| blob | 1782804eff154726acec9b065aa6ed767d5979c0 |
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5 /**
6 * Manifest Format
7 * ---------------
8 *
9 * contents = 1*( line )
10 * line = method LWS *( param LWS ) CRLF
11 * CRLF = "\r\n"
12 * LWS = 1*( " " | "\t" )
13 *
14 * Available methods for the manifest file:
15 *
16 * updatev2.manifest
17 * -----------------
18 * method = "add" | "add-if" | "patch" | "patch-if" | "remove" |
19 * "rmdir" | "rmrfdir" | type
20 *
21 * 'type' is the update type (e.g. complete or partial) and when present MUST
22 * be the first entry in the update manifest. The type is used to support
23 * downgrades by causing the actions defined in precomplete to be performed.
24 *
25 * updatev3.manifest
26 * -----------------
27 * method = "add" | "add-if" | "add-if-not" | "patch" | "patch-if" |
28 * "remove" | "rmdir" | "rmrfdir" | type
29 *
30 * 'add-if-not' adds a file if it doesn't exist.
31 *
32 * precomplete
33 * -----------
34 * method = "remove" | "rmdir"
35 */
42 #include <thread>
43 #include <vector>
45 #include <stdio.h>
46 #include <string.h>
47 #include <stdlib.h>
48 #include <stdarg.h>
50 #include <sys/types.h>
51 #include <sys/stat.h>
52 #include <fcntl.h>
53 #include <limits.h>
54 #include <errno.h>
55 #include <algorithm>
56 #include <memory>
58 #include <config_version.h>
62 #include <onlineupdate/mozilla/Compiler.h>
63 #include <onlineupdate/mozilla/Types.h>
65 #ifdef _WIN32
66 #include <comphelper/windowsStart.hxx>
70 // TODO:moggi taken from the mozilla code -- find a better solution
71 #define INVALID_APPLYTO_DIR_ERROR 74
72 #define REMOVE_FILE_SPEC_ERROR 71
73 #define INVALID_APPLYTO_DIR_STAGED_ERROR 72
75 #endif
78 // Amount of the progress bar to use in each of the 3 update stages,
79 // should total 100.0.
80 #define PROGRESS_PREPARE_SIZE 20.0f
81 #define PROGRESS_EXECUTE_SIZE 75.0f
82 #define PROGRESS_FINISH_SIZE 5.0f
84 // Amount of time in ms to wait for the parent process to close
85 #ifdef _WIN32
86 #define PARENT_WAIT 5000
87 #endif
89 #if defined(MACOSX)
90 // These functions are defined in launchchild_osx.mm
99 struct UpdateServerThreadArgs
100 {
103 };
104 #endif
106 #ifndef SSIZE_MAX
107 # define SSIZE_MAX LONG_MAX
108 #endif
110 // We want to use execv to invoke the callback executable on platforms where
111 // we were launched using execv. See nsUpdateDriver.cpp.
112 #if defined(UNIX) && !defined(MACOSX)
113 #define USE_EXECV
114 #endif
116 #if defined(VERIFY_MAR_SIGNATURE) && !defined(_WIN32) && !defined(MACOSX)
117 #include <nss.h>
118 #include <nspr.h>
119 #endif
121 #ifdef _WIN32
122 #ifdef MAINTENANCE_SERVICE
124 #endif
127 LPCWSTR siblingFilePath,
128 LPCWSTR newFileName);
131 // Closes the handle if valid and if the updater is elevated returns with the
132 // return code specified. This prevents multiple launches of the callback
133 // application by preventing the elevated process from launching the callback.
134 #define EXIT_WHEN_ELEVATED(path, handle, retCode) \
135 { \
136 if (handle != INVALID_HANDLE_VALUE) { \
137 CloseHandle(handle); \
138 } \
139 if (_waccess(path, F_OK) == 0 && NS_tremove(path) != 0) { \
140 LogFinish(); \
141 return retCode; \
142 } \
143 }
144 #endif
146 //-----------------------------------------------------------------------------
148 // This variable lives in libbz2. It's declared in bzlib_private.h, so we just
149 // declare it here to avoid including that entire header file.
150 #if defined __GNUC__
152 #elif defined(__SUNPRO_C) || defined(__SUNPRO_CC)
154 #else
156 #endif
158 static unsigned int
160 {
169 }
171 //-----------------------------------------------------------------------------
173 // A simple stack based container for a FILE struct that closes the
174 // file descriptor from its destructor.
175 class AutoFile
176 {
180 {
181 }
184 {
187 }
190 {
195 }
198 {
200 }
203 {
205 }
209 };
211 struct MARChannelStringTable
212 {
214 {
216 }
219 };
221 //-----------------------------------------------------------------------------
231 #ifdef _WIN32
232 // The current working directory specified in the command line.
237 #endif
245 {
247 {
250 }
252 // skip leading "whitespace"
255 do
256 {
258 {
260 {
263 }
264 }
265 }
269 {
272 }
275 do
276 {
278 {
280 {
284 }
285 }
287 }
292 }
294 #if defined(_WIN32) && defined(MAINTENANCE_SERVICE)
295 static bool
297 {
300 }
301 #endif
303 /**
304 * Coverts a relative update path to a full path.
305 *
306 * @param relpath
307 * The relative path to convert to a full path.
308 * @return valid filesystem full path or nullptr if memory allocation fails.
