33549 2010-01-12 13:09:20 -0800 Disallow some sqlite functions that are not safe 2010-01-13 12:16:28 -0800 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 dumi dumi abarth beidson dglazkov michaeln scarybeasts oldest_to_newest 179955 0 dumi 2010-01-12 13:09:20 -0800 Some sqlite functions are not safe, and we should disallow them. The best way to do it is to have a list of whitelisted functions in the authorizer. That would guard us against new functions that might not be safe in future sqlite releases. 180016 1 46406 dumi 2010-01-12 16:09:49 -0800 Created attachment 46406 patch 180021 2 scarybeasts 2010-01-12 16:18:40 -0800 Patch looks good to me. Invoking Adam for 2nd look :) 180022 3 abarth 2010-01-12 16:20:48 -0800 Looks reasonable to me. I don't understand this change: - return auth->allowFunction(parameter1); + return auth->allowFunction(parameter2); Also, I'm not an expert on these functions. 180023 4 dumi 2010-01-12 16:22:54 -0800 (In reply to comment #3) > Looks reasonable to me. I don't understand this change: > > - return auth->allowFunction(parameter1); > + return auth->allowFunction(parameter2); > > Also, I'm not an expert on these functions. it was a bug. according to http://www.sqlite.org/c3ref/c_alter_table.html the function name is passed in the 4th parameter, not the 3rd. 180048 5 46406 abarth 2010-01-12 17:22:20 -0800 Comment on attachment 46406 patch I'm marking this r+ because this was discussed on webkit-dev. If folks have additional feedback, please me me or Dumitru know. 180071 6 46420 dumi 2010-01-12 19:18:52 -0800 Created attachment 46420 patch Same patch, with 3 new functions whitelisted: sqlite_rename_table: used by the ALTER TABLE command sqlite_rename_trigger: used by the ALTER TRIGGER command glob: used by the GLOB operator I've grep'd the sqlite source code for calls to sqlite3CreateFunc() and these were the only 3 "helper functions" that seem to be registered by the sqlite code. 180072 7 46420 abarth 2010-01-12 19:20:57 -0800 Comment on attachment 46420 patch ok 180073 8 dumi 2010-01-12 19:21:25 -0800 Forgot to add that if sqlite_rename_table is not whitelisted, then a command like 'ALTER TABLE Blah RENAME to BlahBlah;' will fail. Not whitelisting the other 2 functions has similar consequences. 180075 9 dumi 2010-01-12 19:30:16 -0800 Landed as r53177. 