element in SVG files. + * Obsolete, no longer used. + * SVG file uploads now always allow <title> elements. * - * MediaWiki will reject HTMLesque tags in uploaded files due to idiotic - * browsers which can not perform basic stuff like MIME detection and which are - * vulnerable to further idiots uploading crap files as images. - * - * When this directive is on, "<title>" will be allowed in files with an - * "image/svg+xml" MIME type. You should leave this disabled if your web server - * is misconfigured and doesn't send appropriate MIME types for SVG images. + * @deprecated 1.34 */ -$wgAllowTitlesInSVG = false; +$wgAllowTitlesInSVG = true; /** * Whether thumbnails should be generated in target language (usually, same as @@ -1390,6 +1385,16 @@ $wgAntivirusRequired = true; */ $wgVerifyMimeType = true; +/** + * Determines whether extra checks for IE type detection should be applied. + * This is a conservative check for exactly what IE 6 or so checked for, + * and shouldn't trigger on for instance JPEG files containing links in EXIF + * metadata. + * + * @since 1.34 + */ +$wgVerifyMimeTypeIE = true; + /** * Sets the MIME type definition file to use by includes/libs/mime/MimeAnalyzer.php. * Set to null, to use built-in defaults only. diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php index d905aa47d9..597c2777cf 100644 --- a/includes/upload/UploadBase.php +++ b/includes/upload/UploadBase.php @@ -404,7 +404,7 @@ abstract class UploadBase { * @return mixed True if the file is verified, an array otherwise */ protected function verifyMimeType( $mime ) { - global $wgVerifyMimeType; + global $wgVerifyMimeType, $wgVerifyMimeTypeIE; if ( $wgVerifyMimeType ) { wfDebug( "mime: <$mime> extension: <{$this->mFinalExtension}>\n" ); global $wgMimeTypeBlacklist; @@ -412,17 +412,19 @@ abstract class UploadBase { return [ 'filetype-badmime', $mime ]; } - # Check what Internet Explorer would detect - $fp = fopen( $this->mTempPath, 'rb' ); - $chunk = fread( $fp, 256 ); - fclose( $fp ); - - $magic = MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer(); - $extMime = $magic->guessTypesForExtension( $this->mFinalExtension ); - $ieTypes = $magic->getIEMimeTypes( $this->mTempPath, $chunk, $extMime ); - foreach ( $ieTypes as $ieType ) { - if ( $this->checkFileExtension( $ieType, $wgMimeTypeBlacklist ) ) { - return [ 'filetype-bad-ie-mime', $ieType ]; + if ( $wgVerifyMimeTypeIE ) { + # Check what Internet Explorer would detect + $fp = fopen( $this->mTempPath, 'rb' ); + $chunk = fread( $fp, 256 ); + fclose( $fp ); + + $magic = MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer(); + $extMime = $magic->guessTypesForExtension( $this->mFinalExtension ); + $ieTypes = $magic->getIEMimeTypes( $this->mTempPath, $chunk, $extMime ); + foreach ( $ieTypes as $ieType ) { + if ( $this->checkFileExtension( $ieType, $wgMimeTypeBlacklist ) ) { + return [ 'filetype-bad-ie-mime', $ieType ]; + } } } } @@ -1262,12 +1264,11 @@ abstract class UploadBase { * @return bool True if the file contains something looking like embedded scripts */ public static function detectScript( $file, $mime, $extension ) { - global $wgAllowTitlesInSVG; - # ugly hack: for text files, always look at the entire file. # For binary field, just check the first K. - if ( strpos( $mime, 'text/' ) === 0 ) { + $isText = strpos( $mime, 'text/' ) === 0; + if ( $isText ) { $chunk = file_get_contents( $file ); } else { $fp = fopen( $file, 'rb' ); @@ -1312,36 +1313,19 @@ abstract class UploadBase { } } - /** - * Internet Explorer for Windows performs some really stupid file type - * autodetection which can cause it to interpret valid image files as HTML - * and potentially execute JavaScript, creating a cross-site scripting - * attack vectors. - * - * Apple's Safari browser also performs some unsafe file type autodetection - * which can cause legitimate files to be interpreted as HTML if the - * web server is not correctly configured to send the right content-type - * (or if you're really uploading plain text and octet streams!) - * - * Returns true if IE is likely to mistake the given file for HTML. - * Also returns true if Safari would mistake the given file for HTML - * when served with a generic content-type. - */ + // Quick check for HTML heuristics in old IE and Safari. + // + // The exact heuristics IE uses are checked separately via verifyMimeType(), so we + // don't need them all here as it can cause many false positives. + // + // Check for `<script` and such still to forbid script tags and embedded HTML in SVG: $tags = [ - '<a href', '<body', '<head', '<html', # also in safari - '<img', - '<pre', '<script', # also in safari - '<table' ]; - if ( !$wgAllowTitlesInSVG && $extension !== 'svg' && $mime !== 'image/svg' ) { - $tags[] = '<title'; - } - foreach ( $tags as $tag ) { if ( strpos( $chunk, $tag ) !== false ) { wfDebug( __METHOD__ . ": found something that may make it be mistaken for html: $tag\n" ); diff --git a/tests/phpunit/data/upload/jpeg-a-href-in-metadata.jpg b/tests/phpunit/data/upload/jpeg-a-href-in-metadata.jpg new file mode 100644 index 0000000000000000000000000000000000000000..54387360277fbc237d6cbab9fc2032954361a890 GIT binary patch literal 7809 zcmeG=d0bOxwl@ie04^-X0tUT=6bdzv5CQ}UO9)F+$O3^P_BS>p0d5QlSr81bQ>kcy zLD{rJX&M2cq}a@qQQJ-(e{H8I`qWZmK(y9TXr)fIih%9-#^!xDEMo2ae$Ko<pI<^a z_uO;NclK{_j5)4Cp8RxPI)uSMP$u|5j%zr6S`|_ZLD|_*7z9BCXgOvjgayzR@Mp%X za>CvagmK4sI$<{elQ7;84!p;J4}|fDmN{Vv6O38A2!~^yo2LQNFmxxc7l5KMkxqCu zfHN`iPIx7NUwW<G2?qdJ`8oo*%*(6;{~?}Qp@(0PmX|AZ2Kc!w1!AaBm%tenYPpp9 zqC%%u=%_rk-T=^sP&i#<(8R$BQn*y7C}xvO4Tkc#h=|I{%5c3wQC=!lQ*|0esVZEq zASdR|Vc?w4KPXitL`V}MNWgnRD1cLiIU-?Bii9T=%wxDws3xe_P^;(ui;yaXs!VFo z=wL>8Y&f8Zq|sS%wCFfm3`~zgfhY#FI0-uK!zXk~I08;hg*h9kxhX&b4ag<E*0JD2 z?3Ft5LqFGr%)zc-LQpdVxdK`jS|o$sj9c(0_Ik6+B7DCEGe?8L;-FUSf=t}XR@Zr% zAcC!gC9vB(3<S5jFVe5+T$qbaqjh5DX@Cbhu?sPR?sVc7;m+=7=4n9Od$14bdvHr& zmqq#OdhqjjFmKO-ZYb}9ZYX|<ZawZx=$9{n=W>hyLAc<as0BaZ!T~!v(3sr^(E*`h z#L?(*BrOhnnKU$FkKrI_^C}2h+YWeo=Xp_nOe8HTiV@9(VrbzsY9tN(!ewP}aYSTz zEU2Xw$L4cQtq+&VHARYWnWikFN?IO452r;y2}xDuQrQ-T0WMOMAZj-G_R&wsFd}D@ zUu0&}vddEyrAVexr^q!5Br@X`8B0!1N`w=t;;PEZ%M=DFTveu0>*K1}WT)^r0Hf## zGVCNVY+;iNvPE#JMyG(8;Zfl<GT_$9i{o;*>GQnc>5+n{WQ1#UB@uKMixokOjEIb+ z0t%{ro7y0)qN?>l3lg{ry-bIc8xV~eMkPv%G!+Im8O-cdNiJKIT3(@3Ic3Ua5ek)} zOrbXDf%$Y)ODAo4DJV~Usiu69<q>Z!zIOU-feCov*U1;0ONJL2<5HzgMPJk*28E7I zex&-A(s88*MXF8#enAM(ETGaDR2p5fkQr23OdO4ds!$#`M~8C!D(M_iwnmN=Z(Af{ zQE5PAjAWq?ERm$qNi-T2oBYfEf%;o6ivx{JrI-(1ipnq#sSwnKaVn|0giWrZ$`!@Z z3YCGJxU@MYM4;hOA%MjR&2dL8kqJN<YP3c-FE&@9U7X-yKSW#AFNMufqQV|Z01x_# zBBesMpe09I@=zRkscz&Y^5(S!!O?+c4qCVYrotkP3NavCV5AJ@B2ty6gbb6j$G5+) zR;v(M>EqlSg-(U2AIE1Z5Va0)P&ub}sZ`Wl15%8x7mpK)K)@=>^m0VMr9!U<$^AG< zu})DYhd&>HOBBUGl~ORHtTYME2ZbP4=-@0xi9#(`09X&}Wu=u;ov~CZ)gb^2O8~t= zu|%XZB6I#ho%qmi-~k9&sIYnW{d<9b!c{R?Wr%;0g)z9q5WiSB=t6}uMo3ZgFAaK_ zVvpJYi~@crHRzw%o<}D9#me}vXI-4c>E0!s3e4+7f%b=ji+wZ^emb6d;Hd|mdf=%C zo_gS^2mb$g;NeLOY~I-9N^s7C9JjCp(Zbopc@~f5@UmUdYX}JQB?(gq;nqHzK>`O; zEQBRtMbL`H?FzbACSemH0(yv`F=%uW*7(@#DoD9>GyH`6wg2!IgM^J)s*M36Eh_sf zw+<w%AGGq(tvZU@@bB!-Q3m|nh8zW-`4@X|^qtpZ+inz_@_*iGlduVpM<gwh#-xE` z7mY^3CPDbQXA*W9w0x=iow0oujV<Ik)&IgPJ0`-U&sB|QsRxQQj!z*k0@MlJ!C}Y{ z)(eC4!Z-$@^&kzFVVuLs27bWJipw&*E5Xg(0}vbm_hT3w4(ozjwhT=h%q!^4i;LGX z??8GA-bXBTC2Lnl*0gjHf;a=85p&Mnp)iVcuerIedB)ez|JmS>=R(7xn9(t@thiKe zT6#t%kDn{a%YU(8W1$S3^-4++rQT4nwX$lPaYyaWU9Z>GH?+3x-S@`t+u!WyKG4(q zPM_u7{y!Z$eB^@<Kl<~>fBk&$_=%yDr~cb^-aayVVeI0iYvU8&e0zQJyBmL>x;s5H zd+*1e{&63*3tZ{UnFW65Ec=CBUcfG_iwn-h6}1b4twas?a#<Eg$9t!UU8Pzda%2r* zHK(O(;4`-%M$R2#k?x%P8cNi)XQxopoR&SAVXys1mMt3g(5|nbRB+3Q4lMZMuvic( z92hQm7j)oV@y_8oKM2m@h7OO#;Q&G~C?^iL417HZc*5elCk7l}gPXBcj!V#T90nv4 z&I?L{9`Hjxxgn-cbm(=0ut@FZu}lX<9SjM;XQvBdS>yZmAiFG_XubG{Vg5@k;@0F( zuUiSJ!$iNtnI5~mCL3z3nzf8gcjO4@Vusi4hI521J|?@oiJz~MaIfA`wtCjyvkWJk zuP1j?$MllG_p1GOHyO7I`L!K~u|Ag$6d7|`mC;NDIuSc*<qr8CXSI_ij&aUZkB|#? z9&On9mieQ;f#F!o3oqw&5iU+Lz0@;3CX+<is#DrLN7YI)QgGFt;rd78;q9`RKK|}K zZoTTs(F2sN2a}^(#L?;7`qumqYpG}VpIfot@#TZG%f^OAle>q^O6&M}FzIx0Alzt| zo2Fj)_{~;hUf_x%qg{pY-dV5g^xV(i-NfqLU)Z=`FpB`IE--!8z1c^1ZK!Lry&Fgn zlH407qe!!7X&+h(2%8%1l*zu;*ERgQf&NU6H(gw^`n}5%MbowX+92&`<6RVgy@@2* zP@UK5`Sz6&4^r-_8H-y$e=EgfRWGON)=#-#xvo3n!7RkQm!howfYleTZK!L>5A>a| zCTHGMrZas?tcA%mb9TB=%6~;G8o<@$w~*<##Pr*#G1j!BA&Ey2g5%tSq~Pw5poUiy zB;4)#&0`i2%9<vv_=nyQd^g1tI_Oz@Uht~F?>**Pk~y^J8LziYk`04~J|D3+<7}bl z&ZG8?xA|wZ;(>#i93OL7bdZZ}z*5i5OyvdiN009{N#r%>8{YR}_XnN7w694v+Fg8g zq$jXv&xnVoG50iSl4aS%R@x{Wp|Q4gS-f_<yO@}XpMLwu+GvCqJ9&(gIdhQXRX<F0 z`!sRpZuN|Xhd-PgM7pzrBS1FxGdg-|gQD?ioXwWA&-*mG*A9H2-x5?XRU_)C_HWvn zR)}-h9>j0RAa{oZgl^h1>-Wc-hNioA&PB@?uB*qZPK1#&CMC@T0qc1BP)JAqj}}vj zX{2t;dS#=@)^_1YI+}`;z1)J52EC_}VVaiIp75!uxzc{(HKRm6T?qScGD)(kbEnP9 z;2V<WU5rXg!Q?S^orQNWGdXjZ=n;+21dgIV2y5OoaF6LmHox*oT+N@J=Wbu=%JfRO zzOOzYESj<>Er;Vf*s=4J>-PfLPZDl(>_H!Yp5@f!AAp6yuxYe*cTwU#kEB=m`5|4F z-{~dIE56ufId!wNnDq{Q=r<z>#&P~ZRLHT6<MHGJlSf{aumAR-zaZ|s+sW0vfBs%{ zRGVKLtZfqyoa~j|5U=}7ULal&M%Et>ow1DFJBaZ+I&0bZ`ZWQ?E}v@Xsf{wp?eeSI z6pBQC-3oh}V~HN?68GLyNj3<lwE6Y^H^bOpe<w4C)=m#6&X%UG4Y}0y^`10#Q{m39 z8uKWDzV|C;EW&_y3nsp`w3~bKI`J}Fm#l?<>jFu_y+<s?w_+?`Fm~`ane18GlSIV( z#34zRAUl-lmH@KCx1-i%4n3obvj<xtdQgjK;Ip&rw*r(tP1ZtAlEeNWq9{(nogTuQ z1lj4lTbnQP)_-fUW$^1-nyg7o4<GwT7eU|A*s%&X+CDT23QjMM&uIg}p;XL(^o%xk z)J^dV4Da~t`Q&ZUu34hbx^m=9hOz!FA_9%Z-WGjOZTmg>zyz2~#ye%%v&v>3BD#T8 zE~x3KbwE|Q?RQg%UX#70wNW47m22Q>q2?v~hRSvEBNUuq8~y-gGT0<!dc>&o`OWRM zKUy|^1aIx5|B#(5SgE|3$#QvFl6Le<o~3?>e|USA$xfMSs9vXB6LJg`smZL24mOPi ztl<9b=l;V%j*$mpYBx(k%P>DD^S)jF&C3_=6(yZc@jD8N6e$3q?FU-fGknKQLS_A1 z)BT>KOuq!}r5z1YW;ezI^o-m?;zL^<(DxuFeV`-0-$(zh8q5e3d!6Z}DbxoX3-iA6 zcE8PYt3~*3Z}G|TF4-6wfr-At`j4miLcOSUMNabaa=mEaWZxSB@e<0Ud8C_D#PF}( zZ!;Bk%g{p8>GYR6sW;9hw29ir@_KNaU9?