27239 2009-07-13 15:32:51 -0700 Do not do HTTP Refresh to javascript: or other dangerous URI schemes 2009-10-23 19:07:00 -0700 1 1 1 Unclassified WebKit Page Loading 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED P2 Normal --- 1 scarybeasts webkit-unassigned abarth collinj commit-queue eric sam scarybeasts oldest_to_newest 131425 0 scarybeasts 2009-07-13 15:32:51 -0700 Patch to follow. It brings WebKit in line with IE, Firefox and Opera. See: http://code.google.com/p/browsersec/wiki/Part2#Redirection_restrictions The proposed whitelist is fairly restrictive. We could feasibly add "data" if you wanted, since the data: protocol causes a change of document.domain. 131428 1 32686 scarybeasts 2009-07-13 15:50:31 -0700 Created attachment 32686 Fix that limits which schemes we will Refresh to 131430 2 32686 scarybeasts 2009-07-13 15:51:39 -0700 Comment on attachment 32686 Fix that limits which schemes we will Refresh to Sam / Adam, something like this? 131625 3 32686 darin 2009-07-14 11:56:56 -0700 Comment on attachment 32686 Fix that limits which schemes we will Refresh to If we think there will be other places where "HTTP family plus FTP" is the set we'll care about, then we may want a new function to do this. A protocolIs function already exists that works on a string without creating and parsing a KURL, so there's no need to make a KURL in the new code. But we would need a version of protocolInHTTPFamily that worked on a plain string. The change log lists the file changed, but not the function name. It should list the function name. 131627 4 abarth 2009-07-14 12:02:15 -0700 Poor gopher. Always getting left out. 131749 5 ap 2009-07-14 16:47:04 -0700 Do we need to add a layout test for META refreshes, as well? 138049 6 32686 eric 2009-08-07 12:40:41 -0700 Comment on attachment 32686 Fix that limits which schemes we will Refresh to r-, awaiting Chris's replies to the above comments. 138680 7 abarth 2009-08-10 08:57:53 -0700 Chris, are you planning to update the patch to address Darin's comments? If you're working on higher priority issues, we can find someone else to look at this bug. 138683 8 abarth 2009-08-10 09:12:57 -0700 Comment from a user on the Chromium issue tracker: [[ Comment 6 by sbjesse, Today (1 minute ago) @abarth thx for the pointer. but i think the most direct fix is on the view-source scheme, where no redirection/refresh is expected, not restricting refresh-target schemes (although either a hardcoded or a tunable list will be quite cool) ]] Should we restrict this change to view source frames only? We should test interoperability here. 138765 9 scarybeasts 2009-08-10 12:14:45 -0700 @adam: at this time, I am pretty buried auditing some of the new features for the next version of Chrome. If you wanted this addressed sooner, I'd gladly accept the offer of help. Re: comment #8, I agree with sbjesse. This is not the proper fix for the view-source: Refresh interaction; even with this restriction in place, someone could simply Refresh: 0;http://www.evil.com/ which still hijacks window.location (which could then execute script, as per the original complaint that it should not be possible for a view-source: URL to render active content). This fix still has individual merit, however. Looks like Firefox just made this change as a defense-in-depth measure for web apps, such that careless construction of Refresh: headers cannot lead to XSS. 156779 10 41636 scarybeasts 2009-10-21 21:26:25 -0700 Created attachment 41636 A much better fix. A substantially better fix. i.e. it actually covers Refresh to an http URL. 156780 11 scarybeasts 2009-10-21 21:27:52 -0700 Ok, can we land this? I fiddled with a layout test but I'm not sure it can be done, so I request an exemption. Best I can tell, you can't navigate to or iframe a view-source: URL in a layout test. 156781 12 scarybeasts 2009-10-21 21:33:18 -0700 One more comment - the bug title isn't really accurate any more. It's now more like "Don't execute javascript in view-source mode". 156788 13 41636 abarth 2009-10-21 22:36:45 -0700 Comment on attachment 41636 A much better fix. Nice. Yeah, I don't know how to test it. 156791 14 41636 abarth 2009-10-21 23:01:55 -0700 Comment on attachment 41636 A much better fix. Actually, I just made a big deal on webkit-dev about how we couldn't change FrameLoader any more without tests. Can you make a manual-test? 156794 15 abarth 2009-10-21 23:10:55 -0700 Wait, isn't there some attribute you can put on frames to put them in view-source mode? http://trac.webkit.org/browser/trunk/LayoutTests/fast/frames/viewsource-unfinished-tags.html 156796 16 scarybeasts 2009-10-21 23:16:31 -0700 view-source:https://cevans-app.appspot.com/refresh Success: you see HTML source. Fail: a redirect to www.google.com This tests both the HTTP header and the meta tag method. n.b. on my Linux dev channel Chrome, the above URL does nothing (blank page) if the page is not in the cache. If you see that, hitting refresh will get you a success or fail condition as outlined above. But let me first investigate that weird viewsource iframe attribute (my grep was for view-source so I missed the hyphenless version... 157052 17 41700 scarybeasts 2009-10-22 17:18:28 -0700 Created attachment 41700 Simple fix plus test 157053 18 scarybeasts 2009-10-22 17:18:47 -0700 Now with more test.... 157067 19 41700 abarth 2009-10-22 17:48:10 -0700 Comment on attachment 41700 Simple fix plus test This test will make Julie sad, but I'm glad to have it. 157087 20 scarybeasts 2009-10-22 19:30:34 -0700 Can you land it Adam? 157112 21 abarth 2009-10-22 23:56:08 -0700 (In reply to comment #20) > Can you land it Adam? Yes. Probably tomorrow morning. The commit-queue doesn't work for security bugs. 157290 22 41700 eric 2009-10-23 14:01:31 -0700 Comment on attachment 41700 Simple fix plus test This isn't a Security bug. 157295 23 scarybeasts 2009-10-23 14:05:10 -0700 I agree it has no particular security consequence. Regrettably, it was incorrectly reported in a media story as a noteworthy vulnerability. A few lower-tier security professionals have also misunderstood this. I'll pull the fix into Chromium when it is landed, just to keep everyone placated. 