47593 2010-10-13 07:22:07 -0700 Require a user gesture to open the file dialog 2011-12-30 04:21:50 -0800 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED P2 Normal --- 55102 55110 55104 0 jnd webkit-unassigned abarth aestes ap darin inferno j jschuh oldest_to_newest 293419 0 jnd 2010-10-13 07:22:07 -0700 <Input type=file> is represented as a file upload control in WebKit, it is a sensitive control since it can access users' local file(s). So ideally browser should only allow doing the file choosing behavior via user gesture, but so far only Firefox does.(Please refer to http://mxr.mozilla.org/mozilla/source/content/html/content/src/nsHTMLInputElement.cpp#1413) A chromium bug(http://crbug.com/58319) is related to this bug. For example, when running the following code, there is no file select dialog only in Firefox, other main-stream browsers show the file dialog. <input type="file" id="f"> <script>setTimeout("document.getElementById('f').click();", 1);</script> I suggest requiring a user gesture to open the file dialog in WebKit like Firefox does To do this, there are two ways. 1) Only direct user gesture event can open the file dialog. The direct user gesture event(key/mouse) means the event must dispatch on the <input type=file>, which can ensure the file dialog is opened by users' true intention. 2) The file dialog can be opened as long as a user gesture happens at that time, which means you can open the file dialog in user gesture event dispatched on other elements, which may be more convenient For example. when running the following code in WebKit, <input type="file" id="f"> <a onclick="document.getElementById('f').click();">click me</a> In way 1, clicking the text "click me" will not open the file dialog, but the file dialog does open in way 2. I personally prefer the way 1, since it's more safe. Any suggestions? 293456 1 abarth 2010-10-13 09:36:34 -0700 I think either would be fine. I'd go with the general user gesture approach first, but I don't feel strongly about it. 293587 2 ap 2010-10-13 12:10:49 -0700 Would that add any safety in the presence of FileReader? A site can read file content from a drop handler. 293633 3 abarth 2010-10-13 12:43:12 -0700 The Chromium bug is marked security sensitive because it has exploit details. The issue is that the web site can spam the user with file picker dialogs. 293637 4 ap 2010-10-13 12:48:45 -0700 > The Chromium bug is marked security sensitive because it has exploit details. I can't see the Chromium bug. > The issue is that the web site can spam the user with file picker dialogs. Is this different from spamming with alerts, confirms or modal dialogs? 293643 5 abarth 2010-10-13 12:54:16 -0700 > > The issue is that the web site can spam the user with file picker dialogs. > > Is this different from spamming with alerts, confirms or modal dialogs? Yes. For two reasons: (1) we have mitigations in place for all of those and (2) the file picker is non-modal. Requiring a user gesture here matches Firefox as well. We plan to put in other mitigations at the browser level, but this one seems worth doing at the WebCore level. 294055 6 70727 jnd 2010-10-14 05:07:46 -0700 Created attachment 70727 patch v1 Thanks for comments! Patch V1 is ready. 295037 7 inferno 2010-10-15 17:26:58 -0700 Adam, can you please review. 