Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:29917 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 10015 invoked by uid 1010); 30 May 2007 00:18:34 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 9999 invoked from network); 30 May 2007 00:18:34 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 30 May 2007 00:18:34 -0000 Authentication-Results: pb1.pair.com header.from=stas@zend.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=stas@zend.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain zend.com designates 63.205.162.114 as permitted sender) X-PHP-List-Original-Sender: stas@zend.com X-Host-Fingerprint: 63.205.162.114 unknown Windows 2000 SP4, XP SP1 Received: from [63.205.162.114] ([63.205.162.114:20554] helo=us-ex1.zend.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id FB/00-10662-9D2CC564 for ; Tue, 29 May 2007 20:18:34 -0400 Received: from [127.0.0.1] ([192.168.16.180]) by us-ex1.zend.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 29 May 2007 17:18:31 -0700 Message-ID: <465CC25E.9080309@zend.com> Date: Tue, 29 May 2007 17:16:30 -0700 Organization: Zend Technologies User-Agent: Thunderbird 2.0.0.0 (Windows/20070326) MIME-Version: 1.0 To: php-dev References: <464DCB8C.90803@chiaraquartet.net> <464DEF23.3080503@zend.com> <464DF139.6090405@zend.com> <464E1AA8.9050600@php.net> In-Reply-To: <464E1AA8.9050600@php.net> Content-Type: multipart/mixed; boundary="------------080306080707030406050608" X-OriginalArrivalTime: 30 May 2007 00:18:31.0501 (UTC) FILETIME=[0DBE57D0:01C7A250] Subject: [PATCH] potential solution to user streams + allow_url_include=off From: stas@zend.com (Stanislav Malyshev) --------------080306080707030406050608 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit According to the plan below, attached is the patch that restricts user streams from executing dangerous operations inside include context. Please comment. >>> I think the problem could be solved this way: >>> 0. allow_url_include