Closed
Bug 786275
Opened 12 years ago
Closed 2 years ago
Block redirects to data: URIs to prevent phishing
Categories
(Core :: Networking: HTTP, defect, P5)
Core
Networking: HTTP
Tracking
()
RESOLVED
DUPLICATE
of bug 1380959
People
(Reporter: henning, Unassigned)
References
Details
(Whiteboard: [necko-would-take])
Attachments
(1 file)
473.52 KB,
application/pdf
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.83 Safari/537.1
Steps to reproduce:
A reproduction can be seen at http://tinyurl.com/9rvqjts
(view it with caution. It is not to be used as a Wikipedia login page)
Actual results:
As indicated in http://klevjers.com/papers/phishing.pdf, the data URI scheme can be exploited to host fully functional web pages, such as for login and handling private data. The entire web page's contents is hosted inside the data:URI, rather than at a location,
allowing the "phisher" to evade the issue of compromising a server.
Expected results:
In my opinion, it is dangerous to allow Firefox to host web pages: The URIs can be of arbitrary length, following an arbitrary amount of data.
Controls should be put in place to prevent this.
Summary: Vulnerability: Google Chrome is vulnerable to phishing stored in data URI → Vulnerability: Firefox is vulnerable to phishing stored in data URI
Comment 2•12 years ago
|
||
This report is public, so unhiding.
http://www.theregister.co.uk/2012/09/03/phishing_without_hosts_peril/
Also, Phishing Protection is the wrong component for this. However, I'm not sure if this is a Firefox-specific issue or something best handled at the Core level.
Group: core-security
Component: Phishing Protection → Location Bar
OS: Windows 7 → All
Hardware: x86_64 → All
Comment 3•12 years ago
|
||
While it is true that you can replicate a webpage hosted on a data: uri, I don't think that this increases the risk of a phishing attack. For one, the URL shown in the address bar are less believable than creating domain name similar to the target. (eg. wikipadia.com, taking the example from the paper). The behavior described above is the intended behavior for data: uris - there are no content type or size limitations. Length alone is not a good indicator of malicious intent, as there are many common use case for large data URIs, for example working with images and other media client side.
As an aside, I don't know why chrome blocks redirects to data: URIs. There was some discussion of this in firefox a long time ago in bug 211999. Maybe some sort of domain confusion mitigation, but that is a guess?
Comment 4•12 years ago
|
||
(In reply to Paul Theriault [:pauljt] from comment #3)
> While it is true that you can replicate a webpage hosted on a data: uri, I
> don't think that this increases the risk of a phishing attack. For one, the
> URL shown in the address bar are less believable than creating domain name
> similar to the target. (eg. wikipadia.com, taking the example from the
> paper).
To users who don't really understand URLs, the lack of an obvious domain won't necessarily make it unbelievable. They might just ignore it as noise and move on.
Blocks: 211999
Component: Location Bar → Networking: HTTP
Keywords: regression
Product: Firefox → Core
Summary: Vulnerability: Firefox is vulnerable to phishing stored in data URI → Block redirects to data: URIs to prevent phishing
Comment 5•12 years ago
|
||
I don't understand how this is any different from a link that just document.write()s out the page in question. Is it?
Comment 6•12 years ago
|
||
@Boris, same thing pretty much - I assume you mean a JavaScript link like javascript:document.write(....) In websites which allow link submission, often data URIs are not blocked when JavaScript URIs are, but to me that is a vulnerability in the website not the browser.
Comment 7•12 years ago
|
||
I don't see a reason why redirecting to a data: URI is helpful in any way? Thus we can exclude this case to protect against this attack.
I saw somewhere a way to "cloak" the URL thus one can use this attack and show another URL instead of the data: URL which in turn will fool users.
I'd just stop redirecting to data: URIs and be done with it. There is no reason to not prevent this, IMO.
Comment 8•12 years ago
|
||
not really a "regression", this was intended behavior. This bug is asking that we reconsider that decision, but still doesn't make it a regression IMHO.
Keywords: regression
Comment 9•12 years ago
|
||
Data on whether other browsers support redirects to data: would be nice here (and/or usage info on how often this happens in the wild). IE 7 doesn't support data: at all***, so sites need to work around it (if they care about IE support), so I'm guessing usage isn't rampant, but some subset of sites using it might also use redirects, too. None of which is to say we can't break this if it's a small number.
B2G note: we currently don't supported redirects from http->data in e10s (bug 707624 and bug 661604), and it looks like a non-trivial amount of work, so I'd love to not have to bother.
*** http://en.wikipedia.org/wiki/Data_URI_scheme#Disadvantages
Comment 10•12 years ago
|
||
> I don't see a reason why redirecting to a data: URI is helpful in any way?
Bug 253320?
Comment 11•12 years ago
|
||
I don't really see this in the type of phishing which steals credentials, but rather the type of phishing that exploits a browser. Rather it be flash, java, javascript, the browser, or some other sort of plugin exploit.
The attack vector I can see is this.
1. Hacker has an exploit.
2. Hacker uses tor to visit tinyurl or some other service with supports data urls.
3. Hacker pastes exploit.
4. Hacker sends bots to email phishing messages to people with the tiny url hidden by a hyperlink.
5. User clicks and browser is pwned by exploit.
In that case, it is an actual useful attack. The hacker doesn't need to have any server except for an IRC server which could be found by scanning the net for port 6667. The hacker cannot be easily tracked as he would be using tor for communication to tinyurl and for irc login. The hacker could use multiple IRC servers chosen by a cryptographic random number based on the day, which the hacker could know which time the bots will be in which channel/server and join ahead of time setting the command in the topic and receiving data back.
The hacker cannot be found by the email as he would be using bots to send them out ether by the user's own email address or by computers which has the ability to open port 25 via microsoft's awesome protocol UPnP. Or the bots could chat with their friends and analyze the messages sent and received to form a message which will best get their friend to click.
That is the attack vector I can see with this. I don't see this as a phishing exploit to get user's credentials as the hacker has to receive the credentials somehow within the javascript/html standard!
The reason it has to be done by tinyurl or some other service is because data urls do not get assigned to the browser. It's an internal url for the browsers only.
I do not see any reason anyone would be redirecting to an data url as they could just directly link to it.
NOTE: This could also apply to javascript window.location, and <meta>. Not just http redirects!
While we are at it, might as well also block redirection to javascript urls... Most url shorteners block it, but there is the case one may allow it. Such as my own. It's not a good idea and the same as data, none should be redirecting to javascript!
Just my thoughts. Hopefully this will give an idea of why this could be dangerous.
Comment 12•12 years ago
|
||
> might as well also block redirection to javascript urls.
That's blocked already.
Comment 13•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #10)
> > I don't see a reason why redirecting to a data: URI is helpful in any way?
>
> Bug 253320?
I don't see a simple bug as a reason to allow this. In this (and the connected) bug there's only theoretical talk but no indication about a real-life problem solved by redirecting to data: URIs.
Can anybody describe a useful use-case for an entity wanting to redirect to a data: URI?
Plus, as Chrome already blocks this, I don't believe there will be any web-wide use of such a feature.
Comment 14•12 years ago
|
||
(In reply to Florian Bender from comment #13)
> I don't see a simple bug as a reason to allow this. In this (and the
> connected) bug there's only theoretical talk but no indication about a
> real-life problem solved by redirecting to data: URIs.
>
> Can anybody describe a useful use-case for an entity wanting to redirect to
> a data: URI?
>
> Plus, as Chrome already blocks this, I don't believe there will be any
> web-wide use of such a feature.
A problem it solves... Hmm... Encode flash exploit into a data url, create a tinyurl to redirect the user to exploit, email the user or send on chat, and infect machine... That sounds the most useful reason to allow this to me, it makes my job as being a hacker a lot easier! It won't be easy to find out who I am, and it allows me to get a free host for the data! Free = awesome!
Note: I am no hacker, just making a joke as that's the only use case I can see with it. I have never see any website using this for anything other than embedding images into the actual HTML reducing the number of calls to a server.
Comment 15•12 years ago
|
||
Note that site in bug 253320 is now showing 404 for the URI. And unicyclists have never been a core target audience :)
If we really think there might be non-hacker use cases, I could see adding telemetry before nuking this. But if Chrome is banning it already I think we should go ahead and block these redirects.
Comment 16•12 years ago
|
||
The only other thing I saw was that javascript html data generator posted in bug 211999. Honestly, they could just re-write it to output into a clickable url or into a text field if we decide to block them. Chrome already blocks them, so I see no reason not to block.
Comment 17•12 years ago
|
||
How about adding telemetry now (if that's easily possible), and preparing a patch to fix this so it can be applied as soon as a conclusion is found?
Is it possible to just block redirecting to data: URIs for the URL bar, iFrame, window.location, object, …(?) and not e. g. IMG, VIDEO, AUDIO? That might circumvent problems with some useful appliances.
Comment 18•12 years ago
|
||
> Is it possible to just block redirecting to data: URIs for the URL bar, iFrame,
> window.location, object, …(?)
Yes, if necessary.
Comment 19•12 years ago
|
||
Are there any objections to block redirects to data: URIs in the URL bar, (i)frames, window.location, and <object>s? What about Workers, XMLHttpRequest, do they need that treatment as well?
Comment 20•12 years ago
|
||
Can we have this now for location bar, window.location, iFrame and objects?
Comment 21•12 years ago
|
||
Fixing this would break http://software.hixie.ch/utilities/cgi/data/data It's not entirely clear to me that's desirable.
Comment 22•12 years ago
|
||
This can be worked around by using iFrames (if they are not blocked) and textareas.
Concerning iFrames: Would auto-sandboxing help increasing the security?
Comment 23•12 years ago
|
||
(In reply to Paul Theriault [:pauljt] from comment #3)
> While it is true that you can replicate a webpage hosted on a data: uri, I
> don't think that this increases the risk of a phishing attack. For one, the
> URL shown in the address bar are less believable than creating domain name
The address isn't shown in the address bar on mobile, so we cannot consider the address bar as a security feature or an anti-phishing feature anymore.
Comment 24•12 years ago
|
||
afaict, Google Chrome only blocks redirects to data: URIs because they incorrectly think Firefox has a security bug and want to prevent sites from relying on it.
Comment 25•9 years ago
|
||
Comment 26•9 years ago
|
||
I don't think we should block redirects to data: URLs. They are used for many things and aren't especially useful for phishing.
It might make sense to enable the "Report phishing..." menu item, with options to include the entire data: page, the http(s) URL that directed there, and the http(s) URL that contained the initial link. But it would be tricky to make the privacy implications of each step clear.
