37781 2010-04-18 16:07:24 -0700 [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR 2010-07-04 10:55:18 -0700 1 1 1 Unclassified WebKit XML 528+ (Nightly build) PC OS X 10.5 RESOLVED FIXED InRadar P2 Normal --- 1 jchaffraix jchaffraix abarth ap cevans ddkilzer eric webkit.review.bot oldest_to_newest 213836 0 jchaffraix 2010-04-18 16:07:24 -0700 The cause of this is in DocumentThreadableLoader.cpp:loadRequest // FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was // requested. if (request.url() != response.url() && !isAllowedRedirect(response.url())) { m_client->didFailRedirectCheck(); return; } The request has credentials whereas the response does not, thus the failure. 214480 1 ap 2010-04-19 22:26:47 -0700 Do you have a test case? On Mac OS X, credentials are stripped from URLs before a connection is created: // Take user/pass out of the URL. // Credentials for ftp can only be passed in URL, the connection:didReceiveAuthenticationChallenge: delegate call won't be made. if ((delegate->m_user || delegate->m_pass) && url.protocolInHTTPFamily()) { ResourceRequest requestWithoutCredentials = request; requestWithoutCredentials.removeCredentials(); connection = [[NSURLConnection alloc] initWithRequest:requestWithoutCredentials.nsURLRequest() delegate:delegate startImmediately:NO]; 216766 2 jchaffraix 2010-04-24 17:09:03 -0700 > Do you have a test case? It took me quite so time to retrieve it but I have it now (I thought it was trivial enough to avoid writing one and I was wrong). I need to clean it up before posting it. > On Mac OS X, credentials are stripped from URLs before > a connection is created: > > // Take user/pass out of the URL. > // Credentials for ftp can only be passed in URL, the > connection:didReceiveAuthenticationChallenge: delegate call won't be made. > if ((delegate->m_user || delegate->m_pass) && url.protocolInHTTPFamily()) { > ResourceRequest requestWithoutCredentials = request; > requestWithoutCredentials.removeCredentials(); > connection = [[NSURLConnection alloc] > initWithRequest:requestWithoutCredentials.nsURLRequest() delegate:delegate > startImmediately:NO]; You are partly right. Currently the credentials are stripped at 3 levels: - the DocumentThreadableLoader code for cross-origin requests - the ResourceHandleInternal - the network level (it depends on the platform) I may have missed some call sites as our credential management is far from being straightforward. 216780 3 54228 jchaffraix 2010-04-24 21:27:53 -0700 Created attachment 54228 Proposed fix: Clear the credentials from the actual request Actually I went ahead a corrected the code. The test case is part of the patch FYI. 216850 4 54228 ap 2010-04-25 13:56:02 -0700 Comment on attachment 54228 Proposed fix: Clear the credentials from the actual request Good catch! This is a regression, and another fallback from XMLHttpRequest -> DocumentThreadableLoader code move. The test is ineffective in DRT - with ToT, it prints PASSED and calls notifyDone(), so failure printout is lost: PASSED FAILED: got exception NETWORK_ERR: XMLHttpRequest Exception 101 Your proposed change modifies the common code path - don't we need a regression test for async case? With this change, all code paths in DocumentThreadableLoader now remove credentials. Rather than duplicating the code, it seems that you could just move it to DocumentThreadableLoader constructor. + // request and response URLs (note: the comparison will fail if any credential is involved). This isn't a perfect test though, I don't understand this new comment in parentheses. Could you make it more specific? 216851 5 ap 2010-04-25 13:56:35 -0700 <rdar://problem/7905150> 217120 6 jchaffraix 2010-04-26 08:34:48 -0700 > The test is ineffective in DRT - with ToT, it prints PASSED and calls > notifyDone(), so failure printout is lost: > > PASSED > FAILED: got exception NETWORK_ERR: XMLHttpRequest Exception 101 I thought I had tested this and made sure it would fail badly in ToT. I will updated that. > Your proposed change modifies the common code path - don't we need a regression > test for async case? We do! > With this change, all code paths in DocumentThreadableLoader now remove > credentials. Rather than duplicating the code, it seems that you could just > move it to DocumentThreadableLoader constructor. Completely, it would prevent any more corner cases but like this bug. > + // request and response URLs (note: the comparison will fail if any > credential is involved). This isn't a perfect test though, > > I don't understand this new comment in parentheses. Could you make it more > specific? Yes. The idea is that comparing the request and response URLs as strings will fail if any credential is involved. 