180096 10 46420 darin 2010-01-12 23:05:29 -0800 Comment on attachment 46420 patch Code like this should use a case folding HashSet rather than calling lower each time it calls contains on the HashSet. See examples in DOMImplementation.cpp, ScriptElement.cpp, CrossOriginAccessControl.cpp, RenderEmbeddedObject.cpp, and XMLHttpRequest.cpp. I also see incorrect indenting, 2 spaces instead of 4, in the patch. > + if (m_securityEnabled && !m_whitelistedFunctions.contains(functionName.lower())) > + return SQLAuthDeny; > + > + return SQLAuthAllow; Incorrect indenting here. Two spaces instead of 4. 180330 11 dumi 2010-01-13 12:16:28 -0800 (In reply to comment #10) > (From update of attachment 46420 [details]) > Code like this should use a case folding HashSet rather than calling lower each > time it calls contains on the HashSet. See examples in DOMImplementation.cpp, > ScriptElement.cpp, CrossOriginAccessControl.cpp, RenderEmbeddedObject.cpp, and > XMLHttpRequest.cpp. > > I also see incorrect indenting, 2 spaces instead of 4, in the patch. > > > + if (m_securityEnabled && !m_whitelistedFunctions.contains(functionName.lower())) > > + return SQLAuthDeny; > > + > > + return SQLAuthAllow; > > Incorrect indenting here. Two spaces instead of 4. Opened bug 33612 to address Darin's comments. 46406 2010-01-12 16:09:49 -0800 2010-01-12 19:18:52 -0800 patch patch text/plain 5798 dumi SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA1MzE2OCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMjAgQEAKKzIwMTAtMDEtMTIgIER1bWl0cnUgRGFuaWxpdWMgIDxkdW1pQGNocm9t aXVtLm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAg ICBBZGRpbmcgYSBsaXN0IG9mIHdoaXRlbGlzdGVkIHNxbGl0ZSBmdW5jdGlvbnMgdGhhdCB1c2Vy cyBhcmUKKyAgICAgICAgYWxsb3dlZCB0byB1c2UuCisKKyAgICAgICAgaHR0cHM6Ly9idWdzLndl YmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTMzNTQ5CisKKyAgICAgICAgKiBwbGF0Zm9ybS9zcWwv U1FMaXRlRGF0YWJhc2UuY3BwOgorICAgICAgICAoV2ViQ29yZTo6U1FMaXRlRGF0YWJhc2U6OmF1 dGhvcml6ZXJGdW5jdGlvbik6CisgICAgICAgICogc3RvcmFnZS9EYXRhYmFzZUF1dGhvcml6ZXIu Y3BwOgorICAgICAgICAoV2ViQ29yZTo6RGF0YWJhc2VBdXRob3JpemVyOjpEYXRhYmFzZUF1dGhv cml6ZXIpOgorICAgICAgICAoV2ViQ29yZTo6RGF0YWJhc2VBdXRob3JpemVyOjphZGRXaGl0ZWxp c3RlZEZ1bmN0aW9ucyk6CisgICAgICAgIChXZWJDb3JlOjpEYXRhYmFzZUF1dGhvcml6ZXI6OmFs bG93RnVuY3Rpb24pOgorICAgICAgICAqIHN0b3JhZ2UvRGF0YWJhc2VBdXRob3JpemVyLmg6CisK IDIwMTAtMDEtMTIgIEJyaWFuIFdlaW5zdGVpbiAgPGJ3ZWluc3RlaW5AYXBwbGUuY29tPgogCiAg ICAgICAgIFJldmlld2VkIGJ5IERhdmUgSHlhdHQuCkluZGV4OiBXZWJDb3JlL3BsYXRmb3JtL3Nx bC9TUUxpdGVEYXRhYmFzZS5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29yZS9wbGF0Zm9ybS9zcWwv U1FMaXRlRGF0YWJhc2UuY3BwCShyZXZpc2lvbiA1MzE2OCkKKysrIFdlYkNvcmUvcGxhdGZvcm0v c3FsL1NRTGl0ZURhdGFiYXNlLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMzIwLDcgKzMyMCw3IEBA IGludCBTUUxpdGVEYXRhYmFzZTo6YXV0aG9yaXplckZ1bmN0aW9uKHYKICAgICAgICAgY2FzZSBT UUxJVEVfRFJPUF9WVEFCTEU6CiAgICAgICAgICAgICByZXR1cm4gYXV0aC0+ZHJvcFZUYWJsZShw YXJhbWV0ZXIxLCBwYXJhbWV0ZXIyKTsKICAgICAgICAgY2FzZSBTUUxJVEVfRlVOQ1RJT046Ci0g ICAgICAgICAgICByZXR1cm4gYXV0aC0+YWxsb3dGdW5jdGlvbihwYXJhbWV0ZXIxKTsKKyAgICAg ICAgICAgIHJldHVybiBhdXRoLT5hbGxvd0Z1bmN0aW9uKHBhcmFtZXRlcjIpOwogI2VuZGlmCiAg ICAgICAgIGRlZmF1bHQ6CiAgICAgICAgICAgICBBU1NFUlRfTk9UX1JFQUNIRUQoKTsKSW5kZXg6 IFdlYkNvcmUvc3RvcmFnZS9EYXRhYmFzZUF1dGhvcml6ZXIuY3BwCj09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdl YkNvcmUvc3RvcmFnZS9EYXRhYmFzZUF1dGhvcml6ZXIuY3BwCShyZXZpc2lvbiA1MzE2OCkKKysr IFdlYkNvcmUvc3RvcmFnZS9EYXRhYmFzZUF1dGhvcml6ZXIuY3BwCSh3b3JraW5nIGNvcHkpCkBA IC0zOCw2ICszOCw3IEBAIERhdGFiYXNlQXV0aG9yaXplcjo6RGF0YWJhc2VBdXRob3JpemVyKCkK ICAgICA6IG1fc2VjdXJpdHlFbmFibGVkKGZhbHNlKQogewogICAgIHJlc2V0KCk7CisgICAgYWRk V2hpdGVsaXN0ZWRGdW5jdGlvbnMoKTsKIH0KIAogdm9pZCBEYXRhYmFzZUF1dGhvcml6ZXI6OnJl c2V0KCkKQEAgLTQ3LDYgKzQ4LDYyIEBAIHZvaWQgRGF0YWJhc2VBdXRob3JpemVyOjpyZXNldCgp CiAgICAgbV9yZWFkT25seSA9IGZhbHNlOwogfQogCit2b2lkIERhdGFiYXNlQXV0aG9yaXplcjo6 YWRkV2hpdGVsaXN0ZWRGdW5jdGlvbnMoKQoreworICAgIC8vIFNRTGl0ZSBjb3JlIGZ1bmN0aW9u cworICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMuYWRkKCJhYnMiKTsKKyAgICBtX3doaXRlbGlz dGVkRnVuY3Rpb25zLmFkZCgiY2hhbmdlcyIpOworICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMu YWRkKCJjb2FsZXNjZSIpOworICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMuYWRkKCJnbG9iIik7 CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoImlmbnVsbCIpOworICAgIG1fd2hpdGVs aXN0ZWRGdW5jdGlvbnMuYWRkKCJoZXgiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFk ZCgibGFzdF9pbnNlcnRfcm93aWQiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgi bGVuZ3RoIik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoImxpa2UiKTsKKyAgICBt X3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgibG93ZXIiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVu Y3Rpb25zLmFkZCgibHRyaW0iKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgibWF4 Iik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoIm1pbiIpOworICAgIG1fd2hpdGVs aXN0ZWRGdW5jdGlvbnMuYWRkKCJudWxsaWYiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25z LmFkZCgicXVvdGUiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgicmVwbGFjZSIp OworICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMuYWRkKCJyb3VuZCIpOworICAgIG1fd2hpdGVs aXN0ZWRGdW5jdGlvbnMuYWRkKCJydHJpbSIpOworICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMu YWRkKCJzb3VuZGV4Iik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoInNxbGl0ZV9z b3VyY2VfaWQiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgic3FsaXRlX3ZlcnNp b24iKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgic3Vic3RyIik7CisgICAgbV93 aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoInRvdGFsX2NoYW5nZXMiKTsKKyAgICBtX3doaXRlbGlz dGVkRnVuY3Rpb25zLmFkZCgidHJpbSIpOworICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMuYWRk KCJ0eXBlb2YiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgidXBwZXIiKTsKKyAg ICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgiemVyb2Jsb2IiKTsKKworICAgIC8vIFNRTGl0 ZSBkYXRlIGFuZCB0aW1lIGZ1bmN0aW9ucworICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMuYWRk KCJkYXRlIik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoInRpbWUiKTsKKyAgICBt X3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgiZGF0ZXRpbWUiKTsKKyAgICBtX3doaXRlbGlzdGVk RnVuY3Rpb25zLmFkZCgianVsaWFuZGF5Iik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5h ZGQoInN0cmZ0aW1lIik7CisKKyAgICAvLyBTUUxpdGUgYWdncmVnYXRlIGZ1bmN0aW9ucworICAg IC8vIG1heCgpIGFuZCBtaW4oKSBhcmUgYWxyZWFkeSBpbiB0aGUgbGlzdAorICAgIG1fd2hpdGVs aXN0ZWRGdW5jdGlvbnMuYWRkKCJhdmciKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFk ZCgiY291bnQiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgiZ3JvdXBfY29uY2F0 Iik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoInN1bSIpOworICAgIG1fd2hpdGVs aXN0ZWRGdW5jdGlvbnMuYWRkKCJ0b3RhbCIpOworCisgICAgLy8gU1FMaXRlIEZUUyBmdW5jdGlv bnMKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgic25pcHBldCIpOworICAgIG1fd2hp dGVsaXN0ZWRGdW5jdGlvbnMuYWRkKCJvZmZzZXRzIik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0 aW9ucy5hZGQoIm9wdGltaXplIik7CisKKyAgICAvLyBTUUxpdGUgSUNVIGZ1bmN0aW9ucworICAg IC8vIGxpa2UoKSwgbG93ZXIoKSBhbmQgdXBwZXIoKSBhcmUgYWxyZWFkeSBpbiB0aGUgbGlzdAor ICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMuYWRkKCJyZWdleHAiKTsKK30KKwogaW50IERhdGFi YXNlQXV0aG9yaXplcjo6Y3JlYXRlVGFibGUoY29uc3QgU3RyaW5nJiB0YWJsZU5hbWUpCiB7CiAg ICAgaWYgKG1fcmVhZE9ubHkgJiYgbV9zZWN1cml0eUVuYWJsZWQpCkBAIC0yNzgsMTIgKzMzNSwx MiBAQCBpbnQgRGF0YWJhc2VBdXRob3JpemVyOjphbGxvd0RldGFjaChjb25zCiAgICAgcmV0dXJu IG1fc2VjdXJpdHlFbmFibGVkID8gU1FMQXV0aERlbnkgOiBTUUxBdXRoQWxsb3c7CiB9CiAKLWlu dCBEYXRhYmFzZUF1dGhvcml6ZXI6OmFsbG93RnVuY3Rpb24oY29uc3QgU3RyaW5nJikKK2ludCBE YXRhYmFzZUF1dGhvcml6ZXI6OmFsbG93RnVuY3Rpb24oY29uc3QgU3RyaW5nJiBmdW5jdGlvbk5h bWUpCiB7Ci0gICAgLy8gRklYTUU6IEFyZSB0aGVyZSBhbnkgb2YgdGhlc2Ugd2UgbmVlZCB0byBw cmV2ZW50PyAgT25lIG1pZ2h0IGd1ZXNzIGN1cnJlbnRfZGF0ZSwgY3VycmVudF90aW1lLCBjdXJy