%0FNMCAHxFHU7xpySxgGflcJ5TiIRfZL z>s7h+0hk-2wzm8h>VC)Q12Q`-QUVH1>|@^YKg^(i9`XcUVBHXe;82uukl7^73aPa1 zH7mW9Hb`bxlB<q~SG(`tvm%G%Umj~|pZcs<CT6T0+3K-7)-u*8I%B+VSN)Az$gLaP zaXk65cGN5+dZ|n!gQ>m~|5TE-qo%W$B^g21LX4Y*H@>gQn!bsM5Tq<NQv1y-2=BIN z!1wCNSQbZ#PqdF`CP>n)1SH{lw~T+{KnRfsjk0cw+RUNf{Aek-I{JpE4b<q+HNNmA zyXxz|+lVI^?qKCf+&f+_2n*Ir>XRH79*`1`c*XX;;d|0@sIB4W;f#M22d8m|NayR> z%3yU&Uf^=-ar*Ai1icvaEgX+xPdmCpppHG8eCsO*bRoZa`_!rH-TKR-%XYbW7V&1* z1s^D$>HROgdDepj-0i!k`#{J?y_8Af+L+1w=3S=i-Rkx}`VhWr10x@FwQbn0#F=ru zIL2?>N>&Gc>Sx(B9dP4}_AE#E+kIO-8_R!t!~^K!YUNx!i19_2(g0*|>Nr=}Tj=@M zZI;tA>+>W@7NFv})d{Vfp{RSZE1gC0(?5;YHE#eJVH=px+_lu-%5Po|mPwGv>Bef? zp_NDcf<HN&lXN=JjUwTW@13>$F0YI3dv!{DXysv_#s;Yhl#8%8S)dCYG#6;aZ_GF# z_rt;TVXc@Bd5504vd=G}$V!k6+z<hVdu))2@gqH0hJ<UnTN)DFO)-brJn6SOcGgG5 zkldvScfxGX?pFWBz0PFl{E+BlzWg(>$iG|}6Gi_bEq#;C3fYvApMqD$-5pl2Si2J4 zLN0V@SuD$#Nt?eN0d<qpCZbQ^t=@r2R<6+}rEJ9SN7g~GfZcRuu4Sw&WqJ)~<@LBa GF8(i~e&_}O literal 0 HcmV?d00001 diff --git a/tests/phpunit/data/upload/png-embedded-breaks-ie5.png b/tests/phpunit/data/upload/png-embedded-breaks-ie5.png new file mode 100644 index 0000000000000000000000000000000000000000..0af03fc6083653e4dd77ad6f07ed7e6015574f18 GIT binary patch literal 10158 zcmd^l^-~=%6ChgL-5>5epg?hVcXxQWySux)Q=m9Jthl=sD^}dyy}<Rm@8pO36K-dc zO?EfQ?oP5Z$tGG^Q3?f-5D@|b0!2nzT=gF||4)I3{#Q%!gDfB*prZM$6{Hyc{{}&R zYkNz8tDCnSNPxo0(bd|`+R=d*U}Ea(Xy@(*;sdxjI`IP7*!ci<APYBM05=690O0Ck zCO~23=H|o;1lobzZC&k699Ya8?SZZ!Gj|tjH*cW4ng|=v!P*SO;^biYpCO*s=5AI3 z6l|=l6aXubwWXEY|LU07{cBMGfP#qpu4XRQPHq4<Z>N8{xPiRffHo!`CjX^U2qKz0 znz`G99NbteEX5q{99;kc09sEgYc~)r-~Z*A{=YmEJCKVT9fgjgy9>b7#nICh<N~lV zaRpdAm^r$*fXv+NyaAT(AXitAIl#>d^gq`JI9mK`Te|`*tnEN7015!(KO6o7|DDFn z(b3i#<O*<f_^;GIw}AjAE+F3jNCN(kqW=}6=R@QN{?`gYesgP&|LtvaYgZ>b6K`IC zgQEk8LU7=5$sPg%8bVoKT>=k>gaC(%5TA$~KuSr%Ney77p`fNCXJn!mVWN{}Wfo*( z)cD2<<OXtbv8b}MDRHpL3b2TNW!Lz|VaUgB%E4tW$}7ajYsky(Ajst;%r7s%rz^$J z%gbvm%<0a<Z!X27D9U3b%&#fL3linARuD9l6|@x*vlA2cloYWO6?KsiH<l4Kl@PO% z7Iu~swUQO~QIJ-UmDX31*4B`b(3Vz_m-dyHw^EXEm6vl?m9y27a??|lP*d?#Rddl& z@=;dxS68#wR&h~R2{X}9*3q;z)HKvri8Iu;GF3_hY3u0d`snBc8EJbP=(-zehni`I z8=C~17)Mzc1%pid?TtL0KnB*vaTXT7PI~#S<`$NwnRXVQP8N>#7JgP%$+p%Jj+T)g z7SUd=+HUUNt`21`&N*IA$$kzgUXHl|E`IK=NnWneKCWRQuI>R2c|jfye)d%%_Vuy; z0U`eRf&S%T0qL>c`Qd>{QGrpB0YBq?dXvKgQ-aeIBD0bslVZXfQlp|`Bg+$_3RA-> zv%}NUgIhA<y-NINGZKo@66!J%%L`NEa#C{(Q`0h%y0hcQi=wAXQVUCynk$lP^3&Uj zGb&4xhl(=lzvuT?7Zp_(R#xS=RTqFO3c73a`m6J&tMgXDWd%R;`&)~;>T8laz87_u zr*)JzHdi#Z{;2FKX$P10wUl=>mXG%5pG{Wg50($L*N*nqwYJv}3|9~I)eUwx*K}8& zj5HPWHZ^rNcMjKgbv4XS)Hn5k`-YlpJL(Tcz%3Kt+OEdU-j><E*74ESp1JOx$)3sS zo{^cpj;X%B-<^GPgXIey^YdL(!(BI%y$ehI4Wm70W4(Jz18vJaV+$kG^CJt3W20-s zqx1bw8~qo{!{@VOkH5w*SLc4O&u*+uzwP{5*;-gw`SpA{Gk>r!b~rb;zcjG4__DEh zw!V0O_WR{x@$-Ij`(*q6a`)tAckX6?`)2#~{$Ta)=>Fww<?Z(O>(%4??ZL<O_1o*- z`^)3s_Y3n_)Z~A08o^0g#}xts3F|)v5+WxL{~r;~O-4ZiZV3tx5tGCIgKz=@0stW+ zE~0L=sgQ-FKkwN)x|)%jS$04ze@JXf0kBbbSygVZ76`_-nw-b>l`Rz4V|M>7i&aem zw6e9?WW8I>!}rQaaVRp`RLKG9MCrwVY}Gs$&%rkCJwj`)hDVIgqKjL(vriwNW)?Iw zc!o2Z-9q17JuMDD_TS&0XdNE!^?P}E?yMX<94t(C4~GmI#^(yomh1J~*_|yfKlbx; zv93K+OFa+!KD52=j}v+B6H|}Z2hImd!)cWYy1k;$vk&+zTyAIH+oL<NTvM?;uaq{! z#2gJz+UH%dqP`l#b35NnOphm=eXG}}zij7W^YPq$O)tEXALuMSF0>5#>UlIn_j<KD z-Y%s?`VMz<>NxUsYHDi#&(Q3*z%MvhSgEPkd&gG5uCUoavYss%$mPJFF8(EO=6{ua z%PP!VFs+ua<TnW}+P#ksNgCchzpnD}`n+HM`IEn@Bg`b=`?xzid4x+o`w{V{FgG_l zY>$@qYNr2eygfTR`b_8(Ic^SNznJXTj#k~`?*gH~jz>Rcx)3s7KFOVKMgf6R&+Wb7 z?{njCL0SIb=lxYIs)OOJIK0^cfx$nYW)6>+Lvh1pL5+P59}q{yaJ)x<U&yw-5Bx4( z7RGu)3Ka`Ki(6a&5$k8379ZXI5age?^YFy>kWRA<R4Spv$}|LRbAA~Ri1l-Q68w<` z4L2))pC<smS_tLi8YcdG%E-N8Y6MyG^Z7m**z<gPuQSB!|GJ20l+Ww`$dt0++HL7} zIRotddplZcIfi~P-eeir8xWEGOfZZGJ{A=BF)?wtRkXiAsN@hM#vyIC9!&_XFhb&X zd5xu%N+1?;+28IDJ&{5UxLNJ*_I)Dde_q8i$`kbeVEPGeeOyeQ6@07z{2;^j{Jx(} z4a-z8C@&9TdVBevEi;tUDYSMI-^Bzp%E=@knLva8)BF@mX;hT@G*Bt^ND&*X1!smj z0$6V}8?`L-_kh99Uu$!;b$X8EoB6yMD>)pt#mQJk_kx%L7;O~(<ooLB*<7ikk&=<? z(Z$Wol`{j6{0Gv~9%{Yun}wsPyu2T>FzQHOr=G-dWbJy}l>(3j$eo-_*cmT(_c40X z>2y7*Rj<sQRP|!1#EKq~4V%R3iiPabE3=_{`%-a2dz*L!8gV&cQrsR1dh+k%a)^6L z93IT1ivY&pNknm%+=t|x-a=VxmTTkBJiKp{8EpiD?{D2%0jzyGLsL^ZcoxYOG{u)b zb&FhQ8lxXAK>7>u9(4vBSO4fZVKOpyQwWKn#6-AAYMM(NXH)T;n;Q(j0Nr?SO?gof zKns(AK=J9};Z<su68n+1{$lPg<$hgwI6=`=3H$lWj(%Ye6}^ck=1>nnNQgN{4gr}4 zD^LH=IB|fVsh>Q>%BDC*)OPIS2$DCyi~<V$I8Y!t4Sm?`Rkbl-v+x5Pglu{TL+{-h zrs`z@1@GGQHI=00C_Qv7&OXG+`HS!b5+Zx4b=bCXU`;6;mY^2}|NO!e%}8ug%(EAU z5`aZ{8CyN`P;S8^66si-3HPe^a4_)m23~g!3X>hJI51d*`TBLbAXmufs<PYVv1aXu z!e*CuF1JAr?er{gRxZB$4G!zK7q2sBxDx~G`~rr#Zx>y`?4G2|_xV4!x0ol5-|0wg z<AF2%7?E$rqiD(~vA^iZ1i*{bU)I!>l;FgnUnQNLFQO``d8XoVvLm`QP<s@kQ4vkd zti=VNWiS)*F^#nW{DcPZW6ksPSZ|mTP>}h%?eqO3so=xG&mN)9>)V6WaN0y%@=H3J zZI)}S=H#Z~vI&f)-F+59W^txu+|10$>d7KQn0o-BQq+u+T&nECLK3FRl%NVnK4$Vy z$E}{dQ7kOXfpC4^navRk>Vy!Zro9O$VO(5G=0>A1)2;wm5DvrH-mrq1g~UkfFEr8N z=rO%p8*d#ELs`1a88|7N3O)IhpCo`1ui~TwA|}j>^)`PazqBm8p`rFwU7h;oevIo+ zZXqO9<$JtBW>NW~)IwlHT^RoSZp>U`RqFchIZ><ymHh+Rmez6_MkWqyV(RcVVQC7) z2@h;<jP*>ME`OsCx)31t&5L;6g)AeZtu1jt{L?1m*QO}8w~pF8seCjavXz_rzcHx! zOg!h%ZJeE0P2Y>enYC>1ZXd%WD}oz#{j41>oe^N9qUPn8_R)Xz*a>Fh5R-4;w9DsR z@M&slG7>j9JS$ZA9O9OvACB+N%OR&I|6RK+dns$F`Z}JgRoiSp88Vx1RHkg(qN{UQ zAa5O@puqE*yLS>DEpsD-F)$>K5g9{!6ROQ*gd01JT4tsNF*xA?JA<OMrp4C|u?I47 z@W4pJCi6yVkfu*!JkS|$wB6Ec<6&SE%h4-Rwt5g=rChLCTJuAvOqU%>L6+fg(Lyei zEM<+xX3CH)W6u_^3cVoGWVF}v;^ls${_P=r5<jD$z|7J!ROE$?m#L|at@RHvYJdlG zm)lo;BxO_~RLg%6B3m?ZwUukFS7<KpXOd=?NAF=_6|+1!;32eQa~GV(K2)gEr{T0} zUUiv(P%Z~{y3LHE9^Kru4{yFs*(zxSr5B6=HL9w?gTHI^9l9k`GP1KZ%9nD=r)lgp zw$5ubV;N|Ta;UJWb>)YSZcelr`k|Ga222}KQ8gVQh9-WG3?oRbHGg}Ly|d)wm9#7d zuziX^z!=_J;Y1E<G6#-MFw?P7QdU<vk8yOH+bq~jA7a$%YO3WF(qL3b4>@D1Gw};z z5hC<&Zf?%a_0P<$oyLC?j-ez?9CW~@A?0y@l$|{$OEQK}G167j*Hg(YG}85{Bd}pR z-#EDHx)V{>m-WcD7(*_fOURz~_t&)#P$=M_#26kbp%#piF7xu?=B?3209iF5<4<PP z2K^2hW^WxCBIbeZ?9bm>mC90e5>=3pV1|dxQl*|vFnGJXZQC+zx0u}_&OXfWwwd7g zPNKt_2vJ7x8mFF;k%2nPF=mFEK2g4_sjauZvclZtb3{_4y}r)Fv)y2h?-D(lSjbR! z@p6DBkAg1CXalK=s8f}e395*w4fK3rSWjPPH(y<A?e7;!HBqi7J6m|PPUnRE<tP$b z7Vf+v!cSUwd}$8HZg+0Sbg64`u)Q5Lhye{{YOG(#i~4?z7o<&Rd{D-@#OVzl^!4z+ zom*>xKvWdcS^izlcKqOfiopzDSxH|@moA%vE>3~r!tJMm9JvEJ+BWW<8u1};!4uyk z1gtCxenv${2K!$xRumQtEUH74l~-0)mNb9wB0RJ*{9UjjVA3gQ_;xvAUumi9&P?cU zTQ3`5Q-Y01Erv-eSt~)cf7fpkOcl}{Dxh5RDXGoJ%fn;5VF1l#zxI>U;%f6^-4ptI ziA*Jotb(^fOIKA#2NUDhubdvU1*}P_d3x{hs5J)5RW_QU*+EL=gx0=jG*BUA$#jQ} z-3W?aHK7;mjA0F6T?<RcquuS3%RNL&qQ~H<i}gJ=9EBDVl4)a3Y9mIC_;}`cFtLu} zA!)<P;?y~NJ0fqaqJN`I^w1&MtkNgPyO(L0H2hcO9Q;JGsUb`R?I7dLM%boSokr8} z&`}$hn;pCTSc+E1VUDG~K*lATB-L_dH?iuf8m7zx9CMIN6BrRuc7N-*8P_%<re46% zhq&eOqU2)ziF!b?|Hz3OnVlzTHzJ`e*h!m@du@fgqfd4F@>1;3?#~!nLLXiFgaxQc zRzr;(Sg-2#jmxGP5rl&n-wXiO7s;0`9Q*pdy{<P;E0n#^0@@O;<o+;+jX=3m?7BYx z1!!CH^Ya5LiOB(62_C4Ak25Tn#)1L+@wwYT*6kmt?ykV+l5+h@4Gv8%uBzNcL>@bg zd8jNph8D?%<>h*k#V1aU%%W%)iub#FFSZ&<Hc>-#qp>Y%)O#n-Cu1M(l^}c~Up_r4 z+K^br)r}>0cL?3G=d8_yO`7nIb^@25<sBlB_F5b3HELsbLCP$d-#FZa%WTP?{dphS zyK3}df_Lx>o4-ZOV%>(_oC}k&FNDfdh2Tq_dDdK<6BCo<>+3`AbiDd&74|7WW?2*o zhlaz1maA?6GOPD%nRS_^>4EhupOR&2iTa)8%eL$5Z|X*5lasUQq8`+;m`~K#;dIZU zH1t8j<gZDM+w4-baJEFgzIbD%;?5rKH+Klvt6?V>XBtnHzDpCg;8U71(K6L>U~5}5 zojR-T{w-#@Vg=bETEfZOx_i}WiWw|Kvh;ikCKd%bou3JRp{%)6RvZL7*7u*>>pa?e zeB9pLKHTlRoe*QgBw*x)WlM~CNM=mlOj&ZNya0t*QG>D+tw7gek!nultjp|Il=qmb zzkbr(+B)-82%^Q@1!$=TV@FOWN#f#Yi<buZ#N<tR{CUC|Nc{R3gK%km+^U)!BGQ0V zjVkaLiFDDe65HUZCHh4h1K-SkWA?=2O;vh<WUZu3q_5QUGE5kwky6(tmeEJ9QRWos z=exlV_f9U(P+B}4!W{hi`rA9Zr+blrU#wNd;hY+D={DGy>2<w<#tm|%3oQfnZm*C1 zm8&}@{=U@|jCeKQ0nqp|$-CUe!c?Mzu}V}JjoeKAB(d%TgPHlIlW)}<0!-MRp36^c z{*=G^(|^cma&T7TOd#PA5&~!pphJK8)^9lU`Xdx9k9>i9TVKK>?{qN<oRyZ5O`(b! zM(7-TxnU#bjTF1>GZTTuJrfa@ZD6T3Fi2|e6i#S2_1PH|EsadN=YTBJS#>%Q6_eA_ z3e4>3HmLY@!eU_a)BmllxcKAov7AB2!CE1}K~qwaP?@6D;h>2pSeznK`nJM{5350) z!Y_a}Dx#AyjRKJmJ2sI|atltNtD}5ZU&2+&(Xm>w+De7Pqm8oD?ZmXYs(44#fAYG% z&9SYmjqBSHD4!dS(a%9sS5-C-V5-KND^1aqMO6X^nK+y>7HkggL<&NOaalQNF?oG3 z^QjdrgTd*Bm^*WeiHH~(@!(cp-duA+aN~4C!H;jNZ)t6<nm|g(7k~rhq$j5U_Swk2 zD|-UO5&5{Y`i+yah<(tvw|C+?Vmf1C_jW?&9#NkjPSmHnyH7WhlN*x*4CLg*#6s(g zw&s6rt|5vNvUsBW{gU*kxfBjg`BQH@v47A`up9Pl91+MGdU`UxT_h-TOZ)QmnV$wj z?g79{snq_HyWT?tU*5L!a$e#%dBX5V7KQ-pKFTdpOkGCs2d)I)_9@V)$LFlgx=E$J z^LrKV3(u62H_MP9d(0$Naw9h)Giwqu8+kGU6+3N+2sOr^4Ftt)7EipRCxd*g&JHtO z_ZTF+wCQdEobI9_?jOq{y*A3t&G&6jPftX=db)&Xz%8F^V~=N5*G}2|hnMA}s!3N@ zYWn0ICI(cO80m*c8slhnBSc7>La{IK*>S{&h{;CXYbge`y7ruIZx$<qMa5`@ugse^ z)*@-a{WsQweSH_z<tHyYJLR#{HcO3hDW@q=@P99zxN^e>cPrH~nUbke@ZxvnKwttG zAX-T#U-0qeK}^W*F0$ZY-ygLqUn$>*)6Jb^5xRuO3`vDj(dEs}B_XG)wylck(9pKg zX*soJ7EXOT4N^W$Ljx$8JZv0N%%R(ny+(CO*4Rt3V=Q#(l7&k35VT|&8jNUjAQ|v! z`Q;!c*onbcQf2DFf7!vP+pV*@skY|>>bu6<MfJ#5Mn*<?y&>leP$5^B5Ziyk@1#92 z5Jd|;WvmthDzK)l=^F~KIUrh;LbdYa(mbW`GqNAjkV-ieSwvsUtb>qHT|t?gq;!yS zFe13xAYaJCphw?mOTdYM{Y=#NEnF^C@@{^CTCG>JzK(^i^5tonmfeMVU~D^y(~EdB zd>aW59fkoWJZKb4dYcX^xoa)`9F}_TQdXQNV$Mo~0dz&DpO<hP{|=o~Odem}*xA|X zdTirAH<M4qRkM2iGF(|Unpk1N#gKMDy+tSIa(9<HFxbw-Kzh_Zu({?F-`$o8#O=V# zKvaQ>Y0D&I?eg;juo%u<W?kaK#=RsYY+{toS>cB$C~j>Dx!D>UA3qU&>v=PO_a(df zG(KA%T#!T0HPJ`~>sGSNLPW8$!vh{$Gios&M{yDow24uVV#A$k9`7jHLwoh1HA4yU zpvooYlr`qUh`HGLxmY=V{JUq0YNBj(xS#C|ZUw$x7Lxfle{^$py2q+5*TvHT3*HV* zf%-zySObFuRC%G(MEK7>X4wyjN?iiVe*}I6unO}>S;akj!*=zq4UVtEE>x<}<@|e8 zeFfZ`Nv1mE7wqk6jgAKTUT^O}_x-)UXfyh_+cO(fQ(KOB)9vN)Y-}ek-|Jo3k<a5~ zD#xG7#jj3(oT-BmcfKj|>3mD3$My_LiY7Hrg2Jg+;ZUE<%@H13Sy@?ZY1~P^5m9D$ z@VS0|8dWM3^#A*O6M9mJsD!$en?p!st&zc@btHRNcC#b?i8Bcig#S1*L;7o9fY^CP zor(DBNJQL6v;Ohs)@O^vXW7_DOa`G@3O<J5JAQnqRy{#P$CnXuU$T#vqlKeD0sk%z zdsao}nM4C3Qq2IAb%u^cyxrI~-7iG>Ew!Pg`FA!_QQRD+v>`&l$i5_iO*CY9z^m7b zHsFFm<6(I7uwb*Ft;rdY?)7mJ8XB5r;XX7{>C?wvDKo=Rxc|>WwO;SX>(I?mGe<J8 z-((mu>ln2l!Kt;0q(;OGjfskl6uBdF)&`td$afuesT_xbr~a#>PqO*Y*Em!QB|k|| zY++$RE)nwjbm^|wP(&f5!1tZk{UjR8DfkxHBLsQ24c`exRaYvoIgW7zpXsdaD+Lw2 zEe`N{dl5!W-N}V5v90|$BmzYeLODjb_j_GwEeJpL_5DPky91){A5?1vcKh7y9yCep z6=??Sdikgh^wc7Qmu<A*VX9EM*EdPUy|!hjFfpO}Js(03cb|F^+Y0$saTZpuuTEV7 zWsY`J{1!P}37?N|ziKao9R{Br@033OV!