309 */
312 {
323 c++;
329 }
334 {
336 /*
337 // the algorithm is:
338 // 1.) if userprofile path length is smaller than installation dir,
339 // the profile is surely not in instdir
340 // 2.) else comparing the two paths looking only at the installation dir
341 // characters should yield an equal string
342 NS_tchar userprofile[MAXPATHLEN];
343 NS_tstrcpy(userprofile, gPatchDirPath);
344 NS_tchar *slash = (NS_tchar *) NS_tstrrchr(userprofile, NS_T('/'));
345 if (slash)
346 *slash = NS_T('\0');
348 size_t userprofile_len = NS_tstrlen(userprofile);
349 size_t installdir_len = NS_tstrlen(gInstallDirPath);
351 if (userprofile_len < installdir_len)
352 return false;
354 return NS_tstrncmp(userprofile, gInstallDirPath, installdir_len) == 0;
355 */
356 }
358 }
360 /**
361 * Converts a full update path into a relative path; reverses get_full_path.
362 *
363 * @param fullpath
364 * The absolute path to convert into a relative path.
365 * return pointer to the location within fullpath where the relative path starts
366 * or fullpath itself if it already looks relative.
367 */
370 {
371 // If the path isn't absolute, just return it as-is.
372 #ifdef _WIN32
374 {
375 #else
377 {
378 #endif
380 }
384 // If the path isn't long enough to be absolute, return it as-is.
386 {
388 }
391 }
393 /**
394 * Gets the platform specific path and performs simple checks to the path. If
395 * the path checks don't pass nullptr will be returned.
396 *
397 * @param line
398 * The line from the manifest that contains the path.
399 * @param isdir
400 * Whether the path is a directory path. Defaults to false.
401 * @return valid filesystem path or nullptr if the path checks fail.
402 */
405 {
408 {
411 }
413 // All paths must be relative from the current working directory
415 {
418 }
420 #ifdef _WIN32
421 // All paths must be relative from the current working directory
423 {
426 }
427 #endif
430 {
431 // Directory paths must have a trailing forward slash.
433 {
437 }
439 // Remove the trailing forward slash because stat on Windows will return
440 // ENOENT if the path has a trailing slash.
442 }
444 // Don't allow relative paths that resolve to a parent directory.
446 {
449 }
452 }
456 {
473 c++;
475 }
478 {
479 #ifdef _WIN32
481 #else
484 {
486 }
487 #endif
488 }
491 {
498 }
500 // Remove the directory pointed to by path and all of its files and sub-directories.
503 {
504 // We use lstat rather than stat here so that we can successfully remove
505 // symlinks.
509 {
510 // This error is benign
512 }
514 {
516 }
523 {
527 }
530 {
533 {
539 {
541 }
542 }
543 }
548 {
552 {
555 }
556 }
558 }
561 {
566 // Make sure the string begins with "r"
570 // Look for "r+" or "r+b"
574 // Look for "rb+"
579 }
582 {
586 {
587 // Don't attempt to modify the file permissions if the file is being opened
588 // in read-only mode.
590 }
592 {
594 {
596 }
598 }
601 {
603 {
605 }
607 }
609 }
611 // Ensure that the directory containing this file exists.
613 {
618 {
621 // Only attempt to create the directory if we're not at the root
623 {
625 // If the directory already exists, then ignore the error.
627 {
631 }
632 else
633 {
635 }
636 }
638 }
640 }
642 #ifdef UNIX
644 {
645 // Copy symlinks by creating a new symlink to the same target
649 {
653 }
656 {
657 LOG(("ensure_copy_symlink: failed to create the new link: " LOG_S ", target: " LOG_S " err: %d",
660 }
662 }
663 #endif
665 // Copy the file named path onto a new file named dest.
667 {
668 #ifdef _WIN32
669 // Fast path for Windows
672 {
676 }
678 #else
682 {
686 }
688 #ifdef UNIX
690 {
692 }
693 #endif
697 {
701 }
704 {
708 }
710 // This block size was chosen pretty arbitrarily but seems like a reasonable
711 // compromise. For example, the optimal block size on a modern OS X machine
712 // is 100k */
719 {
722 {
727 }
732 {
735 {
740 }
743 }
744 }
750 #endif
751 }
754 struct copy_recursive_skiplist
755 {
759 {
761 }
764 {
766 }
769 {
771 {
773 {
775 }
776 }
778 }
779 };
781 // Copy all of the files and subdirectories under path to a new directory named dest.
782 // The path names in the skiplist will be skipped and will not be copied.
786 {
790 {
794 }
796 #ifdef UNIX
798 {
800 }
801 #endif
804 {
806 }
810 {
811 LOG(("ensure_copy_recursive: could not create destination directory: " LOG_S ", rv: %d, err: %d",
814 }
821 {
825 }
828 {
831 {
836 {
838 }
844 {
846 }
847 }
848 }
851 }
853 // Renames the specified file to the new file specified. If the destination file
854 // exists it is removed.
857 {
865 {
869 }
872 {
874 {
878 }
879 else
880 {
882 }
883 }
886 {
888 {
892 }
893 }
896 {
900 }
903 }
905 #ifdef _WIN32
906 // Remove the directory pointed to by path and all of its files and
907 // sub-directories. If a file is in use move it to the tobedeleted directory
908 // and attempt to schedule removal of the file on reboot
910 {
914 {
915 // This error is benign
917 }
920 {
926 {
929 }
930 else
931 {
934 }
936 }
943 {
948 }
951 {
954 {
958 // There is no need to check the return value of this call since this
959 // function is only called after an update is successful and there is not
960 // much that can be done to recover if it isn't successful. There is also
961 // no need to log the value since it will have already been logged.
963 }
964 }
969 {
973 {
976 }
977 }
979 }
980 #endif
982 //-----------------------------------------------------------------------------
984 // Create a backup of the specified file by renaming it.
986 {
992 }
994 // Rename the backup of the specified file that was created by renaming it back
995 // to the original file.
997 {
1007 {
1010 }
1013 }
1015 // Discard the backup of the specified file that was created by renaming it.