ZW50X3RpbWVzdGFtcCBiZWNhdXNlCi0gICAgLy8gdGhleSB3b3VsZCB2aW9sYXRlIHRoZSAic2Fu ZGJveCBlbnZpcm9ubWVudCIgcGFydCBvZiA0LjExLjMsIGJ1dCBzY3JpcHRzIGNhbiBnZW5lcmF0 ZSB0aGUgbG9jYWwgY2xpZW50IHNpZGUgaW5mb3JtYXRpb24gdmlhCi0gICAgLy8gamF2YXNjcmlw dCBkaXJlY3RseSwgYW55d2F5cy4gIEFyZSB0aGVyZSBhbnkgb3RoZXIgYnVpbHQtaW5zIHdlIG5l ZWQgdG8gYmUgd29ycmllZCBhYm91dD8KLSAgICByZXR1cm4gU1FMQXV0aEFsbG93OworICBpZiAo bV9zZWN1cml0eUVuYWJsZWQgJiYgIW1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMuY29udGFpbnMoZnVu Y3Rpb25OYW1lLmxvd2VyKCkpKQorICAgIHJldHVybiBTUUxBdXRoRGVueTsKKworICByZXR1cm4g U1FMQXV0aEFsbG93OwogfQogCiB2b2lkIERhdGFiYXNlQXV0aG9yaXplcjo6ZGlzYWJsZSgpCklu ZGV4OiBXZWJDb3JlL3N0b3JhZ2UvRGF0YWJhc2VBdXRob3JpemVyLmgKPT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0g V2ViQ29yZS9zdG9yYWdlL0RhdGFiYXNlQXV0aG9yaXplci5oCShyZXZpc2lvbiA1MzE2OCkKKysr IFdlYkNvcmUvc3RvcmFnZS9EYXRhYmFzZUF1dGhvcml6ZXIuaAkod29ya2luZyBjb3B5KQpAQCAt MjgsNiArMjgsOCBAQAogI2lmbmRlZiBEYXRhYmFzZUF1dGhvcml6ZXJfaAogI2RlZmluZSBEYXRh YmFzZUF1dGhvcml6ZXJfaAogCisjaW5jbHVkZSAiU3RyaW5nSGFzaC5oIgorI2luY2x1ZGUgPHd0 Zi9IYXNoU2V0Lmg+CiAjaW5jbHVkZSA8d3RmL1Bhc3NSZWZQdHIuaD4KICNpbmNsdWRlIDx3dGYv VGhyZWFkaW5nLmg+CiAKQEAgLTk0LDEyICs5NiwxNSBAQCBwdWJsaWM6CiAKIHByaXZhdGU6CiAg ICAgRGF0YWJhc2VBdXRob3JpemVyKCk7CisgICAgdm9pZCBhZGRXaGl0ZWxpc3RlZEZ1bmN0aW9u cygpOwogICAgIGludCBkZW55QmFzZWRPblRhYmxlTmFtZShjb25zdCBTdHJpbmcmKTsKIAogICAg IGJvb2wgbV9zZWN1cml0eUVuYWJsZWQgOiAxOwogICAgIGJvb2wgbV9sYXN0QWN0aW9uV2FzSW5z ZXJ0IDogMTsKICAgICBib29sIG1fbGFzdEFjdGlvbkNoYW5nZWREYXRhYmFzZSA6IDE7CiAgICAg Ym9vbCBtX3JlYWRPbmx5IDogMTsKKworICAgIEhhc2hTZXQ8U3RyaW5nPiBtX3doaXRlbGlzdGVk RnVuY3Rpb25zOwogfTsKIAogfSAvLyBuYW1lc3BhY2UgV2ViQ29yZQo= 46420 2010-01-12 19:18:52 -0800 2010-01-12 23:05:29 -0800 patch patch text/plain 6060 dumi SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA1MzE3MikKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMjAgQEAKKzIwMTAtMDEtMTIgIER1bWl0cnUgRGFuaWxpdWMgIDxkdW1pQGNocm9t aXVtLm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAg ICBBZGRpbmcgYSBsaXN0IG9mIHdoaXRlbGlzdGVkIHNxbGl0ZSBmdW5jdGlvbnMgdGhhdCB1c2Vy cyBhcmUKKyAgICAgICAgYWxsb3dlZCB0byB1c2UuCisKKyAgICAgICAgaHR0cHM6Ly9idWdzLndl YmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTMzNTQ5CisKKyAgICAgICAgKiBwbGF0Zm9ybS9zcWwv U1FMaXRlRGF0YWJhc2UuY3BwOgorICAgICAgICAoV2ViQ29yZTo6U1FMaXRlRGF0YWJhc2U6OmF1 dGhvcml6ZXJGdW5jdGlvbik6CisgICAgICAgICogc3RvcmFnZS9EYXRhYmFzZUF1dGhvcml6ZXIu Y3BwOgorICAgICAgICAoV2ViQ29yZTo6RGF0YWJhc2VBdXRob3JpemVyOjpEYXRhYmFzZUF1dGhv cml6ZXIpOgorICAgICAgICAoV2ViQ29yZTo6RGF0YWJhc2VBdXRob3JpemVyOjphZGRXaGl0ZWxp