and allow_url_fopen renamed to >>> allow_remote_include and allow_remote_fopen (not really necessary, >>> just much cleaner, if you don't like it, ignore it for now). >>> 1. By default, allow_remote_inclue=0, allow_remote_fopen=1 >>> 2. Stream can be of three types - remote, local and user/local. >>> 3. User streams can be declared when registered as either remote or >>> user/local, remote being the default. >>> 4. When operation on user/local stream is run, allow_remote_fopen is >>> disabled if allow_remote_include was disabled. -- Stanislav Malyshev, Zend Products Engineer stas@zend.com http://www.zend.com/ --------------080306080707030406050608 Content-Type: text/plain; name="streams.diff" Content-Transfer-Encoding: base64 Content-Disposition: inline; filename="streams.diff" SW5kZXg6IGV4dC9zdGFuZGFyZC9iYXNpY19mdW5jdGlvbnMuYwo9PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09ClJD UyBmaWxlOiAvcmVwb3NpdG9yeS9waHAtc3JjL2V4dC9zdGFuZGFyZC9iYXNpY19mdW5jdGlv bnMuYyx2CnJldHJpZXZpbmcgcmV2aXNpb24gMS44NTgKZGlmZiAtdSAtcjEuODU4IGJhc2lj X2Z1bmN0aW9ucy5jCi0tLSBleHQvc3RhbmRhcmQvYmFzaWNfZnVuY3Rpb25zLmMJMjIgTWF5 IDIwMDcgMTQ6MzI6MzkgLTAwMDAJMS44NTgKKysrIGV4dC9zdGFuZGFyZC9iYXNpY19mdW5j dGlvbnMuYwkzMCBNYXkgMjAwNyAwMDoxNDowNyAtMDAwMApAQCAtMjM0Myw2ICsyMzQzLDEx IEBACiBaRU5EX0VORF9BUkdfSU5GTygpCiAKIHN0YXRpYworWkVORF9CRUdJTl9BUkdfSU5G TyhhcmdpbmZvX3N0cmVhbV9pc19sb2NhbCwgMCkKKwlaRU5EX0FSR19JTkZPKDAsIHN0cmVh bSkKK1pFTkRfRU5EX0FSR19JTkZPKCkKKworc3RhdGljCiBaRU5EX0JFR0lOX0FSR19JTkZP X0VYKGFyZ2luZm9fc3RyZWFtX3NlbGVjdCwgMCwgMCwgNCkKIAlaRU5EX0FSR19JTkZPKDEs IHJlYWRfc3RyZWFtcykgLyogQVJSQVlfSU5GTygxLCByZWFkX3N0cmVhbXMsIDEpICovCiAJ WkVORF9BUkdfSU5GTygxLCB3cml0ZV9zdHJlYW1zKSAvKiBBUlJBWV9JTkZPKDEsIHdyaXRl X3N0cmVhbXMsIDEpICovCkBAIC0zNTkxLDYgKzM1OTYsNyBAQAogCVBIUF9GRShzdHJlYW1f d3JhcHBlcl9yZXN0b3JlLAkJCQkJCQkJCQkJYXJnaW5mb19zdHJlYW1fd3JhcHBlcl9yZXN0 b3JlKQogCVBIUF9GRShzdHJlYW1fZ2V0X3dyYXBwZXJzLAkJCQkJCQkJCQkJCWFyZ2luZm9f c3RyZWFtX2dldF93cmFwcGVycykKIAlQSFBfRkUoc3RyZWFtX2dldF90cmFuc3BvcnRzLAkJ CQkJCQkJCQkJYXJnaW5mb19zdHJlYW1fZ2V0X3RyYW5zcG9ydHMpCisJUEhQX0ZFKHN0cmVh bV9pc19sb2NhbCwJCQkJCQkJCQkJCQlhcmdpbmZvX3N0cmVhbV9pc19sb2NhbCkKIAlQSFBf RkUoZ2V0X2hlYWRlcnMsCQkJCQkJCQkJCQkJCQlhcmdpbmZvX2dldF9oZWFkZXJzKQogCiAj aWYgSEFWRV9TWVNfVElNRV9IIHx8IGRlZmluZWQoUEhQX1dJTjMyKQpJbmRleDogZXh0L3N0 YW5kYXJkL3N0cmVhbXNmdW5jcy5jCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KUkNTIGZpbGU6IC9yZXBvc2l0 b3J5L3BocC1zcmMvZXh0L3N0YW5kYXJkL3N0cmVhbXNmdW5jcy5jLHYKcmV0cmlldmluZyBy ZXZpc2lvbiAxLjEwMwpkaWZmIC11IC1yMS4xMDMgc3RyZWFtc2Z1bmNzLmMKLS0tIGV4dC9z dGFuZGFyZC9zdHJlYW1zZnVuY3MuYwkxMiBBcHIgMjAwNyAxMzoxNToxNyAtMDAwMAkxLjEw MworKysgZXh0L3N0YW5kYXJkL3N0cmVhbXNmdW5jcy5jCTMwIE1heSAyMDA3IDAwOjE0OjEw IC0wMDAwCkBAIC0xNjQ3LDYgKzE2NDcsMzcgQEAKIH0KIC8qIH19fSAqLwogCisvKiB7e3sg cHJvdG8gYm9vbCBzdHJlYW1faXNfbG9jYWwocmVzb3VyY2Ugc3RyZWFtfHN0cmluZyB1cmwp IFUKKyovCitQSFBfRlVOQ1RJT04oc3RyZWFtX2lzX2xvY2FsKQoreworCXp2YWwgKnpzdHJl YW07CisJcGhwX3N0cmVhbSAqc3RyZWFtID0gTlVMTDsKKwlwaHBfc3RyZWFtX3dyYXBwZXIg KndyYXBwZXIgPSBOVUxMOworCisJaWYgKHplbmRfcGFyc2VfcGFyYW1ldGVycyhaRU5EX05V TV9BUkdTKCkgVFNSTUxTX0NDLCAieiIsICZ6c3RyZWFtKSA9PSBGQUlMVVJFKSB7CisJCVJF VFVSTl9GQUxTRTsKKwl9CisKKwlpZihaX1RZUEVfUCh6c3RyZWFtKSA9PSBJU19SRVNPVVJD RSkgeworCQlwaHBfc3RyZWFtX2Zyb21fenZhbChzdHJlYW0sICZ6c3RyZWFtKTsKKwkJaWYo c3RyZWFtID09IE5VTEwpIHsKKwkJCVJFVFVSTl9GQUxTRTsKKwkJfQorCQl3cmFwcGVyID0g c3RyZWFtLT53cmFwcGVyOworCX0gZWxzZSB7CisJCWNvbnZlcnRfdG9fc3RyaW5nX2V4KCZ6 c3RyZWFtKTsKKwkJd3JhcHBlciA9IHBocF9zdHJlYW1fbG9jYXRlX3VybF93cmFwcGVyKFpf U1RSVkFMX1AoenN0cmVhbSksIE5VTEwsIFNUUkVBTV9MT0NBVEVfV1JBUFBFUlNfT05MWSBU U1JNTFNfQ0MpOworCX0KKworCWlmKCF3cmFwcGVyKSB7CisJCVJFVFVSTl9GQUxTRTsKKwl9 CisKKwlSRVRVUk5fQk9PTCh3cmFwcGVyLT5pc191cmw9PTApOworfQorLyogfX19ICovCisK ICNpZmRlZiBIQVZFX1NIVVRET1dOCiAvKiB7e3sgcHJvdG8gaW50IHN0cmVhbV9zb2NrZXRf c2h1dGRvd24ocmVzb3VyY2Ugc3RyZWFtLCBpbnQgaG93KSBVCiAJY2F1c2VzIGFsbCBvciBw YXJ0IG9mIGEgZnVsbC1kdXBsZXggY29ubmVjdGlvbiBvbiB0aGUgc29ja2V0IGFzc29jaWF0 