217123 7 54303 jchaffraix 2010-04-26 08:36:32 -0700 Created attachment 54303 Proposed fix - take 2: Address Alexey's comments 217226 8 54303 ap 2010-04-26 12:46:15 -0700 Comment on attachment 54303 Proposed fix - take 2: Address Alexey's comments r=me Do the tests pass in Firefox? 218042 9 ddkilzer 2010-04-27 16:47:51 -0700 (In reply to comment #8) > (From update of attachment 54303 [details]) > Do the tests pass in Firefox? http://127.0.0.1:8000/xmlhttprequest/access-control-preflight-credential-async.html FAILED: got exception Access to restricted URI denied http://127.0.0.1:8000/xmlhttprequest/access-control-preflight-credential-sync.html FAILED: got exception Access to restricted URI denied It looks to me like they pass, but throw a different type of exception in Firefox 3.6.3. Julien, can you land this soon? 218161 10 54303 jchaffraix 2010-04-27 19:32:11 -0700 Comment on attachment 54303 Proposed fix - take 2: Address Alexey's comments Clearing the cq flag as I will land it myself (the commit bot did not take it for some reason). 218170 11 jchaffraix 2010-04-27 20:10:17 -0700 > It looks to me like they pass, but throw a different type of exception in > Firefox 3.6.3. Thanks for the testing. The test should not throw any exception as we are doing legal cross-site requests. > Julien, can you land this soon? Landed in r58371 (skipped the test cases on Qt in r58372). Sorry for the delay. 218172 12 webkit.review.bot 2010-04-27 20:32:18 -0700 http://trac.webkit.org/changeset/58371 might have broken Tiger Intel Release 218175 13 jchaffraix 2010-04-27 20:45:04 -0700 I rolled out the changes as it rendered the Qt build bot unreliable and failed constantly on Tiger (see http://build.webkit.org/results/Tiger%20Intel%20Release/r58371%20%2811340%29/results.html). I will investigate the Qt issues. For Tiger, it looks like the patch did not change anything: it is still getting a NETWORK_ERR. 218432 14 jchaffraix 2010-04-28 09:35:24 -0700 > I will investigate the Qt issues. I could not reproduce the failure locally so I guess it must have been some noise on the bot. > For Tiger, it looks like the patch did not > change anything: it is still getting a NETWORK_ERR. Opened https://bugs.webkit.org/show_bug.cgi?id=38265 and added the 2 tests on the Skipped list. Committed the patch in r58409. 226881 15 ap 2010-05-17 13:31:18 -0700 > Thanks for the testing. The test should not throw any exception as we are doing legal cross-site requests. In other words, the credentials should be silently ignored, but Firefox raises an exception. The real wrong thing to do would be to honor the credentials. 246416 16 cevans 2010-07-04 08:07:59 -0700 Does anyone have a summary of the security impact of this? The bug title suggests that it's more of a failure that a security bug. 246427 17 ap 2010-07-04 10:55:18 -0700 A publicly visible bug is not a great place to discuss security, we should probably take it to security@webkit.org. 54228 2010-04-24 21:27:53 -0700 2010-04-26 08:36:32 -0700 Proposed fix: Clear the credentials from the actual request 37781-CORS-credential.diff text/plain 7669 jchaffraix ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCBmZmM5Zjk1Li41ZGY0ZTA2IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VM b2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDUgKzEsMTkgQEAKIDIwMTAtMDQt MjQgIEp1bGllbiBDaGFmZnJhaXggIDxqY2hhZmZyYWl4QHdlYmtpdC5vcmc+CiAKKyAgICAgICAg UmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgW1hIUl0gQ3Jvc3MtT3JpZ2lu IHN5bmNocm9ub3VzIHJlcXVlc3Qgd2l0aCBjcmVkZW50aWFsIHJhaXNlcyBORVRXT1JLX0VSUgor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9Mzc3ODEKKwor ICAgICAgICBUZXN0IHRoYXQgZG9pbmcgYSBzeW5jaHJvbm91cyBjcm9zcy1vcmlnaW4gcmVxdWVz dCB3aXRoIGEgcHJlZmxpZ2h0IGNoZWNrIGRvZXMKKyAgICAgICAgbm90IHJhaXNlIGFuIGV4Y2Vw dGlvbiBhbmQgZG9lcyBub3Qgc2VuZCB0aGUgY3JlZGVudGlhbHMuCisKKyAgICAgICAgKiBodHRw L3Rlc3RzL3htbGh0dHByZXF1ZXN0L2FjY2Vzcy1jb250cm9sLWJhc2ljLWNyZWRlbnRpYWwtc3lu Yy1leHBlY3RlZC50eHQ6IEFkZGVkLgorICAgICAgICAqIGh0dHAvdGVzdHMveG1saHR0cHJlcXVl