61360 2011-05-24 06:17:23 -0700 Content Security Policy reports should be reported with content-type application/json 2012-05-06 23:02:55 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 53572 0 jeffstewart abarth abarth bmt eric jeffstewart mkwst ossy sam webkit.review.bot oldest_to_newest 408803 0 jeffstewart 2011-05-24 06:17:23 -0700 Using MacOS nightly webkit build 87124, Content-Security-Policy violations are being reported with content-type application/x-www-form-urlencoded (and the payload is indeed form encoded). The spec (http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#report-uri) says: The violation report must be sent via an HTTP POST request whose body is comprised of a JSON object containing violation information, and the request must have a Content-Type of application/json. On a related note, the report does not contain the blocked-uri field: http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#violation-report-syntax Shows that the following fields should be sent: request: HTTP request line of the protected resource whose policy was violated including method, URI and HTTP version request-headers: HTTP request headers sent with the request for the protected resource whose policy was violated blocked-uri: URI of the resource that was prevented from loading due to the policy violation violated-directive: The policy directive that was violated original-policy: The original policy as received by the user-agent. If the policy was received via more than one Content Security Policy response header, this field must contain a comma separated list of original policies. To reproduce: The python script at the end of this report will reproduce the problem. Here's an example capture of a CSP report sent to that server (Cookie header elided, hostnames blacked out): Host: XXXXXXXX.XXX.XXXX.XXXXXX.com:10000 Origin: null User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_4) AppleWebKit/535.1+ (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 Content-Type: application/x-www-form-urlencoded Referer: http://XXXXXXXX.XXX.XXXX.XXXXXX.com:10002/ Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate Content-Length: 107 Connection: keep-alive document-url=http%3A%2F%2FXXXXXXXX.XXX.XXXX.XXXXXX.com%3A10000%2F&violated-directive=default-src+%27self%27 Here's a python script that can help reproduce the issue: from BaseHTTPServer import BaseHTTPRequestHandler import socket import SocketServer import sys DOCUMENT = """<html><head></head><body>Hi <img src="http://some.other.server/does/not/exist.jpg"></body></html>""" PORT = 10000 class MyHandler(BaseHTTPRequestHandler): def do_POST(self): print self.headers bytes = int(self.headers['Content-Length']) payload = self.rfile.read(bytes) print payload self.send_response(200) self.end_headers() def do_GET(self): path = self.path.split('?', 1)[0] path = path.split('#', 1)[0] if path != '/': self.send_response(404) return ctype = 'text/html' length = len(DOCUMENT) self.send_response(200) # This