295051 8 70727 abarth 2010-10-15 17:38:53 -0700 Comment on attachment 70727 patch v1 View in context: https://bugs.webkit.org/attachment.cgi?id=70727&action=review > WebCore/rendering/RenderFileUploadControl.cpp:128 > + if (!(frame() && frame()->loader()->isProcessingUserGesture())) We usually say !frame() || !frame() ... 295062 9 inferno 2010-10-15 17:51:49 -0700 Thanks a lot Adam for the quick response. Johnny, i can fix the style nit and commit it for you ? Also, did anyone nominate you for committer access yet ? 295130 10 jnd 2010-10-16 07:46:09 -0700 (In reply to comment #9) > Thanks a lot Adam for the quick response. > > Johnny, i can fix the style nit and commit it for you ? Also, did anyone nominate you for committer access yet ? Abhishek, please help me fix the nit and land it. Thanks very much for the helps from you and Adam! So far no-body nominated me for committer yet. I have 10+ changes on WebKit, you can refer to them from http://trac.webkit.org/search?q=jnd%40chromium&noquickjump=1&changeset=on http://trac.webkit.org/search?q=johnnyding.webkit%40gmail.com&noquickjump=1&changeset=on 295151 11 inferno 2010-10-16 09:48:30 -0700 Committed r69914: <http://trac.webkit.org/changeset/69914> 355652 12 aestes 2011-02-22 15:26:52 -0800 (In reply to comment #5) > > > The issue is that the web site can spam the user with file picker dialogs. > > > > Is this different from spamming with alerts, confirms or modal dialogs? > > Requiring a user gesture here matches Firefox as well. We plan to put in other mitigations at the browser level, but this one seems worth doing at the WebCore level. Interestingly, this will no longer be true in Firefox 4. They now allow .click() to be called programmatically on input elements (see <https://bugzilla.mozilla.org/show_bug.cgi?id=61098>) without an underlying user gesture. IE also allows this. I think we should revert this change. It makes us incompatible with other major engines and with at least one major JavaScript framework that I'm aware of (SproutCore), which I think outweighs the benefits of mitigating file chooser spamming. 355653 13 aestes 2011-02-22 15:30:36 -0800 I will note that from reading the mozilla bug it seems like Firefox has mitigation against creating modal dialogs in a loop, which they apply to file chooser dialogs as well. I'm not sure if we do something similar. This is the type of exploit they wish to avoid (copied from the bug): myFileControl = doc.getElementById('file'); do { myFileControl.click(); } while (!fileContainsDirectionsToSecretVolcanoLair(myFileControl.files[0])); 355877 14 jnd 2011-02-22 22:33:55 -0800 (In reply to comment #13) > I will note that from reading the mozilla bug it seems like Firefox has mitigation against creating modal dialogs in a loop, which they apply to file chooser dialogs as well. I'm not sure if we do something similar. This is the type of exploit they wish to avoid (copied from the bug): > > myFileControl = doc.getElementById('file'); > do { > myFileControl.click(); > } while (!fileContainsDirectionsToSecretVolcanoLair(myFileControl.files[0])); Thanks Andy. After reading mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=61098, I think it is to deal with how to avoid creating endless model dialog like alert, like you said it applies to file chooser dialogs as well in Firefox, but this webkit change is to disallow javascript to open the file dialog without user