1017 {
1026 // Nothing to discard
1028 {
1030 }
1033 #if defined(_WIN32)
1035 {
1040 {
1044 }
1045 // The MoveFileEx call to remove the file on OS reboot will fail if the
1046 // process doesn't have write access to the HKEY_LOCAL_MACHINE registry key
1047 // but this is ok since the installer / uninstaller will delete the
1048 // directory containing the file along with its contents after an update is
1049 // applied, on reinstall, and on uninstall.
1051 {
1054 }
1055 else
1056 {
1059 }
1060 }
1061 #else
1064 #endif
1067 }
1069 // Helper function for post-processing a temporary backup.
1072 {
1075 else
1077 }
1079 //-----------------------------------------------------------------------------
1083 class Action
1084 {
1091 // Do any preprocessing to ensure that the action can be performed. Execute
1092 // will be called if this Action and all others return OK from this method.
1095 // Perform the operation. Return OK to indicate success. After all actions
1096 // have been executed, Finish will be called. A requirement of Execute is
1097 // that its operation be reversible from Finish.
1100 // Finish is called after execution of all actions. If status is OK, then
1101 // all actions were successfully executed. Otherwise, some action failed.
1109 };
1112 {
1125 };
1127 int
1129 {
1130 // format "<deadfile>"
1141 {
1143 }
1146 }
1148 int
1150 {
1151 // Skip the file if it already doesn't exist.
1154 {
1158 }
1162 // Make sure that we're actually a file...
1166 {
1168 errno));
1170 }
1173 {
1176 }
1180 {
1184 }
1185 else
1186 {
1188 }
1191 {
1194 }
1197 }
1199 int
1201 {
1207 // The file is checked for existence here and in Prepare since it might have
1208 // been removed by a separate instruction: bug 311099.
1211 {
1215 }
1217 // Rename the old file. It will be removed in Finish.
1220 {
1223 }
1226 }
1228 void
1230 {
1237 }
1240 {
1253 };
1255 int
1257 {
1258 // format "<deaddir>/"
1268 {
1270 }
1273 }
1275 int
1277 {
1278 // We expect the directory to exist if we are to remove it.
1281 {
1285 }
1289 // Make sure that we're actually a dir.
1293 {
1295 errno));
1297 }
1300 {
1303 }
1307 {
1310 }
1313 }
1315 int
1317 {
1323 // The directory is checked for existence at every step since it might have
1324 // been removed by a separate instruction: bug 311099.
1327 {
1330 }
1333 }
1335 void
1337 {
1343 // The directory is checked for existence at every step since it might have
1344 // been removed by a separate instruction: bug 311099.
1347 {
1350 }
1354 {
1356 {
1359 }
1360 }
1361 }
1364 {
1378 };
1380 int
1382 {
1383 // format "<newfile>"
1395 {
1397 }
1400 }
1402 int
1404 {
1408 }
1410 int
1412 {
1417 // First make sure that we can actually get rid of any existing file.
1420 {
1424 }
1425 else
1426 {
1430 }
1432 #ifdef _WIN32
1436 {
1439 }
1442 #else
1444 #endif
1446 {
1448 }
1450 }
1452 void
1454 {
1456 // When there is an update failure and a file has been added it is removed
1457 // here since there might not be a backup to replace it.
1461 }
1464 {
1466 PatchFile(ArchiveReader& ar) : mPatchFile(nullptr), mPatchIndex(-1), buf(nullptr), mArchiveReader(ar) { }
1484 MBSPatchHeader header;
1487 AutoFile mPatchStream;
1489 };
1494 {
1495 // Make sure mPatchStream gets unlocked on Windows; the system will do that,
1496 // but not until some indeterminate future time, and we want determinism.
1497 // Normally this happens at the end of Execute, when we close the stream;
1498 // this call is here in case Execute errors out.
1499 #ifdef _WIN32
1501 {
1502 UnlockFile((HANDLE)_get_osfhandle(fileno(mPatchStream)), (DWORD)0, (DWORD)0, (DWORD)-1, (DWORD)-1);
1503 }
1504 #endif
1506 // delete the temporary patch file
1512 }
1514 int
1516 {
1520 {
1524 }
1527 {
1531 }
1540 {
1544 {
1548 }
1552 }
1554 // Verify that the contents of the source file correspond to what we expect.
1559 {
1563 }
1566 }
1568 int
1570 {
1571 // format "<patchfile>" "<filetopatch>"
1573 // Get the path to the patch file inside of the mar
1578 // consume whitespace between args
1591 {
1593 }
1596 }
1598 int
1600 {
1603 // extract the patch to a temporary file
1615 #ifdef _WIN32
1616 // Lock the patch file, so it can't be messed with between
1617 // when we're done creating it and when we go to apply it.
1618 if (!LockFile((HANDLE)_get_osfhandle(fileno(mPatchStream)), (DWORD)0, (DWORD)0, (DWORD)-1, (DWORD)-1))
1619 {
1621 // TODO: moggi: fix the build problem with LOCK_ERROR_PATCH_FILE
1623 }
1627 {
1630 }
1633 #else
1635 #endif
1638 }
1640 int
1642 {
1652 #ifdef _WIN32
1654 {
1655 // Read from the copy of the callback when patching since the callback can't
1656 // be opened for reading to prevent the application from being launched.
1658 }
1659 else
1660 {
1662 }
1663 #else
1665 #endif
1668 {
1672 }
1677 {
1680 }
1682 // Rename the destination file if it exists before proceeding so it can be
1683 // used to restore the file to its original state if there is an error.
1687 {
1691 }
1697 #if defined(HAVE_POSIX_FALLOCATE)
1700 #elif defined(_WIN32)
1702 // Creating the file, setting the size, and then closing the file handle
1703 // lessens fragmentation more than any other method tested. Other methods that
1704 // have been tested are:
1705 // 1. _chsize / _chsize_s reduced fragmentation though not completely.
1706 // 2. _get_osfhandle and then setting the size reduced fragmentation though
1707 // not completely. There are also reports of _get_osfhandle failing on
1708 // mingw.