@9U2pRdXeI9Q%RH^5*qSbxD*Jk)V2Q3FM z7PxMJ+;J*E)#eWuEmtXS62_DKqK26vSNH_|hs~g>{PdKtrK8OeX27Atp3nzE!^`aW zw9he->?6AC;oHH@ZoL^VsGWm31&3H9#Kd-0QQ9l-D-3ZYb;=J`x@hr0$B=K)!W6I} zFR))&qo_RD@9U6m*?+nP$p~?kljX7JL_|3JdG2ZI^z}R0xfA+CyEP54wvmNo^wjl( z4?W)5w?bRCV^u_liKX^=gZ;uDh0H#lxsN3rQXumsN(m4tU+xo>QWsHW!&AdVNlB^p z+GtCYYVG&;cP-II+X&f*5Ovb%;Ys5mruI2zNVFH9G(GVq5;nKU_Ki0Gc;Xb`Yb7$n z(mF5*A!oaT8ol-UshBDnU%|}4tc6(R^;J0^IXeywc@O%V!(Z+X^pFrby4P7FrtE1S zcbx#;lq8XehiQyf+o+DnCQ4MxtJtzvtZaF%e7OprRA?UJtTB;&<DY`J!K<Pp$Sv*~ zn(5?-=aLQ6D1;Fa$nW|28=0Mf{?FGtM)geLx2J6K*wS@XHO*ntUp7}~W@hF{83t!o zSCKj>(r3)sD_QYZMdT&7CI78yX$<ib{kM<SRBdaAtd53zDk6Y#gl(^3=l8F^gUgPR zh*uwR?^j(U_3>tFaUDtptXl#Y;T0Z{>H*PWUzKbo4|F_2A)Mx*{u?4Ap>GaUa6z-u zS*>JeGuRp$8rDm?-2oFE+*Ta;qmG_<0fFG2kKb2lfq}1!m``Q@A}m`szmOQk;Y%nw zkreB7W-e{Is3qK2I*va%oVHfjNkc1R(W_R$N#7j8l9Vg6W?HYRVuGNM{0a>ngXo1= zxmka`?|E(wy7@sg21c2FF8}Qwu1pq$N9Y)iYx7lb4nZPgco3tRo<@m`R0%2bR{h2L z1rg4A6+cQfL0UqVMGF^4a{>o33PJx08LG6p`mXc!s^|0Ocm2Oz{(j;b#9vVO?F{EY zHJY1!Xp7W<U@f?fzpFdjF3_m0<&4gjuAs-3uBQk2OC%h{uZ~D2bWIS&;qSIB92{I6 zoP0=TfW&$|BwNHKS>RvP)p$5LCCFQ-zbzaB<;<Bh(cvN=UcN-XcEg@%RCJ1)-M6U- z!zCecu#F^HbEn^gV7!=;q^V7KJI@f2Fv?^R&}+-9hmARqt&G%qK0i)F%SMw%14WG3 zi1ZF#WDuYr=TJv#^HZC?77z@T{SrIj$f*ZT+viu%h7W&-gN40$;U}Hl1)`>oUEdA3 zEidC75>F?OSE(~_!VI%o5prbTGdIZoh4<K_E$R|A@$T_b+S1L(p4n3&r+9o!Ff{yN z;>{N|8ht2xd0pt^k7i=YoD_RXc*bQ5Cgw_uK`SS9!#><MhnASDAmUKWjWaW&2`#Q} zYPuLL4EXy|0f&}xSV%d>!QI4^K#lITCMJFk4<qy?^<WY+2=$v%O+^K5ykvz_yNHPN z7iDGAuUWseyU_QK=koHp{;-d+!guN*C9y4_+x6RTgRdO__^>(#GZD1tx{q)fA^O95 zA=OoMLE+0AY0_mLeu2oNwcBh~_JQYve?i<RL`FqD6c&YJAA_Ku__#eTP8~&^G*@Qu z_c>;6n9d%7d*c*-`M9kmD);7S&v0XA(5cC-U6<8kB+B|}NcE)|gC(|Q24!ktAyahc zOE^q;5t1n@B+!d8a+>A~dscAPL`lhco>=7Ll~5dUc_hlefN9J{ID(SX+B$RjI;rIt zr<W$5Xth*XT~qVRe--4R2!okEQx+c9pv?hOtn8=L&jg9seo(-RUlqV*GmR`Srh>tW zN+PQ`Gc}WHYhuYpG=0sAx=CnL{npd7b6dL==znut--{dR4sMy;@_C#7wiRZN8k0ma zWY!d#?PbKE&!tS~hRerIm4`Qg1z;BW>lA>VI}LBnJ}!<dPGWw(RhXCO!>&{(3GHHo z_=vj@)I+9uHHoqzhIW`)AQ))!+qQJe|Lvj;BE)-eW~OlbC_EIsBew!*&m8|q&PT-` zMKptUgy3}zzY7QJd?La`({UFcEX$7&m(S-(V|kd~8xhwZ!&%nLWfe5HBw!w7^7;4X zuYlRXS{svS5_TY}9y$@>#KF9kt-y($1Kl?|etvz3LL&eKB0FU6AO!s{9oAJITC@wH z=D?%6{PD_cSeJH9Thi>D9CpQQlo64ii|okpL{}TWjm_LbOV4wijyhpoFNd<Kthsn3 z9q~k%vPgPTX5{c;(10Rw^!P;>XR#t@Fag<XGOLu5=%UEzOoPFCidxf*Rg2Hv%3|{> zKc_vbRm&RJakg2LT<jBW=G3R(lf8H_&U$b^E`m3|12>}^$v3;N_IDQC0_>{jESQL4 z{9YwSE@H>5P=IK*2Ofz?#R2MpI%d7rb9q7iFWs;ki(J4Q$a&bz)trF6MY1A$lexba zQjXoBT@S7H=-kx29Q+(<!-(rsup~QO*Vj=OA=lS*#mZD*Y{W%DB2lR2&8!lNs5e@^ zwy<z}gms);9ra4Ktn$Fz$n9K(i2jd^$Bc|e+vSMSk=K#e=1-UjJ;&}A297K|92^on zQbODg7ACh`VRZVaxEMq@dX<46(jPS6G3gOZnjkQPL^#2BsY<POE8qaJmAXYH9gxuX z>w5}SXvS(y6>6=PQ)4sL-)XoN7ca*bp3C#1)-_{4!hZaa?ze#CA1E1=NQS_ODfL#F zgK|!zqksy5dVwvrRLwF+mNkwVi+DH_+H5d!wUc$w5n5BmFk3SxT|9BqK+(_ufm~|& z&9vyI?b~ZZj}Y5der$9O?;fvMeFyN$;uFy0#$ts<VUr9eu9ITWZ%Z|ViWV`d(SKx# z{us=E^K@8k_~=HFp4j=iMy?%;4qCHgCwl9|*07woy>&TYXtA5s{ie5`P8Jq6A~AfS zm?SPmD^5Km5rc&}ga8i(#O#X|HK7ush#|uu9zunLM~&riTf|IBT<(3^e0{JTG)+9v zXhF#~l4DcaAX=~?s-94^0Fg{G{5VM+7F~6Qopas|+y6-wEslwY2Uiihw|&n&1m!-b zvORi{oCHs<Ty4jd9}~$dviXWn0iLiQ>}W6;r=4wXA&@UJnX-Z;cw4WY**_R}QM5SB zw7gvF;^AeXW?`{bI=zfb3w&p!hn0tNjB2Ak-z34qqgGt$F~CNMj)+PAcO0-8Xy9(~ zz<6m)fsRYB%*BnX>^#_`=rH@7gT_|DMMb`6k!oMT?ER{$9u?+&Pg8Mmi&KB%kY&Df zOh)WSmG17Al<t)%Yr+?uHT?XrTZv$cL=CQQwbS|BWC*H3S?@Y?;^Llya2Ao_Li6Td zT+&$9rk<Rf2vTcG0+kc<Wu#~4WGCmQ=jNuTlgr43YtSRMGcqtJBBQgClf4RNN)+$? z$QpPjqa4E>(r&R4)3&pl*pYS8CgSjgo(LizRHkLhPPYU%p$&2e5s!u7>3B=0)gW&y z%}&cJBnNGonyHzINa<tCg6T})fq9c<gZ$S+!~!<aZ=>6_2N1!(LI)Yn2>Cb-2vLfP zyj$FVFKcKFI8Dw>q|h5<q>Y>F=&WXsvNuiagS^2t$k$q;s`@reP9<&jp?!UL!bRE6 zbLXS`!~#BUM>9&w9?V8PHWwZ4ov2sit7?no*6JLsE!G@4Tnd)?<=`J+@HH|qOC}>B zIhy$aZBqit<P3A><Rm!xb6!<-*W)5uF<vr)okb+5s$d%F0P`g4T#U!cie#ld;Qdtz z)$dkD`?grX7j?|o7*~U9z-iIVV`<6y6g;brtBLb3lfr<l3!6n8R8(BlRU?~`{V(a9 zeCsWHT6e6z-)xn(LU#`(k_5p^MFPF|PK8`oDuw2!la+6Kobeq30<!2oe*se84}wd< zrEo6b)KpNo1b9NSq2slqqa^REgnM|-1cO9rd9j3ErB!v9bw2GRV?DzpBZQ-fHhW5{ z=Ww)|FamsX6c$A|s}9%T@onV!#JFINn!5JqMw`1tI2ee;_-}t=ldiP8qMge~H1y)) z;Bsl=l1vAqpp$bFDnnh%>LgR2AAsm!Rn@+#rLe1-s$o*4Ebbqt{S2cT;}F4ibhV<} zz-uDQnHbL-=-@JsXjO~?62EO^Mn2MBt@V-#ikc{@fXJB?czD9o4IbiiBvBAGiImN$ z!ChSpIym1+oaU8vMyM|oWg#QDC72Y0)nj8&H@XtSgXi?L>rWh@N5xpI9hUlo!zH#_ z5Bl)e2|8_Ocitmo%z1d=gta_O%*?u5kyN3mVT30bLEfNS27(ETA8Bbn)yF{Q^rl{- zxI+lW!oH%2p%KOZvhR*(uWv2rCyu@Ex5sm`3VJ)i%z6W@7yJ-rFUm8)0(@wemX=5A zzsFCBi2C((V^jFY5*c{H4xJ=phE>h>iXJ^n$3`VeaR7O8HxJDpMj_N_bmR%BcK^O| OK*&fair0x6hx`w)ZVD3s literal 0 HcmV?d00001 diff --git a/tests/phpunit/data/upload/png-plain.png b/tests/phpunit/data/upload/png-plain.png new file mode 100644 index 0000000000000000000000000000000000000000..83e9130172984613f17af580dc899d13fe9c7608 GIT binary patch literal 9497 zcmV+!CFa_RP)<h;3K|Lk000e1NJLTq003kF003kN0{{R3M?7U_00093P)t-s7Zn{D z6(kxM8zCSbBONs*ATTB(B`6^)EGa=OC`d3ZJ~1m*H!v?aFEutUQZg}5G%-p&E<!Uh zRW~$VJ2GN4He^CNKRY^JIyi1VHgG^ZOg%eVM?5+@I%z;PbvZm_M>$SHIbT3LRzEsr zLOE$oK3+;bYe7S7LqK;%L2N=oaz#X7NkU>pLug1qaZ5sIN<ex|NKHyeTu(??RY^ry zNKs5kdrVAdPf2r3OL0<5Ygb2fTT(?+QFl^Pa#v4!P*QzVQ*BsLa#T@-VO3CBR%>2X zUR+U(URY>iPmg6-Sy@_oSy_NzSb1GqbzfM6V^)P=VS!;_h-P1bWnq17Uw3e2U1?y9 zW@dYETb*-cW@loTY-V?GW^Zj~d}wHqYiWjWXNPuXiFk8Zbai=iZl!W@ns{)Ld~T9> zZ<~H{e06h>cyoz*bA*C(b$)J~fOc+tZK{H8uZw+tf_<HTeWrwdm5X_ug@2HUe~5>E zxQ%+hk%fPfft8Mjn30E&iiNO~h=_}arjCf8lZ2_6g_M<nwU&)|qJ7Vnj-Zr|u9lCc zpOcK5lbfHDl$MaanT^SyiOr&upQDhpr;)6kmA9dmsiKj@pq8(sox!W1psSy$s-3s1 zp0cN&y{(+VtDViOoY}Iap17UCwxGPPtdY8;puMJ)x}&kQr?IxEsl1}OvZlbbrn<4F z$HATJ%c-5iro_3e$G@(&xv#>-tHQvp!@abuy{YNOv!1`Rv%9pr#jm`)u+qw}v%s>z z#I&utujR(FwaT)sys_TDwa>t|$;Y<7(Y?OQzRS(N#?HXH%)r3byTH-IrqjC8(!9*Y zyz$Gw)78PS$G+>xzvI=yx7WVN)5gux#?#cu$J)im(!uxL!R^<@?9a&d(8=!E(bn6~ z-P+Cj;n3LM)6>|{`0CEm<<rRK(b449!qwFI-PG&b)b#7t`R&yI^xoj<;Pmd|>G|T( z@#Ns~;QI9C+4JZ0`RmyG^49wA_WknZ{_ybo`s4li_Wb?rWQz`w00009a7bBm000XU z000XU0RWnu7ytkO2XskIMF-Ua7YY(IZT=d{001BWNkl<ZXx>ej3tZB7zsK2@o0p~K zB~0cVVj>`FRC3u+uxUMk7--AV6njdaL|ZL&)=Cqr9WQ8WYThvO*_;@7mXdCuVct=i zWm$+@ie+n4chu~%YIVLp+H+p#EBHdx-<!|({{LfUCMFkN&fdL0H*<Gp=KkdU`}Zeq z_Vir8IXUxaZgy^FV&dk+U9ic~p6l1IT)8rFXYT&wotqQzcax)c=D_|~c=YIxIrNW{ z=-a~V!lQ*JPoBMaiR_u>J7#k7&i%QGyAyMh6L;@V-h@MMUg^2ga}$U&U<f#I^UBT1 zj_WtCTq*9kIWc;7;`)`J?@YqGqv)S!fHQaJ&M5lt*~z&_PagdT@#=5JGtA7)<lMy1 zH-82d6BCn@@Z;!cFT8}$e;>Zz1OeB7xN?1>2W0$Ed!?siauR6Q?@Znq?YVj9<{hy6 z|1;S;I(q%?+}xenSwJj3d-meR%jXs$&;EwopPQSRgySbC@6N&N$+?-CiR(ZA42;nU z<e?wX;a9HI)}B9qy7qi6D1sk*J4WHXD?L4<ci`iJq|wRyfS7%<_~h9WB<025j2F+I zJ;U7pV{Z2D#EiwIfU&@C{s8Bp2Ri5c`5)kU<$Ue=)5yMppH83up|-Z?{Q0lW_tf@u z+!>whxj8wDz8=jk!l_RX1xc`g;57!qJ&SyE_dckY0|(Dc^qf7i@6&@jHpLwL>MJ<i zVqXEGxcKyuFTVKd^jX9@efrcFU!6LA_AHXqbG>JD?#?g2{PM@6XUGuc$+KsFzkY_9 z_!-3)vgkfUdSPL1@=k5-38^$g92Fk4X~&L(r(X*=a{7xSM~)mna^&E_gXu>Oe(~AC zy?gf_JowocUz|RD{w%n%w)WJK&p!LF|Nb8occkQ*B?T;=!%R#7V)E|&nMuT&yFc3T zjl3)`Uz(R09m)>~+_d+LBVVAC_rj@1_9BacR|jJb#vt3VW5;KoeRc#Co!Yl=YjF67 zJI?>{$fD-OYZaE)5O@I0AYa{|xH~g<ceJTlRg#vQcDy((Hk!@|4BP={Z35e|H)d~Q zOiX+XKn}*hyIV!*hppSU?@cc*FF28r8oP~4^Zv)_yKwN!SFcbwkgEA-PcRUMnFWwA za}x}5ze(L%^7*IfC-RTyWyW&pEKcCYfcJgCHg1ghkHy26D26YJ7e$CTqV$5A>hc0< zR;E}O&h`D^A79;nvh?zGFd#6%S;WlDnipn~rzWB9dal$q>s818wJ#~{M7~ri6?1)w zj6feBGGYKl#E*{$hb1QN6>(xj@$vBye12MuvaF_{pdeQg85vIZ_4WEk&m$D}C$H_% z{3GP9g@qZQ%%U>v`Qcojz9cDOcM`<DAU{7Xno9``CKH@o+{qk%d}4e|BG}$U5s2W6 z_Qnf&JV{Lr2+1!!k(3a{WBO9De%_z{vVaU?^8_h*wuDl6W&#Lvvon(&wda+C+Kg?2 zaB&7e$_olIqiKZTV1KNm2NOPcB0SR5_a?@Rkc#+t5l<j4P}dYxm*z{;c83e-R4f+n zzvjb#|M3V~+5!?X521g7K`rq5&7PY-U+<~Ca`vp+s7>Cyd7C(0nkUWAFV9PjruzpI z)_6K`5`}OoFw)ZzWP7|Qp3mb(Nu<);^70btv7{&-YmG0?!4Zf1V8;(o4U5nyA3d_v zB?j75PfrI#1NugBaqWnyB{|HE6`6*-RSv#Ri4F>3V`)S__(>9v7!qJuAUqmf2*|Y3 z(i8g<MFIhx;<?hn#*?z<!~ecNyYTYmlZ7Xb79s8^Cg3jc6SR@D#ihy-v*P3~8ZAUD zkrtPi%d5+vUIg?Y8c&GMPfL?Z)6<X=QOrJ3G@TNWxNqOS<Hr*d62gUCI?mq4W+je- zU$f)N0zeiPXDzW`gkrpY1!WZ~>*K{uV`fFhw$Kkk#fivU@@jcmL0(EIm(B-A6{lNF zlDHipqIjW@<r^##?c29~Uwo997sSN5*;-kzw80VZ|2RJjQc(04pDjX6pp&03hOUGd z(&CEIv8t2X*3m)}(^2H*O0~A8CMzs76dWamw?IfD3d(jAc@f)}6})|4f+&J76!G~) zob5_0D{E^UevS9uD>Ji*G5fl$oJXAxdLP*F^!$nroh&)*1GhE16SJhCL@ifq^YZqD zMyG+W;(Tdt?r{kOM~Ko(EaVWVzHC016&xYp@wrT#?K@UhRx2E^Zum{7dgd0U5a!9^ z(n}1IQ2g5RrTL|`sx!%(SFN;NBZAMJU!_oMwOU!`o=j<eO-(uao8#$;iAnKE5yHeo z5r>K=@q<__Ulxna4y9vP0K>|51<nmm+E+Wd0OMt0Zgvrr6d!pFut+J8E9F_qv1{L3 zw>c^?Lz-KlP-yi)*(1|x)!KXzBb7?Tk_<^Sa#swWMx!u^6fBlXr81dBs)OwtRx52+ zcse-yCDwL8>5a}!O)W0I#GrT-7nfF46ju}%mn&7W!<*N+*?LAvQUFq>&>9S8vo^P; zSKFsn*W{NTm!^s16BD5>_ih&nxfD2_>WlTKQYn-bwpQ=FVPy^O!r{GRV2Ji~bXex` zGt6sGRe+VA$S+l@tFpt^tXyurMv|79nN_CMnx@SrZB^gwtX7LECtsQ*6eU_r#OLwp zSSrB-PjJFwu?`MaZve!~*2cvNN7}SE{fqNwJ32;Zp&&8;K>!3^^k@}_!&WVS$I2}z zF(V_Zs&U9Py<}?BYR%>mty)%7nx7^Sr%1$c5>zZaJ`)-V!QS59(b2)q(c0>bH$aLb z9*@Ir6eb=yb@ocn=pT?^2$Ek~Q(Rk7o1b4=dafC2G3?#t@4WLtP+UrOnP$igrqPa> z&3%1ZZGKIjG$Rqk#G)lWh)AV)dN?|)SP5llvkVx^maTx+g2ghn#>5;s1-rqW;n_!+ zQgA{|MMW(L0hm%H&yHRD?((<aUb$w^;T)OfmU(K*G^8C_FpmJG8TyP=l9rYZ&oszm z4wcHL;#OE&+t}DGvwG(ppjg}6IXU34WEgUZ$B&;XuI>5d4@?aZN-JssQVLnBl$T|v zhOK{h`6}C$+cIR?+P1;LL6c!nuOI8v_Gy(h1<-FngQbOW*g-rVpXlyn2QqBzY%K0t zX64}EfWr|30%BlXpE?fx@E3qsC}8EKHPtnFvcr3Jee%)TwEzlEKUvq-rZMRCed-Y{ z2&t(lttgdBk`P295pp<uQ4ELSW#`~vz0AgX8FCjy-Wnj-)jt1-iHCuG@YJWDp2E~r z0Hvm>si~s0q`VsDXkONy*gavpK3@Co%5AA<T6HZNeQU2ujjW;+3ME4lCq}JBB;@nK zVSyxqy@Neatp7$>J32WzVBK8<Hf`FtHD>SL?b~+)q@qcw1WHYLO|`tLy1FbYGcz@I z&z>-llbl=qjSj3`*Q#n(LYaV1AsT6W4<-VFACV~LvAqdSc&vl%GAo3zvRY<mZ|CCR z>F(nSBOCUCi0#|sF%?a<9UaYJH6>pwRgH};jj|kBPUar4*woDIGPw#mi%xy9Nr}Yf zAJ0$!H2rvDgh&W844N2^AI!uO30Qz&-mwL<wpp=ag@eax1o7c)<clJ<Z^bm#z<(>% zYLHT<P;^79s;n%R<rQRQNwcyF3QFYP=(HAVhKjE}UV0q0_U)qW+xI2HM#1NBI1Dm5 zkm81pw}Eh2J2=|dIJ&@6;O_22=4{-^501bnmC9yivr1J{Auq2|bT>9?v<hVv3XQZN zFR!3XrPJtpd;9v^w9QSW`6nQ^j_*s{EriAbbt2+(`1~MPXFNPSAgLT7AU2M64)*rW zF79AHe&mgt;4d)Xs19{=FZiOST&YzwRyH=Oo74(9Y!T7|m?