From b1b68af3cca9cbf5133e2dfbf63b0806abc1d6dc Mon Sep 17 00:00:00 2001 
From: Paolo Perego Date: Mon, 13 Nov 2023 16:38:47 +0100 Subject: [PATCH] Cleanup codebase --- CONTRIBUTING.md | 4 +- KnowledgeBase.md | 508 ----- Roadmap.md | 123 - doc/change.sh | 13 - doc/dawn_1_0_announcement.md | 139 -- doc/dawn_1_1_announcement.md | 67 - doc/dawn_1_2_announcement.md | 69 - doc/dawn_1_5_announcement.md | 66 - doc/dawnscanner.yml.sample | 18 - doc/kickstart_kb.tar.gz | Bin 54729 -> 0 bytes doc/knowledge_base.rb | 650 ------ doc/new_knowledge_base_v1.0.md | 78 - docs/.placeholder | 0 docs/CNAME | 1 - docs/_config.yml | 1 - ...an_incorrect_command_line.feature.disabled | 21 - ...scan_a_secure_sinatra_app.feature.disabled | 31 - ..._a_vulnerable_sinatra_app.feature.disabled | 36 - features/step_definition/dawn_steps.rb | 18 - features/support/env.rb | 1 - support/bootstrap.js | 2027 ----------------- support/bootstrap.min.css | 9 - support/codesake.css | 63 - 23 files changed, 2 insertions(+), 3941 deletions(-) delete mode 100644 KnowledgeBase.md delete mode 100644 Roadmap.md delete mode 100644 doc/change.sh delete mode 100644 doc/dawn_1_0_announcement.md delete mode 100644 doc/dawn_1_1_announcement.md delete mode 100644 doc/dawn_1_2_announcement.md delete mode 100644 doc/dawn_1_5_announcement.md delete mode 100644 doc/dawnscanner.yml.sample delete mode 100644 doc/kickstart_kb.tar.gz delete mode 100644 doc/knowledge_base.rb delete mode 100644 doc/new_knowledge_base_v1.0.md delete mode 100644 docs/.placeholder delete mode 100644 docs/CNAME delete mode 100644 docs/_config.yml delete mode 100644 features/dawn_complains_about_an_incorrect_command_line.feature.disabled delete mode 100644 features/dawn_scan_a_secure_sinatra_app.feature.disabled delete mode 100644 features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled delete mode 100644 features/step_definition/dawn_steps.rb delete mode 100644 features/support/env.rb delete mode 100644 support/bootstrap.js delete mode 100644 support/bootstrap.min.css delete mode 100644 support/codesake.css 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 5b5b1c64..3e1b4b6d 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -5,7 +5,7 @@ agree to abide by the latest version of the [Contributor Covenant Code of Conduct](http://contributor-covenant.org/version/1/4/). Are you still interested in contributing to
-[dawnscanner](https://dawnscanner.org) project? Great, here is some very basic
+[dawnscanner](https://github.com/thesp0nge/dawnscanner) project? Great, here is some very basic
 rules in order to make rocking pull requests. First of all, I use the branching model described in [this
@@ -91,4 +91,4 @@ request](https://github.com/thesp0nge/dawnscanner/compare/). Enjoy it!
-Last update: _Tue Sep 27 22:44:01 CEST 2016_
+Last update: _November 2023_
diff --git a/KnowledgeBase.md b/KnowledgeBase.md
deleted file mode 100644
index 96de9b26..00000000
--- a/KnowledgeBase.md
+++ /dev/null
@@ -1,508 +0,0 @@
-# Dawnscanner Knowledge base
-
-The knowledge base library for dawnscanner version 1.6.6 contains 235 security checks.
----
-* Simple Form XSS - 20131129: There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe.
-* [CVE-2004-0755](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0755): The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions.
-* CVE-2004-0755: The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions.
-* [CVE-2004-0983](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0983): The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request.
-* CVE-2004-0983: The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request.
-* [CVE-2005-1992](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1992): The XMLRPC server in utils.rb for the ruby library (libruby) 1.8 sets an invalid default value that prevents "security protection" using handlers, which allows remote attackers to execute arbitrary commands.
-* CVE-2005-1992: The XMLRPC server in utils.rb for the ruby library (libruby) 1.8 sets an invalid default value that prevents "security protection" using handlers, which allows remote attackers to execute arbitrary commands.
-* [CVE-2005-2337](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2337): Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin).
-* CVE-2005-2337: Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin).
-* [CVE-2006-1931](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1931): The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data.
-* CVE-2006-1931: The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data.
-* [CVE-2006-2582](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2582): The editing form in RWiki 2.1.0pre1 through 2.1.0 allows remote attackers to execute arbitrary Ruby code via unknown attack vectors.
-* CVE-2006-2582: The editing form in RWiki 2.1.0pre1 through 2.1.0 allows remote attackers to execute arbitrary Ruby code via unknown attack vectors.
-* [CVE-2006-3694](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3694): Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote attackers to bypass "safe level" checks via unspecified vectors involving (1) the alias function and (2) "directory operations".
-* CVE-2006-3694: Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote attackers to bypass "safe level" checks via unspecified vectors involving (1) the alias function and (2) "directory operations".
-* [CVE-2006-4112](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4112): Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111.
-* CVE-2006-4112: Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111.
-* [CVE-2006-5467](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467): The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an HTTP request with a multipart MIME body that contains an invalid boundary specifier, as demonstrated using a specifier that begins with a "-" instead of "--" and contains an inconsistent ID.
-* CVE-2006-5467: The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an HTTP request with a multipart MIME body that contains an invalid boundary specifier, as demonstrated using a specifier that begins with a "-" instead of "--" and contains an inconsistent ID.
-* [CVE-2006-6303](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6303): The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does not properly detect boundaries in MIME multipart content, which allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP requests, a different issue than CVE-2006-5467.
-* CVE-2006-6303: The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does not properly detect boundaries in MIME multipart content, which allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP requests, a different issue than CVE-2006-5467.
-* [CVE-2006-6852](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6852): Eval injection vulnerability in tDiary 2.0.3 and 2.1.4.20061127 allows remote authenticated users to execute arbitrary Ruby code via unspecified vectors, possibly related to incorrect input validation by (1) conf.rhtml and (2) i.conf.rhtml. NOTE: some of these details are obtained from third party information.
-* CVE-2006-6852: Eval injection vulnerability in tDiary 2.0.3 and 2.1.4.20061127 allows remote authenticated users to execute arbitrary Ruby code via unspecified vectors, possibly related to incorrect input validation by (1) conf.rhtml and (2) i.conf.rhtml. NOTE: some of these details are obtained from third party information.
-* [CVE-2006-6979](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6979): The ruby handlers in the Magnatune component in Amarok do not properly quote text in certain contexts, probably including construction of an unzip command line, which allows attackers to execute arbitrary commands via shell metacharacters.
-* CVE-2006-6979: The ruby handlers in the Magnatune component in Amarok do not properly quote text in certain contexts, probably including construction of an unzip command line, which allows attackers to execute arbitrary commands via shell metacharacters.
-* [CVE-2007-0469](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0469): The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages.
-* CVE-2007-0469: The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages.
-* [CVE-2007-5162](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5162): The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
-* CVE-2007-5162: The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
-* [CVE-2007-5379](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5379): Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
-* CVE-2007-5379: Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
-* [CVE-2007-5380](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5380): Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."
-* CVE-2007-5380: Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."
-* [CVE-2007-5770](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5770): The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162.
-* CVE-2007-5770: The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162.
-* [CVE-2007-6077](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6077): The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. It has been reviewed in 2012 and it affects also 2.3.x, 3.0.x and 3.1.x.
-* CVE-2007-6077: The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. It has been reviewed in 2012 and it affects also 2.3.x, 3.0.x and 3.1.x.
-* [CVE-2007-6612](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6612): Directory traversal vulnerability in DirHandler (lib/mongrel/handlers.rb) in Mongrel 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to read arbitrary files via an HTTP request containing double-encoded sequences (".%252e").
-* CVE-2007-6612: Directory traversal vulnerability in DirHandler (lib/mongrel/handlers.rb) in Mongrel 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to read arbitrary files via an HTTP request containing double-encoded sequences (".%252e").
-* [CVE-2008-1145](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1145): Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash () path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.
-* CVE-2008-1145: Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash () path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.
-* [CVE-2008-1891](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1891): Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option.
-* CVE-2008-1891: Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) .
(dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option.
-* [CVE-2008-2376](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2376): Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.
-* CVE-2008-2376: Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.
-* [CVE-2008-2662](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662): Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change.
-* CVE-2008-2662: Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change.
-* [CVE-2008-2663](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663): Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
-* CVE-2008-2663: Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
-* [CVE-2008-2664](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664): The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
-* CVE-2008-2664: The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
-* [CVE-2008-2725](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725): Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
-* CVE-2008-2725: Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
-* [CVE-2008-3655](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3655): Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not properly restrict access to critical variables and methods at various safe levels, which allows context-dependent attackers to bypass intended access restrictions via (1) untrace_var, (2) $PROGRAM_NAME, and (3) syslog at safe level 4, and (4) insecure methods at safe levels 1 through 3.
-* CVE-2008-3655: Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not properly restrict access to critical variables and methods at various safe levels, which allows context-dependent attackers to bypass intended access restrictions via (1) untrace_var, (2) $PROGRAM_NAME, and (3) syslog at safe level 4, and (4) insecure methods at safe levels 1 through 3.
-* [CVE-2008-3657](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3657): The dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not check "taintness" of inputs, which allows context-dependent attackers to bypass safe levels and execute dangerous functions by accessing a library using DL.dlopen.
-* CVE-2008-3657: The dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not check "taintness" of inputs, which allows context-dependent attackers to bypass safe levels and execute dangerous functions by accessing a library using DL.dlopen.
-* [CVE-2008-3790](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790): The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."
-* CVE-2008-3790: The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."
-* [CVE-2008-3905](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3905): resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.
-* CVE-2008-3905: resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.
-* [CVE-2008-4094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4094): Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
-* CVE-2008-4094: Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
-* [CVE-2008-4310](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4310): httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE: this issue exists because of an incomplete fix for CVE-2008-3656.
-* CVE-2008-4310: httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE: this issue exists because of an incomplete fix for CVE-2008-3656.
-* [CVE-2008-5189](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5189): CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
-* CVE-2008-5189: CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
-* [CVE-2008-7248](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248): Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
-* CVE-2008-7248: Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
-* [CVE-2009-4078](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4078): Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
-* CVE-2009-4078: Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
-* [CVE-2009-4124](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4124): Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1) String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of these details are obtained from third party information.
-* CVE-2009-4124: Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1) String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of these details are obtained from third party information.
-* [CVE-2009-4214](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214): Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
-* CVE-2009-4214: Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
-* [CVE-2010-1330](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1330): The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.
-* CVE-2010-1330: The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.
-* [CVE-2010-2489](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2489): Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow local users to gain privileges via a crafted ARGF.inplace_mode value that is not properly handled when constructing the filenames of the backup files
-* CVE-2010-2489: Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow local users to gain privileges via a crafted ARGF.inplace_mode value that is not properly handled when constructing the filenames of the backup files
-* [CVE-2010-3933](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3933): Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
-* CVE-2010-3933: Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
-* [CVE-2011-0188](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0188): The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue."
-* CVE-2011-0188: The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue."
-* [CVE-2011-0446](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0446): Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. Please note that victim must voluntarily interact with attack mechanism
-* CVE-2011-0446: Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value.
Please note that victim must voluntarily interact with attack mechanism
-* [CVE-2011-0447](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0447): Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
-* CVE-2011-0447: Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
-* [CVE-2011-0739](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0739): The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem 2.2.14 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address.
-* CVE-2011-0739: The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem 2.2.14 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address.
-* [CVE-2011-0995](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0995): The sqlite3-ruby gem in the rubygem-sqlite3 package before 1.2.4-0.5.1 in SUSE Linux Enterprise (SLE) 11 SP1 uses weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors.
-* CVE-2011-0995: The sqlite3-ruby gem in the rubygem-sqlite3 package before 1.2.4-0.5.1 in SUSE Linux Enterprise (SLE) 11 SP1 uses weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors.
-* [CVE-2011-1004](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1004): The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.
-* CVE-2011-1004: The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.
-* [CVE-2011-1005](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1005): The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
-* CVE-2011-1005: The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
-* [CVE-2011-2197](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2197): The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
-* CVE-2011-2197: The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
-* [CVE-2011-2686](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2686): Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. NOTE: this issue exists because of a regression during Ruby 1.8.6 development.
-* CVE-2011-2686: Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. NOTE: this issue exists because of a regression during Ruby 1.8.6 development.
-* [CVE-2011-2705](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2705): The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.
-* CVE-2011-2705: The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.
-* [CVE-2011-2929](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2929): The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."
-* CVE-2011-2929: The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."
-* [CVE-2011-2930](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2930): Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.
-* CVE-2011-2930: Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.
-* [CVE-2011-2931](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2931): Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
-* CVE-2011-2931: Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
-* [CVE-2011-2932](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2932): Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
-* CVE-2011-2932: Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
-* [CVE-2011-3009](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3009): Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900.
-* CVE-2011-3009: Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900.
-* [CVE-2011-3186](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3186): CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.
-* CVE-2011-3186: CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.
-* [CVE-2011-3187](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3187): The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
-* CVE-2011-3187: The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
-* [CVE-2011-4319](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4319): Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring.
-* CVE-2011-4319: Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring.
-* [CVE-2011-4815](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4815): Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
-* CVE-2011-4815: Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
-* [CVE-2011-5036](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5036): Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
-* CVE-2011-5036: Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
-* [CVE-2012-1098](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098): Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.
-* CVE-2012-1098: Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.
-* [CVE-2012-1099](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
-* CVE-2012-1099: Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
-* [CVE-2012-1241](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1241): GRScript18.dll before 1.2.2.0 in ActiveScriptRuby (ASR) before 1.8.7 does not properly restrict interaction with an Internet Explorer ActiveX environment, which allows remote attackers to execute arbitrary Ruby code via a crafted HTML document.
-* CVE-2012-1241: GRScript18.dll before 1.2.2.0 in ActiveScriptRuby (ASR) before 1.8.7 does not properly restrict interaction with an Internet Explorer ActiveX environment, which allows remote attackers to execute arbitrary Ruby code via a crafted HTML document.
-* [CVE-2012-2139](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2139): Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter.
-* CVE-2012-2139: Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter.
-* [CVE-2012-2140](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2140): The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.
-* CVE-2012-2140: The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.
-* [CVE-2012-2660](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2660): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
-* CVE-2012-2660: actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
-* [CVE-2012-2661](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2661): The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
-* CVE-2012-2661: The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
-* [CVE-2012-2671](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2671): The Rack::Cache rubygem 0.3.0 through 1.1 caches Set-Cookie and other sensitive headers, which allows attackers to obtain sensitive cookie information, hijack web sessions, or have other unspecified impact by accessing the cache.
-* CVE-2012-2671: The Rack::Cache rubygem 0.3.0 through 1.1 caches Set-Cookie and other sensitive headers, which allows attackers to obtain sensitive cookie information, hijack web sessions, or have other unspecified impact by accessing the cache.
-* [CVE-2012-2694](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2694): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.
-* CVE-2012-2694: actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.
-* [CVE-2012-2695](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2695): The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.
-* CVE-2012-2695: The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.
-* [CVE-2012-3424](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3424): The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
-* CVE-2012-3424: The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
-* [CVE-2012-3463](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3463): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper.
-* CVE-2012-3463: Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper.
-* [CVE-2012-3464](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3464): Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.
-* CVE-2012-3464: Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.
-* [CVE-2012-3465](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3465): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.
-* CVE-2012-3465: Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.
-* [CVE-2012-4464](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4464): Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression.
-* CVE-2012-4464: Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression.
-* [CVE-2012-4466](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4466): Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.
-* CVE-2012-4466: Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.
-* [CVE-2012-4481](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4481): The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.
-* CVE-2012-4481: The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.
-* [CVE-2012-4522](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4522): The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.
-* CVE-2012-4522: The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.
-* [CVE-2012-5370](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5370): JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
-* CVE-2012-5370: JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
-* [CVE-2012-5371](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5371): Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.
-* CVE-2012-5371: Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.
-* [CVE-2012-5380](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5380): ** DISPUTED ** Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C: directory, might allow local users to gain privileges via a Trojan horse DLL in the C:Ruby193in directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. NOTE: CVE disputes this issue because the unsafe PATH is established only by a separate administrative action that is not a default part of the Ruby installation.
-* CVE-2012-5380: ** DISPUTED ** Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C: directory, might allow local users to gain privileges via a Trojan horse DLL in the C:Ruby193in directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. NOTE: CVE disputes this issue because the unsafe PATH is established only by a separate administrative action that is not a default part of the Ruby installation.
-* [CVE-2012-6109](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6109): lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.
-* CVE-2012-6109: lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.
-* [CVE-2012-6134](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6134): Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state.
-* CVE-2012-6134: Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state.
-* [CVE-2012-6496](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6496): SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
-* CVE-2012-6496: SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
-* [CVE-2012-6497](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6497): The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product. -* CVE-2012-6497: The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product. -* [CVE-2012-6684](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684): Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI. -* CVE-2012-6684: Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI. -* [CVE-2013-0155](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155): Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694. 
-* CVE-2013-0155: Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694. -* [CVE-2013-0156](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156): active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion. -* CVE-2013-0156: active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion. -* [CVE-2013-0162](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0162): The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp. 
-* CVE-2013-0162: The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp. -* [CVE-2013-0175](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0175): multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156. -* CVE-2013-0175: multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156. -* [CVE-2013-0183](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0183): multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet. -* CVE-2013-0183: multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet. 
-* [CVE-2013-0184](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0184): Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings." -* CVE-2013-0184: Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings." -* [CVE-2013-0233](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0233): Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts. -* CVE-2013-0233: Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts. -* [CVE-2013-0256](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0256): darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL. 
-* CVE-2013-0256: darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL. -* [CVE-2013-0262](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0262): rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals." -* CVE-2013-0262: rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals." -* [CVE-2013-0263](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0263): Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time. -* CVE-2013-0263: Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time. 
-* [CVE-2013-0269](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269): The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability." -* CVE-2013-0269: The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability." -* [CVE-2013-0276](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276): ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request. -* CVE-2013-0276: ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request. -* [CVE-2013-0277](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277): ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML. 
-* CVE-2013-0277: ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML. -* [CVE-2013-0284](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0284): Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and SQL statements) by sniffing the network and deserializing the data. -* CVE-2013-0284: Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and SQL statements) by sniffing the network and deserializing the data. -* [CVE-2013-0285](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0285): The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156. -* CVE-2013-0285: The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156. 
-* [CVE-2013-0333](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0333): lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156. -* CVE-2013-0333: lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156. -* [CVE-2013-0334](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0334): CVE-2013-0334: Bundler Gem for Ruby Multiple Top-level Source Lines Gemfile Handling Gem Installation Spoofing -* CVE-2013-0334: CVE-2013-0334: Bundler Gem for Ruby Multiple Top-level Source Lines Gemfile Handling Gem Installation Spoofing -* [CVE-2013-1607](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1607): PDFKit Gem for Ruby contains a flaw that is due to the program failing to properly validate input during the handling of parameters when generating PDF files. This may allow a remote attacker to potentially execute arbitrary code via the pdfkit generation options. -* CVE-2013-1607: PDFKit Gem for Ruby contains a flaw that is due to the program failing to properly validate input during the handling of parameters when generating PDF files. This may allow a remote attacker to potentially execute arbitrary code via the pdfkit generation options. 
-* [CVE-2013-1655](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1655): Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when - running Ruby 1.9.3 or later, allows remote attackers to execute - arbitrary code via vectors related to "serialized attributes." -* CVE-2013-1655: Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when - running Ruby 1.9.3 or later, allows remote attackers to execute - arbitrary code via vectors related to "serialized attributes." -* [CVE-2013-1656](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1656): Spree Commerce 1.0.x through 1.3.2 allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function. -* CVE-2013-1656: Spree Commerce 1.0.x through 1.3.2 allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function. -* [CVE-2013-1756](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1756): Dragonfly Gem for Ruby contains a flaw that is triggered during the parsing of a specially crafted request. This may allow a remote attacker to execute arbitrary code. 
-* CVE-2013-1756: Dragonfly Gem for Ruby contains a flaw that is triggered during the parsing of a specially crafted request. This may allow a remote attacker to execute arbitrary code.
-* [CVE-2013-1800](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1800): The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
-* CVE-2013-1800: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
-* [CVE-2013-1801](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1801): The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.
-* CVE-2013-1801: The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156. 
-* [CVE-2013-1802](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1802): The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
-* CVE-2013-1802: The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
-* [CVE-2013-1812](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1812): The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.
-* CVE-2013-1812: The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.
-* [CVE-2013-1821](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821): lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 and 2.0.0-p0 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.
-* CVE-2013-1821: lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 and 2.0.0-p0 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack. 
-* [CVE-2013-1854](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1854): The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
-* CVE-2013-1854: The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
-* [CVE-2013-1855](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1855): The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
-* CVE-2013-1855: The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. 
-* [CVE-2013-1856](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1856): The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
-* CVE-2013-1856: The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
-* [CVE-2013-1857](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1857): The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence. 
-* CVE-2013-1857: The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence.
-* [CVE-2013-1875](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1875): command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.
-* CVE-2013-1875: command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.
-* [CVE-2013-1898](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1898): lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
-* CVE-2013-1898: lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
-* [CVE-2013-1911](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1911): lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name.
-* CVE-2013-1911: lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name.
-* [CVE-2013-1933](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1933): The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename. 
-* CVE-2013-1933: The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename.
-* [CVE-2013-1947](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1947): kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to (1) document.rb, (2) video.rb, or (3) video_image.rb.
-* CVE-2013-1947: kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to (1) document.rb, (2) video.rb, or (3) video_image.rb.
-* [CVE-2013-1948](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1948): converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.
-* CVE-2013-1948: converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.
-* [CVE-2013-2065](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2065): Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in tainted objects being accepted as input when a SecurityError exception should be raised.
-* CVE-2013-2065: Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in tainted objects being accepted as input when a SecurityError exception should be raised.
-* [CVE-2013-2090](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2090): Ruby Gem Creme Fraiche version 0.6 suffers from a remote command injection vulnerability due to unsanitized input. 
-* CVE-2013-2090: Ruby Gem Creme Fraiche version 0.6 suffers from a remote command injection vulnerability due to unsanitized input.
-* [CVE-2013-2105](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2105): The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.
-* CVE-2013-2105: The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.
-* [CVE-2013-2119](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2119): Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.
-* CVE-2013-2119: Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.
-* [CVE-2013-2512](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2512): ftpd Gem for Ruby contains a flaw that is triggered when handling a specially crafted option or filename that contains a shell character. This may allow a remote attacker to inject arbitrary commands
-* CVE-2013-2512: ftpd Gem for Ruby contains a flaw that is triggered when handling a specially crafted option or filename that contains a shell character. This may allow a remote attacker to inject arbitrary commands
-* [CVE-2013-2513](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2513): flash_tool Gem for Ruby contains a flaw that is triggered during the handling of downloaded files that contain shell characters. 
With a specially crafted file, a context-dependent attacker can execute arbitrary commands.
-* CVE-2013-2513: flash_tool Gem for Ruby contains a flaw that is triggered during the handling of downloaded files that contain shell characters. With a specially crafted file, a context-dependent attacker can execute arbitrary commands.
-* [CVE-2013-2516](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2516): fileutils Gem for Ruby contains a flaw in file_utils.rb. The issue is triggered when handling a specially crafted URL containing a command after a delimiter (;). This may allow a remote attacker to potentially execute arbitrary commands.
-* CVE-2013-2516: fileutils Gem for Ruby contains a flaw in file_utils.rb. The issue is triggered when handling a specially crafted URL containing a command after a delimiter (;). This may allow a remote attacker to potentially execute arbitrary commands.
-* [CVE-2013-2615](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2615): lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
-* CVE-2013-2615: lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
-* [CVE-2013-2616](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2616): lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
-* CVE-2013-2616: lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
-* [CVE-2013-2617](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2617): lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. 
-* CVE-2013-2617: lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. -* [CVE-2013-3221](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3221): The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. -* CVE-2013-3221: The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database. -* [CVE-2013-4164](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164): Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) are vulnerable. -* CVE-2013-4164: Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) are vulnerable. 
-* [CVE-2013-4203](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4203): The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.
-* CVE-2013-4203: The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.
-* [CVE-2013-4389](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389): Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.
-* CVE-2013-4389: Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.
-* [CVE-2013-4413](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4413): Wicked Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed via the 'the_step' parameter upon submission to the render_redirect.rb script. This may allow a remote attacker to gain access to arbitrary files.
-* CVE-2013-4413: Wicked Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed via the 'the_step' parameter upon submission to the render_redirect.rb script. This may allow a remote attacker to gain access to arbitrary files.
-* [CVE-2013-4457](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4457): The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation.
-* CVE-2013-4457: The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation.
-* [CVE-2013-4478](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4478): Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.
-* CVE-2013-4478: Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.
-* [CVE-2013-4479](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4479): lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the content_type of an email attachment.
-* CVE-2013-4479: lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the content_type of an email attachment.
-* [CVE-2013-4489](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4489): There is a remote code execution vulnerability in the code search feature of GitLab provided by the grit gem.
-* CVE-2013-4489: There is a remote code execution vulnerability in the code search feature of GitLab provided by the grit gem.
-* [CVE-2013-4491](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.
-* CVE-2013-4491: Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.
-* [CVE-2013-4492](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4492): Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call.
-* CVE-2013-4492: Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call.
-* [CVE-2013-4562](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4562): Because of the way that omniauth-facebook supports setting a per-request state parameter by storing it in the session, it is possible to circumvent the automatic CSRF protection. Therefore the CSRF added in 1.4.1 should be considered broken. If you are currently providing a custom state, you will need to store and retrieve this yourself (for example, by using the session store) to use 1.5.0.
-* CVE-2013-4562: Because of the way that omniauth-facebook supports setting a per-request state parameter by storing it in the session, it is possible to circumvent the automatic CSRF protection.
Therefore the CSRF added in 1.4.1 should be considered broken. If you are currently providing a custom state, you will need to store and retrieve this yourself (for example, by using the session store) to use 1.5.0.
-* [CVE-2013-4593](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4593): omniauth-facebook Gem for Ruby contains a flaw that is due to the application supporting passing the access token via the URL. This may allow a remote attacker to bypass authentication and authenticate as another user.
-* CVE-2013-4593: omniauth-facebook Gem for Ruby contains a flaw that is due to the application supporting passing the access token via the URL. This may allow a remote attacker to bypass authentication and authenticate as another user.
-* [CVE-2013-5647](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5647): lib/sounder/sound.rb in the sounder gem 1.0.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.
-* CVE-2013-5647: lib/sounder/sound.rb in the sounder gem 1.0.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.
-* [CVE-2013-5671](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5671): fog-dragonfly Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed via the imagemagickutils.rb script. This may allow a remote attacker to execute arbitrary commands.
-* CVE-2013-5671: fog-dragonfly Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed via the imagemagickutils.rb script. This may allow a remote attacker to execute arbitrary commands.
-* [CVE-2013-6414](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414): actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.
-* CVE-2013-6414: actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.
-* [CVE-2013-6415](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415): Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.
-* CVE-2013-6415: Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.
-* [CVE-2013-6416](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6416): Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.
-* CVE-2013-6416: Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.
-* [CVE-2013-6417](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
-* CVE-2013-6417: actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
-* [CVE-2013-6421](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6421): The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path.
-* CVE-2013-6421: The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path.
-* [CVE-2013-6459](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6459): Cross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links.
-* CVE-2013-6459: Cross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links.
-* [CVE-2013-6460](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6460): There is a vulnerability in Nokogiri when using JRuby where the parser can enter an infinite loop and exhaust the process memory. Nokogiri users on JRuby using the native Java extension. Attackers can send XML documents with carefully crafted documents which can cause the XML processor to enter an infinite loop, causing the server to run out of memory and crash.
-* CVE-2013-6460: There is a vulnerability in Nokogiri when using JRuby where the parser can enter an infinite loop and exhaust the process memory. Nokogiri users on JRuby using the native Java extension. Attackers can send XML documents with carefully crafted documents which can cause the XML processor to enter an infinite loop, causing the server to run out of memory and crash.
-* [CVE-2013-6461](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6461): There is an entity expansion vulnerability in Nokogiri when using JRuby. Nokogiri users on JRuby using the native Java extension. Attackers can send
-XML documents with carefully crafted entity expansion strings which can cause the server to run out of memory and crash.
-* CVE-2013-6461: There is an entity expansion vulnerability in Nokogiri when using JRuby. Nokogiri users on JRuby using the native Java extension. Attackers can send
-XML documents with carefully crafted entity expansion strings which can cause the server to run out of memory and crash.
-* [CVE-2013-7086](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7086): The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.
-* CVE-2013-7086: The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.
-* [CVE-2014-0036](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0036): rbovirt Gem for Ruby contains a flaw related to certificate validation. The issue is due to the program failing to validate SSL certificates. This may allow an attacker with access to network traffic (e.g. MiTM, DNS cache poisoning) to spoof the SSL server via an arbitrary certificate that appears valid. Such an attack would allow for the interception of sensitive traffic, and potentially allow for the injection of content into the SSL stream.
-* CVE-2014-0036: rbovirt Gem for Ruby contains a flaw related to certificate validation. The issue is due to the program failing to validate SSL certificates. This may allow an attacker with access to network traffic (e.g. MiTM, DNS cache poisoning) to spoof the SSL server via an arbitrary certificate that appears valid. Such an attack would allow for the interception of sensitive traffic, and potentially allow for the injection of content into the SSL stream.
-* [CVE-2014-0080](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0080): SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving (backslash) characters that are not properly handled in operations on array columns.
-* CVE-2014-0080: SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving (backslash) characters that are not properly handled in operations on array columns.
-* [CVE-2014-0081](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081): Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
-* CVE-2014-0081: Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
-* [CVE-2014-0082](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082): actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
-* CVE-2014-0082: actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
-* [CVE-2014-0130](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130): The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server.
-* CVE-2014-0130: The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server.
-* [CVE-2014-1233](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1233): The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.
-* CVE-2014-1233: The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.
-* [CVE-2014-1234](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1234): The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.
-* CVE-2014-1234: The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.
-* [CVE-2014-2322](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2322): Arabic Prawn Gem for Ruby contains a flaw in the ib/string_utf_support.rb file. The issue is due to the program failing to sanitize user input. This may allow a remote attacker to inject arbitrary commands.
-* CVE-2014-2322: Arabic Prawn Gem for Ruby contains a flaw in the ib/string_utf_support.rb file. The issue is due to the program failing to sanitize user input. This may allow a remote attacker to inject arbitrary commands.
-* [CVE-2014-2525](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525):
-* CVE-2014-2525:
-* [CVE-2014-2538](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2538): rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
-* CVE-2014-2538: rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
-* [CVE-2014-3482](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3482): Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting bitstrings. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
-* CVE-2014-3482: Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting bitstrings. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
-* [CVE-2014-3483](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3483): Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting ranges. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
-* CVE-2014-3483: Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting ranges. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
-* [CVE-2014-3916](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3916): The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string.
-* CVE-2014-3916: The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string.
-* [CVE-2014-4975](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4975): Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow.
-* CVE-2014-4975: Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow.
-* [CVE-2014-7818](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7818): Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.
-* CVE-2014-7818: Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.
-* [CVE-2014-7819](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7819): Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
-* CVE-2014-7819: Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
-* [CVE-2014-7829](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7829): Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a (backslash) character, a similar issue to CVE-2014-7818.
-* CVE-2014-7829: Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a (backslash) character, a similar issue to CVE-2014-7818.
-* [CVE-2014-8090](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090): The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack.
NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.
-* CVE-2014-8090: The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.
-* [CVE-2014-9490](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9490): The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number.
-* CVE-2014-9490: The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number.
-* [CVE-2015-1819](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1819): Nokogiri versions before 1.6.6.4 contain a vulnerable version of libxml2 as a C extension. The vulnerability allows for memory consumption denial of service.
-* CVE-2015-1819: Nokogiri versions before 1.6.6.4 contain a vulnerable version of libxml2 as a C extension. The vulnerability allows for memory consumption denial of service.
-* [CVE-2015-1840](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1840): jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
-* CVE-2015-1840: jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
-* [CVE-2015-1840](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1840): jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
-* CVE-2015-1840: jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
-* [CVE-2015-2963](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2963): The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg.
-* CVE-2015-2963: The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg.
-* [CVE-2015-3224](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3224): request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.
-* CVE-2015-3224: request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.
-* [CVE-2015-3225](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3225): lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.
-* CVE-2015-3225: lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.
-* [CVE-2015-3226](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226): Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
-* CVE-2015-3226: Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
-* [CVE-2015-3227](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227): The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
-* CVE-2015-3227: The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
-* [CVE-2015-3448](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3448): REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log.
-* CVE-2015-3448: REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log.
-* [CVE-2015-4020](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4020): RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API request, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a 'DNS hijack attack.'
-* CVE-2015-4020: RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API request, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a 'DNS hijack attack.'
-* [CVE-2015-5312](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5312): The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660. -* CVE-2015-5312: The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660. -* [CVE-2015-7497](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7497): Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors. -* CVE-2015-7497: Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors. -* [CVE-2015-7498](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7498): Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure. -* CVE-2015-7498: Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure. 
-* [CVE-2015-7499](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499): Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. -* CVE-2015-7499: Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. -* [CVE-2015-7500](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500): The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags. -* CVE-2015-7500: The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags. -* [CVE-2015-7519](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7519): agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header. -* CVE-2015-7519: agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header. 
-* [CVE-2015-7541](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7541): The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metacharacters in the (1) image_path, (2) colors, or (3) depth variable. -* CVE-2015-7541: The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metacharacters in the (1) image_path, (2) colors, or (3) depth variable. -* [CVE-2015-7576](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7576): There is a timing attack vulnerability in the basic authentication support in Action Controller. Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. -* CVE-2015-7576: There is a timing attack vulnerability in the basic authentication support in Action Controller. Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. -* [CVE-2015-7577](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7577): There is a vulnerability in how the nested attributes feature in Active Record handles updates in combination with destroy flags when destroying records is disabled. -* CVE-2015-7577: There is a vulnerability in how the nested attributes feature in Active Record handles updates in combination with destroy flags when destroying records is disabled. -* [CVE-2015-7578](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7578): There is a possible XSS vulnerability in rails-html-sanitizer. 
Certain attributes are not removed from tags when they are sanitized, and these attributes can lead to an XSS attack on target applications. -* CVE-2015-7578: There is a possible XSS vulnerability in rails-html-sanitizer. Certain attributes are not removed from tags when they are sanitized, and these attributes can lead to an XSS attack on target applications. -* [CVE-2015-7579](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7579): There is a XSS vulnerability in Rails::Html::FullSanitizer used by Action View's strip_tags. Due to the way that Rails::Html::FullSanitizer is implemented, if an attacker passes an already escaped HTML entity to the input of Action View's strip_tags these entities will be unescaped what may cause a XSS attack if used in combination with raw or html_safe. -* CVE-2015-7579: There is a XSS vulnerability in Rails::Html::FullSanitizer used by Action View's strip_tags. Due to the way that Rails::Html::FullSanitizer is implemented, if an attacker passes an already escaped HTML entity to the input of Action View's strip_tags these entities will be unescaped what may cause a XSS attack if used in combination with raw or html_safe. -* [CVE-2015-7581](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7581): There is an object leak vulnerability for wildcard controllers in Action Pack. Users that have a route that contains the string ":controller" are susceptible to objects being leaked globally which can lead to unbounded memory growth. -* CVE-2015-7581: There is an object leak vulnerability for wildcard controllers in Action Pack. Users that have a route that contains the string ":controller" are susceptible to objects being leaked globally which can lead to unbounded memory growth. 
-* [CVE-2015-8241](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8241): The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. -* CVE-2015-8241: The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. -* [CVE-2015-8242](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8242): The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. -* CVE-2015-8242: The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. 
-* [CVE-2015-8317](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8317): The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read -* CVE-2015-8317: The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read -* [CVE-2016-0751](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751): There is a possible object leak which can lead to a denial of service vulnerability in Action Pack. A carefully crafted accept header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack. -* CVE-2016-0751: There is a possible object leak which can lead to a denial of service vulnerability in Action Pack. A carefully crafted accept header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack. -* [CVE-2016-0752](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0752): There is a possible directory traversal and information leak vulnerability in Action View. Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability. -* CVE-2016-0752: There is a possible directory traversal and information leak vulnerability in Action View. Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability. -* [CVE-2016-0753](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0753): There is a possible input validation circumvention vulnerability in Active Model. 
Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations. -* CVE-2016-0753: There is a possible input validation circumvention vulnerability in Active Model. Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations. -* [CVE-2016-2097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2097): Possible Information Leak Vulnerability in Action View. There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all the scenarios. -* CVE-2016-2097: Possible Information Leak Vulnerability in Action View. There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all the scenarios. -* [CVE-2016-2098](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2098): There is a possible remote code execution vulnerability in Action Pack. Applications that pass unverified user input to the render method in a -controller or a view may be vulnerable to a code injection. -* CVE-2016-2098: There is a possible remote code execution vulnerability in Action Pack. Applications that pass unverified user input to the render method in a -controller or a view may be vulnerable to a code injection. 
-* [CVE-2016-5697](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697): ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack in the specific scenario where there was a signature that referenced at the same time 2 elements (but past the scheme validator process since 1 of the element was inside the encrypted assertion). -* CVE-2016-5697: ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack in the specific scenario where there was a signature that referenced at the same time 2 elements (but past the scheme validator process since 1 of the element was inside the encrypted assertion). -* [CVE-2016-6316](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6316): Text declared as "HTML safe" when passed as an attribute value to a tag helper will not have quotes escaped which can lead to an XSS attack. -* CVE-2016-6316: Text declared as "HTML safe" when passed as an attribute value to a tag helper will not have quotes escaped which can lead to an XSS attack. -* [CVE-2016-6317](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6317): Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does not let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it. -* CVE-2016-6317: Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does not let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it. 
-* [CVE-2016-6582](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6582): Doorkeeper failed to implement OAuth 2.0 Token Revocation (RFC 7009) in the following ways: - -Public clients making valid, unauthenticated calls to revoke a token would not have their token revoked -Requests were not properly authenticating the client credentials but were, instead, looking at the access token in a second location -Because of 2, the requests were also not authorizing confidential clients’ ability to revoke a given token. It should only revoke tokens that belong to it. -The security implication is: OAuth 2.0 clients who "log out" a user expect to have the corresponding access & refresh tokens revoked, preventing an attacker who may have already hijacked the session from continuing to impersonate the victim. Because of the bug described above, this is not the case. As far as OWASP is concerned, this counts as broken authentication design. - -MITRE has assigned CVE-2016-6582 due to the security issues raised. An attacker, thanks to 1, can replay a hijacked session after a victim logs out/revokes their token. Additionally, thanks to 2 & 3, an attacker via a compromised confidential client could "grief" other clients by revoking their tokens (albeit this is an exceptionally narrow attack with little value). -* CVE-2016-6582: Doorkeeper failed to implement OAuth 2.0 Token Revocation (RFC 7009) in the following ways: - -Public clients making valid, unauthenticated calls to revoke a token would not have their token revoked -Requests were not properly authenticating the client credentials but were, instead, looking at the access token in a second location -Because of 2, the requests were also not authorizing confidential clients’ ability to revoke a given token. It should only revoke tokens that belong to it. 
-The security implication is: OAuth 2.0 clients who "log out" a user expect to have the corresponding access & refresh tokens revoked, preventing an attacker who may have already hijacked the session from continuing to impersonate the victim. Because of the bug described above, this is not the case. As far as OWASP is concerned, this counts as broken authentication design. - -MITRE has assigned CVE-2016-6582 due to the security issues raised. An attacker, thanks to 1, can replay a hijacked session after a victim logs out/revokes their token. Additionally, thanks to 2 & 3, an attacker via a compromised confidential client could "grief" other clients by revoking their tokens (albeit this is an exceptionally narrow attack with little value). -* [OSVDB-105971](http://osvdb.org/show/osvdb/105971): sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands. -* OSVDB-105971: sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands. -* [OSVDB-108569](http://osvdb.org/show/osvdb/108569): backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information. -* OSVDB-108569: backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information. 
-* [OSVDB-108570](http://osvdb.org/show/osvdb/108570): backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands. -* OSVDB-108570: backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands. -* [OSVDB-108530](http://osvdb.org/show/osvdb/108530): kajam Gem for Ruby contains a flaw in /dataset/lib/dataset/database/postgresql.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands. -* OSVDB-108530: kajam Gem for Ruby contains a flaw in /dataset/lib/dataset/database/postgresql.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands. -* [OSVDB-108563](http://osvdb.org/show/osvdb/108563): gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands. -* OSVDB-108563: gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands. -* [OSVDB_115654](http://osvdb.org/show/osvdb/115654): Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script that is triggered when large numeric values are stored as an exponent or in scientific notation. With a specially crafted request, an attacker can cause the software to consume excessive resources resulting in a denial of service. -* OSVDB_115654: Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script that is triggered when large numeric values are stored as an exponent or in scientific notation. With a specially crafted request, an attacker can cause the software to consume excessive resources resulting in a denial of service. 
-* [OSVDB_116010](http://osvdb.org/show/osvdb/116010): Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors. -* OSVDB_116010: Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors. -* [OSVDB_117903](http://osvdb.org/show/osvdb/117903): ruby-saml contains a flaw that is triggered as the URI value of a SAML response is not properly sanitized through a prepared statement. This may allow a remote attacker to execute arbitrary shell commands on the host machine. -* OSVDB_117903: ruby-saml contains a flaw that is triggered as the URI value of a SAML response is not properly sanitized through a prepared statement. This may allow a remote attacker to execute arbitrary shell commands on the host machine. -* [OSVDB_118579](http://osvdb.org/show/osvdb/118579): xaviershay-dm-rails Gem for Ruby contains a flaw in the execute() function in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is due to the function exposing sensitive information via the process table. This may allow a local attack to gain access to MySQL credential information. -* OSVDB_118579: xaviershay-dm-rails Gem for Ruby contains a flaw in the execute() function in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is due to the function exposing sensitive information via the process table. This may allow a local attack to gain access to MySQL credential information. -* [OSVDB_118830](http://osvdb.org/show/osvdb/118830): Doorkeeper Gem for Ruby contains a flaw in lib/doorkeeper/engine.rb. The issue is due to the program storing sensitive information in production logs. 
This may allow a local attacker to gain access to sensitive information. -* OSVDB_118830: Doorkeeper Gem for Ruby contains a flaw in lib/doorkeeper/engine.rb. The issue is due to the program storing sensitive information in production logs. This may allow a local attacker to gain access to sensitive information. -* [OSVDB_118954](http://osvdb.org/show/osvdb/118954): Ruby on Rails contains a flaw that is triggered when handling a to_json call to ActiveModel::Name, which can cause an infinite loop. This may allow a remote attacker to cause a denial of service. -* OSVDB_118954: Ruby on Rails contains a flaw that is triggered when handling a to_json call to ActiveModel::Name, which can cause an infinite loop. This may allow a remote attacker to cause a denial of service. -* [OSVDB_119878](http://osvdb.org/show/osvdb/119878): rest-client Gem for Ruby contains a flaw in abstract_response.rb related to the handling of set-cookie headers in redirection responses that allows a remote, user-assisted attacker to conduct a session fixation attack. This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. With a specially crafted request fixating the session identifier, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session to be subsequently hijacked. -* OSVDB_119878: rest-client Gem for Ruby contains a flaw in abstract_response.rb related to the handling of set-cookie headers in redirection responses that allows a remote, user-assisted attacker to conduct a session fixation attack. This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. 
With a specially crafted request fixating the session identifier, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session to be subsequently hijacked. -* [OSVDB_119927](http://osvdb.org/show/osvdb/119927): http Gem for Ruby contains a flaw related to certificate validation. The issue is due to a failure to call the OpenSSL::SSL::SSLSocket#post_connection_check method, leading to hostnames not being properly verified. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MiTM, DNS cache poisoning) can disclose and optionally manipulate transmitted data. -* OSVDB_119927: http Gem for Ruby contains a flaw related to certificate validation. The issue is due to a failure to call the OpenSSL::SSL::SSLSocket#post_connection_check method, leading to hostnames not being properly verified. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MiTM, DNS cache poisoning) can disclose and optionally manipulate transmitted data. -* [OSVDB_120415](http://osvdb.org/show/osvdb/120415): redcarpet gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the parse_inline() function in markdown.c does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. -* OSVDB_120415: redcarpet gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the parse_inline() function in markdown.c does not validate input before returning it to users. 
This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. -* [OSVDB_120857](http://osvdb.org/show/osvdb/120857): refile Gem for Ruby contains a flaw that is triggered when input is not sanitized when handling the 'remote_image_url' field in a form, where 'image' is the name of the attachment. This may allow a remote attacker to execute arbitrary shell commands. -* OSVDB_120857: refile Gem for Ruby contains a flaw that is triggered when input is not sanitized when handling the 'remote_image_url' field in a form, where 'image' is the name of the attachment. This may allow a remote attacker to execute arbitrary shell commands. -* [OSVDB_121701](http://osvdb.org/show/osvdb/121701): open-uri-cached Gem for Ruby contains a flaw that is due to the program creating temporary files in a predictable, unsafe manner when using YAML. This may allow a local attacker to gain elevated privileges. -* OSVDB_121701: open-uri-cached Gem for Ruby contains a flaw that is due to the program creating temporary files in a predictable, unsafe manner when using YAML. This may allow a local attacker to gain elevated privileges. -* [OSVDB_132234](http://osvdb.org/show/osvdb/132234): When using rack-attack with a rails app, developers expect the request path to be normalized. In particular, trailing slashes are stripped so a request path "/login/" becomes "/login" by the time you're in ActionController. Since Rack::Attack runs before ActionDispatch, the request path is not yet normalized. This can cause throttles and blacklists to not work as expected. E.g., a throttle: throttle('logins', ...) {|req| req.path == "/login" } would not match a request to '/login/', though Rails would route '/login/' to the same '/login' action. -* OSVDB_132234: When using rack-attack with a rails app, developers expect the request path to be normalized. 
In particular, trailing slashes are stripped so a request path "/login/" becomes "/login" by the time you're in ActionController. Since Rack::Attack runs before ActionDispatch, the request path is not yet normalized. This can cause throttles and blacklists to not work as expected. E.g., a throttle: throttle('logins', ...) {|req| req.path == "/login" } would not match a request to '/login/', though Rails would route '/login/' to the same '/login' action. -* Owasp Ror CheatSheet: Command Injection: Ruby offers a function called "eval" which will dynamically build new Ruby code based on Strings. It also has a number of ways to call system commands. While the power of these commands is quite useful, extreme care should be taken when using them in a Rails based application. Usually, its just a bad idea. If need be, a whitelist of possible values should be used and any input should be validated as thoroughly as possible. The Ruby Security Reviewer's Guide has a section on injection and there are a number of OWASP references for it, starting at the top: Command Injection. -* Owasp Ror CheatSheet: Cross Site Request Forgery: Ruby on Rails has specific, built in support for CSRF tokens. To enable it, or ensure that it is enabled, find the base ApplicationController and look for the protect_from_forgery directive. Note that by default Rails does not provide CSRF protection for any HTTP GET request. -* Owasp Ror CheatSheet: Session management: By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session. 
-* Owasp Ror CheatSheet: Mass Assignement in model: Although the major issue with Mass Assignment has been fixed by default in base Rails specifically when generating new projects, it still applies to older and upgraded projects so it is important to understand the issue and to ensure that only attributes that are intended to be modifiable are exposed. -* Owasp Ror CheatSheet: Security Related Headers: To set a header value, simply access the response.headers object as a hash inside your controller (often in a before/after_filter). Rails 4 provides the "default_headers" functionality that will automatically apply the values supplied. This works for most headers in almost all cases. -* Owasp Ror CheatSheet: Check for safe redirect and forward: Web applications often require the ability to dynamically redirect users based -on client-supplied data. To clarify, dynamic redirection usually entails the -client including a URL in a parameter within a request to the application. Once -received by the application, the user is redirected to the URL specified in the -request. - -For example: http://www.example.com/redirect?url=http://www.example_commerce_site.com/checkout - -The above request would redirect the user to http://www.example.com/checkout. - -The security concern associated with this functionality is leveraging an -organization's trusted brand to phish users and trick them into visiting a -malicious site, in our example, "badhacker.com". - -Example: http://www.example.com/redirect?url=http://badhacker.com - -The most basic, but restrictive protection is to use the :only_path option. -Setting this to true will essentially strip out any host information. -* Owasp Ror CheatSheet: Sensitive Files: Many Ruby on Rails apps are open source and hosted on publicly available source code repositories. Whether that is the case or the code is committed to a corporate source control system, there are certain files that should be either excluded or carefully managed. 
-* Not revised code: Analyzing comments, it seems your code is waiting from some review from you. Please consider take action before putting it in production. -This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME - - -_Last updated: Tue 01 Nov 18:59:32 CET 2016_ diff --git a/Roadmap.md b/Roadmap.md deleted file mode 100644 index 8638bdf9..00000000 --- a/Roadmap.md +++ /dev/null 
@@ -1,123 +0,0 @@ -# Dawnscanner - roadmap - -Dawnscanner is a static analysis security scanner for ruby written web applications. -It supports [Sinatra](http://www.sinatrarb.com), -[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org) -frameworks. - -This is an ongoing roadmap for the Dawnscanner source code review tool. - -The document is _dynamic_ and feature schedule may vary. If you do need a -feature to be included sooner, please open an [issue on -github](https://github.com/thesp0nge/dawnscanner/issues/new) - -_latest update: mar 7 mag 2019, 17:48:53, CEST_ - - -* Add Hanami support -* Add node.js support - -* Add Maven support (this will lead of creating the skeleton of a - dawnscanner-java gem. I will decide later if it will stay with the core or if - it will be a separted gem plugging into dawnscanner as plugin). -* Add support for pure Rack applications -* Add basic support for Javascript. At the beginning, it will be a signature - based support. dawnscanner will try to detect the js library version by using - SHA hashing functions, comparing it with fingerprint of vulnerable libraies. - Of course, this will lead to false negatives if a user tamper the original - JS. We must consider also minified versions and we're not able to deal with - obfuscated code. 
- - -* Issue #131 - Adding a check for OSVDB 119927 : http Gem for Ruby SSL Certificate Validation MitM Spoofing -* Issue #119 - Adding a check for OSVDB 114641 : Ruby lib/rexml/entity.rb NULL String Handling Recursive XML External Entity (XXE) Expansion Resource Consumption Remote DoS -* Issue #118 - Adding a check for OSVDB 113965 : Sprockets Gem for Ruby Unspecified Request Handling File Enumeration -* Issue #117 - Adding a check for OSVDB 113986 : Ruby on Rails Action Pack Gem Unspecified Request Handling File Enumeration -* Issue #116 - Adding a check for OSVDB 113747 : Ruby lib/rexml/entity.rb XML External Entity (XXE) Expansion Remote DoS -* Issue #115 - Adding a check for OSVDB 112346 : Web Console Gem for Ruby on Rails Unspecified Issue -* Issue #114 - Adding a check for OSVDB 112347 : Ruby on Rails Active Job Global ID String Argument Deserialization Unspecified Object Injection -* Issue #113 - Adding a check for OSVDB 112683 : as Gem for Ruby Process List Local Plaintext Credentials Disclosure -* Issue #112 - Adding a check for OSVDB 115891 : Active Resource (ARes) Gem for Ruby lib/active_resource/base.rb Thread Object Instantiation Unspecified Issue -* Issue #111 - Adding a check for OSVDB 110796 : FlavourSaver Gem for Ruby Kernel::send Method Template Helper Calling Remote Code Execution -* Issue #110 - Adding a check for OSVDB 108971 : Ruby pack.c encodes() Function Remote Stack Buffer Overflow -* Issue #109 - Adding a check for OSVDB 110439 : Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution -* Issue #108 - Adding a check for OSVDB 110147 : Active Record Gem for Ruby create_with Method Strong Parameter Protection Bypass -* Issue #107 - Adding a check for OSVDB 110004 : Bundler Gem for Ruby Multiple Top-level Source Lines Gemfile Handling Gem Installation Spoofing -* Issue #106 - Adding a check for OSVDB 108899 : brbackup Gem for Ruby /lib/brbackup.rb name Parameter SQL Injection -* Issue #105 - Adding a check for OSVDB 
108901 : brbackup Gem for Ruby Process List Local Plaintext Password Disclosure -* Issue #104 - Adding a check for OSVDB 108900 : brbackup Gem for Ruby dbuser Variable Shell Metacharacter Injection Remote Command Execution -* Issue #103 - Ruby pack.c encodes() Function Remote Stack Buffer Overflow -* Issue #96 - Sinatra apps without views: NoMethodError -* adding test for CVE-2011-4969 XSS in jquery < 1.6.2 - - -* Add a language check. It will handle a ruby script as input and a - ruby\_parser line as unsafe pattern. It will compile the ruby and look for - the unsafe pattern -* Cross Site Scripting, SQL injection and CSRF detection: it must be done for - all MVC frameworks (including Rack) and it must cover either reflected than - stored attack patterns -* Owasp RoR cheatsheet check for backup files **MUST** be integrated in - dawnscanner the proper way. This is a dynamic tests that it must be run in a - static way, looking for the public directory for old and backup files - pattern. - -### New features - -* Separate dependencies check from model, view and controller analysis. -* Add a '--ab-decision' flag. Can be a good idea to make dawnscanner able just - to say a quick "go/no go" for a release with a small json output like - {decision:"GO", vulns: 12, mean\_cvss: 3.2} or {decision:"NO GO", vulns: 9, - mean\_cvss:9.2} -* Add a --github option to Dawnscanner to clone a remote repository, perform - a bundle install and do a code review. -* SQLite3 integration for saving data. Each project will have its own SQLite - database containing reviews, findings and all. A table with Dawnscanner - version it created the database will be inserted as well -* Add source code metrics gathering (lines of code, lines of comments, - cyclomatic complexity index, ...) -* Add a ruby deprecation check, accordingly to - https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering -* Add support for github hooks -* Add a new way to handle KB. 
