bWVudCgpLT5hZGRDb25z b2xlTWVzc2FnZShNZXNzYWdlU291cmNlOjpTZWN1cml0eSwgTWVzc2FnZUxldmVsOjpFcnJvciwg bWVzc2FnZSwgaWRlbnRpZmllcik7CiAgICAgICAgIGZyYW1lTG9hZGVyKCktPmZvcmNlU2FuZGJv eEZsYWdzKFNhbmRib3hTY3JpcHRzIHwgU2FuZGJveFBsdWdpbnMpOwogICAgIH0KSW5kZXg6IFNv dXJjZS9XZWJDb3JlL2xvYWRlci9SZXNvdXJjZUxvYWRlci5jcHAKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL1dlYkNvcmUvbG9hZGVyL1Jlc291cmNlTG9hZGVyLmNwcAkocmV2aXNpb24gMjAxODg2KQor KysgU291cmNlL1dlYkNvcmUvbG9hZGVyL1Jlc291cmNlTG9hZGVyLmNwcAkod29ya2luZyBjb3B5 KQpAQCAtNDMyLDYgKzQzMiwyNSBAQCB2b2lkIFJlc291cmNlTG9hZGVyOjpkaWRSZWNlaXZlUmVz cG9uc2UoCiAgICAgbV9yZXNwb25zZSA9IHI7CiAKICAgICBpZiAobV9yZXNwb25zZS5pc0h0dHBW ZXJzaW9uMF85KCkpIHsKKyAgICAgICAgYXV0byB1cmwgPSByLnVybCgpOworICAgICAgICAvLyBO b24tSFRUUCByZXNwb25zZXMgYXJlIGludGVycHJldGVkIGFzIEhUVFAvMC45IHdoaWNoIG1heSBh bGxvdyBleGZpbHRyYXRpb24gb2YgZGF0YQorICAgICAgICAvLyBmcm9tIG5vbi1IVFRQIHNlcnZp Y2VzLiBUaGVyZWZvcmUgY2FuY2VsIGlmIHRoZSBkb2N1bWVudCB3YXMgbG9hZGVkIHdpdGggZGlm ZmVyZW50CisgICAgICAgIC8vIEhUVFAgdmVyc2lvbiBvciBpZiB0aGUgcmVzb3VyY2UgcmVxdWVz dCB3YXMgdG8gYSBub24tZGVmYXVsdCBwb3J0LgorICAgICAgICBpZiAoIW1fZG9jdW1lbnRMb2Fk ZXItPnJlc3BvbnNlKCkuaXNIdHRwVmVyc2lvbjBfOSgpKSB7CisgICAgICAgICAgICBTdHJpbmcg bWVzc2FnZSA9ICJDYW5jZWxsZWQgcmVzb3VyY2UgbG9hZCBmcm9tICciICsgdXJsLnN0cmluZygp ICsgIicgYmVjYXVzZSBpdCBpcyB1c2luZyBIVFRQLzAuOSBhbmQgdGhlIGRvY3VtZW50IHdhcyBs b2FkZWQgd2l0aCBhIGRpZmZlcmVudCBIVFRQIHZlcnNpb24uIjsKKyAgICAgICAgICAgIG1fZnJh bWUtPmRvY3VtZW50KCktPmFkZENvbnNvbGVNZXNzYWdlKE1lc3NhZ2VTb3VyY2U6OlNlY3VyaXR5 LCBNZXNzYWdlTGV2ZWw6OkVycm9yLCBtZXNzYWdlLCBpZGVudGlmaWVyKCkpOworICAgICAgICAg ICAgUmVzb3VyY2VFcnJvciBlcnJvcigiIiwgMCwgdXJsLCBtZXNzYWdlKTsKKyAgICAgICAgICAg IGRpZEZhaWwoZXJyb3IpOworICAgICAgICAgICAgcmV0dXJuOworICAgICAgICB9CisgICAgICAg IGlmICghaXNEZWZhdWx0UG9ydEZvclByb3RvY29sKHVybC5wb3J0KCksIHVybC5wcm90b2NvbCgp KSkgeworICAgICAgICAgICAgU3RyaW5nIG1lc3NhZ2UgPSAiQ2FuY2VsbGVkIHJlc291cmNlIGxv YWQgZnJvbSAnIiArIHVybC5zdHJpbmcoKSArICInIGJlY2F1c2UgaXQgaXMgdXNpbmcgSFRUUC8w