$c>M$^~VuN~C)HC30O ziE<+S^YnNztVS_HUJzf%-$)MhaCi4$dN|mC7#n*#TSq5?i!0gP)pd0MTBZ1y-j3cT zg}S*Ja=50tK>=-7-P^2F$n$_uE|)hnbU>wRA^3ed^|`#PTm*sP7@xE^hR+l7gz@Y^ zA2QQ}OeBIBN9%X2?d%*J9i3cU0pYs(eOI5rO#zr@pg@C#1cRnh-5{5%<gG1QEl4RZ zuP*;arBjbwyQbG`+uQq8UmwfM&y_-UB}x+aCGdqP_(CQrfIuPokg?!0M<)ks8+&^f z$YMlsc6IUd3Gms3>Fw)P_o;i;%JQ=6CZ$59Qpqp2x3nl!Fk0mD5|vJ;AJh+y>HFJt zs_K$s1ptvq(vlJrA|WVzVLYEoWN?^_05TJ#xH#K6SX(<dc{qAFxjMT5$i*G94Aa+V z5z+xI5;~VkAxE5kO^ZTZrIJ^FbD=@2H4K>UnfeX=imLp4NH|zo(j*B&p*WrolU>N? zaOsdlL=V*NU7Z{uvz$DfK$Z(UToJ<ul)yMrRy09KAd^+9vIa$!Lf@imfy~t@)M{OO zm%(5%kD=aDDLs)_ke3THB`HZP5yyu|@L^|(=W~c;B9-jof%Wuoa&ZDzIl4eJJX~Dh z;o|D!hak`}s-cB7RVbBe6cUxLzkgt`OQX}Z!mo7t_Q9#y;bDDyt0F5GtfU|V7)g=h zIH5o!Lc@zsBoVPVEWsU%b;84!oukY9tKB^;6nA&m_c47V(7~0cOI9>Bs};%%7aAHM zCS3!A(0i}lZohpAp4Y|(2m9OA7a_ZHVSmp^NlKC=h{XxJ!};+s96E<X^1x$31s3Z; zKuWMKt6g1?xw}A)xng?Z!$PBnkn}VGrCHf<=|V$GS66?RzP(+i(CIE+YPfy-x1pi_ z_V%VKS#D`fer{GqMjB8ewr=IKIe|nXhe-0LdOH)aR3dzSCy0i-E0iJ%I~0qLJ4W9J zJ-oW6;#@^@M{jSdPOE59G<LTmyL9PdtE!>lLVe5dueWcvx3@Mo=VhHZ2P=GTR$5X@ zoFHOTFq=psvzR2J2LX@8lE{H%vbzg_5Cn4A<+Wk@^<#RiLZt*1y#Uecbc%+C#>RFy zRM+0xa0zrZbPX7dx39IfwyMetj-5RRWtx?dk|5+UA$h63enbj8IGDj;keD2L5a8h9 zjJk@uiv{E1g3<O4_x0&i&Aq+q-jR{9k$zoEOG870u3z8M(B9e#LK-f24g3a>_Eyz} zvXb1dYs%#1xf$Yw_+W;AFoWvp$>5+qN%AN8Gx$6v5li(TIwMcHxHzwNK^RPHyYA9O z=#k1^sF)EwFysyL3yQ9mf&LanJK*XsU%q<lw`sFcue+qGI{7)wPkAoHJ~E2SB$2T= z3N0{@3^5^*2_!Nnf<Yw_+}#OI;4XI;=l5NmSG&4nT6KyG7nIGtJr%v6#5kzeLBDEH zw6yfM_xJZ3I$K&A>o4DW@L+cMQggdXo%Q+G=c>zdb0sN};Vdc+a*9ax_9kG7R9^}K zYM(;}2$_r=<_eKtz1ospty*n0bo*x5!=RxL8u~5XYH2}~fx+=<!@$7ptETDs;o+u> z&1%)LjFRe-0to!>a5kHT!{Vt_5-gD<k{6BQOJ%Yd1TPPwmpg&z?&XSt;^GWG!@%5A zs(VL!_3GZ?kwGYq_LfFXqe9o--qk;F@3-Hl&4Yut$IVMq*Df_&Y*ijRR$g5KNt_fF z9umaz#^bS6Mlg%+ALtVhNTSoJRDutYNhT4AWG^2t_t*L5ih*z{dqz>r^?lcFU%hm@ ztFx`X{sN>``|Yd7-<Fn^rmtQ#&M!@yS{f96%6#d$e}4^E5R%BP5dwd#x3f15I%FV; zLLySB{_bRwpZ|x!0bV3fgA74jS7W*w8dObCAswT`Bg2M)t6iNxc3r+)U*A1&88Yia zd;5h;gGTex(<M{CR<EuuD5?4P*C#S^CBn$ykTrN5-i6=`7Z3z01ciXd6G-4F0+GDh zmFxv2<L*jCIfl__RVrogC|sP5=#BjYnxP?$rm?%byL0GjebLUH8#b)j@cG55rN@t_ zVKyq1<t5)JOLFt`lfuKfEGi!7xx(JsdX2remoFB&7nTZ90*benA27Upd>}4f&hD7* z76pv?j*i|DqtR#>f=y1}-#>I~U|{I?8#liDWc_;|@Bd)y*Td6G5Sw9Dld@W=F3$jn zFfs@r_O_O-5%$Lwj*eIy4(E%7aIE(8BDsUVTmx2v8W#elMbS`I(S#f}GCVdgG^igR zGD21j-MV$_;ltm5`tF|}eYF0)HM@0-Q`fGIC@-G-=3*~gKS&e8!x<!;gUuTl_<CcR z^$JhCJy6^|sD3a&JcwwF_<04qzuLpe*#*<7Q7D=^Iy(9w^kYVoaTuQC<5$PWe|zxY z;RC?@^zFA_{`2Ew!&6h&hWlE-Id`$S9H!&H*x^i^H7uqW%$pdimG;iA1VnN1pnALe zktq~+fRKqEWRL<CuTeBq%bS`&$k^D})U~nUk?}!LGH!bC`1i+8pFVy3`0<13p9)V7 z-<z5m8);RRG*{<J^QH0OME@1b0Du_w&dwgt<UJg5&QvTM@8>~8dRDLY@$!1#9eUSb zUqeX=v_}Yv8KfAEgIBK^hPnpEA$uSG`RCK;e?5J?G;J_WEzXZ!8y;4E4cjWZu@~Zt zw^{}powcolqn-0=M~FByVkd$>fed>cAl?rQ2q5}+`B)(BDpmEx-sYa(!7;OO3Ml&a z%L4-gCe!qThfn`{ZBLh$UO>Uz)2my*{`$o6#I!V#FTr8O3Yh2)o{n&~vmLBKcn>Tj zF&+%Mm(OalkDoj6i0)8~4Hs0<y1+)X=6hg+R}GzzTSL>+(@T#5@aom`zg|I2f}VT* zI(6xZ6L5j@FTOtk>);5x0wk`ZJ>JO?=LnZ^SbIkTf#5_Sc>DQ44wK=V1)^)M{^lEH zhZ+KJhIPSs?^n}6_rSoo2`KX~5ai{nSAV^F@#5vPMdP4We&Tp~Qo_Ei46@g1R|o{E z4mjK19z=NHNhA^y0>O9ngXZG*zK^$`JJ}V}+3@e`b0DQ}Y|K1nnl_IA_WRJS?tyN@ z_;2%1|NIjO$eur6dNKd#-mt1vnzj$F1{hc>*3kn?AYeW4umRz4o(@<%g+iuLp|e02 zMg~(7mP?=a1KcrPs;27d8nwE&Zv?__x@{VI09ANn=<2|4k01Vty!AKb@#3#zI%T;u zEs_-+L4sjx*-l7!oHGO*hb5AzFer&ce{X^}i9jL+g82moFo+~~GW4zs@-nz|fJr|# zrXQR#nudmM-1xq;yL)`;;qyQL5AtGuX=+LVD|cFa2!rV1<Y*7qY%op`1dAnl`vnFv zhzv5xm*f*bf}TkRh)*DgOs0B(lCFlTYB{VdBO@bI`mt*!lWBbX)~y@ex5gj-KP8aI z=IOEK5?JgKf{A!LNGTlN3lum(;PF^I$&bt+GpP(J)!Q$C37X)#B@njo_n{<-7)@hc zW3?Pn`ub3v44I4%4C4bgZu~g@5Q2gzDEiM|ESb%Eby<E|l8`}$_018sYlymsvm*{? z?~A4S6PZjlolB>BlLI*%n8-ooV7NZ=f!RXF47GJtR+S+N>_)K74H|}q4E>#*-Iu$6 zefaR<U#~2M^6D{66iBYBth9tk2Hx4u&d$*uD#Om%*$cWNmCj@`sW2GXK}<&AMvy^< zXJ7!h5Y~EE%&oS%N?BEPlL{as#xdit;nvW=<?gzohWdI$dHPxlRLQhyL|G$E6Y?1Z zK-f7!tHMH|dr_Gzb`TdDKNYlq!SNekKR0e92Y}B=n6@A5&J<NuRcX~)y?)9xIA}B& z$8UERet)vQ{?_jge}DSa68EL~#i=p9JU>Gs=J|sV8%HqkmzyV*LT3jvC^X!fHEU=T zki^)?iP>m@kT-6GkWi_Z&bIHWihu$Oe4k!#fGIyPI55!t<9FY~bbJ7@e~4oL*ZjT3 zsgXVi3A)9Mw|h--f(sui^+P7j%?*c#QG%s;QqV943I}P~7>H7iNJUC6R~8jk$`uNT z30&_C0;8*|^Sk=*zW?#ouTTH{{poXnJf5F7>lNivi8wOE-yU5V+JUz`yuF!he_yw? z>nLj|p1x}+zP=0whX*3ix`!+fR%IgQ*0<jk6&4j0odGQ%Mcc0dF^29RfBX*FjR#9l z0rCR;wKP4ZEte*Vg+cy!dmGT=g!d*<S)sIb;3OJ_MgbKRUq&#S&HFzDcr1`eC1E<d z>k11IrAi49t){ERU^EP9UsJyS{_2CJ$B@T=L0>T&Tjlvl2?7Dp4#usWle06P8N{W~ zL+Lb{uP@DQou?;-#iR!X1@ZYj9?#-04wK06^TKr3*A?a*&5_BfR4O$D#V}|ZG@0}* zuuA+0cH<|Yyh34lzIadHTAdWm<53|Z_V$imUj8gPokCy7^`-gx)4)85EH0PJL-&sO z7BPVwHk67FrXF+@=Hz4pMbW1lG)|k0V`C<Rp{ujA?Z=;f{Qjp050>ViBgiy3vn-A! z5O~@{MC=FzKL(TK%MySNH&3jmrzed@r*OGJK}ZHrP#!aw&{(_><ml0yoV?sJ$S?@I zSqqRc(-3UIZQ!!+Z`^t?Z-FcswOVz?HeU*T1$Yatr@R6fOkY+gm*xfloF{DFv`~5o zI|%s--Jc8&4(32Y2QtV2Da!ux=%JIx4$EXvDt&tBEwIg*#s~W~K>7aitsAC!G`W^^ zEh<^8o2}bQTPquwxLza%v=J_gwayL9)6<ti;Rb~Sg`f*!Faa-kBZti<1~Qm|n98D} z?3_b~_U}K89Hxg2Z*0t9HX6nanzpvi?)uADZ;V@%Opj>QsjIB4(0$ouc1{EmmCmJw zgs@mN1ffuTS-~s;3c2N;IvA>cHfqfbOhZu-Fb*9`PR`8ElWSpTF&oYBFb>`tYODLc zzTxt%-+z7a@~^)Zhjp^G%intY%{SkKZ4Qc%9mHd^gPC|=DqJ>DD0CJ(I3%1G!V@4Z zLHuxj5Sz^iWHQM_3`8Ad?BAc9oO&`(u0{iLY6|ui(}2DoR`1IV-9r!Nm!3X<Vb*J- z-+lY-w*Z29!_Lm1$>)WG5W1VEFKsQ2_8~hYJct|459bMZ@Cf1u1##&?EGD}1je$x$ z35=aPcP3}%mA{6J!HPAdzcy%q(bYX<fMNgq@%%kw<=VF_LXZ@H4qFf#8p`F;Xlp&` zY;GtwC_Fq|0H0qV017ezo5KJp&{;6qIVTV8KeT`6uARxLnFVsWR%;%anwm0BnGME4 zxYRNXjT`UXd$F`QKh^lryKh;9y!qxzQZSnr9lDJh5=skOM`IxfgaaU;L=cVC1aU*4 zak3d7`jIe4PeRl|$Ih@_+mchW&S<rI^Vrn1**rCEFle>fHt3mSvrCKj7MINbeD`fc zffd_<!4?U5JZ?BEbR9QrGi~!`I6X2_5H1o5ggkhnUvfj}FajWnG4(k`hfcyJ!mce_ zw(LwkTn4=b-PATOngP-Um)V+r<J2FZZDG;;?MH9DgS_>&Z4fvmIy5{ql*J0$%mp3c zyzuad?Sk;|D4|d!vJ?u`J{v*;*WQ?-B8dAZJGX>|Z3){In^{z;F_@-*n}^_=O@_h# zmiCsG_G{OM$Hw}``n3N9%3E)}wJJ227Znv97akfGx-Kkqn?MjLh>VH~2Psj)s7U@M zq!K9!VY2`dfI&5~^OH}uY}m4XL)fm=ELmkgr1112QUfciR#7Eawd!DFQr46fr|tRZ z?RVGGLTRkXsD!AfNWo?SJi?;GMUemzilcc^(E@RlC?W!a0{I1@XHuAC3`$^#$cFXn zKi;rmb8Jd(SwGrP5o6k99@Ob{RSi{DWo2@$JY!cV&271@gXapj*r?sR#p3ALXrv%I zN*Ea_7K;;vh!h>gkJ}y*Dd0!2gF>JyQz`zKLa4)?`*&{Hu>QRbNXp?e+96nr5M|nI zG8_B56jf)+^73-!Dz$9SS~pwUl^=wJ#zn>LPLM=LCqyO0MT!#=#0dxjFA~6uLSZC7 zB8ndo9K;R*2o8%mbkq`(kJrEV-um@x!(xx+RkaP7UrRAh-5b+t8>`ArW@R1ADyZp` z#X{L}1<`Thgygs+i9`|?7YC<{<KXl-!~%8EQQ*hzk&p->P^)Y<or;G#LEicpBC^VD z!@96t$tTaWwHZvHVa#X&8T;F-&gA9Ea!zLEmuK$Uyg529B`z*$PwMWBlz;szDFsXd zZ-}=g?A{$07bQ;EzFiaviH3@i!vHB1DkcZ=7qS<WEPrp+`YoZc*)lm4#}EYMHN#+N zfuNv!>xWY_vNFL^Qg)|g!1v6IjMU8Bj0{Nzy32;-h@;}-qNC%YP*w<_>#(@~Y}ke| zhYo?SwrpAd-YS5s4colya5gy10C7P{HV=6`)YVnjSS8EL%79a|kY%PEJC>E1nwgQC zm7ANDl_5z>g;gmExhpCvP7Dw*As_lamqnrDsF=e2A0x;X#8|azLs)EV%Hc|ISQ|8Z z1ImCQ!%!zInU!a<vk${KfE>tz7g>2ol&lQh)z8gLO_6}#Vq;TdK}TE^O0p<n2rrz= zrNcb%#2h_piTlUkt>plL(1XJ&>l!;XT^bFbpn0`**4I^4!f?yZ%91Hy5tPYfSy|bc z$1=0Z<YjrXtPJp1LQ-66EO4T?ZG*tT7eJtyanbC@<QzSEbmz`bP<Aa}zH05db-NDl z$=OrXrfF0(wzX+Anl?>mou;y=va;|D94?nD8X*s4<tMX_9m~!wm&?ntk^j<CQsQ>) ziB641hB7WefU2I&3*{2&nCwG2XlNbSxqkinPY!(YNm%lsJ$nwwU|<$iHo|b!bavI% zY3j1iR2EhhR#sLj6j}wC9DtyqpuDU~mYJKInUV5&O6soYROGa1l-MZr0zr@fIwTzf z<NYKIuA@f}d|8;CYv`7w0004?Nkl<Zll|p^qq3t1a<Y??Wranu%0{rd`ntNJoHIpr zg__DLMWd#nMO&$8tAuHtC(A3ZD$6SXZ$Vfxl9PAEiBmuc2$6^rB84znHpA%hhwRG9 zKAKZhSpVI(bw!1;FAFQH&g2vx*tv5L>`6tizZMl1HdYoL&4CRNAvGFM0`N*%ktOWq zWhezwQ!`VNGE!nw5+st;<mi;Rge1r`K@@LuXeiwmvmctu$(+KvHe`mjPKYlY``wp^ z_9yS!zaKtAVNOwHAuLTfIfa#7^^KZF4GLBpP-G>tyu2z|6{H<-(ok8(CGAd10fsn5 zEKY$`i;522ypDx|(OX!r>23qZLoR7<)xm*<Mc=mNz!=*ZyKB$k{fCNVIXMSFS9W1z zW4*QuQUWCeK*}p+d1dk{8Omm;l$5ws$Yo?HVt7Ip#0g+PdqN6>hM}Rhwr}hD`?V11 zZ@>NW=+R0|Tj7B%Tf(;OJOE?)P|krpI}c}PXXjMb$?6*$!CP93l03+dDmjGaa7K#7 rQe)$w_IIPm$3>$RAe>9_^|bz9f+Y_qA&w4g00000NkvXXu0mjfGgw$M literal 0 HcmV?d00001 diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php index 58c69e3229..cafc846e9a 100644 --- a/tests/phpunit/includes/upload/UploadBaseTest.php +++ b/tests/phpunit/includes/upload/UploadBaseTest.php @@ -585,6 +585,42 @@ class UploadBaseTest extends MediaWikiTestCase { [ '<?xml version="1.0" encoding="WINDOWS-1252"?><svg></svg>', false ], ]; } + + /** + * @covers UploadBase::detectScript + * @dataProvider provideDetectScript + */ + public function testDetectScript( $filename, $mime, $extension, $expected, $message ) { + $result = $this->upload->detectScript( $filename, $mime, $extension ); + $this->assertSame( $expected, $result, $message ); + } + + public static function provideDetectScript() { + global $IP; + return [ + [ + "$IP/tests/phpunit/data/upload/png-plain.png", + 'image/png', + 'png', + false, + 'PNG with no suspicious things in it, should pass.' + ], + [ + "$IP/tests/phpunit/data/upload/png-embedded-breaks-ie5.png", + 'image/png', + 'png', + true, + 'PNG with embedded data that IE5/6 interprets as HTML; should be rejected.' + ], + [ + "$IP/tests/phpunit/data/upload/jpeg-a-href-in-metadata.jpg", + 'image/jpeg', + 'jpeg', + false, + 'JPEG with innocuous HTML in metadata from a flickr photo; should pass (T27707).' + ], + ]; + } } class UploadTestHandler extends UploadBase { -- 2.20.1