c3QvYWNjZXNzLWNvbnRyb2wtYmFzaWMtY3JlZGVudGlhbC1zeW5jLmh0bWw6IEFkZGVkLgorICAg ICAgICAqIGh0dHAvdGVzdHMveG1saHR0cHJlcXVlc3QvcmVzb3VyY2VzL2Jhc2ljLWF1dGgvYWNj ZXNzLWNvbnRyb2wtYXV0aC1iYXNpYy5waHA6IEFkZGVkLgorCisyMDEwLTA0LTI0ICBKdWxpZW4g Q2hhZmZyYWl4ICA8amNoYWZmcmFpeEB3ZWJraXQub3JnPgorCiAgICAgICAgIFJldmlld2VkIGJ5 IEFsZXhleSBQcm9za3VyeWFrb3YuCiAKICAgICAgICAgcHJvdG9jb2xIb3N0QW5kUG9ydEVxdWFs cyBob3N0IGNoZWNrIG1ha2VzIGEgd3JvbmcgYXNzdW1wdGlvbgpkaWZmIC0tZ2l0IGEvTGF5b3V0 VGVzdHMvaHR0cC90ZXN0cy94bWxodHRwcmVxdWVzdC9hY2Nlc3MtY29udHJvbC1iYXNpYy1jcmVk ZW50aWFsLXN5bmMtZXhwZWN0ZWQudHh0IGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy94bWxodHRw cmVxdWVzdC9hY2Nlc3MtY29udHJvbC1iYXNpYy1jcmVkZW50aWFsLXN5bmMtZXhwZWN0ZWQudHh0 Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAuLjRmNTQ3MWUKLS0tIC9kZXYvbnVs bAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3htbGh0dHByZXF1ZXN0L2FjY2Vzcy1jb250 cm9sLWJhc2ljLWNyZWRlbnRpYWwtc3luYy1leHBlY3RlZC50eHQKQEAgLTAsMCArMSw0IEBACitU ZXN0IGNhc2UgZm9yIGJ1ZyAzNzc4MTogW1hIUl0gQ3Jvc3MtT3JpZ2luIHN5bmNocm9ub3VzIHJl cXVlc3Qgd2l0aCBjcmVkZW50aWFsIHJhaXNlcyBORVRXT1JLX0VSUgorCitQQVNTRUQKKwpkaWZm IC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy94bWxodHRwcmVxdWVzdC9hY2Nlc3MtY29u dHJvbC1iYXNpYy1jcmVkZW50aWFsLXN5bmMuaHRtbCBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMv eG1saHR0cHJlcXVlc3QvYWNjZXNzLWNvbnRyb2wtYmFzaWMtY3JlZGVudGlhbC1zeW5jLmh0bWwK bmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMC4uZWU2Y2RkMgotLS0gL2Rldi9udWxs CisrKyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMveG1saHR0cHJlcXVlc3QvYWNjZXNzLWNvbnRy b2wtYmFzaWMtY3JlZGVudGlhbC1zeW5jLmh0bWwKQEAgLTAsMCArMSwzMiBAQAorPGh0bWw+Cis8 Ym9keT4KKzxwPlRlc3QgY2FzZSBmb3IgYnVnIDxhIGhyZWY9Imh0dHBzOi8vYnVncy53ZWJraXQu b3JnL3Nob3dfYnVnLmNnaT9pZD0zNzc4MSI+Mzc3ODE8L2E+OiBbWEhSXSBDcm9zcy1PcmlnaW4g c3luY2hyb25vdXMgcmVxdWVzdCB3aXRoIGNyZWRlbnRpYWwgcmFpc2VzIE5FVFdPUktfRVJSPC9w PgorPHByZSBpZD0nY29uc29sZSc+PC9wcmU+Cis8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlw dCI+CitmdW5jdGlvbiBsb2cobWVzc2FnZSkKK3sKKyAgICBkb2N1bWVudC5nZXRFbGVtZW50QnlJ ZCgnY29uc29sZScpLmFwcGVuZENoaWxkKGRvY3VtZW50LmNyZWF0ZVRleHROb2RlKG1lc3NhZ2Ug KyAiXG4iKSk7Cit9CisKK2lmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIpIHsKKyAgICBs YXlvdXRUZXN0Q29udHJvbGxlci5kdW1wQXNUZXh0KCk7CisgICAgbGF5b3V0VGVzdENvbnRyb2xs ZXIud2FpdFVudGlsRG9uZSgpOworfQorCit0cnkgeworICAgIHZhciB4aHIgPSBuZXcgWE1MSHR0 cFJlcXVlc3Q7CisgICAgeGhyLm9wZW4oIlBVVCIsICJodHRwOi8vbG9jYWxob3N0OjgwMDAveG1s aHR0cHJlcXVlc3QvcmVzb3VyY2VzL2Jhc2ljLWF1dGgvYWNjZXNzLWNvbnRyb2wtYXV0aC1iYXNp Yy5waHA/dWlkPWZvb1VzZXIiLCBmYWxzZSwgImZvb1VzZXIiLCAiYmFyUGFzcyIpOworICAgIHho ci5vbnJlYWR5c3RhdGVjaGFuZ2UgPSBmdW5jdGlvbiAoKSB7CisgICAgICAgIGlmICh4aHIucmVh ZHlTdGF0ZSA9PSA0KSB7CisgICAgICAgICAgICBsb2coKHhoci5yZXNwb25zZVRleHQuaW5kZXhP ZigiZm9vVXNlciIpID09IC0xKSA/ICJQQVNTRUQiIDogIkZBSUxFRDogY3JlZGVudGlhbCBzZW5k ISIpOworICAgICAgICAgICAgaWYgKHdpbmRvdy5sYXlvdXRUZXN0Q29udHJvbGxlcikKKyAgICAg ICAgICAgICAgICBsYXlvdXRUZXN0Q29udHJvbGxlci5ub3RpZnlEb25lKCk7CisgICAgICAgIH0K KyAgICB9OworICAgIHhoci5zZW5kKCk7Cit9IGNhdGNoKGUpIHsKKyAgICBsb2coIkZBSUxFRDog Z290IGV4Y2VwdGlvbiAiICsgZS5tZXNzYWdlKTsKK30KKzwvc2NyaXB0PgorPC9ib2R5PgorPC9o dG1sPgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy94bWxodHRwcmVxdWVzdC9y ZXNvdXJjZXMvYmFzaWMtYXV0aC9hY2Nlc3MtY29udHJvbC1hdXRoLWJhc2ljLnBocCBiL0xheW91 dFRlc3RzL2h0dHAvdGVzdHMveG1saHR0cHJlcXVlc3QvcmVzb3VyY2VzL2Jhc2ljLWF1dGgvYWNj ZXNzLWNvbnRyb2wtYXV0aC1iYXNpYy5waHAKbmV3IGZpbGUgbW9kZSAxMDA3NTUKaW5kZXggMDAw MDAwMC4uNjBhOWZhOAotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMv eG1saHR0cHJlcXVlc3QvcmVzb3VyY2VzL2Jhc2ljLWF1dGgvYWNjZXNzLWNvbnRyb2wtYXV0aC1i YXNpYy5waHAKQEAgLTAsMCArMSwxNyBAQAorPD9waHAKKworaGVhZGVyKCJBY2Nlc3MtQ29udHJv bC1BbGxvdy1PcmlnaW46IGh0dHA6Ly8xMjcuMC4wLjE6ODAwMC8iKTsKK2hlYWRlcigiQWNjZXNz LUNvbnRyb2wtQWxsb3ctQ3JlZGVudGlhbHM6IHRydWUiKTsKK2hlYWRlcigiQWNjZXNzLUNvbnRy b2wtQWxsb3ctTWV0aG9kczogUFVUIik7CisKK2lmICgkX1NFUlZFUlsnUkVRVUVTVF9NRVRIT0Qn XSAhPSAiT1BUSU9OUyIpIHsKKyAgICBpZiAoIWlzc2V0KCRfU0VSVkVSWydQSFBfQVVUSF9VU0VS J10pIHx8ICFpc3NldCgkX1JFUVVFU1RbJ3VpZCddKSB8fCAoJF9SRVFVRVNUWyd1aWQnXSAhPSAk X1NFUlZFUlsnUEhQX0FVVEhfVVNFUiddKSkgeworICAgICAgICBoZWFkZXIoJ1dXVy1BdXRoZW50 aWNhdGU6IEJhc2ljIHJlYWxtPSJXZWJLaXQgVGVzdCBSZWFsbS9Dcm9zcyBPcmlnaW4iJyk7Cisg ICAgICAgIGhlYWRlcignSFRUUC8xLjAgNDAxIFVuYXV0aG9yaXplZCcpOworICAgICAgICBlY2hv