ZWQKSW5kZXg6IGV4dC9zdGFuZGFyZC9zdHJlYW1zZnVuY3MuaAo9PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09ClJD UyBmaWxlOiAvcmVwb3NpdG9yeS9waHAtc3JjL2V4dC9zdGFuZGFyZC9zdHJlYW1zZnVuY3Mu aCx2CnJldHJpZXZpbmcgcmV2aXNpb24gMS4xOQpkaWZmIC11IC1yMS4xOSBzdHJlYW1zZnVu Y3MuaAotLS0gZXh0L3N0YW5kYXJkL3N0cmVhbXNmdW5jcy5oCTEgSmFuIDIwMDcgMDk6Mjk6 MzIgLTAwMDAJMS4xOQorKysgZXh0L3N0YW5kYXJkL3N0cmVhbXNmdW5jcy5oCTMwIE1heSAy MDA3IDAwOjE0OjEwIC0wMDAwCkBAIC01Nyw2ICs1Nyw3IEBACiBQSFBfRlVOQ1RJT04oc3Ry ZWFtX3NvY2tldF9zaHV0ZG93bik7CiBQSFBfRlVOQ1RJT04oc3RyZWFtX3NvY2tldF9wYWly KTsKIFBIUF9GVU5DVElPTihzdHJlYW1fcmVzb2x2ZV9pbmNsdWRlX3BhdGgpOworUEhQX0ZV TkNUSU9OKHN0cmVhbV9pc19sb2NhbCk7CiAKIC8qCiAgKiBMb2NhbCB2YXJpYWJsZXM6Cklu ZGV4OiBtYWluL2ludGVybmFsX2Z1bmN0aW9uc193aW4zMi5jCj09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KUkNT IGZpbGU6IC9yZXBvc2l0b3J5L3BocC1zcmMvbWFpbi9pbnRlcm5hbF9mdW5jdGlvbnNfd2lu MzIuYyx2CnJldHJpZXZpbmcgcmV2aXNpb24gMS45MApkaWZmIC11IC1yMS45MCBpbnRlcm5h bF9mdW5jdGlvbnNfd2luMzIuYwotLS0gbWFpbi9pbnRlcm5hbF9mdW5jdGlvbnNfd2luMzIu YwkxIEphbiAyMDA3IDA5OjI5OjM1IC0wMDAwCTEuOTAKKysrIG1haW4vaW50ZXJuYWxfZnVu Y3Rpb25zX3dpbjMyLmMJMzAgTWF5IDIwMDcgMDA6MTQ6MTAgLTAwMDAKQEAgLTk4LDEyICs5 OCwxOCBAQAogI2luY2x1ZGUgImV4dC9zcWxpdGUvcGhwX3NxbGl0ZS5oIgogI2VuZGlmCiAj aW5jbHVkZSAiZXh0L2NvbV9kb3RuZXQvcGhwX2NvbV9kb3RuZXQuaCIKKyNpbmNsdWRlICJl eHQvc3BsL3BocF9zcGwuaCIKKyNpbmNsdWRlICJleHQvZGF0ZS9waHBfZGF0ZS5oIgorI2lu Y2x1ZGUgImV4dC91bmljb2RlL3BocF91bmljb2RlLmgiCiAvKiB9fX0gKi8KIAogLyoge3t7 IHBocF9idWlsdGluX2V4dGVuc2lvbnNbXQogICovCiBzdGF0aWMgemVuZF9tb2R1bGVfZW50 cnkgKnBocF9idWlsdGluX2V4dGVuc2lvbnNbXSA9IHsKIAlwaHBleHRfc3RhbmRhcmRfcHRy CisJLHBocGV4dF9zcGxfcHRyCisJLHBocGV4dF9kYXRlX3B0cgorCSxwaHBleHRfdW5pY29k ZV9wdHIKICNpZiBIQVZFX0JDTUFUSAogCSxwaHBleHRfYmNtYXRoX3B0cgogI2VuZGlmCklu ZGV4OiBtYWluL3N0cmVhbXMvdXNlcnNwYWNlLmMKPT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQpSQ1MgZmlsZTog L3JlcG9zaXRvcnkvcGhwLXNyYy9tYWluL3N0cmVhbXMvdXNlcnNwYWNlLmMsdgpyZXRyaWV2 aW5nIHJldmlzaW9uIDEuNDIKZGlmZiAtdSAtcjEuNDIgdXNlcnNwYWNlLmMKLS0tIG1haW4v