c3RlZEZ1bmN0aW9ucyk6CisgICAgICAgIChXZWJDb3JlOjpEYXRhYmFzZUF1dGhvcml6ZXI6OmFs bG93RnVuY3Rpb24pOgorICAgICAgICAqIHN0b3JhZ2UvRGF0YWJhc2VBdXRob3JpemVyLmg6CisK IDIwMTAtMDEtMTIgIFRvbnkgQ2hhbmcgIDx0b255QGNocm9taXVtLm9yZz4KIAogICAgICAgICBS ZXZpZXdlZCBieSBBZGFtIEJhcnRoLgpJbmRleDogV2ViQ29yZS9wbGF0Zm9ybS9zcWwvU1FMaXRl RGF0YWJhc2UuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvcGxhdGZvcm0vc3FsL1NRTGl0ZURh dGFiYXNlLmNwcAkocmV2aXNpb24gNTMxNzIpCisrKyBXZWJDb3JlL3BsYXRmb3JtL3NxbC9TUUxp dGVEYXRhYmFzZS5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTMyMCw3ICszMjAsNyBAQCBpbnQgU1FM aXRlRGF0YWJhc2U6OmF1dGhvcml6ZXJGdW5jdGlvbih2CiAgICAgICAgIGNhc2UgU1FMSVRFX0RS T1BfVlRBQkxFOgogICAgICAgICAgICAgcmV0dXJuIGF1dGgtPmRyb3BWVGFibGUocGFyYW1ldGVy MSwgcGFyYW1ldGVyMik7CiAgICAgICAgIGNhc2UgU1FMSVRFX0ZVTkNUSU9OOgotICAgICAgICAg ICAgcmV0dXJuIGF1dGgtPmFsbG93RnVuY3Rpb24ocGFyYW1ldGVyMSk7CisgICAgICAgICAgICBy ZXR1cm4gYXV0aC0+YWxsb3dGdW5jdGlvbihwYXJhbWV0ZXIyKTsKICNlbmRpZgogICAgICAgICBk ZWZhdWx0OgogICAgICAgICAgICAgQVNTRVJUX05PVF9SRUFDSEVEKCk7CkluZGV4OiBXZWJDb3Jl L3N0b3JhZ2UvRGF0YWJhc2VBdXRob3JpemVyLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL3N0 b3JhZ2UvRGF0YWJhc2VBdXRob3JpemVyLmNwcAkocmV2aXNpb24gNTMxNzIpCisrKyBXZWJDb3Jl L3N0b3JhZ2UvRGF0YWJhc2VBdXRob3JpemVyLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMzgsNiAr MzgsNyBAQCBEYXRhYmFzZUF1dGhvcml6ZXI6OkRhdGFiYXNlQXV0aG9yaXplcigpCiAgICAgOiBt X3NlY3VyaXR5RW5hYmxlZChmYWxzZSkKIHsKICAgICByZXNldCgpOworICAgIGFkZFdoaXRlbGlz dGVkRnVuY3Rpb25zKCk7CiB9CiAKIHZvaWQgRGF0YWJhc2VBdXRob3JpemVyOjpyZXNldCgpCkBA IC00Nyw2ICs0OCw2OSBAQCB2b2lkIERhdGFiYXNlQXV0aG9yaXplcjo6cmVzZXQoKQogICAgIG1f cmVhZE9ubHkgPSBmYWxzZTsKIH0KIAordm9pZCBEYXRhYmFzZUF1dGhvcml6ZXI6OmFkZFdoaXRl bGlzdGVkRnVuY3Rpb25zKCkKK3sKKyAgICAvLyBTUUxpdGUgZnVuY3Rpb25zIHVzZWQgdG8gaGVs cCBpbXBsZW1lbnQgc29tZSBvcGVyYXRpb25zCisgICAgLy8gQUxURVIgVEFCTEUgaGVscGVycwor ICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMuYWRkKCJzcWxpdGVfcmVuYW1lX3RhYmxlIik7Cisg ICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoInNxbGl0ZV9yZW5hbWVfdHJpZ2dlciIpOwor ICAgIC8vIEdMT0IgaGVscGVycworICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMuYWRkKCJnbG9i Iik7CisKKyAgICAvLyBTUUxpdGUgY29yZSBmdW5jdGlvbnMKKyAgICBtX3doaXRlbGlzdGVkRnVu Y3Rpb25zLmFkZCgiYWJzIik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoImNoYW5n ZXMiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgiY29hbGVzY2UiKTsKKyAgICBt X3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgiZ2xvYiIpOworICAgIG1fd2hpdGVsaXN0ZWRGdW5j dGlvbnMuYWRkKCJpZm51bGwiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgiaGV4 