ICdBdXRoZW50aWNhdGlvbiBjYW5jZWxlZCc7CisgICAgICAgIGV4aXQ7CisgICAgfSBlbHNlIHsK KyAgICAgICAgZWNobyAiVXNlcjogeyRfU0VSVkVSWydQSFBfQVVUSF9VU0VSJ119LCBwYXNzd29y ZDogeyRfU0VSVkVSWydQSFBfQVVUSF9QVyddfS4iOworICAgIH0KK30KKz8+CmRpZmYgLS1naXQg YS9XZWJDb3JlL0NoYW5nZUxvZyBiL1dlYkNvcmUvQ2hhbmdlTG9nCmluZGV4IGFiZTNmNDEuLmFh ZGIwMmUgMTAwNjQ0Ci0tLSBhL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1dlYkNvcmUvQ2hhbmdl TG9nCkBAIC0xLDUgKzEsMjEgQEAKIDIwMTAtMDQtMjQgIEp1bGllbiBDaGFmZnJhaXggIDxqY2hh ZmZyYWl4QHdlYmtpdC5vcmc+CiAKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISku CisKKyAgICAgICAgW1hIUl0gQ3Jvc3MtT3JpZ2luIHN5bmNocm9ub3VzIHJlcXVlc3Qgd2l0aCBj cmVkZW50aWFsIHJhaXNlcyBORVRXT1JLX0VSUgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0 Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9Mzc3ODEKKworICAgICAgICBUZXN0OiBodHRwL3Rlc3RzL3ht bGh0dHByZXF1ZXN0L2FjY2Vzcy1jb250cm9sLWJhc2ljLWNyZWRlbnRpYWwtc3luYy5odG1sCisK KyAgICAgICAgKiBsb2FkZXIvRG9jdW1lbnRUaHJlYWRhYmxlTG9hZGVyLmNwcDoKKyAgICAgICAg KFdlYkNvcmU6OkRvY3VtZW50VGhyZWFkYWJsZUxvYWRlcjo6RG9jdW1lbnRUaHJlYWRhYmxlTG9h ZGVyKTogUmVtb3ZlIHRoZSBjcmVkZW50aWFsCisgICAgICAgIHdoZW4gc3RvcmluZyB0aGUgcmVh bCByZXF1ZXN0IHRoYXQgd2lsbCBiZSBleGVjdXRlZCBpZiB0aGUgcHJlZmxpZ2h0IGlzIHN1Y2Nl c3NmdWwuCisgICAgICAgIChXZWJDb3JlOjpEb2N1bWVudFRocmVhZGFibGVMb2FkZXI6OmxvYWRS ZXF1ZXN0KTogQWRkZWQgc29tZSBhc3NlcnRpb25zIGhlcmUgdG8gYXZvaWQKKyAgICAgICAgbGVh a2luZyBjcmVkZW50aWFscy4gQWxzbyB0d2Vha2VkIGEgY29tbWVudCB0byBtYWtlIGl0IGNsZWFy IHRoYXQgdGhlIFVSTCBjaGVjayBoYXMgaXNzdWUKKyAgICAgICAgd2hlbiBjcmVkZW50aWFsIGlz IGludm9sdmVkLgorCisyMDEwLTA0LTI0ICBKdWxpZW4gQ2hhZmZyYWl4ICA8amNoYWZmcmFpeEB3 ZWJraXQub3JnPgorCiAgICAgICAgIFJldmlld2VkIGJ5IEFsZXhleSBQcm9za3VyeWFrb3YuCiAK ICAgICAgICAgcHJvdG9jb2xIb3N0QW5kUG9ydEVxdWFscyBob3N0IGNoZWNrIG1ha2VzIGEgd3Jv bmcgYXNzdW1wdGlvbgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9sb2FkZXIvRG9jdW1lbnRUaHJlYWRh YmxlTG9hZGVyLmNwcCBiL1dlYkNvcmUvbG9hZGVyL0RvY3VtZW50VGhyZWFkYWJsZUxvYWRlci5j cHAKaW5kZXggM2JlYmJlNi4uNWI2NGJkMyAxMDA2NDQKLS0tIGEvV2ViQ29yZS9sb2FkZXIvRG9j dW1lbnRUaHJlYWRhYmxlTG9hZGVyLmNwcAorKysgYi9XZWJDb3JlL2xvYWRlci9Eb2N1bWVudFRo cmVhZGFibGVMb2FkZXIuY3BwCkBAIC04NSw2ICs4NSw3IEBAIERvY3VtZW50VGhyZWFkYWJsZUxv YWRlcjo6RG9jdW1lbnRUaHJlYWRhYmxlTG9hZGVyKERvY3VtZW50KiBkb2N1bWVudCwgVGhyZWFk YWJsCiAgICAgICAgIG1ha2VTaW1wbGVDcm9zc09yaWdpbkFjY2Vzc1JlcXVlc3QocmVxdWVzdCk7 CiAgICAgZWxzZSB7CiAgICAgICAgIG1fYWN0dWFsUmVxdWVzdC5zZXQobmV3IFJlc291cmNlUmVx dWVzdChyZXF1ZXN0KSk7CisgICAgICAgIG1fYWN0dWFsUmVxdWVzdC0+cmVtb3ZlQ3JlZGVudGlh bHMoKTsKICAgICAgICAgbV9hY3R1YWxSZXF1ZXN0LT5zZXRBbGxvd0Nvb2tpZXMobV9vcHRpb25z LmFsbG93Q3JlZGVudGlhbHMpOwogCiAgICAgICAgIGlmIChDcm9zc09yaWdpblByZWZsaWdodFJl c3VsdENhY2hlOjpzaGFyZWQoKS5jYW5Ta2lwUHJlZmxpZ2h0KGRvY3VtZW50LT5zZWN1cml0eU9y aWdpbigpLT50b1N0cmluZygpLCByZXF1ZXN0LnVybCgpLCBtX29wdGlvbnMuYWxsb3dDcmVkZW50 aWFscywgcmVxdWVzdC5odHRwTWV0aG9kKCksIHJlcXVlc3QuaHR0cEhlYWRlckZpZWxkcygpKSkK QEAgLTI5Nyw2ICsyOTgsMTEgQEAgdm9pZCBEb2N1bWVudFRocmVhZGFibGVMb2FkZXI6OnByZWZs aWdodEZhaWx1cmUoKQogCiB2b2lkIERvY3VtZW50VGhyZWFkYWJsZUxvYWRlcjo6bG9hZFJlcXVl c3QoY29uc3QgUmVzb3VyY2VSZXF1ZXN0JiByZXF1ZXN0LCBTZWN1cml0eUNoZWNrUG9saWN5IHNl Y3VyaXR5Q2hlY2spCiB7CisgICAgLy8gQW55IGNyZWRlbnRpYWwgc2hvdWxkIGhhdmUgYmVlbiBy ZW1vdmVkIGZyb20gdGhlIGNyb3NzLXNpdGUgcmVxdWVzdHMuCisgICAgY29uc3QgS1VSTCYgcmVx dWVzdFVSTCA9IHJlcXVlc3QudXJsKCk7CisgICAgQVNTRVJUKG1fc2FtZU9yaWdpblJlcXVlc3Qg fHwgcmVxdWVzdFVSTC51c2VyKCkuaXNFbXB0eSgpKTsKKyAgICBBU1NFUlQobV9zYW1lT3JpZ2lu UmVxdWVzdCB8fCByZXF1ZXN0VVJMLnBhc3MoKS5pc0VtcHR5KCkpOworCiAgICAgaWYgKG1fYXN5 bmMpIHsKICAgICAgICAgLy8gRG9uJ3Qgc25pZmYgY29udGVudCBvciBzZW5kIGxvYWQgY2FsbGJh Y2tzIGZvciB0aGUgcHJlZmxpZ2h0IHJlcXVlc3QuCiAgICAgICAgIGJvb2wgc2VuZExvYWRDYWxs YmFja3MgPSBtX29wdGlvbnMuc2VuZExvYWRDYWxsYmFja3MgJiYgIW1fYWN0dWFsUmVxdWVzdDsK QEAgLTMyMCwxNSArMzI2LDE1IEBAIHZvaWQgRG9jdW1lbnRUaHJlYWRhYmxlTG9hZGVyOjpsb2Fk UmVxdWVzdChjb25zdCBSZXNvdXJjZVJlcXVlc3QmIHJlcXVlc3QsIFNlY3VyCiAKICAgICAvLyBO byBleGNlcHRpb24gZm9yIGZpbGU6Ly8vIHJlc291cmNlcywgc2VlIDxyZGFyOi8vcHJvYmxlbS80 OTYyMjk4Pi4KICAgICAvLyBBbHNvLCBpZiB3ZSBoYXZlIGFuIEhUVFAgcmVzcG9uc2UsIHRoZW4g aXQgd2Fzbid0IGEgbmV0d29yayBlcnJvciBpbiBmYWN0LgotICAgIGlmICghZXJyb3IuaXNOdWxs KCkgJiYgIXJlcXVlc3QudXJsKCkuaXNMb2NhbEZpbGUoKSAmJiByZXNwb25zZS5odHRwU3RhdHVz Q29kZSgpIDw9IDApIHsKKyAgICBpZiAoIWVycm9yLmlzTnVsbCgpICYmICFyZXF1ZXN0VVJMLmlz TG9jYWxGaWxlKCkgJiYgcmVzcG9uc2UuaHR0cFN0YXR1c0NvZGUoKSA8PSAwKSB7CiAgICAgICAg