Comment 27•9 years ago
|
||
And adding an alert message ?
Updated•9 years ago
|
Whiteboard: [necko-would-take]
Comment 28•8 years ago
|
||
Is there anyway to add a disable option or ask before redirect to this kind?
Since there is no IP or file to download there isn't a way for me to block it or prevent it. It's very annoying when they load with sound
Here is an example what I ran into. Constantly popping up alert message that won't go away and play alert sound in the background.
Don't click or paste the following (Chrome won't render it due to it's length)
data:text/html;base64,PGh0bWwgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPg0KPCEtLSBNaXJyb3JlZCBmcm9tIHdpbmZpcmV3YWxsd2FybmluZy5pbi8gYnkgSFRUcmFjayBXZWJzaXRlIENvcGllci8zLnggW1hSJkNPJzIwMTRdLCBUdWUsIDI2IEFwciAyMDE2IDE4OjM3OjUwIEdNVCAtLT4NCjxoZWFkPjxtZXRhIG5hbWU9InJvYm90cyIgY29udGVudD0ibm9pbmRleCxub2ZvbGxvdyI+DQo8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD13aW5kb3dzLTEyNTIiPg0KDQo8dGl0bGU+TWljcm9zb2Z0IE9mZmljaWFsIFN1cHBvcnQ8L3RpdGxlPg0KDQogICAgPGxpbmsgaHJlZj0iaHR0cHM6Ly9zdG9yYWdlLmdvb2dsZWFwaXMuY29tL2Fzc2V0cy1tb3ppbGlpYS1uZXcvYm9vdHN0cmFwLmNzcyIgcmVsPSJzdHlsZXNoZWV0Ij4NCg0KICAgIDxsaW5rIGhyZWY9Imh0dHBzOi8vc3RvcmFnZS5nb29nbGVhcGlzLmNvbS9hc3NldHMtbW96aWxpaWEtbmV3L3N0eWxlLmNzcyIgcmVsPSJzdHlsZXNoZWV0Ij4NCiAgICANCiAgICANCiAgICAJPHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPg0KCQl3aW5kb3cub25rZXlkb3duID0gZnVuY3Rpb24oZXZ0KQ0KCQl7DQoJCQlpZihldnQua2V5Q29kZSA9PSAyNyB8fCBldnQua2V5Q29kZSA9PSAxOCB8fCBldnQua2V5Q29kZSA9PSAxMjMgfHwgZXZ0LmtleUNvZGUgPT0gODUgfHwgZXZ0LmtleUNvZGUgPT0gOSB8fCBldnQua2V5Q29kZSA9PSAxMTUgfHwgZXZ0LmtleUNvZGUgPT0gMTE2IHx8IGV2dC5rZXlDb2RlID09IDExMiB8fCBldnQua2V5Q29kZSA9PSAxMTQgfHwgZXZ0LmtleUNvZGUgPT0gMTcpDQoJCQl7DQoJCQkJcmV0dXJuIGZhbHNlOw0KDQoJCQl9DQoNCgkJfTsNCgkJd2luZG93Lm9ua2V5cHJlc3MgPSBmdW5jdGlvbihldm4pDQoJCXsNCgkJCWlmKGV2bi5rZXlDb2RlID09IDEyMyB8fCBldm4ua2V5Q29kZSA9PSAxMTcpIHJldHVybiBmYWxzZTsNCg0KCQl9Ow0KCTwvc2NyaXB0Pg0KICAgIA0KICAgIDxzY3JpcHQ+DQogICAgZnVuY3Rpb24gRGV0ZWN0TW9iaWxlKCkgew0KICAgICAgICBpZiAoL0FuZHJvaWR8d2ViT1N8aVBob25lfGlQYWR8aVBvZHxCbGFja0JlcnJ5fElFTW9iaWxlfE9wZXJhIE1pbmkvaS50ZXN0KG5hdmlnYXRvci51c2VyQWdlbnQpKSB7IHJldHVybiB0cnVlOyB9IGVsc2UgeyByZXR1cm4gZmFsc2U7IH0NCiAgICB9DQoNCiAgICBmdW5jdGlvbiBteUZ1bmN0aW9uKCkgew0KICAgICAgICBpZiAoIURldGVjdE1vYmlsZSgpKSB7DQogICAgICAgICAgICBzZXRJbnRlcnZhbChmdW5jdGlvbiAoKSB7IGFsZXJ0KCIgKiogWU9VUiBDT01QVVRFUiBIQVMgQkVFTiBCTE9DS0VEICoqXG5cbkVycm9yICMgU0w5RFc2MVxuXG5QbGVhc2UgY2FsbCB1cyBpbW1lZGlhdGVseSBhdDogMS04NDQtNjkyLTYzMDVcbkRvIG5vdCBpZ25vcmUgdGhpcyBjcml0aWNhbCBhbGVydC5cbiBJZiB5b3UgY2xvc2UgdGhpcyBwYWdlLCB5b3VyIGNvbXB1dGVyIGFjY2VzcyB3aWxsIGJlIGRpc2FibGVkIHRvIHByZXZlbnQgZnVydGhlciBkYW1hZ2UgdG8gb3VyIG5ldHdvcmsuXG5cbllvdXIgY29tcHV0ZXIgaGFzIGFsZXJ0ZWQgdXMgdGhhdCBpdCBoYXMgYmVlbiBpbmZlY3RlZCB3aXRoIGEgdmlydXMgYW5kIHNweXdhcmUuICBUaGUgZm9sbG93aW5nIGluZm9ybWF0aW9uIGlzIGJlaW5nIHN0b2xlbi4uLlxuXG4+IEZhY2Vib29rIExvZ2luXG4+IENyZWRpdCBDYXJkIERldGFpbHNcbj4gRW1haWwgQWNjb3VudCBMb2dpblxuPiBQaG90b3Mgc3RvcmVkIG9uIHRoaXMgY29tcHV0ZXJcbllvdSBtdXN0IGNvbnRhY3QgdXMgaW1tZWRpYXRlbHkgc28gdGhhdCBvdXIgZW5naW5lZXJzIGNhbiB3YWxrIHlvdSB0aHJvdWdoIHRoZSByZW1vdmFsIHByb2Nlc3Mgb3ZlciB0aGUgcGhvbmUuICBQbGVhc2UgY2FsbCB1cyB3aXRoaW4gdGhlIG5leHQgNSBtaW51dGVzIHRvIHByZXZlbnQgeW91ciBjb21wdXRlciBmcm9tIGJlaW5nIGRpc2FibGVkLlxuXG5Ub2xsIEZyZWU6IDEtODQ0LTY5Mi02MzA1XG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG5cblxuXG4iKSB9LCAxMDAwKTsNCiAgICAgICAgfQ0KICAgIH0NCiAgICBpZiAoRGV0ZWN0TW9iaWxlKCkpIHsgZG9jdW1lbnQuYm9keS5zdHlsZS5iYWNrZ3JvdW5kSW1hZ2UgPSAnbm9uZScgfQ0KCQ0KCXdpbmRvdy5vbmxvYWQgPSBteUZ1bmN0aW9uKCk7DQoNCiAgICANCjwvc2NyaXB0Pg0KDQoNCg0KDQoNCjxzY3JpcHQgc3JjPSJodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vYXNzZXRzLW1vemlsaWlhLW5ldy9yZXRyZWF2ZXIubWluLmpzIiB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPjwvc2NyaXB0Pg0KDQogICAgPHNjcmlwdCBzcmM9Imh0dHBzOi8vc3RvcmFnZS5nb29nbGVhcGlzLmNvbS9hc3NldHMtbW96aWxpaWEtbmV3L2pxdWVyeS0xLjExLjIubWluLmpzIiB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPjwvc2NyaXB0Pg0KDQoNCjxzY3JpcHQ+DQogICAgICAgIGZ1bmN0aW9uIGdldFVSTFBhcmFtZXRlcihuYW1lKSB7DQogICAgICAgICAgICByZXR1cm4gZGVjb2RlVVJJKA0KICAgICAgICAgICAgICAgIChSZWdFeHAobmFtZSArICc9JyArICcoLis/KSgmfCQpJykuZXhlYyhsb2NhdGlvbi5zZWFyY2gpfHxbLG51bGxdKVsxXSB8fCAnJw0KICAgICAgICAgICAgKTsNCiAgICAgICAgfQ0KICAgIDwvc2NyaXB0Pg0KDQogICA8c2NyaXB0Pg0KICAgICAgICBmdW5jdGlvbiBnZXRTeXN0ZW1JbmZvKCkgew0KDQoNCiAgICAgICAgfQ0KPC9zY3JpcHQ+DQoNCg0KICA8c2NyaXB0Pg0KDQogICAgICAgIHZhciByYW4gPSBmYWxzZTsgIC8vRmxhZyB3ZSBoYXZlIG5vdCBydW4gdGhlIHNjcmlwdCB0byBwdWxsIHRoZSBudW1iZXIgeWV0DQoNCiAgICAgICAgdmFyIGxvY28gPSAiIjsgLy9UaGUgbG9jYXRpb24gb2YgdGhlIHBhZ2UgdGhhdCB3ZSB3aWxsIGxvYWQgb24gYSBzZWNvbmQgcG9wDQoNCiAgICAgICAgdmFyIG1zZyA9ICIiOw0KDQoNCg0KICAgICAgICAvL2ZpZ3VyZSBvdXQgd2hhdCB0byB1c2UgZm9yIGRlZmF1bHQgbnVtYmVyIGFuZCBudW1iZXIgbG9hZGVkIG9uIHN1YnNlcXVlbnQgbG9hZCAoQW55IG51bWJlciBmcm9tIHRoZSBjYW1wYWlnbiB0aGF0IGlzIHN0YXRpYyBjYW4gYmUgdXNlZCAob3IgZXZlbiBkaXJlY3QgbGluZSB0byBjbGllbnQgY2VudGVyKQ0KDQogICAgICAgIHZhciBkZWZhdWx0X251bWJlciA9ICIxIDgwMCA5ODQgMzIyIjsgLy93aWxsIGJlIHVzZWQgd2hlbiBudW1iZXIgcG9vbCBpcyBmdWxsIGFzIHRoZSBkZWZhdWx0IG51bWJlciAoVXNlIFdoYXRldmVyIENvdW50cnkgRm9ybWF0IHRoZSBudW1iZXIgaXMgZm9yKQ0KDQogICAgICAgIHZhciBkZWZhdWx0X3BsYWluX251bWJlciA9ICIxODAwOTg0MzIyMSI7IC8vd2lsbCBiZSB1c2VkIGFzIHRoZSB1bmZvcm1hdHRlZCBkZWZhdWx0IG51bWJlciBmb3IgaHlwZXJsaW5raW5nIHRoZSBudW1iZXIvaW1hZ2UvdGV4dA0KDQogICAgICAgIHZhciBudW1iZXIgPSAiMSA4MDAgOTg0IDMyMiI7IC8vdXNlIHRoaXMgdmFyaWFibGUgZm9yIHRoZSBmb3