Ljkgb24gYSBub24tZGVmYXVsdCBwb3J0LiI7CisgICAgICAgICAgICBtX2ZyYW1lLT5kb2N1bWVu dCgpLT5hZGRDb25zb2xlTWVzc2FnZShNZXNzYWdlU291cmNlOjpTZWN1cml0eSwgTWVzc2FnZUxl dmVsOjpFcnJvciwgbWVzc2FnZSwgaWRlbnRpZmllcigpKTsKKyAgICAgICAgICAgIFJlc291cmNl RXJyb3IgZXJyb3IoIiIsIDAsIHVybCwgbWVzc2FnZSk7CisgICAgICAgICAgICBkaWRGYWlsKGVy cm9yKTsKKyAgICAgICAgICAgIHJldHVybjsKKyAgICAgICAgfQorICAgICAgICAgICAgCiAgICAg ICAgIFN0cmluZyBtZXNzYWdlID0gIlNhbmRib3hpbmcgJyIgKyBtX3Jlc3BvbnNlLnVybCgpLnN0 cmluZygpICsgIicgYmVjYXVzZSBpdCBpcyB1c2luZyBIVFRQLzAuOS4iOwogICAgICAgICBtX2Zy YW1lLT5kb2N1bWVudCgpLT5hZGRDb25zb2xlTWVzc2FnZShNZXNzYWdlU291cmNlOjpTZWN1cml0 eSwgTWVzc2FnZUxldmVsOjpFcnJvciwgbWVzc2FnZSwgbV9pZGVudGlmaWVyKTsKICAgICAgICAg ZnJhbWVMb2FkZXIoKS0+Zm9yY2VTYW5kYm94RmxhZ3MoU2FuZGJveFNjcmlwdHMgfCBTYW5kYm94 UGx1Z2lucyk7Cg== 280969 2016-06-09 17:26:08 -0700 2016-06-10 00:07:28 -0700 Manual test cases for main document and resource loads http_0_9_responder.py text/x-python-script 5004 wilander IyBMYXVuY2ggdGhlIHRlc3Qgc2VydmVyIHdpdGggJ3B5dGhvbiBodHRwXzBfOV9yZXNwb25kZXIu cHknCiMgU3RhcnQgdGhlIHRlc3RzIGJ5IGJyb3dzaW5nIHRvIGh0dHA6Ly9sb2NhbGhvc3Q6ODg4 MS9sYXVuY2hQYWQKCmZyb20gc29ja2V0IGltcG9ydCAqCgpzb2NrID0gc29ja2V0KEFGX0lORVQs IFNPQ0tfU1RSRUFNKQpzb2NrLmJpbmQoKCcnLCA4ODgxKSkgCnNvY2subGlzdGVuKFNPTUFYQ09O TikgCgpIVFRQXzBfOV9XSVRIX0hFQURFUlMgPSAiSFRUUC8wLjkgMjAwIE9LXHJcbkNvbnRlbnQt VHlwZTogdGV4dC9odG1sXHJcblxyXG48IURPQ1RZUEUgaHRtbD5cclxuPGh0bWw+XHJcbjxoZWFk PlxyXG48dGl0bGU+XHJcbkxlZ2FjeSBGVFdcclxuPC90aXRsZT5cclxuPC9oZWFkPlxyXG48Ym9k eT5cclxuTGVnYWN5IHdpbGwgd2luIGluIHRoZSBlbmQuXHJcbjwvYm9keT5cclxuPC9odG1sPlxy XG4iCkhUVFBfMF85X1dJVEhPVVRfSEVBREVSUyA9ICI8IURPQ1RZUEUgaHRtbD5cclxuPGh0bWw+ XHJcbjxoZWFkPlxyXG48dGl0bGU+XHJcbkxlZ2FjeSBGVFdcclxuPC90aXRsZT5cclxuPC9oZWFk PlxyXG48Ym9keT5cclxuTGVnYWN5IHdpbGwgd2luIGluIHRoZSBlbmQuXHJcbjwvYm9keT5cclxu PC9odG1sPlxyXG4iCgpIVFRQXzFfMV8yMDAgPSAiSFRUUC8xLjEgMjAwIE9LXHJcbkNvbnRlbnQt VHlwZTogdGV4dC9odG1sXHJcbkNvbm5lY3Rpb246IENsb3NlZFxyXG4iCkhUVFBfMV8xX0VSUk9S