gesture. See the following test. <input type=button value="click" onclick="open_file_dialog()" /> <input type=file id="file"> <script> function open_file_dialog() { while (1) { document.getElementById("file").click(); } } // try to open a file dialog in load stage. document.getElementById("file").click(); </script> In above test, function open_file_dialog opens file dialog in infinite loop. In Firefox4, when loading the test, there is no file dialog, which is blocked because of no user gesture (we follow it from this webkit bug). When calling the function in user gesture stage, the patch for mozilla bug 61098 can allow only a few file dialogs (model dialog) to be popped up. I test the following test case in Firefox4 and Safari with enabling popup blocker, they have same behavior. I think we should keep this patch. Please correct me if I am wrong. 355901 15 aestes 2011-02-22 23:28:57 -0800 Hi Johnny, (In reply to comment #14) > (In reply to comment #13) > After reading mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=61098, I think it is to deal with how to avoid creating endless model dialog like alert, like you said it applies to file chooser dialogs as well in Firefox, but this webkit change is to disallow javascript to open the file dialog without user gesture. Sorry, I linked to the wrong bug. The bug I meant to link to was <https://bugzilla.mozilla.org/show_bug.cgi?id=36619>, which tracks adding a click() method to file input elements. <https://bugzilla.mozilla.org/show_bug.cgi?id=61098> is also relevant here, but wasn't what I was basing my analysis on. Firefox 4 integrates their implementation with their pop-up blocker, which (if enabled) allows programatic clicks to open a file picker after user confirmation. We don't, so such attempts are blocked regardless of the state of our pop-up blocker. Firefox 4 also allows file pickers even if the programatic click() and the user gesture are separated by a timeout. Take the following test case for example: <script> window.addEventListener('load', function() { document.getElementById('the-link').addEventListener('click', function() { setTimeout(function() { document.getElementById('the-file-input').click(); },1000); }, false); }, false); </script> <input id="the-file-input" type="file"> <a id='the-link' href="#">Programatically click the input.</a> Firefox 4 will display a file picker one second after clicking 'Programatically click the input'; we won't, again regardless of pop-up blocker state. There are valid reasons for content authors to programmatically send click events to file input elements via setTimeout() and I think we shouldn't break those use cases. 355907 16 aestes 2011-02-23 00:00:06 -0800 Perhaps timers could remember the user gesture state of the event loop iteration that initiated them, then set the user gesture state accordingly when the timer fires. This would allow the click-via-setTimeout use case without allowing non-gesture-initiated clicks in general. Depending on how careful we want to be we could add protections like only forwarding gestures for timers less than a certain maximum delay and/or only propagating one level deep. 355966 17 jnd 2011-02-23 03:00:09 -0800 (In reply to comment #16) > Perhaps timers could remember the user gesture state of the event loop iteration that initiated them, then set the user gesture state