30352 2009-10-14 04:12:11 -0700 [XSSAuditor] Add an exception for same-origin scripts 2009-10-14 19:14:39 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 sirdarckcat abarth abarth commit-queue dbates oldest_to_newest 154553 0 sirdarckcat 2009-10-14 04:12:11 -0700 I think something else can be done for XSSAuditor.. could it be an exception to src attributes on <script> tags if the URL is in the same domain and is a single file with no querystring? Something like: <script type="text/javascript" src="/acs.js"></script> Shouldn't be disabled by an attacker doing: http://victim.com/?disable_script=<script type="text/javascript" src="/acs.js"></script> The part where I say "with no querystring" is that we shouldnt allow: <script type="text/javascript" src="/index.php?asdf=asdf&asdf=asdf"></script> Since in some weeeird cases that may be a vulnerability (its very dangerous anyway, since if you can make valid JS, you could probably make valid XML and load a crossdomain file for flash).. anyway, to be sure, only adding the exception for "/acs.js" should be safe. I ask this since if a user is already able to modify the content of a file in the same domain then he can probably make a XSS directly anyway.. and if it's not done this way, the attack of disabling essential scripts for the page will be difficult. This should reduce in some degree the attack scenario where an attacker disable scripts on the guest page.. also this should increase compatibility.. Test case: http://eaea.sirdarckcat.net/testhtml.html?disable_script=%3Cscript%20type=%22text/javascript%22%20src=%22acs.js%22%3E%3C/script%3E Greetings!! 154577 1 abarth 2009-10-14 08:08:20 -0700 Building / testing a patch now. 154584 2 41162 abarth 2009-10-14 08:47:07 -0700 Created attachment 41162 Patch v1 154655 3 41162 darin 2009-10-14 14:21:31 -0700 Comment on attachment 41162 Patch v1 I don't understand the relationship of this patch with the bug title. Otherwise, it seems fine. > + // script. If the script has a query string, we're more suspicious, We use one space after a period, not two. r=me 154687 4 41199 abarth 2009-10-14 18:54:00 -0700 Created attachment 41199 patch without extra space Landing via commit-queue because my box is busy building / testing another patch. 