IG1fY2xpZW50LT5kaWRGYWlsKGVycm9yKTsKICAgICAgICAgcmV0dXJuOwogICAgIH0KIAogICAg IC8vIEZJWE1FOiBGcmFtZUxvYWRlcjo6bG9hZFN5bmNocm9ub3VzbHkoKSBkb2VzIG5vdCB0ZWxs IHVzIHdoZXRoZXIgYSByZWRpcmVjdCBoYXBwZW5lZCBvciBub3QsIHNvIHdlIGd1ZXNzIGJ5IGNv bXBhcmluZyB0aGUKLSAgICAvLyByZXF1ZXN0IGFuZCByZXNwb25zZSBVUkxzLiBUaGlzIGlzbid0 IGEgcGVyZmVjdCB0ZXN0IHRob3VnaCwgc2luY2UgYSBzZXJ2ZXIgY2FuIHNlcnZlIGEgcmVkaXJl Y3QgdG8gdGhlIHNhbWUgVVJMIHRoYXQgd2FzCi0gICAgLy8gcmVxdWVzdGVkLgotICAgIGlmIChy ZXF1ZXN0LnVybCgpICE9IHJlc3BvbnNlLnVybCgpICYmICFpc0FsbG93ZWRSZWRpcmVjdChyZXNw b25zZS51cmwoKSkpIHsKKyAgICAvLyByZXF1ZXN0IGFuZCByZXNwb25zZSBVUkxzIChub3RlOiB0 aGUgY29tcGFyaXNvbiB3aWxsIGZhaWwgaWYgYW55IGNyZWRlbnRpYWwgaXMgaW52b2x2ZWQpLiBU aGlzIGlzbid0IGEgcGVyZmVjdCB0ZXN0IHRob3VnaCwKKyAgICAvLyBzaW5jZSBhIHNlcnZlciBj YW4gc2VydmUgYSByZWRpcmVjdCB0byB0aGUgc2FtZSBVUkwgdGhhdCB3YXMgcmVxdWVzdGVkLgor ICAgIGlmIChyZXF1ZXN0VVJMICE9IHJlc3BvbnNlLnVybCgpICYmICFpc0FsbG93ZWRSZWRpcmVj dChyZXNwb25zZS51cmwoKSkpIHsKICAgICAgICAgbV9jbGllbnQtPmRpZEZhaWxSZWRpcmVjdENo ZWNrKCk7CiAgICAgICAgIHJldHVybjsKICAgICB9Cg== 54303 2010-04-26 08:36:32 -0700 2010-04-27 19:32:11 -0700 Proposed fix - take 2: Address Alexey's comments 37781-CORS-credential-take2.diff text/plain 11736 jchaffraix ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCBmZmM5Zjk1Li43OWNlNjAxIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VM b2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMjAgQEAKKzIwMTAtMDQt MjYgIEp1bGllbiBDaGFmZnJhaXggIDxqY2hhZmZyYWl4QHdlYmtpdC5vcmc+CisKKyAgICAgICAg UmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgW1hIUl0gQ3Jvc3MtT3JpZ2lu IHN5bmNocm9ub3VzIHJlcXVlc3Qgd2l0aCBjcmVkZW50aWFsIHJhaXNlcyBORVRXT1JLX0VSUgor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9Mzc3ODEKKyAg ICAgICAgPHJkYXI6Ly9wcm9ibGVtLzc5MDUxNTA+CisKKyAgICAgICAgVGVzdCB0aGF0IGRvaW5n IGEgY3Jvc3Mtb3JpZ2luIHJlcXVlc3Qgd2l0aCBhIHByZWZsaWdodCBjaGVjayBkb2VzCisgICAg ICAgIG5vdCByYWlzZSBhIE5FVFdPUktfRVJSIGV4Y2VwdGlvbiBhbmQgZG9lcyBub3Qgc2VuZCB0 aGUgY3JlZGVudGlhbHMuCisKKyAgICAgICAgKiBodHRwL3Rlc3RzL3htbGh0dHByZXF1ZXN0L2Fj Y2Vzcy1jb250cm9sLXByZWZsaWdodC1jcmVkZW50aWFsLWFzeW5jLWV4cGVjdGVkLnR4dDogQWRk ZWQuCisgICAgICAgICogaHR0cC90ZXN0cy94bWxodHRwcmVxdWVzdC9hY2Nlc3MtY29udHJvbC1w cmVmbGlnaHQtY3JlZGVudGlhbC1hc3luYy5odG1sOiBBZGRlZC4KKyAgICAgICAgKiBodHRwL3Rl c3RzL3htbGh0dHByZXF1ZXN0L2FjY2Vzcy1jb250cm9sLXByZWZsaWdodC1jcmVkZW50aWFsLXN5 bmMtZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAgICAgKiBodHRwL3Rlc3RzL3htbGh0dHByZXF1 ZXN0L2FjY2Vzcy1jb250cm9sLXByZWZsaWdodC1jcmVkZW50aWFsLXN5bmMuaHRtbDogQWRkZWQu CisgICAgICAgICogaHR0cC90ZXN0cy94bWxodHRwcmVxdWVzdC9yZXNvdXJjZXMvYmFzaWMtYXV0 aC9hY2Nlc3MtY29udHJvbC1hdXRoLWJhc2ljLnBocDogQWRkZWQuCisKIDIwMTAtMDQtMjQgIEp1 bGllbiBDaGFmZnJhaXggIDxqY2hhZmZyYWl4QHdlYmtpdC5vcmc+CiAKICAgICAgICAgUmV2aWV3 ZWQgYnkgQWxleGV5IFByb3NrdXJ5YWtvdi4KZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAv dGVzdHMveG1saHR0cHJlcXVlc3QvYWNjZXNzLWNvbnRyb2wtcHJlZmxpZ2h0LWNyZWRlbnRpYWwt YXN5bmMtZXhwZWN0ZWQudHh0IGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy94bWxodHRwcmVxdWVz dC9hY2Nlc3MtY29udHJvbC1wcmVmbGlnaHQtY3JlZGVudGlhbC1hc3luYy1leHBlY3RlZC50eHQK bmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMC4uNGY1NDcxZQotLS0gL2Rldi9udWxs CisrKyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMveG1saHR0cHJlcXVlc3QvYWNjZXNzLWNvbnRy b2wtcHJlZmxpZ2h0LWNyZWRlbnRpYWwtYXN5bmMtZXhwZWN0ZWQudHh0CkBAIC0wLDAgKzEsNCBA QAorVGVzdCBjYXNlIGZvciBidWcgMzc3ODE6IFtYSFJdIENyb3NzLU9yaWdpbiBzeW5jaHJvbm91 cyByZXF1ZXN0IHdpdGggY3JlZGVudGlhbCByYWlzZXMgTkVUV09SS19FUlIKKworUEFTU0VECisK ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMveG1saHR0cHJlcXVlc3QvYWNjZXNz LWNvbnRyb2wtcHJlZmxpZ2h0LWNyZWRlbnRpYWwtYXN5bmMuaHRtbCBiL0xheW91dFRlc3RzL2h0 dHAvdGVzdHMveG1saHR0cHJlcXVlc3QvYWNjZXNzLWNvbnRyb2wtcHJlZmxpZ2h0LWNyZWRlbnRp YWwtYXN5bmMuaHRtbApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwLi45YmYxYmMw Ci0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy94bWxodHRwcmVxdWVz dC9hY2Nlc3MtY29udHJvbC1wcmVmbGlnaHQtY3JlZGVudGlhbC1hc3luYy5odG1sCkBAIC0wLDAg KzEsMzcgQEAKKzxodG1sPgorPGJvZHk+Cis8cD5UZXN0IGNhc2UgZm9yIGJ1ZyA8YSBocmVmPSJo dHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9Mzc3ODEiPjM3NzgxPC9hPjog W1hIUl0gQ3Jvc3MtT3JpZ2luIHN5bmNocm9ub3VzIHJlcXVlc3Qgd2l0aCBjcmVkZW50aWFsIHJh aXNlcyBORVRXT1JLX0VSUjwvcD4KKzxwcmUgaWQ9J2NvbnNvbGUnPjwvcHJlPgorPHNjcmlwdCB0 eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgorZnVuY3Rpb24gbG9nKG1lc3NhZ2UpCit7CisgICAgZG9j