c3RyZWFtcy91c2Vyc3BhY2UuYwkxNSBNYXkgMjAwNyAxMzowMTo0NyAtMDAwMAkxLjQyCisr KyBtYWluL3N0cmVhbXMvdXNlcnNwYWNlLmMJMzAgTWF5IDIwMDcgMDA6MTQ6MTAgLTAwMDAK QEAgLTIxNSw2ICsyMTUsNyBAQAogCWludCBjYWxsX3Jlc3VsdDsKIAlwaHBfc3RyZWFtICpz dHJlYW0gPSBOVUxMOwogCXp2YWwgKnpjb250ZXh0ID0gTlVMTDsKKwljaGFyICpvbGRfYWxs b3dfdmFsdWUgPSBOVUxMOwogCiAJLyogVHJ5IHRvIGNhdGNoIGJhZCB1c2FnZSB3aXRob3V0 IHByZXZlbnRpbmcgZmxleGliaWxpdHkgKi8KIAlpZiAoRkcodXNlcl9zdHJlYW1fY3VycmVu dF9maWxlbmFtZSkgIT0gTlVMTCAmJiBzdHJjbXAoZmlsZW5hbWUsIEZHKHVzZXJfc3RyZWFt X2N1cnJlbnRfZmlsZW5hbWUpKSA9PSAwKSB7CkBAIC0yMjMsNiArMjI0LDI4IEBACiAJfQog CUZHKHVzZXJfc3RyZWFtX2N1cnJlbnRfZmlsZW5hbWUpID0gZmlsZW5hbWU7CiAJCisJLyog aWYgdGhlIHVzZXIgc3RyZWFtIHdhcyByZWdpc3RlcmVkIGFzIGxvY2FsIGFuZCB3ZSBhcmUg aW4gaW5jbHVkZSBjb250ZXh0LAorCQl3ZSBhZGQgYWxsb3dfdXJsX2luY2x1ZGUgcmVzdHJp Y3Rpb25zIHRvIGFsbG93X3VybF9mb3BlbiBvbmVzICovCisJLyogd2UgbmVlZCBvbmx5IGlz X3VybCA9PSAwIGhlcmUgc2luY2UgaWYgaXNfdXJsID09IDEgYW5kIHJlbW90ZSB3cmFwcGVy cworCQl3ZXJlIHJlc3RyaWN0ZWQgd2Ugd291bGRuJ3QgZ2V0IGhlcmUgKi8KKwlpZih1d3Jh cC0+d3JhcHBlci5pc191cmwgPT0gMCAmJiAKKwkJKG9wdGlvbnMgJiBTVFJFQU1fT1BFTl9G T1JfSU5DTFVERSkgJiYgCisJCShQRyhhbGxvd191cmxfaW5jbHVkZV9saXN0KSA9PSBOVUxM IHx8IHN0cmxlbihQRyhhbGxvd191cmxfaW5jbHVkZV9saXN0KSkgIT0xIHx8IFBHKGFsbG93 X3VybF9pbmNsdWRlX2xpc3QpWzBdICE9ICcqJykpIHsKKwkJLyogd2UgYXJlIGluIGluY2x1 ZGUgYW5kIGFsbG93X3VybF9pbmNsdWRlIGlzIHJlc3RyaWN0aXZlICovCisJCWNoYXIgKmlu Y2x1ZGVfdmFsdWUgPSB6ZW5kX2luaV9zdHJpbmcoImFsbG93X3VybF9pbmNsdWRlIiwgc2l6 ZW9mKCJhbGxvd191cmxfaW5jbHVkZSIpLCAwKTsKKwkJb2xkX2FsbG93X3ZhbHVlID0gemVu ZF9pbmlfc3RyaW5nKCJhbGxvd191cmxfZm9wZW4iLCBzaXplb2YoImFsbG93X3VybF9mb3Bl biIpLCAwKTsKKwkJaWYob2xkX2FsbG93X3ZhbHVlKSB7CisJCQlvbGRfYWxsb3dfdmFsdWUg PSBlc3RyZHVwKG9sZF9hbGxvd192YWx1ZSk7CisJCX0KKwkJaWYgKHplbmRfYWx0ZXJfaW5p X2VudHJ5KCJhbGxvd191cmxfZm9wZW4iLCBzaXplb2YoImFsbG93X3VybF9mb3BlbiIpLCAK KwkJCQkJCWluY2x1ZGVfdmFsdWUsIHN0cmxlbihpbmNsdWRlX3ZhbHVlKSwKKwkJCQkJCVBI UF9JTklfVVNFUiwgUEhQX0lOSV9TVEFHRV9SVU5USU1FKSA9PSBGQUlMVVJFKSB7CisJCQlw