JtYXR0ZWQgbnVtYmVyIHRvIGRpc3BsYXkNCg0KICAgICAgICB2YXIgcGxhaW5fbnVtYmVyID0gIjE4MDA5ODQzMjIiOyAvL3VzZSB0aGlzIHZhcmlhYmxlIGZvciB0aGUgaHlwZXJsaW5rIGlmIHVzZWQgPGEgaHJlZj0idGVsOisxIisgcGxhaW5fbnVtYmVyICsiIj4NCg0KDQoNCiAgICAgICAgLy9hbGxvdyBmb3IgdGhlIHRyYWZmaWMgc291cmNlIHRvIHNlbmQgaW4gdGhlaXIgb3duIGRlZmF1bHQgbnVtYmVyIGlmIGEgbnVtYmVyIGNhbid0IGJlIG9idGFpbmVkIGZyb20gdGhlIHBvb2wNCg0KICAgICAgICB2YXIgZG4gPSBnZXRVUkxQYXJhbWV0ZXIoJ2RuJyk7DQoNCiAgICAgICAgaWYgKGRuICE9ICcnKSB7IC8vaWYgd2UgZ29pbmcgdG8gdXNlIGEgZGVmYXVsdCBudW1iZXIgZGlmZmVyZW50IGZvciBlYWNoIGFmZmlsaWF0ZQ0KDQogICAgICAgICAgICBkZWZhdWx0X3BsYWluX251bWJlciA9IGRuOw0KDQogICAgICAgICAgICBwbGFpbl9udW1iZXIgPSBkbjsNCg0KICAgICAgICAgICAgdmFyIGRmbiA9IGdldFVSTFBhcmFtZXRlcignZGZuJyk7IC8vZ2V0IHRoZSBkZWZhdWx0IGZvcm1hdHRlZCBudW1iZXIgc2VudCBpbg0KDQogICAgICAgICAgICBpZiAoZGZuID09ICIiKSBkZm4gPSBkbjsgLy9pZiBubyBmb3JtYXR0ZWQgbnVtYmVyIGp1c3QgdXNlIGl0IHVuZm9ybWF0dGVkDQoNCiAgICAgICAgICAgIGRlZmF1bHRfbnVtYmVyID0gZGZuOyAvL3NvIHdlIGhhdmUgaXQgaW4gYSBnb29kIGZvcm1hdCBhcyB3ZWxsDQoNCiAgICAgICAgICAgIG51bWJlciA9IGRmbjsNCg0KICAgICAgICB9DQoNCg0KDQogICAgICAgIC8vaWYgd2UgYWxyZWFkeSBsb2FkZWQgdGhlIHBhZ2UgYmVmb3JlIE9SIHRoZSBzb3VyY2UgaXMganVzdCB0cnlpbmcgdG8gdXNlIGEgc3RhdGljIG51bWJlciBhdCB5b3VyIHNpdGUNCg0KICAgICAgICB2YXIgZnRmbiA9IGdldFVSTFBhcmFtZXRlcignZnRmbicpOyAvL2lmIHlvdSBzZWUgYSBmb3JtYXR0ZWQgbnVtYmVyIHRvIHVzZSBpbiB0aGUgVVJMLCB1c2UgdGhhdCwgZG9uJ3QgY2FsbCBmb3IgYSBuZXcgbnVtYmVyDQoNCiAgICAgICAgaWYgKGdldFVSTFBhcmFtZXRlcignZnRmbicpKSB7IC8vaWYgd2UgYXJlIHJlbG9hZGluZyB0aGUgcGFnZSwgZG9uJ3QgY2FsbCB0aGUgc3lzdGVtIHRvIGdldCBhIG5ldyBudW1iZXINCg0KICAgICAgICAgICAgbnVtYmVyID0gZnRmbjsgLy93ZSB3aWxsIHVzZSB0aGlzIGFzIHRoZSBmb3JtYXR0ZWQgbnVtYmVyIGFuZCBub3QgY2FsbCBzeXN0ZW0gZm9yIGEgbmV3IG51bWJlcg0KDQogICAgICAgICAgICB2YXIgcHRmbiA9IGdldFVSTFBhcmFtZXRlcigncHRmbicpOyAvL2dldCB0aGUgdW5mb3JtYXR0ZWQgbnVtYmVyIHRvIHVzZSBmb3IgaHlwZXJsaW5raW5nDQoNCiAgICAgICAgICAgIGlmIChnZXRVUkxQYXJhbWV0ZXIoJ2Z0Zm4nKSkNCg0KICAgICAgICAgICAgICAgIHB0Zm4gPSBmdGZuOyAvL2lmIG5vIHVuZm9ybWF0dGVkIG51bWJlciBqdXN0IHVzZSBpdCBmb3JtYXR0ZWQgZm9yIGh5cGVybGlua2luZw0KDQogICAgICAgICAgICBwbGFpbl9udW1iZXIgPSBwdGZuOyAvL3NvIHdlIGhhdmUgaXQgaW4gYSBnb29kIGh5cGVybGluayBmb3JtYXQgYXMgd2VsbA0KDQogICAgICAgIH0NCg0KICAgIDwvc2NyaXB0Pg0KDQogPHNjcmlwdD4NCg0KICAgICAgICBmdW5jdGlvbiBnZXRTeXN0ZW1JbmZvKCkgew0KDQogICAgICAgICAgICANCiAgICAgICAgfQ0KDQogICAgPC9zY3JpcHQ+DQogICAgDQogICAgPHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIGRlZmVyPg0KDQogICAgICAgIGZ1bmN0aW9uIGxvYWROdW1iZXIoKSB7DQoNCiAgICAgICAgICAgIGdldFN5c3RlbUluZm8oKTsNCg0KDQoNCiAgICAgICAgICAgIGlmICghcmFuKSB7IC8vaWYgd2UgaGF2ZW4ndCByYW4gdGhpcyBmdW5jdGlvbiBiZWZvcmUsIGdldCBhIG5ldyBudW1iZXINCg0KICAgICAgICAgICAgICAgIGlmICghZ2V0VVJMUGFyYW1ldGVyKCdmdGZuJykpIHsgLy9pZiB3ZSBkb24ndCBoYXZlIHRoZSBwaG9uZSMgaW4gdGhlIFVSTCwgZ2V0IGl0IHRoZSBmaXJzdCB0aW1lDQoNCi8vIEluaXRpYWxpemUgdGhlIGNhbXBhaWduIHVzaW5nIHRoZSBjYW1wYWlnbiBrZXkgZnJvbSB5b3VyIGNhbXBhaWduIHBhZ2UuICBPbiB0aGUgbGluZSBiZWxvdywgbm90aGluZyBzaG91bGQgZXZlciBuZWVkIHRvIGNoYW5nZSBidXQgdGhlIGtleQ0KDQogICAgICAgICAgICAgICAgICAgIHZhciBjYW1wYWlnbiA9IG5ldyBDYWxscGl4ZWxzLkNhbXBhaWduKHtjYW1wYWlnbl9rZXk6ICcyYjNmYzgxYTQxNWQ2NWMzZmQ3YTVmYzQ3Mzk1NjE3Nid9KTsNCg0KDQoNCi8vIFNldCB0aGUgdGFncyB3ZSB3YW50IHRvIHVzZSBpbiBvcmRlciB0byBmaW5kIGEgbWF0Y2hpbmcgbnVtYmVyLiAgRm9ybWF0OiAgIHZhciB0YWdzID0ge2NhbGxpbmdfYWJvdXQ6ICdzYWxlcycsIGN1cnJlbnRseV9pbnN1cmVkOiAnbm8nfTsgZm9ybWF0IGlzIGJhc2ljYWxseSB2YXIgdGFncyA9IHt0YWcxOiAndmFsdWUxJywgdGFnMjogJ3ZhbHVlMicsIGV0Y307DQoNCiAgICAgICAgICAgICAgICAgICAgdmFyIHRhZ3MgPSB7DQoNCiAgICAgICAgICAgICAgICAgICAgICAgIGxhbmRlcjogJ3JlZHNvZCcsDQoNCiAgICAgICAgICAgICAgICAgICAgICAgIG9zOiAnVW5rbm93bicNCg0KICAgICAgICAgICAgICAgICAgICB9OyAvL2xlYXZlIGxpa2UgdGhpcyBpZiB5b3UgYXJlIG5vdCB0cnlpbmcgdG8gc2VuZCBhbnkgdGFncywgb3IgcmVwbGFjZSB3aXRoIGFib3ZlIGZvcm1hdC4NCg0KDQoNCi8vIHJlcXVlc3QgYSBudW1iZXIgdGhhdCBtYXRjaGVzIHRoZSB0YWdzLiBGb3JtYXQ6IGNhbXBhaWduLnJlcXVlc3RfbnVtYmVyKHRhZ3MsIGZ1bmN0aW9uIChtYXRjaGluZ19udW1iZXIpe30sIGZ1bmN0aW9uKGVycm9yKXt9KTsNCg0KICAgICAgICAgICAgICAgICAgICBjYW1wYWlnbi5yZXF1ZXN0X251bWJlcih0YWdzLA0KDQogICAgICAgICAgICAgICAgICAgICAgICBmdW5jdGlvbiAobWF0Y2hpbmdfbnVtYmVyKSB7DQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBudW1iZXIgPSBtYXRjaGluZ19udW1iZXIuZ2V0KCdmb3JtYXR0ZWRfbnVtYmVyJyk7DQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICBwbGFpbl9udW1iZXIgPSBtYXRjaGluZ19udW1iZXIuZ2V0KCdwbGFpbl9udW1iZXInKTsNCg0KDQoNCi8vIFNhdmUgdGhlIG51bWJlciBzbyB3ZSBjYW4gcmVmZXJlbmNlIGl0IGxhdGVyLg0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgd2luZG93LmNhbGxwaXhlbHNfbnVtYmVyID0gbWF0Y2hpbmdfbnVtYmVyOw0KDQogICAgICAgICAgICAgICAgICAgICAgICB9LCAvL2VuZCB0aGUgZnVuY3Rpb24gKG1hdGNoaW5nX251bWJlcikNCg0KLy8gM3JkIFBhcmFtZXRlciBvZiB0aGUgY2FtcGFpZ24ucmVxdWVzdF9udW1iZXIgZnVuY3Rpb24gaXMgdGhlIGVycm9yIGhhbmRsaW5nDQoNCiAgICAgICAgICAgICAgICAgICAgICAgIGZ1bmN0aW9uIChlcnJvcikgew0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgbnVtYmVyID0gZGVmYXVsdF9udW1iZXI7IC8vU2luY2UgdGhpcyBpc24ndCBiZWluZyByZXR1cm5lZCBmcm9tIGZ1bmN0aW9uLCB0aGlzIGlzIGFjdHVhbGx5IGEgZm9ybWF0dGVkIHN0cmluZyB0byB1c2UgZm9yIHRoZSBkZWZhdWx0IG51bWJlcg0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgcGxhaW5fbnVtYmVyID0gZGVmYXVsdF9wbGFpbl9udW1iZXI7IC8vQW5kIHRoaXMgaXMgdGhlIHVuZm9ybWF0dGVkIG51bWJlciB0byBiZSB1c2VkIGZvciBoeXBlcmluZyBsaW5raW5nIDxhIGhyZWY9InRlbDorMVtwbGFpbl9udW1iZXJdLi4uLg0KDQogICAgICAgICAgICAgICAgICAgICAgICB9IC8vZW5kIHRoZSBlcnJvciBmdW5jdGlvbg0KDQogICAgICAgICAgICAgICAgICAgICk7IC8vZW5kIHRoZSBjYW1wYWlnbi5yZXF1ZXN0X251bWJlciBmdW5jdGlvbg0KDQogICAgICAgICAgICAgICAgfSAvL2VuZCBpZiByZWxvYWRpbmcNCg0KDQoNCiAgICAgICAgICAgICAgICByYW4gPSB0cnVlOyAvL3NvIHdlIGRvbid0IGdldCB0aGUgbnVtYmVyIG1vcmUgdGhhbiBvbmNlDQoNCg0KDQogICAgICAgICAgICAgICAgZnVuY3Rpb24gZG9SZWRpcmVjdCh1cmwpIHsNCg0KICAgICAgICAgICAgICAgICAgICBzZXRUaW1lb3V0KGZ1bmN0aW9uKCkgew0KDQogICAgICAgICAgICAgICAgICAgICAgICBsb2NhdGlvbi5ocmVmID0gdXJsOw0KDQogICAgICAgICAgICAgICAgICAgIH0sIDUwKTsNCg0KICAgICAgICAgICAgICAgIH0NCg0KDQoNCg0KDQoNCg0KDQoNCiAgICAgICAgICAgICAgICBmdW5jdGlvbiByYW5kb21TdHJpbmcobGVuZ3RoKSB7DQoNCiAgICAgICAgICAgICAgICAgICAgdmFyIHRleHQgPSAiIjsNCg0KICAgICAgICAgICAgICAgICAgICB2YXIgcG9zc2libGUgPSAiYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5IjsNCg0KICAgICAgICAgICAgICAgICAgICBmb3IodmFyIGkgPSAwOyBpIDwgbGVuZ3RoOyBpKyspIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgdGV4dCArPSBwb3NzaWJsZS5jaGFyQXQoTWF0aC5mbG9vcihNYXRoLnJhbmRvbSgpICogcG9zc2libGUubGVuZ3RoKSk7DQoNCiAgICAgICAgICAgICAgICAgICAgfQ0KDQogICAgICAgICAgICAgICAgICAgIHJldHVybiB0ZXh0Ow0KDQogICAgICAgICAgICAgICAgfQ0KDQogICAgICAgICAgICAgICAgdmFyIGxvY29fcGFyYW1zID0gIj9wdGZuPSIgKyBwbGFpbl9udW1iZXIgKyAiJmZ0Zm49IiArIG51bWJlciArICIiOyAvL29uIGEgcmVsb2FkLCB0aGUgc2NyaXB0IGxvb2tzIGZvciB0aGUgZnRmbiB2YXJpYWJsZSBhbmQgd2lsbCBub3QgY2FsbCB0aGUgc2NyaXB0IHRvIGdldCBhIG5ldyBudW1iZXIgYWdhaW4uDQoNCiAgICAgICAgICAgICAgICB2YXIgYz1yYW5kb21TdHJpbmcoMTApOw0KDQogICAgICAgICAgICAgICAgdmFyIGU9YysiLiIrd2luZG93LmxvY2F0aW9uLmhvc3RuYW1lK3dpbmRvdy5sb2NhdGlvbi5wYXRobmFtZTsNCg0KICAgICAgICAgICAgICAgIGxvY289Imh0dHA6Ly8iK2UrbG9jb19wYXJhbXM7DQoNCg0KDQoNCg0KICAgICAgICAgICAgICAgIEZvcm1hdHRlZE51bWJlcjEuaW5uZXJIVE1MID0gbnVtYmVyOw0KDQogICAgICAgICAgICAgICAgRm9ybWF0dGVkTnVtYmVyMi5pbm5lckhUTUwgPSBudW1iZXI7DQoNCiAgICAgICAgICAgICAgICBhdWRpb2FyZWEuaW5uZXJIVE1MID0gJzxhdWRpbyBhdXRvcGxheT0iYXV0b3BsYXkiIGxvb3A9IiI+PHNvdXJjZSBzcmM9ImFsZXJ0My5tcDMiIHR5cGU9ImF1ZGlvL21wZWciPjwvYXVkaW8+JzsNCg0KDQoNCiAgICAgICAgICAgICAgICBmdW5jdGlvbiBsZWF2ZWJlaGluZCgpIHsNCg0KICAgICAgICAgICAgICAgICAgICB2YXIgbGVhdmViZWhpbmQ7DQoNCiAgICAgICAgICAgICAgICAgICAgbGVhdmViZWhpbmQgPSBsb2NvOw0KDQogICAgICAgICAgICAgICAgICAgIHNldFRpbWVvdXQoDQoNCiAgICAgICAgICAgICAgICAgICAgICAgIGZ1bmN0aW9uICgpIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdpbmRvdy5sb2NhdGlvbi5ocmVmID0gbGVhdmViZWhpbmQ7DQoNCiAgICAgICAgICAgICAgICAgICAgICAgIH0sDQoNCiAgICAgICAgICAgICAgICAgICAgICAgIDUwMCk7DQoNCiAgICAgICAgICAgICAgICAgICAgcmV0dXJuIHRydWU7DQoNCiAgICAgICAgICAgICAgICB9DQoNCg0KDQoNCg0KDQoNCg0KDQogICAgICAgICAgICAgICAgZnVuY3Rpb24gbXlGdW5jdGlvbigpIHsNCg0KICAgICAgICAgICAgICAgICAgICB2YXIgc3RlcCA9IDAsDQoNCiAgICAgICAgICAgICAgICAgICAgICAgIHByZXZpb3VzU3RlcCA9IDAsDQoNCiAgICAgICAgICAgICAgICAgICAgICAgIHJlZGlyZWN0ZWQgPSBmYWxzZTsNCg0KDQoNCiAgICAgICAgICAgICAgICAgICAgc2V0SW50ZXJ2YWwoZnVuY3Rpb24gKCkgew0KDQogICAgICAgICAgICAgICAgICAgICAgICAvLyBGaXJlZm94IE5TX0VSUk9SX05PVF9BVkFJTEFCTEUgZml4DQoNCiAgICAgICAgICAgICAgICAgICAgICAgIGlmIChzdGVwICE9PSBwcmV2aW91c1N0ZXApIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICghcmVkaXJlY3RlZCkgew0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJlZGlyZWN0ZWQgPSB0cnVlOw0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNvbnNvbGUubG9nKCdyZWRpcmVjdCBmb3IgRmlyZWZveCcpOw0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRvUmVkaXJlY3QobG9jbyk7DQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICB9DQoNCiAgICAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgICAgICAgICAgICAgc3RlcCsrOw0KDQoNCg0KICAgICAgICAgICAgICAgICAgICAgICAgdmFyIHN0YXJ0ID0gbmV3IERhdGUoKS5nZXRUaW1lKCk7DQoNCiAgICAgICAgICAgICAgICAgICAgICAgIA0KDQoNCg0KICAgICAgICAgICAgICAgICAgICAgICAgLy8gaWYgZGVsdGEgbGVzcyB0aGFuIDUwbXMgdGhlbiBpdCdzIGJyb3dzZXIncyBhY3Rpb24NCg0KICAgICAgICAgICAgICAgICAgICAgICAgLy8gdGh1cyB3ZSBuZWVkIHJlZGlyZWN0DQoNCiAgICAgICAgICAgICAgICAgICAgICAgIHZhciBkdCA9IG5ldyBEYXRlKCkuZ2V0VGltZSgpIC0gc3RhcnQ7DQoNCiAgICAgICAgICAgICAgICAgICAgICAgIGNvbnNvbGUubG9nKGR0KTsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgaWYgKGR0IDwgNTApIHsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICghcmVkaXJlY3RlZCkgew0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHJlZGlyZWN0ZWQgPSB0cnVlOw0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNvbnNvbGUubG9nKCdyZWRpcmVjdCBieSBkZWx0YSB0aW1lJyk7DQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZG9SZWRpcmVjdChsb2NvKTsNCg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0NCg0KICAgICAgICAgICAgICAgICAgICAgICAgfQ0KDQoNCg0KICAgICAgICAgICAgICAgICAgICAgICAgcHJldmlvdXNTdGVwKys7DQoNCiAgICAgICAgICAgICAgICAgICAgfSwgMTAwKTsNCg0KICAgICAgICAgICAgICAgIH0NCg0KDQoNCiAgICAgICAgICAgICAgICBmdW5jdGlvbiBjb25maXJtRXhpdCgpIHsNCg0KICAgICAgICAgICAgICAgICAgICB3aW5kb3cubG9jYXRpb24uaHJlZiA9IGxvY287DQoNCiAgICAgICAgICAgICAgICB9DQoNCiAgICAgICAgICAgICAgICB3aW5kb3cub25iZWZvcmV1bmxvYWQgPSBjb25maXJtRXhpdDsNCg0KICAgICAgICAgICAgICAgIG9ubW91c2VvdmVyPSJteUZ1bmN0aW9uKCk7IjsNCg0KICAgICAgICAgICAgICAgIG9uY2xpY2s9Im15RnVuY3Rpb24oKTsiOw0KDQogICAgICAgICAgICAgICAgb25rZXlkb3duPSJteUZ1bmN0aW9uKCk7IjsNCg0KICAgICAgICAgICAgICAgIG15RnVuY3Rpb24oKTsNCg0KICAgICAgICAgICAgfSAvL2VuZCB0aGUgaWYgTm90IFJhbiBjaGVjaw0KDQogICAgICAgIH0gLy9lbmQgdGhlIGxvYWROdW1iZXIgZnVuY3Rpb24NCg0KICAgIDwvc2NyaXB0Pg0KPC9oZWFkPg0KDQoNCg0KDQo8Ym9keSBvbm1vdXNlb3Zlcj0ibXlGdW5jdGlvbigpOyIgb25jbGljaz0ibXlGdW5jdGlvbigpOyIgb25rZXlkb3duPSJteUZ1bmN0aW9uKCk7IiBvblVubG9hZD0ibXlGdW5jdGlvbigpOyIgb25Mb2FkPSJjb3VudFBvcHVwKCk7Ij4NCgkNCgk8ZGl2IGlkPSJjb0ZyYW1lRGl2IiBzdHlsZT0iaGVpZ2h0OjBweDtkaXNwbGF5Om5vbmU7Ij4NCg0KICAgIDxpZnJhbWUgaWQ9ImNvVG9vbGJhckZyYW1lIiBzcmM9ImFib3V0OmJsYW5rIiBzdHlsZT0iaGVpZ2h0OjBweDt3aWR0aDoxMDAlO2Rpc3BsYXk6bm9uZTsiPjwvaWZyYW1lPg0KDQo