Like wpscan, the KB must be separated and - deployed using dawnscanner.org web site and a --update flag, people can use - to upgrade and have new checks. Of course, new checks would be also rely on - newer APIs, so a require dawnscanner info must be given and user forced also - to upgrade the tool. KB download must be digitally signed and encrypted. -* Improving HTML output - -### New Knowledge Base - -* Issue #147 : In the KB revamp, a task to automate security issues search - either in CVE archive than OSVDB or Ruby related mailing lists, it must be - created. - -### Issues - -* Issue #148 - Adding a check for CVE-2011-4969: XSS in jquery < 1.6.2 - -### Deprecates - -* BasicCheck.priority - -### Other - -* clean rake kb:lint output -* clean rspec 'passing' tests - -## Version 2.5.0 (est. December 2016) - -* Add automatic mitigation patch generation for Ruby -* Add Opal support - -## Long term Roadmap - -This section is the long term part of dawnscanner roadmap. It anticipates -features they will come from version 3 or later. - -* Some dynamic test -* Add WordPress themes/plugin support -* Add Ember support -* Add Joomla support -* Add Go support -* Add general PHP support diff --git a/doc/change.sh b/doc/change.sh deleted file mode 100644 index b6129562..00000000 --- a/doc/change.sh +++ /dev/null @@ -1,13 +0,0 @@ -LIST=`ls *.yml | sort` -TOCHANGE=$1 - -if [ -z $TOCHANGE ]; then - echo "an argument is required" - exit 1 -fi - -for i in $LIST -do - sed -i 's/object:Dawn::Kb::'`basename $i .yml`'/object:Dawn::Kb::'$TOCHANGE'/g' $i -done - diff --git a/doc/dawn_1_0_announcement.md b/doc/dawn_1_0_announcement.md deleted file mode 100644 index 171a5ff6..00000000 --- a/doc/dawn_1_0_announcement.md +++ /dev/null 
@@ -1,139 +0,0 @@ - -## Press announcement - -After 9 months of development, it's now time for Codesake::Dawn security source -code scanner first major release. - -Codesake::Dawn is a static analysis security scanner for ruby written web applications. -It supports [Sinatra](http://www.sinatrarb.com), -[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org) -frameworks. - -Version 1.0 introduces 142 security checks against public bulletins since 2006, -you can use to check the vulnerabilities introduced by third party libraries -your web application include in its Gemfile. - -Writing safe code it's important, but sometimes security issues are introduced -by third party code your application relies on. As example, consider a SQL -Injection vulnerability introduced by Ruby on Rails framework. Despite the -effort you spend in sanitize inputs, your web application inherits the -vulnerability suffering as well. An attacker can easily exploit it and break -into your database unless you upgrade the offended gem. - -There is a comprehensive set of command line flags you can read more by issuing -```dawn -h``` flag or by reading [project README](https://github.com/codesake/codesake-dawn/raw/master/README.md) file. - -The list of security checks included in version 1.0.0 can be found online at: -[http://dawn.codesake.com/knowledge-base](http://dawn.codesake.com/knowledge-base). - -You can use [facilities provided by -github](https://github.com/codesake/codesake-dawn/issues) to submit bug -reports, product enhancements, new security checks you want to me to add in -future releases and even success stories. 
- -Now it's time for you to install Codesake::Dawn version 1.0.0 with the -following command and start reviewing your code for security issues: - -``` -$ gem install codesake-dawn -``` - -You can find the announcement on the web here: [http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-0-released/](http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-0-released/) -Enjoy it! -Paolo - paolo@codesake.com - -## Twitter announcement - -### version 1.0.6 - -@dawnscanner version 1.0.6 is out. A new security check: CVE-2014-2538 #ruby #security #rails #sinatra #padrino - -### version 1.0.5 - -@dawnscanner version 1.0.5 is out. 2 new security checks: CVE-2014-2322 and CVE-2014-0036 #ruby #security #rails #sinatra #padrino - -### version 1.0.4 - -@dawnscanner version 1.0.4 is out. 10 security checks actually in development were backported to master release. https://twitter.com/rubygems/status/444389931851718656 #ruby #security #rails - -### version 1.0.3 - -@dawnscanner version 1.0.3 is out. It fixes the rake task that it wasn't available. https://github.com/codesake/codesake-dawn/issues/37 #sinatra #padrino #rails - -### version 1.0.2 - -@dawnscanner version 1.0.2 is out. It fixes an annoying bug whit rainbow gem 2.0.0 #sinatra #padrino #rubyonrails #security #scanner - -### version 1.0.1 - -@dawnscanner version 1.0.1 is out. It fixes two minor issues about #owasp #rubyonrails #cheatsheet #sinatra #padrino #security #scanner - -### version 1.0.0 -@dawnscanner version 1.0.0 is out. Read the announcement: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-0-released/ #ruby #rails #sinatra #padrina #security #scanner - - -## Linkedin announcement - -### version 1.0.6 - -@dawnscanner version 1.0.6 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-6-released/ -Codesake::Dawn v1.0.6 introduces a newly released CVE bullettin: CVE-2014-2538 about a reflected xss in rack-ssl rubygem. 
Codesake::Dawk supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
-
-$ gem install codesake-dawn
-$ have fun
-
-### version 1.0.5
-
-@dawnscanner version 1.0.5 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-5-released/
-Codesake::Dawn v1.0.5 introduces 2 newly released CVE bullettins: CVE-2014-006 and CVE-2014-2322 about a MitM Spoofing Weakness in rbovirt gem and command injection in arabic prawn gem. Codesake::Dawk supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
-
-$ gem install codesake-dawn
-$ have fun
-
-### version 1.0.4
-
-@dawnscanner version 1.0.4 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-4-released/
-Codesake::Dawn v1.0.4 introduces 10 security checks backported from upcoming version 1.1.x and released in the latest months. Now the knowledge base has 152 security checks. Codesake::Dawk supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
-
-$ gem install codesake-dawn
-$ have fun
-
-### version 1.0.3
-@dawnscanner version 1.0.3 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 142 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC framework out of the box.
-
-Now you can add the ```require 'codesake/dawn/tasks'``` line in your Rakefile taking advantages from the rake ```dawn:run``` task
-
-https://twitter.com/rubygems/status/433913686659702784
-
-$ gem install codesake-dawn
-$ have fun
-
-### version 1.0.2
-@dawnscanner version 1.0.2 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 142 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws.
It supports Sinatra, Padrino and Ruby on Rails MVC framework out of the box.
-
-
-https://twitter.com/rubygems/status/427768158284677120
-
-$ gem install codesake-dawn
-$ have fun
-
-### version 1.0.1
-@dawnscanner version 1.0.1 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 142 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC framework out of the box.
-
-https://twitter.com/rubygems/status/427066100367777792
-
-$ gem install codesake-dawn
-$ have fun
-
-### version 1.0.0
-@dawnscanner version 1.0.0 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 142 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC framework out of the box.
-
-$ gem install codesake-dawn
-$ have fun
-
-## HN Link
-https://news.ycombinator.com/item?id=7094470
-## Reddit
-http://www.reddit.com/r/security/comments/1vr4ur/ann_codesakedawn_v100_released/
-http://www.reddit.com/r/ruby/comments/1vr4u0/ann_codesakedawn_v100_released/
-
diff --git a/doc/dawn_1_1_announcement.md b/doc/dawn_1_1_announcement.md
deleted file mode 100644
index c01edb0f..00000000
--- a/doc/dawn_1_1_announcement.md
+++ /dev/null
@@ -1,67 +0,0 @@ -## Press announcement - -The April 4th 2013, the first Codesake::Dawn import in Github happened. After -1 year and three months later than the first major released, I'm happy to -annonunce Codesake::Dawn 1.1.0, codename Lightning McQueen - -Codesake::Dawn is a source code scanner designed to review your code for -security issues. - -Codesake::Dawn is able to scan your ruby standalone programs but its main usage -is to deal with web applications. It supports applications written using majors -MVC (Model View Controller) frameworks, like: - -* [Ruby on Rails](http://rubyonrails.org) -* [Sinatra](http://www.sinatrarb.com) -* [Padrino](http://www.padrinorb.com) - -Codesake::Dawn version 1.1 has 171 security checks loaded in its knowledge -base. Most of them are CVE bulletins applying to gems or the ruby interpreter -itself. There are also some check coming from Owasp Ruby on Rails cheatsheet. - -Writing safe code it's important, but sometimes security issues are introduced -by third party code your application relies on. As example, consider a SQL -Injection vulnerability introduced by Ruby on Rails framework. - -Despite the effort you spend in sanitizing inputs, your web application -inherits the vulnerability suffering as well. An attacker can easily exploit it -and break into your database unless you upgrade the offended gem. - -There is a comprehensive set of command line flags you can read more by issuing -```dawn --list-knowledge-base``` flag or by reading [project -README](https://github.com/codesake/codesake-dawn/raw/master/README.md) file. - -The list of security checks included in version 1.1.0 can be found online at: -[http://dawn.codesake.com/knowledge-base](http://dawn.codesake.com/knowledge-base). - -You can use [facilities provided by -github](https://github.com/codesake/codesake-dawn/issues) to submit bug -reports, product enhancements, new security checks you want to me to add in -future releases and even success stories. 
- -Now it's time for you to install Codesake::Dawn version 1.1.0 with the -following command and start reviewing your code for security issues: - -``` -$ gem install codesake-dawn -``` - -You can find the announcement on the web here: [http://dawn.codesake.com/blog/announce-codesake-dawn-v1-1-0-released/](http://dawn.codesake.com/blog/announce-codesake-dawn-v1-1-0-released/) -Enjoy it! -Paolo - paolo@codesake.com - -## Twitter announcement - -### version 1.1.0 -@dawnscanner version 1.1.0 is out. 171 security checks. Improved output and more. Read the announcement: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-1-0-released/ #ruby #rails #sinatra #padrina #security #scanner - -## Linkedin announcement - -### version 1.0.0 -@dawnscanner version 1.1.0 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 171 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box. - -$ gem install codesake-dawn -$ have fun - -## HN Link -## Reddit diff --git a/doc/dawn_1_2_announcement.md b/doc/dawn_1_2_announcement.md deleted file mode 100644 index ba5fda17..00000000 --- a/doc/dawn_1_2_announcement.md +++ /dev/null 
@@ -1,69 +0,0 @@ -## Press announcement - -Today, the XXX ?nd 2014, the second minor Codesake::Dawn rubygem version it has -been released. -This will be the last release of the codesake-dawn gem with this name. Starting -form November, 7th we will rename the gem to just dawn. - -Codesake::Dawn is a source code scanner designed to review your code for -security issues. - -Codesake::Dawn is able to scan your ruby standalone programs but its main usage -is to deal with web applications. It supports applications written using majors -MVC (Model View Controller) frameworks, like: - -* [Ruby on Rails](http://rubyonrails.org) -* [Sinatra](http://www.sinatrarb.com) -* [Padrino](http://www.padrinorb.com) - -Codesake::Dawn version 1.2 has 180 security checks loaded in its knowledge -base. Most of them are CVE or OSVDB bulletins applying to gems or the ruby -interpreter itself. There are also some check coming from Owasp Ruby on Rails -cheatsheet. - -Writing safe code it's important, but sometimes security issues are introduced -by third party code your application relies on. As example, consider a SQL -Injection vulnerability introduced by Ruby on Rails framework. - -Despite the effort you spend in sanitizing inputs, your web application -inherits the vulnerability suffering as well. An attacker can easily exploit it -and break into your database unless you upgrade the offended gem. - -There is a comprehensive set of command line flags you can read more by issuing -```dawn --list-knowledge-base``` flag or by reading [project -README](https://github.com/codesake/codesake-dawn/raw/master/README.md) file. - -The list of security checks included in version 1.2.0 can be found online at: -[http://dawn.codesake.com/knowledge-base](http://dawn.codesake.com/knowledge-base). 
- -You can use [facilities provided by -github](https://github.com/codesake/codesake-dawn/issues) to submit bug -reports, product enhancements, new security checks you want to me to add in -future releases and even success stories. - -Now it's time for you to install Codesake::Dawn version 1.2.0 with the -following command and start reviewing your code for security issues: - -``` -$ gem install -P MediumSecurity codesake-dawn -``` - -You can find the announcement on the web here: [http://dawn.codesake.com/blog/announce-codesake-dawn-v1-2-0-released/](http://dawn.codesake.com/blog/announce-codesake-dawn-v1-2-0-released/) -Enjoy it! -Paolo - paolo@codesake.com - -## Twitter announcement - -### version 1.2.0 -@dawnscanner version 1.2.0 is out. 180 security checks and some bug fixes. Read the announcement: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-2-0-released/ #ruby #rails #sinatra #padrina #security #scanner - -## Linkedin announcement - -### version 1.2.0 -@dawnscanner version 1.2.0 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 180 CVE and OSVDB bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box. - -$ gem install codesake-dawn -$ have fun - -## HN Link -## Reddit diff --git a/doc/dawn_1_5_announcement.md b/doc/dawn_1_5_announcement.md deleted file mode 100644 index 14ca5f99..00000000 --- a/doc/dawn_1_5_announcement.md +++ /dev/null 
@@ -1,66 +0,0 @@ -## Press announcement - -Today, the December 9th 2015, the fifth, and last, minor dawnscanner rubygem -version it has been released. - -dawnscanner is a source code scanner designed to review your code for -security issues. - -dawnscanner is able to scan your ruby standalone programs but its main usage -is to deal with web applications. It supports applications written using majors -MVC (Model View Controller) frameworks, like: - -* [Ruby on Rails](http://rubyonrails.org) -* [Sinatra](http://www.sinatrarb.com) -* [Padrino](http://www.padrinorb.com) - -dawnscanner version 1.5.0 has 209 security checks loaded in its knowledge -base. Most of them are CVE bulletins applying to gems or the ruby interpreter -itself. There are also some check coming from Owasp Ruby on Rails cheatsheet. - -Writing safe code it's important, but sometimes security issues are introduced -by third party code your application relies on. As example, consider a SQL -Injection vulnerability introduced by Ruby on Rails framework. - -Despite the effort you spend in sanitizing inputs, your web application -inherits the vulnerability suffering as well. An attacker can easily exploit it -and break into your database unless you upgrade the offended gem. - -There is a comprehensive set of command line flags you can read more by issuing -```dawn --list-knowledge-base``` flag or by reading [project -README](https://github.com/codesake/codesake-dawn/raw/master/README.md) file. - -The list of security checks included in version 1.5.0 can be found online at: -[http://dawnscanner.org/knowledge-base.html](http://dawnscanner.org/knowledge-base.html). - -You can use [facilities provided by -github](https://github.com/thesp0nge/dawnscanner/issues) to submit bug -reports, product enhancements, new security checks you want to me to add in -future releases and even success stories. 
- -Now it's time for you to install dawnscanner version 1.5.0 with the -following command and start reviewing your code for security issues: - -``` -$ gem install -P MediumSecurity dawnscanner -``` - -You can find the announcement on the web here: [http://dawnscanner.org/announce-codesake-dawn-v1-5-0-released.html/](http://dawnscanner.org/announce-codesake-dawn-v1-5-0-released.html/) -Enjoy it! -Paolo - paolo@dawnscanner.org - -## Twitter announcement - -### version 1.5.0 -@dawnscanner version 1.5.0 is out. 209 security checks, SQLite3 integration, better reports and tons of bug fixes. Read the announcement here: http://dawnscanner.org/announce-codesake-dawn-v1-5-0-released.html/ #ruby #rails #sinatra #padrino #security #appsec #cyber - -## Linkedin announcement - -### version 1.5.0 -@dawnscanner version 1.5.0 is out. Read the announcement online. dawnscanner makes security code review fun for ruby developers, it scans 209 CVE and OSVDB bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box. - -$ gem install dawnscanner -$ have fun - -## HN Link -## Reddit diff --git a/doc/dawnscanner.yml.sample b/doc/dawnscanner.yml.sample deleted file mode 100644 index 7f1b9ec5..00000000 --- a/doc/dawnscanner.yml.sample +++ /dev/null @@ -1,18 +0,0 @@ ---- -config: - :kb: yaml - :verbose: false - :output: console - :mvc: '' - :gemfile_scan: false - :gemfile_name: '' - :filename: - :debug: false - :exit_on_warn: false - :enabled_checks: - - :generic_check - - :code_quality - - :bulletin - - :code_style - - :owasp_ror_cheatsheet - - :owasp_top_10 
diff --git a/doc/kickstart_kb.tar.gz b/doc/kickstart_kb.tar.gz deleted file mode 100644 index c305326375bf2786592f3daa80d21dbc39b2eed1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 54729 zcmZ6yWmJ?=7dA|HcejM3bcaYt2#AP)w9?XDLkS2-hcrkxN+|+EODLd}gbXF!IlwUI z8-1SlThIH>nqRZ#$GOkh``TBWn>8K}?cWD;FF(j@t<|^tv`q_u z_czzVmtFskT=7>GCB>SWcHfNgexVDtfbi{47P1OkLdMJOHNowB9M+9oy ztENG`?e}}Xk#6f%mzkEo-)g_Z&w#kwUd-HWV1MOcd2hK=wDGv|#(&-%mYwXgZnwB_ zEzy{?Q2qv5{fg$+A|FZ$|6=t4IG4Y?RsL3&wHFfr#_RdC(;c)}6-bwo_12pZo zsZ3Ig7Sn#3L4Wy_^5s--<@iS3k7&12sap+OfF&s=r_TT2)camQ^%-sx|xkNukD3%;yV zfx-%PnEZpEcnQ7~%|3fo=4Qge-nlDX+G%or{%q$$epAS%o>EPGKcI<*+XDZFCmseo zSg^!TOTJsI(O+18A3S}cYaE4yy%AV|Oo!ib#)SW5jQe5v0XW5R?B*2z%K6>)bPpQ; z|8Ig(1uTahPJaRW2pFTQ32)qJA48BWq&-)xtQrhqb9gNA97-KyvQtQ;@V-*JwONkQ zQK8ThFdur4l-kM-(QOszo4N@Zke|TuxpkX}fxPtpoa+Q*5~zZVKJ*K*y+4y02w)Bs z4G-gy6?{3ZQ$TQ(;sW;QK`PgYo}*&u*1#IHGM88>Y)6s_X)DiU(X+%yJl;?hvM+z~8{%SzDLVy!`4Ust@=9205ipI+M9QFNquU+W!k|^(wIo7`T zrMask?L&bW=-3L->l*D@=%Plh-fL9X!5;9rm06Z_R$Wwk}C z4UJ^}b^q_IekPh%cq|%tYU{c-nnG74>;a;>=-!%Fyp2OIce!Mz>Jrb%l{?E$!qZ?$ z7)tFcx~w_q9fIZJxow^TY`Jbf&0r-d+VM|WuCtY12QPon%M1H~=|A^ErlwV1cC4aF zl}hxu3D<$$faymh*ZJDDq?=I58_H|+gPNsz+;7=a*ECd~l8KlZ>>0$B2+ADYD_Y6) zBkQPrcgejzH}l|6unhTO5O?qXK%E>?ikk8g69p{GK*I)}t(d?Wx$s`Ku3>sQ06Q$Biba?98npXkz9a*_S5a(Gxwd|SuzSrq9j5xV8Be)QkGVevSssl0+!wHlB2 z+wB{8>JU;}yI+=-%oBhQM+8`E6F-IF$cE_7!^azquf}Jvfe(Ao5M%M` zbd(#}=e>`x*NPM3+i6GO=4tf)8pVv8`pQnKc;z+Gv>u8c7)I)Yn0%z&olPq*WC-Qi6@NLt+N$I-?Mb5V zMbOY2UlV$(wvm8~A~)aOfLY{O`=fy1AkKseXxP!7)TrO96LFBuNv(J-x1ywbWJ${b zKMc{v1h2{`XG=4HPDlnI>VcRKbsZP-S+4~p0HINXt2;u6c`ANMp)mjIojLNCQ~cSR2=(#Mn#dF=H{qjyM&WNQb06PQpmXHk;{o zaTvaok>~jj?T0zo>O3w|KR9;R^gK9nC+4M7=F{$Dqj;GwLVK0Eq^kbOOOoPn&>Bys zV~NDy&#z+Gznn_?$CJcK$0T)y+NW@l$`coce`@P3X&8%LL$i zNADE2ih#xeqGctoY4j&(%Z%yj$b|=}qTYo!bk+hBw6F-!o_xEe8)$|@Ft=WJ=Q`%; zHQgG3RnBjlu4M<}GODN7qiY+ME#HXj{Bs0i z+6Qkq0=o|`l0f5e%N!6Y7=>h({z`4loP}k{4i^I)+m=^#YLdUd}>A7ji|3f!2Mg 
zSGi0>BL!jhjKHM*XAc4veQZe%KKwuXJW>q``4B)hOkJ#wnj?#LoWJJ_*1>rRVE#*dcb-C>0pG~hjBAYb08@nID$0-oAum87DSCqWRP0xYhUpz!rYHQS6 zx8IeErZ5Xe^jC`8w)@?}Wt1%Vj=s!m0{G2X7b0u~sk(2%qB+9|rWu9}q`R**#>^6UmceRvjJQs@YEct*-6;rdc}LZ>~=7 z(AAt?5)cCfUs)S?UT1fmMj)Kys@~A{HMNFwR@(XM3M;P4_m+aSEbhZ>{*eOl?dxssJoO0<_mu}`EP(zdT0q~nb4aSsM$ z;cWS&N81_M&bkS)=O$NNL6sgGl|-IH81_IkYIP5ez)dC&5~hQKQ%0~5%`pS!QuY|Z zl;JFsth?}|cGw(T}RX}RLqxzuoxPUvII<2%~xYl?* z`Z^_#4?O+evJ>rrY43RyN0AfAJb4){jcl5%Skz*oRaLVNwqHimz8aYx-A@*4$nPvevOk03lF z+>?D(l|Z{KT62$m=3!YUZ^rfeCpDxs3Pz_4Pj(#~>ku&3JuYOH5FCo?ZO~Pg4WuSe z7}^WkZ5BomZv4HVf^tq388g_%jFe(Ke02hKp-M5y7hg`>zuRhZLOwe^`E$`y&T0j{ zOxkLe^q0F8`zIF#>XeXo>`{K|lFoI1h@8hZbQ=ia~^J}Y%N6J%-&(Y%Uwmw?-@=vz`_ zzsEMdM}tbCM-#^uLp46sGDJ4Nu9V;pFCeNM>Gl*cO&T>ne zCynk)eLTCdTN1^&$JT4@!!f_U--|jlVzR$4c-1vUvE?kRuU)iD(DHx?BSi0KIdE)$ zg%27IQA!RqR}8?vQ5}!Oy?MF{{dL571|@j`&QP;@w;rIkuX<4_n?1(ax45;h+9rax-w zM!+^%MZ$>wpooZ!lKZH-=U!FN!Lz4SR56gP=O5Ozo^)Ph2RGw)@<)$!MLI2eyuc8! zA$8KPw)vLM@b0%^a{;nkqQ>sE#w!Fz+eu+d?iIBCF1&&8-)PGQl7A~_1K65oE<>4z zSx|ov1%88&&F+6+;WZ`gpEI6lvN;1`7Ah$W_#XwB-<}TRRb%tIhU0E>Vw9-_c<5MB za$<EWx3V^WL@iTLyJR&H36V${)5^rdTyyZ&trJ&{Vd+t4O{!M3KzsdzP=H zb-i50lmu<21#ogrj&?W4pDUUF5>P1H_~P=tR)5kO+i(?q;OFv_eoX?Vgo%e)_sKWl zI>%>?ftAU8D#4@v{i?0fMPW&gxM9h5$MQ*{Qs-B1$$XhN!*R31s0?`q$O%8aPs6;A z*(0;{>NTcd%G4_~)dT@@2WJwhJaRNI+Lxs@!bt@PqBVre?BW{4276UdZmKwKW8^RpL z1Us}-;Px?iZhFNUgyLFPu4;c#*bWI(Mxk&GNSY%9hP7bn%^o{YT{Fu9Z7%@?HCA}K zpJqZT2`~93fsQcmF~qPOKm@;1yI;S0#l=zfa9MyF4>NMHVcXkchmfw?-ux}PR>0bk zD3e8q{0-u&?exb0`)8lWu%3)sr)o^m^U-wN<_F?6B*C54#Gh^jDoOr)>gDeYjoM** z5+n6qw)q(9n*C)3LXHBlf9RG1r2aC*LGU!~))M}gt$qc+;4}H4if_CJbd~PxE`!Go zNbH*~Bf>?Ki9lF&E&QA_Y^T-K>t`Xe&U9DtcFk@-hPkMfyA(gCho?W5=ZSfOVw8@; zV5~g$4eg|)HUC=7Y92WjZ*M@PpdiNr268Q?e9!D>ZHb5W~Nl15q3}OHxsD6cbXbjVD?PVpBUNZ*9&ZJ zVUO0a5pK>yp#2UU$R&S;gX#P(?z#(z+ArXD2UU(2u2-z)njK+LAF@vQ(1eZfKD`b! 
zx#M7j=Wjh^y@58Ru3xGuZgXRhYVXpeHS0AI8eSc6HTn>pC8xZY3=d2^M~C} zr{~kPe5>t)#!3tNx`MBsTzok**^qb(-l7LZxrDM^Y;v>~a>+YnX~&(UMHE~r2|nzs zuB>|!otpzL;oGdzKPGQP{1-G~>-ILg3z}1<@*Um7D7A?*;)+mufXG615$ta{FZ?U# zTVv-~z=4t(s7V+(*wzoR+(EQif&GPX^zNP3! z9DvKII_*mV)Won+@G`yzF^oK@?QR=Io1sMjW=%}s_E$=OM>?DE?}BHo+;Ax2oD`B( z6IJ<%pt4>Gc(GOGlvX=`2T|iz9B(iDW*lP43iV z!cgLQ(@cuf{{Mz!^1SZI8#%`397G=ioky!(8LL?!}m=wshj^ z0L%JPeKM*~f2?b9o?Jrmz{LuudYF|srg!A{r9r6oyvV{KSh$(J)0XmLoHl>_mg*I%FOu7gnY&s)^O01AKbxfbRX8u;V<2Z778945J<*_nwu+Z!jgXeOlChInIw?;?8?>(bLM0WNpmM2 zcQU&-Z`!8oHd5`<4G!ODkcG{N7X-ja8*eR?UDU%DPCl7OD$q;oI9 zm7ZZNXm>`;8m4Fd#2(wNybo5mYQw;V*W_lc)2*dgx&%@z3aQHJ>w>5l@jn)XAO2=XNbo{|! z^2Oh1ukx^rV-G2b^V8jr%+wU&Y;|0T7)}NP#~$h57(WRd$qO46oAsqtR6p}G+iyGO zrDXD-Ge0Wc9P(g0jm$I%yT3tn6A}cE%RD634N>l>tT%R>hRJpm4PiPyIdIfh?y0t* zP8Z?Dqmp*@Rm8680l04fH4PDf1X#{o8JA}U3o_r3OnK~D_wq?QLy@`GUadf1zXuhLa(qxT+trsgUE?v-04&uBv z)$e6mTVGSVV{KSAO0RJd7kr@18(81elU%hI(fA%W&9+iqrRh3@ZjU|a)!>!L@<`6V zNXybrF6HXa3&^42+lYs%8uB&cvv;qceslneLN;>L5iLFa27*3qdp)HGCDi?pODrH| ztuX{TJpo_?yc|k=C_yWNdgjFhJ z>@M7L|7_+Qv{x?!?mal1Rk*7i(NJUd2yJH@Qrix`oIE!oUO{difDqn5E8=Xk$y3v( zBF;gd{3pu2jq-HRaqa8_SeeC zO{hWfuTutq58OC?gAp;bmPWTpqcL!Z5%I5&l1PQVyYyM`lPgm$O;S8pNxcb1d5IE7 z0>>>lQL4XzbS|QL$R^v}ldXp*4d0#ql>;_QBWcF(wF%r3Z%ZR+ZncwAtsS0PidPTm z(k7xtLU^=S`vC z+qrRVv;E#~LPp$s|9B+BB@uF5o5_ zWc_ByPSGEJGY%43DI&=idEwTDIFpPwd-enuzk&0;;S9$H=}CxwuTB0A>z=m{Ax4D# z!3&0_#%1xlbPNNZmjCFCKTkM{d>^(#Wib3|Pbx1tlVg14NAn>sdR^UJ&G+tAf9vcp{&fEzXHj>dz%tgyi zMb1hYRx5pQ z16y?0vcL};Rmoq6KuC-0ZI<8_)X)$dIufIITM)--b!G!YCt^QUOTEiH!w(bxV_Ru}1Ye35M4)77z-BQY{$4AP! 