157298 24 41700 commit-queue 2009-10-23 14:09:55 -0700 Comment on attachment 41700 Simple fix plus test Rejecting patch 41700 from commit-queue. Failed to run "['WebKitTools/Scripts/run-webkit-tests', '--no-launch-safari', '--quiet', '--exit-after-n-failures=1']" exit_code: 1 Running build-dumprendertree Running tests from /Users/eseidel/Projects/CommitQueue/LayoutTests Testing 11510 test cases. http/tests/security/view-source-no-refresh.html -> failed Exiting early after 1 failures. 8791 tests run. 248.69s total testing time 8790 test cases (99%) succeeded 1 test case (<1%) had incorrect layout 5 test cases (<1%) had stderr output 157302 25 scarybeasts 2009-10-23 14:27:27 -0700 Grr :) Obviously, it runs for me... how do I get at the output for the failure case? Failure reason, any simplified text diffs, ... 157314 26 eric 2009-10-23 14:39:51 -0700 (In reply to comment #25) > Grr :) Obviously, it runs for me... how do I get at the output for the failure > case? Failure reason, any simplified text diffs, ... --- /tmp/layout-test-results/http/tests/security/view-source-no-refresh-expected.txt 2009-10-23 14:09:49.000000000 -0700 +++ /tmp/layout-test-results/http/tests/security/view-source-no-refresh-actual.txt 2009-10-23 14:09:49.000000000 -0700 @@ -1 +1,3 @@ Success - did not redirect to Javascript + + bugzilla-tool isn't smart enough to upload the failure diffs yet. Not sure where it would upload them to. 157400 27 41771 scarybeasts 2009-10-23 18:47:12 -0700 Created attachment 41771 Simple fix plus test v2 157401 28 scarybeasts 2009-10-23 18:48:29 -0700 Weird, looks like a simple whitespace issue. My local "run_webkit_tests" does not care but the commit queue obviously does, so can you see if the latest patch (identical apart from the addition of two blank lines) passes? 157402 29 41771 abarth 2009-10-23 18:56:21 -0700 Comment on attachment 41771 Simple fix plus test v2 The commit queue will freak out if a non-reviewer sets the review+ flag. 157403 30 eric 2009-10-23 19:02:24 -0700 I've been told that run_webkit_tests (chromium's python script) may produce different expected results from run-webkit-tests (webkit's script). That may be causing the line spacing. 157404 31 41771 commit-queue 2009-10-23 19:06:55 -0700 Comment on attachment 41771 Simple fix plus test v2 Clearing flags on attachment: 41771 Committed r50018: <http://trac.webkit.org/changeset/50018> 157405 32 commit-queue 2009-10-23 19:07:00 -0700 All reviewed patches have been landed. Closing bug. 32686 2009-07-13 15:50:31 -0700 2009-10-21 21:26:25 -0700 Fix that limits which schemes we will Refresh to refreshjs.diff text/plain 3147 scarybeasts SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA0NTczOCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTUgQEAKKzIwMDktMDctMTMgIENocmlzIEV2YW5zICA8Y2V2YW5zQGNocm9taXVt Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBE byBub3QgcmVmcmVzaCB0byBKYXZhc2NyaXB0LiBCcmluZ3MgV2ViS2l0IGlubGluZSB3aXRoIG90 aGVyIGJyb3dzZXJzOgorICAgICAgICBodHRwOi8vY29kZS5nb29nbGUuY29tL3AvYnJvd3NlcnNl Yy93aWtpL1BhcnQyI1JlZGlyZWN0aW9uX3Jlc3RyaWN0aW9ucworICAgICAgICBodHRwczovL2J1 Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjcyMzkKKworICAgICAgICBUZXN0OiBodHRw L3Rlc3RzL21pc2MvcmVkaXJlY3QtdG8tanMucGhwCisKKyAgICAgICAgKiBsb2FkZXIvRnJhbWVM b2FkZXIuY3BwOiBpZ25vcmUgUmVmcmVzaCByZXF1ZXN0cyB0byBKYXZhc2NyaXB0LgorCiAyMDA5 LTA3LTEwICBCcmFkeSBFaWRzb24gIDxiZWlkc29uQGFwcGxlLmNvbT4KIAogICAgICAgICBTdHls ZSBjbGVhbnVwIG92ZXIgbXkgbGFzdCBwYXRjaC4KSW5kZXg6IFdlYkNvcmUvbG9hZGVyL0ZyYW1l TG9hZGVyLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL2xvYWRlci9GcmFtZUxvYWRlci5jcHAJ KHJldmlzaW9uIDQ1NzM4KQorKysgV2ViQ29yZS9sb2FkZXIvRnJhbWVMb2FkZXIuY3BwCSh3b3Jr aW5nIGNvcHkpCkBAIC0xMzE4LDYgKzEzMTgsMTAgQEAKICAgICBpZiAodXJsLmlzRW1wdHkoKSkK ICAgICAgICAgcmV0dXJuOwogCisgICAgS1VSTCBwYXJzZWRVUkwodXJsKTsKKyAgICBpZiAoIXBh cnNlZFVSTC5wcm90b2NvbEluSFRUUEZhbWlseSgpICYmICFwYXJzZWRVUkwucHJvdG9jb2xJcygi ZnRwIikpCisgICAgICAgIHJldHVybjsKKwogICAgIC8vIFdlIHdhbnQgYSBuZXcgaGlzdG9yeSBp dGVtIGlmIHRoZSByZWZyZXNoIHRpbWVvdXQgaXMgPiAxIHNlY29uZC4KICAgICBpZiAoIW1fc2No ZWR1bGVkUmVkaXJlY3Rpb24gfHwgZGVsYXkgPD0gbV9zY2hlZHVsZWRSZWRpcmVjdGlvbi0+ZGVs YXkpCiAgICAgICAgIHNjaGVkdWxlUmVkaXJlY3Rpb24obmV3IFNjaGVkdWxlZFJlZGlyZWN0aW9u KGRlbGF5LCB1cmwsIHRydWUsIGRlbGF5IDw9IDEsIGZhbHNlLCBmYWxzZSkpOwpJbmRleDogTGF5 b3V0VGVzdHMvaHR0cC90ZXN0cy9taXNjL3JlZGlyZWN0LXRvLWpzLnBocAo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0t LSBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL21pc2MvcmVkaXJlY3QtdG8tanMucGhwCShyZXZpc2lv biAwKQorKysgTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9taXNjL3JlZGlyZWN0LXRvLWpzLnBocAko cmV2aXNpb24gMCkKQEAgLTAsMCArMSwyNSBAQAorPD9waHAKKyAgLy8gVGVzdCB0aGF0IGEgcmVk aXJlY3QgdG8gSmF2YXNjcmlwdCBpcyBpZ25vcmVkLgorCisgIGhlYWRlcignQ29udGVudC10eXBl OiB0ZXh0L2h0bWwnKTsKKyAgaGVhZGVyKCdSZWZyZXNoOiAwO1VSTD1qYXZhc2NyaXB0OmRvY3Vt ZW50LndyaXRlbG4oIjxodG1sPjxib2R5PkZBSUw8L2JvZHk+PC9odG1sIiknKTsKKz8+CisKKzxi b2R5PgorPHNjcmlwdD4KK2lmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIpIHsKKyAgbGF5 b3V0VGVzdENvbnRyb2xsZXIud2FpdFVudGlsRG9uZSgpOworICBsYXlvdXRUZXN0Q29udHJvbGxl ci5kdW1wQXNUZXh0KCk7Cit9Cis8L3NjcmlwdD4KKyAgIAorPHA+U3VjY2VzcyAtIGRpZCBub3Qg cmVkaXJlY3QgdG8gSmF2YXNjcmlwdDxwPgorCis8c2NyaXB0PgorZnVuY3Rpb24gZG9uZSgpIHsK KyAgaWYgKHdpbmRvdy5sYXlvdXRUZXN0Q29udHJvbGxlcikKKyAgICBsYXlvdXRUZXN0Q29udHJv bGxlci5ub3RpZnlEb25lKCk7Cit9CitzZXRUaW1lb3V0KCJkb25lKCkiLCAxMDAwKTsKKzwvc2Ny aXB0PgorPC9ib2R5PgpJbmRleDogTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9taXNjL3JlZGlyZWN0 LXRvLWpzLWV4cGVjdGVkLnR4dAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9odHRwL3Rlc3Rz L21pc2MvcmVkaXJlY3QtdG8tanMtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQorKysgTGF5b3V0 VGVzdHMvaHR0cC90ZXN0cy9taXNjL3JlZGlyZWN0LXRvLWpzLWV4cGVjdGVkLnR4dAkocmV2aXNp b24gMCkKQEAgLTAsMCArMSBAQAorU3VjY2VzcyAtIGRpZCBub3QgcmVkaXJlY3QgdG8gSmF2YXNj cmlwdApJbmRleDogTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRl c3RzL0NoYW5nZUxvZwkocmV2aXNpb24gNDU3MzgpCisrKyBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJ KHdvcmtpbmcgY29weSkKQEAgLTEsMyArMSwxMyBAQAorMjAwOS0wNy0xMyAgQ2hyaXMgRXZhbnMg IDxjZXZhbnNAY2hyb21pdW0ub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09Q UyEpLgorCisgICAgICAgIEFkZGVkIHRlc3QgZm9yIGJ1ZyAyNzIzOSAoZG9uJ3QgcmVmcmVzaCB0 byBKYXZhc2NyaXB0KS4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcu Y2dpP2lkPTI3MjM5CisKKyAgICAgICAgKiBodHRwL3Rlc3RzL21pc2MvcmVkaXJlY3QtdG8tanMt ZXhwZWN0ZWQudHh0OiBBZGRlZAorICAgICAgICAqIGh0dHAvdGVzdHMvbWlzYy9yZWRpcmVjdC10 by1qcy5waHA6IEFkZGVkCisKIDIwMDktMDctMTAgIFNpbW9uIEhhdXNtYW5uICA8aGF1c21hbm5A d2Via2l0Lm9yZz4KIAogICAgICAgICBObyBSZXZpZXcsIGp1c3QgcmUtb3JkZXJpbmcgUXQgRFJU IHNraXAgbGlzdC4K 41636 2009-10-21 21:26:25 -0700 2009-10-22 17:18:28 -0700 A much better fix. w.diff text/plain 1079 scarybeasts SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA0OTkyNikKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTMgQEAKKzIwMDktMDctMTMgIENocmlzIEV2YW5zICA8Y2V2YW5zQGNocm9taXVt Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBJ Z25vcmUgdGhlIFJlZnJlc2ggaGVhZGVyIGlmIHdlJ3JlIGluIHZpZXctc291cmNlIG1vZGUuCisK KyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTI3MjM5CisK KyAgICAgICAgKiBsb2FkZXIvRnJhbWVMb2FkZXIuY3BwOiBpZ25vcmUgUmVmcmVzaCBpbiB2aWV3 LXNvdXJjZSBtb2RlLgorCiAyMDA5LTEwLTIxICBEYXJpbiBBZGxlciAgPGRhcmluQGFwcGxlLmNv bT4KIAogICAgICAgICBTd2VkaXNoIHNlYXJjaCAoYW5kIG90aGVyIGxhbmd1YWdlcyBhcyB3ZWxs KSBpcyBicm9rZW4gd2hpbGUgZml4aW5nIEphcGFuZXNlIHNlYXJjaApJbmRleDogV2ViQ29yZS9s b2FkZXIvRnJhbWVMb2FkZXIuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvbG9hZGVyL0ZyYW1l TG9hZGVyLmNwcAkocmV2aXNpb24gNDk5MjYpCisrKyBXZWJDb3JlL2xvYWRlci9GcmFtZUxvYWRl ci5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTc1Nyw2ICs3NTcsOCBAQAogICAgIFN0cmluZyB1cmw7 CiAgICAgaWYgKCFtX2RvY3VtZW50TG9hZGVyKQogICAgICAgICByZXR1cm47CisgICAgaWYgKG1f ZnJhbWUtPmluVmlld1NvdXJjZU1vZGUoKSkKKyAgICAgICAgcmV0dXJuOwogICAgIGlmICghcGFy c2VIVFRQUmVmcmVzaChtX2RvY3VtZW50TG9hZGVyLT5yZXNwb25zZSgpLmh0dHBIZWFkZXJGaWVs ZCgiUmVmcmVzaCIpLCBmYWxzZSwgZGVsYXksIHVybCkpCiAgICAgICAgIHJldHVybjsKIAo= 41700 2009-10-22 17:18:28 -0700 2009-10-23 18:47:12 -0700 Simple fix plus test w.diff text/plain 3827 scarybeasts SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA0OTkyNikKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTUgQEAKKzIwMDktMDctMTMgIENocmlzIEV2YW5zICA8Y2V2YW5zQGNocm9taXVt Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBJ Z25vcmUgdGhlIFJlZnJlc2ggaGVhZGVyIGlmIHdlJ3JlIGluIHZpZXcgc291cmNlIG1vZGUuCisK KyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTI3MjM5CisK KyAgICAgICAgVGVzdDogaHR0cC90ZXN0cy9zZWN1cml0eS92aWV3LXNvdXJjZS1uby1yZWZyZXNo Lmh0bWwKKworICAgICAgICAqIGxvYWRlci9GcmFtZUxvYWRlci5jcHA6IGlnbm9yZSBSZWZyZXNo IGluIHZpZXctc291cmNlIG1vZGUuCisKIDIwMDktMTAtMjEgIERhcmluIEFkbGVyICA8ZGFyaW5A YXBwbGUuY29tPgogCiAgICAgICAgIFN3ZWRpc2ggc2VhcmNoIChhbmQgb3RoZXIgbGFuZ3VhZ2Vz IGFzIHdlbGwpIGlzIGJyb2tlbiB3aGlsZSBmaXhpbmcgSmFwYW5lc2Ugc2VhcmNoCkluZGV4OiBX