Iik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoImxhc3RfaW5zZXJ0X3Jvd2lkIik7 CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoImxlbmd0aCIpOworICAgIG1fd2hpdGVs aXN0ZWRGdW5jdGlvbnMuYWRkKCJsaWtlIik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5h ZGQoImxvd2VyIik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoImx0cmltIik7Cisg ICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoIm1heCIpOworICAgIG1fd2hpdGVsaXN0ZWRG dW5jdGlvbnMuYWRkKCJtaW4iKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgibnVs bGlmIik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoInF1b3RlIik7CisgICAgbV93 aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoInJlcGxhY2UiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVu Y3Rpb25zLmFkZCgicm91bmQiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgicnRy aW0iKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgic291bmRleCIpOworICAgIG1f d2hpdGVsaXN0ZWRGdW5jdGlvbnMuYWRkKCJzcWxpdGVfc291cmNlX2lkIik7CisgICAgbV93aGl0 ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoInNxbGl0ZV92ZXJzaW9uIik7CisgICAgbV93aGl0ZWxpc3Rl ZEZ1bmN0aW9ucy5hZGQoInN1YnN0ciIpOworICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMuYWRk KCJ0b3RhbF9jaGFuZ2VzIik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoInRyaW0i KTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgidHlwZW9mIik7CisgICAgbV93aGl0 ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoInVwcGVyIik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9u cy5hZGQoInplcm9ibG9iIik7CisKKyAgICAvLyBTUUxpdGUgZGF0ZSBhbmQgdGltZSBmdW5jdGlv bnMKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgiZGF0ZSIpOworICAgIG1fd2hpdGVs aXN0ZWRGdW5jdGlvbnMuYWRkKCJ0aW1lIik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5h ZGQoImRhdGV0aW1lIik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoImp1bGlhbmRh eSIpOworICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMuYWRkKCJzdHJmdGltZSIpOworCisgICAg Ly8gU1FMaXRlIGFnZ3JlZ2F0ZSBmdW5jdGlvbnMKKyAgICAvLyBtYXgoKSBhbmQgbWluKCkgYXJl IGFscmVhZHkgaW4gdGhlIGxpc3QKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgiYXZn Iik7CisgICAgbV93aGl0ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoImNvdW50Iik7CisgICAgbV93aGl0 ZWxpc3RlZEZ1bmN0aW9ucy5hZGQoImdyb3VwX2NvbmNhdCIpOworICAgIG1fd2hpdGVsaXN0ZWRG dW5jdGlvbnMuYWRkKCJzdW0iKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgidG90 YWwiKTsKKworICAgIC8vIFNRTGl0ZSBGVFMgZnVuY3Rpb25zCisgICAgbV93aGl0ZWxpc3RlZEZ1 bmN0aW9ucy5hZGQoInNuaXBwZXQiKTsKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rpb25zLmFkZCgi