154690 5 41199 commit-queue 2009-10-14 19:14:34 -0700 Comment on attachment 41199 patch without extra space Clearing flags on attachment: 41199 Committed r49605: <http://trac.webkit.org/changeset/49605> 154691 6 commit-queue 2009-10-14 19:14:39 -0700 All reviewed patches have been landed. Closing bug. 41162 2009-10-14 08:47:07 -0700 2009-10-14 18:54:00 -0700 Patch v1 bug-30352-20091014084706.patch text/plain 5805 abarth ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCA1NjMxYzZkLi42NDNmYzRmIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VM b2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTggQEAKKzIwMDktMTAt MTQgIEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBi eSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBbWFNTQXVkaXRvcl0gQWRkIGFuIGV4Y2VwdGlv biBmb3IgbG9jYWwgZmlsZXMKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19i dWcuY2dpP2lkPTMwMzUyCisKKyAgICAgICAgVGVzdCB0aGF0IHdlIGFsbG93IHNpdGVzIHRvIGxv YWQgc2NyaXB0cyBmcm9tIHRoZWlyIG93biBkb21haW4gYXMgbG9uZworICAgICAgICBhcyB0aGV5 IGRvbid0IHVzZSBxdWVyeSBzdHJpbmdzLgorCisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0 eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0aC1zb3VyY2Utc2FtZS1ob3N0LWV4cGVjdGVkLnR4 dDogQWRkZWQuCisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3Njcmlw dC10YWctd2l0aC1zb3VyY2Utc2FtZS1ob3N0LXdpdGgtcXVlcnktZXhwZWN0ZWQudHh0OiBBZGRl ZC4KKyAgICAgICAgKiBodHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13 aXRoLXNvdXJjZS1zYW1lLWhvc3Qtd2l0aC1xdWVyeS5odG1sOiBBZGRlZC4KKyAgICAgICAgKiBo dHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJjZS1zYW1l LWhvc3QuaHRtbDogQWRkZWQuCisKIDIwMDktMTAtMTMgIERpbWl0cmkgR2xhemtvdiAgPGRnbGF6 a292QGNocm9taXVtLm9yZz4KIAogICAgICAgICBObyByZXZpZXcsIHJvbGxpbmcgb3V0IHI0OTU1 NCwgYmVjYXVzZSBpdCBicm9rZSBXaW4gYW5kIENocm9taXVtIGJ1aWxkcy4KZGlmZiAtLWdpdCBh L0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9zY3JpcHQtdGFnLXdp dGgtc291cmNlLXNhbWUtaG9zdC1leHBlY3RlZC50eHQgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3Rz L3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJjZS1zYW1lLWhvc3QtZXhw ZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAuLjAwODhhMDUKLS0t IC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0 b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJjZS1zYW1lLWhvc3QtZXhwZWN0ZWQudHh0CkBAIC0wLDAg KzEsMiBAQAorQUxFUlQ6IFRoaXMgaXMgYSBzYWZlIHNjcmlwdC4KKwpkaWZmIC0tZ2l0IGEvTGF5 