dW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ2NvbnNvbGUnKS5hcHBlbmRDaGlsZChkb2N1bWVudC5jcmVh dGVUZXh0Tm9kZShtZXNzYWdlICsgIlxuIikpOworfQorCitpZiAod2luZG93LmxheW91dFRlc3RD b250cm9sbGVyKSB7CisgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIuZHVtcEFzVGV4dCgpOworICAg IGxheW91dFRlc3RDb250cm9sbGVyLndhaXRVbnRpbERvbmUoKTsKK30KKwordHJ5IHsKKyAgICB2 YXIgeGhyID0gbmV3IFhNTEh0dHBSZXF1ZXN0OworICAgIHhoci5vcGVuKCJQVVQiLCAiaHR0cDov L2xvY2FsaG9zdDo4MDAwL3htbGh0dHByZXF1ZXN0L3Jlc291cmNlcy9iYXNpYy1hdXRoL2FjY2Vz cy1jb250cm9sLWF1dGgtYmFzaWMucGhwP3VpZD1mb29Vc2VyIiwgZmFsc2UsICJmb29Vc2VyIiwg ImJhclBhc3MiKTsKKyAgICB4aHIub25lcnJvciA9IGZ1bmN0aW9uIChlKSB7CisgICAgICAgIGxv ZygiRkFJTEVEOiByZWNlaXZlZCBlcnJvciIpOworICAgICAgICBpZiAod2luZG93LmxheW91dFRl c3RDb250cm9sbGVyKQorICAgICAgICAgICAgbGF5b3V0VGVzdENvbnRyb2xsZXIubm90aWZ5RG9u ZSgpOworICAgIH07CisgICAgeGhyLm9ucmVhZHlzdGF0ZWNoYW5nZSA9IGZ1bmN0aW9uICgpIHsK KyAgICAgICAgaWYgKHhoci5yZWFkeVN0YXRlID09IDQpIHsKKyAgICAgICAgICAgIGxvZygoeGhy LnN0YXR1cyA9PSA0MDEpID8gIlBBU1NFRCIgOiAiRkFJTEVEOiBjcmVkZW50aWFsIHNlbmQhIik7 CisgICAgICAgICAgICBpZiAod2luZG93LmxheW91dFRlc3RDb250cm9sbGVyKQorICAgICAgICAg ICAgICAgIGxheW91dFRlc3RDb250cm9sbGVyLm5vdGlmeURvbmUoKTsKKyAgICAgICAgfQorICAg IH07CisgICAgeGhyLnNlbmQoKTsKK30gY2F0Y2goZSkgeworICAgIGxvZygiRkFJTEVEOiBnb3Qg ZXhjZXB0aW9uICIgKyBlLm1lc3NhZ2UpOworfQorPC9zY3JpcHQ+Cis8L2JvZHk+Cis8L2h0bWw+ CmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3htbGh0dHByZXF1ZXN0L2FjY2Vz cy1jb250cm9sLXByZWZsaWdodC1jcmVkZW50aWFsLXN5bmMtZXhwZWN0ZWQudHh0IGIvTGF5b3V0 VGVzdHMvaHR0cC90ZXN0cy94bWxodHRwcmVxdWVzdC9hY2Nlc3MtY29udHJvbC1wcmVmbGlnaHQt Y3JlZGVudGlhbC1zeW5jLWV4cGVjdGVkLnR4dApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAw MDAwMDAwLi40ZjU0NzFlCi0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0 cy94bWxodHRwcmVxdWVzdC9hY2Nlc3MtY29udHJvbC1wcmVmbGlnaHQtY3JlZGVudGlhbC1zeW5j LWV4cGVjdGVkLnR4dApAQCAtMCwwICsxLDQgQEAKK1Rlc3QgY2FzZSBmb3IgYnVnIDM3NzgxOiBb WEhSXSBDcm9zcy1PcmlnaW4gc3luY2hyb25vdXMgcmVxdWVzdCB3aXRoIGNyZWRlbnRpYWwgcmFp c2VzIE5FVFdPUktfRVJSCisKK1BBU1NFRAorCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9odHRw L3Rlc3RzL3htbGh0dHByZXF1ZXN0L2FjY2Vzcy1jb250cm9sLXByZWZsaWdodC1jcmVkZW50aWFs LXN5bmMuaHRtbCBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMveG1saHR0cHJlcXVlc3QvYWNjZXNz LWNvbnRyb2wtcHJlZmxpZ2h0LWNyZWRlbnRpYWwtc3luYy5odG1sCm5ldyBmaWxlIG1vZGUgMTAw NjQ0CmluZGV4IDAwMDAwMDAuLjliZjFiYzAKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0 cy9odHRwL3Rlc3RzL3htbGh0dHByZXF1ZXN0L2FjY2Vzcy1jb250cm9sLXByZWZsaWdodC1jcmVk ZW50aWFsLXN5bmMuaHRtbApAQCAtMCwwICsxLDM3IEBACis8aHRtbD4KKzxib2R5PgorPHA+VGVz dCBjYXNlIGZvciBidWcgPGEgaHJlZj0iaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcu Y2dpP2lkPTM3NzgxIj4zNzc4MTwvYT46IFtYSFJdIENyb3NzLU9yaWdpbiBzeW5jaHJvbm91cyBy ZXF1ZXN0IHdpdGggY3JlZGVudGlhbCByYWlzZXMgTkVUV09SS19FUlI8L3A+Cis8cHJlIGlkPSdj b25zb2xlJz48L3ByZT4KKzxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4KK2Z1bmN0aW9u IGxvZyhtZXNzYWdlKQoreworICAgIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdjb25zb2xlJyku YXBwZW5kQ2hpbGQoZG9jdW1lbnQuY3JlYXRlVGV4dE5vZGUobWVzc2FnZSArICJcbiIpKTsKK30K KworaWYgKHdpbmRvdy5sYXlvdXRUZXN0Q29udHJvbGxlcikgeworICAgIGxheW91dFRlc3RDb250 cm9sbGVyLmR1bXBBc1RleHQoKTsKKyAgICBsYXlvdXRUZXN0Q29udHJvbGxlci53YWl0VW50aWxE b25lKCk7Cit9CisKK3RyeSB7CisgICAgdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdDsKKyAg ICB4aHIub3BlbigiUFVUIiwgImh0dHA6Ly9sb2NhbGhvc3Q6ODAwMC94bWxodHRwcmVxdWVzdC9y ZXNvdXJjZXMvYmFzaWMtYXV0aC9hY2Nlc3MtY29udHJvbC1hdXRoLWJhc2ljLnBocD91aWQ9Zm9v VXNlciIsIGZhbHNlLCAiZm9vVXNlciIsICJiYXJQYXNzIik7CisgICAgeGhyLm9uZXJyb3IgPSBm dW5jdGlvbiAoZSkgeworICAgICAgICBsb2coIkZBSUxFRDogcmVjZWl2ZWQgZXJyb3IiKTsKKyAg ICAgICAgaWYgKHdpbmRvdy5sYXlvdXRUZXN0Q29udHJvbGxlcikKKyAgICAgICAgICAgIGxheW91 dFRlc3RDb250cm9sbGVyLm5vdGlmeURvbmUoKTsKKyAgICB9OworICAgIHhoci5vbnJlYWR5c3Rh dGVjaGFuZ2UgPSBmdW5jdGlvbiAoKSB7CisgICAgICAgIGlmICh4aHIucmVhZHlTdGF0ZSA9PSA0 KSB7CisgICAgICAgICAgICBsb2coKHhoci5zdGF0dXMgPT0gNDAxKSA/ICJQQVNTRUQiIDogIkZB SUxFRDogY3JlZGVudGlhbCBzZW5kISIpOworICAgICAgICAgICAgaWYgKHdpbmRvdy5sYXlvdXRU ZXN0Q29udHJvbGxlcikKKyAgICAgICAgICAgICAgICBsYXlvdXRUZXN0Q29udHJvbGxlci5ub3Rp ZnlEb25lKCk7CisgICAgICAgIH0KKyAgICB9OworICAgIHhoci5zZW5kKCk7Cit9IGNhdGNoKGUp IHsKKyAgICBsb2coIkZBSUxFRDogZ290IGV4Y2VwdGlvbiAiICsgZS5tZXNzYWdlKTsKK30KKzwv c2NyaXB0PgorPC9ib2R5PgorPC9odG1sPgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90 