is supposed to be default-src rather than allow. # It will probably break sometime in the future. self.send_header('X-Content-Security-Policy-Report-Only', 'allow https: data:; ' 'report-uri http://%s:%s/csp-report' % ( socket.gethostname(), PORT)) # Report-Only is not in the Chrome canary build yet. self.send_header('X-WebKit-CSP', 'default-src \'self\'; ' 'report-uri http://%s:%d/csp-report' % ( socket.gethostname(), PORT)) self.send_header('Content-Type', ctype) self.send_header('Content-Length', str(length)) self.end_headers() print >>self.wfile, DOCUMENT, def main(argv): global PORT if len(argv) > 1: PORT = int(argv[1]) print 'Listening at http://%s:%d/' % (socket.gethostname(), PORT) httpd = SocketServer.TCPServer(("", PORT), MyHandler) httpd.serve_forever() if __name__ == '__main__': main(sys.argv) 410468 1 abarth 2011-05-26 08:53:51 -0700 Thanks for the report. > Using MacOS nightly webkit build 87124, Content-Security-Policy violations are being reported with content-type application/x-www-form-urlencoded (and the payload is indeed form encoded). The spec (http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#report-uri) says: This is intentional (at least for the moment). We've recommended to the working group that the report should be sent form-urlencoded. > On a related note, the report does not contain the blocked-uri field: This is also intentional. There are some subtle security issues with sending the blocked-uri, especially if cross-origin redirects are involved. There's a spec change in the works to address this issue, which we'll implement once all the details are in the spec. Thanks! 483574 2 abarth 2011-10-13 15:45:26 -0700 Sam said he might be interested in tackling this issue. 616747 3 140347 abarth 2012-05-04 15:49:11 -0700 Created attachment 140347 Patch 616751 4 140347 eric 2012-05-04 15:50:54 -0700 Comment on attachment 140347 Patch LGTM. 616756 5 140347 webkit.review.bot 2012-05-04 15:55:37 -0700 Comment on attachment 140347 Patch Rejecting attachment 140347 from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 2 Last 500 characters of output: y/report-only-from-header-expected.txt patching file LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt patching file LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt patching file LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', u'--force', u'--reviewer', u'Eric Seidel']" exit_code: 1 cwd: /mnt/git/webkit-commit-queue/ Full output: http://queues.webkit.org/results/12630290 616758 6 abarth 2012-05-04 15:58:19 -0700 This patch depends on the patch in Bug 85561. 616782 7 abarth 2012-05-04 16:17:27 -0700 Containing all the required fields is Bug 85682. 