b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0aC1z b3VyY2Utc2FtZS1ob3N0LXdpdGgtcXVlcnktZXhwZWN0ZWQudHh0IGIvTGF5b3V0VGVzdHMvaHR0 cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0aC1zb3VyY2Utc2FtZS1o b3N0LXdpdGgtcXVlcnktZXhwZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAw MDAwMDAuLjUxM2UyZjgKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3Rz L3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJjZS1zYW1lLWhvc3Qtd2l0 aC1xdWVyeS1leHBlY3RlZC50eHQKQEAgLTAsMCArMSwzIEBACitDT05TT0xFIE1FU1NBR0U6IGxp bmUgMTogUmVmdXNlZCB0byBleGVjdXRlIGEgSmF2YVNjcmlwdCBzY3JpcHQuIFNvdXJjZSBjb2Rl IG9mIHNjcmlwdCBmb3VuZCB3aXRoaW4gcmVxdWVzdC4KKworCmRpZmYgLS1naXQgYS9MYXlvdXRU ZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJj ZS1zYW1lLWhvc3Qtd2l0aC1xdWVyeS5odG1sIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1 cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0aC1zb3VyY2Utc2FtZS1ob3N0LXdpdGgtcXVl cnkuaHRtbApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwLi5lNjdjZmZiCi0tLSAv ZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9y L3NjcmlwdC10YWctd2l0aC1zb3VyY2Utc2FtZS1ob3N0LXdpdGgtcXVlcnkuaHRtbApAQCAtMCww ICsxLDE1IEBACis8IURPQ1RZUEUgaHRtbD4KKzxodG1sPgorPGhlYWQ+Cis8c2NyaXB0PgoraWYg KHdpbmRvdy5sYXlvdXRUZXN0Q29udHJvbGxlcikgeworICBsYXlvdXRUZXN0Q29udHJvbGxlci5k dW1wQXNUZXh0KCk7CisgIGxheW91dFRlc3RDb250cm9sbGVyLnNldFhTU0F1ZGl0b3JFbmFibGVk KHRydWUpOworfQorPC9zY3JpcHQ+Cis8L2hlYWQ+Cis8Ym9keT4KKzxpZnJhbWUgc3JjPSJodHRw Oi8vbG9jYWxob3N0OjgwMDAvc2VjdXJpdHkveHNzQXVkaXRvci9yZXNvdXJjZXMvZWNoby1pbnRl cnRhZy5wbD9xPTxzY3JpcHQgc3JjPSd4c3MuanM/bWF5YmUrZGFuZ2Vyb3VzK3F1ZXJ5K3N0cmlu Zyc+PC9zY3JpcHQ+Ij4KKzwvaWZyYW1lPgorPC9ib2R5PgorPC9odG1sPgpkaWZmIC0tZ2l0IGEv TGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0 aC1zb3VyY2Utc2FtZS1ob3N0Lmh0bWwgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5 L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJjZS1zYW1lLWhvc3QuaHRtbApuZXcgZmls ZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwLi4zNjIxMWNhCi0tLSAvZGV2L251bGwKKysrIGIv TGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0 aC1zb3VyY2Utc2FtZS1ob3N0Lmh0bWwKQEAgLTAsMCArMSwxNSBAQAorPCFET0NUWVBFIGh0bWw+ Cis8aHRtbD4KKzxoZWFkPgorPHNjcmlwdD4KK2lmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xs ZXIpIHsKKyAgbGF5b3V0VGVzdENvbnRyb2xsZXIuZHVtcEFzVGV4dCgpOworICBsYXlvdXRUZXN0 