1710 GENERIC_WRITE,
1713 CREATE_ALWAYS,
1714 FILE_ATTRIBUTE_NORMAL,
1718 {
1722 {
1724 }
1726 }
1730 #elif defined(MACOSX)
1732 // Modified code from FileUtils.cpp
1734 // Try to get a continuous chunk of disk space
1737 {
1738 // OK, perhaps we are too fragmented, allocate non-continuous
1741 }
1744 {
1746 }
1747 #else
1749 #endif
1752 {
1754 errno));
1756 }
1758 #ifdef _WIN32
1760 {
1762 }
1763 #endif
1767 // Go ahead and do a bit of cleanup now to minimize runtime overhead.
1768 // Make sure mPatchStream gets unlocked on Windows; the system will do that,
1769 // but not until some indeterminate future time, and we want determinism.
1770 #ifdef _WIN32
1771 UnlockFile((HANDLE)_get_osfhandle(fileno(mPatchStream)), (DWORD)0, (DWORD)0, (DWORD)-1, (DWORD)-1);
1772 #endif
1773 // Set mPatchStream to nullptr to make AutoFile close the file,
1774 // so it can be deleted on Windows.
1781 }
1783 void
1785 {
1789 }
1792 {
1803 };
1807 {
1808 }
1810 int
1812 {
1813 // format "<testfile>" "<newfile>"
1819 // consume whitespace between args
1825 }
1827 int
1829 {
1830 // If the test file does not exist, then skip this action.
1832 {
1835 }
1838 }
1840 int
1842 {
1847 }
1849 void
1851 {
1856 }
1859 {
1870 };
1874 {
1875 }
1877 int
1879 {
1880 // format "<testfile>" "<newfile>"
1886 // consume whitespace between args
1892 }
1894 int
1896 {
1897 // If the test file exists, then skip this action.
1899 {
1902 }
1905 }
1907 int
1909 {
1914 }
1916 void
1918 {
1923 }
1926 {
1937 };
1941 {
1942 }
1944 int
1946 {
1947 // format "<testfile>" "<patchfile>" "<filetopatch>"
1953 // consume whitespace between args
1959 }
1961 int
1963 {
1964 // If the test file does not exist, then skip this action.
1966 {
1969 }
1972 }
1974 int
1976 {
1981 }
1983 void
1985 {
1990 }
1992 //-----------------------------------------------------------------------------
1994 #ifdef _WIN32
1996 /**
1997 * Launch the post update application (helper.exe). It takes in the path of the
1998 * callback application to calculate the path of helper.exe. For service updates
1999 * this is called from both the system account and the current user account.
2000 *
2001 * @param installationDir The path to the callback application binary.
2002 * @param updateInfoDir The directory where update info is stored.
2003 * @return true if there was no error starting the process.
2004 */
2005 bool
2008 {
2012 // TODO: moggi: needs adaption for LibreOffice
2013 // Most likely we don't have the helper method yet. Check if we really need it.
2015 // Launch helper.exe to perform post processing (e.g. registry and log file
2016 // modifications) for the update.
2020 {
2022 }
2030 {
2032 }
2036 {
2038 }
2041 exeasync,
2043 inifile))
2044 {
2046 }
2048 // Verify that exeFile doesn't contain relative paths
2050 {
2052 }
2057 {
2059 }
2061 #if !defined(TEST_UPDATER) && defined(MAINTENANCE_SERVICE)
2064 {
2066 }
2067 #endif
2071 {
2073 }
2078 {
2080 }
2088 {
2090 }
2098 {
2100 }
2102 // We want to launch the post update helper app to update the Windows
2103 // registry even if there is a failure with removing the uninstall.update
2104 // file or copying the update.log file.
2112 cmdline,
2118 workingDirectory,
2123 {
2125 {
2127 }
2130 }
2132 }
2134 #endif
2136 static void
2141 {
2145 // Run from the specified working directory (see bug 312360). This is not
2146 // necessary on Windows CE since the application that launches the updater
2147 // passes the working directory as an --environ: command line argument.
2149 {
2151 }
2153 #if defined(USE_EXECV)
2157 #elif defined(MACOSX)
2159 #elif defined(WNT)
2160 // Do not allow the callback to run when running an update through the
2161 // service as session 0. The unelevated updater.exe will do the launching.
2163 {
2165 }
2166 #else
2168 #endif
2169 }
2171 static bool
2173 {
2175 #if defined(_WIN32)
2176 // The temp file is not removed on failure since there is client code that
2177 // will remove it.
2179 #else
2182 #endif
2184 // Make sure that the directory for the update status file exists
2188 // This is scoped to make the AutoFile close the file so it is possible to
2189 // move the temp file to the update.status file on Windows.
2190 {
2193 {
2195 }
2198 {
2200 }
2201 }
2203 #if defined(_WIN32)
2208 {
2210 }
2211 #endif
2214 }
2216 static void
2218 {
2223 {
2225 {
2227 }
2228 else
2229 {
2231 }
2232 }
2233 else
2234 {
2237 }
2240 }
2242 #ifdef MAINTENANCE_SERVICE
2243 /*
2244 * Read the update.status file and sets isPendingService to true if
2245 * the status is set to pending-service.
2246 *
2247 * @param isPendingService Out parameter for specifying if the status
2248 * is set to pending-service or not.
2249 * @return true if the information was retrieved and it is pending
2250 * or pending-service.
2251 */
2252 static bool
2254 {
2273 }
2274 #endif
2276 #ifdef _WIN32
2277 /*
2278 * Read the update.status file and sets isSuccess to true if
2279 * the status is set to succeeded.
2280 *
2281 * @param isSucceeded Out parameter for specifying if the status
2282 * is set to succeeded or not.
2283 * @return true if the information was retrieved and it is succeeded.