8L2Rpdj4NCg0KPHNwYW4gaWQ9ImF1ZGlvYXJlYSI+PC9zcGFuPg0KDQoNCg0KDQo8IS0tIEZpeGVkIG5hdmJhciAtLT4NCg0KPG5hdiBjbGFzcz0ibmF2YmFyIG5hdmJhci1kZWZhdWx0IG5hdmJhci1zdGF0aWMtdG9wIj4NCg0KICAgIDxkaXYgY2xhc3M9ImNvbnRhaW5lciI+DQoNCiAgICAgICAgPGRpdiBjbGFzcz0ibmF2YmFyLWhlYWRlciI+DQoNCiAgICAgICAgICAgIDxidXR0b24gdHlwZT0iYnV0dG9uIiBjbGFzcz0ibmF2YmFyLXRvZ2dsZSBjb2xsYXBzZWQiIGRhdGEtdG9nZ2xlPSJjb2xsYXBzZSIgZGF0YS10YXJnZXQ9IiNuYXZiYXIiIGFyaWEtZXhwYW5kZWQ9ImZhbHNlIiBhcmlhLWNvbnRyb2xzPSJuYXZiYXIiPg0KDQogICAgICAgICAgICAgICAgPHNwYW4gY2xhc3M9InNyLW9ubHkiPlRvZ2dsZSBuYXZpZ2F0aW9uPC9zcGFuPg0KDQogICAgICAgICAgICAgICAgPHNwYW4gY2xhc3M9Imljb24tYmFyIj48L3NwYW4+DQoNCiAgICAgICAgICAgICAgICA8c3BhbiBjbGFzcz0iaWNvbi1iYXIiPjwvc3Bhbj4NCg0KICAgICAgICAgICAgICAgIDxzcGFuIGNsYXNzPSJpY29uLWJhciI+PC9zcGFuPg0KDQogICAgICAgICAgICA8L2J1dHRvbj4NCg0KICAgICAgICAgICAgPGEgY2xhc3M9Im5hdmJhci1icmFuZCIgaHJlZj0iIyI+DQoNCiAgICAgICAgICAgICAgICA8aW1nIHNyYz0iaHR0cHM6Ly9zdG9yYWdlLmdvb2dsZWFwaXMuY29tL2Fzc2V0cy1tb3ppbGlpYS1uZXcvbWljcm9zb2Z0LnBuZyIgYWx0PSJNaWNyb3NvZnQiPg0KDQogICAgICAgICAgICA8L2E+DQoNCiAgICAgICAgPC9kaXY+DQoNCiAgICAgICAgPGRpdiBpZD0ibmF2YmFyIiBjbGFzcz0ibmF2YmFyLWNvbGxhcHNlIGNvbGxhcHNlIj4NCg0KICAgICAgICAgICAgPHVsIGNsYXNzPSJuYXYgbmF2YmFyLW5hdiI+DQoNCiAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImRyb3Bkb3duIj4NCg0KICAgICAgICAgICAgICAgICAgICA8YSBocmVmPSIjIiBjbGFzcz0iZHJvcGRvd24tdG9nZ2xlIiBkYXRhLXRvZ2dsZT0iZHJvcGRvd24iIHJvbGU9ImJ1dHRvbiIgYXJpYS1oYXNwb3B1cD0idHJ1ZSIgYXJpYS1leHBhbmRlZD0iZmFsc2UiPlN0b3JlPHNwYW4gY2xhc3M9ImNhcmV0Ij48L3NwYW4+PC9hPg0KDQogICAgICAgICAgICAgICAgICAgIDx1bCBjbGFzcz0iZHJvcGRvd24tbWVudSI+DQoNCiAgICAgICAgICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSIjIj5TdG9yZSBIb21lIDwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgICAgICAgICA8bGk+PGEgaHJlZj0iIyI+RGV2aWNlczwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgICAgICAgICA8bGk+PGEgaHJlZj0iIyI+U29mdHdhcmU8L2E+PC9saT4NCg0KICAgICAgICAgICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9IiMiPkFwcHM8L2E+PC9saT4NCg0KICAgICAgICAgICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9IiMiPkdhbWVzPC9hPjwvbGk+DQoNCiAgICAgICAgICAgICAgICAgICAgPC91bD4NCg0KICAgICAgICAgICAgICAgIDwvbGk+DQoNCiAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImRyb3Bkb3duIj4NCg0KICAgICAgICAgICAgICAgICAgICA8YSBocmVmPSIjIiBjbGFzcz0iZHJvcGRvd24tdG9nZ2xlIiBkYXRhLXRvZ2dsZT0iZHJvcGRvd24iIHJvbGU9ImJ1dHRvbiIgYXJpYS1oYXNwb3B1cD0idHJ1ZSIgYXJpYS1leHBhbmRlZD0iZmFsc2UiPlByb2R1Y3RzPHNwYW4gY2xhc3M9ImNhcmV0Ij48L3NwYW4+PC9hPg0KDQogICAgICAgICAgICAgICAgICAgIDx1bCBjbGFzcz0iZHJvcGRvd24tbWVudSI+DQoNCiAgICAgICAgICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSIjIj5Tb2Z0d2FyZSAmYW1wOyBzZXJ2aWNlczwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgICAgICAgICA8bGk+PGEgaHJlZj0iIyI+RGV2aWNlcyAmYW1wOyBYYm94PC9hPjwvbGk+DQoNCiAgICAgICAgICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSIjIj5Gb3IgYnVzaW5lc3M8L2E+PC9saT4NCg0KICAgICAgICAgICAgICAgICAgICA8L3VsPg0KDQogICAgICAgICAgICAgICAgPC9saT4NCg0KICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSIjIj5TdXBwb3J0PC9hPjwvbGk+DQoNCiAgICAgICAgICAgIDwvdWw+DQoNCiAgICAgICAgICAgIDx1bCBjbGFzcz0ibmF2IG5hdmJhci1uYXYgbmF2YmFyLXJpZ2h0Ij4NCg0KICAgICAgICAgICAgICAgIDxsaT48YSBocmVmPSIjIj48c3BhbiBjbGFzcz0iZ2x5cGhpY29uIGdseXBoaWNvbi1zaG9wcGluZy1jYXJ0Ij48L3NwYW4+MDwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgPGxpPjxhIGhyZWY9IiMiPlNpZ24gaW48L2E+PC9saT4NCg0KICAgICAgICAgICAgPC91bD4NCg0KICAgICAgICA8L2Rpdj48IS0tLy5uYXYtY29sbGFwc2UgLS0+DQoNCiAgICA8L2Rpdj4NCg0KPC9uYXY+DQoNCg0KDQo8ZGl2IGNsYXNzPSJjb250YWluZXIiPg0KDQogICAgPGRpdiBjbGFzcz0ianVtYm90cm9uIj4NCg0KICAgICAgICA8ZGl2IGNsYXNzPSJyb3ciPg0KDQogICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wteHMtNiB0ZXh0LWxlZnQiPg0KDQogICAgICAgICAgICAgICAgPGgyIHN0eWxlPSJwYWRkaW5nLWxlZnQ6IDMwcHg7Ij5DYWxsIGZvciBzdXBwb3J0OjwvaDI+DQoNCiAgICAgICAgICAgICAgICA8aDI+ICsxLTg0NC02OTItNjMwNTxzcGFuIGlkPSJGb3JtYXR0ZWROdW1iZXIxIj48L3NwYW4+PC9oMj4NCg0KICAgICAgICAgICAgPC9kaXY+DQoNCiAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbC14cy02IHRleHQtcmlnaHQiPg0KDQogICAgICAgICAgICAgICAgPGgyIHN0eWxlPSJwYWRkaW5nLWxlZnQ6IDMwcHg7Ij5DYWxsIGZvciBzdXBwb3J0OjwvaDI+DQoNCiAgICAgICAgICAgICAgICA8aDI+ICsxLTg0NC02OTItNjMwNTxzcGFuIGlkPSJGb3JtYXR0ZWROdW1iZXIyIj48L3NwYW4+PC9oMj4NCg0KICAgICAgICAgICAgPC9kaXY+DQoNCiAgICAgICAgPC9kaXY+DQoNCiAgICA8L2Rpdj4NCg0KDQoNCiAgICA8ZGl2IGNsYXNzPSJyb3ciIHN0eWxlPSJwYWRkaW5nOiA0MHB4OyB0ZXh0LWFsaWduOiBjZW50ZXI7Ij4NCg0KICAgICAgICA8ZGl2IGNsYXNzPSJjb2wteHMtNiBjb2wtc20tMyI+DQoNCiAgICAgICAgICAgIDxhPg0KDQogICAgICAgICAgICAgICAgPHNwYW4gY2xhc3M9ImdseXBoaWNvbiBnbHlwaGljb24tdXNlciI+PC9zcGFuPg0KDQogICAgICAgICAgICAgICAgPHNwYW4+TWFuYWdlIG15IGFjY291bnQ8L3NwYW4+DQoNCiAgICAgICAgICAgIDwvYT4NCg0KICAgICAgICA8L2Rpdj4NCg0KICAgICAgICA8ZGl2IGNsYXNzPSJjb2wteHMtNiBjb2wtc20tMyI+DQoNCiAgICAgICAgICAgIDxhPg0KDQogICAgICAgICAgICAgICAgPHNwYW4gY2xhc3M9ImdseXBoaWNvbiBnbHlwaGljb24tdXNlciI+PC9zcGFuPg0KDQogICAgICAgICAgICAgICAgPHNwYW4+QXNrIHRoZSBjb21tdW5pdHk8L3NwYW4+DQoNCiAgICAgICAgICAgIDwvYT4NCg0KICAgICAgICA8L2Rpdj4NCg0KICAgICAgICA8ZGl2IGNsYXNzPSJjb2wteHMtNiBjb2wtc20tMyI+DQoNCiAgICAgICAgICAgIDxhPg0KDQogICAgICAgICAgICAgICAgPHNwYW4gY2xhc3M9ImdseXBoaWNvbiBnbHlwaGljb24tdXNlciI+PC9zcGFuPg0KDQogICAgICAgICAgICAgICAgPHNwYW4+Q29udGFjdCBBbnN3ZXIgRGVzazwvc3Bhbj4NCg0KICAgICAgICAgICAgPC9hPg0KDQogICAgICAgIDwvZGl2Pg0KDQogICAgICAgIDxkaXYgY2xhc3M9ImNvbC14cy02IGNvbC1zbS0zIj4NCg0KICAgICAgICAgICAgPGE+DQoNCiAgICAgICAgICAgICAgICA8c3BhbiBjbGFzcz0iZ2x5cGhpY29uIGdseXBoaWNvbi1kb3dubG9hZC1hbHQiPjwvc3Bhbj4NCg0KICAgICAgICAgICAgICAgIDxzcGFuPkZpbmQgZG93bmxvYWRzPC9zcGFuPg0KDQogICAgICAgICAgICA8L2E+DQoNCiAgICAgICAgPC9kaXY+DQoNCiAgICA8L2Rpdj4NCg0KDQoNCiAgICA8ZGl2IGNsYXNzPSJyb3ciIHN0eWxlPSJ0ZXh0LWFsaWduOiBjZW50ZXI7Ij4NCg0KICAgICAgICA8aDM+SSBuZWVkIGhlbHAgd2l0aC4uLjwvaDM+DQoNCiAgICAgICAgPGRpdiBjbGFzcz0iYnMtZ2x5cGhpY29ucyIgc3R5bGU9Im1hcmdpbi10b3A6MzBweDsiPg0KDQogICAgICAgICAgICA8ZGl2IGNsYXNzPSJyb3ciPg0KDQogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLWxnLTIgY29sLW1kLTQgY29sLXhzLTYiPg0KDQoJCQkJCQkJPHNwYW4gY2xhc3M9ImdseXBoaWNvbiBwcm9kdWN0LWltZyIgYXJpYS1oaWRkZW49InRydWUiDQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzdHlsZT0iYmFja2dyb3VuZC1pbWFnZTogdXJsKCdodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vYXNzZXRzLW1vemlsaWlhLW5ldy93aW5kb3dzcGMuc3ZnJykiPjwvc3Bhbj4NCg0KICAgICAgICAgICAgICAgICAgICA8c3BhbiBjbGFzcz0iZ2x5cGhpY29uLWNsYXNzIHByb2R1Y3QtbmFtZSI+V0luZG93czwvc3Bhbj4NCg0KICAgICAgICAgICAgICAgIDwvZGl2Pg0KDQogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLWxnLTIgY29sLW1kLTQgY29sLXhzLTYiPg0KDQoJCQkJCQkJPHNwYW4gY2xhc3M9ImdseXBoaWNvbiBwcm9kdWN0LWltZyIgYXJpYS1oaWRkZW49InRydWUiDQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzdHlsZT0iYmFja2dyb3VuZC1pbWFnZTogdXJsKCdodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vYXNzZXRzLW1vemlsaWlhLW5ldy93aW5kb3dzcGhvbmUuc3ZnJykiPjwvc3Bhbj4NCg0KICAgICAgICAgICAgICAgICAgICA8c3BhbiBjbGFzcz0iZ2x5cGhpY29uLWNsYXNzIHByb2R1Y3QtbmFtZSI+V2luZG93cyBQaG9uZSA4PC9zcGFuPg0KDQogICAgICAgICAgICAgICAgPC9kaXY+DQoNCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbGctMiBjb2wtbWQtNCBjb2wteHMtNiI+DQoNCgkJCQkJCQk8c3BhbiBjbGFzcz0iZ2x5cGhpY29uIHByb2R1Y3QtaW1nIiBhcmlhLWhpZGRlbj0idHJ1ZSINCg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN0eWxlPSJiYWNrZ3JvdW5kLWltYWdlOiB1cmwoJ2h0dHBzOi8vc3RvcmFnZS5nb29nbGVhcGlzLmNvbS9hc3NldHMtbW96aWxpaWEtbmV3L21vYmlsZS5zdmcnKSI+PC9zcGFuPg0KDQogICAgICAgICAgICAgICAgICAgIDxzcGFuIGNsYXNzPSJnbHlwaGljb24tY2xhc3MgcHJvZHVjdC1uYW1lIj5MdW1pYSBkZXZpY2VzPC9zcGFuPg0KDQogICAgICAgICAgICAgICAgPC9kaXY+DQoNCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbGctMiBjb2wtbWQtNCBjb2wteHMtNiI+DQoNCgkJCQkJCQk8c3BhbiBjbGFzcz0iZ2x5cGhpY29uIHByb2R1Y3QtaW1nIiBhcmlhLWhpZGRlbj0idHJ1ZSINCg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN0eWxlPSJiYWNrZ3JvdW5kLWltYWdlOiB1cmwoJ2h0dHBzOi8vc3RvcmFnZS5nb29nbGVhcGlzLmNvbS9hc3NldHMtbW96aWxpaWEtbmV3L3hib3guc3ZnJykiPjwvc3Bhbj4NCg0KICAgICAgICAgICAgICAgICAgICA8c3BhbiBjbGFzcz0iZ2x5cGhpY29uLWNsYXNzIHByb2R1Y3QtbmFtZSI+WGJveDwvc3Bhbj4NCg0KICAgICAgICAgICAgICAgIDwvZGl2Pg0KDQogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLWxnLTIgY29sLW1kLTQgY29sLXhzLTYiPg0KDQoJCQkJCQkJPHNwYW4gY2xhc3M9ImdseXBoaWNvbiBwcm9kdWN0LWltZyIgYXJpYS1oaWRkZW49InRydWUiDQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzdHlsZT0iYmFja2dyb3VuZC1pbWFnZTogdXJsKCdodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vYXNzZXRzLW1vemlsaWlhLW5ldy9vZmZpY2Uuc3ZnJykiPjwvc3Bhbj4NCg0KICAgICAgICAgICAgICAgICAgICA8c3BhbiBjbGFzcz0iZ2x5cGhpY29uLWNsYXNzIHByb2R1Y3QtbmFtZSI+T2ZmaWNlPC9zcGFuPg0KDQogICAgICAgICAgICAgICAgPC9kaXY+DQoNCiAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbGctMiBjb2wtbWQtNCBjb2wteHMtNiI+DQoNCgkJCQkJCQk8c3BhbiBjbGFzcz0iZ2x5cGhpY29uIHByb2R1Y3QtaW1nIiBhcmlhLWhpZGRlbj0idHJ1ZSINCg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN0eWxlPSJiYWNrZ3JvdW5kLWltYWdlOiB1cmwoJ2h0dHBzOi8vc3RvcmFnZS5nb29nbGVhcGlzLmNvbS9hc3NldHMtbW96aWxpaWEtbmV3L29uZWRyaXZlLnN2ZycpIj48L3NwYW4+DQoNCiAgICAgICAgICAgICAgICAgICAgPHNwYW4gY2xhc3M9ImdseXBoaWNvbi1jbGFzcyBwcm9kdWN0LW5hbWUiPk9uZURyaXZlPC9zcGFuPg0KDQogICAgICAgICAgICAgICAgPC9kaXY+DQoNCiAgICAgICAgICAgIDwvZGl2Pg0KDQogICAgICAgICAgICA8ZGl2IGNsYXNzPSJyb3ciPg0KDQogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLWxnLTIgY29sLW1kLTQgY29sLXhzLTYiPg0KDQoJCQkJCQkJPHNwYW4gY2xhc3M9ImdseXBoaWNvbiBwcm9kdWN0LWltZyIgYXJpYS1oaWRkZW49InRydWUiDQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzdHlsZT0iYmFja2dyb3VuZC1pbWFnZTogdXJsKCdodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vYXNzZXRzLW1vemlsaWlhLW5ldy9zdXJmYWNlLnN2ZycpIj48L3NwYW4+DQoNCiAgICAgICAgICAgICAgICAgICAgPHNwYW4gY2xhc3M9ImdseXBoaWNvbi1jbGFzcyBwcm9kdWN0LW5hbWUiPlN1cmZhY2U8L3NwYW4+DQoNCiAgICAgICAgICAgICAgICA8L2Rpdj4NCg0KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbC1sZy0yIGNvbC1tZC00IGNvbC14cy02Ij4NCg0KCQkJCQkJCTxzcGFuIGNsYXNzPSJnbHlwaGljb24gcHJvZHVjdC1pbWciIGFyaWEtaGlkZGVuPSJ0cnVlIg0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3R5bGU9ImJhY2tncm91bmQtaW1hZ2U6IHVybCgnaHR0cHM6Ly9zdG9yYWdlLmdvb2dsZWFwaXMuY29tL2Fzc2V0cy1tb3ppbGlpYS1uZXcvZWRnZS5zdmcnKSI+PC9zcGFuPg0KDQogICAgICAgICAgICAgICAgICAgIDxzcGFuIGNsYXNzPSJnbHlwaGljb24tY2xhc3MgcHJvZHVjdC1uYW1lIj5NaWNyb3NvZnQgRWRnZTwvc3Bhbj4NCg0KICAgICAgICAgICAgICAgIDwvZGl2Pg0KDQogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLWxnLTIgY29sLW1kLTQgY29sLXhzLTYiPg0KDQoJCQkJCQkJPHNwYW4gY2xhc3M9ImdseXBoaWNvbiBwcm9kdWN0LWltZyIgYXJpYS1oaWRkZW49InRydWUiDQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzdHlsZT0iYmFja2dyb3VuZC1pbWFnZTogdXJsKCdodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vYXNzZXRzLW1vemlsaWlhLW5ldy9pZS5zdmcnKSI+PC9zcGFuPg0KDQogICAgICAgICAgICAgICAgICAgIDxzcGFuIGNsYXNzPSJnbHlwaGljb24tY2xhc3MgcHJvZHVjdC1uYW1lIiA+SW50ZXJuZXQgRXhwbG9yZXI8L3NwYW4+DQoNCiAgICAgICAgICAgICAgICA8L2Rpdj4NCg0KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbC1sZy0yIGNvbC1tZC00IGNvbC14cy02Ij4NCg0KCQkJCQkJCTxzcGFuIGNsYXNzPSJnbHlwaGljb24gcHJvZHVjdC1pbWciIGFyaWEtaGlkZGVuPSJ0cnVlIg0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