Q29udHJvbGxlci5zZXRYU1NBdWRpdG9yRW5hYmxlZCh0cnVlKTsKK30KKzwvc2NyaXB0PgorPC9o ZWFkPgorPGJvZHk+Cis8aWZyYW1lIHNyYz0iaHR0cDovL2xvY2FsaG9zdDo4MDAwL3NlY3VyaXR5 L3hzc0F1ZGl0b3IvcmVzb3VyY2VzL2VjaG8taW50ZXJ0YWcucGw/cT08c2NyaXB0IHNyYz0nc2Fm ZS1zY3JpcHQuanMnPjwvc2NyaXB0PiI+Cis8L2lmcmFtZT4KKzwvYm9keT4KKzwvaHRtbD4KZGlm ZiAtLWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZGM1 NzJlYS4uMDljYzI0NyAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2ViQ29y ZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwyNSBAQAorMjAwOS0xMC0xNCAgQWRhbSBCYXJ0aCAgPGFi YXJ0aEB3ZWJraXQub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgor CisgICAgICAgIFtYU1NBdWRpdG9yXSBBZGQgYW4gZXhjZXB0aW9uIGZvciBsb2NhbCBmaWxlcwor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MzAzNTIKKwor ICAgICAgICBSZWR1Y2UgWFNTIGF1ZGl0b3IgZmFsc2UgcG9zaXRpdmVzIGJ5IGFsd2F5cyBsZXR0 aW5nIHBhZ2VzIGxvYWQgc2NyaXB0cworICAgICAgICBmcm9tIHRoZWlyIG93biBob3N0LiAgV2Ug ZG9uJ3QgYWN0dWFsbHkga25vdyBvZiBhbnkgZmFsc2UgcG9zaXRpdmVzCisgICAgICAgIHRoYXQg dGhpcyBwcmV2ZW50cywgYnV0IGl0IHNlZW1zIGxpa2UgYSBnb29kIGlkZWEuCisKKyAgICAgICAg T25lIHN1YnRseSBpcyB0aGF0IHdlIGRvbid0IGFkZCB0aGlzIGV4Y2VwdGlvbiBmb3Igc2NyaXB0 cyB0aGF0IGhhdmUgYQorICAgICAgICBxdWVyeSBzdHJpbmcgYmVjYXVzZSAoMSkgVVJMcyB3aXRo IHF1ZXJ5IHN0cmluZ3MgYXJlIG1vcmUgYXB0IHRvCisgICAgICAgIGNvbmZ1c2Ugc2VydmVycyBh bmQgKDIpIGl0IGlzIG11Y2ggbGVzcyBjb21tb24gdG8gbG9hZCBzY3JpcHRzIHdpdGggYQorICAg ICAgICBxdWVyeSBzdHJpbmcuCisKKyAgICAgICAgVGVzdHM6IGh0dHAvdGVzdHMvc2VjdXJpdHkv eHNzQXVkaXRvci9zY3JpcHQtdGFnLXdpdGgtc291cmNlLXNhbWUtaG9zdC13aXRoLXF1ZXJ5Lmh0 bWwKKyAgICAgICAgICAgICAgIGh0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9zY3JpcHQt dGFnLXdpdGgtc291cmNlLXNhbWUtaG9zdC5odG1sCisKKyAgICAgICAgKiBwYWdlL1hTU0F1ZGl0 b3IuY3BwOgorICAgICAgICAoV2ViQ29yZTo6WFNTQXVkaXRvcjo6Y2FuTG9hZEV4dGVybmFsU2Ny aXB0RnJvbVNyYyk6CisKIDIwMDktMTAtMTQgIFBhdmVsIEZlbGRtYW4gIDxwZmVsZG1hbkBjaHJv bWl1bS5vcmc+CiAKICAgICAgICAgTm90IHJldmlld2VkLCByZXZlcnRpbmcgcjQ5NTU4IHNpbmNl IGl0IGJyb2tlIHByb2ZpbGVyIHRlc3RzLgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9wYWdlL1hTU0F1 ZGl0b3IuY3BwIGIvV2ViQ29yZS9wYWdlL1hTU0F1ZGl0b3IuY3BwCmluZGV4IDM0OTUwNzcuLjY4 OWUwNGEgMTAwNjQ0Ci0tLSBhL1dlYkNvcmUvcGFnZS9YU1NBdWRpdG9yLmNwcAorKysgYi9XZWJD b3JlL3BhZ2UvWFNTQXVkaXRvci5jcHAKQEAgLTE0NCw2ICsxNDQsMTYgQEAgYm9vbCBYU1NBdWRp dG9yOjpjYW5Mb2FkRXh0ZXJuYWxTY3JpcHRGcm9tU3JjKGNvbnN0IFN0cmluZyYgY29udGV4dCwg