From 2e83387666756039129fd4e8f667dc5fed0849f3 Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Thu, 6 Jun 2019 14:54:29 -0700 Subject: [PATCH] Relax HTML sniffing checks on image upload Allows uploaded files to include some HTML tag strings that were previously forbidden in the first 1k or so of the file: * 7809 bytes .../data/upload/png-embedded-breaks-ie5.png | Bin 0 -> 10158 bytes tests/phpunit/data/upload/png-plain.png | Bin 0 -> 9497 bytes .../includes/upload/UploadBaseTest.php | 36 +++++++++++ 7 files changed, 79 insertions(+), 47 deletions(-) create mode 100644 tests/phpunit/data/upload/jpeg-a-href-in-metadata.jpg create mode 100644 tests/phpunit/data/upload/png-embedded-breaks-ie5.png create mode 100644 tests/phpunit/data/upload/png-plain.png diff --git a/RELEASE-NOTES-1.34 b/RELEASE-NOTES-1.34 index dca64bd195..db0c732ff0 100644 --- a/RELEASE-NOTES-1.34 +++ b/RELEASE-NOTES-1.34 @@ -42,6 +42,13 @@ For notes on 1.33.x and older releases, see HISTORY. variable $wgCdnMaxageLagged. The previous configuration variable names are deprecated, but will be used as the fall back if they are still set. Note that wgSquidPurgeUseHostHeader has not been renamed, as it is deprecated. +* (T27707) File type checks for image uploads have been relaxed to allow files + containing some HTML markup in metadata. As a result, the $wgAllowTitlesInSVG + setting is no longer applied and is now always true. Note that MSIE 7 may + still be able to misinterpret certain malformed PNG files as HTML. +* Introduced $wgVerifyMimeTypeIE to allow disabling the MSIE 6/7 file type + detection heuristic on upload, which is more conservative than the checks + that were changed above. * â¦ ==== Removed configuration ==== diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index ab1afe2109..73d05ff408 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -1214,17 +1214,12 @@ $wgSVGMaxSize = 5120; $wgSVGMetadataCutoff = 262144; /** - * Disallow element in SVG files. + * Obsolete, no longer used. + * SVG file uploads now always allow <title> elements. * - * MediaWiki will reject HTMLesque tags in uploaded files due to idiotic - * browsers which can not perform basic stuff like MIME detection and which are - * vulnerable to further idiots uploading crap files as images. - * - * When this directive is on, "<title>" will be allowed in files with an - * "image/svg+xml" MIME type. You should leave this disabled if your web server - * is misconfigured and doesn't send appropriate MIME types for SVG images. + * @deprecated 1.34 */ -$wgAllowTitlesInSVG = false; +$wgAllowTitlesInSVG = true; /** * Whether thumbnails should be generated in target language (usually, same as @@ -1390,6 +1385,16 @@ $wgAntivirusRequired = true; */ $wgVerifyMimeType = true; +/** + * Determines whether extra checks for IE type detection should be applied. + * This is a conservative check for exactly what IE 6 or so checked for, + * and shouldn't trigger on for instance JPEG files containing links in EXIF + * metadata. + * + * @since 1.34 + */ +$wgVerifyMimeTypeIE = true; + /** * Sets the MIME type definition file to use by includes/libs/mime/MimeAnalyzer.php. * Set to null, to use built-in defaults only. diff --git a/includes/upload/UploadBase.php b/includes/upload/UploadBase.php index d905aa47d9..597c2777cf 100644 --- a/includes/upload/UploadBase.php +++ b/includes/upload/UploadBase.php @@ -404,7 +404,7 @@ abstract class UploadBase { * @return mixed True if the file is verified, an array otherwise */ protected function verifyMimeType( $mime ) { - global $wgVerifyMimeType; + global $wgVerifyMimeType, $wgVerifyMimeTypeIE; if ( $wgVerifyMimeType ) { wfDebug( "mime: <$mime> extension: <{$this->mFinalExtension}>\n" ); global $wgMimeTypeBlacklist; @@ -412,17 +412,19 @@ abstract class UploadBase { return [ 'filetype-badmime', $mime ]; } - # Check what Internet Explorer would detect - $fp = fopen( $this->mTempPath, 'rb' ); - $chunk = fread( $fp, 256 ); - fclose( $fp ); - - $magic = MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer(); - $extMime = $magic->guessTypesForExtension( $this->mFinalExtension ); - $ieTypes = $magic->getIEMimeTypes( $this->mTempPath, $chunk, $extMime ); - foreach ( $ieTypes as $ieType ) { - if ( $this->checkFileExtension( $ieType, $wgMimeTypeBlacklist ) ) { - return [ 'filetype-bad-ie-mime', $ieType ]; + if ( $wgVerifyMimeTypeIE ) { + # Check what Internet Explorer would detect + $fp = fopen( $this->mTempPath, 'rb' ); + $chunk = fread( $fp, 256 ); + fclose( $fp ); + + $magic = MediaWiki\MediaWikiServices::getInstance()->getMimeAnalyzer(); + $extMime = $magic->guessTypesForExtension( $this->mFinalExtension ); + $ieTypes = $magic->getIEMimeTypes( $this->mTempPath, $chunk, $extMime ); + foreach ( $ieTypes as $ieType ) { + if ( $this->checkFileExtension( $ieType, $wgMimeTypeBlacklist ) ) { + return [ 'filetype-bad-ie-mime', $ieType ]; + } } } } @@ -1262,12 +1264,11 @@ abstract class UploadBase { * @return bool True if the file contains something looking like embedded scripts */ public static function detectScript( $file, $mime, $extension ) { - global $wgAllowTitlesInSVG; - # ugly hack: for text files, always look at the entire file. # For binary field, just check the first K. - if ( strpos( $mime, 'text/' ) === 0 ) { + $isText = strpos( $mime, 'text/' ) === 0; + if ( $isText ) { $chunk = file_get_contents( $file ); } else { $fp = fopen( $file, 'rb' ); @@ -1312,36 +1313,19 @@ abstract class UploadBase { } } - /** - * Internet Explorer for Windows performs some really stupid file type - * autodetection which can cause it to interpret valid image files as HTML - * and potentially execute JavaScript, creating a cross-site scripting - * attack vectors. - * - * Apple's Safari browser also performs some unsafe file type autodetection - * which can cause legitimate files to be interpreted as HTML if the - * web server is not correctly configured to send the right content-type - * (or if you're really uploading plain text and octet streams!) - * - * Returns true if IE is likely to mistake the given file for HTML. - * Also returns true if Safari would mistake the given file for HTML - * when served with a generic content-type. - */ + // Quick check for HTML heuristics in old IE and Safari. + // + // The exact heuristics IE uses are checked separately via verifyMimeType(), so we + // don't need them all here as it can cause many false positives. + // + // Check for `<script` and such still to forbid script tags and embedded HTML in SVG: $tags = [ - '<a href', '<body', '<head', '<html', # also in safari - '<img', - '<pre', '<script', # also in safari - '<table' ]; - if ( !$wgAllowTitlesInSVG && $extension !== 'svg' && $mime !== 'image/svg' ) { - $tags[] = '<title'; - } - foreach ( $tags as $tag ) { if ( strpos( $chunk, $tag ) !== false ) { wfDebug( __METHOD__ . ": found something that may make it be mistaken for html: $tag\n" ); diff --git a/tests/phpunit/data/upload/jpeg-a-href-in-metadata.jpg b/tests/phpunit/data/upload/jpeg-a-href-in-metadata.jpg new file mode 100644 index 0000000000000000000000000000000000000000..54387360277fbc237d6cbab9fc2032954361a890 GIT binary patch literal 7809 zcmeG=d0bOxwl@ie04^-X0tUT=6bdzv5CQ}UO9)F+$O3^P_BS>p0d5QlSr81bQ>kcy zLD{rJX&M2cq}a@qQQJ-(e{H8I`qWZmK(y9TXr)fIih%9-#^!xDEMo2ae$Ko<pI<^a z_uO;NclK{_j5)4Cp8RxPI)uSMP$u|5j%zr6S`|_ZLD|_*7z9BCXgOvjgayzR@Mp%X za>CvagmK4sI$<{elQ7;84!p;J4}|fDmN{Vv6O38A2!~^yo2LQNFmxxc7l5KMkxqCu zfHN`iPIx7NUwW<G2?qdJ`8oo*%*(6;{~?}Qp@(0PmX|AZ2Kc!w1!AaBm%tenYPpp9 zqC%%u=%_rk-T=^sP&i#<(8R$BQn*y7C}xvO4Tkc#h=|I{%5c3wQC=!lQ*|0esVZEq zASdR|Vc?w4KPXitL`V}MNWgnRD1cLiIU-?Bii9T=%wxDws3xe_P^;(ui;yaXs!VFo z=wL>8Y&f8Zq|sS%wCFfm3`~zgfhY#FI0-uK!zXk~I08;hg*h9kxhX&b4ag<E*0JD2 z?3Ft5LqFGr%)zc-LQpdVxdK`jS|o$sj9c(0_Ik6+B7DCEGe?8L;-FUSf=t}XR@Zr% zAcC!gC9vB(3<S5jFVe5+T$qbaqjh5DX@Cbhu?sPR?sVc7;m+=7=4n9Od$14bdvHr& zmqq#OdhqjjFmKO-ZYb}9ZYX|<ZawZx=$9{n=W>hyLAc<as0BaZ!T~!v(3sr^(E*`h z#L?(*BrOhnnKU$FkKrI_^C}2h+YWeo=Xp_nOe8HTiV@9(VrbzsY9tN(!ewP}aYSTz zEU2Xw$L4cQtq+&VHARYWnWikFN?IO452r;y2}xDuQrQ-T0WMOMAZj-G_R&wsFd}D@ zUu0&}vddEyrAVexr^q!5Br@X`8B0!1N`w=t;;PEZ%M=DFTveu0>*K1}WT)^r0Hf## zGVCNVY+;iNvPE#JMyG(8;Zfl<GT_$9i{o;*>GQnc>5+n{WQ1#UB@uKMixokOjEIb+ z0t%{ro7y0)qN?>l3lg{ry-bIc8xV~eMkPv%G!+Im8O-cdNiJKIT3(@3Ic3Ua5ek)} zOrbXDf%$Y)ODAo4DJV~Usiu69<q>Z!zIOU-feCov*U1;0ONJL2<5HzgMPJk*28E7I zex&-A(s88*MXF8#enAM(ETGaDR2p5fkQr23OdO4ds!$#`M~8C!D(M_iwnmN=Z(Af{ zQE5PAjAWq?ERm$qNi-T2oBYfEf%;o6ivx{JrI-(1ipnq#sSwnKaVn|0giWrZ$`!@Z z3YCGJxU@MYM4;hOA%MjR&2dL8kqJN<YP3c-FE&@9U7X-yKSW#AFNMufqQV|Z01x_# zBBesMpe09I@=zRkscz&Y^5(S!!O?+c4qCVYrotkP3NavCV5AJ@B2ty6gbb6j$G5+) zR;v(M>EqlSg-(U2AIE1Z5Va0)P&ub}sZ`Wl15%8x7mpK)K)@=>^m0VMr9!U<$^AG< zu})DYhd&>HOBBUGl~ORHtTYME2ZbP4=-@0xi9#(`09X&}Wu=u;ov~CZ)gb^2O8~t= zu|%XZB6I#ho%qmi-~k9&sIYnW{d<9b!c{R?Wr%;0g)z9q5WiSB=t6}uMo3ZgFAaK_ zVvpJYi~@crHRzw%o<}D9#me}vXI-4c>E0!s3e4+7f%b=ji+wZ^emb6d;Hd|mdf=%C zo_gS^2mb$g;NeLOY~I-9N^s7C9JjCp(Zbopc@~f5@UmUdYX}JQB?(gq;nqHzK>`O; zEQBRtMbL`H?FzbACSemH0(yv`F=%uW*7(@#DoD9>GyH`6wg2!IgM^J)s*M36Eh_sf zw+<w%AGGq(tvZU@@bB!-Q3m|nh8zW-`4@X|^qtpZ+inz_@_*iGlduVpM<gwh#-xE` z7mY^3CPDbQXA*W9w0x=iow0oujV<Ik)&IgPJ0`-U&sB|QsRxQQj!z*k0@MlJ!C}Y{ z)(eC4!Z-$@^&kzFVVuLs27bWJipw&*E5Xg(0}vbm_hT3w4(ozjwhT=h%q!^4i;LGX z??8GA-bXBTC2Lnl*0gjHf;a=85p&Mnp)iVcuerIedB)ez|JmS>=R(7xn9(t@thiKe zT6#t%kDn{a%YU(8W1$S3^-4++rQT4nwX$lPaYyaWU9Z>GH?+3x-S@`t+u!WyKG4(q zPM_u7{y!Z$eB^@<Kl<~>fBk&$_=%yDr~cb^-aayVVeI0iYvU8&e0zQJyBmL>x;s5H zd+*1e{&63*3tZ{UnFW65Ec=CBUcfG_iwn-h6}1b4twas?a#<Eg$9t!UU8Pzda%2r* zHK(O(;4`-%M$R2#k?x%P8cNi)XQxopoR&SAVXys1mMt3g(5|nbRB+3Q4lMZMuvic( z92hQm7j)oV@y_8oKM2m@h7OO#;Q&G~C?^iL417HZc*5elCk7l}gPXBcj!V#T90nv4 z&I?L{9`Hjxxgn-cbm(=0ut@FZu}lX<9SjM;XQvBdS>yZmAiFG_XubG{Vg5@k;@0F( zuUiSJ!$iNtnI5~mCL3z3nzf8gcjO4@Vusi4hI521J|?@oiJz~MaIfA`wtCjyvkWJk zuP1j?$MllG_p1GOHyO7I`L!K~u|Ag$6d7|`mC;NDIuSc*<qr8CXSI_ij&aUZkB|#? z9&On9mieQ;f#F!o3oqw&5iU+Lz0@;3CX+<is#DrLN7YI)QgGFt;rd78;q9`RKK|}K zZoTTs(F2sN2a}^(#L?;7`qumqYpG}VpIfot@#TZG%f^OAle>q^O6&M}FzIx0Alzt| zo2Fj)_{~;hUf_x%qg{pY-dV5g^xV(i-NfqLU)Z=`FpB`IE--!8z1c^1ZK!Lry&Fgn zlH407qe!!7X&+h(2%8%1l*zu;*ERgQf&NU6H(gw^`n}5%MbowX+92&`<6RVgy@@2* zP@UK5`Sz6&4^r-_8H-y$e=EgfRWGON)=#-#xvo3n!7RkQm!howfYleTZK!L>5A>a| zCTHGMrZas?tcA%mb9TB=%6~;G8o<@$w~*<##Pr*#G1j!BA&Ey2g5%tSq~Pw5poUiy zB;4)#&0`i2%9<vv_=nyQd^g1tI_Oz@Uht~F?>**Pk~y^J8LziYk`04~J|D3+<7}bl z&ZG8?xA|wZ;(>#i93OL7bdZZ}z*5i5OyvdiN009{N#r%>8{YR}_XnN7w694v+Fg8g zq$jXv&xnVoG50iSl4aS%R@x{Wp|Q4gS-f_<yO@}XpMLwu+GvCqJ9&(gIdhQXRX<F0 z`!sRpZuN|Xhd-PgM7pzrBS1FxGdg-|gQD?ioXwWA&-*mG*A9H2-x5?XRU_)C_HWvn zR)}-h9>j0RAa{oZgl^h1>-Wc-hNioA&PB@?uB*qZPK1#&CMC@T0qc1BP)JAqj}}vj zX{2t;dS#=@)^_1YI+}`;z1)J52EC_}VVaiIp75!uxzc{(HKRm6T?qScGD)(kbEnP9 z;2V<WU5rXg!Q?S^orQNWGdXjZ=n;+21dgIV2y5OoaF6LmHox*oT+N@J=Wbu=%JfRO zzOOzYESj<>Er;Vf*s=4J>-PfLPZDl(>_H!Yp5@f!AAp6yuxYe*cTwU#kEB=m`5|4F z-{~dIE56ufId!wNnDq{Q=r<z>#&P~ZRLHT6<MHGJlSf{aumAR-zaZ|s+sW0vfBs%{ zRGVKLtZfqyoa~j|5U=}7ULal&M%Et>ow1DFJBaZ+I&0bZ`ZWQ?E}v@Xsf{wp?eeSI z6pBQC-3oh}V~HN?68GLyNj3<lwE6Y^H^bOpe<w4C)=m#6&X%UG4Y}0y^`10#Q{m39 z8uKWDzV|C;EW&_y3nsp`w3~bKI`J}Fm#l?