2284 */
2285 static bool
2287 {
2304 }
2305 #endif
2307 /*
2308 * Copy the entire contents of the application installation directory to the
2309 * destination directory for the update process.
2310 *
2311 * @return 0 if successful, an error code otherwise.
2312 */
2313 static int
2315 {
2316 // These files should not be copied over to the updated app
2317 #ifdef _WIN32
2318 #define SKIPLIST_COUNT 4
2319 #elif defined(MACOSX)
2320 #define SKIPLIST_COUNT 1
2321 #else
2322 #define SKIPLIST_COUNT 3
2323 #endif
2335 #ifndef MACOSX
2338 #ifdef _WIN32
2340 #endif
2341 #endif
2344 }
2346 /*
2347 * Replace the application installation directory with the destination
2348 * directory in order to finish a staged update task
2349 *
2350 * @return 0 if successful, an error code otherwise.
2351 */
2352 static int
2354 {
2355 // TODO: moggi: handle the user profile in the installation dir also
2356 // during the replacement request
2357 // The replacement algorithm is like this:
2358 // 1. Move destDir to tmpDir. In case of failure, abort.
2359 // 2. Move newDir to destDir. In case of failure, revert step 1 and abort.
2360 // 3. Delete tmpDir (or defer it to the next reboot).
2362 #ifdef MACOSX
2366 #elif defined(WNT)
2367 // Windows preserves the case of the file/directory names. We use the
2368 // GetLongPathName API in order to get the correct case for the directory
2369 // name, so that if the user has used a different case when launching the
2370 // application, the installation directory's name does not change.
2374 {
2376 }
2377 #else
2379 #endif
2385 // First try to remove the possibly existing temp directory, because if this
2386 // directory exists, we will fail to rename destDir.
2387 // No need to error check here because if this fails, we will fail in the
2388 // next step anyways.
2395 #ifdef _WIN32
2396 // On Windows, if Firefox is launched using the shortcut, it will hold a handle
2397 // to its installation directory open, which might not get released in time.
2398 // Therefore we wait a little bit here to see if the handle is released.
2399 // If it's not released, we just fail to perform the replace request.
2403 {
2411 }
2412 #endif
2414 {
2415 // The status file will have 'pending' written to it so there is no value in
2416 // returning an error specific for this failure.
2419 }
2423 {
2428 }
2429 else
2430 {
2433 gWorkingDirPath);
2434 }
2439 #ifdef MACOSX
2441 {
2446 }
2447 #endif
2449 {
2455 {
2457 }
2458 // The status file will be have 'pending' written to it so there is no value
2459 // in returning an error specific for this failure.
2461 }
2464 {
2465 // 1.) calculate path of the user profile in the backup directory
2466 // 2.) move the user profile from the backup to the install directory
2481 {
2483 }
2486 }
2488 #if !defined(_WIN32) && !defined(MACOSX)
2489 // Platforms that have their updates directory in the installation directory
2490 // need to have the last-update.log and backup-update.log files moved from the
2491 // old installation directory to the new installation directory.
2496 {
2502 }
2503 #endif
2508 {
2510 #ifdef _WIN32
2514 // Attempt to remove the tobedeleted directory and then recreate it if it
2515 // was successfully removed.
2518 {
2520 }
2522 #endif
2523 }
2525 #ifdef MACOSX
2526 // On OS X, we need to remove the staging directory after its Contents
2527 // directory has been moved.
2532 #endif
2537 }
2539 #ifdef _WIN32
2540 static void
2542 {
2543 // We wait at most 10 minutes, we already waited 5 seconds previously
2544 // before deciding to show this UI.
2547 }
2548 #endif
2550 #ifdef VERIFY_MAR_SIGNATURE
2551 /**
2552 * This function reads in the ACCEPTED_MAR_CHANNEL_IDS from update-settings.ini
2553 *
2554 * @param path The path to the ini file that is to be read
2555 * @param results A pointer to the location to store the read strings
2556 * @return OK on success
2557 */
2558 static int
2560 {
2561 // TODO: moggi: needs adaption for LibreOffice
2562 // Check where this function gets its parameters from
2574 }
2575 #endif
2577 static int
2579 {
2585 // add the language packs
2588 {
2591 }
2595 {
2599 {
2601 {
2604 {
2611 }
2612 }
2613 }
2614 }
2616 }
2618 static int
2620 {
2621 #ifdef VERIFY_MAR_SIGNATURE
2622 #ifdef _WIN32
2628 L"SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Enhanced Cryptographic Provider v1.0",
2631 {
2634 DWORD type;
2637 {
2639 {
2644 {
2646 }
2647 }
2648 }
2649 }
2650 #endif
2652 #ifdef _WIN32
2654 {
2656 {
2660 }
2662 }
2663 #endif
2667 {
2669 {
2672 // TODO: moggi: needs adaption for LibreOffice
2673 // These paths need to be adapted for us.
2676 #ifdef MACOSX
2678 #else
2680 #endif
2681 gWorkingDirPath);
2682 MARChannelStringTable MARStrings;
2684 {
2685 // If we can't read from update-settings.ini then we shouldn't impose
2686 // a MAR restriction. Some installations won't even include this file.
2688 }
2691 LIBO_VERSION_DOTTED);
2692 }
2693 }
2694 #endif
2697 }
2699 static void
2701 {
2702 // open ZIP archive and process...
2705 {
2707 }
2708 else
2709 {
2714 {
2715 ArchiveReader archiveReader;
2718 {
2721 }
2725 {
2728 }
2729 }
2732 {
2734 }
2737 {
2739 {
2740 ArchiveReader archiveReader;
2743 }
2748 }
2749 }
2752 {
2753 #ifdef _WIN32
2754 // On Windows, the current working directory of the process should be changed
2755 // so that it's not locked.