ZWJDb3JlL2xvYWRlci9GcmFtZUxvYWRlci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29yZS9sb2Fk ZXIvRnJhbWVMb2FkZXIuY3BwCShyZXZpc2lvbiA0OTkyNikKKysrIFdlYkNvcmUvbG9hZGVyL0Zy YW1lTG9hZGVyLmNwcAkod29ya2luZyBjb3B5KQpAQCAtNzU3LDYgKzc1Nyw4IEBACiAgICAgU3Ry aW5nIHVybDsKICAgICBpZiAoIW1fZG9jdW1lbnRMb2FkZXIpCiAgICAgICAgIHJldHVybjsKKyAg ICBpZiAobV9mcmFtZS0+aW5WaWV3U291cmNlTW9kZSgpKQorICAgICAgICByZXR1cm47CiAgICAg aWYgKCFwYXJzZUhUVFBSZWZyZXNoKG1fZG9jdW1lbnRMb2FkZXItPnJlc3BvbnNlKCkuaHR0cEhl YWRlckZpZWxkKCJSZWZyZXNoIiksIGZhbHNlLCBkZWxheSwgdXJsKSkKICAgICAgICAgcmV0dXJu OwogCkluZGV4OiBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3Jlc291cmNlcy92aWV3 LXNvdXJjZS1uby1yZWZyZXNoLnBocAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9odHRwL3Rl c3RzL3NlY3VyaXR5L3Jlc291cmNlcy92aWV3LXNvdXJjZS1uby1yZWZyZXNoLnBocAkocmV2aXNp b24gMCkKKysrIExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvcmVzb3VyY2VzL3ZpZXct c291cmNlLW5vLXJlZnJlc2gucGhwCShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDEyIEBACis8P3Bo cAorICBoZWFkZXIoJ0hUVFAvMS4wIDIwMCBPSycpOworICBoZWFkZXIoJ0NvbnRlbnQtdHlwZTog dGV4dC9odG1sJyk7CisgIGhlYWRlcignUmVmcmVzaDogMDtVUkw9amF2YXNjcmlwdDp3aW5kb3cu dG9wLmxvY2F0aW9uPSJhYm91dDpibGFuayInKTsKKz8+CisKKzxoZWFkPgorPG1ldGEgaHR0cC1l cXVpdj0ncmVmcmVzaCcgY29udGVudD0nMDtVUkw9amF2YXNjcmlwdDp3aW5kb3cudG9wLmxvY2F0 aW9uPSJhYm91dDpibGFuayInLz4KKzwvaGVhZD4KKzxib2R5PgorVGhpcyBpcyB0aGUgdmlld3Nv dXJjZSBpZnJhbWUuCis8L2JvZHk+CkluZGV4OiBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3Vy aXR5L3ZpZXctc291cmNlLW5vLXJlZnJlc2gtZXhwZWN0ZWQudHh0Cj09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExh eW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvdmlldy1zb3VyY2Utbm8tcmVmcmVzaC1leHBl Y3RlZC50eHQJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5 L3ZpZXctc291cmNlLW5vLXJlZnJlc2gtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQpAQCAtMCww ICsxIEBACitTdWNjZXNzIC0gZGlkIG5vdCByZWRpcmVjdCB0byBKYXZhc2NyaXB0CkluZGV4OiBM YXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3ZpZXctc291cmNlLW5vLXJlZnJlc2guaHRt bAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3ZpZXctc291 cmNlLW5vLXJlZnJlc2guaHRtbAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2h0dHAvdGVz dHMvc2VjdXJpdHkvdmlldy1zb3VyY2Utbm8tcmVmcmVzaC5odG1sCShyZXZpc2lvbiAwKQpAQCAt MCwwICsxLDI1IEBACis8aHRtbD4KKzxib2R5PgorPHNjcmlwdD4KK2lmICh3aW5kb3cubGF5b3V0 VGVzdENvbnRyb2xsZXIpIHsKKyAgbGF5b3V0VGVzdENvbnRyb2xsZXIud2FpdFVudGlsRG9uZSgp OworICBsYXlvdXRUZXN0Q29udHJvbGxlci5kdW1wQXNUZXh0KCk7Cit9Cis8L3NjcmlwdD4KKzxz Y3JpcHQ+CitmdW5jdGlvbiBkb25lKCkgeworICBpZiAod2luZG93LmxheW91dFRlc3RDb250cm9s bGVyKQorICAgIGxheW91dFRlc3RDb250cm9sbGVyLm5vdGlmeURvbmUoKTsKK30KKworZnVuY3Rp b24gbG9hZGVkKCkgeworICAvLyBVbmZvcnR1bmF0ZWx5IG5lZWQgdG8gd2FpdCBhIGxpdHRsZSB0 byBlbnN1cmUgdGhlIHRvcCBsZXZlbCBwYWdlCisgIC8vIHRyYW5zaXRpb24gb2NjdXJzIGluIHRo ZSBmYWlsdXJlIGNhc2UuCisgIHNldFRpbWVvdXQoImRvbmUoKSIsIDEwMDApOworfQorPC9zY3Jp cHQ+Cis8cD5TdWNjZXNzIC0gZGlkIG5vdCByZWRpcmVjdCB0byBKYXZhc2NyaXB0PC9wPgorPGlm cmFtZSB2aWV3c291cmNlIHNyYz0icmVzb3VyY2VzL3ZpZXctc291cmNlLW5vLXJlZnJlc2gucGhw