617365 8 abarth 2012-05-06 21:33:36 -0700 Committed r116268: <http://trac.webkit.org/changeset/116268> 617395 9 ossy 2012-05-06 22:40:14 -0700 Reopen, because it broke the !INSPECTOR builds: ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp: In member function 'void WebCore::CSPDirectiveList::reportViolation(const WTF::String&, const WTF::String&) const': ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:605: error: incomplete type 'WebCore::InspectorObject' used in nested name specifier ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:606: error: invalid use of incomplete type 'struct WebCore::InspectorObject' ../../../../Source/WebCore/inspector/ScriptCallFrame.h:43: error: forward declaration of 'struct WebCore::InspectorObject' ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:608: error: invalid use of incomplete type 'struct WebCore::InspectorObject' ../../../../Source/WebCore/inspector/ScriptCallFrame.h:43: error: forward declaration of 'struct WebCore::InspectorObject' ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:610: error: incomplete type 'WebCore::InspectorObject' used in nested name specifier ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:611: error: invalid use of incomplete type 'struct WebCore::InspectorObject' ../../../../Source/WebCore/inspector/ScriptCallFrame.h:43: error: forward declaration of 'struct WebCore::InspectorObject' ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:613: error: invalid use of incomplete type 'struct WebCore::InspectorObject' ../../../../Source/WebCore/inspector/ScriptCallFrame.h:43: error: forward declaration of 'struct WebCore::InspectorObject' In file included from ../../../../Source/WTF/wtf/RefPtr.h:29, from ../../../../Source/WTF/wtf/VectorTraits.h:26, from ../../../../Source/WTF/wtf/Vector.h:31, from ../../../../Source/WebCore/page/ContentSecurityPolicy.h:32, from ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:28: ../../../../Source/WTF/wtf/PassRefPtr.h: In function 'void WTF::derefIfNotNull(T*) [with T = WebCore::InspectorObject]': ../../../../Source/WTF/wtf/RefPtr.h:56: instantiated from 'WTF::RefPtr<T>::~RefPtr() [with T = WebCore::InspectorObject]' ../../../../Source/WebCore/page/ContentSecurityPolicy.cpp:605: instantiated from here ../../../../Source/WTF/wtf/PassRefPtr.h:52: error: invalid use of incomplete type 'struct WebCore::InspectorObject' ../../../../Source/WebCore/inspector/ScriptCallFrame.h:43: error: forward declaration of 'struct WebCore::InspectorObject' 617402 10 abarth 2012-05-06 22:48:16 -0700 Hum... Maybe InspectorValues need to be defined even without the inspector. 617403 11 abarth 2012-05-06 22:55:25 -0700 Attempted fix in http://trac.webkit.org/changeset/116275 617405 12 abarth 2012-05-06 23:02:55 -0700 That seems to have worked. 140347 2012-05-04 15:49:11 -0700 2012-05-04 15:55:37 -0700 Patch bug-61360-20120504154910.patch text/plain 11187 abarth U3VidmVyc2lvbiBSZXZpc2lvbjogMTE2MTI2CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggMDQwZTYzN2EzNjVkNmQ5 ODZiNDYyNzc1NTNjNzZhMjJhZWFkOWQyYi4uZjZlN2Y2ZGRiMTFhYWJjZjFjZTQyNjhiODE4YjQ4 ZDBmMDE1N2ZjYiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSw1ICsxLDIyIEBACiAyMDEyLTA1LTA0ICBBZGFt IEJhcnRoICA8YWJhcnRoQHdlYmtpdC5vcmc+CiAKKyAgICAgICAgQ29udGVudCBTZWN1cml0eSBQ b2xpY3kgcmVwb3J0cyBzaG91bGQgYmUgcmVwb3J0ZWQgd2l0aCBjb250ZW50LXR5cGUgYXBwbGlj YXRpb24vanNvbiwgc2hvdWxkIGNvbnRhaW4gYWxsIHJlcXVpcmVkIGZpZWxkcworICAgICAgICBo dHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NjEzNjAKKworICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBUaGlzIHBhdGNoIGNoYW5nZXMg Q29udGVudFNlY3VyaXR5UG9saWN5IHRvIHVzZSBKU09OIGZvcm1hdCBmb3Igc2VuZGluZworICAg ICAgICB2aW9sYXRpb24gcmVwb3J0cyByYXRoZXIgdGhhbiB3d3dmb3JtLWVuY29kaW5nLiAgVGhp cyBwYXRjaCBhbGlnbnMgb3VyCisgICAgICAgIGJlaGF2aW9yIHdpdGggdGhlIHNwZWNpZmljYXRp b24gYW5kIHdpdGggTW96aWxsYS4gIEEgZm9sbG93IHVwIHBhdGNoCisgICAgICAgIHdpbGwgdXBk YXRlIHRoZSBsaXN0IG9mIGZpZWxkcyBpbiB0aGUgcmVwb3J0IHRvIG1hdGNoIHRoZSBzcGVjLgor CisgICAgICAgICogbG9hZGVyL1BpbmdMb2FkZXIuY3BwOgorICAgICAgICAoV2ViQ29yZTo6UGlu Z0xvYWRlcjo6cmVwb3J0Q29udGVudFNlY3VyaXR5UG9saWN5VmlvbGF0aW9uKToKKyAgICAgICAg KiBwYWdlL0NvbnRlbnRTZWN1cml0eVBvbGljeS5jcHA6CisgICAgICAgIChXZWJDb3JlOjpDU1BE aXJlY3RpdmVMaXN0OjpyZXBvcnRWaW9sYXRpb24pOgorCisyMDEyLTA1LTA0ICBBZGFtIEJhcnRo ICA8YWJhcnRoQHdlYmtpdC5vcmc+CisKICAgICAgICAgQ1NQIHNob3VsZCBsZXQgc2l0ZXMgYm90 aCBlbmZvcmNlIG9uZSBwb2xpY3kgYW5kIG1vbml0b3IgYW5vdGhlcgogICAgICAgICBodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9ODU1NjEKIApkaWZmIC0tZ2l0IGEvU291 cmNlL1dlYkNvcmUvbG9hZGVyL1BpbmdMb2FkZXIuY3BwIGIvU291cmNlL1dlYkNvcmUvbG9hZGVy L1BpbmdMb2FkZXIuY3BwCmluZGV4IDczMjhmNWI0Zjk0MGRmNzM4MGIzZmVjNGRiMzhhNzgyYmU1 NGI1NWEuLjM4YjczNDk3YjFhYjgwMmNhMGQ3OGM3MWQ1MTVmYzRmNzAwM2QyY2EgMTAwNjQ0Ci0t LSBhL1NvdXJjZS9XZWJDb3JlL2xvYWRlci9QaW5nTG9hZGVyLmNwcAorKysgYi9Tb3VyY2UvV2Vi Q29yZS9sb2FkZXIvUGluZ0xvYWRlci5jcHAKQEAgLTExMCw3ICsxMTAsNyBAQCB2b2lkIFBpbmdM b2FkZXI6OnJlcG9ydENvbnRlbnRTZWN1cml0eVBvbGljeVZpb2xhdGlvbihGcmFtZSogZnJhbWUs IGNvbnN0IEtVUkwmCiAgICAgcmVxdWVzdC5zZXRUYXJnZXRUeXBlKFJlc291cmNlUmVxdWVzdDo6 VGFyZ2V0SXNTdWJyZXNvdXJjZSk7CiAjZW5kaWYKICAgICByZXF1ZXN0LnNldEhUVFBNZXRob2Qo IlBPU1QiKTsKLSAgICByZXF1ZXN0LnNldEhUVFBDb250ZW50VHlwZSgiYXBwbGljYXRpb24veC13 d3ctZm9ybS11cmxlbmNvZGVkIik7CisgICAgcmVxdWVzdC5zZXRIVFRQQ29udGVudFR5cGUoImFw cGxpY2F0aW9uL2pzb24iKTsKICAgICByZXF1ZXN0LnNldEhUVFBCb2R5KHJlcG9ydCk7CiAgICAg ZnJhbWUtPmxvYWRlcigpLT5hZGRFeHRyYUZpZWxkc1RvU3VicmVzb3VyY2VSZXF1ZXN0KHJlcXVl c3QpOwogCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9wYWdlL0NvbnRlbnRTZWN1cml0eVBv bGljeS5jcHAgYi9Tb3VyY2UvV2ViQ29yZS9wYWdlL0NvbnRlbnRTZWN1cml0eVBvbGljeS5jcHAK aW5kZXggMjY3ZTZkZGY4MGU4NTRiNjBhZDBjMTk3OTQ3NTU1NzY4OWRlZWE1Yy4uMWE0ZDFkYTNl Y2I1MTg5OWQ1ZmYxMWNiZGU5MTU4N2NlZGMzZWE4YiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNv cmUvcGFnZS9Db250ZW50U2VjdXJpdHlQb2xpY3kuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL3Bh Z2UvQ29udGVudFNlY3VyaXR5UG9saWN5LmNwcApAQCAtMzEsNiArMzEsNyBAQAogI2luY2x1ZGUg IkZvcm1EYXRhLmgiCiAjaW5jbHVkZSAiRm9ybURhdGFMaXN0LmgiCiAjaW5jbHVkZSAiRnJhbWUu aCIKKyNpbmNsdWRlICJJbnNwZWN0b3JWYWx1ZXMuaCIKICNpbmNsdWRlICJQaW5nTG9hZGVyLmgi CiAjaW5jbHVkZSAiU2NyaXB0Q2FsbFN0YWNrLmgiCiAjaW5jbHVkZSAiU2VjdXJpdHlPcmlnaW4u aCIKQEAgLTYwMSwxMiArNjAyLDE1IEBAIHZvaWQgQ1NQRGlyZWN0aXZlTGlzdDo6cmVwb3J0Vmlv