<>jFu_y+<s?w_+?`Fm~`ane18GlSIV( z#34zRAUl-lmH@KCx1-i%4n3obvj<xtdQgjK;Ip&rw*r(tP1ZtAlEeNWq9{(nogTuQ z1lj4lTbnQP)_-fUW$^1-nyg7o4<GwT7eU|A*s%&X+CDT23QjMM&uIg}p;XL(^o%xk z)J^dV4Da~t`Q&ZUu34hbx^m=9hOz!FA_9%Z-WGjOZTmg>zyz2~#ye%%v&v>3BD#T8 zE~x3KbwE|Q?RQg%UX#70wNW47m22Q>q2?v~hRSvEBNUuq8~y-gGT0<!dc>&o`OWRM zKUy|^1aIx5|B#(5SgE|3$#QvFl6Le<o~3?>e|USA$xfMSs9vXB6LJg`smZL24mOPi ztl<9b=l;V%j*$mpYBx(k%P>DD^S)jF&C3_=6(yZc@jD8N6e$3q?FU-fGknKQLS_A1 z)BT>KOuq!}r5z1YW;ezI^o-m?;zL^<(DxuFeV`-0-$(zh8q5e3d!6Z}DbxoX3-iA6 zcE8PYt3~*3Z}G|TF4-6wfr-At`j4miLcOSUMNabaa=mEaWZxSB@e<0Ud8C_D#PF}( zZ!;Bk%g{p8>GYR6sW;9hw29ir@_KNaU9?%0FNMCAHxFHU7xpySxgGflcJ5TiIRfZL z>s7h+0hk-2wzm8h>VC)Q12Q`-QUVH1>|@^YKg^(i9`XcUVBHXe;82uukl7^73aPa1 zH7mW9Hb`bxlB<q~SG(`tvm%G%Umj~|pZcs<CT6T0+3K-7)-u*8I%B+VSN)Az$gLaP zaXk65cGN5+dZ|n!gQ>m~|5TE-qo%W$B^g21LX4Y*H@>gQn!bsM5Tq<NQv1y-2=BIN z!1wCNSQbZ#PqdF`CP>n)1SH{lw~T+{KnRfsjk0cw+RUNf{Aek-I{JpE4b<q+HNNmA zyXxz|+lVI^?qKCf+&f+_2n*Ir>XRH79*`1`c*XX;;d|0@sIB4W;f#M22d8m|NayR> z%3yU&Uf^=-ar*Ai1icvaEgX+xPdmCpppHG8eCsO*bRoZa`_!rH-TKR-%XYbW7V&1* z1s^D$>HROgdDepj-0i!k`#{J?y_8Af+L+1w=3S=i-Rkx}`VhWr10x@FwQbn0#F=ru zIL2?>N>&Gc>Sx(B9dP4}_AE#E+kIO-8_R!t!~^K!YUNx!i19_2(g0*|>Nr=}Tj=@M zZI;tA>+>W@7NFv})d{Vfp{RSZE1gC0(?5;YHE#eJVH=px+_lu-%5Po|mPwGv>Bef? zp_NDcf<HN&lXN=JjUwTW@13>$F0YI3dv!{DXysv_#s;Yhl#8%8S)dCYG#6;aZ_GF# z_rt;TVXc@Bd5504vd=G}$V!k6+z<hVdu))2@gqH0hJ<UnTN)DFO)-brJn6SOcGgG5 zkldvScfxGX?pFWBz0PFl{E+BlzWg(>$iG|}6Gi_bEq#;C3fYvApMqD$-5pl2Si2J4 zLN0V@SuD$#Nt?eN0d<qpCZbQ^t=@r2R<6+}rEJ9SN7g~GfZcRuu4Sw&WqJ)~<@LBa GF8(i~e&_}O literal 0 HcmV?d00001 diff --git a/tests/phpunit/data/upload/png-embedded-breaks-ie5.png b/tests/phpunit/data/upload/png-embedded-breaks-ie5.png new file mode 100644 index 0000000000000000000000000000000000000000..0af03fc6083653e4dd77ad6f07ed7e6015574f18 GIT binary patch literal 10158 zcmd^l^-~=%6ChgL-5>5epg?hVcXxQWySux)Q=m9Jthl=sD^}dyy}<Rm@8pO36K-dc zO?EfQ?oP5Z$tGG^Q3?f-5D@|b0!2nzT=gF||4)I3{#Q%!gDfB*prZM$6{Hyc{{}&R zYkNz8tDCnSNPxo0(bd|`+R=d*U}Ea(Xy@(*;sdxjI`IP7*!ci<APYBM05=690O0Ck zCO~23=H|o;1lobzZC&k699Ya8?SZZ!Gj|tjH*cW4ng|=v!P*SO;^biYpCO*s=5AI3 z6l|=l6aXubwWXEY|LU07{cBMGfP#qpu4XRQPHq4<Z>N8{xPiRffHo!`CjX^U2qKz0 znz`G99NbteEX5q{99;kc09sEgYc~)r-~Z*A{=YmEJCKVT9fgjgy9>b7#nICh<N~lV zaRpdAm^r$*fXv+NyaAT(AXitAIl#>d^gq`JI9mK`Te|`*tnEN7015!(KO6o7|DDFn z(b3i#<O*<f_^;GIw}AjAE+F3jNCN(kqW=}6=R@QN{?`gYesgP&|LtvaYgZ>b6K`IC zgQEk8LU7=5$sPg%8bVoKT>=k>gaC(%5TA$~KuSr%Ney77p`fNCXJn!mVWN{}Wfo*( z)cD2<<OXtbv8b}MDRHpL3b2TNW!Lz|VaUgB%E4tW$}7ajYsky(Ajst;%r7s%rz^$J z%gbvm%<0a<Z!X27D9U3b%&#fL3linARuD9l6|@x*vlA2cloYWO6?KsiH<l4Kl@PO% z7Iu~swUQO~QIJ-UmDX31*4B`b(3Vz_m-dyHw^EXEm6vl?m9y27a??|lP*d?#Rddl& z@=;dxS68#wR&h~R2{X}9*3q;z)HKvri8Iu;GF3_hY3u0d`snBc8EJbP=(-zehni`I z8=C~17)Mzc1%pid?TtL0KnB*vaTXT7PI~#S<`$NwnRXVQP8N>#7JgP%$+p%Jj+T)g z7SUd=+HUUNt`21`&N*IA$$kzgUXHl|E`IK=NnWneKCWRQuI>R2c|jfye)d%%_Vuy; z0U`eRf&S%T0qL>c`Qd>{QGrpB0YBq?dXvKgQ-aeIBD0bslVZXfQlp|`Bg+$_3RA-> zv%}NUgIhA<y-NINGZKo@66!J%%L`NEa#C{(Q`0h%y0hcQi=wAXQVUCynk$lP^3&Uj zGb&4xhl(=lzvuT?7Zp_(R#xS=RTqFO3c73a`m6J&tMgXDWd%R;`&)~;>T8laz87_u zr*)JzHdi#Z{;2FKX$P10wUl=>mXG%5pG{Wg50($L*N*nqwYJv}3|9~I)eUwx*K}8& zj5HPWHZ^rNcMjKgbv4XS)Hn5k`-YlpJL(Tcz%3Kt+OEdU-j><E*74ESp1JOx$)3sS zo{^cpj;X%B-<^GPgXIey^YdL(!(BI%y$ehI4Wm70W4(Jz18vJaV+$kG^CJt3W20-s zqx1bw8~qo{!{@VOkH5w*SLc4O&u*+uzwP{5*;-gw`SpA{Gk>r!b~rb;zcjG4__DEh zw!V0O_WR{x@$-Ij`(*q6a`)tAckX6?`)2#~{$Ta)=>Fww<?Z(O>(%4??ZL<O_1o*- z`^)3s_Y3n_)Z~A08o^0g#}xts3F|)v5+WxL{~r;~O-4ZiZV3tx5tGCIgKz=@0stW+ zE~0L=sgQ-FKkwN)x|)%jS$04ze@JXf0kBbbSygVZ76`_-nw-b>l`Rz4V|M>7i&aem zw6e9?WW8I>!}rQaaVRp`RLKG9MCrwVY}Gs$&%rkCJwj`)hDVIgqKjL(vriwNW)?Iw zc!o2Z-9q17JuMDD_TS&0XdNE!^?P}E?yMX<94t(C4~GmI#^(yomh1J~*_|yfKlbx; zv93K+OFa+!KD52=j}v+B6H|}Z2hImd!)cWYy1k;$vk&+zTyAIH+oL<NTvM?;uaq{! z#2gJz+UH%dqP`l#b35NnOphm=eXG}}zij7W^YPq$O)tEXALuMSF0>5#>UlIn_j<KD z-Y%s?`VMz<>NxUsYHDi#&(Q3*z%MvhSgEPkd&gG5uCUoavYss%$mPJFF8(EO=6{ua z%PP!VFs+ua<TnW}+P#ksNgCchzpnD}`n+HM`IEn@Bg`b=`?xzid4x+o`w{V{FgG_l zY>$@qYNr2eygfTR`b_8(Ic^SNznJXTj#k~`?*gH~jz>Rcx)3s7KFOVKMgf6R&+Wb7 z?{njCL0SIb=lxYIs)OOJIK0^cfx$nYW)6>+Lvh1pL5+P59}q{yaJ)x<U&yw-5Bx4( z7RGu)3Ka`Ki(6a&5$k8379ZXI5age?^YFy>kWRA<R4Spv$}|LRbAA~Ri1l-Q68w<` z4L2))pC<smS_tLi8YcdG%E-N8Y6MyG^Z7m**z<gPuQSB!|GJ20l+Ww`$dt0++HL7} zIRotddplZcIfi~P-eeir8xWEGOfZZGJ{A=BF)?wtRkXiAsN@hM#vyIC9!&_XFhb&X zd5xu%N+1?;+28IDJ&{5UxLNJ*_I)Dde_q8i$`kbeVEPGeeOyeQ6@07z{2;^j{Jx(} z4a-z8C@&9TdVBevEi;tUDYSMI-^Bzp%E=@knLva8)BF@mX;hT@G*Bt^ND&*X1!smj z0$6V}8?`L-_kh99Uu$!;b$X8EoB6yMD>)pt#mQJk_kx%L7;O~(<ooLB*<7ikk&=<? z(Z$Wol`{j6{0Gv~9%{Yun}wsPyu2T>FzQHOr=G-dWbJy}l>(3j$eo-_*cmT(_c40X z>2y7*Rj<sQRP|!1#EKq~4V%R3iiPabE3=_{`%-a2dz*L!8gV&cQrsR1dh+k%a)^6L z93IT1ivY&pNknm%+=t|x-a=VxmTTkBJiKp{8EpiD?{D2%0jzyGLsL^ZcoxYOG{u)b zb&FhQ8lxXAK>7>u9(4vBSO4fZVKOpyQwWKn#6-AAYMM(NXH)T;n;Q(j0Nr?SO?gof zKns(AK=J9};Z<su68n+1{$lPg<$hgwI6=`=3H$lWj(%Ye6}^ck=1>nnNQgN{4gr}4 zD^LH=IB|fVsh>Q>%BDC*)OPIS2$DCyi~<V$I8Y!t4Sm?`Rkbl-v+x5Pglu{TL+{-h zrs`z@1@GGQHI=00C_Qv7&OXG+`HS!b5+Zx4b=bCXU`;6;mY^2}|NO!e%}8ug%(EAU z5`aZ{8CyN`P;S8^66si-3HPe^a4_)m23~g!3X>hJI51d*`TBLbAXmufs<PYVv1aXu z!e*CuF1JAr?er{gRxZB$4G!zK7q2sBxDx~G`~rr#Zx>y`?4G2|_xV4!x0ol5-|0wg z<AF2%7?E$rqiD(~vA^iZ1i*{bU)I!>l;FgnUnQNLFQO``d8XoVvLm`QP<s@kQ4vkd zti=VNWiS)*F^#nW{DcPZW6ksPSZ|mTP>}h%?eqO3so=xG&mN)9>)V6WaN0y%@=H3J zZI)}S=H#Z~vI&f)-F+59W^txu+|10$>d7KQn0o-BQq+u+T&nECLK3FRl%NVnK4$Vy z$E}{dQ7kOXfpC4^navRk>Vy!Zro9O$VO(5G=0>A1)2;wm5DvrH-mrq1g~UkfFEr8N z=rO%p8*d#ELs`1a88|7N3O)IhpCo`1ui~TwA|}j>^)`PazqBm8p`rFwU7h;oevIo+ zZXqO9<$JtBW>NW~)IwlHT^RoSZp>U`RqFchIZ><ymHh+Rmez6_MkWqyV(RcVVQC7) z2@h;<jP*>ME`OsCx)31t&5L;6g)AeZtu1jt{L?1m*QO}8w~pF8seCjavXz_rzcHx! zOg!h%ZJeE0P2Y>enYC>1ZXd%WD}oz#{j41>oe^N9qUPn8_R)Xz*a>Fh5R-4;w9DsR z@M&slG7>j9JS$ZA9O9OvACB+N%OR&I|6RK+dns$F`Z}JgRoiSp88Vx1RHkg(qN{UQ zAa5O@puqE*yLS>DEpsD-F)$>K5g9{!6ROQ*gd01JT4tsNF*xA?JA<OMrp4C|u?I47 z@W4pJCi6yVkfu*!JkS|$wB6Ec<6&SE%h4-Rwt5g=rChLCTJuAvOqU%>L6+fg(Lyei zEM<+xX3CH)W6u_^3cVoGWVF}v;^ls${_P=r5<jD$z|7J!ROE$?m#L|at@RHvYJdlG zm)lo;BxO_~RLg%6B3m?ZwUukFS7<KpXOd=?NAF=_6|+1!;32eQa~GV(K2)gEr{T0} zUUiv(P%Z~{y3LHE9^Kru4{yFs*(zxSr5B6=HL9w?gTHI^9l9k`GP1KZ%9nD=r)lgp zw$5ubV;N|Ta;UJWb>)YSZcelr`k|Ga222}KQ8gVQh9-WG3?oRbHGg}Ly|d)wm9#7d zuziX^z!=_J;Y1E<G6#-MFw?P7QdU<vk8yOH+bq~jA7a$%YO3WF(qL3b4>@D1Gw};z z5hC<&Zf?%a_0P<$oyLC?j-ez?9CW~@A?0y@l$|{$OEQK}G167j*Hg(YG}85{Bd}pR z-#EDHx)V{>m-WcD7(*_fOURz~_t&)#P$=M_#26kbp%#piF7xu?=B?3209iF5<4<PP z2K^2hW^WxCBIbeZ?9bm>mC90e5>=3pV1|dxQl*|vFnGJXZQC+zx0u}_&OXfWwwd7g zPNKt_2vJ7x8mFF;k%2nPF=mFEK2g4_sjauZvclZtb3{_4y}r)Fv)y2h?-D(lSjbR! z@p6DBkAg1CXalK=s8f}e395*w4fK3rSWjPPH(y<A?e7;!HBqi7J6m|PPUnRE<tP$b z7Vf+v!cSUwd}$8HZg+0Sbg64`u)Q5Lhye{{YOG(#i~4?z7o<&Rd{D-@#OVzl^!4z+ zom*>xKvWdcS^izlcKqOfiopzDSxH|@moA%vE>3~r!tJMm9JvEJ+BWW<8u1};!4uyk z1gtCxenv${2K!$xRumQtEUH74l~-0)mNb9wB0RJ*{9UjjVA3gQ_;xvAUumi9&P?cU zTQ3`5Q-Y01Erv-eSt~)cf7fpkOcl}{Dxh5RDXGoJ%fn;5VF1l#zxI>U;%f6^-4ptI ziA*Jotb(^fOIKA#2NUDhubdvU1*}P_d3x{hs5J)5RW_QU*+EL=gx0=jG*BUA$#jQ} z-3W?aHK7;mjA0F6T?<RcquuS3%RNL&qQ~H<i}gJ=9EBDVl4)a3Y9mIC_;}`cFtLu} zA!)<P;?y~NJ0fqaqJN`I^w1&MtkNgPyO(L0H2hcO9Q;JGsUb`R?I7dLM%boSokr8} z&`}$hn;pCTSc+E1VUDG~K*lATB-L_dH?iuf8m7zx9CMIN6BrRuc7N-*8P_%<re46% zhq&eOqU2)ziF!b?|Hz3OnVlzTHzJ`e*h!m@du@fgqfd4F@>1;3?#~!nLLXiFgaxQc zRzr;(Sg-2#jmxGP5rl&n-wXiO7s;0`9Q*pdy{<P;E0n#^0@@O;<o+;+jX=3m?7BYx z1!!CH^Ya5LiOB(62_C4Ak25Tn#)1L+@wwYT*6kmt?ykV+l5+h@4Gv8%uBzNcL>@bg zd8jNph8D?%<>h*k#V1aU%%W%)iub#FFSZ&<Hc>-#qp>Y%)O#n-Cu1M(l^}c~Up_r4 z+K^br)r}>0cL?3G=d8_yO`7nIb^@25<sBlB_F5b3HELsbLCP$d-#FZa%WTP?{dphS zyK3}df_Lx>o4-ZOV%>(_oC}k&FNDfdh2Tq_dDdK<6BCo<>+3`AbiDd&74|7WW?2*o zhlaz1maA?6GOPD%nRS_^>4EhupOR&2iTa)8%eL$5Z|X*5lasUQq8`+;m`~K#;dIZU zH1t8j<gZDM+w4-baJEFgzIbD%;?5rKH+Klvt6?V>XBtnHzDpCg;8U71(K6L>U~5}5 zojR-T{w-#@Vg=bETEfZOx_i}WiWw|Kvh;ikCKd%bou3JRp{%)6RvZL7*7u*>>pa?e zeB9pLKHTlRoe*QgBw*x)WlM~CNM=mlOj&ZNya0t*QG>D+tw7gek!nultjp|Il=qmb zzkbr(+B)-82%^Q@1!$=TV@FOWN#f#Yi<buZ#N<tR{CUC|Nc{R3gK%km+^U)!BGQ0V zjVkaLiFDDe65HUZCHh4h1K-SkWA?=2O;vh<WUZu3q_5QUGE5kwky6(tmeEJ9QRWos z=exlV_f9U(P+B}4!W{hi`rA9Zr+blrU#wNd;hY+D={DGy>2<w<#tm|%3oQfnZm*C1 zm8&}@{=U@|jCeKQ0nqp|$-CUe!c?Mzu}V}JjoeKAB(d%TgPHlIlW)}<0!-MRp36^c z{*=G^(|^cma&T7TOd#PA5&~!pphJK8)^9lU`Xdx9k9>i9TVKK>?{qN<oRyZ5O`(b! zM(7-TxnU#bjTF1>GZTTuJrfa@ZD6T3Fi2|e6i#S2_1PH|EsadN=YTBJS#>%Q6_eA_ z3e4>3HmLY@!eU_a)BmllxcKAov7AB2!CE1}K~qwaP?@6D;h>2pSeznK`nJM{5350) z!Y_a}Dx#AyjRKJmJ2sI|atltNtD}5ZU&2+&(Xm>w+De7Pqm8oD?ZmXYs(44#fAYG% z&9SYmjqBSHD4!dS(a%9sS5-C-V5-KND^1aqMO6X^nK+y>7HkggL<&NOaalQNF?oG3 z^QjdrgTd*Bm^*WeiHH~(@!(cp-duA+aN~4C!H;jNZ)t6<nm|g(7k~rhq$j5U_Swk2 zD|-UO5&5{Y`i+yah<(tvw|C+?Vmf1C_jW?&9#NkjPSmHnyH7WhlN*x*4CLg*#6s(g zw&s6rt|5vNvUsBW{gU*kxfBjg`BQH@v47A`up9Pl91+MGdU`UxT_h-TOZ)QmnV$wj z?g79{snq_HyWT?tU*5L!a$e#%dBX5V7KQ-pKFTdpOkGCs2d)I)_9@V)$LFlgx=E$J z^LrKV3(u62H_MP9d(0$Naw9h)Giwqu8+kGU6+3N+2sOr^4Ftt)7EipRCxd*g&JHtO z_ZTF+wCQdEobI9_?jOq{y*A3t&G&6jPftX=db)&Xz%8F^V~=N5*G}2|hnMA}s!3N@ zYWn0ICI(cO80m*c8slhnBSc7>La{IK*>S{&h{;CXYbge`y7ruIZx$<qMa5`@ugse^ z)*@-a{WsQweSH_z<tHyYJLR#{HcO3hDW@q=@P99zxN^e>cPrH~nUbke@ZxvnKwttG zAX-T#U-0qeK}^W*F0$ZY-ygLqUn$>*)6Jb^5xRuO3`vDj(dEs}B_XG)wylck(9pKg zX*soJ7EXOT4N^W$Ljx$8JZv0N%%R(ny+(CO*4Rt3V=Q#(l7&k35VT|&8jNUjAQ|v! z`Q;!c*onbcQf2DFf7!vP+pV*@skY|>>bu6<MfJ#5Mn*<?y&>leP$5^B5Ziyk@1#92 z5Jd|;WvmthDzK)l=^F~KIUrh;LbdYa(mbW`GqNAjkV-ieSwvsUtb>qHT|t?gq;!yS zFe13xAYaJCphw?mOTdYM{Y=#NEnF^C@@{^CTCG>JzK(^i^5tonmfeMVU~D^y(~EdB zd>aW59fkoWJZKb4dYcX^xoa)`9F}_TQdXQNV$Mo~0dz&DpO<hP{|=o~Odem}*xA|X zdTirAH<M4qRkM2iGF(|Unpk1N#gKMDy+tSIa(9<HFxbw-Kzh_Zu({?F-`$o8#O=V# zKvaQ>Y0D&I?eg;juo%u<W?kaK#=RsYY+{toS>cB$C~j>Dx!D>UA3qU&>v=PO_a(df zG(KA%T#!T0HPJ`~>sGSNLPW8$!vh{$Gios&M{yDow24uVV#A$k9`7jHLwoh1HA4yU zpvooYlr`qUh`HGLxmY=V{JUq0YNBj(xS#C|ZUw$x7Lxfle{^$py2q+5*TvHT3*HV* zf%-zySObFuRC%G(MEK7>X4wyjN?iiVe*}I6unO}>S;akj!