X01FU1NBR0UgPSAiSFRUUC8xLjEgNDAwIEJhZCBSZXF1ZXN0XHJcbkNvbnRlbnQtVHlwZTogdGV4 dC9odG1sXHJcbkNvbm5lY3Rpb246IENsb3NlZFxyXG4iCgpIVFRQXzFfMV9URVNUX0NBU0VfUlVO TkVSID0gIiIiSFRUUC8xLjEgMjAwIE9LXHJcbkNvbnRlbnQtVHlwZTogdGV4dC9odG1sXHJcblxy XG48IURPQ1RZUEUgaHRtbD48aHRtbCBsYW5nPSJlbiI+CjxoZWFkPgogICAgPG1ldGEgY2hhcnNl dD0iVVRGLTgiPgogICAgPHRpdGxlPlhIUiBmcm9tIEhUVFAvMS4xIGRvY3VtZW50IHRvIEhUVFAv MC45IHJlc291cmNlPC90aXRsZT4KPC9oZWFkPgo8Ym9keT4KPHNjcmlwdCBzcmM9Imh0dHA6Ly9s b2NhbGhvc3Q6ODg4MS90ZXN0U2NyaXB0Ij48L3NjcmlwdD4KPC9ib2R5Pgo8L2h0bWw+IiIiCgpI VFRQXzBfOV9URVNUX0NBU0VfUlVOTkVSX1dJVEhfSEVBREVSUyA9ICIiIkhUVFAvMC45IDIwMCBP S1xyXG5Db250ZW50LVR5cGU6IHRleHQvaHRtbFxyXG5cclxuPCFET0NUWVBFIGh0bWw+PGh0bWwg bGFuZz0iZW4iPgo8aGVhZD4KICAgIDxtZXRhIGNoYXJzZXQ9IlVURi04Ij4KICAgIDx0aXRsZT5Y SFIgZnJvbSBIVFRQLzAuOSBkb2N1bWVudCB3aXRoIGhlYWRlcnMgdG8gSFRUUC8wLjkgcmVzb3Vy Y2U8L3RpdGxlPgo8L2hlYWQ+Cjxib2R5Pgo8c2NyaXB0IHNyYz0iaHR0cDovL2xvY2FsaG9zdDo4 ODgxL3Rlc3RTY3JpcHQiPjwvc2NyaXB0Pgo8L2JvZHk+CjwvaHRtbD4iIiIKCkhUVFBfMF85X1RF U1RfQ0FTRV9SVU5ORVJfV0lUSE9VVF9IRUFERVJTID0gIiIiPCFET0NUWVBFIGh0bWw+PGh0bWwg bGFuZz0iZW4iPgo8aGVhZD4KICAgIDxtZXRhIGNoYXJzZXQ9IlVURi04Ij4KICAgIDx0aXRsZT5Y SFIgZnJvbSBIVFRQLzAuOSBkb2N1bWVudCB3aXRob3V0IGhlYWRlcnMgdG8gSFRUUC8wLjkgcmVz b3VyY2U8L3RpdGxlPgo8L2hlYWQ+Cjxib2R5Pgo8c2NyaXB0IHNyYz0iaHR0cDovL2xvY2FsaG9z dDo4ODgxL3Rlc3RTY3JpcHQiPjwvc2NyaXB0Pgo8L2JvZHk+CjwvaHRtbD4iIiIKCkhUVFBfMV8x X0xBVU5DSF9QQUQgPSAiIiJIVFRQLzEuMSAyMDAgT0tcclxuQ29udGVudC1UeXBlOiB0ZXh0L2h0 bWxcclxuXHJcbjwhRE9DVFlQRSBodG1sPjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ+CiAgICA8bWV0 YSBjaGFyc2V0PSJVVEYtOCI+CiAgICA8dGl0bGU+SFRUUC8wLjkgUmVzb3VyY2UgVGVzdCBMYXVu Y2ggUGFkPC90aXRsZT4KPC9oZWFkPgo8Ym9keT4KPGEgaHJlZj0iaHR0cDovL2xvY2FsaG9zdDo4 ODgxL2h0dHAxXzFUZXN0Q2FzZVJ1bm5lciI+SFRUUC8xLjEgZG9jdW1lbnQ8L2E+IChTaG91bGQg bG9hZCBhbmQgdGhlbiBwcm9kdWNlIHRlc3QgcmVzdWx0cyBmb3IgcmVzb3VyY2UgbG9hZHMpPGJy Pgo8YSBocmVmPSJodHRwOi8vbG9jYWxob3N0Ojg4ODEvaHR0cDBfOVRlc3RDYXNlUnVubmVyV2l0 aEhlYWRlcnMiPkhUVFAvMC45IGRvY3VtZW50IHdpdGggaGVhZGVyczwvYT4gKFNob3VsZCBub3Qg bG9hZCBzaW5jZSB0aGUgcG9ydCBpcyBub24tZGVmYXVsdCk8YnI+CjxhIGhyZWY9Imh0dHA6Ly9s b2NhbGhvc3Q6ODg4MS9odHRwMF85VGVzdENhc2VSdW5uZXJXaXRob3V0SGVhZGVycyI+SFRUUC8w LjkgZG9jdW1lbnQgd2l0aG91dCBoZWFkZXJzPC9hPiAoU2hvdWxkIG5vdCBsb2FkIHNpbmNlIHRo ZSBwb3J0IGlzIG5vbi1kZWZhdWx0KTxicj4KPC9ib2R5Pgo8L2h0bWw+IiIiCgpTQ1JJUFQgPSAi IiJIVFRQLzEuMSAyMDAgT0tcclxuQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LWphdmFzY3Jp cHRcclxuXHJcbgp2YXIgTk9UX1JVTl9ZRVQgPSAibm90UnVuWWV0IjsKdmFyIHRlc3RSZXN1bHRz ID0gW05PVF9SVU5fWUVULCBOT1RfUlVOX1lFVCwgTk9UX1JVTl9ZRVRdOwoKZnVuY3Rpb24gY2hl Y2tSZXN1bHRzKCkgewogICAgdmFyIHJlc3VsdFN0cmluZyA9ICIiOwoKICAgIGZvciAodmFyIGkg PSAwOyBpIDwgdGVzdFJlc3VsdHMubGVuZ3RoOyBpKyspIHsKICAgICAgICB2YXIgcmVzdWx0ID0g dGVzdFJlc3VsdHNbaV07CiAgICAgICAgaWYgKHJlc3VsdCA9PT0gTk9UX1JVTl9ZRVQpIHsKICAg ICAgICAgICAgcmV0dXJuOwogICAgICAgIH0gZWxzZSB7CiAgICAgICAgICAgIHJlc3VsdFN0cmlu ZyArPSByZXN1bHQuZGVzY3JpcHRpb24gKyAiOiAiICsgcmVzdWx0LnJlc3VsdCArICI8YnI+IjsK ICAgICAgICB9CiAgICB9CiAgICBkb2N1bWVudC53cml0ZSgiPHA+IiArIHJlc3VsdFN0cmluZyAr ICI8L3A+Iik7Cn0KCmZ1bmN0aW9uIHRlc3QoZGVzY3JpcHRpb24sIHVybCwgdGVzdENhc2VJbmRl eCwgc2hvdWxkUGFzcykgewogICAgdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOwoKICAg IHhoci5vbmVycm9yID0gKGZ1bmN0aW9uIChkZXNjcmlwdGlvbiwgdXJsLCB0ZXN0Q2FzZUluZGV4 LCBzaG91bGRQYXNzKSB7CiAgICAgICAgcmV0dXJuIGZ1bmN0aW9uICgpIHsKICAgICAgICAgICAg dGVzdFJlc3VsdHNbdGVzdENhc2VJbmRleF0gPSB7CiAgICAgICAgICAgICAgICAgICAgdXJsIDog dXJsLAogICAgICAgICAgICAgICAgICAgIHJlc3VsdCA6IChzaG91bGRQYXNzID8gIkZBSUwiIDog IlBBU1MiKSwKICAgICAgICAgICAgICAgICAgICBkZXNjcmlwdGlvbiA6IGRlc2NyaXB0aW9uCiAg ICAgICAgICAgICAgICB9OwogICAgICAgICAgICBjaGVja1Jlc3VsdHMoKTsKICAgICAgICB9CiAg ICB9KShkZXNjcmlwdGlvbiwgdXJsLCB0ZXN0Q2FzZUluZGV4LCBzaG91bGRQYXNzKTsKCiAgICB4 aHIub25sb2FkID0gKGZ1bmN0aW9uIChkZXNjcmlwdGlvbiwgdXJsLCB0ZXN0Q2FzZUluZGV4LCBz