z@ozvC{-Wk8)FK?|WjqCO?N3Yw%d0^|K$suRVM+*1nt>y(=$Yt^|3f%>O}hT;O|_6s z3_p=0Wd?!!mbPdag9%#-Ej6=e*k;DlxrGc{eA}oG>Jj*s`pKEG&4eIo2{b(p+o^lk@R_aJ$% zg?&061427&@mftyr(2s=gTz-!yW`h)*})_uQJ!Bklp_9xQB7RIn7U3++H&k)PLuMA zEE_c6uM{?!Y(g7|EHm5WTRsyM9~}#4d^o<8d%1oZl4waZtg(Yjp`k4M*f*By5RFxc z_I)Ojo@+v43!Q{V`NgNo()({*rSDU*rTE(8j@w&qUvzQ4i9G)}8`)Dd04#Yie76dv ztr=@^0IS_Cj0^#b!bd8(@vi}#Ss+pO#R8O6;33_56H|flEXdse66km>5<~nKJ15U) z1Dzj+1vX6X3g|J4-0t;I#=M=3*1_?wd83-|h{x+zt0@>~Kka&t-fmX)m;=tj&2xLj7@kNZsoM3*QlHV>k$sSO5jTb+=H ztb;)K|4g9&R{SbRe7p>3k6GXTx_1Im+60go1i-lh1aLqB2ci|g&f)hfxMfupxLH?1 zss^54>`cxIH&{MAx~^f3anHB%&9{y2UZj)w5RqH2R}=>)crZpL^Oo-3F{6NsExAwx zo8$AwFv~7#%FO}0RjV=EBwKA9J5Bf zD?MbTBtOIvx}<;4P;7ehZB^DqVUBFMPj4^KN>Am%Fe#b!V)}@2V!a-85{(K*Gj# z3!4a##z9Uhw{FE?HkO$Y?21|h``iMvEu}O>jA&&fcs8B1)6?>!WX$=R+@uqEfn@$j z^PG_12PtZNtgJnYJz-p{|BX;)3%v(py*oa zlT=dDNs?NuIVQS`c^z2r{#R*}fDkFE5KmL3n~UpnuTXu`%Ouj~ujfgHt{GkTp>Qj& zjINODff~4;VS7v!D8@%=0G4h@wK~Ec4=IPvzYhJ!AXlNT6>LCn3OMv9CV`{XHN@rF zwyF=ylxaXH>pM3=pGoypFDX)vjeV}xk{9j9hh+Alp05_X!m5W(2SqW44dcnl;zdZc zVr-j-BpA7#cyNxpYF|fmsSrL(ptV%5UvGc4-KIf;O=FfRW*<&z*RLuvWa#p7WD1SF zlsUY8oTQ}Bfq|>wEsL47Ok*GJWM1)MWjWJy_vc4u67y4j+1rc5tvpGN36qVuzI=Hs zOZ4;PZ>o%r3yWDQkulGJTR%%L#C%oB{O_RuFPlLP`lsoD=M3^+V3Y4yQ+VJvtBLeMi*BmV8{yi!zml#v~5wX(vqn+Q0Pa-2tr(rT511CyeK(FaM~7 z8FTt!eUa)*A+(Qp9^LIX#%#qQh2mVa?7w(i7k7k*Q zbrR=xcG|9oNN&#$5urO)FR2ehKVQRFWSEjU1;-FhIE9P+Fh8jZe>gSFUbR_*vEFWpI`00O_1l=S(13b@kmqmSe1uZTxg|%SSO9TuP68sfcD1lCq*! 
zm(<-i7Jh7SfQ3?vmngNk$Bu**On_JYiEjZhJ&Km@f}Ns^;O_1#wC3lANMgEBX{|w3 zLVp=y#Ne+`qwD>Ma6Qv&)j!V2FmY17Q8S)U7v|hjGBlRoyV%NGh@w_sxRYR=PgbB` zAB8;5R>D*GyZ2@#7ey6BnY2fo2e~Y`Pbm!WwuV|3%>CKCyS%7`ezaEFtl+*X&wO=( zcL|{e^pQ&{GvK^n8Or^?yfy76HL{ zIs|V1ilYG#-9835Kn=Z|BJyi|Lp^A#sa`mSKGg={J5XxwAod5p1U6>nVi zX6mwkBmNirN5a3baBk6ixZOSP+H>dM(imJNzTyP@zl&$KrA)#2gzPr}qed}@x+4f= zVjm4$`n;Twm|26ig#Xy_dt30{M;03iVctOe?wU~@lbgKR4r=m2!X{BLUJWN@wh)Ga zUI0sfwG50G2V8zjMFTD4L1(wL8(>HRc0VeK*LWBGNx$8%wO1=YP>HKpZXh}IG z%jM6Wqpyit{Y<9)6CsALU*(hZaqHx*SYFRGRo8OEci5bB_we3gnf`D+D?^6-W{-0= zE)DB7i=17}s*y%;U zhso}lB5Zhlef2wa&-v+nERw#lH#mJl_|HAonrqp(>C~@?R5ujA%YVI!V|liEAQQ1p zNvA_3nD{=P=lrfqV_MbIWPW0OZZ`6@9<_U?AFBl^^537Jox#P#rExm#@pFrasG*g%|^$NHkb?^V7w3N{^Jw;w-x??ec$#P z1k6wkC6o5H5K#a9x^MVP6@Qd`-%(cP)YeRUMN~An>5%#}#9&x^hFBbpsA+yJvsZ{; z6*2up`tI9VrU7doE5)Zq1RXh}vI76K!9LyCcinf!aE{4qWj0^=H0Lxcx(BfXa-ZJe zdUvH$;;^i~?Du2MR8Ej5h&;pc zl_tS_LhhlO>-1>(UE@2SbcQ)53-SeVZ@vm)+Jfc7%;oF-SMjg%t=p@sv4;-|@aYU$aYDZ;4ddw*G)t zW+{vjhM|(}C6Vy>a3{zMBVRW-=B_*@8oU&C<7pS&<5NwT_t_3;(g6cU9Jp!D^4HVL zrY_g9^@8htEFU4Q8d<6CdUn!< zw?RF&hsuCC{oVIzo+fhAmZp1~vxg5?G1Tp;si3v?PR9&XiX16a&y;Ob^QEh5NE@Q@ zX-K+Oim3#*b=~7(YIkh7)WTeubZ}pbpoxiD=$OYw#kWnO5qemyJ`$;T-iorO=zP3w z2MsglHssnSfXzFOaOx+a0}E-#vNinY zIE*ggH`N?9kxq;D>|e6;B42I&`uw%U(~fE6R~8SN|b% z@_Nu_po=#2&HApVG`g}l7ww^F(Oh91N{KyudlHizXln_a$4O5L;a;rOYPyC z&CO8D z6N{U@O~paO5iN`}#Pd}x)ybayWWGX{=_ywf&O-T1^v_=n2uZLQzLtdg>x<+imEaK^ zSZliT5E9J1P%SW+Q-noL@}BMs@7C0`u__TMgR}(HE&A`R4M( zQH5|Vxyga-DZx8+nmZZPMw}X-8MV2I(e-O-t>2J$`uMSLmv$#uP8isH);jm&6ucCA zwvtNd^nBW6*9lios&%PPYT5avekbu`TdHsM`gN@mCAt*7;ljdO?fezRLR>Z;(UreP ze{Ojr3G{e6U)ZNZpIk|uFG>=qJ#EUw`8;cS(2~>nl!YNa1g~Zt99W;hy#IryC>LS_ z{4Uy1r zTKviwEy9mYt_ZXVulYPR-YvF#ylo;_+8JKUKizz(cx*#!Ytw*4);~BSl}u0eeM7s36T z2;h_P&7kta<_=Z%Ei=4ux%;Q*)L#DO1T#;tLzvJmxc7h(Z+huZ4(-mioY3q2fxiHB zp@xLvFZd#0KduFtV|8Pi$_S83DB1d-;Nt{bq_ri3KVQVrSI9&WI+tV&4)`xAb^5#!(&%>J!HY-P;(woS& zYxH0zz={>!>1 zH62ZoPELOB&GpQXi~XIQ0PC<=+q7=R>Oa1p*z#HdCW9<_^y!xJX 
zdH7U~V}kSB3y!<7d93>6X=^Hyrmj~PtpiChiydtTEejiN&B7n{n%A(?AW(yAa~TEW zI1i4Z@9idRjfWb6%Q`cg}b=Oz;2h$v{+8p+doFY#?D10mc^M zuG~mbK}H+qR6NNtZ_l6Fmx%wuA?UaBVtPjq^%<$V{CoKaM#E5;up;yIXw7JwTbbI+wz4p5 zm-T^o;jLOP&kFB$6(+i-uowwiAf8?`c3H7gli3AMm#HGuL{lPkZK7{fQu(62Mcz zB7tMp?{1K@HUr z^e=lP`3kBzP<;kW$9X}`km*~~@tR}SKYhxi+5s!JUpKI?74^(G_2cxdAuzt@%)wB? zu|yjgvQqd+Zj#3=Ct$cx*N#su9BbHZ4BxN5i!mk>V5!e z>GCXXnqj(t_0vp}ym%yecYjUQ+IN%N)t@f+{GZg&=J7Y_+XTBX(&6vHe;#hU9j3i~ z*hJ`eu&T;B5G8y;rkGroq>@`H5nh1~4ZBZCa`B-3UT42!8Qu0;0k0K&aKO^v5y$UM zlu>TTCzCKIuJj}|9KUVr#xRI{0ru=<%qDZo*dn<^-kFRCO~5UgP-g-W zrr7N0baaxH1^ZdmGpgriOfs*!6qS-zfX1FA0%sf-IW=l}_eMV_Xt@78dj$JXYO*R; zr~s|If}GEl>Vpkid`+?3*1`IWg$@%*g=ILl^!#lr^=sRJ6brtls4iACSq{NR9tI`a5vxj;c~oq^fx*P(%0``aZvcXokD* z?^{wv>Ect>1!{#+qrdv<<(Ay!rLsf?h!>K-^c*O=m1t-c6{Rj*(sZYtZ8U&18|z{jFb({o zNqr5Z4#y2~eO>b2;i!c#ygFSEzkSyb!y(O{^-+gabLp``b^x8tW#996(kubijwyF~ z$P5ETeHDJiP?>)@mGL~M_|sY-PqtZ=>sT9oJ;cRYY&`e2VmNkjxLE>7xo!;ZkNI0A z;Iz*$CVXkd7;pF>!{Qh?{xe*M>igr20+}uEX2T8N=q(e);-Yh}4^GHg>J$*r{;waS zfFBfPzYT*<9{@3)0x0bK2HHP@YuNb}H1yW3e?p0ZZI@kTD_N8`+mKNa$Gum0UE5Q; z{MA@fCE<10cE}4cylx3(A~jrb;auc*wRwg?HEpeEQN6}?9){22h}c7Cs=JmtRJGmO zc8V`kW{$Un2a*Ix6r|7}x8-5TJK1b%O58A;9VVt9cencdp`ws0lh(%+F1q?KJr$g2g{7k9`HcD@wfc1CnPBan7P-N2bwfm{Cd>;9Yc<-4Kk;RKR`EQv)K z`zRcnzw8CyUb5af4Imo~;0e9X#Ku$X_uLi`>iRA}p!(tiybJ5Jh1w^(uNe95Oy8WT zFD#h$yoC=!Dff|q^6Y$6&(qS=io5A+auMb?LMzj-?!zzKx_CM_gKxvy^DAF@;~XI< znuYhyP)@2(3xw>}&j2*h{|mJLYaI0er#AcASqSa*;a?`liehpIC6NnO0J*yQt#`*m ziE$O_RewuXPrqf8O$#wsd<=`8DSk+y|H3m_$KYOu|N2Or%jIJ%d+zc%ZN(N^@+%6G znPc0l(c8rp;{A;;!nBYT1N|hXx`t}Wqk6{+*>*)wak#m`_xdHH8&3P8+_%8Qh|#IXYaURnH~n^S z9h_-a@Iu8kuHVTh6;qa@4}w((?d?;BvK_-YIYZJQ1os`V+3+kqMEWEjcfNA)V8RjG z-miF4MLMs-mL{Yi7FVkMMw{49O9XXi!FYz?zMsbiQDXiVI{quHR9cn+GMthdevqfof6Ky9$9?+|ZHJ5MIxm`UHk=RUOyvHgG`JxbAC{MI^ z6u}#AIDF2&5LbU`N|$r`yL(L)^UF5YGG{yLJvwvLMUI$C@cTcW&405hQ!q<#R;Y$> z6Z@xj_Y7vhz1AZ2+rw9D5c3vN;ro+G^4xz~dBG>Pp}W6HTl^&~ZEFyp7#V)Am`5eO zda7I2-{ODV-2xH#m1=ei4L`)TZtfU^PU+I%qm|M>s8#&DZe_}rM4VZ`CZ?eBL|c8Y 
zhICm)piUJt{HvWEstjLau-RNZYbT}HqE@%%nQ7^7BCr-%2@8*OHuyteX!9j0Ma#iQ zF4HbSBlF(Qyszbrg(1G-$YPLUaSk?%Lj)~}jS&K7;B5eIqyF{Xe|;5dz^{g4V}Rj9 zNezgYUE$xrD%M z*T%He&qW16&^7b3H33s-ctKm?vK~U|FGU6T&C#upnnn>^zFH>etWx*i`EBA~!TFv_ z5vAhm@aH8H{5aLhAbm@+5!oG>?_;X!Cy$daZ%Serkj+w8*EZd{T_NG`ZPFvd_N{C^ zWv%uSe^UdlCxFTM~7F}?W{M{y-#i}h7le>;$hHwZNtr|{9_@uP#B zdPLT>6ZE>JhNDQ(}_JW9cEZU}_cm;dP<4hofy2m*2p=O_#ZO-;N4RQbK{7 zaP=XjmN5ntLkniO6Si7Fwi zTA}~w1;ofX#9#j%)!t31ERe+{zI`KQWL53!d#>I@xi>Kky?PU9?!`;1?^4w|=2>9o z4B}6sH7;eF_u1|IyjZ*v>KW?cWReF?*NEf`+7uV7H!mV-ta-&Zzg8qD^0XgICGgwJ z4FpR*r5%K{p5eDfe)-U*d174a4T=`$&{V-z=$74Ycx_m!q!k%F&${VPJ)n97`r~wv zL3>5vz#HSGM`u&04t{+CR9gE z#AuV5nA#59$FIN-y3a>mp+Fsp@m-eT<>GStl*b_p_0~I!^5oAfkuTA|iU%nNBp;(0 zq;8_*sv;W>y?`|w3gus!(nA_w`=hdhpQh9mTAA!?^kurpSbcBLRuacv-G5tSGNhmX zQNmAV6*=+hy2<`UQzF8J>*c&IdfKjTzBN0Z)B$$q^vwGsKxS3y_YG9&UsgpE35;u) z^8yTVsGu{`By1CiDoNx;M_wx0K976K}|ROUhf zjmh+f2c&Em*Ro{RjPJenb;z^za3g)ji-L6&7qp?!MDD-@e#Xsq8HktA?ht2UY^Hx$ zBsSV7KMSc;uHcVF9~Sw4PB)z%jhD$yY3wQkBSEmk#<9kA;?kKxU8Jefi zLjgGd35;5>71*--9|4+3>4F#uv`-)Z2HL8%AG5t}5R*yUUgDoOMXvtNu{Px-+=gK4 zW%~V$Q?M-H)vP!=eOd2pcKr~$#4zlalz$&b$8dD_^G8^ytG~UqyM1~V=p#S2R~GvZ z7syP>XFORs4iN@bYk6dGP*z8*oB&R7_6I&`nkA=Id6zEdEukeDT6Z`Y57=mYWE-;TLuW?n(z@aFc5B*@8^h*;0{o%idwN9W-8-h#O}G!xQCi#>e?9~jtl(j4l)wnD6Q&2Kge$$xU`!xY`TM0>z+tDLs(;78WDr>Qfsv1NDS-IrwY>#zc-O;yisyc| zXt(Sn*C=#ZlDxTW!#K@?nfdo(yL~=(^5)jgK?G@Pl3CFT2Vpwpck%VOrZQ+GZ4#Ttl-V zHs~!QPLwT%BsFRa?cb{dvyxjx(0O&xE0QcF32$WgC(64>OIrUuRTD z(lMR*N<4m8@KCk;6T`yLivVqNvzDK7>J=MazVAfcqi;0~qaP@|(?c~6nnGLRAHd5b zJ4^Wf<2dF;N3Qt~MoKQvw$5rt9DiJ6{+m_&AjfWYx%LT6PjT^h@|Cqka}q4xcz%2L zMd?G*A!k{g~)W9TrLbmkbS_ zT;e8MFQ%8~6os2W3EwJAbqXEGsEt1Y{@hLdD`UaQ^Na>?zoI-Ha1ASzQbE9)i?~2H z6GiHmiCJi>6{IPUN*eYSb9jrA=s>cpo5AzadV~qz^5|mP?P+Q;A&(-d8M|oZA^J?C z4T7}dRvvpMsAMkFW z*;Z+rXyVG4le@lSiY@9pGYmLY*9N^+eX4$3!wiMrW54SS{&H~Rb>YcHHRE#J)d~WL zh=Ed?J3Bwt5mc2Kd5C?dd9ML%YXBK&W2Nr}Nm1c3AU^<#kwEtu${EsC3jwU_gekPr zB6iiN@lRWNAQm)VdGMaP()%aZ2#_Qt)AN}g^)4S-eMsx~P%LJRQreDgtN%`G=!jJP 
z0&R?j3PWp~;ipQ0r#p?5sAnOu;1*q5lTaNn>;Qy88T7w?^lM}OVL=6Bz+Oi}$5({-mZik-wRIogIKVhg>c__}NG+A%E^GV8RsJFzm8O#pq?df~IGH_UqV7=MU7^dUv)pX8_ z2!)M$LK;&xrbeIl7<1wcy!?<1w08qpTfp!MG=KlI93YD0?OM1AMF<>A$pU%*m<;~4 zg04f|B#?RBXHqofK{vqhler&2@)R&4t|$2C63=NV#+15z02QM8DBfR`ox|&N|77=6 z6=M&wokM8ZGNbS`9t~d0R&I9860K5nn8XyR@zG9@0l>U`I^|~E1GV5GWK>P06X_s| zu{r8TougaIlRerN_^kbW!MJmjKQ|+@kD;@p#js_(9fZyS!YZ?EAIl9 z0taHhzq3T1SjL<^)S3uq5=&sC%WYdL7&iDch^%;HRi$H|x%MsPv42W8{6gXz$rP&3<#DTOtO}kXgXBz^5(E2# zH>=_vF7JX8(PLI`#YCb;vkl&m&QZ06#JuOw9j<&w5i%s~{w_wr=glsJm6P@r=}2K8 zk+Ecd7!-~iyA}HMz>NI?9_5>Op757N)IQqaiS@?1%bzZRMD?#*`A)--XaSbgHSXS8 zS=X@IPr&Ipj6MV?K$j*~Z8AZ{j|?#qO7!hLr}SUDhn)Rkn;dID3-cj^gcb^&QkQ+8 z?@&@5Z|JHo^4FoFZMYz&&l8mVI@a)YB;soW>2^B?Jkjzs&09FdSfEmSMh=VUU)yd1 z<8q{`=3C{RSt9##(qb~yy3SS+*R*g)vT*m5eIYGf2v$fjWW9ECMO`2Odzq!1Cz1Sj zSQ*1yKVIe~**kun=J1Vyvp4+9o`F|#05y)yEEu_&lX?mN%(M#pGYfyiVgJCyQui}d zB*n2*)HDdwCH_F6E~vjQ=#xkyaZq-OqzyC3T;FL87p9XvU0~x+Qrv%Xkweik-{K;_ zp7B`V8}$}3M4Jb~K|xlPXke&*v(P9wBhUY%G-IhI-9C6{|DID^W&bGr$5)KrXHMJ{ zyyh4;ZVgjZJCoh78xri__?+q8Y&14KlTWBa0q%GLe=H)nh-wJ_r2ge;mcd5L5 z7BrqzXHF5KF0bMf5ist^BpYF2%KppcZLM*Mq@T{$Sk}$L{Id=-g%_7PcI1RixmQ@> zYm}{5Jw@X-+nKMUew#@-8V?hU2ggeK_+F}HqeR9$TY2>bN9>CgAGgu%TOs4nZti5KkjZgmCK^Go`uJKfyQhbK`$-hy{GJPT-fF2j-JsnniR{l5=x0a|7co6f6g?X{ zY%NX!8t%l#4(Q{*BTexNdI_R0&0~h`ed9Io{4RW?(}iPYdu!{1zA)Ya9IZ8}s*-Xj z&dW#~c?X1}WMb#1Asy0fh8!k#%hh(7F1h{bd3@$Ko~rHA`L+9od^q2=727@pV9a-G z7(v9)D6{5<4ci3|ZB8#2yA-$z| zx+Z7+)|1$Xrrh)@MeD@G&xV@|#V;w2j#Z~l`^jm~$0I+veYbWL4<^!^>_DX20K*LL zd~>`X%-2(Hp$d|JH8#M0_?{a&)-yeXR+9pFfe48il#~9lJ63q@oiT+ADAgkcn0BF$ z%;a-{sE?C{kvN`7s?#ymDk8|(qst@vO|>6Iqq|jA__G}T0S{47a{LGf>b^X2RFkUf zLuCu(aF$=MCwOW4d8__81;z@KzL-Z}2kg~+gWI1gts}bWsAb*zQbruv6400Z0Fl>=$bB9a*^AM3sDz%x& z&&$Azee7#kY2q>P9>Ji=%ZXbb0X!~*j~O{1y+O(J@npF9Zfr0o4|Qy!C!7}>&Xqt{ z-~qE`zPQCtOeuq{#TfXde_E1YjnBp`<{8E;`dptVv}Nb0k8irpv z@)&(R-a+h5sWKQLC9i$R(lE&rwf>A$_DaZW8dhS0tc9Q5_HKRLdsV7{2(x!MM^eD2 zzS1!RcH__w^EaQ35%2!!{F!#!cPqep)k4VPo|F)o(*bVs$xa-@;_~lWcfb% 
zC1~8ghyrVPWQ9x2&P4d33GLe)`myZKqF-<80PbtmF`_kqCg0jQy@c>S8jl%YlH{i3?g6n#zIREp_aUz-P*R zxWrN=`3!O5refFwX?%X6AKQ=dTX0MQe!BWRJ>0|Ovu=DbRY00Gj>lFkX8U#(yS;|o z+1iG*=D7Dg_j_?VjF~fEQOk(8V#7T+VQfq9D%kd}7~&D~vEoP1^_$gJLikQ2ChRjX zM=Ojdr0v4wc+&`wiW})_PmEEiQ^4ep)N7=+Jjl^%SOJiP#P@+;zoPSZLR(7wM3CR5N}{Yae*FO=>wKVrQW;wYjoeD5 zWVd#)j=#3tdra{(@Wl0B9pT1N=B#pj=K5lVhn55>o1LO0huA7Rzbz=6%}X?1#9#8e z+A(j=40AOPM77Z7aCnBZ9&%3PT#iu*ecl6hw@lpDE%}K6Q*)myFArZZu)}CY z-nJ*P4VDa=Q;zgU8LV)Wv_k)eMwdW0AQ&12rOh2c6NGN1CHcVcM>=DqlmR9;{4%#6 zXdpnGXKhfYv~+lD6ZZUU{@_G~K2=f~0O!Lk`^~Arl_SSzWKGTIPIV3a>ouiX080PXfc>*VK zRbeO`%+tzjVbYmNV)^aC=)?k+B98*3j+4utS8<+kJWlYr8a>{v><;*opx7uLZX5q_ z!wNX`s4OYmO?+`{Z)*hGDZGR&d}C10&B8H=P8`%APh~u*Z)O0e<6RaP7xAz2kqY>` z8GDFC`_n7}f*#P&BX|SFayw_JIYmyYp(EoGCR^SG(r%N)yPtktG#vKk2mDGW^ts?Q zGKsZM@pxQ6WUV(YqvEA+s8M`u6!Jj*Ty=H0u#W?HO*l)x|OJce9nBrDq^bdK1r6mcmGOJ6s}9 zX)+@7tD)4s>jtSMw;Oit-)om2F>QTsVpOQ>XOvJd^pi4GZbHXGpQo zu*-HPEDw{72f_02;HJOiEICTy#E=JUwiv&Zduc}&nuFqgB6kJtTu7;jRvZ4!v}Jp^KM zqaS<7&et8hb=bNHkZovKVPwGChC6d&kBiyFp>Fup(=lb*i-s@kaWnrOj&DA|M(?P% zLbIg8Dxr8`$piSHZz?&K#NEZJ4 zV8~bn0)47$BqAF!0P#@DJ)*GWvM>qh#qwK!AQ!iYN@6PgQ^9BIp*gwMtLk4d@OyY_ zT}+0=!1BCe2HjBgdyON47gf{g2Sl@OzPZo*MbCM@c$dj`b>iYnGY7x_H6Gn4`yPG7 zW!_=EVa*BG`mfJHgrZRAwfT+MBZKb-lr+WhzuhF1_w|gFO7#>k)8_7lg%oFFX+3M{ z%Kv;(X(A={aY2yaynrX2|AkA`{yWi2;B_(hA}9b@C!ruC0Dnsh_|#hj{{lxozzT=n z1t6EcPXIrIpp+=ML$--{{>9kd))ad)dM~K4ey%TRzntRWzN|MtD1FGjMpzB2=ryiN zYJkleU-ugS;%L^m-D4GRRHZ!eRB~&n5NiIxn2_f1rczVqILOXi&hxQ;0tJhE-?1s} zH*cXT97ogc*BQmd)@apZ>KfM`W2(!fJwICsC4v@w4o&c=QXk7*wbVsOc(CYy%?U-s zd=WFcc!Q{%8HI^`zfgqN$kgSIn2QD34aq zO_R`GVtk5@vgW&2+IBsDR@-_S{wtV|UWDdAu7j2ID+F0fFk`%{;eB3L2(%-_LijFk9Yeny zGtik!0I#;Cgw4CQfG`^eb;Od7iq3&pK){WIn^|B6A6*yTPFF{*1p8M%cS}5DN$yg- zvn$r5zU}#oAKYwHM}y}9=PP|2J9v;&%uRIqICgu0d}HM4=aI9Cr`Q7cYdbIg&>b(h z3<>AzL;6C0r*>rt&g^Nq*vBVMzDf7OF^Gy{@O~oaK8;RP zqK%ODLgNP|mk&X0z6Dxx)+$tV^%BkQBZsMfh=RB|Qp~FxXA`9r)$nS9gLEzy7O_4F z2Q{z-X-qy8+?5@raQ{*DgvZRxMF#6}IvexJ_lnR_;FsE0Q8k)$p1gohGdMcA&!}_S 