*=zq4UVtEE>x<}<@|e8 zeFfZ`Nv1mE7wqk6jgAKTUT^O}_x-)UXfyh_+cO(fQ(KOB)9vN)Y-}ek-|Jo3k<a5~ zD#xG7#jj3(oT-BmcfKj|>3mD3$My_LiY7Hrg2Jg+;ZUE<%@H13Sy@?ZY1~P^5m9D$ z@VS0|8dWM3^#A*O6M9mJsD!$en?p!st&zc@btHRNcC#b?i8Bcig#S1*L;7o9fY^CP zor(DBNJQL6v;Ohs)@O^vXW7_DOa`G@3O<J5JAQnqRy{#P$CnXuU$T#vqlKeD0sk%z zdsao}nM4C3Qq2IAb%u^cyxrI~-7iG>Ew!Pg`FA!_QQRD+v>`&l$i5_iO*CY9z^m7b zHsFFm<6(I7uwb*Ft;rdY?)7mJ8XB5r;XX7{>C?wvDKo=Rxc|>WwO;SX>(I?mGe<J8 z-((mu>ln2l!Kt;0q(;OGjfskl6uBdF)&`td$afuesT_xbr~a#>PqO*Y*Em!QB|k|| zY++$RE)nwjbm^|wP(&f5!1tZk{UjR8DfkxHBLsQ24c`exRaYvoIgW7zpXsdaD+Lw2 zEe`N{dl5!W-N}V5v90|$BmzYeLODjb_j_GwEeJpL_5DPky91){A5?1vcKh7y9yCep z6=??Sdikgh^wc7Qmu<A*VX9EM*EdPUy|!hjFfpO}Js(03cb|F^+Y0$saTZpuuTEV7 zWsY`J{1!P}37?N|ziKao9R{Br@033OV!@9U2pRdXeI9Q%RH^5*qSbxD*Jk)V2Q3FM z7PxMJ+;J*E)#eWuEmtXS62_DKqK26vSNH_|hs~g>{PdKtrK8OeX27Atp3nzE!^`aW zw9he->?6AC;oHH@ZoL^VsGWm31&3H9#Kd-0QQ9l-D-3ZYb;=J`x@hr0$B=K)!W6I} zFR))&qo_RD@9U6m*?+nP$p~?kljX7JL_|3JdG2ZI^z}R0xfA+CyEP54wvmNo^wjl( z4?W)5w?bRCV^u_liKX^=gZ;uDh0H#lxsN3rQXumsN(m4tU+xo>QWsHW!&AdVNlB^p z+GtCYYVG&;cP-II+X&f*5Ovb%;Ys5mruI2zNVFH9G(GVq5;nKU_Ki0Gc;Xb`Yb7$n z(mF5*A!oaT8ol-UshBDnU%|}4tc6(R^;J0^IXeywc@O%V!(Z+X^pFrby4P7FrtE1S zcbx#;lq8XehiQyf+o+DnCQ4MxtJtzvtZaF%e7OprRA?UJtTB;&<DY`J!K<Pp$Sv*~ zn(5?-=aLQ6D1;Fa$nW|28=0Mf{?FGtM)geLx2J6K*wS@XHO*ntUp7}~W@hF{83t!o zSCKj>(r3)sD_QYZMdT&7CI78yX$<ib{kM<SRBdaAtd53zDk6Y#gl(^3=l8F^gUgPR zh*uwR?^j(U_3>tFaUDtptXl#Y;T0Z{>H*PWUzKbo4|F_2A)Mx*{u?4Ap>GaUa6z-u zS*>JeGuRp$8rDm?-2oFE+*Ta;qmG_<0fFG2kKb2lfq}1!m``Q@A}m`szmOQk;Y%nw zkreB7W-e{Is3qK2I*va%oVHfjNkc1R(W_R$N#7j8l9Vg6W?HYRVuGNM{0a>ngXo1= zxmka`?|E(wy7@sg21c2FF8}Qwu1pq$N9Y)iYx7lb4nZPgco3tRo<@m`R0%2bR{h2L z1rg4A6+cQfL0UqVMGF^4a{>o33PJx08LG6p`mXc!s^|0Ocm2Oz{(j;b#9vVO?F{EY zHJY1!Xp7W<U@f?fzpFdjF3_m0<&4gjuAs-3uBQk2OC%h{uZ~D2bWIS&;qSIB92{I6 zoP0=TfW&$|BwNHKS>RvP)p$5LCCFQ-zbzaB<;<Bh(cvN=UcN-XcEg@%RCJ1)-M6U- z!zCecu#F^HbEn^gV7!=;q^V7KJI@f2Fv?^R&}+-9hmARqt&G%qK0i)F%SMw%14WG3 zi1ZF#WDuYr=TJv#^HZC?77z@T{SrIj$f*ZT+viu%h7W&-gN40$;U}Hl1)`>oUEdA3 zEidC75>F?OSE(~_!VI%o5prbTGdIZoh4<K_E$R|A@$T_b+S1L(p4n3&r+9o!Ff{yN z;>{N|8ht2xd0pt^k7i=YoD_RXc*bQ5Cgw_uK`SS9!#><MhnASDAmUKWjWaW&2`#Q} zYPuLL4EXy|0f&}xSV%d>!QI4^K#lITCMJFk4<qy?^<WY+2=$v%O+^K5ykvz_yNHPN z7iDGAuUWseyU_QK=koHp{;-d+!guN*C9y4_+x6RTgRdO__^>(#GZD1tx{q)fA^O95 zA=OoMLE+0AY0_mLeu2oNwcBh~_JQYve?i<RL`FqD6c&YJAA_Ku__#eTP8~&^G*@Qu z_c>;6n9d%7d*c*-`M9kmD);7S&v0XA(5cC-U6<8kB+B|}NcE)|gC(|Q24!ktAyahc zOE^q;5t1n@B+!d8a+>A~dscAPL`lhco>=7Ll~5dUc_hlefN9J{ID(SX+B$RjI;rIt zr<W$5Xth*XT~qVRe--4R2!okEQx+c9pv?hOtn8=L&jg9seo(-RUlqV*GmR`Srh>tW zN+PQ`Gc}WHYhuYpG=0sAx=CnL{npd7b6dL==znut--{dR4sMy;@_C#7wiRZN8k0ma zWY!d#?PbKE&!tS~hRerIm4`Qg1z;BW>lA>VI}LBnJ}!<dPGWw(RhXCO!>&{(3GHHo z_=vj@)I+9uHHoqzhIW`)AQ))!+qQJe|Lvj;BE)-eW~OlbC_EIsBew!*&m8|q&PT-` zMKptUgy3}zzY7QJd?La`({UFcEX$7&m(S-(V|kd~8xhwZ!&%nLWfe5HBw!w7^7;4X zuYlRXS{svS5_TY}9y$@>#KF9kt-y($1Kl?|etvz3LL&eKB0FU6AO!s{9oAJITC@wH z=D?%6{PD_cSeJH9Thi>D9CpQQlo64ii|okpL{}TWjm_LbOV4wijyhpoFNd<Kthsn3 z9q~k%vPgPTX5{c;(10Rw^!P;>XR#t@Fag<XGOLu5=%UEzOoPFCidxf*Rg2Hv%3|{> zKc_vbRm&RJakg2LT<jBW=G3R(lf8H_&U$b^E`m3|12>}^$v3;N_IDQC0_>{jESQL4 z{9YwSE@H>5P=IK*2Ofz?#R2MpI%d7rb9q7iFWs;ki(J4Q$a&bz)trF6MY1A$lexba zQjXoBT@S7H=-kx29Q+(<!-(rsup~QO*Vj=OA=lS*#mZD*Y{W%DB2lR2&8!lNs5e@^ zwy<z}gms);9ra4Ktn$Fz$n9K(i2jd^$Bc|e+vSMSk=K#e=1-UjJ;&}A297K|92^on zQbODg7ACh`VRZVaxEMq@dX<46(jPS6G3gOZnjkQPL^#2BsY<POE8qaJmAXYH9gxuX z>w5}SXvS(y6>6=PQ)4sL-)XoN7ca*bp3C#1)-_{4!hZaa?ze#CA1E1=NQS_ODfL#F zgK|!zqksy5dVwvrRLwF+mNkwVi+DH_+H5d!wUc$w5n5BmFk3SxT|9BqK+(_ufm~|& z&9vyI?b~ZZj}Y5der$9O?;fvMeFyN$;uFy0#$ts<VUr9eu9ITWZ%Z|ViWV`d(SKx# z{us=E^K@8k_~=HFp4j=iMy?%;4qCHgCwl9|*07woy>&TYXtA5s{ie5`P8Jq6A~AfS zm?SPmD^5Km5rc&}ga8i(#O#X|HK7ush#|uu9zunLM~&riTf|IBT<(3^e0{JTG)+9v zXhF#~l4DcaAX=~?s-94^0Fg{G{5VM+7F~6Qopas|+y6-wEslwY2Uiihw|&n&1m!-b zvORi{oCHs<Ty4jd9}~$dviXWn0iLiQ>}W6;r=4wXA&@UJnX-Z;cw4WY**_R}QM5SB zw7gvF;^AeXW?`{bI=zfb3w&p!hn0tNjB2Ak-z34qqgGt$F~CNMj)+PAcO0-8Xy9(~ zz<6m)fsRYB%*BnX>^#_`=rH@7gT_|DMMb`6k!oMT?ER{$9u?+&Pg8Mmi&KB%kY&Df zOh)WSmG17Al<t)%Yr+?uHT?XrTZv$cL=CQQwbS|BWC*H3S?@Y?;^Llya2Ao_Li6Td zT+&$9rk<Rf2vTcG0+kc<Wu#~4WGCmQ=jNuTlgr43YtSRMGcqtJBBQgClf4RNN)+$? z$QpPjqa4E>(r&R4)3&pl*pYS8CgSjgo(LizRHkLhPPYU%p$&2e5s!u7>3B=0)gW&y z%}&cJBnNGonyHzINa<tCg6T})fq9c<gZ$S+!~!<aZ=>6_2N1!(LI)Yn2>Cb-2vLfP zyj$FVFKcKFI8Dw>q|h5<q>Y>F=&WXsvNuiagS^2t$k$q;s`@reP9<&jp?!UL!bRE6 zbLXS`!~#BUM>9&w9?V8PHWwZ4ov2sit7?no*6JLsE!G@4Tnd)?<=`J+@HH|qOC}>B zIhy$aZBqit<P3A><Rm!xb6!<-*W)5uF<vr)okb+5s$d%F0P`g4T#U!cie#ld;Qdtz z)$dkD`?grX7j?|o7*~U9z-iIVV`<6y6g;brtBLb3lfr<l3!6n8R8(BlRU?~`{V(a9 zeCsWHT6e6z-)xn(LU#`(k_5p^MFPF|PK8`oDuw2!la+6Kobeq30<!2oe*se84}wd< zrEo6b)KpNo1b9NSq2slqqa^REgnM|-1cO9rd9j3ErB!v9bw2GRV?DzpBZQ-fHhW5{ z=Ww)|FamsX6c$A|s}9%T@onV!#JFINn!5JqMw`1tI2ee;_-}t=ldiP8qMge~H1y)) z;Bsl=l1vAqpp$bFDnnh%>LgR2AAsm!Rn@+#rLe1-s$o*4Ebbqt{S2cT;}F4ibhV<} zz-uDQnHbL-=-@JsXjO~?62EO^Mn2MBt@V-#ikc{@fXJB?czD9o4IbiiBvBAGiImN$ z!ChSpIym1+oaU8vMyM|oWg#QDC72Y0)nj8&H@XtSgXi?L>rWh@N5xpI9hUlo!zH#_ z5Bl)e2|8_Ocitmo%z1d=gta_O%*?u5kyN3mVT30bLEfNS27(ETA8Bbn)yF{Q^rl{- zxI+lW!oH%2p%KOZvhR*(uWv2rCyu@Ex5sm`3VJ)i%z6W@7yJ-rFUm8)0(@wemX=5A zzsFCBi2C((V^jFY5*c{H4xJ=phE>h>iXJ^n$3`VeaR7O8HxJDpMj_N_bmR%BcK^O| OK*&fair0x6hx`w)ZVD3s literal 0 HcmV?d00001 diff --git a/tests/phpunit/data/upload/png-plain.png b/tests/phpunit/data/upload/png-plain.png new file mode 100644 index 0000000000000000000000000000000000000000..83e9130172984613f17af580dc899d13fe9c7608 GIT binary patch literal 9497 zcmV+!CFa_RP)<h;3K|Lk000e1NJLTq003kF003kN0{{R3M?7U_00093P)t-s7Zn{D z6(kxM8zCSbBONs*ATTB(B`6^)EGa=OC`d3ZJ~1m*H!v?aFEutUQZg}5G%-p&E<!Uh zRW~$VJ2GN4He^CNKRY^JIyi1VHgG^ZOg%eVM?5+@I%z;PbvZm_M>$SHIbT3LRzEsr zLOE$oK3+;bYe7S7LqK;%L2N=oaz#X7NkU>pLug1qaZ5sIN<ex|NKHyeTu(??RY^ry zNKs5kdrVAdPf2r3OL0<5Ygb2fTT(?+QFl^Pa#v4!P*QzVQ*BsLa#T@-VO3CBR%>2X zUR+U(URY>iPmg6-Sy@_oSy_NzSb1GqbzfM6V^)P=VS!;_h-P1bWnq17Uw3e2U1?y9 zW@dYETb*-cW@loTY-V?GW^Zj~d}wHqYiWjWXNPuXiFk8Zbai=iZl!W@ns{)Ld~T9> zZ<~H{e06h>cyoz*bA*C(b$)J~fOc+tZK{H8uZw+tf_<HTeWrwdm5X_ug@2HUe~5>E zxQ%+hk%fPfft8Mjn30E&iiNO~h=_}arjCf8lZ2_6g_M<nwU&)|qJ7Vnj-Zr|u9lCc zpOcK5lbfHDl$MaanT^SyiOr&upQDhpr;)6kmA9dmsiKj@pq8(sox!W1psSy$s-3s1 zp0cN&y{(+VtDViOoY}Iap17UCwxGPPtdY8;puMJ)x}&kQr?IxEsl1}OvZlbbrn<4F z$HATJ%c-5iro_3e$G@(&xv#>-tHQvp!@abuy{YNOv!1`Rv%9pr#jm`)u+qw}v%s>z z#I&utujR(FwaT)sys_TDwa>t|$;Y<7(Y?OQzRS(N#?HXH%)r3byTH-IrqjC8(!9*Y zyz$Gw)78PS$G+>xzvI=yx7WVN)5gux#?#cu$J)im(!uxL!R^<@?9a&d(8=!E(bn6~ z-P+Cj;n3LM)6>|{`0CEm<<rRK(b449!qwFI-PG&b)b#7t`R&yI^xoj<;Pmd|>G|T( z@#Ns~;QI9C+4JZ0`RmyG^49wA_WknZ{_ybo`s4li_Wb?rWQz`w00009a7bBm000XU z000XU0RWnu7ytkO2XskIMF-Ua7YY(IZT=d{001BWNkl<ZXx>ej3tZB7zsK2@o0p~K zB~0cVVj>`FRC3u+uxUMk7--AV6njdaL|ZL&)=Cqr9WQ8WYThvO*_;@7mXdCuVct=i zWm$+@ie+n4chu~%YIVLp+H+p#EBHdx-<!|({{LfUCMFkN&fdL0H*<Gp=KkdU`}Zeq z_Vir8IXUxaZgy^FV&dk+U9ic~p6l1IT)8rFXYT&wotqQzcax)c=D_|~c=YIxIrNW{ z=-a~V!lQ*JPoBMaiR_u>J7#k7&i%QGyAyMh6L;@V-h@MMUg^2ga}$U&U<f#I^UBT1 zj_WtCTq*9kIWc;7;`)`J?@YqGqv)S!fHQaJ&M5lt*~z&_PagdT@#=5JGtA7)<lMy1 zH-82d6BCn@@Z;!cFT8}$e;>Zz1OeB7xN?1>2W0$Ed!?siauR6Q?@Znq?YVj9<{hy6 z|1;S;I(q%?+}xenSwJj3d-meR%jXs$&;EwopPQSRgySbC@6N&N$+?-CiR(ZA42;nU z<e?wX;a9HI)}B9qy7qi6D1sk*J4WHXD?L4<ci`iJq|wRyfS7%<_~h9WB<025j2F+I zJ;U7pV{Z2D#EiwIfU&@C{s8Bp2Ri5c`5)kU<$Ue=)5yMppH83up|-Z?{Q0lW_tf@u z+!>whxj8wDz8=jk!l_RX1xc`g;57!qJ&SyE_dckY0|(Dc^qf7i@6&@jHpLwL>MJ<i zVqXEGxcKyuFTVKd^jX9@efrcFU!6LA_AHXqbG>JD?#?g2{PM@6XUGuc$+KsFzkY_9 z_!-3)vgkfUdSPL1@=k5-38^$g92Fk4X~&L(r(X*=a{7xSM~)mna^&E_gXu>Oe(~AC zy?gf_JowocUz|RD{w%n%w)WJK&p!LF|Nb8occkQ*B?T;=!%R#7V)E|&nMuT&yFc3T zjl3)`Uz(R09m)>~+_d+LBVVAC_rj@1_9BacR|jJb#vt3VW5;KoeRc#Co!Yl=YjF67 zJI?>{$fD-OYZaE)5O@I0AYa{|xH~g<ceJTlRg#vQcDy((Hk!@|4BP={Z35e|H)d~Q zOiX+XKn}*hyIV!*hppSU?@cc*FF28r8oP~4^Zv)_yKwN!SFcbwkgEA-PcRUMnFWwA za}x}5ze(L%^7*IfC-RTyWyW&pEKcCYfcJgCHg1ghkHy26D26YJ7e$CTqV$5A>hc0< zR;E}O&h`D^A79;nvh?zGFd#6%S;WlDnipn~rzWB9dal$q>s818wJ#~{M7~ri6?1)w zj6feBGGYKl#E*{$hb1QN6>(xj@$vBye12MuvaF_{pdeQg85vIZ_4WEk&m$D}C$H_% z{3GP9g@qZQ%%U>v`Qcojz9cDOcM`<DAU{7Xno9``CKH@o+{qk%d}4e|BG}$U5s2W6 z_Qnf&JV{Lr2+1!!k(3a{WBO9De%_z{vVaU?^8_h*wuDl6W&#Lvvon(&wda+C+Kg?2 zaB&7e$_olIqiKZTV1KNm2NOPcB0SR5_a?@Rkc#+t5l<j4P}dYxm*z{;c83e-R4f+n zzvjb#|M3V~+5!?X521g7K`rq5&7PY-U+<~Ca`vp+s7>Cyd7C(0nkUWAFV9PjruzpI z)_6K`5`}OoFw)ZzWP7|Qp3mb(Nu<);^70btv7{&-YmG0?!4Zf1V8;(o4U5nyA3d_v zB?j75PfrI#1NugBaqWnyB{|HE6`6*-RSv#Ri4F>3V`)S__(>9v7!qJuAUqmf2*|Y3 z(i8g<MFIhx;<?hn#*?z<!~ecNyYTYmlZ7Xb79s8^Cg3jc6SR@D#ihy-v*P3~8ZAUD zkrtPi%d5+vUIg?Y8c&GMPfL?Z)6<X=QOrJ3G@TNWxNqOS<Hr*d62gUCI?mq4W+je- zU$f)N0zeiPXDzW`gkrpY1!WZ~>*K{uV`fFhw$Kkk#fivU@@jcmL0(EIm(B-A6{lNF zlDHipqIjW@<r^##?c29~Uwo997sSN5*;-kzw80VZ|2RJjQc(04pDjX6pp&03hOUGd z(&CEIv8t2X*3m)}(^2H*O0~A8CMzs76dWamw?IfD3d(jAc@f)}6})|4f+&J76!G~) zob5_0D{E^UevS9uD>Ji*G5fl$oJXAxdLP*F^!$nroh&)*1GhE16SJhCL@ifq^YZqD zMyG+W;(Tdt?r{kOM~Ko(EaVWVzHC016&xYp@wrT#?K@UhRx2E^Zum{7dgd0U5a!9^ z(n}1IQ2g5RrTL|`sx!%(SFN;NBZAMJU!_oMwOU!`o=j<eO-(uao8#$;iAnKE5yHeo z5r>K=@q<__Ulxna4y9vP0K>|51<nmm+E+Wd0OMt0Zgvrr6d!pFut+J8E9F_qv1{L3 zw>c^?Lz-KlP-yi)*(1|x)!KXzBb7?Tk_<^Sa#swWMx!u^6fBlXr81dBs)OwtRx52+ zcse-yCDwL8>5a}!O)W0I#GrT-7nfF46ju}%mn&7W!<*N+*?LAvQUFq>&>9S8vo^P; zSKFsn*W{NTm!^s16BD5>_ih&nxfD2_>WlTKQYn-bwpQ=FVPy^O!r{GRV2Ji~bXex` zGt6sGRe+VA$S+l@tFpt^tXyurMv|79nN_CMnx@SrZB^gwtX7LECtsQ*6eU_r#OLwp zSSrB-PjJFwu?`MaZve!~*2cvNN7}SE{fqNwJ32;Zp&&8;K>!3^^k@}_!&WVS$I2}z zF(V_Zs&U9Py<}?BYR%>mty)%7nx7^Sr%1$c5>zZaJ`)-V!QS59(b2)q(c0>bH$aLb z9*@Ir6eb=yb@ocn=pT?^2$Ek~Q(Rk7o1b4=dafC2G3?#t@4WLtP+UrOnP$igrqPa> z&3%1ZZGKIjG$Rqk#G)lWh)AV)dN?|)SP5llvkVx^maTx+g2ghn#>5;s1-rqW;n_!+ zQgA{|MMW(L0hm%H&yHRD?((<aUb$w^;T)OfmU(K*G^8C_FpmJG8TyP=l9rYZ&oszm z4wcHL;#OE&+t}DGvwG(ppjg}6IXU34WEgUZ$B&;XuI>5d4@?aZN-JssQVLnBl$T|v zhOK{h`6}C$+cIR?