bGF0aW9uKGNvbnN0IFN0cmluZyYgZGlyZWN0aXZlVGV4dCwgY29uc3QgU3RyaW5nCiAgICAgLy8g c2VudCBleHBsaWNpdGx5LiBBcyBmb3Igd2hpY2ggZGlyZWN0aXZlIHdhcyB2aW9sYXRlZCwgdGhh dCdzIHByZXR0eQogICAgIC8vIGhhcm1sZXNzIGluZm9ybWF0aW9uLgogCi0gICAgRm9ybURhdGFM aXN0IHJlcG9ydExpc3QoVVRGOEVuY29kaW5nKCkpOwotICAgIHJlcG9ydExpc3QuYXBwZW5kRGF0 YSgiZG9jdW1lbnQtdXJsIiwgZG9jdW1lbnQtPnVybCgpKTsKKyAgICBSZWZQdHI8SW5zcGVjdG9y T2JqZWN0PiBjc3BSZXBvcnQgPSBJbnNwZWN0b3JPYmplY3Q6OmNyZWF0ZSgpOworICAgIGNzcFJl cG9ydC0+c2V0U3RyaW5nKCJkb2N1bWVudC11cmkiLCBkb2N1bWVudC0+dXJsKCkpOwogICAgIGlm ICghZGlyZWN0aXZlVGV4dC5pc0VtcHR5KCkpCi0gICAgICAgIHJlcG9ydExpc3QuYXBwZW5kRGF0 YSgidmlvbGF0ZWQtZGlyZWN0aXZlIiwgZGlyZWN0aXZlVGV4dCk7CisgICAgICAgIGNzcFJlcG9y dC0+c2V0U3RyaW5nKCJ2aW9sYXRlZC1kaXJlY3RpdmUiLCBkaXJlY3RpdmVUZXh0KTsKIAotICAg IFJlZlB0cjxGb3JtRGF0YT4gcmVwb3J0ID0gRm9ybURhdGE6OmNyZWF0ZShyZXBvcnRMaXN0LCBV VEY4RW5jb2RpbmcoKSk7CisgICAgUmVmUHRyPEluc3BlY3Rvck9iamVjdD4gcmVwb3J0T2JqZWN0 ID0gSW5zcGVjdG9yT2JqZWN0OjpjcmVhdGUoKTsKKyAgICByZXBvcnRPYmplY3QtPnNldE9iamVj dCgiY3NwLXJlcG9ydCIsIGNzcFJlcG9ydC5yZWxlYXNlKCkpOworCisgICAgUmVmUHRyPEZvcm1E YXRhPiByZXBvcnQgPSBGb3JtRGF0YTo6Y3JlYXRlKHJlcG9ydE9iamVjdC0+dG9KU09OU3RyaW5n KCkudXRmOCgpKTsKIAogICAgIGZvciAoc2l6ZV90IGkgPSAwOyBpIDwgbV9yZXBvcnRVUkxzLnNp emUoKTsgKytpKQogICAgICAgICBQaW5nTG9hZGVyOjpyZXBvcnRDb250ZW50U2VjdXJpdHlQb2xp Y3lWaW9sYXRpb24oZnJhbWUsIG1fcmVwb3J0VVJMc1tpXSwgcmVwb3J0KTsKZGlmZiAtLWdpdCBh L0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwppbmRleCAzN2Ew Yzc2MWYwODkzYzBiMGM3ODFiNDk3ZDUxYjRkNGIwYzI3NjdmLi44NDdmYmE3NGFkM2FjMzAxZjU4 MGI5MmRiNmU5ZTc1NGFkYzFhZmQ1IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cK KysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDUgKzEsMjEgQEAKIDIwMTItMDUtMDQg IEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9yZz4KIAorICAgICAgICBDb250ZW50IFNlY3Vy aXR5IFBvbGljeSByZXBvcnRzIHNob3VsZCBiZSByZXBvcnRlZCB3aXRoIGNvbnRlbnQtdHlwZSBh cHBsaWNhdGlvbi9qc29uLCBzaG91bGQgY29udGFpbiBhbGwgcmVxdWlyZWQgZmllbGRzCisgICAg ICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD02MTM2MAorCisgICAg ICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFVwZGF0ZSByZXN1bHRz IHRvIHNob3cgSlNPTiBmb3JtYXQuCisKKyAgICAgICAgKiBodHRwL3Rlc3RzL3NlY3VyaXR5L2Nv bnRlbnRTZWN1cml0eVBvbGljeS9yZXBvcnQtYW5kLWVuZm9yY2UtZXhwZWN0ZWQudHh0OgorICAg ICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3JlcG9ydC1v bmx5LWV4cGVjdGVkLnR4dDoKKyAgICAgICAgKiBodHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRT ZWN1cml0eVBvbGljeS9yZXBvcnQtb25seS1mcm9tLWhlYWRlci1leHBlY3RlZC50eHQ6CisgICAg ICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvcmVwb3J0LXVy aS1leHBlY3RlZC50eHQ6CisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2Vj dXJpdHlQb2xpY3kvcmVwb3J0LXVyaS1mcm9tLWNoaWxkLWZyYW1lLWV4cGVjdGVkLnR4dDoKKyAg ICAgICAgKiBodHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9yZXNvdXJj ZXMvc2F2ZS1yZXBvcnQucGhwOgorCisyMDEyLTA1LTA0ICBBZGFtIEJhcnRoICA8YWJhcnRoQHdl YmtpdC5vcmc+CisKICAgICAgICAgQ1NQIHNob3VsZCBsZXQgc2l0ZXMgYm90aCBlbmZvcmNlIG9u