Y29uc3QgU3RyaW4KICAgICBpZiAoIWlzRW5hYmxlZCgpKQogICAgICAgICByZXR1cm4gdHJ1ZTsK IAorICAgIC8vIElmIHRoZSBzY3JpcHQgaXMgbG9hZGVkIGZyb20gdGhlIHNhbWUgVVJMIGFzIHRo ZSBlbmNsb3NpbmcgcGFnZSwgaXQncworICAgIC8vIHByb2JhYmx5IG5vdCBhbiBYU1MgYXR0YWNr LCBzbyB3ZSByZWR1Y2UgZmFsc2UgcG9zaXRpdmVzIGJ5IGFsbG93aW5nIHRoZQorICAgIC8vIHNj cmlwdC4gIElmIHRoZSBzY3JpcHQgaGFzIGEgcXVlcnkgc3RyaW5nLCB3ZSdyZSBtb3JlIHN1c3Bp Y2lvdXMsCisgICAgLy8gaG93ZXZlciwgYmVjYXVzZSB0aGF0J3MgcHJldHR5IHJhcmUgYW5kIHRo ZSBhdHRhY2tlciBtaWdodCBiZSBhYmxlIHRvCisgICAgLy8gdHJpY2sgYSBzZXJ2ZXItc2lkZSBz Y3JpcHQgaW50byBkb2luZyBzb21ldGhpbmcgZGFuZ2Vyb3VzIHdpdGggdGhlIHF1ZXJ5CisgICAg Ly8gc3RyaW5nLgorICAgIEtVUkwgc2NyaXB0VVJMKG1fZnJhbWUtPmRvY3VtZW50KCktPnVybCgp LCB1cmwpOworICAgIGlmIChtX2ZyYW1lLT5kb2N1bWVudCgpLT51cmwoKS5ob3N0KCkgPT0gc2Ny aXB0VVJMLmhvc3QoKSAmJiBzY3JpcHRVUkwucXVlcnkoKS5pc0VtcHR5KCkpCisgICAgICAgIHJl dHVybiB0cnVlOworCiAgICAgaWYgKGZpbmRJblJlcXVlc3QoY29udGV4dCArIHVybCkpIHsKICAg ICAgICAgREVGSU5FX1NUQVRJQ19MT0NBTChTdHJpbmcsIGNvbnNvbGVNZXNzYWdlLCAoIlJlZnVz ZWQgdG8gZXhlY3V0ZSBhIEphdmFTY3JpcHQgc2NyaXB0LiBTb3VyY2UgY29kZSBvZiBzY3JpcHQg Zm91bmQgd2l0aGluIHJlcXVlc3QuXG4iKSk7CiAgICAgICAgIG1fZnJhbWUtPmRvbVdpbmRvdygp LT5jb25zb2xlKCktPmFkZE1lc3NhZ2UoSlNNZXNzYWdlU291cmNlLCBMb2dNZXNzYWdlVHlwZSwg RXJyb3JNZXNzYWdlTGV2ZWwsIGNvbnNvbGVNZXNzYWdlLCAxLCBTdHJpbmcoKSk7 41199 2009-10-14 18:54:00 -0700 2009-10-14 19:14:34 -0700 patch without extra space ttt text/plain 5798 abarth ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCA1NjMxYzZkLi42NDNmYzRmIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VM b2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTggQEAKKzIwMDktMTAt MTQgIEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBi eSBEYXJpbiBBZGxlci4KKworICAgICAgICBbWFNTQXVkaXRvcl0gQWRkIGFuIGV4Y2VwdGlvbiBm b3IgbG9jYWwgZmlsZXMKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcu Y2dpP2lkPTMwMzUyCisKKyAgICAgICAgVGVzdCB0aGF0IHdlIGFsbG93IHNpdGVzIHRvIGxvYWQg c2NyaXB0cyBmcm9tIHRoZWlyIG93biBkb21haW4gYXMgbG9uZworICAgICAgICBhcyB0aGV5IGRv bid0IHVzZSBxdWVyeSBzdHJpbmdzLgorCisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS94 c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0aC1zb3VyY2Utc2FtZS1ob3N0LWV4cGVjdGVkLnR4dDog QWRkZWQuCisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10 YWctd2l0aC1zb3VyY2Utc2FtZS1ob3N0LXdpdGgtcXVlcnktZXhwZWN0ZWQudHh0OiBBZGRlZC4K KyAgICAgICAgKiBodHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRo LXNvdXJjZS1zYW1lLWhvc3Qtd2l0aC1xdWVyeS5odG1sOiBBZGRlZC4KKyAgICAgICAgKiBodHRw L3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJjZS1zYW1lLWhv c3QuaHRtbDogQWRkZWQuCisKIDIwMDktMTAtMTMgIERpbWl0cmkgR2xhemtvdiAgPGRnbGF6a292 QGNocm9taXVtLm9yZz4KIAogICAgICAgICBObyByZXZpZXcsIHJvbGxpbmcgb3V0IHI0OTU1NCwg YmVjYXVzZSBpdCBicm9rZSBXaW4gYW5kIENocm9taXVtIGJ1aWxkcy4KZGlmZiAtLWdpdCBhL0xh eW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9zY3JpcHQtdGFnLXdpdGgt c291cmNlLXNhbWUtaG9zdC1leHBlY3RlZC50eHQgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3Nl Y3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJjZS1zYW1lLWhvc3QtZXhwZWN0 ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAuLjAwODhhMDUKLS0tIC9k ZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Iv c2NyaXB0LXRhZy13aXRoLXNvdXJjZS1zYW1lLWhvc3QtZXhwZWN0ZWQudHh0CkBAIC0wLDAgKzEs MiBAQAorQUxFUlQ6IFRoaXMgaXMgYSBzYWZlIHNjcmlwdC4KKwpkaWZmIC0tZ2l0IGEvTGF5b3V0 VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0aC1zb3Vy Y2Utc2FtZS1ob3N0LXdpdGgtcXVlcnktZXhwZWN0ZWQudHh0IGIvTGF5b3V0VGVzdHMvaHR0cC90 ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0aC1zb3VyY2Utc2FtZS1ob3N0 LXdpdGgtcXVlcnktZXhwZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAw MDAuLjUxM2UyZjgKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3Nl Y3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJjZS1zYW1lLWhvc3Qtd2l0aC1x dWVyeS1leHBlY3RlZC50eHQKQEAgLTAsMCArMSwzIEBACitDT05TT0xFIE1FU1NBR0U6IGxpbmUg MTogUmVmdXNlZCB0byBleGVjdXRlIGEgSmF2YVNjcmlwdCBzY3JpcHQuIFNvdXJjZSBjb2RlIG9m IHNjcmlwdCBmb3VuZCB3aXRoaW4gcmVxdWVzdC4KKworCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0 cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJjZS1z YW1lLWhvc3Qtd2l0aC1xdWVyeS5odG1sIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0 eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0aC1zb3VyY2Utc2FtZS1ob3N0LXdpdGgtcXVlcnku aHRtbApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwLi5lNjdjZmZiCi0tLSAvZGV2 L251bGwKKysrIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3Nj cmlwdC10YWctd2l0aC1zb3VyY2Utc2FtZS1ob3N0LXdpdGgtcXVlcnkuaHRtbApAQCAtMCwwICsx LDE1IEBACis8IURPQ1RZUEUgaHRtbD4KKzxodG1sPgorPGhlYWQ+Cis8c2NyaXB0PgoraWYgKHdp bmRvdy5sYXlvdXRUZXN0Q29udHJvbGxlcikgeworICBsYXlvdXRUZXN0Q29udHJvbGxlci5kdW1w