zC3p(2OI;`t>?@!{rDhH0H}$SS5p0~$tmeKtL@x>k-0xg0O-SPypcGWx+rXs!lXH=* zns8vkW&)^B35#YnTzw$mb*7`?kb)W-cR8zwnE%ZsHu<|c0N3D+B*CaN0UvjS|4L$E z_)i0oYGEahM?tFDkt^v19H`=t4+Ya~u|>}__%9Dzw|{!i+#iZEKYb(sR;$@P zsk%7n9C18u(h|LKcp4sXks~2r5hA&&SKO10o^Vlpv!iHEF)AdngwEG7HbU_zAfrUY zzw4y`1D|fL6)QdAPRwf1sht4Cs<=p)QB4s4%69FeK}+)4_IfLdg&KZ-DWps#{8wWM zMmXmWGJ!{7++{Z1ilt1Ac>d9Nh-z1soyVU7d+fy5_%=_jjNh8v3U?=UX14hLj0kM` zY#$F_62AvT+&KInIji>^S}YC796|3oG?x0Vq)q|*uIrSd$?j8cvXn0^4BnUL-&&py zl9?M**c(Q6THLSK;Xx7YEKlNh*9@vo5c04?l}@&If6gf)zK2Cb{8|s~3d2FcAyEIV zs1avdj(ux}8Y<$W*|*d(wj_pBJIiG%3^O-#oR`E`;{L^QI3HCNWrV+5`2Uv8Zfa_> z8}WRQ0(K+Vr6O&KmgO@&s5?>!yaL22302rV~}mz3tBVCvq6s!F|j$oxr}jSK0#DDTcgY&jlMcLo+x z@mC|i#Iz)EFspI#&PQL{9`A$mN+pQtHp`$8$8*iga-1M`X zz7x4J7RLr6&VhddE&sy0IKaE`QtAk*eYby!gqPBN1E>Zq&Pv_Ukql8-Nvijp^WIr_ zwXC;vz?YX#(I$6R?|mv+4*Fj99;r>#4%{s!{tBA^Vk1p>*vJ7kA`ETD9uE76d})R1 zy$p4W2NF*J$@ME^2K<_3sAdp!_gG4k2JOeCVJf!JmzxlP_Xw)%cggI7IN<(<%lIv) z2TH@?Q=E^Pd(EVk3Muu6j@Ay9mY77FvL=;dDdF*&X{GO|S4T}1&35iJ)a{V0O8!lN zON!_7%_g`zs5?`KoU~2ZXXQO>OUJ8Balf}QZtL`J4i_;dMPNG+r4o=|?5?-L@)JD% zN#L|Ye*fpa*9QID;c)_R&3eJZK7s>)P!B*UtyI z{WBS8su24Lj+T z*yx3ZaWuu-ciFUPP3^dtR?)g+mvfcxMkfj6%e{Rqeo)qr)~3N`DqGzBOag161aXw1 z8(}^3LFz6K1oVwkvxaPhmOWSbkM}=eU5e>~(+ym|-@!z(Q)uFy`wV)b)d?t1LMN+G zfxp!;;D%4zMk4Wj)48HS(@iv-A-OqX)JTpyToi-(Ht+Wes#G55WOG0$XvqFewBC)H z?>fzJP(=n3{6@B416?Y%NxDS?oUfgu1<$l9BhDR3N9o*u0B1Q?%`SNR`%e>#3aDg< zmiJ9OE$O4ojM{VUd0M4&@AIW*zbT6GY2ovs*Ub{oQ|PO7(AFMuIp(|$bV_8yr%+Hf z_rp6c+Ss`oVPP``8tS05;_gZz6#E6aX zhSRVq{X)sKWOKO)PN|koi1oMya$v~YG<#&NtzBkyoxz2>4O(yD#ssrI&DH5fUujcn z2F$14b56?vdA?ig0EH*{q<*YMkvZ|cs~@3bL4qQL&;a#6oXae4|-SJ7WcjKBTOVScb2#Wi_ z-2aKduEXpDz=8{?^*;&NIZ_h%POD&R3)D*jdAi@?JPXQ9Tic%((fMBM&0_A)eL;)q zY8~A4+QoUB(z{Lc^(S56zK)04osscR6iKxYds512chtL)C%!a(B5cDMQnNm`bB+w$ zy!c_F1foCg^JL2AoYRqcl$cJy^Y*ZMfKf0{0#b=VP_T6Pt2)D{G~>^27~1Y4f=s}U z7ZqTL`u8VSFbi>TrMfrH2L$juq77@crPRq1R{0YC!I7gy20iG0t@+h%3{;}~78feg zKJ8Q{dB}}4+?f&aR#mC>8^nur)$62IHk;?H;?BdOKD4vA9xKdv&&OR#e`qhQYpg_R 
zQn93^`gX$8?H*oI#n>+GzP0WEG!z`UrhiB7zawB3rlN*~4TCXH5cEZke#-=XShL5n zT{Rn?N%Ox3dF6$hCYCTq{9~49kS5Pw9pl%0D_bR!HW<=yh2(B9LPYpEIO&-fFRYk=0Z18~-5Bft}a7_hao|15^h#ak_7Y$zdR_y^*F`RnU=XG^l}Z;$oagF)$? zpLwk|wq>~5?n8ogzrq1wi%eP;r0OeKFnyWITP{OZ=b%n*Z$l@T9AIRtCipgUmlOd zhL!Vx@x9IBD-ielvHEf0y{&w&PsZ7JwUWf}Laayg-aKuAQ1mJ|&>7|N_CC_64r zL^IGwHo{8$_v)>B+}w)6rppb+8~&7!AO=SV(rU?0m;RdKOMuk56y{d4IkNl;pM+pG_wE;Ror99*kCEFH+Vc z9Xl33q>G`Qi&$k+=;X4GOtgK2Mv}TT!}P5>s)?O?F7A?4zogC3YiS{Lm-N}s-ioIW z%=zSfH7KWgpiNl$8t4A!+37d+jWxqejN5ehA2+Jzv4!N#knHd-`s&-zMe*4AmH1db zS9a>9cIL7aV7yi41T0rI{y&Gl6-o`S9EAS;W6uDHN}9-!+!Ii>hPk5*J#OG~O!!lh zy$7k7qgZf5WdCdCJ)0V}^m8PJ3!P(^eH@+rTt2 zTeoH50#e>!?}%h$XCeQ=N|~U=-0^PAgFqtUvrbx!$0|%u zqZ>^|Q!0gqPbBF1rmby)9znGS-I>}s+2joX!iz8S*_8C~2odd5B`BLpCvhjJXu8C(Y zO6HsN%r-fl_a^UAi2|G^><_vqE@P6S{Tnqp%=wY|a>!bfcVlV0Ex@ME#h-!a8klFaVZALBou zwX`LKlF7b`8FyY+^K~g-3S_%R1~q&udBl|xE1;Ga zV;1tnC-$j@jF!>@p}jA^K>7HC!iaP%nC5PT-l#+W{ZzHLoiV@8G04>URe9ogxI&E* zw5nEfe0y+P)*M9WcX(eD?FG>oF0*g%|6YxKL;B&F8PBe3Jbm(<7;firG1X=^p+QUe zga-5Uqj1CRhnOZ@ygM1#=`Fu%+4?M1gUqv(!J>_j?%Z^%Gow)yOvhj5yY*4^uco`g zD)J}ofM9k*Br3aM?sq-^{DW_7A(q;nrUpDWel|zOmyCO0iAuvi82MjLVgR;G?m<05 zkYIK#5?HRK59UBcTxcs{tlovI$p?r{huC9lF`FAATfwVF{JUF*!7&UBn9~ zVoMQn^0c_1unH`n!6drE$63=`Sz*hxi$~@)d57rO-eFy>Dh|U)&L+(Deg#j$^q#6I zo0nG_*5?`FT^F99)afx1v<}5VI{Z~={*$A*h7wepAdJ_cB4%A(fa3vO1@duk1KR7b zBa|{P%9f^BiXc7G*xY0^@@OM%OuKs2w|_D(j1c-`D#6~*&kr9I{uTM(|9^|}PAI_* zRP#F{0L#O>69H5JlF}x*Q-;hCJS9P=;yv1%rZA7Cu~b^b87l8^lU6`cfM1>5f+3`e z?SA@4XK(v$+?dx=^{)ry%Rz&5%#Bnw(i}8cg0|jBAf*UE^SFHi)=q+k(@1!&9+2mR ztc)A(3s_=>*U_@SM)eNK51Ww@Z%fCJ+syVDA~NF}4G!a2IWkj`e9qe6?*B0OL09rf zY~(WIi!%LXHvHEuFVXe~oMnf{Bl9O>*G!7q>3rO<9tx`j;X64_#W)JQ8a)oOjDpQ!s0N%!Hhytb&qE_+#FS^_s{1()STx&*`Qag_ zM|Y$$XLE-7aE<~rnsUjrr+;WXK_~qFT4xr9F+K-u#W_q?>7%FG3w+* zGTZLU)~D4^YNRAjT~X0~rK+pC_;gPny#$i%jtc)M&pIY!Nqq^Ah<%%VPm`4YGk(Q} zY&F-aS+4asHys_m270?d(C2_p=D8g4S0xNz;_`#}?}a!SGqX2iP(JVCj9egjO00i# zfm|T5-iOe&wY=#sIzu9N4-YE@=l5B2_NreKk`4WwZOZ&2YLe&X|LIVP7AMH@RIz~U 
zNkLyjfyS#SNYVca5exo2Q=vJ`ZOOx=m=Lt znG5+2Ec_-TYI@{1bhY}D18J-ot69DHjnTQ$iCYQ2@>VhyT-UddLTJ+3nHpz80iwL< z$Hw6Vzg3;zm$xwGUsW1C$V`~~HEZ3^qEC|XaG;Z~;*oV@37dCug#f(;eE`Mt(wG88 z&qTCqm5v6@_$xpCkvVo^-|!%#e5@RXD>2<3s29L^1B4y{kN)C{|0adQ%Qt}o&QLH0 zu%C%EZXDFoIrQ!I(%IXQGuks=BERsOD7yr6^&W(@XdfR5#lC+z&k1|>=i$^(3Z+oB zhi&!B%$UAP>z}e16cDOEep4jS_3%?kH;1XYw7CscG;^@{m+(}#OW*H%NOo=gDgv8F z+=$K-vltAIg$)~?5HJh2F%4}p-P74#5NZkx$&Y`IoC&7mt;;Xh_Nk)ZHC5gKMjq#J z_1A`{JsV|-FU0gM6zJ?J8W0~R9GHU*WcLt#*swg}Ol@9jh8;^50>6at3zys*jiGhv z&~ZOR*LosJfLbL7BEwrr{qfJAZ<{r%ndvw4-h&n|+Lu5z`+pwQzoQO(RHWdey88TL z{|XN4RJkdIAQcG^rAr3OJ1Jz4{SJk(0?0QM4^x_LDfJ(yFMHoTAuC@Epwjzs_pk@w6PC=43ahOq22Rg{hmy-F_goVM(zjj5EC8xwJGL7QFkGr{tUryp0{wI6%=Dj&Y{f(_`! zYf^1m>NfFG?Zx(xA z^Ky!LmlO9+rur_8MXd!9;RJ9DlW+1_DfDM?KYPNJylMO~|=i8@4yo|@H=`QL86 zH)O}%{%yotfNJ95>e{-R-geNK3m_ftGIkgBwHm<1##Y7)eke|}Qgq794>0O?qhPY1 z&7o5rCb(W2xgWpyrn!&ZNCY^)!O{gNZd5_l5)}RZ8$C$T0i?dt86u^Oye$M#8h%6H zSG-|nS>{U4i#W!G6R)1Iv(mOQbeg55Bi|f?_ zN_!uJ5m$P?_viJY^tIIg4Cgke@+OdPXu*pt&BMO?C$XoXmESV4egg&7yD+GNje+He zixxy<{Rakvw#LIc_2_02G0S(#>VglnZV^_G{j8z|i0=u8jYl2bk}Q)NKo=s-&Wcxc z8hq%L^Dtmdzuf0?p4v?xPfchfyH;8|MhrhgoZ1iEVz*d63~>0$YQf**?c8bp;WBJw zQswz136>YZ;X9ojvZy^{I3s<^n&3RHBmC-sU`{f`YGdpyzRig02S(^8ArFJR?Px6c zf>U4z(Ci<9ZJ+C^eB*ct6#)ncvw;GSyIA}GqK{xsqhPllX{A~OzI?(4fY3c#b)<(8 zQ2BToR(kl5Wzq=+&~e5%8UL#wOCGyu-M{*kcUnQp>jmWtA6fE6JyVi%+Z{;AF3-@*gf` z)yAHbjU_!xM;}^$r5kelk=>e~xIJL8@%}zL;t{)%_QCB$N1t<@%eTH;Ecs^=vu}d) zvwj?1H#pAvo}ZJ`2OW$wWEd^M5bq3#jGJK{1)`j2WePcCC=|FrG(VDZ}(Vx%R#{AA9WQ5;&xcRu!G zjSIz?tHq7v(Mq*@;gGzyFrrCC0JJbwuS3M4b-G1ob>hTRg^Q`)6$X>e$q?TP> zP%v}O4(P{EP{%@~o+!N*q9kcrNV)7krRw*YQd%u|`iR$x6n%;k?Bi(@jeEe(#wDCn zN79>hDvyedPV{aai=F)sT2UBl%2A>Hw^h^in9(7OCNc$=Ol67@9Fm%aVMWWw+xVRh zZHqxvaJb&^*ta~t8*gL{&>R{3Vx9T`8-u?q}y&_v-h4?`novJ^R#f)SotTetHT(Q z50-dbahj>K1DntAW2fqbtXzJ)D7yNJ!E>Z$Qv9^*;)piCSmjkgukBFRvtdl4L8~rj z#XU#PE?DFBvagera@580Zld_@xx?XNN-aBTqD`V(z(chy@c|2pnkLOtV43kIBlN+4 z#>Kx5>brWK^BYxARtNQ=6TpNWG2}H4Q@NZ|4A@jme{fS-hqB7s>zA99%IS#eY9*Tq 
zs&9ql$8Vp!`R;8?V1=pWd(M2p8$VbC5YBwZhz+Vl?05u zKfeLgclu^CEs@Ze%$p~-4))d=Fx9vemSw}beB)PyRZ3XB{Ti8E&ezwbyjwAXX&3V0 zKQL|@1h+~SD)R7wzv<)FZyaE28~|z9?lxs*gh*I-&=Gu&G5tq?83Cx0lF9RM02euuYbuu0=$Ng+Jx` z1P|K!;4)+xC~-^c5D4Fh_vPR$%&burQ?~Ey*pQ^aBjhOddsVn{K-2CJdhjBF;+ev> zK;BZkkV7Hj5cB9!#lol#S%>Kbk79 z%tt>oUV4x4P@aL7426F4ZGfEpNTey;{c@}H%S9=Jq%W249@P8#vUEvRG_QM>;^G77&=vvm66{>lsoBp%^*_VOy-x(soXxHFn+}>x%9(!dh3E`Sa_nX`z?@v2Eg0ZF4#HNiQ zN_4h{=Qh@;0es86dG|y}VVM)-G-+4%jomup&yfu9O}`5f=o6%zwG9ls+6+1J!NdF7 z=m@q9HLbpaai1}${1ar zTqsJzQTc;_l9`ax7xcRksWSmm{3S9GbZtfcEeTwM zVV=T-<%}j+Cx*`Z3g^o|VQ;A8`A72nu%C$~;i~ zOc3%WU%+!PAG99G}c;pJyl{M(ps%Fb5y z8a#*zxQMa++4(7%29oHD&;GihUnPVE@Q&cdo&;FjpQJY<`S$gtSFWTyQ~7X$si;|G zGa@pC&9cPKdyp5Ed4DVU;;ANw{&f|r@72}DIbQDbn#kipI!u9f|2N+V@Jh2@QqjJ= zB5-BNlnzH9;!}Hm;HsypI?Vs40Y>dE3iCSs{Z91;2A>49-!4L%C4B|R{f-+oPhsv! za4?8}S11U2{#Ss7yWRrOkW^AW2-Jg@HQ3g|VIeniDLB8v!~$ycNbIF`C!qD4>4QMsw?9vf zERUXW-5-7*tAhT(TPkUlf!RiSxmY_;{~h-gJhuH#?s@?TYYV)6_IUH~KK z?s{YV;oyLpBs1|SqvVei8zkZZ{?;bCdf}CsQq%Dn)jD3(UI?*4=(D;mVzN`lFk!vZIrjFMsF(}$P@^?Jfmv!sV?JH#mkR>A zL2Jj2H;?gXzf6yW9s=Ndm=h7y0mVfCmbT(Z8rLeV(kadJ=24OxqCArjc4c z9$2l(pvD=J?(+=bM^H(^kpl>}gXhs)$Q0inCL zD>$?eUK_$jDO}Xo!V(Xshz_KA9QoL$P4;x%Nv?;F9lhVoE$O9WUq5b@S%NAl>!9Vi zP8)Ac7PFyYQ(rA5nRVL@p2)QR<8;1oB?W)eTA2^Ltp!waXrn@TBGw9r3;c)tKeQQ2 zUT)%DF#J;U=Q7ps5J|ymO}agEJmh#BT8%F7W^Aa^sw9K73?~uIAM~;`u^O^cny1jG zx<>rAI(}EsNJhx=X$kcRl_l;2)!3s`=EMhj*G$G`+oOz~vsz^b2t71dCGIbt4_~ln zyJqWsYzwfQwv#Hu(b@eH)CUJB;xz@hhB=)5+f=m2(rUPp{R?+?Dy~J#;y(IhGEdoi zG#rt5Qn&Pn)tH>qhH09#I)OEkm+?V&3aG6?40d1K1W8fhXI#*C zgNUp4tByGrnU)dRGe#g50y(ATuO32tZfwW0tW#ainrpUXNL6Lo zZ`y72*)}4}HGqxA;=p;Rg_yMxY`Ng=_FG!9@&YsJ#I;u$(}c_2*6so4Mh6kfSr`Qr z*PpB_t4i3%4|0az&}&GCrG%2b9C|VQay@zEtnTY6ztF{&?yasYO-`ZMxR6iR+hnug z9ZSj-(V&yKWaImBEe{LAlfHEZTWI7kSHx*!cyp1nyp$tNpjq;E*IXVWBsVRGu?GE- zDuwwV=0o~c#~K)x0PZt;2c+i>j+Sf5RpI_y99mJ8yJ$ua0ETxh|8tc`5|9ICvcYxy z-7@Ab`&Val`|-SZ05~K8b9ODET1}b8i3P#}@z`2yKXL~hVwbgz#Irrhod{#Rp)wi; zF1}&@W^Hd3>6sOTTpi7KlMW%yt4d)oWloD5mp6FP&JW1ucaZ%)MvPHDC_*3Mw=QS! 
zTS0s{2Doyv1n;S46JS_Lc~6wax*q0iR|63*W-@lqpOJl3_M3{{U6`OC{W5}17EriI?=&RGwcHU z9C&{UU@k0zg+H;_b42{WRQnMrC5H6oa{|e6wNv(v?Gc16=?6;cV23Pr206WZ&yAN= z?#Jn7;&<)e^S*D^cqv?lr@8QmjN~gvua&uA>-`ch9V0UrmT2;@y_?4FXc_WQK#m~%gnDE7u%jo*E!7ON3utY!C zwebWI3BY_J_5a79F6#HLGqRB$LSR}x3?yOjp|EcNl;-BJTd~$CmtB#yA%P~(G0oB^ zg%s^;-xxmHF9k~N)6$eTPvoVck4$JGTr1u$Q2@!%#iP!dj=<-8%;5b#yy=cuvB@dlH6$$W(gU~)q z#eU|}m7VGJ&PzFn>K3Dn2+>_kotbOE64h?fX~`J8=1QkyJH(@Jk}B5f?8n(^mEpNB zUeINDSWEZCJd5h{V||hC@a@?gH+3+ zI#ivq{GJ>wd9BSG$f6Yx7#_iRvlW1 z2IUtV>x+{N5x`AlUH>f>i9>GBjyJ90(1@ddBRFVdu{g<;Uw#ydT3vcIXC*H zE)Kk^24Fll4grf=<^q8y;ix2k$jdTD$GjE-mSH4i{~FD3kz*Rw{-8Yow8{-%Ni`1A zvjfIqH8$@Ms4u(K*6r9NazFfj>Wgh`PSlC>(VB_cU$p80P0MoR8jZ->yy=dH2}?ra z7b|J}OXlHTSN~6WnYzz7r^#}6#qV-FB4J7rjIOIJXB1V>6L+{o+DuC)QluAqQGSp; z`L$#av+VVeF&b^>hWu-;$^YZ(EyJQ}_xEoa3F%T=QaY7Jq(lS+C8R^7r8|ZWMNp7N zLb|(SDCtHC>24VshM8Had0EAy4@> z$K%PFn9m-Q8b47sV)H0W>;4zTuF0;H;s!!OwYMGm2Rhh9d4r7`nw!6zs|3m?Q1T9* zIK4KNmJ-F-M6Zy({GrbIAgjOGIT-;ly1G?X|35lF0;1wv0oi~#_ZK~N=-0+QU)>aV z_F5ahSbkjll%kP?TmL-Q^i6JwlTam^-4J27Z|)IOl;G|=6-_bu0~dbS(^1{E`(2?G zLoS`(d5dA&33fQ4LK5FrduA8#RE0VrtmtY=Xk*^^kk0hL>o2yukOx{NgWsR z;L$O@zc#$(U`{-heN#dI4kZsQ zDjF%BPV?v#CnaM6n@zIlJEwR@z7Az-x`QtnZROnsM8XFvABXPZw`#49JggQ~mki&n z&GF}o51MRcVaA0m>fNf3QAsf1vBj;!Yw!x%iQrc|jD(LxRD%~qI~%}XZ(t6@m;#~~ z#A=PHLrty1yiy znA^K9+O{?rxZl-@*5oQ&pMRKQH=p5Z7p_h#I8v9mhlb%8&_y<9hb^ar6)KvS#Ti*_ z%%hDJ^zL}fSf5*A2x7FZNa1EI^*Puo{NQsq%^M2k$o8064i0XX$OA(r4tt9M;w*Wp zW`&6tkp=yyFW3q5<-XX}#Gc+aGb1rI1vflNzssf}zXF0;f^4wujUteO9&{H_El1i$ z*))m`Wda;ddh$n)`*E__+UQlIG~z!S()ql9|M^E#fv-2=C$k%urJ8ugMW{yb#R%-Q z64)&$JiWM(VjU1+OS@la`{?mAE4;ZPGT8W6P#x8I>zDi&0Wf$4+5U@&slYs{I0Z{L z`<|FD0B+heRwR%qyN1QYjc=_xjMexmT{*Xgj9Hg+GiV@+KuWoA*RTWPVu^qeV=hmf z9NFld5TgKFzzRyYroW`{Ia7c1MXjTUZ`j%t-q?T0a@3Nb>^{?ek@We zrr3_xN}FDl9Ct?8-FI~`n3~EQolkCT`n!qX^ZRhAmqbKnHgZm}LkfObX7*F7hQ{nd z3>LN&?ZC;UFUytRwXmT==P%gFsW#+dwZEjLfcMa5lf&pwXVsWme4=iE0-1L=cywV} zIDLl4hJ)dZ|7TCv32=QtmLLD!-$_a!HCiwBrbB0NhrYj@e5HNpCfTF_3!an14O`iN 
z9nsf%S2pEGr@IannK%Onx|jiMzVrM@bLBLFQHPOqDY0rwAt!x=)TnuRGCtZ^)Qp6w;H6rSSL^(JTTEVvGo4eP0_TIqzB%%-}uOo4utvGSTda27e2` zJXCab7|wNCub9Pr!ZKwwiP5z-SG|&PxPNH;1AiZ)3NHYvvV}&8CIQtN`E%OA~iVMzWd}O0qm8)_xtX>In7^2_a~z_ z=;#)67^Ip&nigwbY_?>Oe*nJJOtY0Hx?roQ99!S`8MxKU)5Bv0Sz{d58^4cJRz5zQ z`{Q*G8pAl`At2A*=B^}_j(p($7=yUd)Pmeg%Am>$r9|la&h`(*;itaAwWgF;F2eR( zIQX%?HY-80Ip=kV>agoD;kf$u+iAA3t)@RSQb_6CZcavqh-IMxm&e=F!{rlbbo$p@ z9CEE6W2h24q}0|Z6C1ctGl7`IYk>A`gyH|dPe2BAn|dc4bbW$5hqwCxJy_iu**&Fv z_GI#F*8A&Aulua=Hd0T)7wk`H;`Zn%H=L%TkT>zP=0t7B7yAzjsRCEnM&GlUV`Mr@ z)mskEUOrMPt0Rj64jM|r1^2Su@EtU3;S}E>8&${lRtWA*UEIBcKvI!|5%p3r-NfQt zPVJsK8L+XRt(v02NQ}pmJZBNBOa6*ybEmw$j8mPG4G#$V_-wq+2KYf zuU%KQq%Gk;G!6H#I-p@k6wfZonb6M_Tcmw6F5eUgO#D9mUHiAnvn{lD?cVfiK`3Z8j)P7Vq6`u59Gy3FyXI$Fsgu$jl} zeP`QoH1azk#@GOX`;L2h!`ByXo>iuuuWM;9f`q7bUc5IT{6p9~`S`kksZ~^dzUnwZ z#4^@MDpKV917*1&n^!vKn)IjKhD_F}`s}*G`xK`c=2!0zOkd|&5HE`Rz*ol2^R}WkC+hkuN&9yUdQ0s9JrM<ip@-tXvZO_Kr0#MM8b6pPFq4}tfNc4O2NlxW*t{u^yOz3RK}Dh8 z8)Pe!@!FxtwyH9|K03TaGrQGg`FkNlnDb;6%hw65<7&^NPxsW`h{~4|?kK&QEmP+1 z^z(-&mBcdIa{W&Ixg6=X5eAD*>FFdqFV1RdEdC?eh&AF7s_YIX zx-iQ3L7lrh`hGbMu$dXsCA^@W`NSCV)E9sS(2bVa`NQkV0Hn$4nBxc(n66WgdYUx) zu9K^}nZ!|lr;i8+7VEVHN%|MIVg!DI|03Ev+yCZVJ^uoRYk<8(H0aAo2dHyot46zz zz;h!@nV}D#INSB{DeUeOCH6LovhDz)^NH)UG3NQmOT()3Bwfa37D`9}@@}NRT1lNk zah;(+@lU~Fsm@ArtN;di{XTj>r9xSug6xYSN#M^`v%gg=@4IadAf4uYAST(8D^eHnF^TmfvOEacF4kW)x zsp$0Z7tS#{OyG~c_z65PtGx58-CBPYK7JBSsY7GNBxqrwWplR}e}tFF8P|QrkXyB) z=(+sQ=}(o>J7{La#@%53;Ejbl7@fp@R}Pp*DRV?i5waW6Xl4Xn3la;O<=YYuQW!1-}+qkV8D`!7=*{Vd;BoE?CwBdsg$EB;oAv!nRRzB(?{(LK-!4sio{ zSKyTQzZ5L+BH+BJ+XJ-SZw>zw$DnA!eO*@PD)Z4IKhS;Z#25Qwc$bzfvQG=mpC(6v zzv3D@9T==z8!~;QVZO~F`~g6fxI#sQD_2hwe?0B{_zp*u6Z-i$`-h)%Wl!u@%w~*{ zn4Ynpu4!|}*$DW?6IG*@N&mya12q%i&CFLEd=A`#MsGC}fD>w;F&L1^-oB)D%Chjb zUco`AsPaJwaBI8uONm+Q(JA&65>Yk%Q3fjj3>3@7(|1Qu6 zAV&U1KsGn1wgdC&LhO#RQ6>v#nro1O?wh4grDYESRGA&MJ00ZD-hb|K5lB>)Tbn1H zj!J&TFng*!E3XV|UY`N^VT79Wqbl-=MQp-u-X8ajkyR9FPAE@GD0RrbE89>f{&v8tB$VR8s_i4l^ii77BH@L%+Ey|^ugSfoCw|c 
z2T>q($pj@D1l=T?MIc<~1@UGz%!q=*sjAn85GLjU&aw;#Gb1_|k-a`-ui>I465;sR z(bT&X2DJt+c;r?1$mWFnZ8)VdokA-xH6_N_>}<`S1%*UV{un3GD#43B9)6Uwd$Qel zoyKn>BlpohDJ<{Zs_JsM$tvHvNimmLTFfc_=j!A3l^lZ~c`OuK$u+JsCvA_6l^wM0 zxZ55X>VD*|_PLXBzNmtSb;lZ++Dkz%qildCcQc}yt_()=U(cQUH6kf$E?G&qLxa^heUP)y{J|Rt$c5* zA44gILO2lb{R~Ys>G1FJMIFk;osz{IoIcz{J5%}Q@Xx!+eE5%P<`_k)Qyd@D>ia3o ztUyC{Wba9Xz=FRDG4Ql`4HPwG02O#hkgWqAHoBbi@vkZD=(P1tk{a}+Xs1dNh|`F1b#|vfV^VL1c$6L? z8iW8{BsahCb>gAYYn)Pb2fq5bRVTZaz_GewgG6syM42-Fgn0k5-wqJLc@a7u*ktBqY|MAG$OyOB{@H&b^4 z=nmiL@3CB!ooMjf4gH$eW-4!-MUj9KgrDGa+;Y#K*O(RJ>ds61b2#9Zw89^?Gm3i; z*1ljYDf<0li_wC0wWHCOY&=GDQfuLzqETTmU+MN)M+IURzPLBz&qY%b%tN>7%ZCPP z+=z0(bpiChj09_xM!^$6`L?jM*nrAm0}k;UHEaN-IpeQv$no0Uz>bg9vYm@A317(b z4x|5E>+_*?${KE8*sv<1Ih``+X;YUY-&>Q#bblL>#wA$7q*{wRq3Pr|sLf-IiCj7n zphg(GJQzyv4r;wVK^f^k|8O*MzO547B<@$2LeI$6XQkYqEj&a5b(hw-k1hnaX=(84 z7Z$q^(Uiu`c5)KCW54M;GITGs;Z9utOL>Jd+>Ro&DWi_s9$~!}Y&PG#4;*kjeQ;+- z90yq3%If~^rtpBj#zzd)sCi=f`G^vR^V< z^+c{h#lz$KUA6=za#D_x==HGP#?Y=Dqo-)Jn!fc}lIEvQ^Z9su6Q!Z00b^sQ;!^8c zd6ZF~Tkyd4)Hn9`LZYT039Ja9tlW-jERna$7|rYx8euj;rktBcU#O>B(pO?GtMBq|w4|;nD zgT>W9oOiA(lfzv*ICRnYpFSJ0oN)Y`I~Lf=lx;^T%MkiW*Ee%=Sv}PAQ@NA;BNQ4+ z_0%fewAN!!<1uga@fP-&HE~f$Cbma+rruqm3!#wZH_@2TOi2-w4%7FuVTaLGGGVW1 z&@=W&;j7hieQ@UwD=>?@M7mV>oo_x;RDcGED1hX6`5%2Oc=`#TFw0Bp5VBy*>g`5I z2R!{kq&(JS=kJ<{2sjYIBO>me^%OJlEL87{2dj#OY0(Dyi`zU(1R~({T5Bx!(MEwC zpbTU0caERP8^4dPv)K|NQu$y}%cMTG`r9duxSZ(sVuv6>?L7DI)z1vzpwU(o zWE37l|4(lRUQV~I9X9!GSS1Uv3ravAcR-^1-oF^D^KLDr)gL&((Vlct4A5qYNeB!q zxVY)?XiapB`qCBZi}#`K7@zbkyXS$M)s;jX80x;sR{H_^S}7QUN~cB}nk2Yp7WcN_ zAjQ3tI2)4|#9AjO(@DzpTp*ME*QXJz&6lw>o9tj+n(DpGYM0uxlKjeLf~l4POi@{Y zy)GoG*~7KBkW0EL<&?AVY4v(|&<}=bh*~nOK{RG>eZ`cZ_x*M?2#2)Tf%JAoaxm@# zwAtrrJamDMc=Io3U!E{3ejcGODVf4)efwCAcIUKt3P)`k=hswt1ie>@bu+ryg+PR> z-1@kH8fdn7Ksif!F~Mb@VP0&iLO) zUx`Y~cbh(62IVlq9twzvyh(H1EX=FUCfCy3g{i?1N&+S)`9m?(bpSIAG6=Khb768^ zPLuAzf0>I$_mWQsZDsK5ot_UlIJ2b9G8uleM={5l;-#vKjrv=?{?-gMj0YapODG2_ 
zwE)gi`h&$G$L0R@7N@Jr3&*42*jM{V=u*4i^^oSPw}*(zJocH~3sfQflZ)s31Q7w2>2D*pAzxV{7w|;BqA4tgSJJwOS0i#M zyZX3Y$ycYg-SHUNv6Mtth0oDlw^XpahTu37FL|8+eb)ER1ws=MukXiv=j$y`Xwvo; z0kJSjk4sbR!rx(K3x|)P={Z<)yAO6Tsa&b@*u-^n;VOYz*{7!w$%lA8*qNu1cXxWF z2+@34q{0$eijwb#FR!QN=+s3es6Ci@_l2=?2o|8OVn@1w|Lo%!ck#6)W&=AxPL@S8Fho_^Ij75p<8_7AdF4?^mgub*X{0F9 zBS~rZg^8aTdv3}WEz32^-{efD?0+$c`KunqD#NV>cG7z(9_$AM>4dgJ`l>6Bx{9x$ zB_)esQ|I~rpYDN@JSER>piUu4=>UevyauWY&mJ)|dL<-2RD@VV{f{3OP$XrtjC;6m z-|>H=ZKv=Vv&khz6yxnKUc#CZop127qnhuFXQUrn!R$;bEY{UWTM@A%Q6lcG;*{q3 zm3D-kStmgdR=ER($?tTRsgog@+yiYEZ^K9FE~N>3-jR0Ec&fdLbSmjE%O+raN9k8X zFS0o8cjdSVK~Qluld{ezk1WKJA+oLB!S&iyLx?85<8~0dlW^!q$(?UrTw&h?7drCf9d)gXKX^fVk*PV zz;k5JISq^wQ~WGpDfNJ3HvUB7#fzN5InVvJ->aVmI`_V_H^+GJgw2%XCEMXS z1gHSE4-@`s`+yq=5=v9BI=po(eW`>wZBE8Q%=gaW-E|~v>WcSt$NP^Gg`o?v7NF4HM>L;9~21dj>&s z&u%O@a+1%i@qI{74H7^?QIM*hUNrGXYxwEF&xAt{nax4$BYMqE`egYWuFg`pv{wL45$cZYV|NRVeZtyNz8U7H)PQ=k?eR4 zv6Q&qU=~=#tRm&G4%LdP{q+Xj5Xz?c;Lgo?71Tr+O=>1Wknoed`W#QK9Q=wbRvVKO z5!@D}(y7)l1e3l&Oyyz8CWma>yyzF}h-0R~z>G(uaj-_c5;`#?pqa^g5|!dT@-d)M zfZ&-Q9o|p2szT04OCN?XH5j_c9ElKx@zqx|^2ZyDRgMpY{XGJkS!Vmnx{E})tup2b z{?HRA(0_g#MwBSxj84TyDADP_-)}@H;>_$V=QQ%b$C~A*RLp~RE3JCW)VqGP?R~vi zMC-~CYFNQlxkfO7OGHp-21f5srgSgSZ% zJWQS3!IE)vyY9+)GuwX*YwnK6kH^KoO47n9I8E2lc3X`zNIyIaT~x>1jiP>0**Zu* zE2(%~bA6{iC4+bel*?3*5aN8IrY(e;_Y=2DtHnlUmJx`F675c`c)FhQFVObFU)AJC z{4!V}zVt-=eAoG8oR8rUBv^mtUV%pq-8>Gdp~sdXXmHM@rDi-XL)`0ZF!NxVQ-2%w z=Z>zZQs*bv&MsF&k4r7jl^9zUewId#r-s*8SMx(98dun}d7Gg!7eVz^!B`P^?Lzpw z)%_-RPU)2#o@)&-9WUU5VE7`xF@|h4t@1K&-ng223ijh(*F(EdsJ?(>IEy|Z6+<8% zx!{6ATh>GCondJjX;;CwyH44BL__%fbW$eZ0XEHpL?cs{fL|xH!qOj}`MmRC!95SW zDhgVZ@GKM`jeT)4LXyz)ikImOyJG}HcG!N}m~_pOAMmJn@%1sgUq|#MI3>iEL5l^@)mV@yvJA(Kv(?SYJ9$ptOs)o z@-1T=V&Bt)IBMmE07vIwajA{aXlN-1K3xOmsLQL1@oPqekqAZ|(j_<)04(z)WaA6Jy zDGm13XvsfRxvB#h4ZE(7ayr@pMjlt{B&P41P1Vc;17$PcoIq~6 zmDZ>9$Spz8#Z^TAARyUn;&}!~*f{zyn)-LQ>HhVImG*A!l3HeJjz?Z3UbTvLtS?r+ zkW_)J3<~luB%dxA^$o)2;3{b561{d_{k@)`r34?f@9DP5bUVYB{iou1fSMorOGMvy 
zo7soheMhOXc;q4?l1!^`WtBaz^0=D!2ghHsEgGdk(`rVnx8Yi}7FG{9-uwRH^!?U5 zRr_D*V;Bq1uZG@WZu^E|r+utG%C}nf-Ruo$4a?~~u%72#BwiT)R}EJT>>AHCR|Hk= z9|$(#CVl+z3@SlH1+WV`ye4{U5&FLUZ43)t0{ra#aFbob!NYZtsdncaH2F`ze}+c0 z6`bo>+f;AO3;n6PH7(e5(7IPKU4^>8k!>z82QiGE6?(A%DV8lvaNQ2-c-07z>M28i_V$PBpFk9ap$B19N z}ScA3v?D5HRRya^0IZKTAlqEZm-bTwNDiySY{+6~5 z9dABRUqPEKMmF9Y)49o$ELC{GgN0Bq`WeMqVjeEv2frt$up-rx1}S!$`)ZrNosczX zY=R!s1`h_JqN?g_N*z|q8SXvQ#TCUK;^B!Wf9LIF`cSr9gm=F~FE!vPXVYXS#>kzW z%Blz}kj`>WRD+rai~9e|E0N7JMe2gIJ#*zDNSnkyv`xAUkP!m>O$eZrGz|wVxs@Hb zJlF)m^VFS(@6xU{z+HN;+0_^c*c|*_XZ@RSzXmlfU;^a-2HeX40RA0pYn+cuaH021 z%!U)0hb!<)PMCAk`S~JU#&`fvT^={VjA@a5R|L~L^%{t2HJ6m`a_;Bzxu{^)TDn~_ zkECJFRc#+i!%gvclRdWmVX3m&&$zu$-n`^+sQw}$S^d2$@z>9$rBjTbxzSO<=$#Au z-s!d)W$XD7By86MgpqyE*&0bOa>VWkv*~ltPoufFWKFnPXRBorzgLCd71ns6Qx;qu zUPj`YeJH{W5&!0`(nsLrN=NS3i_ZN5*Qz_4b%XP1Q0?bT&KE!=S#0&33P{W+tjP>| zvpU-1%veTEK#*gGscVxYRu7rqG-CSYOoAG ziGmmJ+>h3g4ymmkdTX0pJ6UZ{l=W)ul*|In?nOO&S56?6upFDQ_HgYhvj_PmU%9xe z@(Z5{?EPd#)iEx>(R8Vt-YV8RHAxYk@BjQ_A2LZGSrO5G4XA?e&`LJn^xtL+)L|Yk z8~<&#faqWZG3hN|CIg_ddd&A%c9n=8xfjH%jLy59Mkuo zyws};mf8+(@x*LxG%1XQ2XL>Zu7H(@|@QU3`?Xa!&5r1#LOfeDy2_? 
zHGSVHb;!IBU`L`+o30AzuNEpkT`SEZ>!6J<&%g7OV;+-tBF@8jho<3 z9MKSW=t0e*Mz1`#Jxo#bX)5k}F52WJGNF_y05!|55dxn8=|j#=&?w zqCJ52E4v9#%~F=c`qTKj`#{6n05!{lJljr#7V4ttt=;*NHdAZ+Rq z4jMAFZ;!hF{jyhN)gDjJKqNuPA^X8B0^)V(pii!Iqc3xh8fqLC-duW56yrKD`K_^S z!yvJB%mbc}q{LH|(l7eMj93N)cydXaztTo6WI30H+;yx`=BdYw+zsdX!21zx1Mi;H zDvP4Lj@$^IWvLIH+1?@9LmZiAqN1;lDh>{o1p6M`+*ekY2-qf4EmUFA8BeKrG}UBj z!$KYHLw~Z~H1YLI#nD3kClemq+7=l~=05X@uP+FBg%9`7#Pmqlt3JBNYbvMOK04h( z`(6C%qqj!kgx~I-VmEc#$3^A{Nf}F`V??4~lbeEMaY=+j&2VCubS~T6X#^UkY%nxV zGc@A4-HOe?&WFf>g}g-1CiAl-Ku>IJlV%X9+5x#A1$gjqT*~C2?Y%r_rR%Xgk4222$DoaRLraZ z>Y@OPp#u(t=n88={TY||o%ZxV70v=NLbUpb=9yZ1 z_kt`aY<;$B*?D){ZZ?r&XM5e0(ZOL=q(QXUGIZ0fU2bV?*ODUIcb-*8;eZK!nRXycnR#XR)+dGb^W=_?uz;JQCD->$JVC+qCZ|rf;eQ}t6OI< zWJ#w3_!}xR0AQmaYPW$=A*ZquoxH;7lHBhvQ|=khca|+zXC0D!UOEq|5V+hc5E0&+ z|MelA!>CF0!Sfwo?J1lbV-&>WEMCnu!ZNeH?sK@gP{uG6NhopFI%zTX{XS_B`G4%Boe|&8lOzoAoR==~>1riss^n*h9(|U58d(TEl zTyZuHuer$)U9(^F(A;w83Q8tp-O4;2Z^d! zk*zBz1Znmk{tm#wy)Y?oxC!1;Bq;@8S5k}P8KszG99Rax_tq`6;cLTN z=$d^R{iI1d-U`89%0728pI+iDWvpOcxMLk9V@pL+yVEoD9BChe*4&X0T1g$8aO^?S z4XaJk@i{Rj4Tb3IEgGfwnqFPl_^9B?+$gyC-q6hTUXVp>i`6J2}<; z$a_<%@|B%W)pXs@3h$#H)ixHYk+(wDRWgKYG)+|WEiA+yo0=P#(S(nlkp6fl5jxwm zKb;$P4cSfPuht#QkjaZt(#SLyb1eDg!-q5h$cgqLYgKhSjR99?f^@)R;#VEW;Y!A) z&d^0!|3PK4)DVBudpOn!1CfZT+2VWrN_Xx))+k7PU5;dEcdwr?xfU%o5@Cv;ol4bwt4qw->zMHLweis;*C?l6W} z@3hPWF9ZXtveJXV-w^xyE&!9}Ix*iib>e9Ew-7K@&_*ScI>EgLsdq@Kr+hqjX?A@B zsrYLygj&(`4ubNoi@$Kny9mg=VWmzXxGF@Opsl@ytELnKvofE1 z6Nu;Cfbr67kVMEvJn5V!72lPI3#q*>Hu%v`4yv>7yDK3DkBt>S{y^Wn&YWJ(%>G`< zuPU=WR(cB1@)=ukKOy$mNs@9DZt+}!vDsV`sQ`RU%BIhI{*bBYw`=TB`&f6~xK*q` z9Cz*9B%hH%nOCqE$zK0??5W(bj8N)lROg%ex=30(w?@{{&a-vj$)1}-Jx)jc8!K<7 zl(qNynabn|-q+l`SCRLMhd4CjbTnApnl}`>rp43(WhSxEuL10-gLjlaSH3ME0vDGK zq*Dic#B3nUBe)@QWe$>T^NGehjN49=&X(JIG9SLpt(yqsEb=EaNpuc{GMYc>BPb9+ z5+SS?c{8oys)-W3+79lP+V$V6QoNjfim-Pr6YE!2$(bCw8U&p<-42TGQ9mlFYv!d4 z2=LvL(HDf@SS!vcbL)@IDs#hSVif5Q*7Z!gYGQS2{m-nk4zs_+v_~j;{26(oLuq-b 
z1P@u9-#N?{UR?U);3m=1V0PdaM!0hM_VQ7!G#!`_O0f-OQJ_a}8x86ifCG@3LN)3L^^O_8n?}25b zYO(tQ1YNI*KaG+@xlrr1Q_GLw5cGSZIZ#*LaR&rc?T44Ud850#oH{xsQPjF53d6L$-i$t}Rf+wufLGB_9D2jF3rD?0lkk+?8#3Joh>35l=0_@tR!S3OdDbU}zgqfh z+j+&`?NkXp^+U(G?~li__v}bb74F66Ka{Lw<8C0G4783zM( zK`G<{vR6~*QZ+xQNFToAO~q-Dzsj;yTYxrQ5HGgp@25JM+tWveUap#sld4DiE0JEJuC(v96%dCdzP5rNE7T&&%ao*Q4F2nPtmUb-T*4p%B+zeGz4JTZ$$rtz^AM zDY#^d)CCr!2oC|;9Am)C?v&IsW3bYZIASJ{FgL{qbw2WJW60gVdZ`y2a-b-jrKB`HO>6 zlPB&y{i#02*9S;)n)~=RYJSCqK|gM0^+_jZ$n<{c{d(@FGny)|879Mz_lDwE|I|x? zY*)E3rX5+XSI$!g&sBdJIGOHmo<9G$&3lyJ8oK0iVhWlh%@$5DlMQ`_88L?=YtkR3 zBQGZFrf$8SwRFNILQ=|qlHSA*iRV3ZHI89Le#DD|6~U@m@kVUt#7-Gw)>L>pTKliPz>aQJV^;vBlXIUNnVTfI1Z1AfF?hr3X zOSwF5!SwLn`Ey+5+dIJD#f6ZCznqX*#6ilYey_P={0UH@GW!~|0gbVj`qEyDM_u9u zmjDfz9@SA0hGP6pRerzzFx!{CG=}mD^0#&y1ai0*6K5Zf{B*OYHZB z*EH5oI8#Psa?VoHuA_a1cCd^yt6-))>u%sGAio*k_U8m)@{M#-r~Xpd>LrYl&z z(?&7Y&D#i}lrb&f{I{Vl;Kg$$iPT{<_QYv!E(aEm?(=HzmV9e3_LxD)4$U((TXpT} zWdl~Xh+yz}DizEdGyyHriqxn~_5)^ArnC;k@Ell4(9H+hQh~gOb={Ci#k!Fbe&7{O z;q}+yZFNGPUj{H1RJI_qv|-fHQlIQ=uKGiAvpg#H_E@(BwvgR7b%~$ie55FRipmly zcl^F<^GWaF8K&`ZmxQQ=|GD!!ifi)wR%uCVb2R8MEhEoI(@SOeQGYV5S<4U=FK!0o z$w=;1l~<>t6DJKjwN|I{I8SVR1LNC`uVwd-dUw4$#t?Z}s zAcf_ebjL&a*nSu0-y=n;yCF`b{W%Bs`{c()kW%88HwO#XyG?VXHP_eIZDKEqw*aG@ zc`(>VO_xv*a2(g!1~BuMwS0|!1*)`HJpvdD^;PLR3ZzHC+hVHTKg`j0Cj+m2fUXjMCAWOO+Nc;5l4*#1LtkV-VZa8VvbsulS7KSrsc zw@b5=1N;h{4YibfIm06)d?Y+pAD={%_P?kJIDj`Iz!2bcHj8Do5mxhah<)0^tO0vP_@1uSbN688;!IN8lU59ds?-eJ#>SI0LUeLIc1gnSHXvJ*7={nL>dnKJkFL-b zj>ywfjY16%cJGZ6B`U`pY(E^mfr|Z19XlS$h%4r}zFgxLS1eftG-=NPw??3VRd?4MiEN z1%H4mGSl%cN8~6!P9YwEXBFY+ zWZvMBHvtPrmdjN6yy)R{k+eDhVx)6H>Iitx#ZxlE347A6Wy z!_`u-o*JE?{joa-XIkboK~IFZ4z2=@VAO*erR&}w4`?*CKN;ne?Kn7$XGm-rst>Ua zmh)T83k|1Ra#RmDv8-29IjI%LcH%ZhsfZB$uzB&F8k1v#pMhT(^Qg3IK)9u?K3(*f zKsrsd%0^?Czjx`Ka%oWUeUf=($GF%yrxc7M-`cjyr(o@cD51_0>BmYA#|}u7&2rqj zh2zbvIjZ2yrws^pj67d{XAhcs=n3`P_*(yX!1v*?V!*x!VO`E${1YIlLE3FB^p{{G zkn|pY!E%6kbZlJk>JgB$9K3l0#T4!Y9=J2C>P;UEZ$s?1WiLgpNP6U7t9_vJjl^>! 