ZSBwb2xpY3kgYW5kIG1vbml0b3IgYW5vdGhlcgogICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0 Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9ODU1NjEKIApkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0 cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvcmVwb3J0LWFuZC1lbmZvcmNl LWV4cGVjdGVkLnR4dCBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNl Y3VyaXR5UG9saWN5L3JlcG9ydC1hbmQtZW5mb3JjZS1leHBlY3RlZC50eHQKaW5kZXggZWZhM2Y3 NzdiMGY2N2QxOTRjZWNhNGQ5MzhjODY4NmY0YjNiYzYwNC4uNmE4YWVkYzdhMmRlMjI0Y2Y4YWM2 MWY1MGFiNmNhYTJmZGIwYWE4OSAxMDA2NDQKLS0tIGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9z ZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvcmVwb3J0LWFuZC1lbmZvcmNlLWV4cGVjdGVk LnR4dAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0 eVBvbGljeS9yZXBvcnQtYW5kLWVuZm9yY2UtZXhwZWN0ZWQudHh0CkBAIC00LDkgKzQsOCBAQCBB TEVSVDogUEFTUwogQ09OU09MRSBNRVNTQUdFOiBSZWZ1c2VkIHRvIGxvYWQgaW1hZ2UgZnJvbSAn aHR0cDovLzEyNy4wLjAuMTo4MDAwL3NlY3VyaXR5L3Jlc291cmNlcy9hYmUucG5nJyBiZWNhdXNl IG9mIENvbnRlbnQtU2VjdXJpdHktUG9saWN5LgogCiBDU1AgcmVwb3J0IHJlY2VpdmVkOgotQ09O VEVOVF9UWVBFOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQKK0NPTlRFTlRfVFlQ RTogYXBwbGljYXRpb24vanNvbgogSFRUUF9SRUZFUkVSOiBodHRwOi8vMTI3LjAuMC4xOjgwMDAv c2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3JlcG9ydC1hbmQtZW5mb3JjZS5odG1sCiBS RVFVRVNUX01FVEhPRDogUE9TVAogPT09IFBPU1QgREFUQSA9PT0KLWRvY3VtZW50LXVybDogaHR0 cDovLzEyNy4wLjAuMTo4MDAwL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9yZXBvcnQt YW5kLWVuZm9yY2UuaHRtbAotdmlvbGF0ZWQtZGlyZWN0aXZlOiBzY3JpcHQtc3JjICdzZWxmJwor eyJjc3AtcmVwb3J0Ijp7ImRvY3VtZW50LXVyaSI6Imh0dHA6Ly8xMjcuMC4wLjE6ODAwMC9zZWN1 cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvcmVwb3J0LWFuZC1lbmZvcmNlLmh0bWwiLCJ2aW9s YXRlZC1kaXJlY3RpdmUiOiJzY3JpcHQtc3JjICdzZWxmJyJ9fQpkaWZmIC0tZ2l0IGEvTGF5b3V0 VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvcmVwb3J0LW9u bHktZXhwZWN0ZWQudHh0IGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50 U2VjdXJpdHlQb2xpY3kvcmVwb3J0LW9ubHktZXhwZWN0ZWQudHh0CmluZGV4IDkzMjBlZDkxMzRh ZDQyNjQwNzA4ZGQ4ZTkwMWM2NjJjZDNjODE2MjYuLmRmMjgyYWU1MTEyMWNlYmMxOTQwYzlhNzEy YmFiYWUyNDE0YWNjNjggMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJp dHkvY29udGVudFNlY3VyaXR5UG9saWN5L3JlcG9ydC1vbmx5LWV4cGVjdGVkLnR4dAorKysgYi9M YXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9yZXBv cnQtb25seS1leHBlY3RlZC50eHQKQEAgLTIsOSArMiw4IEBAIENPTlNPTEUgTUVTU0FHRTogW1Jl cG9ydCBPbmx5XSBSZWZ1c2VkIHRvIGV4ZWN1dGUgaW5saW5lIHNjcmlwdCBiZWNhdXNlIG9mIENv bnRlCiAKIEFMRVJUOiBQQVNTCiBDU1AgcmVwb3J0IHJlY2VpdmVkOgotQ09OVEVOVF9UWVBFOiBh cHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQKK0NPTlRFTlRfVFlQRTogYXBwbGljYXRp b24vanNvbgogSFRUUF9SRUZFUkVSOiBodHRwOi8vMTI3LjAuMC4xOjgwMDAvc2VjdXJpdHkvY29u dGVudFNlY3VyaXR5UG9saWN5L3JlcG9ydC1vbmx5Lmh0bWwKIFJFUVVFU1RfTUVUSE9EOiBQT1NU CiA9PT0gUE9TVCBEQVRBID09PQotZG9jdW1lbnQtdXJsOiBodHRwOi8vMTI3LjAuMC4xOjgwMDAv c2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3JlcG9ydC1vbmx5Lmh0bWwKLXZpb2xhdGVk LWRpcmVjdGl2ZTogc2NyaXB0LXNyYyAnc2VsZicKK3siY3NwLXJlcG9ydCI6eyJkb2N1bWVudC11 