2757 {
2760 {
2762 }
2763 }
2764 #endif
2766 // When attempting to replace the application, we should fall back
2767 // to non-staged updates in case of a failure. We do this by
2768 // setting the status to pending, exiting the updater, and
2769 // launching the callback application. The callback application's
2770 // startup path will see the pending status, and will start the
2771 // updater application again in order to apply the update without
2772 // staging.
2774 {
2776 }
2777 else
2778 {
2780 }
2781 #ifdef TEST_UPDATER
2782 // Some tests need to use --test-process-updates again.
2784 #endif
2785 }
2786 else
2787 {
2789 {
2791 }
2792 else
2793 {
2794 #ifdef MACOSX
2795 // If the update was successful we need to update the timestamp on the
2796 // top-level Mac OS X bundle directory so that Mac OS X's Launch Services
2797 // picks up any major changes when the bundle is updated.
2799 {
2801 }
2802 #endif
2805 }
2807 }
2811 }
2813 #ifdef MACOSX
2814 static void
2816 {
2820 {
2822 }
2824 }
2827 {
2829 {
2831 }
2833 }
2834 #endif
2837 int callbackIndex
2838 #ifdef _WIN32
2840 , HANDLE updateLockFileHandle
2841 #elif defined(MACOSX)
2843 #endif
2844 )
2845 {
2847 {
2848 #if defined(_WIN32)
2850 {
2852 {
2854 }
2856 // The service update will only be executed if it is already installed.
2857 // For first time installs of the service, the install will happen from
2858 // the PostUpdate process. We do the service update process here
2859 // because it's possible we are updating with updater.exe without the
2860 // service if the service failed to apply the update. We want to update
2861 // the service to a newer version in that case. If we are not running
2862 // through the service, then USING_SERVICE will not exist.
2864 {
2866 }
2867 }
2869 #elif defined(MACOSX)
2871 {
2873 {
2875 }
2876 #endif
2881 sUsingService);
2882 #ifdef XP_MACOSX
2885 }
2887 }
2890 {
2891 // The callback is the remaining arguments starting at callbackIndex.
2892 // The argument specified by callbackIndex is the callback executable and the
2893 // argument prior to callbackIndex is the working directory.
2896 #ifdef MACOSX
2897 // TODO: moggi: needs adaption for LibreOffice
2901 {
2903 {
2904 // Won't actually get here because ObtainUpdaterArguments will terminate
2905 // the current process on failure.
2907 }
2908 }
2909 #endif
2911 #if defined(VERIFY_MAR_SIGNATURE) && !defined(_WIN32) && !defined(MACOSX)
2912 // On Windows and Mac we rely on native APIs to do verifications so we don't
2913 // need to initialize NSS at all there.
2914 // Otherwise, minimize the amount of NSS we depend on by avoiding all the NSS
2915 // databases.
2917 {
2922 }
2923 #endif
2925 #ifdef MACOSX
2927 {
2928 #endif
2930 #ifdef MACOSX
2931 }
2932 #endif
2934 // To process an update the updater command line must at a minimum have the
2935 // directory path containing the updater.mar file to process as the first
2936 // argument, the install directory as the second argument, and the directory
2937 // to apply the update to as the third argument. When the updater is launched
2938 // by another process the PID of the parent process should be provided in the
2939 // optional fourth argument and the updater will wait on the parent process to
2940 // exit if the value is non-zero and the process is present. This is necessary
2941 // due to not being able to update files that are in use on Windows. The
2942 // optional fifth argument is the callback's working directory and the
2943 // optional sixth argument is the callback path. The callback is the
2944 // application to launch after updating and it will be launched when these
2945 // arguments are provided whether the update was successful or not. All
2946 // remaining arguments are optional and are passed to the callback when it is
2947 // launched.
2949 {
2950 fprintf(stderr, "Usage: updater patch-dir install-dir apply-to-dir [wait-pid [callback-working-dir callback-path args...]]\n");
2951 #ifdef MACOSX
2953 {
2956 }
2957 #endif
2959 }
2961 // The directory containing the update information.
2964 // The directory we're going to update to.
2965 // We copy this string because we need to remove trailing slashes. The C++
2966 // standard says that it's always safe to write to strings pointed to by argv
2967 // elements, but I don't necessarily believe it.
2972 {
2974 }
2976 #ifdef _WIN32
2981 // We never want the service to be used unless we build with
2982 // the maintenance service.
2983 #ifdef MAINTENANCE_SERVICE
2985 // Our tests run with a different apply directory for each test.
2986 // We use this registry key on our test slaves to store the
2987 // allowed name/issuers.
2989 #endif
2991 // Remove everything except close window from the context menu
2992 {
2993 // TODO: moggi: needs adaption for LibreOffice
3003 {
3008 }
3009 }
3010 #endif
3012 // If there is a PID specified and it is not '0' then wait for the process to exit.
3013 #ifdef _WIN32
3015 #else
3017 #endif
3019 {
3020 #ifdef _WIN32
3022 #else
3024 #endif
3026 {
3027 // This is a signal from the parent process that the updater should stage
3028 // the update.
3030 }
3032 {
3033 // We're processing a request to replace the application with a staged
3034 // update.
3036 }
3037 }
3039 // The directory we're going to update to.
3040 // We copy this string because we need to remove trailing slashes. The C++
3041 // standard says that it's always safe to write to strings pointed to by argv
3042 // elements, but I don't necessarily believe it.
3047 {
3049 }
3051 #ifdef MACOSX
3053 {
3054 // If the app directory isn't recursively writeable, an elevated update is
3055 // required.
3056 UpdateServerThreadArgs threadArgs;
3060 Thread t1;
3062 {
3063 // Show an indeterminate progress bar while an elevated update is in
3064 // progress.