ZXN0cy94bWxodHRwcmVxdWVzdC9yZXNvdXJjZXMvYmFzaWMtYXV0aC9hY2Nlc3MtY29udHJvbC1h dXRoLWJhc2ljLnBocCBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMveG1saHR0cHJlcXVlc3QvcmVz b3VyY2VzL2Jhc2ljLWF1dGgvYWNjZXNzLWNvbnRyb2wtYXV0aC1iYXNpYy5waHAKbmV3IGZpbGUg bW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMC4uNjBhOWZhOAotLS0gL2Rldi9udWxsCisrKyBiL0xh eW91dFRlc3RzL2h0dHAvdGVzdHMveG1saHR0cHJlcXVlc3QvcmVzb3VyY2VzL2Jhc2ljLWF1dGgv YWNjZXNzLWNvbnRyb2wtYXV0aC1iYXNpYy5waHAKQEAgLTAsMCArMSwxNyBAQAorPD9waHAKKwor aGVhZGVyKCJBY2Nlc3MtQ29udHJvbC1BbGxvdy1PcmlnaW46IGh0dHA6Ly8xMjcuMC4wLjE6ODAw MC8iKTsKK2hlYWRlcigiQWNjZXNzLUNvbnRyb2wtQWxsb3ctQ3JlZGVudGlhbHM6IHRydWUiKTsK K2hlYWRlcigiQWNjZXNzLUNvbnRyb2wtQWxsb3ctTWV0aG9kczogUFVUIik7CisKK2lmICgkX1NF UlZFUlsnUkVRVUVTVF9NRVRIT0QnXSAhPSAiT1BUSU9OUyIpIHsKKyAgICBpZiAoIWlzc2V0KCRf U0VSVkVSWydQSFBfQVVUSF9VU0VSJ10pIHx8ICFpc3NldCgkX1JFUVVFU1RbJ3VpZCddKSB8fCAo JF9SRVFVRVNUWyd1aWQnXSAhPSAkX1NFUlZFUlsnUEhQX0FVVEhfVVNFUiddKSkgeworICAgICAg ICBoZWFkZXIoJ1dXVy1BdXRoZW50aWNhdGU6IEJhc2ljIHJlYWxtPSJXZWJLaXQgVGVzdCBSZWFs bS9Dcm9zcyBPcmlnaW4iJyk7CisgICAgICAgIGhlYWRlcignSFRUUC8xLjAgNDAxIFVuYXV0aG9y aXplZCcpOworICAgICAgICBlY2hvICdBdXRoZW50aWNhdGlvbiBjYW5jZWxlZCc7CisgICAgICAg IGV4aXQ7CisgICAgfSBlbHNlIHsKKyAgICAgICAgZWNobyAiVXNlcjogeyRfU0VSVkVSWydQSFBf QVVUSF9VU0VSJ119LCBwYXNzd29yZDogeyRfU0VSVkVSWydQSFBfQVVUSF9QVyddfS4iOworICAg IH0KK30KKz8+CmRpZmYgLS1naXQgYS9XZWJDb3JlL0NoYW5nZUxvZyBiL1dlYkNvcmUvQ2hhbmdl TG9nCmluZGV4IGFiZTNmNDEuLmYzNTk2YTIgMTAwNjQ0Ci0tLSBhL1dlYkNvcmUvQ2hhbmdlTG9n CisrKyBiL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMjMgQEAKKzIwMTAtMDQtMjYgIEp1 bGllbiBDaGFmZnJhaXggIDxqY2hhZmZyYWl4QHdlYmtpdC5vcmc+CisKKyAgICAgICAgUmV2aWV3 ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgW1hIUl0gQ3Jvc3MtT3JpZ2luIHN5bmNo cm9ub3VzIHJlcXVlc3Qgd2l0aCBjcmVkZW50aWFsIHJhaXNlcyBORVRXT1JLX0VSUgorICAgICAg ICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9Mzc3ODEKKyAgICAgICAg PHJkYXI6Ly9wcm9ibGVtLzc5MDUxNTA+CisKKyAgICAgICAgVGVzdHM6IGh0dHAvdGVzdHMveG1s aHR0cHJlcXVlc3QvYWNjZXNzLWNvbnRyb2wtcHJlZmxpZ2h0LWNyZWRlbnRpYWwtYXN5bmMuaHRt bAorICAgICAgICAgICAgICAgaHR0cC90ZXN0cy94bWxodHRwcmVxdWVzdC9hY2Nlc3MtY29udHJv bC1wcmVmbGlnaHQtY3JlZGVudGlhbC1zeW5jLmh0bWwKKworICAgICAgICAqIGxvYWRlci9Eb2N1 bWVudFRocmVhZGFibGVMb2FkZXIuY3BwOgorICAgICAgICAoV2ViQ29yZTo6RG9jdW1lbnRUaHJl YWRhYmxlTG9hZGVyOjpEb2N1bWVudFRocmVhZGFibGVMb2FkZXIpOiBOb3cgd2UgcmVtb3ZlIHRo ZQorICAgICAgICBjcmVkZW50aWFsIGZyb20gdGhlIHJlcXVlc3QgaGVyZSB0byBhdm9pZCBmb3Jn ZXR0aW5nIHRvIGRvIHNvIGluIHRoZSBkaWZmZXJlbnQgY29kZSBwYXRoLgorICAgICAgICAoV2Vi Q29yZTo6RG9jdW1lbnRUaHJlYWRhYmxlTG9hZGVyOjptYWtlU2ltcGxlQ3Jvc3NPcmlnaW5BY2Nl c3NSZXF1ZXN0KTogSnVzdCBhZGQgdGhlCisgICAgICAgICJPcmlnaW4iIGhlYWRlci4KKyAgICAg ICAgKFdlYkNvcmU6OkRvY3VtZW50VGhyZWFkYWJsZUxvYWRlcjo6bG9hZFJlcXVlc3QpOiBDaGVj ayBoZXJlIHRoZSB0aGUgY3JlZGVudGlhbCBoYXZlCisgICAgICAgIGJlZW4gcmVtb3ZlZCBzbyB0 aGF0IHdlIGRvbid0IGxlYWsgdGhlbS4gQWxzbyB0d2Vha2VkIGEgY29tbWVudCB0byBtYWtlIGl0 IGNsZWFyIHRoYXQKKyAgICAgICAgdGhlIFVSTCBjaGVjayBoYXMgaXNzdWUgd2hlbiBjcmVkZW50 aWFsIGlzIGludm9sdmVkLgorCiAyMDEwLTA0LTI0ICBKdWxpZW4gQ2hhZmZyYWl4ICA8amNoYWZm cmFpeEB3ZWJraXQub3JnPgogCiAgICAgICAgIFJldmlld2VkIGJ5IEFsZXhleSBQcm9za3VyeWFr b3YuCmRpZmYgLS1naXQgYS9XZWJDb3JlL2xvYWRlci9Eb2N1bWVudFRocmVhZGFibGVMb2FkZXIu Y3BwIGIvV2ViQ29yZS9sb2FkZXIvRG9jdW1lbnRUaHJlYWRhYmxlTG9hZGVyLmNwcAppbmRleCAz YmViYmU2Li5lZTkyNmIxIDEwMDY0NAotLS0gYS9XZWJDb3JlL2xvYWRlci9Eb2N1bWVudFRocmVh ZGFibGVMb2FkZXIuY3BwCisrKyBiL1dlYkNvcmUvbG9hZGVyL0RvY3VtZW50VGhyZWFkYWJsZUxv YWRlci5jcHAKQEAgLTgxLDE2ICs4MSwxOSBAQCBEb2N1bWVudFRocmVhZGFibGVMb2FkZXI6OkRv Y3VtZW50VGhyZWFkYWJsZUxvYWRlcihEb2N1bWVudCogZG9jdW1lbnQsIFRocmVhZGFibAogICAg IAogICAgIEFTU0VSVChtX29wdGlvbnMuY3Jvc3NPcmlnaW5SZXF1ZXN0UG9saWN5ID09IFVzZUFj Y2Vzc0NvbnRyb2wpOwogCi0gICAgaWYgKCFtX29wdGlvbnMuZm9yY2VQcmVmbGlnaHQgJiYgaXNT aW1wbGVDcm9zc09yaWdpbkFjY2Vzc1JlcXVlc3QocmVxdWVzdC5odHRwTWV0aG9kKCksIHJlcXVl c3QuaHR0cEhlYWRlckZpZWxkcygpKSkKLSAgICAgICAgbWFrZVNpbXBsZUNyb3NzT3JpZ2luQWNj ZXNzUmVxdWVzdChyZXF1ZXN0KTsKKyAgICBPd25QdHI8UmVzb3VyY2VSZXF1ZXN0PiBjcm9zc09y aWdpblJlcXVlc3QobmV3IFJlc291cmNlUmVxdWVzdChyZXF1ZXN0KSk7CisgICAgY3Jvc3NPcmln aW5SZXF1ZXN0LT5yZW1vdmVDcmVkZW50aWFscygpOworICAgIGNyb3NzT3JpZ2luUmVxdWVzdC0+ c2V0QWxsb3dDb29raWVzKG1fb3B0aW9ucy5hbGxvd0NyZWRlbnRpYWxzKTsKKworICAgIGlmICgh bV9vcHRpb25zLmZvcmNlUHJlZmxpZ2h0ICYmIGlzU2ltcGxlQ3Jvc3NPcmlnaW5BY2Nlc3NSZXF1 