cmkiOiJodHRwOi8vMTI3LjAuMC4xOjgwMDAvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5 L3JlcG9ydC1vbmx5Lmh0bWwiLCJ2aW9sYXRlZC1kaXJlY3RpdmUiOiJzY3JpcHQtc3JjICdzZWxm JyJ9fQpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50 U2VjdXJpdHlQb2xpY3kvcmVwb3J0LW9ubHktZnJvbS1oZWFkZXItZXhwZWN0ZWQudHh0IGIvTGF5 b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvcmVwb3J0 LW9ubHktZnJvbS1oZWFkZXItZXhwZWN0ZWQudHh0CmluZGV4IGJiYzMwYWQzYTY3YzUzYzM3NmYy NmU0MGQzNTYyMWMxNmExN2Q3NjQuLmZhYzU5ODEwOTEyODBhMDg3NDk2NjIyN2UzNzJmOWNkOWRm ZjRkYzggMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVu dFNlY3VyaXR5UG9saWN5L3JlcG9ydC1vbmx5LWZyb20taGVhZGVyLWV4cGVjdGVkLnR4dAorKysg Yi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9y ZXBvcnQtb25seS1mcm9tLWhlYWRlci1leHBlY3RlZC50eHQKQEAgLTIsOSArMiw4IEBAIENPTlNP TEUgTUVTU0FHRTogW1JlcG9ydCBPbmx5XSBSZWZ1c2VkIHRvIGV4ZWN1dGUgaW5saW5lIHNjcmlw dCBiZWNhdXNlIG9mIENvbnRlCiAKIEFMRVJUOiBQQVNTCiBDU1AgcmVwb3J0IHJlY2VpdmVkOgot Q09OVEVOVF9UWVBFOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQKK0NPTlRFTlRf VFlQRTogYXBwbGljYXRpb24vanNvbgogSFRUUF9SRUZFUkVSOiBodHRwOi8vMTI3LjAuMC4xOjgw MDAvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3JlcG9ydC1vbmx5LWZyb20taGVhZGVy LnBocAogUkVRVUVTVF9NRVRIT0Q6IFBPU1QKID09PSBQT1NUIERBVEEgPT09Ci1kb2N1bWVudC11 cmw6IGh0dHA6Ly8xMjcuMC4wLjE6ODAwMC9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kv cmVwb3J0LW9ubHktZnJvbS1oZWFkZXIucGhwCi12aW9sYXRlZC1kaXJlY3RpdmU6IHNjcmlwdC1z cmMgJ3NlbGYnCit7ImNzcC1yZXBvcnQiOnsiZG9jdW1lbnQtdXJpIjoiaHR0cDovLzEyNy4wLjAu MTo4MDAwL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9yZXBvcnQtb25seS1mcm9tLWhl YWRlci5waHAiLCJ2aW9sYXRlZC1kaXJlY3RpdmUiOiJzY3JpcHQtc3JjICdzZWxmJyJ9fQpkaWZm IC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQ b2xpY3kvcmVwb3J0LXVyaS1leHBlY3RlZC50eHQgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3Nl Y3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9yZXBvcnQtdXJpLWV4cGVjdGVkLnR4dAppbmRl eCBhMTNjMDBhYWVjMjA1YWJmY2FmODJjY2JjMjlkNWU0NDAwZGIzMWI1Li4zNTY5MDYzODEyZTg3 OTdkNjY1YzFkYWFjMWY1NWM1Mzc3NDRiMzM3IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9odHRw L3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9yZXBvcnQtdXJpLWV4cGVjdGVk LnR4dAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0 eVBvbGljeS9yZXBvcnQtdXJpLWV4cGVjdGVkLnR4dApAQCAtMSw5ICsxLDggQEAKIENPTlNPTEUg TUVTU0FHRTogUmVmdXNlZCB0byBleGVjdXRlIGlubGluZSBzY3JpcHQgYmVjYXVzZSBvZiBDb250 ZW50LVNlY3VyaXR5LVBvbGljeS4KIAogQ1NQIHJlcG9ydCByZWNlaXZlZDoKLUNPTlRFTlRfVFlQ RTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkCitDT05URU5UX1RZUEU6IGFwcGxp Y2F0aW9uL2pzb24KIEhUVFBfUkVGRVJFUjogaHR0cDovLzEyNy4wLjAuMTo4MDAwL3NlY3VyaXR5 L2NvbnRlbnRTZWN1cml0eVBvbGljeS9yZXBvcnQtdXJpLmh0bWwKIFJFUVVFU1RfTUVUSE9EOiBQ T1NUCiA9PT0gUE9TVCBEQVRBID09PQotZG9jdW1lbnQtdXJsOiBodHRwOi8vMTI3LjAuMC4xOjgw MDAvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3JlcG9ydC11cmkuaHRtbAotdmlvbGF0 ZWQtZGlyZWN0aXZlOiBzY3JpcHQtc3JjICdzZWxmJworeyJjc3AtcmVwb3J0Ijp7ImRvY3VtZW50 