IiBvbmxvYWQ9ImxvYWRlZCgpIj4KKzwvaWZyYW1lPgorPC9ib2R5PgorPC9odG1sPgpJbmRleDog TGF5b3V0VGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL0NoYW5nZUxv ZwkocmV2aXNpb24gNDk5MjYpCisrKyBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHdvcmtpbmcgY29w eSkKQEAgLTEsMyArMSwxNCBAQAorMjAwOS0xMC0yMiAgQ2hyaXMgRXZhbnMgIDxjZXZhbnNAY2hy b21pdW0ub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAg ICAgIEFkZGVkIHRlc3QgZm9yIGJ1ZyAyNzIzOSAoaWdub3JlIFJlZnJlc2ggZm9yIHZpZXcgc291 cmNlIG1vZGUpLgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/ aWQ9MjcyMzkKKworICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkvdmlldy1zb3VyY2Utbm8t cmVmcmVzaC5odG1sOiBBZGRlZAorICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkvdmlldy1z b3VyY2Utbm8tcmVmcmVzaC1leHBlY3RlZC50eHQ6IEFkZGVkCisgICAgICAgICogaHR0cC90ZXN0 cy9zZWN1cml0eS9yZXNvdXJjZXMvdmlldy1zb3VyY2Utbm8tcmVmcmVzaC5waHA6IEFkZGVkCisK IDIwMDktMTAtMjEgIERhcmluIEFkbGVyICA8ZGFyaW5AYXBwbGUuY29tPgogCiAgICAgICAgIFVw ZGF0ZSBzaW5jZSB3ZSByb2xsZWQgSmFwYW5lc2UgdGFpbG9yaW5nIG91dCB0aGF0IHdhcyBkb25l IHRvIGZpeAo= 41771 2009-10-23 18:47:12 -0700 2009-10-23 19:06:55 -0700 Simple fix plus test v2 w.diff text/plain 3833 scarybeasts SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA0OTkyNikKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTUgQEAKKzIwMDktMDctMTMgIENocmlzIEV2YW5zICA8Y2V2YW5zQGNocm9taXVt Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBJ Z25vcmUgdGhlIFJlZnJlc2ggaGVhZGVyIGlmIHdlJ3JlIGluIHZpZXcgc291cmNlIG1vZGUuCisK KyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTI3MjM5CisK KyAgICAgICAgVGVzdDogaHR0cC90ZXN0cy9zZWN1cml0eS92aWV3LXNvdXJjZS1uby1yZWZyZXNo Lmh0bWwKKworICAgICAgICAqIGxvYWRlci9GcmFtZUxvYWRlci5jcHA6IGlnbm9yZSBSZWZyZXNo IGluIHZpZXctc291cmNlIG1vZGUuCisKIDIwMDktMTAtMjEgIERhcmluIEFkbGVyICA8ZGFyaW5A YXBwbGUuY29tPgogCiAgICAgICAgIFN3ZWRpc2ggc2VhcmNoIChhbmQgb3RoZXIgbGFuZ3VhZ2Vz IGFzIHdlbGwpIGlzIGJyb2tlbiB3aGlsZSBmaXhpbmcgSmFwYW5lc2Ugc2VhcmNoCkluZGV4OiBX ZWJDb3JlL2xvYWRlci9GcmFtZUxvYWRlci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29yZS9sb2Fk ZXIvRnJhbWVMb2FkZXIuY3BwCShyZXZpc2lvbiA0OTkyNikKKysrIFdlYkNvcmUvbG9hZGVyL0Zy YW1lTG9hZGVyLmNwcAkod29ya2luZyBjb3B5KQpAQCAtNzU3LDYgKzc1Nyw4IEBACiAgICAgU3Ry aW5nIHVybDsKICAgICBpZiAoIW1fZG9jdW1lbnRMb2FkZXIpCiAgICAgICAgIHJldHVybjsKKyAg ICBpZiAobV9mcmFtZS0+aW5WaWV3U291cmNlTW9kZSgpKQorICAgICAgICByZXR1cm47CiAgICAg aWYgKCFwYXJzZUhUVFBSZWZyZXNoKG1fZG9jdW1lbnRMb2FkZXItPnJlc3BvbnNlKCkuaHR0cEhl YWRlckZpZWxkKCJSZWZyZXNoIiksIGZhbHNlLCBkZWxheSwgdXJsKSkKICAgICAgICAgcmV0dXJu OwogCkluZGV4OiBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3Jlc291cmNlcy92aWV3 LXNvdXJjZS1uby1yZWZyZXNoLnBocAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9odHRwL3Rl c3RzL3NlY3VyaXR5L3Jlc291cmNlcy92aWV3LXNvdXJjZS1uby1yZWZyZXNoLnBocAkocmV2aXNp b24gMCkKKysrIExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvcmVzb3VyY2VzL3ZpZXct c291cmNlLW5vLXJlZnJlc2gucGhwCShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDEyIEBACis8P3Bo cAorICBoZWFkZXIoJ0hUVFAvMS4wIDIwMCBPSycpOworICBoZWFkZXIoJ0NvbnRlbnQtdHlwZTog