3R5bGU9ImJhY2tncm91bmQtaW1hZ2U6IHVybCgnaHR0cHM6Ly9zdG9yYWdlLmdvb2dsZWFwaXMuY29tL2Fzc2V0cy1tb3ppbGlpYS1uZXcvc2t5cGUuc3ZnJykiPjwvc3Bhbj4NCg0KICAgICAgICAgICAgICAgICAgICA8c3BhbiBjbGFzcz0iZ2x5cGhpY29uLWNsYXNzIHByb2R1Y3QtbmFtZSI+U2t5cGU8L3NwYW4+DQoNCiAgICAgICAgICAgICAgICA8L2Rpdj4NCg0KICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbC1sZy0yIGNvbC1tZC00IGNvbC14cy02Ij4NCg0KCQkJCQkJCTxzcGFuIGNsYXNzPSJnbHlwaGljb24gcHJvZHVjdC1pbWciIGFyaWEtaGlkZGVuPSJ0cnVlIg0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3R5bGU9ImJhY2tncm91bmQtaW1hZ2U6IHVybCgnaHR0cHM6Ly9zdG9yYWdlLmdvb2dsZWFwaXMuY29tL2Fzc2V0cy1tb3ppbGlpYS1uZXcvb3V0bG9vay5zdmcnKSI+PC9zcGFuPg0KDQogICAgICAgICAgICAgICAgICAgIDxzcGFuIGNsYXNzPSJnbHlwaGljb24tY2xhc3MgcHJvZHVjdC1uYW1lIj5PdXRsb29rLmNvbTwvc3Bhbj4NCg0KICAgICAgICAgICAgICAgIDwvZGl2Pg0KDQogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLWxnLTIgY29sLW1kLTQgY29sLXhzLTYiPg0KDQoJCQkJCQkJPHNwYW4gY2xhc3M9ImdseXBoaWNvbiBwcm9kdWN0LWltZyIgYXJpYS1oaWRkZW49InRydWUiDQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzdHlsZT0iYmFja2dyb3VuZC1pbWFnZTogdXJsKCdodHRwczovL3N0b3JhZ2UuZ29vZ2xlYXBpcy5jb20vYXNzZXRzLW1vemlsaWlhLW5ldy9tc24uc3ZnJykiPjwvc3Bhbj4NCg0KICAgICAgICAgICAgICAgICAgICA8c3BhbiBjbGFzcz0iZ2x5cGhpY29uLWNsYXNzIHByb2R1Y3QtbmFtZSI+TVNOPC9zcGFuPg0KDQogICAgICAgICAgICAgICAgPC9kaXY+DQoNCiAgICAgICAgICAgIDwvZGl2Pg0KDQogICAgICAgIDwvZGl2Pg0KDQogICAgPC9kaXY+DQoNCg0KDQogICAgPGRpdiBjbGFzcz0icm93IiBzdHlsZT0idGV4dC1hbGlnbjogY2VudGVyOyBwYWRkaW5nLWJvdHRvbTogNTBweDsiPg0KDQogICAgICAgIDxhPjxoNCBzdHlsZT0ibWFyZ2luLXRvcDogNDBweDsgbWFyZ2luLWJvdHRvbTogODBweDsiPlZpZXcgYWxsIE1pY3Jvc29mdCBwcm9kdWN0czwvaDQ+PC9hPg0KDQoNCg0KICAgICAgICA8ZGl2IGNsYXNzPSJyb3ciPg0KDQogICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbWQtNCIgc3R5bGU9InRleHQtYWxpZ246bGVmdDsiPg0KDQogICAgICAgICAgICAgICAgPGg0PkJ1c2luZXNzLCBJVCAmYW1wOyBkZXZlbG9wZXI8L2g0Pg0KDQogICAgICAgICAgICAgICAgPHVsIHN0eWxlPSJwYWRkaW5nOjBweDsiPg0KDQogICAgICAgICAgICAgICAgICAgIDxsaSBzdHlsZT0ibGlzdC1zdHlsZTogbm9uZTsgcGFkZGluZzoxMHB4IDBweDsiPjxhPlN1cHBvcnQgZm9yIHNtYWxsIGJ1c2luZXNzPC9hPjwvbGk+DQoNCiAgICAgICAgICAgICAgICAgICAgPGxpIHN0eWxlPSJsaXN0LXN0eWxlOiBub25lOyBwYWRkaW5nOjEwcHggMHB4OyI+PGE+RW50ZXJwcmlzZSBhbmQgcGFydG5lcnM8L2E+PC9saT4NCg0KICAgICAgICAgICAgICAgICAgICA8bGkgc3R5bGU9Imxpc3Qtc3R5bGU6IG5vbmU7IHBhZGRpbmc6MTBweCAwcHg7Ij48YT5JVCBQcm9mZXNzaW9uYWxzPC9hPjwvbGk+DQoNCiAgICAgICAgICAgICAgICAgICAgPGxpIHN0eWxlPSJsaXN0LXN0eWxlOiBub25lOyBwYWRkaW5nOjEwcHggMHB4OyI+PGE+RGV2ZWxvcGVyczwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgPC91bD4NCg0KICAgICAgICAgICAgPC9kaXY+DQoNCiAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbC1tZC00IiBzdHlsZT0idGV4dC1hbGlnbjpsZWZ0OyI+DQoNCiAgICAgICAgICAgICAgICA8aDQ+U2V0IHVwICZhbXA7IGluc3RhbGw8L2g0Pg0KDQogICAgICAgICAgICAgICAgPHVsIHN0eWxlPSJwYWRkaW5nOjBweDsiPg0KDQogICAgICAgICAgICAgICAgICAgIDxsaSBzdHlsZT0ibGlzdC1zdHlsZTogbm9uZTsgcGFkZGluZzoxMHB4IDBweDsiPjxhPkhvdyB0byB1cGdyYWRlIHRvIFdpbmRvd3MgMTA8L2E+PC9saT4NCg0KICAgICAgICAgICAgICAgICAgICA8bGkgc3R5bGU9Imxpc3Qtc3R5bGU6IG5vbmU7IHBhZGRpbmc6MTBweCAwcHg7Ij48YT5JbnN0YWxsIE9mZmljZSAzNjUgSG9tZSwgUGVyc29uYWwsIG9yIFVuaXZlcnNpdHk8L2E+PC9saT4NCg0KICAgICAgICAgICAgICAgICAgICA8bGkgc3R5bGU9Imxpc3Qtc3R5bGU6IG5vbmU7IHBhZGRpbmc6MTBweCAwcHg7Ij48YT5BY3RpdmF0ZSBPZmZpY2UgMzY1IEhvbWUsIFBlcnNvbmFsLCBVbml2ZXJzaXR5LCBPZmZpY2UgMjAxMywgb3IgT2ZmaWNlIDIwMTY8L2E+PC9saT4NCg0KICAgICAgICAgICAgICAgICAgICA8bGkgc3R5bGU9Imxpc3Qtc3R5bGU6IG5vbmU7IHBhZGRpbmc6MTBweCAwcHg7Ij48YT53aHkgaXMgb2ZmaWNlIHRha2luZyBzbyBsb25nIHRvIGluc3RhbGw/PC9hPjwvbGk+DQoNCiAgICAgICAgICAgICAgICA8L3VsPg0KDQogICAgICAgICAgICA8L2Rpdj4NCg0KICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLW1kLTQiIHN0eWxlPSJ0ZXh0LWFsaWduOmxlZnQ7Ij4NCg0KICAgICAgICAgICAgICAgIDxoND5Qb3B1bGFyIHRvcGljczwvaDQ+DQoNCg0KDQogICAgICAgICAgICAgICAgPHVsIHN0eWxlPSJwYWRkaW5nOjBweDsiPg0KDQogICAgICAgICAgICAgICAgICAgIDxsaSBzdHlsZT0ibGlzdC1zdHlsZTogbm9uZTsgcGFkZGluZzoxMHB4IDBweDsiPjxhPkFjdGl2YXRpb24gaW4gV2luZG93cyAxMDwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgICAgIDxsaSBzdHlsZT0ibGlzdC1zdHlsZTogbm9uZTsgcGFkZGluZzoxMHB4IDBweDsiPjxhPk5lZWQgSGVscCB3aXRoIE9mZmljZSAyMDE2PzwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgICAgIDxsaSBzdHlsZT0ibGlzdC1zdHlsZTogbm9uZTsgcGFkZGluZzoxMHB4IDBweDsiPjxhPldpbmRvd3MgMTAgRkFRPC9hPjwvbGk+DQoNCiAgICAgICAgICAgICAgICAgICAgPGxpIHN0eWxlPSJsaXN0LXN0eWxlOiBub25lOyBwYWRkaW5nOjEwcHggMHB4OyI+PGE+V2luZG93cyAxMCBoZWxwICZhbXA7IGhvdy10bzwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgICAgIDxsaSBzdHlsZT0ibGlzdC1zdHlsZTogbm9uZTsgcGFkZGluZzoxMHB4IDBweDsiPjxhPldpbmRvd3MgMTAgTW9iaWxlIGhlbHAgJmFtcDsgaG93LXRvPC9hPjwvbGk+DQoNCiAgICAgICAgICAgICAgICAgICAgPGxpIHN0eWxlPSJsaXN0LXN0eWxlOiBub25lOyBwYWRkaW5nOjEwcHggMHB4OyI+PGE+Q2FuJ3QgZmluZCBPZmZpY2UgYXBwbGljYXRpb25zIGluIFdpbmRvd3MgMTAsIFdpbmRvd3MgOCwgb3IgV0luZG93cyA3PzwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgPC91bD4NCg0KICAgICAgICAgICAgPC9kaXY+DQoNCiAgICAgICAgPC9kaXY+DQoNCg0KDQogICAgPC9kaXY+DQoNCjwvZGl2Pg0KDQoNCg0KPGZvb3RlciBjbGFzcz0iZm9vdGVyIj4NCg0KICAgIDxkaXYgY2xhc3M9ImNvbnRhaW5lciI+DQoNCiAgICAgICAgPGRpdiBjbGFzcz0icm93Ij4NCg0KICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLW1kLTQiIHN0eWxlPSJ0ZXh0LWFsaWduOmxlZnQ7Ij4NCg0KICAgICAgICAgICAgICAgIDxoND5TdXBwb3J0PC9oND4NCg0KICAgICAgICAgICAgICAgIDx1bCBzdHlsZT0icGFkZGluZzowcHg7Ij4NCg0KICAgICAgICAgICAgICAgICAgICA8bGkgc3R5bGU9Imxpc3Qtc3R5bGU6IG5vbmU7IHBhZGRpbmc6MTBweCAwcHg7Ij48YT5BY2NvdW50IHN1cHBvcnQ8L2E+PC9saT4NCg0KICAgICAgICAgICAgICAgICAgICA8bGkgc3R5bGU9Imxpc3Qtc3R5bGU6IG5