accordingly when the timer fires. This would allow the click-via-setTimeout use case without allowing non-gesture-initiated clicks in general. Depending on how careful we want to be we could add protections like only forwarding gestures for timers less than a certain maximum delay and/or only propagating one level deep. I see, looks like a feature for gesture management. Make sense to me for supporting it, but we should avoid contents authors to abuse this feature, I will suggest that only a timer can remember the user gesture state and the new timeouts created inside that timeout can not inherit this gesture. Adam, what do you think about Andy's suggestion? 356513 18 abarth 2011-02-23 16:00:22 -0800 > Adam, what do you think about Andy's suggestion? Sounds reasonable. We might want to check what other browsers do. The long term solution here is probably to write a spec for all these cases and socialize it with other browser vendors. Otherwise we're going to be continually chasing our tail w.r.t. what web sites expect us to do. 356536 19 aestes 2011-02-23 16:32:15 -0800 I'll do a little more research into how Firefox handles the setTimeout() case. I'll also file new bugs for these enhancements. 356554 20 aestes 2011-02-23 16:52:28 -0800 (In reply to comment #19) > I'll do a little more research into how Firefox handles the setTimeout() case. I'll also file new bugs for these enhancements. I filed <https://bugs.webkit.org/show_bug.cgi?id=55102> and <https://bugs.webkit.org/show_bug.cgi?id=55104>. 356608 21 aestes 2011-02-23 18:12:12 -0800 Johnny, while looking into this I noticed that the test for this patch passes even if I comment out the early return in RenderFileUploadControl::click(). This isn't so great :( I was thinking about how to make this test more obvious, and I think the right thing to do is to have DumpRenderTree implement the UI delegates for the open panel (webView:runOpenPanelForFileButtonWithResultListener:allowMultipleFiles: and webView:runOpenPanelForFileButtonWithResultListener on the Mac) and have them log a message. Layout test expectations could then be based around the presence/absence of this log message. That technique could be useful for this test as well as for the tests that will be necessary for the two dependent bugs. 356615 22 aestes 2011-02-23 18:17:07 -0800 (In reply to comment #21) > Johnny, while looking into this I noticed that the test for this patch passes even if I comment out the early return in RenderFileUploadControl::click(). This isn't so great :( > > I was thinking about how to make this test more obvious, and I think the right thing to do is to have DumpRenderTree implement the UI delegates for the open panel (webView:runOpenPanelForFileButtonWithResultListener:allowMultipleFiles: and webView:runOpenPanelForFileButtonWithResultListener on the Mac) and have them log a message. Layout test expectations could then be based around the presence/absence of this log message. > > That technique could be useful for this test as well as for the tests that will be necessary for the two dependent bugs. I filed <https://bugs.webkit.org/show_bug.cgi?id=55110> about this. 528121 23 j 2011-12-30 04:21:50 -0800 FWIW, this change causes problems with programmatically adding files in QtWebKit. See https://bugs.webkit.org/show_bug.cgi?id=75385. 