QXNUZXh0KCk7CisgIGxheW91dFRlc3RDb250cm9sbGVyLnNldFhTU0F1ZGl0b3JFbmFibGVkKHRy dWUpOworfQorPC9zY3JpcHQ+Cis8L2hlYWQ+Cis8Ym9keT4KKzxpZnJhbWUgc3JjPSJodHRwOi8v bG9jYWxob3N0OjgwMDAvc2VjdXJpdHkveHNzQXVkaXRvci9yZXNvdXJjZXMvZWNoby1pbnRlcnRh Zy5wbD9xPTxzY3JpcHQgc3JjPSd4c3MuanM/bWF5YmUrZGFuZ2Vyb3VzK3F1ZXJ5K3N0cmluZyc+ PC9zY3JpcHQ+Ij4KKzwvaWZyYW1lPgorPC9ib2R5PgorPC9odG1sPgpkaWZmIC0tZ2l0IGEvTGF5 b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0aC1z b3VyY2Utc2FtZS1ob3N0Lmh0bWwgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hz c0F1ZGl0b3Ivc2NyaXB0LXRhZy13aXRoLXNvdXJjZS1zYW1lLWhvc3QuaHRtbApuZXcgZmlsZSBt b2RlIDEwMDY0NAppbmRleCAwMDAwMDAwLi4zNjIxMWNhCi0tLSAvZGV2L251bGwKKysrIGIvTGF5 b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0aC1z b3VyY2Utc2FtZS1ob3N0Lmh0bWwKQEAgLTAsMCArMSwxNSBAQAorPCFET0NUWVBFIGh0bWw+Cis8 aHRtbD4KKzxoZWFkPgorPHNjcmlwdD4KK2lmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIp IHsKKyAgbGF5b3V0VGVzdENvbnRyb2xsZXIuZHVtcEFzVGV4dCgpOworICBsYXlvdXRUZXN0Q29u dHJvbGxlci5zZXRYU1NBdWRpdG9yRW5hYmxlZCh0cnVlKTsKK30KKzwvc2NyaXB0PgorPC9oZWFk PgorPGJvZHk+Cis8aWZyYW1lIHNyYz0iaHR0cDovL2xvY2FsaG9zdDo4MDAwL3NlY3VyaXR5L3hz c0F1ZGl0b3IvcmVzb3VyY2VzL2VjaG8taW50ZXJ0YWcucGw/cT08c2NyaXB0IHNyYz0nc2FmZS1z Y3JpcHQuanMnPjwvc2NyaXB0PiI+Cis8L2lmcmFtZT4KKzwvYm9keT4KKzwvaHRtbD4KZGlmZiAt LWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZGM1NzJl YS4uMDljYzI0NyAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2ViQ29yZS9D aGFuZ2VMb2cKQEAgLTEsMyArMSwyNSBAQAorMjAwOS0xMC0xNCAgQWRhbSBCYXJ0aCAgPGFiYXJ0 aEB3ZWJraXQub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IERhcmluIEFkbGVyLgorCisgICAg ICAgIFtYU1NBdWRpdG9yXSBBZGQgYW4gZXhjZXB0aW9uIGZvciBsb2NhbCBmaWxlcworICAgICAg ICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MzAzNTIKKworICAgICAg ICBSZWR1Y2UgWFNTIGF1ZGl0b3IgZmFsc2UgcG9zaXRpdmVzIGJ5IGFsd2F5cyBsZXR0aW5nIHBh Z2VzIGxvYWQgc2NyaXB0cworICAgICAgICBmcm9tIHRoZWlyIG93biBob3N0LiBXZSBkb24ndCBh Y3R1YWxseSBrbm93IG9mIGFueSBmYWxzZSBwb3NpdGl2ZXMKKyAgICAgICAgdGhhdCB0aGlzIHBy ZXZlbnRzLCBidXQgaXQgc2VlbXMgbGlrZSBhIGdvb2QgaWRlYS4KKworICAgICAgICBPbmUgc3Vi dGx5IGlzIHRoYXQgd2UgZG9uJ3QgYWRkIHRoaXMgZXhjZXB0aW9uIGZvciBzY3JpcHRzIHRoYXQg aGF2ZSBhCisgICAgICAgIHF1ZXJ5IHN0cmluZyBiZWNhdXNlICgxKSBVUkxzIHdpdGggcXVlcnkg c3RyaW5ncyBhcmUgbW9yZSBhcHQgdG8KKyAgICAgICAgY29uZnVzZSBzZXJ2ZXJzIGFuZCAoMikg