+P1;LL6c!nuOI8v_Gy(h1<-FngQbOW*g-rVpXlyn2QqBzY%K0t zX64}EfWr|30%BlXpE?fx@E3qsC}8EKHPtnFvcr3Jee%)TwEzlEKUvq-rZMRCed-Y{ z2&t(lttgdBk`P295pp<uQ4ELSW#`~vz0AgX8FCjy-Wnj-)jt1-iHCuG@YJWDp2E~r z0Hvm>si~s0q`VsDXkONy*gavpK3@Co%5AA<T6HZNeQU2ujjW;+3ME4lCq}JBB;@nK zVSyxqy@Neatp7$>J32WzVBK8<Hf`FtHD>SL?b~+)q@qcw1WHYLO|`tLy1FbYGcz@I z&z>-llbl=qjSj3`*Q#n(LYaV1AsT6W4<-VFACV~LvAqdSc&vl%GAo3zvRY<mZ|CCR z>F(nSBOCUCi0#|sF%?a<9UaYJH6>pwRgH};jj|kBPUar4*woDIGPw#mi%xy9Nr}Yf zAJ0$!H2rvDgh&W844N2^AI!uO30Qz&-mwL<wpp=ag@eax1o7c)<clJ<Z^bm#z<(>% zYLHT<P;^79s;n%R<rQRQNwcyF3QFYP=(HAVhKjE}UV0q0_U)qW+xI2HM#1NBI1Dm5 zkm81pw}Eh2J2=|dIJ&@6;O_22=4{-^501bnmC9yivr1J{Auq2|bT>9?v<hVv3XQZN zFR!3XrPJtpd;9v^w9QSW`6nQ^j_*s{EriAbbt2+(`1~MPXFNPSAgLT7AU2M64)*rW zF79AHe&mgt;4d)Xs19{=FZiOST&YzwRyH=Oo74(9Y!T7|m?$c>M$^~VuN~C)HC30O ziE<+S^YnNztVS_HUJzf%-$)MhaCi4$dN|mC7#n*#TSq5?i!0gP)pd0MTBZ1y-j3cT zg}S*Ja=50tK>=-7-P^2F$n$_uE|)hnbU>wRA^3ed^|`#PTm*sP7@xE^hR+l7gz@Y^ zA2QQ}OeBIBN9%X2?d%*J9i3cU0pYs(eOI5rO#zr@pg@C#1cRnh-5{5%<gG1QEl4RZ zuP*;arBjbwyQbG`+uQq8UmwfM&y_-UB}x+aCGdqP_(CQrfIuPokg?!0M<)ks8+&^f z$YMlsc6IUd3Gms3>Fw)P_o;i;%JQ=6CZ$59Qpqp2x3nl!Fk0mD5|vJ;AJh+y>HFJt zs_K$s1ptvq(vlJrA|WVzVLYEoWN?^_05TJ#xH#K6SX(<dc{qAFxjMT5$i*G94Aa+V z5z+xI5;~VkAxE5kO^ZTZrIJ^FbD=@2H4K>UnfeX=imLp4NH|zo(j*B&p*WrolU>N? zaOsdlL=V*NU7Z{uvz$DfK$Z(UToJ<ul)yMrRy09KAd^+9vIa$!Lf@imfy~t@)M{OO zm%(5%kD=aDDLs)_ke3THB`HZP5yyu|@L^|(=W~c;B9-jof%Wuoa&ZDzIl4eJJX~Dh z;o|D!hak`}s-cB7RVbBe6cUxLzkgt`OQX}Z!mo7t_Q9#y;bDDyt0F5GtfU|V7)g=h zIH5o!Lc@zsBoVPVEWsU%b;84!oukY9tKB^;6nA&m_c47V(7~0cOI9>Bs};%%7aAHM zCS3!A(0i}lZohpAp4Y|(2m9OA7a_ZHVSmp^NlKC=h{XxJ!};+s96E<X^1x$31s3Z; zKuWMKt6g1?xw}A)xng?Z!$PBnkn}VGrCHf<=|V$GS66?RzP(+i(CIE+YPfy-x1pi_ z_V%VKS#D`fer{GqMjB8ewr=IKIe|nXhe-0LdOH)aR3dzSCy0i-E0iJ%I~0qLJ4W9J zJ-oW6;#@^@M{jSdPOE59G<LTmyL9PdtE!>lLVe5dueWcvx3@Mo=VhHZ2P=GTR$5X@ zoFHOTFq=psvzR2J2LX@8lE{H%vbzg_5Cn4A<+Wk@^<#RiLZt*1y#Uecbc%+C#>RFy zRM+0xa0zrZbPX7dx39IfwyMetj-5RRWtx?dk|5+UA$h63enbj8IGDj;keD2L5a8h9 zjJk@uiv{E1g3<O4_x0&i&Aq+q-jR{9k$zoEOG870u3z8M(B9e#LK-f24g3a>_Eyz} zvXb1dYs%#1xf$Yw_+W;AFoWvp$>5+qN%AN8Gx$6v5li(TIwMcHxHzwNK^RPHyYA9O z=#k1^sF)EwFysyL3yQ9mf&LanJK*XsU%q<lw`sFcue+qGI{7)wPkAoHJ~E2SB$2T= z3N0{@3^5^*2_!Nnf<Yw_+}#OI;4XI;=l5NmSG&4nT6KyG7nIGtJr%v6#5kzeLBDEH zw6yfM_xJZ3I$K&A>o4DW@L+cMQggdXo%Q+G=c>zdb0sN};Vdc+a*9ax_9kG7R9^}K zYM(;}2$_r=<_eKtz1ospty*n0bo*x5!=RxL8u~5XYH2}~fx+=<!@$7ptETDs;o+u> z&1%)LjFRe-0to!>a5kHT!{Vt_5-gD<k{6BQOJ%Yd1TPPwmpg&z?&XSt;^GWG!@%5A zs(VL!_3GZ?kwGYq_LfFXqe9o--qk;F@3-Hl&4Yut$IVMq*Df_&Y*ijRR$g5KNt_fF z9umaz#^bS6Mlg%+ALtVhNTSoJRDutYNhT4AWG^2t_t*L5ih*z{dqz>r^?lcFU%hm@ ztFx`X{sN>``|Yd7-<Fn^rmtQ#&M!@yS{f96%6#d$e}4^E5R%BP5dwd#x3f15I%FV; zLLySB{_bRwpZ|x!0bV3fgA74jS7W*w8dObCAswT`Bg2M)t6iNxc3r+)U*A1&88Yia zd;5h;gGTex(<M{CR<EuuD5?4P*C#S^CBn$ykTrN5-i6=`7Z3z01ciXd6G-4F0+GDh zmFxv2<L*jCIfl__RVrogC|sP5=#BjYnxP?$rm?%byL0GjebLUH8#b)j@cG55rN@t_ zVKyq1<t5)JOLFt`lfuKfEGi!7xx(JsdX2remoFB&7nTZ90*benA27Upd>}4f&hD7* z76pv?j*i|DqtR#>f=y1}-#>I~U|{I?8#liDWc_;|@Bd)y*Td6G5Sw9Dld@W=F3$jn zFfs@r_O_O-5%$Lwj*eIy4(E%7aIE(8BDsUVTmx2v8W#elMbS`I(S#f}GCVdgG^igR zGD21j-MV$_;ltm5`tF|}eYF0)HM@0-Q`fGIC@-G-=3*~gKS&e8!x<!;gUuTl_<CcR z^$JhCJy6^|sD3a&JcwwF_<04qzuLpe*#*<7Q7D=^Iy(9w^kYVoaTuQC<5$PWe|zxY z;RC?@^zFA_{`2Ew!&6h&hWlE-Id`$S9H!&H*x^i^H7uqW%$pdimG;iA1VnN1pnALe zktq~+fRKqEWRL<CuTeBq%bS`&$k^D})U~nUk?}!LGH!bC`1i+8pFVy3`0<13p9)V7 z-<z5m8);RRG*{<J^QH0OME@1b0Du_w&dwgt<UJg5&QvTM@8>~8dRDLY@$!1#9eUSb zUqeX=v_}Yv8KfAEgIBK^hPnpEA$uSG`RCK;e?5J?G;J_WEzXZ!8y;4E4cjWZu@~Zt zw^{}powcolqn-0=M~FByVkd$>fed>cAl?rQ2q5}+`B)(BDpmEx-sYa(!7;OO3Ml&a z%L4-gCe!qThfn`{ZBLh$UO>Uz)2my*{`$o6#I!V#FTr8O3Yh2)o{n&~vmLBKcn>Tj zF&+%Mm(OalkDoj6i0)8~4Hs0<y1+)X=6hg+R}GzzTSL>+(@T#5@aom`zg|I2f}VT* zI(6xZ6L5j@FTOtk>);5x0wk`ZJ>JO?=LnZ^SbIkTf#5_Sc>DQ44wK=V1)^)M{^lEH zhZ+KJhIPSs?^n}6_rSoo2`KX~5ai{nSAV^F@#5vPMdP4We&Tp~Qo_Ei46@g1R|o{E z4mjK19z=NHNhA^y0>O9ngXZG*zK^$`JJ}V}+3@e`b0DQ}Y|K1nnl_IA_WRJS?tyN@ z_;2%1|NIjO$eur6dNKd#-mt1vnzj$F1{hc>*3kn?AYeW4umRz4o(@<%g+iuLp|e02 zMg~(7mP?=a1KcrPs;27d8nwE&Zv?__x@{VI09ANn=<2|4k01Vty!AKb@#3#zI%T;u zEs_-+L4sjx*-l7!oHGO*hb5AzFer&ce{X^}i9jL+g82moFo+~~GW4zs@-nz|fJr|# zrXQR#nudmM-1xq;yL)`;;qyQL5AtGuX=+LVD|cFa2!rV1<Y*7qY%op`1dAnl`vnFv zhzv5xm*f*bf}TkRh)*DgOs0B(lCFlTYB{VdBO@bI`mt*!lWBbX)~y@ex5gj-KP8aI z=IOEK5?JgKf{A!LNGTlN3lum(;PF^I$&bt+GpP(J)!Q$C37X)#B@njo_n{<-7)@hc zW3?Pn`ub3v44I4%4C4bgZu~g@5Q2gzDEiM|ESb%Eby<E|l8`}$_018sYlymsvm*{? z?~A4S6PZjlolB>BlLI*%n8-ooV7NZ=f!RXF47GJtR+S+N>_)K74H|}q4E>#*-Iu$6 zefaR<U#~2M^6D{66iBYBth9tk2Hx4u&d$*uD#Om%*$cWNmCj@`sW2GXK}<&AMvy^< zXJ7!h5Y~EE%&oS%N?BEPlL{as#xdit;nvW=<?gzohWdI$dHPxlRLQhyL|G$E6Y?1Z zK-f7!tHMH|dr_Gzb`TdDKNYlq!SNekKR0e92Y}B=n6@A5&J<NuRcX~)y?)9xIA}B& z$8UERet)vQ{?_jge}DSa68EL~#i=p9JU>Gs=J|sV8%HqkmzyV*LT3jvC^X!fHEU=T zki^)?iP>m@kT-6GkWi_Z&bIHWihu$Oe4k!#fGIyPI55!t<9FY~bbJ7@e~4oL*ZjT3 zsgXVi3A)9Mw|h--f(sui^+P7j%?*c#QG%s;QqV943I}P~7>H7iNJUC6R~8jk$`uNT z30&_C0;8*|^Sk=*zW?#ouTTH{{poXnJf5F7>lNivi8wOE-yU5V+JUz`yuF!he_yw? z>nLj|p1x}+zP=0whX*3ix`!+fR%IgQ*0<jk6&4j0odGQ%Mcc0dF^29RfBX*FjR#9l z0rCR;wKP4ZEte*Vg+cy!dmGT=g!d*<S)sIb;3OJ_MgbKRUq&#S&HFzDcr1`eC1E<d z>k11IrAi49t){ERU^EP9UsJyS{_2CJ$B@T=L0>T&Tjlvl2?7Dp4#usWle06P8N{W~ zL+Lb{uP@DQou?;-#iR!X1@ZYj9?#-04wK06^TKr3*A?a*&5_BfR4O$D#V}|ZG@0}* zuuA+0cH<|Yyh34lzIadHTAdWm<53|Z_V$imUj8gPokCy7^`-gx)4)85EH0PJL-&sO z7BPVwHk67FrXF+@=Hz4pMbW1lG)|k0V`C<Rp{ujA?Z=;f{Qjp050>ViBgiy3vn-A! z5O~@{MC=FzKL(TK%MySNH&3jmrzed@r*OGJK}ZHrP#!aw&{(_><ml0yoV?sJ$S?@I zSqqRc(-3UIZQ!!+Z`^t?Z-FcswOVz?HeU*T1$Yatr@R6fOkY+gm*xfloF{DFv`~5o zI|%s--Jc8&4(32Y2QtV2Da!ux=%JIx4$EXvDt&tBEwIg*#s~W~K>7aitsAC!G`W^^ zEh<^8o2}bQTPquwxLza%v=J_gwayL9)6<ti;Rb~Sg`f*!Faa-kBZti<1~Qm|n98D} z?3_b~_U}K89Hxg2Z*0t9HX6nanzpvi?)uADZ;V@%Opj>QsjIB4(0$ouc1{EmmCmJw zgs@mN1ffuTS-~s;3c2N;IvA>cHfqfbOhZu-Fb*9`PR`8ElWSpTF&oYBFb>`tYODLc zzTxt%-+z7a@~^)Zhjp^G%intY%{SkKZ4Qc%9mHd^gPC|=DqJ>DD0CJ(I3%1G!V@4Z zLHuxj5Sz^iWHQM_3`8Ad?BAc9oO&`(u0{iLY6|ui(}2DoR`1IV-9r!Nm!3X<Vb*J- z-+lY-w*Z29!_Lm1$>)WG5W1VEFKsQ2_8~hYJct|459bMZ@Cf1u1##&?EGD}1je$x$ z35=aPcP3}%mA{6J!HPAdzcy%q(bYX<fMNgq@%%kw<=VF_LXZ@H4qFf#8p`F;Xlp&` zY;GtwC_Fq|0H0qV017ezo5KJp&{;6qIVTV8KeT`6uARxLnFVsWR%;%anwm0BnGME4 zxYRNXjT`UXd$F`QKh^lryKh;9y!qxzQZSnr9lDJh5=skOM`IxfgaaU;L=cVC1aU*4 zak3d7`jIe4PeRl|$Ih@_+mchW&S<rI^Vrn1**rCEFle>fHt3mSvrCKj7MINbeD`fc zffd_<!4?U5JZ?BEbR9QrGi~!`I6X2_5H1o5ggkhnUvfj}FajWnG4(k`hfcyJ!mce_ zw(LwkTn4=b-PATOngP-Um)V+r<J2FZZDG;;?MH9DgS_>&Z4fvmIy5{ql*J0$%mp3c zyzuad?Sk;|D4|d!vJ?u`J{v*;*WQ?-B8dAZJGX>|Z3){In^{z;F_@-*n}^_=O@_h# zmiCsG_G{OM$Hw}``n3N9%3E)}wJJ227Znv97akfGx-Kkqn?MjLh>VH~2Psj)s7U@M zq!K9!VY2`dfI&5~^OH}uY}m4XL)fm=ELmkgr1112QUfciR#7Eawd!DFQr46fr|tRZ z?RVGGLTRkXsD!AfNWo?SJi?;GMUemzilcc^(E@RlC?W!a0{I1@XHuAC3`$^#$cFXn zKi;rmb8Jd(SwGrP5o6k99@Ob{RSi{DWo2@$JY!cV&271@gXapj*r?sR#p3ALXrv%I zN*Ea_7K;;vh!h>gkJ}y*Dd0!2gF>JyQz`zKLa4)?`*&{Hu>QRbNXp?e+96nr5M|nI zG8_B56jf)+^73-!Dz$9SS~pwUl^=wJ#zn>LPLM=LCqyO0MT!#=#0dxjFA~6uLSZC7 zB8ndo9K;R*2o8%mbkq`(kJrEV-um@x!(xx+RkaP7UrRAh-5b+t8>`ArW@R1ADyZp` z#X{L}1<`Thgygs+i9`|?7YC<{<KXl-!~%8EQQ*hzk&p->P^)Y<or;G#LEicpBC^VD z!@96t$tTaWwHZvHVa#X&8T;F-&gA9Ea!zLEmuK$Uyg529B`z*$PwMWBlz;szDFsXd zZ-}=g?A{$07bQ;EzFiaviH3@i!vHB1DkcZ=7qS<WEPrp+`YoZc*)lm4#}EYMHN#+N zfuNv!>xWY_vNFL^Qg)|g!1v6IjMU8Bj0{Nzy32;-h@;}-qNC%YP*w<_>#(@~Y}ke| zhYo?SwrpAd-YS5s4colya5gy10C7P{HV=6`)YVnjSS8EL%79a|kY%PEJC>E1nwgQC zm7ANDl_5z>g;gmExhpCvP7Dw*As_lamqnrDsF=e2A0x;X#8|azLs)EV%Hc|ISQ|8Z z1ImCQ!%!zInU!a<vk${KfE>tz7g>2ol&lQh)z8gLO_6}#Vq;TdK}TE^O0p<n2rrz= zrNcb%#2h_piTlUkt>plL(1XJ&>l!;XT^bFbpn0`**4I^4!f?yZ%91Hy5tPYfSy|bc z$1=0Z<YjrXtPJp1LQ-66EO4T?ZG*tT7eJtyanbC@<QzSEbmz`bP<Aa}zH05db-NDl z$=OrXrfF0(wzX+Anl?>mou;y=va;|D94?nD8X*s4<tMX_9m~!wm&?ntk^j<CQsQ>) ziB641hB7WefU2I&3*{2&nCwG2XlNbSxqkinPY!(YNm%lsJ$nwwU|<$iHo|b!bavI% zY3j1iR2EhhR#sLj6j}wC9DtyqpuDU~mYJKInUV5&O6soYROGa1l-MZr0zr@fIwTzf z<NYKIuA@f}d|8;CYv`7w0004?Nkl<Zll|p^qq3t1a<Y??Wranu%0{rd`ntNJoHIpr zg__DLMWd#nMO&$8tAuHtC(A3ZD$6SXZ$Vfxl9PAEiBmuc2$6^rB84znHpA%hhwRG9 zKAKZhSpVI(bw!1;FAFQH&g2vx*tv5L>`6tizZMl1HdYoL&4CRNAvGFM0`N*%ktOWq zWhezwQ!`VNGE!nw5+st;<mi;Rge1r`K@@LuXeiwmvmctu$(+KvHe`mjPKYlY``wp^ z_9yS!zaKtAVNOwHAuLTfIfa#7^^KZF4GLBpP-G>tyu2z|6{H<-(ok8(CGAd10fsn5 zEKY$`i;522ypDx|(OX!r>23qZLoR7<)xm*<Mc=mNz!=*ZyKB$k{fCNVIXMSFS9W1z zW4*QuQUWCeK*}p+d1dk{8Omm;l$5ws$Yo?HVt7Ip#0g+PdqN6>hM}Rhwr}hD`?V11 zZ@>NW=+R0|Tj7B%Tf(;OJOE?)P|krpI}c}PXXjMb$?6*$!CP93l03+dDmjGaa7K#7 rQe)$w_IIPm$3>$RAe>9_^|bz9f+Y_qA&w4g00000NkvXXu0mjfGgw$M literal 0 HcmV?d00001 diff --git a/tests/phpunit/includes/upload/UploadBaseTest.php b/tests/phpunit/includes/upload/UploadBaseTest.php index 58c69e3229..cafc846e9a 100644 --- a/tests/phpunit/includes/upload/UploadBaseTest.php +++ b/tests/phpunit/includes/upload/UploadBaseTest.php @@ -585,6 +585,42 @@ class UploadBaseTest extends MediaWikiTestCase { [ '<?xml version="1.0" encoding="WINDOWS-1252"?><svg></svg>', false ], ]; } + + /** + * @covers UploadBase::detectScript + * @dataProvider provideDetectScript + */ + public function testDetectScript( $filename, $mime, $extension, $expected, $message ) { + $result = $this->upload->detectScript( $filename, $mime, $extension ); + $this->assertSame( $expected, $result, $message ); + } + + public static function provideDetectScript() { + global $IP; + return [ + [ + "$IP/tests/phpunit/data/upload/png-plain.png", + 'image/png', + 'png', + false, + 'PNG with no suspicious things in it, should pass.' + ], + [ + "$IP/tests/phpunit/data/upload/png-embedded-breaks-ie5.png", + 'image/png', + 'png', + true, + 'PNG with embedded data that IE5/6 interprets as HTML; should be rejected.' + ], + [ + "$IP/tests/phpunit/data/upload/jpeg-a-href-in-metadata.jpg", + 'image/jpeg', + 'jpeg', + false, + 'JPEG with innocuous HTML in metadata from a flickr photo; should pass (T27707).' + ], + ]; + } } class UploadTestHandler extends UploadBase { -- 2.20.1