ZXN0KGNyb3NzT3JpZ2luUmVxdWVzdC0+aHR0cE1ldGhvZCgpLCBjcm9zc09yaWdpblJlcXVlc3Qt Pmh0dHBIZWFkZXJGaWVsZHMoKSkpCisgICAgICAgIG1ha2VTaW1wbGVDcm9zc09yaWdpbkFjY2Vz c1JlcXVlc3QoKmNyb3NzT3JpZ2luUmVxdWVzdCk7CiAgICAgZWxzZSB7Ci0gICAgICAgIG1fYWN0 dWFsUmVxdWVzdC5zZXQobmV3IFJlc291cmNlUmVxdWVzdChyZXF1ZXN0KSk7Ci0gICAgICAgIG1f YWN0dWFsUmVxdWVzdC0+c2V0QWxsb3dDb29raWVzKG1fb3B0aW9ucy5hbGxvd0NyZWRlbnRpYWxz KTsKKyAgICAgICAgbV9hY3R1YWxSZXF1ZXN0LnNldChjcm9zc09yaWdpblJlcXVlc3QucmVsZWFz ZSgpKTsKIAotICAgICAgICBpZiAoQ3Jvc3NPcmlnaW5QcmVmbGlnaHRSZXN1bHRDYWNoZTo6c2hh cmVkKCkuY2FuU2tpcFByZWZsaWdodChkb2N1bWVudC0+c2VjdXJpdHlPcmlnaW4oKS0+dG9TdHJp bmcoKSwgcmVxdWVzdC51cmwoKSwgbV9vcHRpb25zLmFsbG93Q3JlZGVudGlhbHMsIHJlcXVlc3Qu aHR0cE1ldGhvZCgpLCByZXF1ZXN0Lmh0dHBIZWFkZXJGaWVsZHMoKSkpCisgICAgICAgIGlmIChD cm9zc09yaWdpblByZWZsaWdodFJlc3VsdENhY2hlOjpzaGFyZWQoKS5jYW5Ta2lwUHJlZmxpZ2h0 KGRvY3VtZW50LT5zZWN1cml0eU9yaWdpbigpLT50b1N0cmluZygpLCBtX2FjdHVhbFJlcXVlc3Qt PnVybCgpLCBtX29wdGlvbnMuYWxsb3dDcmVkZW50aWFscywgbV9hY3R1YWxSZXF1ZXN0LT5odHRw TWV0aG9kKCksIG1fYWN0dWFsUmVxdWVzdC0+aHR0cEhlYWRlckZpZWxkcygpKSkKICAgICAgICAg ICAgIHByZWZsaWdodFN1Y2Nlc3MoKTsKICAgICAgICAgZWxzZQotICAgICAgICAgICAgbWFrZUNy b3NzT3JpZ2luQWNjZXNzUmVxdWVzdFdpdGhQcmVmbGlnaHQocmVxdWVzdCk7CisgICAgICAgICAg ICBtYWtlQ3Jvc3NPcmlnaW5BY2Nlc3NSZXF1ZXN0V2l0aFByZWZsaWdodCgqbV9hY3R1YWxSZXF1 ZXN0KTsKICAgICB9CiB9CiAKQEAgLTEwNiw4ICsxMDksNiBAQCB2b2lkIERvY3VtZW50VGhyZWFk YWJsZUxvYWRlcjo6bWFrZVNpbXBsZUNyb3NzT3JpZ2luQWNjZXNzUmVxdWVzdChjb25zdCBSZXNv dXJjZQogCiAgICAgLy8gTWFrZSBhIGNvcHkgb2YgdGhlIHBhc3NlZCByZXF1ZXN0IHNvIHRoYXQg d2UgY2FuIG1vZGlmeSBzb21lIGRldGFpbHMuCiAgICAgUmVzb3VyY2VSZXF1ZXN0IGNyb3NzT3Jp Z2luUmVxdWVzdChyZXF1ZXN0KTsKLSAgICBjcm9zc09yaWdpblJlcXVlc3QucmVtb3ZlQ3JlZGVu dGlhbHMoKTsKLSAgICBjcm9zc09yaWdpblJlcXVlc3Quc2V0QWxsb3dDb29raWVzKG1fb3B0aW9u cy5hbGxvd0NyZWRlbnRpYWxzKTsKICAgICBjcm9zc09yaWdpblJlcXVlc3Quc2V0SFRUUE9yaWdp bihtX2RvY3VtZW50LT5zZWN1cml0eU9yaWdpbigpLT50b1N0cmluZygpKTsKIAogICAgIGxvYWRS ZXF1ZXN0KGNyb3NzT3JpZ2luUmVxdWVzdCwgRG9TZWN1cml0eUNoZWNrKTsKQEAgLTI5Nyw2ICsy OTgsMTEgQEAgdm9pZCBEb2N1bWVudFRocmVhZGFibGVMb2FkZXI6OnByZWZsaWdodEZhaWx1cmUo KQogCiB2b2lkIERvY3VtZW50VGhyZWFkYWJsZUxvYWRlcjo6bG9hZFJlcXVlc3QoY29uc3QgUmVz b3VyY2VSZXF1ZXN0JiByZXF1ZXN0LCBTZWN1cml0eUNoZWNrUG9saWN5IHNlY3VyaXR5Q2hlY2sp CiB7CisgICAgLy8gQW55IGNyZWRlbnRpYWwgc2hvdWxkIGhhdmUgYmVlbiByZW1vdmVkIGZyb20g dGhlIGNyb3NzLXNpdGUgcmVxdWVzdHMuCisgICAgY29uc3QgS1VSTCYgcmVxdWVzdFVSTCA9IHJl cXVlc3QudXJsKCk7CisgICAgQVNTRVJUKG1fc2FtZU9yaWdpblJlcXVlc3QgfHwgcmVxdWVzdFVS TC51c2VyKCkuaXNFbXB0eSgpKTsKKyAgICBBU1NFUlQobV9zYW1lT3JpZ2luUmVxdWVzdCB8fCBy ZXF1ZXN0VVJMLnBhc3MoKS5pc0VtcHR5KCkpOworCiAgICAgaWYgKG1fYXN5bmMpIHsKICAgICAg ICAgLy8gRG9uJ3Qgc25pZmYgY29udGVudCBvciBzZW5kIGxvYWQgY2FsbGJhY2tzIGZvciB0aGUg cHJlZmxpZ2h0IHJlcXVlc3QuCiAgICAgICAgIGJvb2wgc2VuZExvYWRDYWxsYmFja3MgPSBtX29w dGlvbnMuc2VuZExvYWRDYWxsYmFja3MgJiYgIW1fYWN0dWFsUmVxdWVzdDsKQEAgLTMyMCwxNSAr MzI2LDE1IEBAIHZvaWQgRG9jdW1lbnRUaHJlYWRhYmxlTG9hZGVyOjpsb2FkUmVxdWVzdChjb25z dCBSZXNvdXJjZVJlcXVlc3QmIHJlcXVlc3QsIFNlY3VyCiAKICAgICAvLyBObyBleGNlcHRpb24g Zm9yIGZpbGU6Ly8vIHJlc291cmNlcywgc2VlIDxyZGFyOi8vcHJvYmxlbS80OTYyMjk4Pi4KICAg ICAvLyBBbHNvLCBpZiB3ZSBoYXZlIGFuIEhUVFAgcmVzcG9uc2UsIHRoZW4gaXQgd2Fzbid0IGEg bmV0d29yayBlcnJvciBpbiBmYWN0LgotICAgIGlmICghZXJyb3IuaXNOdWxsKCkgJiYgIXJlcXVl c3QudXJsKCkuaXNMb2NhbEZpbGUoKSAmJiByZXNwb25zZS5odHRwU3RhdHVzQ29kZSgpIDw9IDAp IHsKKyAgICBpZiAoIWVycm9yLmlzTnVsbCgpICYmICFyZXF1ZXN0VVJMLmlzTG9jYWxGaWxlKCkg JiYgcmVzcG9uc2UuaHR0cFN0YXR1c0NvZGUoKSA8PSAwKSB7CiAgICAgICAgIG1fY2xpZW50LT5k aWRGYWlsKGVycm9yKTsKICAgICAgICAgcmV0dXJuOwogICAgIH0KIAogICAgIC8vIEZJWE1FOiBG cmFtZUxvYWRlcjo6bG9hZFN5bmNocm9ub3VzbHkoKSBkb2VzIG5vdCB0ZWxsIHVzIHdoZXRoZXIg YSByZWRpcmVjdCBoYXBwZW5lZCBvciBub3QsIHNvIHdlIGd1ZXNzIGJ5IGNvbXBhcmluZyB0aGUK ICAgICAvLyByZXF1ZXN0IGFuZCByZXNwb25zZSBVUkxzLiBUaGlzIGlzbid0IGEgcGVyZmVjdCB0 ZXN0IHRob3VnaCwgc2luY2UgYSBzZXJ2ZXIgY2FuIHNlcnZlIGEgcmVkaXJlY3QgdG8gdGhlIHNh bWUgVVJMIHRoYXQgd2FzCi0gICAgLy8gcmVxdWVzdGVkLgotICAgIGlmIChyZXF1ZXN0LnVybCgp ICE9IHJlc3BvbnNlLnVybCgpICYmICFpc0FsbG93ZWRSZWRpcmVjdChyZXNwb25zZS51cmwoKSkp IHsKKyAgICAvLyByZXF1ZXN0ZWQuIEFsc28gY29tcGFyaW5nIHRoZSByZXF1ZXN0IGFuZCByZXNw b25zZSBVUkxzIGFzIHN0cmluZ3Mgd2lsbCBmYWlsIGlmIHRoZSByZXF1ZXN0VVJMIHN0aWxsIGhh cyBpdHMgY3JlZGVudGlhbHMuCisgICAgaWYgKHJlcXVlc3RVUkwgIT0gcmVzcG9uc2UudXJsKCkg JiYgIWlzQWxsb3dlZFJlZGlyZWN0KHJlc3BvbnNlLnVybCgpKSkgewogICAgICAgICBtX2NsaWVu dC0+ZGlkRmFpbFJlZGlyZWN0Q2hlY2soKTsKICAgICAgICAgcmV0dXJuOwogICAgIH0K