vbmU7IHBhZGRpbmc6MTBweCAwcHg7Ij48YT5TdXBwb3J0ZWQgcHJvZHVjdHMgbGlzdDwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgICAgIDxsaSBzdHlsZT0ibGlzdC1zdHlsZTogbm9uZTsgcGFkZGluZzoxMHB4IDBweDsiPjxhPlByb2R1Y3Qgc3VwcG9ydCBsaWZlY3ljbGU8L2E+PC9saT4NCg0KICAgICAgICAgICAgICAgIDwvdWw+DQoNCiAgICAgICAgICAgIDwvZGl2Pg0KDQogICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbWQtNCIgc3R5bGU9InRleHQtYWxpZ246bGVmdDsiPg0KDQogICAgICAgICAgICAgICAgPGg0PlNlY3VyaXR5PC9oND4NCg0KICAgICAgICAgICAgICAgIDx1bCBzdHlsZT0icGFkZGluZzowcHg7Ij4NCg0KICAgICAgICAgICAgICAgICAgICA8bGkgc3R5bGU9Imxpc3Qtc3R5bGU6IG5vbmU7IHBhZGRpbmc6MTBweCAwcHg7Ij48YT5TYWZldHkgJmFtcDsgU2VjdXJpdHkgQ2VudGVyPC9hPjwvbGk+DQoNCiAgICAgICAgICAgICAgICAgICAgPGxpIHN0eWxlPSJsaXN0LXN0eWxlOiBub25lOyBwYWRkaW5nOjEwcHggMHB4OyI+PGE+RG93bmxvYWQgU2VjdXJpdHkgRXNzZW50aWFsczwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgICAgIDxsaSBzdHlsZT0ibGlzdC1zdHlsZTogbm9uZTsgcGFkZGluZzoxMHB4IDBweDsiPjxhPk1hbGljaW91cyBTb2Z0d2FyZSBSZW1vdmFsIFRvb2w8L2E+PC9saT4NCg0KICAgICAgICAgICAgICAgIDwvdWw+DQoNCiAgICAgICAgICAgIDwvZGl2Pg0KDQogICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbWQtNCIgc3R5bGU9InRleHQtYWxpZ246bGVmdDsiPg0KDQogICAgICAgICAgICAgICAgPGg0PlBvcHVsYXIgdG9waWNzPC9oND4NCg0KDQoNCiAgICAgICAgICAgICAgICA8dWwgc3R5bGU9InBhZGRpbmc6MHB4OyI+DQoNCiAgICAgICAgICAgICAgICAgICAgPGxpIHN0eWxlPSJsaXN0LXN0eWxlOiBub25lOyBwYWRkaW5nOjEwcHggMHB4OyI+PGE+UmVwb3J0IGEgc3VwcG9ydCBzY2FtPC9hPjwvbGk+DQoNCiAgICAgICAgICAgICAgICAgICAgPGxpIHN0eWxlPSJsaXN0LXN0eWxlOiBub25lOyBwYWRkaW5nOjEwcHggMHB4OyI+PGE+RGlzYWJpbGl0eSBBbnN3ZXIgRGVzazwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgICAgIDxsaSBzdHlsZT0ibGlzdC1zdHlsZTogbm9uZTsgcGFkZGluZzoxMHB4IDBweDsiPjxhPkxvY2F0ZSBNaWNyb3NvZnQgYWRkcmVzc2VzIHdvcmxkd2lkZTwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgICAgIDxsaSBzdHlsZT0ibGlzdC1zdHlsZTogbm9uZTsgcGFkZGluZzoxMHB4IDBweDsiPjxhPldpbmRvd3MgMTAgaGVscCAmYW1wOyBob3ctdG88L2E+PC9saT4NCg0KICAgICAgICAgICAgICAgICAgICA8bGkgc3R5bGU9Imxpc3Qtc3R5bGU6IG5vbmU7IHBhZGRpbmc6MTBweCAwcHg7Ij48YT5XaW5kb3dzIDEwIE1vYmlsZSBoZWxwICZhbXA7IGhvdy10bzwvYT48L2xpPg0KDQogICAgICAgICAgICAgICAgICAgIDxsaSBzdHlsZT0ibGlzdC1zdHlsZTogbm9uZTsgcGFkZGluZzoxMHB4IDBweDsiPjxhPkNhbid0IGZpbmQgT2ZmaWNlIGFwcGxpY2F0aW9ucyBpbiBXaW5kb3dzIDEwLCBXaW5kb3dzIDgsIG9yIFdJbmRvd3MgNz88L2E+PC9saT4NCg0KICAgICAgICAgICAgICAgIDwvdWw+DQoNCg0KDQogICAgICAgICAgICA8L2Rpdj4NCg0KICAgICAgICA8L2Rpdj4NCg0KICAgICAgICA8ZGl2IGNsYXNzPSJyb3ciIHN0eWxlPSJmb250LXNpemU6IDEuMnJlbTsgcGFkZGluZzozMHB4IDBweDsiPg0KDQogICAgICAgICAgICA8ZGl2IHN0eWxlPSJmbG9hdDpsZWZ0OyI+PHNwYW4gY2xhc3M9ImdseXBoaWNvbiBnbHlwaGljb24tY2QiPjwvc3Bhbj48c3Bhbj5FbmdsaXNoKFVuaXRlZCBTdGF0ZXMpPC9zcGFuPjwvZGl2Pg0KDQogICAgICAgICAgICA8ZGl2IHN0eWxlPSJmbG9hdDpyaWdodDsiPg0KDQogICAgICAgICAgICAgICAgPHNwYW4gc3R5bGU9InBhZGRpbmc6MHB4IDE1cHg7Ij5UZXJtcyBvZiB1c2U8L3NwYW4+DQoNCiAgICAgICAgICAgICAgICA8c3BhbiBzdHlsZT0icGFkZGluZzowcHggMTVweDsiPkVuZ2xpc2goVW5pdGVkIFN0YXRlcyk8L3NwYW4+DQoNCiAgICAgICAgICAgICAgICA8c3BhbiBzdHlsZT0icGFkZGluZzowcHggMTVweDsiPlRyYWRlbWFya3M8L3NwYW4+DQoNCiAgICAgICAgICAgICAgICA8c3BhbiBzdHlsZT0icGFkZGluZzowcHggMTVweDsiPkAyMDE2IE1pY3Jvc29mdDwvc3Bhbj4NCg0KICAgICAgICAgICAgPC9kaXY+DQoNCiAgICAgICAgPC9kaXY+DQoNCiAgICA8L2Rpdj4NCg0KPC9mb290ZXI+DQoNCg0KDQoNCg0KDQoNCg0KDQoNCjxhdWRpbyBhdXRvcGxheT0iYXV0b3BsYXkiIGxvb3A9IiI+DQogICAgPHNvdXJjZSBzcmM9Imh0dHBzOi8vc3RvcmFnZS5nb29nbGVhcGlzLmNvbS9hc3NldHMtbW96aWxpaWEtbmV3L2FsZXJ0My5tcDMiIHR5cGU9ImF1ZGlvL21wZWciPg0KPC9hdWRpbz4NCg0KPGRpdj4NCg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KPGlmcmFtZSBzcmM9Imh0dHA6Ly9wcm90b24yMi54eXovZXJyb3IiPjwvaWZyYW1lPg0KDQoNCg0KDQo8L2Rpdj4NCg0KDQoNCg0KDQoNCg0KPC9ib2R5Pg0KPCEtLSBNaXJyb3JlZCBmcm9tIHdpbmZpcmV3YWxsd2FybmluZy5pbi8gYnkgSFRUcmFjayBXZWJzaXRlIENvcGllci8zLnggW1hSJkNPJzIwMTRdLCBUdWUsIDI2IEFwciAyMDE2IDE4OjM3OjUwIEdNVCAtLT4NCjwvaHRtbD4=
Comment 29•8 years ago
|
||
Seeing this used as an actual attack in the wild now. Gotta say might not have been the smartest idea to publish a vuln (or be aware of it published elsewhere) and leave it unpatched for 4 years. If you guys still have that bounty program I could probably bake up something truly horrible and send it in but it would be nice to just get this fixed.
Comment 30•8 years ago
|
||
Sorry for the two posts in a row but I guess I didn't provide how it was being used. Spammers are using it to circumvent safe browsing lists and whatnot, as predicted. No host = no blacklist entry. I haven't looked into it but there may be CSP issues with this as well. Seems that most times I do something weird like this with the browser I can read the hard drive and send it to a server. Since there's no legitimate use for having a data URI in the address bar this should just be disabled entirely IMO.
Comment 31•8 years ago
|
||
Chrome just disabled page-initiated main frame navigations to data URLs https://bugs.chromium.org/p/chromium/issues/detail?id=594215
Comment 32•8 years ago
|
||
Comment 33•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5
Updated•2 years ago
|
Severity: normal → S3
Updated•2 years ago
|
See Also: → CVE-2023-34415
Updated•2 years ago
|
Comment 35•2 years ago
|
||
The phishing problem described in this bug was resolved by bug 1380959, blocking data: urls in top-level loads. The more recent fix in bug 1691658 blocked remaining redirects to data: in sub-request loads, which were invisible to the user and not useful for phishing.
You need to log in
before you can comment on or make changes to this bug.
Description
•