| author | ymh <ymh.work@gmail.com> |
| Mon, 14 Oct 2019 17:39:30 +0200 | |
| changeset 7 | cf61fcea0001 |
| child 16 | a86126ab1dd4 |
| permissions | -rw-r--r-- |
|
7
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
1 |
<?php |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
2 |
/** |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
3 |
* SSL utilities for Requests |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
4 |
* |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
5 |
* @package Requests |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
6 |
* @subpackage Utilities |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
7 |
*/ |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
8 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
9 |
/** |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
10 |
* SSL utilities for Requests |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
11 |
* |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
12 |
* Collection of utilities for working with and verifying SSL certificates. |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
13 |
* |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
14 |
* @package Requests |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
15 |
* @subpackage Utilities |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
16 |
*/ |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
17 |
class Requests_SSL { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
18 |
/** |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
19 |
* Verify the certificate against common name and subject alternative names |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
20 |
* |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
21 |
* Unfortunately, PHP doesn't check the certificate against the alternative |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
22 |
* names, leading things like 'https://www.github.com/' to be invalid. |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
23 |
* Instead |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
24 |
* |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
25 |
* @see https://tools.ietf.org/html/rfc2818#section-3.1 RFC2818, Section 3.1 |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
26 |
* |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
27 |
* @throws Requests_Exception On not obtaining a match for the host (`fsockopen.ssl.no_match`) |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
28 |
* @param string $host Host name to verify against |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
29 |
* @param array $cert Certificate data from openssl_x509_parse() |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
30 |
* @return bool |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
31 |
*/ |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
32 |
public static function verify_certificate($host, $cert) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
33 |
// Calculate the valid wildcard match if the host is not an IP address |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
34 |
$parts = explode('.', $host); |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
35 |
if (ip2long($host) === false) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
36 |
$parts[0] = '*'; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
37 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
38 |
$wildcard = implode('.', $parts); |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
39 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
40 |
$has_dns_alt = false; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
41 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
42 |
// Check the subjectAltName |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
43 |
if (!empty($cert['extensions']) && !empty($cert['extensions']['subjectAltName'])) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
44 |
$altnames = explode(',', $cert['extensions']['subjectAltName']); |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
45 |
foreach ($altnames as $altname) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
46 |
$altname = trim($altname); |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
47 |
if (strpos($altname, 'DNS:') !== 0) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
48 |
continue; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
49 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
50 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
51 |
$has_dns_alt = true; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
52 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
53 |
// Strip the 'DNS:' prefix and trim whitespace |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
54 |
$altname = trim(substr($altname, 4)); |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
55 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
56 |
// Check for a match |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
57 |
if (self::match_domain($host, $altname) === true) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
58 |
return true; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
59 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
60 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
61 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
62 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
63 |
// Fall back to checking the common name if we didn't get any dNSName |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
64 |
// alt names, as per RFC2818 |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
65 |
if (!$has_dns_alt && !empty($cert['subject']['CN'])) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
66 |
// Check for a match |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
67 |
if (self::match_domain($host, $cert['subject']['CN']) === true) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
68 |
return true; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
69 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
70 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
71 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
72 |
return false; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
73 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
74 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
75 |
/** |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
76 |
* Verify that a reference name is valid |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
77 |
* |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
78 |
* Verifies a dNSName for HTTPS usage, (almost) as per Firefox's rules: |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
79 |
* - Wildcards can only occur in a name with more than 3 components |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
80 |
* - Wildcards can only occur as the last character in the first |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
81 |
* component |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
82 |
* - Wildcards may be preceded by additional characters |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
83 |
* |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
84 |
* We modify these rules to be a bit stricter and only allow the wildcard |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
85 |
* character to be the full first component; that is, with the exclusion of |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
86 |
* the third rule. |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
87 |
* |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
88 |
* @param string $reference Reference dNSName |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
89 |
* @return boolean Is the name valid? |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
90 |
*/ |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
91 |
public static function verify_reference_name($reference) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
92 |
$parts = explode('.', $reference); |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
93 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
94 |
// Check the first part of the name |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
95 |
$first = array_shift($parts); |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
96 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
97 |
if (strpos($first, '*') !== false) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
98 |
// Check that the wildcard is the full part |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
99 |
if ($first !== '*') { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
100 |
return false; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
101 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
102 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
103 |
// Check that we have at least 3 components (including first) |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
104 |
if (count($parts) < 2) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
105 |
return false; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
106 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
107 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
108 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
109 |
// Check the remaining parts |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
110 |
foreach ($parts as $part) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
111 |
if (strpos($part, '*') !== false) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
112 |
return false; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
113 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
114 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
115 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
116 |
// Nothing found, verified! |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
117 |
return true; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
118 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
119 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
120 |
/** |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
121 |
* Match a hostname against a dNSName reference |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
122 |
* |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
123 |
* @param string $host Requested host |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
124 |
* @param string $reference dNSName to match against |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
125 |
* @return boolean Does the domain match? |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
126 |
*/ |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
127 |
public static function match_domain($host, $reference) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
128 |
// Check if the reference is blacklisted first |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
129 |
if (self::verify_reference_name($reference) !== true) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
130 |
return false; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
131 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
132 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
133 |
// Check for a direct match |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
134 |
if ($host === $reference) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
135 |
return true; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
136 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
137 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
138 |
// Calculate the valid wildcard match if the host is not an IP address |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
139 |
// Also validates that the host has 3 parts or more, as per Firefox's |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
140 |
// ruleset. |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
141 |
if (ip2long($host) === false) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
142 |
$parts = explode('.', $host); |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
143 |
$parts[0] = '*'; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
144 |
$wildcard = implode('.', $parts); |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
145 |
if ($wildcard === $reference) { |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
146 |
return true; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
147 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
148 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
149 |
|
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
150 |
return false; |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
151 |
} |
|
cf61fcea0001
resynchronize code repo with production
ymh <ymh.work@gmail.com>
parents:
diff
changeset
|
152 |
} |