70727 2010-10-14 05:07:46 -0700 2010-10-15 17:38:53 -0700 patch v1 patch003.txt text/plain 5116 jnd SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA2OTc1NykKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTUgQEAKKzIwMTAtMTAtMTQgIEpvaG5ueSBEaW5nICA8am5kQGNocm9taXVtLm9y Zz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBSZXF1 aXJlcyBhIHVzZXIgZ2VzdHVyZSB3aGVuIG9wZW5pbmcgZmlsZSBjaG9vc2UgZGlhbG9nLgorICAg ICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NDc1OTMKKworICAg ICAgICBUZXN0OiBmYXN0L2Zvcm1zL2lucHV0LWZpbGUtbm90LW9wZW4td2l0aG91dC1nZXN0dXJl Lmh0bWwKKworICAgICAgICAqIHJlbmRlcmluZy9SZW5kZXJGaWxlVXBsb2FkQ29udHJvbC5jcHA6 CisgICAgICAgIChXZWJDb3JlOjpSZW5kZXJGaWxlVXBsb2FkQ29udHJvbDo6Y2xpY2spOgorCiAy MDEwLTEwLTA4ICBQYXZlbCBGZWxkbWFuICA8cGZlbGRtYW5AY2hyb21pdW0ub3JnPgogCiAgICAg ICAgIFJldmlld2VkIGJ5IFl1cnkgU2VtaWtoYXRza3kuCkluZGV4OiBXZWJDb3JlL3JlbmRlcmlu Zy9SZW5kZXJGaWxlVXBsb2FkQ29udHJvbC5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29yZS9yZW5k ZXJpbmcvUmVuZGVyRmlsZVVwbG9hZENvbnRyb2wuY3BwCShyZXZpc2lvbiA2OTY0NykKKysrIFdl YkNvcmUvcmVuZGVyaW5nL1JlbmRlckZpbGVVcGxvYWRDb250cm9sLmNwcAkod29ya2luZyBjb3B5 KQpAQCAtMTI0LDggKzEyNCwxMSBAQCB2b2lkIFJlbmRlckZpbGVVcGxvYWRDb250cm9sOjpjaG9v c2VJY29uCiAKIHZvaWQgUmVuZGVyRmlsZVVwbG9hZENvbnRyb2w6OmNsaWNrKCkKIHsKKyAgICAv LyBSZXF1aXJlcyBhIHVzZXIgZ2VzdHVyZSB0byBvcGVuIHRoZSBmaWxlIGRpYWxvZy4KKyAgICBp ZiAoIShmcmFtZSgpICYmIGZyYW1lKCktPmxvYWRlcigpLT5pc1Byb2Nlc3NpbmdVc2VyR2VzdHVy ZSgpKSkKKyAgICAgICAgcmV0dXJuOwogICAgIGlmIChDaHJvbWUqIGNocm9tZVBvaW50ZXIgPSBj aHJvbWUoKSkKLSAgICAgICAgY2hyb21lUG9pbnRlci0+cnVuT3BlblBhbmVsKG5vZGUoKS0+ZG9j dW1lbnQoKS0+ZnJhbWUoKSwgbV9maWxlQ2hvb3Nlcik7CisgICAgICAgIGNocm9tZVBvaW50ZXIt PnJ1bk9wZW5QYW5lbChmcmFtZSgpLCBtX2ZpbGVDaG9vc2VyKTsKIH0KIAogQ2hyb21lKiBSZW5k ZXJGaWxlVXBsb2FkQ29udHJvbDo6Y2hyb21lKCkgY29uc3QKSW5kZXg6IExheW91dFRlc3RzL0No YW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHJldmlzaW9uIDY5 NzU3KQorKysgTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEs MTMgQEAKKzIwMTAtMTAtMTQgIEpvaG5ueSBEaW5nICA8am5kQGNocm9taXVtLm9yZz4KKworICAg ICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBSZXF1aXJlcyBhIHVz ZXIgZ2VzdHVyZSB3aGVuIG9wZW5pbmcgZmlsZSBjaG9vc2UgZGlhbG9nLgorICAgICAgICBodHRw czovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NDc1OTMKKworICAgICAgICAqIGZh c3QvZm9ybXMvaW5wdXQtZmlsZS1ub3Qtb3Blbi13aXRob3V0LWdlc3R1cmUtZXhwZWN0ZWQudHh0 OiBBZGRlZC4KKyAgICAgICAgKiBmYXN0L2Zvcm1zL2lucHV0LWZpbGUtbm90LW9wZW4td2l0aG91 dC1nZXN0dXJlLmh0bWw6IEFkZGVkLgorCiAyMDEwLTEwLTE0ICBIYXlhdG8gSXRvICA8aGF5YXRv QGNocm9taXVtLm9yZz4KIAogICAgICAgICBVbnJldmlld2VkLCBidWlsZCBmaXguCkluZGV4OiBM YXlvdXRUZXN0cy9mYXN0L2Zvcm1zL2lucHV0LWZpbGUtbm90LW9wZW4td2l0aG91dC1nZXN0dXJl LWV4cGVjdGVkLnR4dAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9mYXN0L2Zvcm1zL2lucHV0 LWZpbGUtbm90LW9wZW4td2l0aG91dC1nZXN0dXJlLWV4cGVjdGVkLnR4dAkocmV2aXNpb24gMCkK KysrIExheW91dFRlc3RzL2Zhc3QvZm9ybXMvaW5wdXQtZmlsZS1ub3Qtb3Blbi13aXRob3V0LWdl c3R1cmUtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQpAQCAtMCwwICsxLDQgQEAKKworVGhpcyBm aWxlIGlzIHRvIHRlc3QgdGhhdCBvcGVuaW5nIGZpbGUgZGlhbG9nIHJlcXVpcmVzIGEgdXNlciBn ZXN0dXJlLiBQbGVhc2UgcmVmZXIgdG8gaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcu Y2dpP2lkPTQ3NTkzIGZvciBtb3JlIGRldGFpbHMuCitUZXN0IG9wZW5pbmcgZmlsZSBkaWFsb2cg d2l0aG91dCB1c2VyIGdlc3R1cmUgaXMgUEFTU0VECisKSW5kZXg6IExheW91dFRlc3RzL2Zhc3Qv Zm9ybXMvaW5wdXQtZmlsZS1ub3Qtb3Blbi13aXRob3V0LWdlc3R1cmUuaHRtbAo9PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 