aXQgaXMgbXVjaCBsZXNzIGNvbW1vbiB0byBsb2FkIHNjcmlwdHMgd2l0aCBhCisgICAgICAgIHF1 ZXJ5IHN0cmluZy4KKworICAgICAgICBUZXN0czogaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRp dG9yL3NjcmlwdC10YWctd2l0aC1zb3VyY2Utc2FtZS1ob3N0LXdpdGgtcXVlcnkuaHRtbAorICAg ICAgICAgICAgICAgaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0 aC1zb3VyY2Utc2FtZS1ob3N0Lmh0bWwKKworICAgICAgICAqIHBhZ2UvWFNTQXVkaXRvci5jcHA6 CisgICAgICAgIChXZWJDb3JlOjpYU1NBdWRpdG9yOjpjYW5Mb2FkRXh0ZXJuYWxTY3JpcHRGcm9t U3JjKToKKwogMjAwOS0xMC0xNCAgUGF2ZWwgRmVsZG1hbiAgPHBmZWxkbWFuQGNocm9taXVtLm9y Zz4KIAogICAgICAgICBOb3QgcmV2aWV3ZWQsIHJldmVydGluZyByNDk1NTggc2luY2UgaXQgYnJv a2UgcHJvZmlsZXIgdGVzdHMuCmRpZmYgLS1naXQgYS9XZWJDb3JlL3BhZ2UvWFNTQXVkaXRvci5j cHAgYi9XZWJDb3JlL3BhZ2UvWFNTQXVkaXRvci5jcHAKaW5kZXggMzQ5NTA3Ny4uNjg5ZTA0YSAx MDA2NDQKLS0tIGEvV2ViQ29yZS9wYWdlL1hTU0F1ZGl0b3IuY3BwCisrKyBiL1dlYkNvcmUvcGFn ZS9YU1NBdWRpdG9yLmNwcApAQCAtMTQ0LDYgKzE0NCwxNiBAQCBib29sIFhTU0F1ZGl0b3I6OmNh bkxvYWRFeHRlcm5hbFNjcmlwdEZyb21TcmMoY29uc3QgU3RyaW5nJiBjb250ZXh0LCBjb25zdCBT dHJpbgogICAgIGlmICghaXNFbmFibGVkKCkpCiAgICAgICAgIHJldHVybiB0cnVlOwogCisgICAg Ly8gSWYgdGhlIHNjcmlwdCBpcyBsb2FkZWQgZnJvbSB0aGUgc2FtZSBVUkwgYXMgdGhlIGVuY2xv c2luZyBwYWdlLCBpdCdzCisgICAgLy8gcHJvYmFibHkgbm90IGFuIFhTUyBhdHRhY2ssIHNvIHdl IHJlZHVjZSBmYWxzZSBwb3NpdGl2ZXMgYnkgYWxsb3dpbmcgdGhlCisgICAgLy8gc2NyaXB0LiBJ ZiB0aGUgc2NyaXB0IGhhcyBhIHF1ZXJ5IHN0cmluZywgd2UncmUgbW9yZSBzdXNwaWNpb3VzLAor ICAgIC8vIGhvd2V2ZXIsIGJlY2F1c2UgdGhhdCdzIHByZXR0eSByYXJlIGFuZCB0aGUgYXR0YWNr ZXIgbWlnaHQgYmUgYWJsZSB0bworICAgIC8vIHRyaWNrIGEgc2VydmVyLXNpZGUgc2NyaXB0IGlu dG8gZG9pbmcgc29tZXRoaW5nIGRhbmdlcm91cyB3aXRoIHRoZSBxdWVyeQorICAgIC8vIHN0cmlu Zy4KKyAgICBLVVJMIHNjcmlwdFVSTChtX2ZyYW1lLT5kb2N1bWVudCgpLT51cmwoKSwgdXJsKTsK KyAgICBpZiAobV9mcmFtZS0+ZG9jdW1lbnQoKS0+dXJsKCkuaG9zdCgpID09IHNjcmlwdFVSTC5o b3N0KCkgJiYgc2NyaXB0VVJMLnF1ZXJ5KCkuaXNFbXB0eSgpKQorICAgICAgICByZXR1cm4gdHJ1 ZTsKKwogICAgIGlmIChmaW5kSW5SZXF1ZXN0KGNvbnRleHQgKyB1cmwpKSB7CiAgICAgICAgIERF RklORV9TVEFUSUNfTE9DQUwoU3RyaW5nLCBjb25zb2xlTWVzc2FnZSwgKCJSZWZ1c2VkIHRvIGV4 ZWN1dGUgYSBKYXZhU2NyaXB0IHNjcmlwdC4gU291cmNlIGNvZGUgb2Ygc2NyaXB0IGZvdW5kIHdp dGhpbiByZXF1ZXN0LlxuIikpOwogICAgICAgICBtX2ZyYW1lLT5kb21XaW5kb3coKS0+Y29uc29s ZSgpLT5hZGRNZXNzYWdlKEpTTWVzc2FnZVNvdXJjZSwgTG9nTWVzc2FnZVR5cGUsIEVycm9yTWVz c2FnZUxldmVsLCBjb25zb2xlTWVzc2FnZSwgMSwgU3RyaW5nKCkpOwo=