3066 }
3071 }
3072 #endif
3077 {
3079 #ifdef MACOSX
3081 {
3084 }
3085 #endif
3087 }
3090 {
3092 }
3094 {
3096 }
3102 #ifdef _WIN32
3104 {
3106 {
3112 }
3119 {
3124 }
3127 {
3133 }
3134 }
3135 #endif
3138 #ifdef _WIN32
3140 {
3142 // May return nullptr if the parent process has already gone away.
3143 // Otherwise, wait for the parent process to exit before starting the
3144 // update.
3146 {
3152 }
3153 }
3154 #else
3157 #endif
3159 #if defined(_WIN32)
3160 #ifdef MAINTENANCE_SERVICE
3163 #endif
3164 // lastFallbackError keeps track of the last error for the service not being
3165 // used, in case of an error when fallback is not enabled we write the
3166 // error to the update.status file.
3167 // When fallback is disabled (MOZ_NO_SERVICE_FALLBACK does not exist) then
3168 // we will instead fallback to not using the service and display a UAC prompt.
3171 // Launch a second instance of the updater with the runas verb on Windows
3172 // when write access is denied to the installation directory.
3177 {
3180 {
3181 // When staging an update, the lock file is:
3182 // <install_dir>\updated.update_in_progress.lock
3186 }
3188 {
3189 // When processing a replace request, the lock file is:
3190 // <install_dir>\..\moz_update_in_progress.lock
3198 }
3199 else
3200 {
3201 // In the non-staging update case, the lock file is:
3202 // <install_dir>\<app_name>.exe.update_in_progress.lock
3206 }
3208 // The update_in_progress.lock file should only exist during an update. In
3209 // case it exists attempt to remove it and exit if that fails to prevent
3210 // simultaneous updates occurring.
3213 {
3214 // Try to fall back to the old way of doing updates if a staged
3215 // update fails.
3217 {
3218 // Note that this could fail, but if it does, there isn't too much we
3219 // can do in order to recover anyways.
3221 }
3224 }
3230 OPEN_ALWAYS,
3231 FILE_FLAG_DELETE_ON_CLOSE,
3238 // Even if a file has no sharing access, you can still get its attributes
3242 // If we're running from the service, then we were started with the same
3243 // token as the service so the permissions are already dropped. If we're
3244 // running from an elevated updater that was started from an unelevated
3245 // updater, then we drop the permissions here. We do not drop the
3246 // permissions on the originally called updater because we use its token
3247 // to start the callback application.
3249 {
3250 // Disable every privilege we don't need. Processes started using
3251 // CreateProcess will use the same token as this process.
3253 }
3257 {
3260 {
3263 }
3265 HANDLE elevatedFileHandle;
3270 OPEN_ALWAYS,
3271 FILE_FLAG_DELETE_ON_CLOSE,
3275 {
3278 }
3282 {
3285 }
3287 // Make sure the path to the updater to use for the update is on local.
3288 // We do this check to make sure that file locking is available for
3289 // race condition security checks.
3291 {
3294 }
3296 // If we have unprompted elevation we should NOT use the service
3297 // for the update. Service updates happen with the SYSTEM account
3298 // which has more privs than we need to update with.
3299 // Windows 8 provides a user interface so users can configure this
3300 // behavior and it can be configured in the registry in all Windows
3301 // versions that support UAC.
3303 {
3304 BOOL unpromptedElevation;
3306 {
3308 }
3309 }
3311 // Make sure the service registry entries for the installation path
3312 // are available. If not don't use the service.
3314 {
3316 // TODO: moggi: needs adaption for LibreOffice
3317 // Most likely the registry part is not correct yet
3319 maintenanceServiceKey))
3320 {
3326 {
3328 }
3329 else
3330 {
3331 #ifdef TEST_UPDATER
3333 #endif
3335 {
3337 }
3338 }
3339 }
3340 else
3341 {
3344 }
3345 }
3347 // Originally we used to write "pending" to update.status before
3348 // launching the service command. This is no longer needed now
3349 // since the service command is launched from updater.exe. If anything
3350 // fails in between, we can fall back to using the normal update process
3351 // on our own.
3353 // If we still want to use the service try to launch the service
3354 // command for the update.
3356 {
3357 // If the update couldn't be started, then set useService to false so
3358 // we do the update the old way.
3361 // If the command was launched then wait for the service to be done.
3363 {
3365 // Never show the progress UI when staging updates.
3367 {
3368 // We need to call this separately instead of allowing ShowProgressUI
3369 // to initialize the strings because the service will move the
3370 // ini file out of the way when running updater.
3372 }
3374 // Wait for the service to stop for 5 seconds. If the service
3375 // has still not stopped then show an indeterminate progress bar.
3378 {
3381 {
3383 }
3385 }
3389 {
3390 // If the service doesn't stop after 10 minutes there is
3391 // something seriously wrong.
3394 }
3395 }
3396 else
3397 {
3399 }
3400 }
3402 // If the service can't be used when staging and update, make sure that
3403 // the UAC prompt is not shown! In this case, just set the status to
3404 // pending and the update will be applied during the next startup.
3406 {
3408 {
3410 }
3413 }
3415 // If we started the service command, and it finished, check the
3416 // update.status file to make sure it succeeded, and if it did
3417 // we need to manually start the PostUpdate process from the
3418 // current user's session of this unelevated updater.exe the
3419 // current process is running as.
3420 // Note that we don't need to do this if we're just staging the update,
3421 // as the PostUpdate step runs when performing the replacing in that case.
3423 {
3426 updateStatusSucceeded)
3427 {
3429 {
3432 }
3433 }
3434 }
3436 // If we didn't want to use the service at all, or if an update was
3437 // already happening, or launching the service command failed, then
3438 // launch the elevated updater.exe as we do without the service.
3439 // We don't launch the elevated updater in the case that we did have
3440 // write access all along because in that case the only reason we're
3441 // using the service is because we are testing.