Ci0tLSBMYXlvdXRUZXN0cy9mYXN0L2Zvcm1zL2lucHV0LWZpbGUtbm90LW9wZW4td2l0aG91dC1n ZXN0dXJlLmh0bWwJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9mYXN0L2Zvcm1zL2lucHV0 LWZpbGUtbm90LW9wZW4td2l0aG91dC1nZXN0dXJlLmh0bWwJKHJldmlzaW9uIDApCkBAIC0wLDAg KzEsNjAgQEAKKzwhRE9DVFlQRSBodG1sPgorPGh0bWw+Cis8aGVhZD4KKzxzY3JpcHQ+CitpZiAo d2luZG93LmxheW91dFRlc3RDb250cm9sbGVyKSB7CisgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIu ZHVtcEFzVGV4dCgpOworICAgIGxheW91dFRlc3RDb250cm9sbGVyLndhaXRVbnRpbERvbmUoKTsK K30KK2NvbnN0IElOSVRJQUw9IDA7Citjb25zdCBPUEVOX0ZJTEVfV0lUSE9VVF9HRVNUVVJFID0g MTsKK3dpbmRvdy50ZXN0U3RhZ2UgPSBJTklUSUFMOword2luZG93LmNsaWNrUmVjZWl2ZWQgPSBm YWxzZTsKK3dpbmRvdy5jbGlja0ZpcmVkID0gZmFsc2U7CisKK2Z1bmN0aW9uIGNoZWNrUmVzdWx0 KGNvbnRpbnVlRnVuYykgeworICAgIGlmICghY2xpY2tGaXJlZCkKKyAgICAgICAgcmV0dXJuOwor ICAgIGlmIChjbGlja1JlY2VpdmVkKSB7CisgICAgICAgIC8vIFdoZW4gdGhlIGZpbGUgc2VsZWN0 IGRpYWxvZyBzaG93cyB1cCwgaXQncyBhIG1vZGVsIHdpbmRvdyB3aGljaCByZWNlaXZlcworICAg ICAgICAvLyBhbGwgVUkgZXZlbnRzIHNlbnQgdG8gd2luZG93LCBzbyB0aGUgY2xpY2sgZXZlbnQg Y2FuIG5vdCBiZSByZWNlaXZlZCBieSBib2R5LgorICAgICAgICAvLyBJZiB3ZSByZWNlaXZlZCB0 aGUgY2xpY2sgZXZlbnQsIGl0IG1lYW5zIHRoZSBmaWxlIGRpYWxvZyB3YXMgbm90IG9wZW5lZC4K KyAgICAgICAgaWYgKHRlc3RTdGFnZSA9PSBPUEVOX0ZJTEVfV0lUSE9VVF9HRVNUVVJFKQorICAg ICAgICAgICAgZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoIm9wZW5fd2l0aG91dF9nZXN0dXJlIiku aW5uZXJIVE1MID0gIlBBU1NFRCI7CisgICAgICAgIGNsaWNrUmVjZWl2ZWQgPSBmYWxzZTsKKyAg ICB9IAorICAgIGNsaWNrRmlyZWQgPSBmYWxzZTsKKyAgICBjb250aW51ZUZ1bmMoKTsKK30KKwor ZnVuY3Rpb24gb3BlbkZpbGVEaWFsb2dXaXRob3V0VXNlckdlc3R1cmUoKSB7CisgICAgLy8gVHJp ZXMgdG8gY2FsbCA8aW5wdXQgdHlwZT1maWxlPi5jbGljayB0byBvcGVuIHRoZSBmaWxlIGRpYWxv ZyB3aXRob3V0IGEgdXNlciBnZXN0dXJlLgorICAgIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdm JykuY2xpY2soKTsKKyAgICAvLyBGaXJlcyBhIGNsaWNrIGV2ZW50LgorICAgIHNldFRpbWVvdXQo ZnVuY3Rpb24oKSB7CisgICAgICAgIGV2ZW50U2VuZGVyLm1vdXNlTW92ZVRvKDEwLCAxMDApOwor ICAgICAgICBldmVudFNlbmRlci5tb3VzZURvd24oKTsKKyAgICAgICAgZXZlbnRTZW5kZXIubW91 c2VVcCgpOworICAgICAgICBjbGlja0ZpcmVkID0gdHJ1ZTsKKyAgICAgICAgdGVzdFN0YWdlID0g T1BFTl9GSUxFX1dJVEhPVVRfR0VTVFVSRTsKKyAgICAgICAgLy8gV2FpdHMgZm9yIG9wZW5pbmcg dGhlIGZpbGUgZGlhbG9nIGFuZCBjaGVja3Mgd2hldGhlciB0aGUgY2xpY2sgZXZlbnQgY2FuIHN0 aWxsIGJlIHJlY2VpdmVkIGJ5IGRvY3VtZW50LgorICAgICAgICBzZXRUaW1lb3V0KCJjaGVja1Jl c3VsdChmdW5jdGlvbigpIHsgbGF5b3V0VGVzdENvbnRyb2xsZXIubm90aWZ5RG9uZSgpOyB9KSIs IDUwMCk7CisgICAgfSwgMSk7Cit9CisKK2Z1bmN0aW9uIHN0YXJ0VGVzdCgpIHsKKyAgICBpZiAo IXdpbmRvdy5sYXlvdXRUZXN0Q29udHJvbGxlcikKKyAgICAgICAgcmV0dXJuOworICAgIGRvY3Vt ZW50LmJvZHkuYWRkRXZlbnRMaXN0ZW5lcigiY2xpY2siLCBmdW5jdGlvbigpIHsgd2luZG93LmNs aWNrUmVjZWl2ZWQgPSB0cnVlIH0sIHRydWUpOworICAgIHNldFRpbWVvdXQob3BlbkZpbGVEaWFs b2dXaXRob3V0VXNlckdlc3R1cmUsIDEpOworfQorPC9zY3JpcHQ+Cis8L2hlYWQ+Cis8Ym9keSBz dHlsZT0ibWFyZ2luOjBweDsgcGFkZGluZzowcHgiIG9ubG9hZD0ic3RhcnRUZXN0KCk7Ij4KKzxm b3JtPgorPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImZpbGUiIGlkPSJmIj4KKzwvZm9ybT4KK1Ro aXMgZmlsZSBpcyB0byB0ZXN0IHRoYXQgb3BlbmluZyBmaWxlIGRpYWxvZyByZXF1aXJlcyBhIHVz ZXIgZ2VzdHVyZS4gUGxlYXNlIHJlZmVyIHRvIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3df YnVnLmNnaT9pZD00NzU5MyBmb3IgbW9yZSBkZXRhaWxzLjxicj4KK1Rlc3Qgb3BlbmluZyBmaWxl IGRpYWxvZyB3aXRob3V0IHVzZXIgZ2VzdHVyZSBpcyA8c3BhbiBpZD0ib3Blbl93aXRob3V0X2dl c3R1cmUiPkZBSUxFRDwvc3Bhbj48YnI+Cis8L2JvZHk+Cis8L2h0bWw+Cg==