b2Zmc2V0cyIpOworICAgIG1fd2hpdGVsaXN0ZWRGdW5jdGlvbnMuYWRkKCJvcHRpbWl6ZSIpOwor CisgICAgLy8gU1FMaXRlIElDVSBmdW5jdGlvbnMKKyAgICAvLyBsaWtlKCksIGxvd2VyKCkgYW5k IHVwcGVyKCkgYXJlIGFscmVhZHkgaW4gdGhlIGxpc3QKKyAgICBtX3doaXRlbGlzdGVkRnVuY3Rp b25zLmFkZCgicmVnZXhwIik7Cit9CisKIGludCBEYXRhYmFzZUF1dGhvcml6ZXI6OmNyZWF0ZVRh YmxlKGNvbnN0IFN0cmluZyYgdGFibGVOYW1lKQogewogICAgIGlmIChtX3JlYWRPbmx5ICYmIG1f c2VjdXJpdHlFbmFibGVkKQpAQCAtMjc4LDEyICszNDIsMTIgQEAgaW50IERhdGFiYXNlQXV0aG9y aXplcjo6YWxsb3dEZXRhY2goY29ucwogICAgIHJldHVybiBtX3NlY3VyaXR5RW5hYmxlZCA/IFNR TEF1dGhEZW55IDogU1FMQXV0aEFsbG93OwogfQogCi1pbnQgRGF0YWJhc2VBdXRob3JpemVyOjph bGxvd0Z1bmN0aW9uKGNvbnN0IFN0cmluZyYpCitpbnQgRGF0YWJhc2VBdXRob3JpemVyOjphbGxv d0Z1bmN0aW9uKGNvbnN0IFN0cmluZyYgZnVuY3Rpb25OYW1lKQogewotICAgIC8vIEZJWE1FOiBB cmUgdGhlcmUgYW55IG9mIHRoZXNlIHdlIG5lZWQgdG8gcHJldmVudD8gIE9uZSBtaWdodCBndWVz cyBjdXJyZW50X2RhdGUsIGN1cnJlbnRfdGltZSwgY3VycmVudF90aW1lc3RhbXAgYmVjYXVzZQot ICAgIC8vIHRoZXkgd291bGQgdmlvbGF0ZSB0aGUgInNhbmRib3ggZW52aXJvbm1lbnQiIHBhcnQg b2YgNC4xMS4zLCBidXQgc2NyaXB0cyBjYW4gZ2VuZXJhdGUgdGhlIGxvY2FsIGNsaWVudCBzaWRl IGluZm9ybWF0aW9uIHZpYQotICAgIC8vIGphdmFzY3JpcHQgZGlyZWN0bHksIGFueXdheXMuICBB cmUgdGhlcmUgYW55IG90aGVyIGJ1aWx0LWlucyB3ZSBuZWVkIHRvIGJlIHdvcnJpZWQgYWJvdXQ/ Ci0gICAgcmV0dXJuIFNRTEF1dGhBbGxvdzsKKyAgaWYgKG1fc2VjdXJpdHlFbmFibGVkICYmICFt X3doaXRlbGlzdGVkRnVuY3Rpb25zLmNvbnRhaW5zKGZ1bmN0aW9uTmFtZS5sb3dlcigpKSkKKyAg ICByZXR1cm4gU1FMQXV0aERlbnk7CisKKyAgcmV0dXJuIFNRTEF1dGhBbGxvdzsKIH0KIAogdm9p ZCBEYXRhYmFzZUF1dGhvcml6ZXI6OmRpc2FibGUoKQpJbmRleDogV2ViQ29yZS9zdG9yYWdlL0Rh dGFiYXNlQXV0aG9yaXplci5oCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvc3RvcmFnZS9EYXRhYmFz ZUF1dGhvcml6ZXIuaAkocmV2aXNpb24gNTMxNzIpCisrKyBXZWJDb3JlL3N0b3JhZ2UvRGF0YWJh c2VBdXRob3JpemVyLmgJKHdvcmtpbmcgY29weSkKQEAgLTI4LDYgKzI4LDggQEAKICNpZm5kZWYg RGF0YWJhc2VBdXRob3JpemVyX2gKICNkZWZpbmUgRGF0YWJhc2VBdXRob3JpemVyX2gKIAorI2lu Y2x1ZGUgIlN0cmluZ0hhc2guaCIKKyNpbmNsdWRlIDx3dGYvSGFzaFNldC5oPgogI2luY2x1ZGUg PHd0Zi9QYXNzUmVmUHRyLmg+CiAjaW5jbHVkZSA8d3RmL1RocmVhZGluZy5oPgogCkBAIC05NCwx MiArOTYsMTUgQEAgcHVibGljOgogCiBwcml2YXRlOgogICAgIERhdGFiYXNlQXV0aG9yaXplcigp OworICAgIHZvaWQgYWRkV2hpdGVsaXN0ZWRGdW5jdGlvbnMoKTsKICAgICBpbnQgZGVueUJhc2Vk T25UYWJsZU5hbWUoY29uc3QgU3RyaW5nJik7CiAKICAgICBib29sIG1fc2VjdXJpdHlFbmFibGVk IDogMTsKICAgICBib29sIG1fbGFzdEFjdGlvbldhc0luc2VydCA6IDE7CiAgICAgYm9vbCBtX2xh c3RBY3Rpb25DaGFuZ2VkRGF0YWJhc2UgOiAxOwogICAgIGJvb2wgbV9yZWFkT25seSA6IDE7CisK KyAgICBIYXNoU2V0PFN0cmluZz4gbV93aGl0ZWxpc3RlZEZ1bmN0aW9uczsKIH07CiAKIH0gLy8g bmFtZXNwYWNlIFdlYkNvcmUK