aHBfc3RyZWFtX3dyYXBwZXJfbG9nX2Vycm9yKHdyYXBwZXIsIG9wdGlvbnMgVFNSTUxTX0ND LCAiYWxsb3dfdXJsX2ZvcGVuIGlzIG1vcmUgcmVzdHJpY3RpdmUgdGhhbiBhbGxvd191cmxf aW5jbHVkZSIpOworCQkJZWZyZWUob2xkX2FsbG93X3ZhbHVlKTsKKwkJCXJldHVybiBOVUxM OworCQl9CisJfQorCiAJdXMgPSBlbWFsbG9jKHNpemVvZigqdXMpKTsKIAl1cy0+d3JhcHBl ciA9IHV3cmFwOwkKIApAQCAtMjU4LDYgKzI4MSwxNSBAQAogCQkJRlJFRV9aVkFMKHVzLT5v YmplY3QpOwogCQkJZWZyZWUodXMpOwogCQkJRkcodXNlcl9zdHJlYW1fY3VycmVudF9maWxl bmFtZSkgPSBOVUxMOworCQkJaWYob2xkX2FsbG93X3ZhbHVlKSB7CisJCQkJemVuZF9hbHRl cl9pbmlfZW50cnkoImFsbG93X3VybF9mb3BlbiIsIHNpemVvZigiYWxsb3dfdXJsX2ZvcGVu IiksIAorCQkJCQlvbGRfYWxsb3dfdmFsdWUsIHN0cmxlbihvbGRfYWxsb3dfdmFsdWUpLAor CQkJCQlQSFBfSU5JX1VTRVIsIFBIUF9JTklfU1RBR0VfU1RBUlRVUCk7CisJCQkJLyogaGFj ayBoZXJlIC0gdXNpbmcgUEhQX0lOSV9TVEFHRV9TVEFSVFVQIHNpbmNlIHdlIG5lZWQgdGhl IHZhbHVlIGJhY2sgCisJCQkJYnV0IHdlIGNhbid0IGp1c3QgdXNlIHJlc3RvcmVfaW5pX2Vu dHJ5IHNpbmNlIGl0IHdpbGwgcmVzdG9yZSAKKwkJCQlkZWZhdWx0IHZhbHVlLCBub3QgY3Vy cmVudCB2YWx1ZSAqLworCQkJCWVmcmVlKG9sZF9hbGxvd192YWx1ZSk7CisJCQl9CiAJCQly ZXR1cm4gTlVMTDsKIAkJfSBlbHNlIHsKIAkJCWlmIChyZXR2YWxfcHRyKSB7CkBAIC0zMzgs NyArMzcwLDE2IEBACiAJenZhbF9wdHJfZHRvcigmemZpbGVuYW1lKTsKIAogCUZHKHVzZXJf c3RyZWFtX2N1cnJlbnRfZmlsZW5hbWUpID0gTlVMTDsKLQkJCisKKwlpZihvbGRfYWxsb3df dmFsdWUpIHsKKwkJemVuZF9hbHRlcl9pbmlfZW50cnkoImFsbG93X3VybF9mb3BlbiIsIHNp emVvZigiYWxsb3dfdXJsX2ZvcGVuIiksIAorCQkJCQkJCQlvbGRfYWxsb3dfdmFsdWUsIHN0 cmxlbihvbGRfYWxsb3dfdmFsdWUpLAorCQkJCQkJCQlQSFBfSU5JX1VTRVIsIFBIUF9JTklf U1RBR0VfU1RBUlRVUCk7CisJCQkvKiBoYWNrIGhlcmUgLSB1c2luZyBQSFBfSU5JX1NUQUdF X1NUQVJUVVAgc2luY2Ugd2UgbmVlZCB0aGUgdmFsdWUgYmFjayAKKwkJCQlidXQgd2UgY2Fu J3QganVzdCB1c2UgcmVzdG9yZV9pbmlfZW50cnkgc2luY2UgaXQgd2lsbCByZXN0b3JlIAor CQkJCWRlZmF1bHQgdmFsdWUsIG5vdCBjdXJyZW50IHZhbHVlICovCisJCWVmcmVlKG9sZF9h bGxvd192YWx1ZSk7CisJfQogCXJldHVybiBzdHJlYW07CiB9CiAKQEAgLTM1MSw2ICszOTIs NyBAQAogCXp2YWwgKiphcmdzWzJdOwkKIAlpbnQgY2FsbF9yZXN1bHQ7CiAJcGhwX3N0cmVh bSAqc3RyZWFtID0gTlVMTDsKKwljaGFyICpvbGRfYWxsb3dfdmFsdWUgPSBOVUxMOwogCiAJ LyogVHJ5IHRvIGNhdGNoIGJhZCB1c2FnZSB3aXRob3V0IHByZXZlbnRpbmcgZmxleGliaWxp dHkgKi8KIAlpZiAoRkcodXNlcl9zdHJlYW1fY3VycmVudF9maWxlbmFtZSkgIT0gTlVMTCAm JiBzdHJjbXAoZmlsZW5hbWUsIEZHKHVzZXJfc3RyZWFtX2N1cnJlbnRfZmlsZW5hbWUpKSA9 PSAwKSB7CkBAIC0zNTksNiArNDAxLDI4IEBACiAJfQogCUZHKHVzZXJfc3RyZWFtX2N1cnJl bnRfZmlsZW5hbWUpID0gZmlsZW5hbWU7CiAJCisJLyogaWYgdGhlIHVzZXIgc3RyZWFtIHdh cyByZWdpc3RlcmVkIGFzIGxvY2FsIGFuZCB3ZSBhcmUgaW4gaW5jbHVkZSBjb250ZXh0LAor CQl3ZSBhZGQgYWxsb3dfdXJsX2luY2x1ZGUgcmVzdHJpY3Rpb25zIHRvIGFsbG93X3VybF9m b3BlbiBvbmVzICovCisJLyogd2UgbmVlZCBvbmx5IGlzX3VybCA9PSAwIGhlcmUgc2luY2Ug aWYgaXNfdXJsID09IDEgYW5kIHJlbW90ZSB3cmFwcGVycworCQl3ZXJlIHJlc3RyaWN0ZWQg d2Ugd291bGRuJ3QgZ2V0IGhlcmUgKi8KKwlpZih1d3JhcC0+d3JhcHBlci5pc191cmwgPT0g MCAmJiAKKwkJKG9wdGlvbnMgJiBTVFJFQU1fT1BFTl9GT1JfSU5DTFVERSkgJiYgCisJCShQ RyhhbGxvd191cmxfaW5jbHVkZV9saXN0KSA9PSBOVUxMIHx8IHN0cmxlbihQRyhhbGxvd191 cmxfaW5jbHVkZV9saXN0KSkgIT0xIHx8IFBHKGFsbG93X3VybF9pbmNsdWRlX2xpc3QpWzBd ICE9ICcqJykpIHsKKwkJLyogd2UgYXJlIGluIGluY2x1ZGUgYW5kIGFsbG93X3VybF9pbmNs dWRlIGlzIHJlc3RyaWN0aXZlICovCisJCQljaGFyICppbmNsdWRlX3ZhbHVlID0gemVuZF9p bmlfc3RyaW5nKCJhbGxvd191cmxfaW5jbHVkZSIsIHNpemVvZigiYWxsb3dfdXJsX2luY2x1 ZGUiKSwgMCk7CisJCQlvbGRfYWxsb3dfdmFsdWUgPSB6ZW5kX2luaV9zdHJpbmcoImFsbG93 X3VybF9mb3BlbiIsIHNpemVvZigiYWxsb3dfdXJsX2ZvcGVuIiksIDApOworCQkJaWYob2xk X2FsbG93X3ZhbHVlKSB7CisJCQkJb2xkX2FsbG93X3ZhbHVlID0gZXN0cmR1cChvbGRfYWxs b3dfdmFsdWUpOworCQkJfQorCQkJaWYgKHplbmRfYWx0ZXJfaW5pX2VudHJ5KCJhbGxvd191 cmxfZm9wZW4iLCBzaXplb2YoImFsbG93X3VybF9mb3BlbiIpLCAKKwkJCQkJCQkJaW5jbHVk ZV92YWx1ZSwgc3RybGVuKGluY2x1ZGVfdmFsdWUpLAorCQkJCQkJCQlQSFBfSU5JX1VTRVIs IFBIUF9JTklfU1RBR0VfUlVOVElNRSkgPT0gRkFJTFVSRSkgeworCQkJcGhwX3N0cmVhbV93 cmFwcGVyX2xvZ19lcnJvcih3cmFwcGVyLCBvcHRpb25zIFRTUk1MU19DQywgImFsbG93X3Vy bF9mb3BlbiBpcyBtb3JlIHJlc3RyaWN0aXZlIHRoYW4gYWxsb3dfdXJsX2luY2x1ZGUiKTsK KwkJCWVmcmVlKG9sZF9hbGxvd192YWx1ZSk7CisJCQlyZXR1cm4gTlVMTDsKKwkJfQorCX0K KwogCXVzID0gZW1hbGxvYyhzaXplb2YoKnVzKSk7CiAJdXMtPndyYXBwZXIgPSB1d3JhcDsJ CiAKQEAgLTQyNCwxMSArNDg4LDIwIEBACiAKIAlGRyh1c2VyX3N0cmVhbV9jdXJyZW50X2Zp bGVuYW1lKSA9IE5VTEw7CiAJCQorCWlmKG9sZF9hbGxvd192YWx1ZSkgeworCQl6ZW5kX2Fs dGVyX2luaV9lbnRyeSgiYWxsb3dfdXJsX2ZvcGVuIiwgc2l6ZW9mKCJhbGxvd191cmxfZm9w ZW4iKSwgCisJCQlvbGRfYWxsb3dfdmFsdWUsIHN0cmxlbihvbGRfYWxsb3dfdmFsdWUpLAor CQkJUEhQX0lOSV9VU0VSLCBQSFBfSU5JX1NUQUdFX1NUQVJUVVApOworCQkvKiBoYWNrIGhl cmUgLSB1c2luZyBQSFBfSU5JX1NUQUdFX1NUQVJUVVAgc2luY2Ugd2UgbmVlZCB0aGUgdmFs dWUgYmFjayAKKwkJYnV0IHdlIGNhbid0IGp1c3QgdXNlIHJlc3RvcmVfaW5pX2VudHJ5IHNp bmNlIGl0IHdpbGwgcmVzdG9yZSAKKwkJZGVmYXVsdCB2YWx1ZSwgbm90IGN1cnJlbnQgdmFs dWUgKi8KKwkJZWZyZWUob2xkX2FsbG93X3ZhbHVlKTsKKwl9CiAJcmV0dXJuIHN0cmVhbTsK IH0KIAogCi0vKiB7e3sgcHJvdG8gYm9vbCBzdHJlYW1fd3JhcHBlcl9yZWdpc3RlcihzdHJp bmcgcHJvdG9jb2wsIHN0cmluZyBjbGFzc25hbWUpCisvKiB7e3sgcHJvdG8gYm9vbCBzdHJl YW1fd3JhcHBlcl9yZWdpc3RlcihzdHJpbmcgcHJvdG9jb2wsIHN0cmluZyBjbGFzc25hbWVb LCBib29sIHJlbW90ZV0pCiAgICBSZWdpc3RlcnMgYSBjdXN0b20gVVJMIHByb3RvY29sIGhh bmRsZXIgY2xhc3MgKi8KIFBIUF9GVU5DVElPTihzdHJlYW1fd3JhcHBlcl9yZWdpc3RlcikK IHsKQEAgLTQzNiw4ICs1MDksOSBAQAogCWludCBwcm90b2NvbF9sZW4sIGNsYXNzbmFtZV9s ZW47CiAJc3RydWN0IHBocF91c2VyX3N0cmVhbV93cmFwcGVyICogdXdyYXA7CiAJaW50IHJz cmNfaWQ7CisJemVuZF9ib29sIHJlbW90ZSA9IDE7CiAJCi0JaWYgKHplbmRfcGFyc2VfcGFy YW1ldGVycyhaRU5EX05VTV9BUkdTKCkgVFNSTUxTX0NDLCAic3MiLCAmcHJvdG9jb2wsICZw cm90b2NvbF9sZW4sICZjbGFzc25hbWUsICZjbGFzc25hbWVfbGVuKSA9PSBGQUlMVVJFKSB7 CisJaWYgKHplbmRfcGFyc2VfcGFyYW1ldGVycyhaRU5EX05VTV9BUkdTKCkgVFNSTUxTX0ND LCAic3N8YiIsICZwcm90b2NvbCwgJnByb3RvY29sX2xlbiwgJmNsYXNzbmFtZSwgJmNsYXNz bmFtZV9sZW4sICZyZW1vdGUpID09IEZBSUxVUkUpIHsKIAkJUkVUVVJOX0ZBTFNFOwogCX0K IAkKQEAgLTQ0Niw2ICs1MjAsNyBAQAogCXV3cmFwLT5jbGFzc25hbWUgPSBlc3RybmR1cChj bGFzc25hbWUsIGNsYXNzbmFtZV9sZW4pOwogCXV3cmFwLT53cmFwcGVyLndvcHMgPSAmdXNl cl9zdHJlYW1fd29wczsKIAl1d3JhcC0+d3JhcHBlci5hYnN0cmFjdCA9IHV3cmFwOworCXV3 cmFwLT53cmFwcGVyLmlzX3VybCA9IChyZW1vdGUgIT0gMCk7CiAKIAlyc3JjX2lkID0gWkVO RF9SRUdJU1RFUl9SRVNPVVJDRShOVUxMLCB1d3JhcCwgbGVfcHJvdG9jb2xzKTsNCg== --------------080306080707030406050608--