aG91bGRQYXNzKSB7CiAgICAgICAgcmV0dXJuIGZ1bmN0aW9uICgpIHsKICAgICAgICAgICAgdGVz dFJlc3VsdHNbdGVzdENhc2VJbmRleF0gPSB7CiAgICAgICAgICAgICAgICAgICAgdXJsIDogdXJs LAogICAgICAgICAgICAgICAgICAgIHJlc3VsdCA6IChzaG91bGRQYXNzID8gIlBBU1MiIDogIkZB SUwiKSwKICAgICAgICAgICAgICAgICAgICBkZXNjcmlwdGlvbiA6IGRlc2NyaXB0aW9uCiAgICAg ICAgICAgICAgICB9OwogICAgICAgICAgICBjaGVja1Jlc3VsdHMoKTsKICAgICAgICB9CiAgICB9 KShkZXNjcmlwdGlvbiwgdXJsLCB0ZXN0Q2FzZUluZGV4LCBzaG91bGRQYXNzKTsKCiAgICB4aHIu b3BlbigiR0VUIiwgdXJsLCB0cnVlKTsKICAgIHhoci5zZW5kKCk7Cn0KCnRlc3QoIkhUVFAvMS4x IHJlc3BvbnNlIGhlYWRlcnMgc2hvdWxkIGJlIGFjY2VwdGVkIiwgIi9ub3JtYWxIdHRwMV8xIiwg MCwgdHJ1ZSk7Cgp0ZXN0KCJIVFRQLzAuOSByZXNwb25zZSBoZWFkZXJzIHNob3VsZCBub3QgYmUg YWNjZXB0ZWQiLCAiL3dpdGhIZWFkZXJzIiwgMSwgZmFsc2UpOwoKdGVzdCgiSGVhZGVybGVzcyBI VFRQLzAuOSByZXNwb25zZSBzaG91bGQgbm90IGJlIGFjY2VwdGVkIiwgIi93aXRob3V0SGVhZGVy cyIsIDIsIGZhbHNlKTsiIiIKCgp3aGlsZSBUcnVlOgoJY2xpZW50LCBhZGRyID0gc29jay5hY2Nl cHQoKSAKCWRhdGEgPSBjbGllbnQucmVjdig0MDk2KSAKCXN0ckRhdGEgPSBzdHIoZGF0YSkKCWlm ICJ0ZXN0U2NyaXB0IiBpbiBzdHJEYXRhOgoJCWNsaWVudC5zZW5kKFNDUklQVCkKCWVsaWYgIndp dGhIZWFkZXJzIiBpbiBzdHJEYXRhOgoJCWNsaWVudC5zZW5kKEhUVFBfMF85X1dJVEhfSEVBREVS UykKCWVsaWYgIndpdGhvdXRIZWFkZXJzIiBpbiBzdHJEYXRhOiAKCQljbGllbnQuc2VuZChIVFRQ XzBfOV9XSVRIT1VUX0hFQURFUlMpCgllbGlmICJub3JtYWxIdHRwMV8xIiBpbiBzdHJEYXRhOiAK CQljbGllbnQuc2VuZChIVFRQXzFfMV8yMDApCgllbGlmICJodHRwMV8xVGVzdENhc2VSdW5uZXIi IGluIHN0ckRhdGE6CgkJY2xpZW50LnNlbmQoSFRUUF8xXzFfVEVTVF9DQVNFX1JVTk5FUikKCWVs aWYgImh0dHAwXzlUZXN0Q2FzZVJ1bm5lcldpdGhIZWFkZXJzIiBpbiBzdHJEYXRhOgoJCWNsaWVu dC5zZW5kKEhUVFBfMF85X1RFU1RfQ0FTRV9SVU5ORVJfV0lUSF9IRUFERVJTKQoJZWxpZiAiaHR0 cDBfOVRlc3RDYXNlUnVubmVyV2l0aG91dEhlYWRlcnMiIGluIHN0ckRhdGE6CgkJY2xpZW50LnNl bmQoSFRUUF8wXzlfVEVTVF9DQVNFX1JVTk5FUl9XSVRIT1VUX0hFQURFUlMpCgllbGlmICJsYXVu Y2hQYWQiIGluIHN0ckRhdGE6CgkJY2xpZW50LnNlbmQoSFRUUF8xXzFfTEFVTkNIX1BBRCkKCWVs c2U6CgkJY2xpZW50LnNlbmQoSFRUUF8xXzFfRVJST1JfTUVTU0FHRSkKCXByaW50ICJTZW50IHNv bWUgZGF0YSBiYWNrIHRvIHRoZSBjbGllbnQiCgoJY2xpZW50LmNsb3NlKCkK