LXVyaSI6Imh0dHA6Ly8xMjcuMC4wLjE6ODAwMC9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xp Y3kvcmVwb3J0LXVyaS5odG1sIiwidmlvbGF0ZWQtZGlyZWN0aXZlIjoic2NyaXB0LXNyYyAnc2Vs ZicifX0KZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVu dFNlY3VyaXR5UG9saWN5L3JlcG9ydC11cmktZnJvbS1jaGlsZC1mcmFtZS1leHBlY3RlZC50eHQg Yi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9y ZXBvcnQtdXJpLWZyb20tY2hpbGQtZnJhbWUtZXhwZWN0ZWQudHh0CmluZGV4IDg3ZGFlYTFjNWE1 ZGYzOGRkZWQ0YjZmZDkxY2FmOWZmZjcxMjczZTcuLmEwMDgyZGQ5ZTE3NzUzMGY3MTk3OWFhZGM2 NmIxYmFlOTQxZWZkYWUgMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJp dHkvY29udGVudFNlY3VyaXR5UG9saWN5L3JlcG9ydC11cmktZnJvbS1jaGlsZC1mcmFtZS1leHBl Y3RlZC50eHQKKysrIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2Vj dXJpdHlQb2xpY3kvcmVwb3J0LXVyaS1mcm9tLWNoaWxkLWZyYW1lLWV4cGVjdGVkLnR4dApAQCAt Niw5ICs2LDggQEAgQ09OU09MRSBNRVNTQUdFOiBSZWZ1c2VkIHRvIGV4ZWN1dGUgaW5saW5lIHNj cmlwdCBiZWNhdXNlIG9mIENvbnRlbnQtU2VjdXJpdHktUG8KIEZyYW1lOiAnPCEtLWZyYW1lUGF0 aCAvLzwhLS1mcmFtZTAtLT4tLT4nCiAtLS0tLS0tLQogQ1NQIHJlcG9ydCByZWNlaXZlZDoKLUNP TlRFTlRfVFlQRTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkCitDT05URU5UX1RZ UEU6IGFwcGxpY2F0aW9uL2pzb24KIEhUVFBfUkVGRVJFUjogaHR0cDovLzEyNy4wLjAuMTo4MDAw L3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9yZXNvdXJjZXMvZ2VuZXJhdGUtY3NwLXJl cG9ydC5odG1sCiBSRVFVRVNUX01FVEhPRDogUE9TVAogPT09IFBPU1QgREFUQSA9PT0KLWRvY3Vt ZW50LXVybDogaHR0cDovLzEyNy4wLjAuMTo4MDAwL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBv bGljeS9yZXNvdXJjZXMvZ2VuZXJhdGUtY3NwLXJlcG9ydC5odG1sCi12aW9sYXRlZC1kaXJlY3Rp dmU6IHNjcmlwdC1zcmMgJ3NlbGYnCit7ImNzcC1yZXBvcnQiOnsiZG9jdW1lbnQtdXJpIjoiaHR0 cDovLzEyNy4wLjAuMTo4MDAwL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9yZXNvdXJj ZXMvZ2VuZXJhdGUtY3NwLXJlcG9ydC5odG1sIiwidmlvbGF0ZWQtZGlyZWN0aXZlIjoic2NyaXB0 LXNyYyAnc2VsZicifX0KZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJp dHkvY29udGVudFNlY3VyaXR5UG9saWN5L3Jlc291cmNlcy9zYXZlLXJlcG9ydC5waHAgYi9MYXlv dXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9yZXNvdXJj ZXMvc2F2ZS1yZXBvcnQucGhwCmluZGV4IGJiMjk4YTJlMDAwYjU1MTgyM2JlYWIzODIxZDVlNzgw ZDljMTk0M2IuLjgwMjk5MWYwMTJjY2U5NjVjMjJlODUzNzczNDY0NDA4NGE2MjY4Y2EgMTAwNjQ0 Ci0tLSBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9s aWN5L3Jlc291cmNlcy9zYXZlLXJlcG9ydC5waHAKKysrIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0 cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvcmVzb3VyY2VzL3NhdmUtcmVwb3J0LnBo cApAQCAtMTUsMTEgKzE1LDcgQEAgZm9yZWFjaCAoJGh0dHBIZWFkZXJzIGFzICRuYW1lID0+ICR2 YWx1ZSkgewogICAgIH0KIH0KIGZ3cml0ZSgkcmVwb3J0RmlsZSwgIj09PSBQT1NUIERBVEEgPT09 XG4iKTsKLWZvcmVhY2ggKCRfUE9TVCBhcyAkbmFtZSA9PiAkdmFsdWUpIHsKLSAgICAkbmFtZSA9 IHVuZG9NYWdpY1F1b3RlcygkbmFtZSk7Ci0gICAgJHZhbHVlID0gdW5kb01hZ2ljUXVvdGVzKCR2 YWx1ZSk7Ci0gICAgZndyaXRlKCRyZXBvcnRGaWxlLCAiJG5hbWU6ICR2YWx1ZVxuIik7Ci19Citm d3JpdGUoJHJlcG9ydEZpbGUsIGZpbGVfZ2V0X2NvbnRlbnRzKCJwaHA6Ly9pbnB1dCIpKTsKIGZj bG9zZSgkcmVwb3J0RmlsZSk7CiByZW5hbWUoImNzcC1yZXBvcnQudHh0LnRtcCIsICJjc3AtcmVw b3J0LnR4dCIpOwogPz4K