dGV4dC9odG1sJyk7CisgIGhlYWRlcignUmVmcmVzaDogMDtVUkw9amF2YXNjcmlwdDp3aW5kb3cu dG9wLmxvY2F0aW9uPSJhYm91dDpibGFuayInKTsKKz8+CisKKzxoZWFkPgorPG1ldGEgaHR0cC1l cXVpdj0ncmVmcmVzaCcgY29udGVudD0nMDtVUkw9amF2YXNjcmlwdDp3aW5kb3cudG9wLmxvY2F0 aW9uPSJhYm91dDpibGFuayInLz4KKzwvaGVhZD4KKzxib2R5PgorVGhpcyBpcyB0aGUgdmlld3Nv dXJjZSBpZnJhbWUuCis8L2JvZHk+CkluZGV4OiBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3Vy aXR5L3ZpZXctc291cmNlLW5vLXJlZnJlc2gtZXhwZWN0ZWQudHh0Cj09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExh eW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvdmlldy1zb3VyY2Utbm8tcmVmcmVzaC1leHBl Y3RlZC50eHQgKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5 L3ZpZXctc291cmNlLW5vLXJlZnJlc2gtZXhwZWN0ZWQudHh0IChyZXZpc2lvbiAwKQpAQCAtMCww ICsxLDMgQEAKK1N1Y2Nlc3MgLSBkaWQgbm90IHJlZGlyZWN0IHRvIEphdmFzY3JpcHQKKworCklu ZGV4OiBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3ZpZXctc291cmNlLW5vLXJlZnJl c2guaHRtbAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3Zp ZXctc291cmNlLW5vLXJlZnJlc2guaHRtbAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2h0 dHAvdGVzdHMvc2VjdXJpdHkvdmlldy1zb3VyY2Utbm8tcmVmcmVzaC5odG1sCShyZXZpc2lvbiAw KQpAQCAtMCwwICsxLDI1IEBACis8aHRtbD4KKzxib2R5PgorPHNjcmlwdD4KK2lmICh3aW5kb3cu bGF5b3V0VGVzdENvbnRyb2xsZXIpIHsKKyAgbGF5b3V0VGVzdENvbnRyb2xsZXIud2FpdFVudGls RG9uZSgpOworICBsYXlvdXRUZXN0Q29udHJvbGxlci5kdW1wQXNUZXh0KCk7Cit9Cis8L3Njcmlw dD4KKzxzY3JpcHQ+CitmdW5jdGlvbiBkb25lKCkgeworICBpZiAod2luZG93LmxheW91dFRlc3RD b250cm9sbGVyKQorICAgIGxheW91dFRlc3RDb250cm9sbGVyLm5vdGlmeURvbmUoKTsKK30KKwor ZnVuY3Rpb24gbG9hZGVkKCkgeworICAvLyBVbmZvcnR1bmF0ZWx5IG5lZWQgdG8gd2FpdCBhIGxp dHRsZSB0byBlbnN1cmUgdGhlIHRvcCBsZXZlbCBwYWdlCisgIC8vIHRyYW5zaXRpb24gb2NjdXJz IGluIHRoZSBmYWlsdXJlIGNhc2UuCisgIHNldFRpbWVvdXQoImRvbmUoKSIsIDEwMDApOworfQor PC9zY3JpcHQ+Cis8cD5TdWNjZXNzIC0gZGlkIG5vdCByZWRpcmVjdCB0byBKYXZhc2NyaXB0PC9w PgorPGlmcmFtZSB2aWV3c291cmNlIHNyYz0icmVzb3VyY2VzL3ZpZXctc291cmNlLW5vLXJlZnJl c2gucGhwIiBvbmxvYWQ9ImxvYWRlZCgpIj4KKzwvaWZyYW1lPgorPC9ib2R5PgorPC9odG1sPgpJ bmRleDogTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL0No YW5nZUxvZwkocmV2aXNpb24gNDk5MjYpCisrKyBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHdvcmtp bmcgY29weSkKQEAgLTEsMyArMSwxNCBAQAorMjAwOS0xMC0yMiAgQ2hyaXMgRXZhbnMgIDxjZXZh bnNAY2hyb21pdW0ub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgor CisgICAgICAgIEFkZGVkIHRlc3QgZm9yIGJ1ZyAyNzIzOSAoaWdub3JlIFJlZnJlc2ggZm9yIHZp ZXcgc291cmNlIG1vZGUpLgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1 Zy5jZ2k/aWQ9MjcyMzkKKworICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkvdmlldy1zb3Vy Y2Utbm8tcmVmcmVzaC5odG1sOiBBZGRlZAorICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkv dmlldy1zb3VyY2Utbm8tcmVmcmVzaC1leHBlY3RlZC50eHQ6IEFkZGVkCisgICAgICAgICogaHR0 cC90ZXN0cy9zZWN1cml0eS9yZXNvdXJjZXMvdmlldy1zb3VyY2Utbm8tcmVmcmVzaC5waHA6IEFk ZGVkCisKIDIwMDktMTAtMjEgIERhcmluIEFkbGVyICA8ZGFyaW5AYXBwbGUuY29tPgogCiAgICAg ICAgIFVwZGF0ZSBzaW5jZSB3ZSByb2xsZWQgSmFwYW5lc2UgdGFpbG9yaW5nIG91dCB0aGF0IHdh cyBkb25lIHRvIGZpeAo=