zcE@`Sp!i22Nqf+<+KeltV^3}8;1M*xR-_SF3Dev`2~%vLrT~mI{k$}WW|OYHx!*`= z#jPnAC0l1SFwW7Q{FM3vWGBJ3?u2k*ElHa{k%w)!GoNi5!`HXhoMl+mNr?<-abF ztfDF4%F52xzZ6(eKdI7=P4DWE{w-}L=4~~8hSauyM$b?DgAgudtU{9hf^86mO)K#% zx!*VA?PS&Q4`nfmAv0X?3=yTr!*TAmT1OLJJEmVUp{a0OZZ~>nB16Q#+}e&ffBGG0 zg^ZYtyKHJWLfarlJJ_4Z@A*c=fO`^OS2cc;xZ~!8!Ws|%^v!5!;>U{WME;3W%anfK~YN z^dG=~5j7Y1-Ns`S4Up7)$`dU8c^HGWPMRy2bF|FHa_PavOz8bVE zzYbZ5DnwnG8_Y&J48~&4IlT*?Atj~OQCCjb`_f$vEc7Z z&?HAzmAY$Z(s%xx=93>Z>RpwpSMoTu6kn zg@v`eyO$zkZ|(EC>{Dh8UG*O_P=>J-z0}6|u*IY7H_U?Yb9B7X)?$8y?7LZg*Y!?gm&tYMOu@Qt1#%^+E%hj-n zJ*Z*x$6LV^cI(q~j;@QZ3n~dy`TDYjsM)nOa_C`oJ?l(EYfmqmIJs)r>eKI0gW3Z5 zoZF#t9cNSw4c*1T6WRPe({VEJMERht#PuZ}KdGi8!?)^;IylkvbW?-98ct&%*nXjE zXs-ZN$V)mPv5kSy@-j(se**r=>Wt*^j%Ahz)!(q?xbYh^q@;ZnUu`<`v_=l^P7k&U zf?8kb$1Ac0u{TzZpw^3en`Ix9&V7J1_pojf=T!u;&lFFiDXZ`Yj3Kscrw^4e&eB1+9PjIMvEXJsJPSM<d)y-Kb`~;3J5B>Qspj&Ca8%>!7QuOZhrmrTxPg$lZQgc?gEwN|p&u=Jfv z=6CCp+OcJ054)$&j`AM;l#7Lmc@tgyHLqZN*dmf17Jhyy{Ck6;g<|G}9? z?0f6~&Tg{u<-x7ze_BV=#Qd)j6Z60Gwk_v>^>6x|RjvPbmF~*@-_yEc{?~{d*ZhxN zUQ%{>?SHoSl*DC%@tEK{V|fW@bHM0NoEy`7!c}01{_>N(QR2cB!*^~auIfusnKb94 zC;_G+(~{l-9(obXJ51b%pUg%u4++N7t$9yuiLIqcpcd;hZ1vmJrIl)|il#IN8aWhz>gUvUShF)WVhrKj6{K_Vu7zi6l zzoW>p315Rbp6$TY_3aqCj`J9pb(lCrvE#WB4I25X~jb{~!+4bkZ z&WjJ>+pbOXD--9s0afuPX=C_1ZL>wFPbcmwouPfEP*o><3KOiK6F5LV*bygwg#Pp@ z!o9Nrz?cF2f9{-o{O#q{C%{a&Ac(2S{ouwIm?#~xSs0s4#=*Sc3T+kZ38ej^E$J$` z4-%NFM-g@m@Sfy}NQoJ~dLdoW#c(103Ky>9wXmEO52qN1F!jgF1BM^l$cmEl7-e=m zFz0aC6qV+@7!48zbValCaltE7z|qkZ)bv-2W3dWaViL17i6Ie!o#!xkis3)(9K(wz z|K}6p9al-pGCfJ_;d#ctE{NIEL{y%TqlK<=9 z^f{~Ie^pag)_>sNJ;DD?*m3bcUS1MjUJ}2&Bz}4Aeb(9Kf(J6trej#3u&{kZ`c>o*hMe@luZ?+mkZ>+ zOgSwi*2Da+G`WkEcgTS~#5^-xUd4fs_)^i0gVLEX-yd|vcE)A`N6q?U2SBoZ5U0Vp zbo7fR5sGm?h~#g+eEB5({QApc0cQzl-(xBp^$h6~>6s~Wvi%eu;@GrstqiUdnr|$+ zJIuH=Y=zh`$^tz?)1$LQSO%-Rx#3Gkw1{hq&X9QQe_!@s{(ld1+2Ko=pig`UueG5I zKeRBB^wvpWd;ahCI->q>BPRI&ylp%F-{PjvS+)Pav&#R9D(b&9Vn@aQczH>=%L^Hg zF0cLL|4WbO&mopmq7;)jU{2KBfzWYGDG$%_NpaK8<2K1&64oD+IR@(n 
z4>ih7N+>D~4hlvkbVmuMBhuUfx!d()%nqYXMi^CNLmy~*gP%Hg^B{8Um5ISiBu#2< z$V%nnd?Ia|H-RB!KJ!%5d4!qMKLPb;xU_)LIJ9+0oWWfF*=D4xpUL)*VLk?LQbV+a z5M{C&aHc41hsCC0kR6>3&%6h2ZF(L6J9&$14-QTUXLx+UIN$vXn(1Uc-!N`1CJN$4 z7+L2=*Y}uVYf*|QI~^oa!U_q@a13r7j8;o8*rg0sHt19H#$k(3i~5mM7-l%h)8ICD zlxb`r4JKae5f6>RRjb93;;t8`k6p2RsmY{G987G5yUb2kLrDIF7J&H4i_9B-?$Yzt zI{Y+hFDn86(Wap+T@qM2{f9)Q2lIcr5;y$pczC*o{Og>s7|3>Vn_&*ojL6?`rFR%UM|Cay}1wduW=!K#rE|?qwATm9e z2`EFjDxeEai+wSY*f3EP2Tlu6C*390w=^Il^XNZgNhB01wPGta$tq;K+1n13RFWb!8$@CL4GVCu`4`}xxQ->$CY zPuT(l4ICRZKEXN9$di4z?ctxrg%@oIreD68|MR~;T{(SE|MP!HKS)nsz5ejer)3)y zonF43A4I-89+z&qdc2N*N5=pB@{;KC+CTQc$AFjR$RFqv6O#+(0P9?B z8J(G!+{xnl=gG)(Ed=bG-dtXnIdtX$95}F`Lvj30oG;NtA>inf=Bmx9t~An~8}r0! zD$gB+^MGQzv&M<(c&flfE`r^1LX!JKnP%?CUj)@VF74mB!)$SujvnTm=`+)Z!B}{j zJ)N{A^4nr$wsSW}ZK1&DABQ&>uzZn7j&gu2g|Lz#^@f+Vn-XHt|0 zFa_nJ;(|P8qvqSpKrg3Wk`knk&_u${NzCPa(xWf%3csXa^v@2!tDO?=$ItI+Bs|pT zA-^(;@UU2eMQIh@=8%moy8mojdXkHdZ!y+sEqzgXVbUG}tZUgA@6u8u(0=~k%a!R?xxob$w#HNV(23BoS5B)skV&?<63a-;$+5+ zNv)fOjfz?U zcrRXDn$YHq)$ diff --git a/doc/knowledge_base.rb b/doc/knowledge_base.rb deleted file mode 100644 index 86b5b52a..00000000 --- a/doc/knowledge_base.rb +++ /dev/null 
@@ -1,650 +0,0 @@ -require 'date' -# Core KB -require "dawn/kb/basic_check" -require "dawn/kb/pattern_match_check" -require "dawn/kb/dependency_check" -require "dawn/kb/ruby_version_check" -require "dawn/kb/operating_system_check" -require "dawn/kb/combo_check" -require "dawn/kb/version_check" -require "dawn/kb/deprecation_check" -require "dawn/kb/gem_check" - -# Q&A related checks -## Not revised code -require "dawn/kb/not_revised_code" - -## Owasp ROR Cheatsheet -require 'dawn/kb/owasp_ror_cheatsheet/command_injection' -require 'dawn/kb/owasp_ror_cheatsheet/csrf' -require 'dawn/kb/owasp_ror_cheatsheet/session_stored_in_database' -require 'dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model' -require 'dawn/kb/owasp_ror_cheatsheet/security_related_headers' -require 'dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward' -require 'dawn/kb/owasp_ror_cheatsheet/sensitive_files' - -# Security checks with no or pending CVE - -# A XSS issue on Simple Form gem reported by Rafael Mendonça França on -# November, 29 2013 -# -# https://groups.google.com/forum/#!topic/ruby-security-ann/flHbLMb07tE -require "dawn/kb/simpleform_xss_20131129" - -# CVE - 2004 -require "dawn/kb/cve_2004_0755" -require "dawn/kb/cve_2004_0983" - -# CVE - 2005 -require "dawn/kb/cve_2005_1992" -require "dawn/kb/cve_2005_2337" - -# CVE - 2006 -require "dawn/kb/cve_2006_1931" -require "dawn/kb/cve_2006_2582" -require "dawn/kb/cve_2006_3694" -require "dawn/kb/cve_2006_4112" -require "dawn/kb/cve_2006_5467" -require "dawn/kb/cve_2006_6303" -require "dawn/kb/cve_2006_6852" -require "dawn/kb/cve_2006_6979" - -# CVE - 2007 -require "dawn/kb/cve_2007_0469" -require "dawn/kb/cve_2007_5162" -require "dawn/kb/cve_2007_5379" -require "dawn/kb/cve_2007_5380" -require "dawn/kb/cve_2007_5770" -require "dawn/kb/cve_2007_6077" -require "dawn/kb/cve_2007_6612" - -# CVE - 2008 - -require "dawn/kb/cve_2008_1145" -require "dawn/kb/cve_2008_1891" -require "dawn/kb/cve_2008_2376" -require "dawn/kb/cve_2008_2662" 
-require "dawn/kb/cve_2008_2663" -require "dawn/kb/cve_2008_2664" -require "dawn/kb/cve_2008_2725" -require "dawn/kb/cve_2008_3655" -require "dawn/kb/cve_2008_3657" -require "dawn/kb/cve_2008_3790" -require "dawn/kb/cve_2008_3905" -require "dawn/kb/cve_2008_4094" -require "dawn/kb/cve_2008_4310" -require "dawn/kb/cve_2008_5189" -require "dawn/kb/cve_2008_7248" - -# CVE - 2009 -require "dawn/kb/cve_2009_4078" -require "dawn/kb/cve_2009_4124" -require "dawn/kb/cve_2009_4214" - -# CVE - 2010 -require "dawn/kb/cve_2010_1330" -require "dawn/kb/cve_2010_2489" -require "dawn/kb/cve_2010_3933" - -# CVE - 2011 -require "dawn/kb/cve_2011_0188" -require "dawn/kb/cve_2011_0446" -require "dawn/kb/cve_2011_0447" -require "dawn/kb/cve_2011_0739" -require "dawn/kb/cve_2011_0995" -require "dawn/kb/cve_2011_1004" -require "dawn/kb/cve_2011_1005" -require "dawn/kb/cve_2011_2197" -require "dawn/kb/cve_2011_2686" -require "dawn/kb/cve_2011_2705" -require "dawn/kb/cve_2011_2929" -require "dawn/kb/cve_2011_2930" -require "dawn/kb/cve_2011_2931" -require "dawn/kb/cve_2011_2932" -require "dawn/kb/cve_2011_3009" -require "dawn/kb/cve_2011_3186" -require "dawn/kb/cve_2011_3187" -require "dawn/kb/cve_2011_4319" -require "dawn/kb/cve_2011_4815" -require "dawn/kb/cve_2011_5036" - -# CVE - 2012 -require "dawn/kb/cve_2012_1098" -require "dawn/kb/cve_2012_1099" -require "dawn/kb/cve_2012_1241" -require "dawn/kb/cve_2012_2139" -require "dawn/kb/cve_2012_2140" -require "dawn/kb/cve_2012_2660" -require "dawn/kb/cve_2012_2661" -require "dawn/kb/cve_2012_2671" -require "dawn/kb/cve_2012_2694" -require "dawn/kb/cve_2012_2695" -require "dawn/kb/cve_2012_3424" -require "dawn/kb/cve_2012_3463" -require "dawn/kb/cve_2012_3464" -require "dawn/kb/cve_2012_3465" -require "dawn/kb/cve_2012_4464" -require "dawn/kb/cve_2012_4466" -require "dawn/kb/cve_2012_4481" -require "dawn/kb/cve_2012_4522" -require "dawn/kb/cve_2012_5370" -require "dawn/kb/cve_2012_5371" -require "dawn/kb/cve_2012_5380" -require 
"dawn/kb/cve_2012_6109" -require "dawn/kb/cve_2012_6134" -require "dawn/kb/cve_2012_6496" -require "dawn/kb/cve_2012_6497" -require "dawn/kb/cve_2012_6684" - -# CVE - 2013 -require "dawn/kb/cve_2013_0155" -require "dawn/kb/cve_2013_0156" -require "dawn/kb/cve_2013_0162" -require "dawn/kb/cve_2013_0175" -require "dawn/kb/cve_2013_0183" -require "dawn/kb/cve_2013_0184" -require "dawn/kb/cve_2013_0233" -require "dawn/kb/cve_2013_0256" -require "dawn/kb/cve_2013_0262" -require "dawn/kb/cve_2013_0263" -require "dawn/kb/cve_2013_0269" -require "dawn/kb/cve_2013_0276" -require "dawn/kb/cve_2013_0277" -require "dawn/kb/cve_2013_0284" -require "dawn/kb/cve_2013_0285" -require "dawn/kb/cve_2013_0333" -require "dawn/kb/cve_2013_0334" -require "dawn/kb/cve_2013_1607" -require "dawn/kb/cve_2013_1655" -require "dawn/kb/cve_2013_1656" -require "dawn/kb/cve_2013_1756" -require "dawn/kb/cve_2013_1800" -require "dawn/kb/cve_2013_1801" -require "dawn/kb/cve_2013_1802" -require "dawn/kb/cve_2013_1812" -require "dawn/kb/cve_2013_1821" -require "dawn/kb/cve_2013_1854" -require "dawn/kb/cve_2013_1855" -require "dawn/kb/cve_2013_1856" -require "dawn/kb/cve_2013_1857" -require "dawn/kb/cve_2013_1875" -require "dawn/kb/cve_2013_1898" -require "dawn/kb/cve_2013_1911" -require "dawn/kb/cve_2013_1933" -require "dawn/kb/cve_2013_1947" -require "dawn/kb/cve_2013_1948" -require "dawn/kb/cve_2013_2065" -require "dawn/kb/cve_2013_2090" -require "dawn/kb/cve_2013_2105" -require "dawn/kb/cve_2013_2119" -require "dawn/kb/cve_2013_2512" -require "dawn/kb/cve_2013_2513" -require "dawn/kb/cve_2013_2516" -require "dawn/kb/cve_2013_2615" -require "dawn/kb/cve_2013_2616" -require "dawn/kb/cve_2013_2617" -require "dawn/kb/cve_2013_3221" -require "dawn/kb/cve_2013_4164" -require "dawn/kb/cve_2013_4203" -require "dawn/kb/cve_2013_4389" -require "dawn/kb/cve_2013_4413" -require "dawn/kb/cve_2013_4457" -require "dawn/kb/cve_2013_4478" -require "dawn/kb/cve_2013_4479" -require "dawn/kb/cve_2013_4489" -require 
"dawn/kb/cve_2013_4491" -require "dawn/kb/cve_2013_4492" -require "dawn/kb/cve_2013_4562" -require "dawn/kb/cve_2013_4593" -require "dawn/kb/cve_2013_5647" -require "dawn/kb/cve_2013_5671" -require "dawn/kb/cve_2013_6414" -require "dawn/kb/cve_2013_6415" -require "dawn/kb/cve_2013_6416" -require "dawn/kb/cve_2013_6417" -require "dawn/kb/cve_2013_6421" -require "dawn/kb/cve_2013_6459" -require "dawn/kb/cve_2013_6460" -require "dawn/kb/cve_2013_6461" -require "dawn/kb/cve_2013_7086" - -# CVE - 2014 - -require "dawn/kb/cve_2014_0036" -require "dawn/kb/cve_2014_0080" -require "dawn/kb/cve_2014_0081" -require "dawn/kb/cve_2014_0082" -require "dawn/kb/cve_2014_0130" -require "dawn/kb/cve_2014_1233" -require "dawn/kb/cve_2014_1234" -require "dawn/kb/cve_2014_2322" -require "dawn/kb/cve_2014_2525" -require "dawn/kb/cve_2014_2538" -require "dawn/kb/cve_2014_3482" -require "dawn/kb/cve_2014_3483" -require "dawn/kb/cve_2014_3916" -require "dawn/kb/cve_2014_4975" -require "dawn/kb/cve_2014_7818" -require "dawn/kb/cve_2014_7819" -require "dawn/kb/cve_2014_7829" -require "dawn/kb/cve_2014_8090" -require "dawn/kb/cve_2014_9490" - -# CVE - 2015 - - -require "dawn/kb/cve_2015_1819" -# CVE-2015-1840 is spread in two classes because a single CVE is assigned to a -# vulnerability affecting two differents but related gems. 
-require "dawn/kb/cve_2015_1840/cve_2015_1840_a" -require "dawn/kb/cve_2015_1840/cve_2015_1840_b" -require "dawn/kb/cve_2015_2963" -require "dawn/kb/cve_2015_3224" -require "dawn/kb/cve_2015_3225" -require "dawn/kb/cve_2015_3226" -require "dawn/kb/cve_2015_3227" -require "dawn/kb/cve_2015_3448" -require "dawn/kb/cve_2015_4020" -require "dawn/kb/cve_2015_5312" -require "dawn/kb/cve_2015_7497" -require "dawn/kb/cve_2015_7498" -require "dawn/kb/cve_2015_7499" -require "dawn/kb/cve_2015_7500" -require "dawn/kb/cve_2015_7519" -require "dawn/kb/cve_2015_7541" -require "dawn/kb/cve_2015_7576" -require "dawn/kb/cve_2015_7577" -require "dawn/kb/cve_2015_7578" -require "dawn/kb/cve_2015_7579" -require "dawn/kb/cve_2015_7581" -require "dawn/kb/cve_2015_8241" -require "dawn/kb/cve_2015_8242" -require "dawn/kb/cve_2015_8317" - -# CVE - 2016 - -require "dawn/kb/cve_2016_0751" -require "dawn/kb/cve_2016_0752" -require "dawn/kb/cve_2016_0753" -require "dawn/kb/cve_2016_2097" -require "dawn/kb/cve_2016_2098" -require "dawn/kb/cve_2016_5697" -require "dawn/kb/cve_2016_6316" -require "dawn/kb/cve_2016_6317" -require "dawn/kb/cve_2016_6582" - -# OSVDB - -require "dawn/kb/osvdb_105971" -require "dawn/kb/osvdb_108569" -require "dawn/kb/osvdb_108570" -require "dawn/kb/osvdb_108530" -require "dawn/kb/osvdb_108563" -require "dawn/kb/osvdb_115654" -require "dawn/kb/osvdb_116010" -require "dawn/kb/osvdb_117903" -require "dawn/kb/osvdb_118579" -require "dawn/kb/osvdb_118830" -require "dawn/kb/osvdb_118954" -require "dawn/kb/osvdb_119878" -require "dawn/kb/osvdb_119927" -require "dawn/kb/osvdb_120415" -require "dawn/kb/osvdb_120857" -require "dawn/kb/osvdb_121701" -require "dawn/kb/osvdb_132234" - - - -module Dawn - # XXX: Check if it best using a singleton here - class KnowledgeBase - - include Dawn::Utils - - GEM_CHECK = :rubygem_check - DEPENDENCY_CHECK = :dependency_check - PATTERN_MATCH_CHECK = :pattern_match_check - RUBY_VERSION_CHECK = :ruby_version_check - OS_CHECK = :os_check - 
COMBO_CHECK = :combo_check - CUSTOM_CHECK = :custom_check - - def initialize(options={}) - @enabled_checks = Dawn::Kb::BasicCheck::ALLOWED_FAMILIES - @enabled_checks = options[:enabled_checks] unless options[:enabled_checks].nil? - - @security_checks = load_security_checks - end - - def self.find(checks=nil, name) - return nil if name.nil? or name.empty? - checks = Dawn::KnowledgeBase.new.load_security_checks if checks.nil? - - checks.each do |sc| - return sc if sc.name == name - end - nil - end - - def find(name) - Dawn::KnowledgeBase.find(@security_checks, name) - end - - def all - @security_checks - end - - # TODO - next big refactoring will include also a change in this API. - # - # So to match Semantic Version, it must bring to a major version bump. - # MVC name should be passed as constructor option, so the all_by_mvc can - # - # be called without parameter, having a nice-to-read code. - # @checks = Dawn::KnowledgeBase.new({:enabled_checks=>@enabled_checks}).all_by_mvc(@name) - def all_by_mvc(mvc) - ret = [] - @security_checks.each do |sc| - ret << sc if sc.applies_to?(mvc) - end - ret - end - - def all_sinatra_checks - self.all_by_mvc("sinatra") - end - - def all_rails_checks - self.all_by_mvc("rails") - end - - def all_padrino_checks - self.all_by_mvc("padrino") - end - - def all_rack_checks - self.all_by_mvc("rack") - end - - def load_security_checks - - # START @cve_security_checks array - @cve_security_checks = - [ - Dawn::Kb::CVE_2004_0755.new, - Dawn::Kb::CVE_2004_0983.new, - Dawn::Kb::CVE_2005_1992.new, - Dawn::Kb::CVE_2005_2337.new, - Dawn::Kb::CVE_2006_1931.new, - Dawn::Kb::CVE_2006_2582.new, - Dawn::Kb::CVE_2006_3694.new, - Dawn::Kb::CVE_2006_4112.new, - Dawn::Kb::CVE_2006_5467.new, - Dawn::Kb::CVE_2006_6303.new, - Dawn::Kb::CVE_2006_6852.new, - Dawn::Kb::CVE_2006_6979.new, - Dawn::Kb::CVE_2007_0469.new, - Dawn::Kb::CVE_2007_5162.new, - Dawn::Kb::CVE_2007_5379.new, - Dawn::Kb::CVE_2007_5380.new, - Dawn::Kb::CVE_2007_5770.new, - 
Dawn::Kb::CVE_2007_6077.new, - Dawn::Kb::CVE_2007_6612.new, - Dawn::Kb::CVE_2008_1145.new, - Dawn::Kb::CVE_2008_1891.new, - Dawn::Kb::CVE_2008_2376.new, - Dawn::Kb::CVE_2008_2662.new, - Dawn::Kb::CVE_2008_2663.new, - Dawn::Kb::CVE_2008_2664.new, - Dawn::Kb::CVE_2008_2725.new, - Dawn::Kb::CVE_2008_3655.new, - Dawn::Kb::CVE_2008_3657.new, - Dawn::Kb::CVE_2008_3790.new, - Dawn::Kb::CVE_2008_3905.new, - Dawn::Kb::CVE_2008_4094.new, - Dawn::Kb::CVE_2008_4310.new, - Dawn::Kb::CVE_2008_5189.new, - Dawn::Kb::CVE_2008_7248.new, - Dawn::Kb::CVE_2009_4078.new, - Dawn::Kb::CVE_2009_4124.new, - Dawn::Kb::CVE_2009_4214.new, - Dawn::Kb::CVE_2010_1330.new, - Dawn::Kb::CVE_2010_2489.new, - Dawn::Kb::CVE_2010_3933.new, - Dawn::Kb::CVE_2011_0188.new, - Dawn::Kb::CVE_2011_0446.new, - Dawn::Kb::CVE_2011_0447.new, - Dawn::Kb::CVE_2011_0739.new, - Dawn::Kb::CVE_2011_0995.new, - Dawn::Kb::CVE_2011_1004.new, - Dawn::Kb::CVE_2011_1005.new, - Dawn::Kb::CVE_2011_2197.new, - Dawn::Kb::CVE_2011_2686.new, - Dawn::Kb::CVE_2011_2705.new, - Dawn::Kb::CVE_2011_2929.new, - Dawn::Kb::CVE_2011_2930.new, - Dawn::Kb::CVE_2011_2931.new, - Dawn::Kb::CVE_2011_2932.new, - Dawn::Kb::CVE_2011_3009.new, - Dawn::Kb::CVE_2011_3186.new, - Dawn::Kb::CVE_2011_3187.new, - Dawn::Kb::CVE_2011_4319.new, - Dawn::Kb::CVE_2011_4815.new, - Dawn::Kb::CVE_2011_5036.new, - Dawn::Kb::CVE_2012_1098.new, - Dawn::Kb::CVE_2012_1099.new, - Dawn::Kb::CVE_2012_1241.new, - Dawn::Kb::CVE_2012_2139.new, - Dawn::Kb::CVE_2012_2140.new, - Dawn::Kb::CVE_2012_2660.new, - Dawn::Kb::CVE_2012_2661.new, - Dawn::Kb::CVE_2012_2671.new, - Dawn::Kb::CVE_2012_2694.new, - Dawn::Kb::CVE_2012_2695.new, - Dawn::Kb::CVE_2012_3424.new, - Dawn::Kb::CVE_2012_3463.new, - Dawn::Kb::CVE_2012_3464.new, - Dawn::Kb::CVE_2012_3465.new, - Dawn::Kb::CVE_2012_4464.new, - Dawn::Kb::CVE_2012_4466.new, - Dawn::Kb::CVE_2012_4481.new, - Dawn::Kb::CVE_2012_4522.new, - Dawn::Kb::CVE_2012_5370.new, - Dawn::Kb::CVE_2012_5371.new, - Dawn::Kb::CVE_2012_5380.new, - 
Dawn::Kb::CVE_2012_6109.new, - Dawn::Kb::CVE_2012_6134.new, - Dawn::Kb::CVE_2012_6496.new, - Dawn::Kb::CVE_2012_6497.new, - Dawn::Kb::CVE_2012_6684.new, - Dawn::Kb::CVE_2013_0155.new, - Dawn::Kb::CVE_2013_0156.new, - Dawn::Kb::CVE_2013_0162.new, - Dawn::Kb::CVE_2013_0175.new, - Dawn::Kb::CVE_2013_0183.new, - Dawn::Kb::CVE_2013_0184.new, - Dawn::Kb::CVE_2013_0233.new, - Dawn::Kb::CVE_2013_0256.new, - Dawn::Kb::CVE_2013_0262.new, - Dawn::Kb::CVE_2013_0263.new, - Dawn::Kb::CVE_2013_0269.new, - Dawn::Kb::CVE_2013_0276.new, - Dawn::Kb::CVE_2013_0277.new, - Dawn::Kb::CVE_2013_0284.new, - Dawn::Kb::CVE_2013_0285.new, - Dawn::Kb::CVE_2013_0333.new, - Dawn::Kb::CVE_2013_0334.new, - Dawn::Kb::CVE_2013_1607.new, - Dawn::Kb::CVE_2013_1655.new, - Dawn::Kb::CVE_2013_1656.new, - Dawn::Kb::CVE_2013_1756.new, - Dawn::Kb::CVE_2013_1800.new, - Dawn::Kb::CVE_2013_1801.new, - Dawn::Kb::CVE_2013_1802.new, - Dawn::Kb::CVE_2013_1812.new, - Dawn::Kb::CVE_2013_1821.new, - Dawn::Kb::CVE_2013_1854.new, - Dawn::Kb::CVE_2013_1855.new, - Dawn::Kb::CVE_2013_1856.new, - Dawn::Kb::CVE_2013_1857.new, - Dawn::Kb::CVE_2013_1875.new, - Dawn::Kb::CVE_2013_1898.new, - Dawn::Kb::CVE_2013_1911.new, - Dawn::Kb::CVE_2013_1933.new, - Dawn::Kb::CVE_2013_1947.new, - Dawn::Kb::CVE_2013_1948.new, - Dawn::Kb::CVE_2013_2065.new, - Dawn::Kb::CVE_2013_2090.new, - Dawn::Kb::CVE_2013_2105.new, - Dawn::Kb::CVE_2013_2119.new, - Dawn::Kb::CVE_2013_2512.new, - Dawn::Kb::CVE_2013_2513.new, - Dawn::Kb::CVE_2013_2516.new, - Dawn::Kb::CVE_2013_2615.new, - Dawn::Kb::CVE_2013_2616.new, - Dawn::Kb::CVE_2013_2617.new, - Dawn::Kb::CVE_2013_3221.new, - Dawn::Kb::CVE_2013_4164.new, - Dawn::Kb::CVE_2013_4203.new, - Dawn::Kb::CVE_2013_4389.new, - Dawn::Kb::CVE_2013_4413.new, - Dawn::Kb::CVE_2013_4457.new, - Dawn::Kb::CVE_2013_4478.new, - Dawn::Kb::CVE_2013_4479.new, - Dawn::Kb::CVE_2013_4489.new, - Dawn::Kb::CVE_2013_4491.new, - Dawn::Kb::CVE_2013_4492.new, - Dawn::Kb::CVE_2013_4562.new, - Dawn::Kb::CVE_2013_4593.new, - 
Dawn::Kb::CVE_2013_5647.new, - Dawn::Kb::CVE_2013_5671.new, - Dawn::Kb::CVE_2013_6414.new, - Dawn::Kb::CVE_2013_6415.new, - Dawn::Kb::CVE_2013_6416.new, - Dawn::Kb::CVE_2013_6417.new, - Dawn::Kb::CVE_2013_6421.new, - Dawn::Kb::CVE_2013_6459.new, - Dawn::Kb::CVE_2013_6460.new, - Dawn::Kb::CVE_2013_6461.new, - Dawn::Kb::CVE_2013_7086.new, - Dawn::Kb::CVE_2014_0036.new, - Dawn::Kb::CVE_2014_0080.new, - Dawn::Kb::CVE_2014_0081.new, - Dawn::Kb::CVE_2014_0082.new, - Dawn::Kb::CVE_2014_0130.new, - Dawn::Kb::CVE_2014_1233.new, - Dawn::Kb::CVE_2014_1234.new, - Dawn::Kb::CVE_2014_2322.new, - Dawn::Kb::CVE_2014_2525.new, - Dawn::Kb::CVE_2014_2538.new, - Dawn::Kb::CVE_2014_3482.new, - Dawn::Kb::CVE_2014_3483.new, - Dawn::Kb::CVE_2014_3916.new, - Dawn::Kb::CVE_2014_4975.new, - Dawn::Kb::CVE_2014_7818.new, - Dawn::Kb::CVE_2014_7819.new, - Dawn::Kb::CVE_2014_7829.new, - Dawn::Kb::CVE_2014_8090.new, - Dawn::Kb::CVE_2014_9490.new, - Dawn::Kb::CVE_2015_1819.new, - Dawn::Kb::CVE_2015_1840_a.new, - Dawn::Kb::CVE_2015_1840_b.new, - Dawn::Kb::CVE_2015_2963.new, - Dawn::Kb::CVE_2015_3224.new, - Dawn::Kb::CVE_2015_3225.new, - Dawn::Kb::CVE_2015_3226.new, - Dawn::Kb::CVE_2015_3227.new, - Dawn::Kb::CVE_2015_3448.new, - Dawn::Kb::CVE_2015_4020.new, - Dawn::Kb::CVE_2015_5312.new, - Dawn::Kb::CVE_2015_7497.new, - Dawn::Kb::CVE_2015_7498.new, - Dawn::Kb::CVE_2015_7499.new, - Dawn::Kb::CVE_2015_7500.new, - Dawn::Kb::CVE_2015_7519.new, - Dawn::Kb::CVE_2015_7541.new, - Dawn::Kb::CVE_2015_7576.new, - Dawn::Kb::CVE_2015_7577.new, - Dawn::Kb::CVE_2015_7578.new, - Dawn::Kb::CVE_2015_7579.new, - Dawn::Kb::CVE_2015_7581.new, - Dawn::Kb::CVE_2015_8241.new, - Dawn::Kb::CVE_2015_8242.new, - Dawn::Kb::CVE_2015_8317.new, - Dawn::Kb::CVE_2016_0751.new, - Dawn::Kb::CVE_2016_0752.new, - Dawn::Kb::CVE_2016_0753.new, - Dawn::Kb::CVE_2016_2097.new, - Dawn::Kb::CVE_2016_2098.new, - Dawn::Kb::CVE_2016_5697.new, - Dawn::Kb::CVE_2016_6316.new, - Dawn::Kb::CVE_2016_6317.new, - Dawn::Kb::CVE_2016_6582.new, - - - # OSVDB 
Checks are still here since are all about dependencies - Dawn::Kb::OSVDB_105971.new, - Dawn::Kb::OSVDB_108569.new, - Dawn::Kb::OSVDB_108570.new, - Dawn::Kb::OSVDB_108530.new, - Dawn::Kb::OSVDB_108563.new, - Dawn::Kb::OSVDB_115654.new, - Dawn::Kb::OSVDB_116010.new, - Dawn::Kb::OSVDB_117903.new, - Dawn::Kb::OSVDB_118579.new, - Dawn::Kb::OSVDB_118830.new, - Dawn::Kb::OSVDB_118954.new, - Dawn::Kb::OSVDB_119878.new, - Dawn::Kb::OSVDB_119927.new, - Dawn::Kb::OSVDB_120415.new, - Dawn::Kb::OSVDB_120857.new, - Dawn::Kb::OSVDB_121701.new, - Dawn::Kb::OSVDB_132234.new, - ] - # END @cve_security_checks array - # START @owasp_ror_cheatsheet_checks array - @owasp_ror_cheatsheet_checks = [ - Dawn::Kb::OwaspRorCheatSheet::CommandInjection.new, - Dawn::Kb::OwaspRorCheatSheet::Csrf.new, - Dawn::Kb::OwaspRorCheatSheet::SessionStoredInDatabase.new, - Dawn::Kb::OwaspRorCheatSheet::MassAssignmentInModel.new, - Dawn::Kb::OwaspRorCheatSheet::SecurityRelatedHeaders.new, - Dawn::Kb::OwaspRorCheatSheet::CheckForSafeRedirectAndForward.new, - Dawn::Kb::OwaspRorCheatSheet::SensitiveFiles.new, - ] - # END @owasp_ror_cheatsheet_checks array - @code_quality_checks = [ - Dawn::Kb::NotRevisedCode.new, - ] - @aux_checks = - [ - Dawn::Kb::SimpleForm_Xss_20131129.new, - ] - - ret = [] - ret += @aux_checks - ret += @cve_security_checks if @enabled_checks.include?(:bulletin) - ret += @owasp_ror_cheatsheet_checks if @enabled_checks.include?(:owasp_ror_cheatsheet) - ret += @code_quality_checks if @enabled_checks.include?(:code_quality) - - ret - end - - def self.dump(verbose=false) - puts "Security checks currently supported:" - i=0 - self.new.all.each do |check| - i+=1 - if verbose - puts "Name: #{check.name}\tCVSS: #{check.cvss_score}\tReleased: #{check.release_date}" - puts "Description\n#{check.message}" - puts "Remediation\n#{check.remediation}\n\n" - else - puts "#{check.name}" - end - end - puts "-----\nTotal: #{i}" - - end - end - -end 
diff --git a/doc/new_knowledge_base_v1.0.md b/doc/new_knowledge_base_v1.0.md
deleted file mode 100644
index 884bfc24..00000000
--- a/doc/new_knowledge_base_v1.0.md
+++ /dev/null
@@ -1,78 +0,0 @@ -# The Knowledge Base - -For future releases, the dawnscanner knowledge base must be improved. Now, each -new test is included in the whole binary gem, requiring the user to manually -upgrade his bundle to reflect the support of newest vulnerabilities. - -This has some major drawbacks: - -* people must manually check if a new dawnscanner gem is available -* upgrading a bundle, sometimes must not be possible due to dependencies -* new vulnerabilities will require KB to be upgraded very quickly. People must - upgrade daily, as their anti virus tool, but dawnscanner core should not be - forced to go at the same speed. -* upgrade must be automatic on tool startup, to avoid people being exposed to - vulnerabilities. - -For such a reason, security checks must be separated from the tool core. They -must be a set of independent archives, deployed on the Internet in a digitally -encrypted and signed format. - -They must have an information about dawnscanner API version it has been able to -consume it. In example, we can introduce a new option in DepedencyCheck in -dawnscanner version 1.10. Each check will contain a required version, so to be -excluded when old dawnscanner would try consuming those archives. - -## Format - -Now, security checks are standard ruby classes. This could have an impact in -terms of memory utilization. At the time, no benchmarks are available. -An option can be, translating check's initialize methods in YAML format, -letting the generic class DepdencyCheck, PatternMatchingCheck and friends, to -answer to the vuln? method (like today). - -This can have the benefit of having 4 classes, reading YAML files, instead of -having tons of superclasses instanciating those magic 4. The core rules, -understanding if a vulnerability is present, is already in the base API. It's -just a matter of translating initialiation in YAML file and creating a method -reading the YAML file populating internal data. 
- -Instead of YAML we can think also to sqlite db or JSON files. Latter option can -be a good idea since it's web and API friendly. - -## Archives - -Checks organization will be different upon the format to be chosen. In case of -YAML files, a standard directory hierachy is enough: - - vulnerabilities/ - kb.txt <-- where info about the archive, like version, it must be stored - third\_party\_gems/ - CVE\_2013\_2103.yaml - CVE\_2013\_2104.yaml - ruby_interpreter/ - CVE\_1023\_4302.yaml - misc/ - CVE\_9999\_1211.yaml - -In case of JSON, we can gather together vulnerabilities in files: - - vulnerabilities/ - third\_party\_gems_20151116_01.json - ruby\_interpreter_20151116_01.json - -SQL approach would be eventually, really close to JSON one, with tables instead -of files. - -## Info - -Using either CVE or OSVDB identifiers as vulnerability keys is a poor choice. -This lead of duplicated vulns in knowledge base and a lot of effort in checking -if a vuln is present. - -## Benchmark - -Those solutions must be benchmarked - - -_last update: Mon Nov 16 17:38:45 CET 2015_ diff --git a/docs/.placeholder b/docs/.placeholder deleted file mode 100644 index e69de29b..00000000 diff --git a/docs/CNAME b/docs/CNAME deleted file mode 100644 index 435912e7..00000000 --- a/docs/CNAME +++ /dev/null @@ -1 +0,0 @@ -www.dawnscanner.org \ No newline at end of file diff --git a/docs/_config.yml b/docs/_config.yml deleted file mode 100644 index c4192631..00000000 --- a/docs/_config.yml +++ /dev/null @@ -1 +0,0 @@ -theme: jekyll-theme-cayman \ No newline at end of file diff --git a/features/dawn_complains_about_an_incorrect_command_line.feature.disabled b/features/dawn_complains_about_an_incorrect_command_line.feature.disabled deleted file mode 100644 index 5364f7d1..00000000 --- a/features/dawn_complains_about_an_incorrect_command_line.feature.disabled +++ /dev/null 
@@ -1,21 +0,0 @@
-Feature: dawn complains on its command line when incomplete
- When executed dawn needs a target to analyse
-
- Scenario: dawn complains if you don't specify the target framework
- When I run `bundle exec dawn`
- Then the stderr should contain "missing target"
-
- Scenario: dawn complains if you don't specify the target
- When I run `bundle exec dawn -s`
- Then the stderr should contain "missing target"
-
- Scenario: dawn complains if the target doesn't exist
- Given the generic project "/tmp/this_is_foo" doesn't exist
- When I run `bundle exec dawn -s /tmp/this_is_foo`
- Then the stderr should contain "invalid directory (/tmp/this_is_foo)"
-
- Scenario: dawn complains if the target uses a different framework than the one specified
- Given the hello world rails project does exist
- When I run `bundle exec dawn -s /tmp/hello_world_3.2.13`
- Then the stderr should contain "nothing to do on /tmp/hello_world_3.2.13"
-
diff --git a/features/dawn_scan_a_secure_sinatra_app.feature.disabled b/features/dawn_scan_a_secure_sinatra_app.feature.disabled
deleted file mode 100644
index 74d92650..00000000
--- a/features/dawn_scan_a_secure_sinatra_app.feature.disabled
+++ /dev/null
@@ -1,31 +0,0 @@
-Feature: dawn reports no security issues
- When it scans a sinatra application that it is updated and it has no XSS
-
- Scenario: dawn detects the sinatra version
- Given a safe sinatra application exists
- When I run `bundle exec dawn /tmp/sinatra-safe`
- Then the stdout should contain "1.4.2"
-
- Scenario: dawn tells there are no vulnerabilities
- Given a safe sinatra application exists
- When I run `bundle exec dawn /tmp/sinatra-safe`
- Then the stdout should contain "no vulnerabilities found"
-
- # Test for --output json
- Scenario: dawn can give a brief json output as well
- Given a safe sinatra application exists
- When I run `bundle exec dawn -s /tmp/sinatra-safe --output json`
- Then the stdout should contain "{\"status\":"OK",\"target\":"/tmp/sinatra-safe",\"mvc\":"sinatra",\"mvc_version\":"1.4.2",\"vulnerabilities_count\":0,\"vulnerabilities\":[],\"mitigated_vuln_count\":0,\"mitigated_vuln\":[],\"reflected_xss\":[]}"
-
-
- # Tests for --count-only option
- Scenario: dawn can give just the number of issues found as output
- Given a safe sinatra application exists
- When I run `bundle exec dawn --count-only -s /tmp/sinatra-safe`
- Then the stdout should contain "0"
-
- Scenario: dawn can give just the number of issues found as output
- Given a safe sinatra application exists
- When I run `bundle exec dawn --count-only -s /tmp/sinatra-safe --output json`
- Then the stdout should contain "{\"status\":"OK",\"vulnerabilities_count\":0}"
-
diff --git a/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled b/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled
deleted file mode 100644
index 77b4aa56..00000000
--- a/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled
+++ /dev/null
@@ -1,36 +0,0 @@
-Feature: dawn reports security issues
- When it scans a sinatra application that it is not updated and it has XSS
-
- Scenario: dawn detects the sinatra version
- Given a vulnerable sinatra application exists
- When I run `bundle exec dawn /tmp/sinatra-vulnerable`
- Then the stdout should contain "1.2.6"
-
- Scenario: dawn tells there are no vulnerabilities
- Given a vulnerable sinatra application exists
- When I run `bundle exec dawn /tmp/sinatra-vulnerable`
- Then the stdout should contain "4 vulnerabilities found"
- And the stdout should contain "Not revised code failed"
- And the stdout should contain "CVE-2013-0269 failed"
- And the stdout should contain "CVE-2013-1800 failed"
- And the stdout should contain "1 reflected XSS found"
- And the stdout should contain "request parameter \"name\""
-
- # Test for --output json
- Scenario: dawn can give a brief json output as well
- Given a vulnerable sinatra application exists
- When I run `bundle exec dawn -s /tmp/sinatra-vulnerable --output json`
- Then the stdout should contain "{\"status\":"OK",\"target\":"/tmp/sinatra-vulnerable",\"mvc\":"sinatra",\"mvc_version\":"1.2.6",\"vulnerabilities_count\":4,\"vulnerabilities\":["Not revised code","CVE-2013-0269","CVE-2013-1800"],\"mitigated_vuln_count\":0,\"mitigated_vuln\":[],\"reflected_xss\":["request parameter \"name\""]}"
-
-
- # Tests for --count-only option
- Scenario: dawn can give just the number of issues found as output
- Given a vulnerable sinatra application exists
- When I run `bundle exec dawn --count-only -s /tmp/sinatra-vulnerable`
- Then the stdout should contain "4"
-
- Scenario: dawn can give just the number of issues found as output
- Given a vulnerable sinatra application exists
- When I run `bundle exec dawn --count-only -s /tmp/sinatra-vulnerable --output json`
- Then the stdout should contain "{\"status\":"OK",\"vulnerabilities_count\":4}"
-
diff --git a/features/step_definition/dawn_steps.rb b/features/step_definition/dawn_steps.rb
deleted file mode 100644
index 3aff263c..00000000
--- a/features/step_definition/dawn_steps.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-Given /^the generic project "(.*?)" doesn't exist$/ do |file|
- FileUtils.rm(file) if File.exist?(file)
-end
-
-Given /^the hello world rails project does exist$/ do
- system("rm -rf /tmp/hello_world_3.2.13")
- system("cp -a ./spec/support/hello_world_3.2.13 /tmp")
-end
-
-Given /^a safe sinatra application exists$/ do
- system("rm -rf /tmp/sinatra-safe")
- system("cp -a ./spec/support/sinatra-safe /tmp")
-end
-
-Given /^a vulnerable sinatra application exists$/ do
- system("rm -rf /tmp/sinatra-vulnerable")
- system("cp -a ./spec/support/sinatra-vulnerable /tmp")
-end
diff --git a/features/support/env.rb b/features/support/env.rb
deleted file mode 100644
index fb0a661b..00000000
--- a/features/support/env.rb
+++ /dev/null
@@ -1 +0,0 @@
-require 'aruba/cucumber'
diff --git a/support/bootstrap.js b/support/bootstrap.js
deleted file mode 100644
index f73fcb8e..00000000
--- a/support/bootstrap.js
+++ /dev/null
@@ -1,2027 +0,0 @@ -/* =================================================== - * bootstrap-transition.js v2.1.1 - * http://twitter.github.com/bootstrap/javascript.html#transitions - * =================================================== - * Copyright 2012 Twitter, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ========================================================== */ - - -!function ($) { - - $(function () { - - "use strict"; // jshint ;_; - - - /* CSS TRANSITION SUPPORT (http://www.modernizr.com/) - * ======================================================= */ - - $.support.transition = (function () { - - var transitionEnd = (function () { - - var el = document.createElement('bootstrap') - , transEndEventNames = { - 'WebkitTransition' : 'webkitTransitionEnd' - , 'MozTransition' : 'transitionend' - , 'OTransition' : 'oTransitionEnd otransitionend' - , 'transition' : 'transitionend' - } - , name - - for (name in transEndEventNames){ - if (el.style[name] !== undefined) { - return transEndEventNames[name] - } - } - - }()) - - return transitionEnd && { - end: transitionEnd - } - - })() - - }) - -}(window.jQuery);/* ========================================================== - * bootstrap-alert.js v2.1.1 - * http://twitter.github.com/bootstrap/javascript.html#alerts - * ========================================================== - * Copyright 2012 Twitter, Inc. 
- * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ========================================================== */ - - -!function ($) { - - "use strict"; // jshint ;_; - - - /* ALERT CLASS DEFINITION - * ====================== */ - - var dismiss = '[data-dismiss="alert"]' - , Alert = function (el) { - $(el).on('click', dismiss, this.close) - } - - Alert.prototype.close = function (e) { - var $this = $(this) - , selector = $this.attr('data-target') - , $parent - - if (!selector) { - selector = $this.attr('href') - selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') //strip for ie7 - } - - $parent = $(selector) - - e && e.preventDefault() - - $parent.length || ($parent = $this.hasClass('alert') ? $this : $this.parent()) - - $parent.trigger(e = $.Event('close')) - - if (e.isDefaultPrevented()) return - - $parent.removeClass('in') - - function removeElement() { - $parent - .trigger('closed') - .remove() - } - - $.support.transition && $parent.hasClass('fade') ? 
- $parent.on($.support.transition.end, removeElement) : - removeElement() - } - - - /* ALERT PLUGIN DEFINITION - * ======================= */ - - $.fn.alert = function (option) { - return this.each(function () { - var $this = $(this) - , data = $this.data('alert') - if (!data) $this.data('alert', (data = new Alert(this))) - if (typeof option == 'string') data[option].call($this) - }) - } - - $.fn.alert.Constructor = Alert - - - /* ALERT DATA-API - * ============== */ - - $(function () { - $('body').on('click.alert.data-api', dismiss, Alert.prototype.close) - }) - -}(window.jQuery);/* ============================================================ - * bootstrap-button.js v2.1.1 - * http://twitter.github.com/bootstrap/javascript.html#buttons - * ============================================================ - * Copyright 2012 Twitter, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============================================================ */ - - -!function ($) { - - "use strict"; // jshint ;_; - - - /* BUTTON PUBLIC CLASS DEFINITION - * ============================== */ - - var Button = function (element, options) { - this.$element = $(element) - this.options = $.extend({}, $.fn.button.defaults, options) - } - - Button.prototype.setState = function (state) { - var d = 'disabled' - , $el = this.$element - , data = $el.data() - , val = $el.is('input') ? 
'val' : 'html' - - state = state + 'Text' - data.resetText || $el.data('resetText', $el[val]()) - - $el[val](data[state] || this.options[state]) - - // push to event loop to allow forms to submit - setTimeout(function () { - state == 'loadingText' ? - $el.addClass(d).attr(d, d) : - $el.removeClass(d).removeAttr(d) - }, 0) - } - - Button.prototype.toggle = function () { - var $parent = this.$element.closest('[data-toggle="buttons-radio"]') - - $parent && $parent - .find('.active') - .removeClass('active') - - this.$element.toggleClass('active') - } - - - /* BUTTON PLUGIN DEFINITION - * ======================== */ - - $.fn.button = function (option) { - return this.each(function () { - var $this = $(this) - , data = $this.data('button') - , options = typeof option == 'object' && option - if (!data) $this.data('button', (data = new Button(this, options))) - if (option == 'toggle') data.toggle() - else if (option) data.setState(option) - }) - } - - $.fn.button.defaults = { - loadingText: 'loading...' - } - - $.fn.button.Constructor = Button - - - /* BUTTON DATA-API - * =============== */ - - $(function () { - $('body').on('click.button.data-api', '[data-toggle^=button]', function ( e ) { - var $btn = $(e.target) - if (!$btn.hasClass('btn')) $btn = $btn.closest('.btn') - $btn.button('toggle') - }) - }) - -}(window.jQuery);/* ========================================================== - * bootstrap-carousel.js v2.1.1 - * http://twitter.github.com/bootstrap/javascript.html#carousel - * ========================================================== - * Copyright 2012 Twitter, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. 
- * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ========================================================== */ - - -!function ($) { - - "use strict"; // jshint ;_; - - - /* CAROUSEL CLASS DEFINITION - * ========================= */ - - var Carousel = function (element, options) { - this.$element = $(element) - this.options = options - this.options.slide && this.slide(this.options.slide) - this.options.pause == 'hover' && this.$element - .on('mouseenter', $.proxy(this.pause, this)) - .on('mouseleave', $.proxy(this.cycle, this)) - } - - Carousel.prototype = { - - cycle: function (e) { - if (!e) this.paused = false - this.options.interval - && !this.paused - && (this.interval = setInterval($.proxy(this.next, this), this.options.interval)) - return this - } - - , to: function (pos) { - var $active = this.$element.find('.item.active') - , children = $active.parent().children() - , activePos = children.index($active) - , that = this - - if (pos > (children.length - 1) || pos < 0) return - - if (this.sliding) { - return this.$element.one('slid', function () { - that.to(pos) - }) - } - - if (activePos == pos) { - return this.pause().cycle() - } - - return this.slide(pos > activePos ? 
'next' : 'prev', $(children[pos])) - } - - , pause: function (e) { - if (!e) this.paused = true - if (this.$element.find('.next, .prev').length && $.support.transition.end) { - this.$element.trigger($.support.transition.end) - this.cycle() - } - clearInterval(this.interval) - this.interval = null - return this - } - - , next: function () { - if (this.sliding) return - return this.slide('next') - } - - , prev: function () { - if (this.sliding) return - return this.slide('prev') - } - - , slide: function (type, next) { - var $active = this.$element.find('.item.active') - , $next = next || $active[type]() - , isCycling = this.interval - , direction = type == 'next' ? 'left' : 'right' - , fallback = type == 'next' ? 'first' : 'last' - , that = this - , e = $.Event('slide', { - relatedTarget: $next[0] - }) - - this.sliding = true - - isCycling && this.pause() - - $next = $next.length ? $next : this.$element.find('.item')[fallback]() - - if ($next.hasClass('active')) return - - if ($.support.transition && this.$element.hasClass('slide')) { - this.$element.trigger(e) - if (e.isDefaultPrevented()) return - $next.addClass(type) - $next[0].offsetWidth // force reflow - $active.addClass(direction) - $next.addClass(direction) - this.$element.one($.support.transition.end, function () { - $next.removeClass([type, direction].join(' ')).addClass('active') - $active.removeClass(['active', direction].join(' ')) - that.sliding = false - setTimeout(function () { that.$element.trigger('slid') }, 0) - }) - } else { - this.$element.trigger(e) - if (e.isDefaultPrevented()) return - $active.removeClass('active') - $next.addClass('active') - this.sliding = false - this.$element.trigger('slid') - } - - isCycling && this.cycle() - - return this - } - - } - - - /* CAROUSEL PLUGIN DEFINITION - * ========================== */ - - $.fn.carousel = function (option) { - return this.each(function () { - var $this = $(this) - , data = $this.data('carousel') - , options = $.extend({}, 
$.fn.carousel.defaults, typeof option == 'object' && option) - , action = typeof option == 'string' ? option : options.slide - if (!data) $this.data('carousel', (data = new Carousel(this, options))) - if (typeof option == 'number') data.to(option) - else if (action) data[action]() - else if (options.interval) data.cycle() - }) - } - - $.fn.carousel.defaults = { - interval: 5000 - , pause: 'hover' - } - - $.fn.carousel.Constructor = Carousel - - - /* CAROUSEL DATA-API - * ================= */ - - $(function () { - $('body').on('click.carousel.data-api', '[data-slide]', function ( e ) { - var $this = $(this), href - , $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) //strip for ie7 - , options = !$target.data('modal') && $.extend({}, $target.data(), $this.data()) - $target.carousel(options) - e.preventDefault() - }) - }) - -}(window.jQuery);/* ============================================================= - * bootstrap-collapse.js v2.1.1 - * http://twitter.github.com/bootstrap/javascript.html#collapse - * ============================================================= - * Copyright 2012 Twitter, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. 
- * ============================================================ */ - - -!function ($) { - - "use strict"; // jshint ;_; - - - /* COLLAPSE PUBLIC CLASS DEFINITION - * ================================ */ - - var Collapse = function (element, options) { - this.$element = $(element) - this.options = $.extend({}, $.fn.collapse.defaults, options) - - if (this.options.parent) { - this.$parent = $(this.options.parent) - } - - this.options.toggle && this.toggle() - } - - Collapse.prototype = { - - constructor: Collapse - - , dimension: function () { - var hasWidth = this.$element.hasClass('width') - return hasWidth ? 'width' : 'height' - } - - , show: function () { - var dimension - , scroll - , actives - , hasData - - if (this.transitioning) return - - dimension = this.dimension() - scroll = $.camelCase(['scroll', dimension].join('-')) - actives = this.$parent && this.$parent.find('> .accordion-group > .in') - - if (actives && actives.length) { - hasData = actives.data('collapse') - if (hasData && hasData.transitioning) return - actives.collapse('hide') - hasData || actives.data('collapse', null) - } - - this.$element[dimension](0) - this.transition('addClass', $.Event('show'), 'shown') - $.support.transition && this.$element[dimension](this.$element[0][scroll]) - } - - , hide: function () { - var dimension - if (this.transitioning) return - dimension = this.dimension() - this.reset(this.$element[dimension]()) - this.transition('removeClass', $.Event('hide'), 'hidden') - this.$element[dimension](0) - } - - , reset: function (size) { - var dimension = this.dimension() - - this.$element - .removeClass('collapse') - [dimension](size || 'auto') - [0].offsetWidth - - this.$element[size !== null ? 
'addClass' : 'removeClass']('collapse') - - return this - } - - , transition: function (method, startEvent, completeEvent) { - var that = this - , complete = function () { - if (startEvent.type == 'show') that.reset() - that.transitioning = 0 - that.$element.trigger(completeEvent) - } - - this.$element.trigger(startEvent) - - if (startEvent.isDefaultPrevented()) return - - this.transitioning = 1 - - this.$element[method]('in') - - $.support.transition && this.$element.hasClass('collapse') ? - this.$element.one($.support.transition.end, complete) : - complete() - } - - , toggle: function () { - this[this.$element.hasClass('in') ? 'hide' : 'show']() - } - - } - - - /* COLLAPSIBLE PLUGIN DEFINITION - * ============================== */ - - $.fn.collapse = function (option) { - return this.each(function () { - var $this = $(this) - , data = $this.data('collapse') - , options = typeof option == 'object' && option - if (!data) $this.data('collapse', (data = new Collapse(this, options))) - if (typeof option == 'string') data[option]() - }) - } - - $.fn.collapse.defaults = { - toggle: true - } - - $.fn.collapse.Constructor = Collapse - - - /* COLLAPSIBLE DATA-API - * ==================== */ - - $(function () { - $('body').on('click.collapse.data-api', '[data-toggle=collapse]', function (e) { - var $this = $(this), href - , target = $this.attr('data-target') - || e.preventDefault() - || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') //strip for ie7 - , option = $(target).data('collapse') ? 'toggle' : $this.data() - $this[$(target).hasClass('in') ? 'addClass' : 'removeClass']('collapsed') - $(target).collapse(option) - }) - }) - -}(window.jQuery);/* ============================================================ - * bootstrap-dropdown.js v2.1.1 - * http://twitter.github.com/bootstrap/javascript.html#dropdowns - * ============================================================ - * Copyright 2012 Twitter, Inc. 
- * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============================================================ */ - - -!function ($) { - - "use strict"; // jshint ;_; - - - /* DROPDOWN CLASS DEFINITION - * ========================= */ - - var toggle = '[data-toggle=dropdown]' - , Dropdown = function (element) { - var $el = $(element).on('click.dropdown.data-api', this.toggle) - $('html').on('click.dropdown.data-api', function () { - $el.parent().removeClass('open') - }) - } - - Dropdown.prototype = { - - constructor: Dropdown - - , toggle: function (e) { - var $this = $(this) - , $parent - , isActive - - if ($this.is('.disabled, :disabled')) return - - $parent = getParent($this) - - isActive = $parent.hasClass('open') - - clearMenus() - - if (!isActive) { - $parent.toggleClass('open') - $this.focus() - } - - return false - } - - , keydown: function (e) { - var $this - , $items - , $active - , $parent - , isActive - , index - - if (!/(38|40|27)/.test(e.keyCode)) return - - $this = $(this) - - e.preventDefault() - e.stopPropagation() - - if ($this.is('.disabled, :disabled')) return - - $parent = getParent($this) - - isActive = $parent.hasClass('open') - - if (!isActive || (isActive && e.keyCode == 27)) return $this.click() - - $items = $('[role=menu] li:not(.divider) a', $parent) - - if (!$items.length) return - - index = $items.index($items.filter(':focus')) - - if (e.keyCode == 38 && index > 0) index-- // up - if (e.keyCode == 40 && index < $items.length 
- 1) index++ // down - if (!~index) index = 0 - - $items - .eq(index) - .focus() - } - - } - - function clearMenus() { - getParent($(toggle)) - .removeClass('open') - } - - function getParent($this) { - var selector = $this.attr('data-target') - , $parent - - if (!selector) { - selector = $this.attr('href') - selector = selector && /#/.test(selector) && selector.replace(/.*(?=#[^\s]*$)/, '') //strip for ie7 - } - - $parent = $(selector) - $parent.length || ($parent = $this.parent()) - - return $parent - } - - - /* DROPDOWN PLUGIN DEFINITION - * ========================== */ - - $.fn.dropdown = function (option) { - return this.each(function () { - var $this = $(this) - , data = $this.data('dropdown') - if (!data) $this.data('dropdown', (data = new Dropdown(this))) - if (typeof option == 'string') data[option].call($this) - }) - } - - $.fn.dropdown.Constructor = Dropdown - - - /* APPLY TO STANDARD DROPDOWN ELEMENTS - * =================================== */ - - $(function () { - $('html') - .on('click.dropdown.data-api touchstart.dropdown.data-api', clearMenus) - $('body') - .on('click.dropdown touchstart.dropdown.data-api', '.dropdown form', function (e) { e.stopPropagation() }) - .on('click.dropdown.data-api touchstart.dropdown.data-api' , toggle, Dropdown.prototype.toggle) - .on('keydown.dropdown.data-api touchstart.dropdown.data-api', toggle + ', [role=menu]' , Dropdown.prototype.keydown) - }) - -}(window.jQuery);/* ========================================================= - * bootstrap-modal.js v2.1.1 - * http://twitter.github.com/bootstrap/javascript.html#modals - * ========================================================= - * Copyright 2012 Twitter, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. 
- * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ========================================================= */ - - -!function ($) { - - "use strict"; // jshint ;_; - - - /* MODAL CLASS DEFINITION - * ====================== */ - - var Modal = function (element, options) { - this.options = options - this.$element = $(element) - .delegate('[data-dismiss="modal"]', 'click.dismiss.modal', $.proxy(this.hide, this)) - this.options.remote && this.$element.find('.modal-body').load(this.options.remote) - } - - Modal.prototype = { - - constructor: Modal - - , toggle: function () { - return this[!this.isShown ? 'show' : 'hide']() - } - - , show: function () { - var that = this - , e = $.Event('show') - - this.$element.trigger(e) - - if (this.isShown || e.isDefaultPrevented()) return - - $('body').addClass('modal-open') - - this.isShown = true - - this.escape() - - this.backdrop(function () { - var transition = $.support.transition && that.$element.hasClass('fade') - - if (!that.$element.parent().length) { - that.$element.appendTo(document.body) //don't move modals dom position - } - - that.$element - .show() - - if (transition) { - that.$element[0].offsetWidth // force reflow - } - - that.$element - .addClass('in') - .attr('aria-hidden', false) - .focus() - - that.enforceFocus() - - transition ? 
- that.$element.one($.support.transition.end, function () { that.$element.trigger('shown') }) : - that.$element.trigger('shown') - - }) - } - - , hide: function (e) { - e && e.preventDefault() - - var that = this - - e = $.Event('hide') - - this.$element.trigger(e) - - if (!this.isShown || e.isDefaultPrevented()) return - - this.isShown = false - - $('body').removeClass('modal-open') - - this.escape() - - $(document).off('focusin.modal') - - this.$element - .removeClass('in') - .attr('aria-hidden', true) - - $.support.transition && this.$element.hasClass('fade') ? - this.hideWithTransition() : - this.hideModal() - } - - , enforceFocus: function () { - var that = this - $(document).on('focusin.modal', function (e) { - if (that.$element[0] !== e.target && !that.$element.has(e.target).length) { - that.$element.focus() - } - }) - } - - , escape: function () { - var that = this - if (this.isShown && this.options.keyboard) { - this.$element.on('keyup.dismiss.modal', function ( e ) { - e.which == 27 && that.hide() - }) - } else if (!this.isShown) { - this.$element.off('keyup.dismiss.modal') - } - } - - , hideWithTransition: function () { - var that = this - , timeout = setTimeout(function () { - that.$element.off($.support.transition.end) - that.hideModal() - }, 500) - - this.$element.one($.support.transition.end, function () { - clearTimeout(timeout) - that.hideModal() - }) - } - - , hideModal: function (that) { - this.$element - .hide() - .trigger('hidden') - - this.backdrop() - } - - , removeBackdrop: function () { - this.$backdrop.remove() - this.$backdrop = null - } - - , backdrop: function (callback) { - var that = this - , animate = this.$element.hasClass('fade') ? 'fade' : '' - - if (this.isShown && this.options.backdrop) { - var doAnimate = $.support.transition && animate - - this.$backdrop = $('