3444 {
3445 SHELLEXECUTEINFO sinfo;
3449 SEE_MASK_FLAG_DDEWAIT |
3450 SEE_MASK_NOCLOSEPROCESS;
3461 {
3464 }
3465 else
3466 {
3468 }
3469 }
3472 {
3475 }
3481 {
3482 // We didn't use the service and we did run the elevated updater.exe.
3483 // The elevated updater.exe is responsible for writing out the
3484 // update.status file.
3486 }
3488 {
3489 // The service command was launched. The service is responsible for
3490 // writing out the update.status file.
3492 {
3494 }
3496 }
3497 else
3498 {
3499 // Otherwise the service command was not launched at all.
3500 // We are only reaching this code path because we had write access
3501 // all along to the directory and a fallback key existed, and we
3502 // have fallback disabled (MOZ_NO_SERVICE_FALLBACK env var exists).
3503 // We only currently use this env var from XPCShell tests.
3507 }
3508 }
3509 }
3510 #endif
3513 {
3514 // When staging updates, blow away the old installation directory and create
3515 // it from scratch.
3517 }
3519 {
3520 // Try to create the destination directory if it doesn't exist
3523 {
3524 #ifdef MACOSX
3526 {
3529 }
3530 #endif
3532 }
3533 }
3535 #ifdef _WIN32
3536 // For replace requests, we don't need to do any real updates, so this is not
3537 // necessary.
3539 {
3540 // Allocate enough space for the length of the path an optional additional
3541 // trailing slash and null termination.
3542 NS_tchar *destpath = (NS_tchar *) malloc((NS_tstrlen(gWorkingDirPath) + 2) * sizeof(NS_tchar));
3551 {
3554 }
3556 c++;
3559 }
3564 {
3570 {
3573 }
3575 }
3579 {
3580 // If the callback executable is specified it must exist for a successful
3581 // update. It is important we null out the whole buffer here because later
3582 // we make the assumption that the callback application is inside the
3583 // apply-to dir. If we don't have a fully null'ed out buffer it can lead
3584 // to stack corruption which causes crashes and other problems.
3591 {
3592 // In case of replace requests, we should look for the callback file in
3593 // the destination directory.
3595 gInstallDirPath,
3608 bufferLeft--;
3613 installDir,
3618 }
3621 {
3627 {
3631 sUsingService);
3632 }
3634 }
3636 // Doing this is only necessary when we're actually applying a patch.
3638 {
3642 // advance to the apply to directory and advance past the trailing backslash
3643 // if present.
3648 // Copy the string and replace backslashes with forward slashes along the
3649 // way.
3650 do
3651 {
3654 else
3658 }
3663 // Make a copy of the callback executable so it can be read when patching.
3669 {
3675 {
3677 }
3678 else
3679 {
3681 }
3687 sUsingService);
3689 }
3691 // Since the process may be signaled as exited by WaitForSingleObject before
3692 // the release of the executable image try to lock the main executable file
3693 // multiple times before giving up. If we end up giving up, we won't
3694 // fail the update.
3698 do
3699 {
3700 // By opening a file handle without FILE_SHARE_READ to the callback
3701 // executable, the OS will prevent launching the process while it is
3702 // being updated.
3705 // allow delete, rename, and write
3717 }
3720 // CreateFileW will fail if the callback executable is already in use.
3722 {
3723 // Only fail the update if the last error was not a sharing violation.
3725 {
3730 {
3732 }
3733 else
3734 {
3736 }
3743 sUsingService);
3745 }
3749 }
3750 }
3751 }
3753 // DELETE_DIR is not required when performing a staged update or replace
3754 // request; it can be used during a replace request but then it doesn't
3755 // use gDeleteDirPath.
3757 {
3758 // The directory to move files that are in use to on Windows. This directory
3759 // will be deleted after the update is finished, on OS reboot using
3760 // MoveFileEx if it contains files that are in use, or by the post update
3761 // process after the update finishes. On Windows when performing a normal
3762 // update (e.g. the update is not a staged update and is not a replace
3763 // request) gWorkingDirPath is the same as gInstallDirPath and
3764 // gWorkingDirPath is used because it is the destination directory.
3770 {
3772 }
3773 }
3776 // Run update process on a background thread. ShowProgressUI may return
3777 // before QuitProgressUI has been called, so wait for UpdateThreadFunc to
3778 // terminate. Avoid showing the progress UI when staging an update, or if this
3779 // is an elevated process on OSX.
3782 #ifdef XP_MACOSX
3783 && !isElevated
3784 #endif
3785 )
3786 {
3788 }
3791 #ifdef _WIN32
3793 {
3795 {
3797 }
3798 // Remove the copy of the callback executable.
3800 }
3803 {
3806 // The directory probably couldn't be removed due to it containing files
3807 // that are in use and will be removed on OS reboot. The call to remove the
3808 // directory on OS reboot is done after the calls to remove the files so the
3809 // files are removed first on OS reboot since the directory must be empty
3810 // for the directory removal to be successful. The MoveFileEx call to remove
3811 // the directory on OS reboot will fail if the process doesn't have write
3812 // access to the HKEY_LOCAL_MACHINE registry key but this is ok since the
3813 // installer / uninstaller will delete the directory along with its contents
3814 // after an update is applied, on reinstall, and on uninstall.
3816 {
3818 DELETE_DIR));
3819 }
3820 else
3821 {
3824 }
3825 }
3829 #ifdef MACOSX
3830 // When the update is successful remove the precomplete file in the root of
3831 // the application bundle and move the distribution directory from
3832 // Contents/MacOS to Contents/Resources and if both exist delete the
3833 // directory under Contents/MacOS (see Bug 1068439).
3835 {
3846 {
3852 {
3857 {
3859 }
3860 }
3861 else
3862 {
3867 {
3870 }
3871 }
3872 }
3873 }
3876 {
3880 }
3882 {
3883 // If the group ownership of the Firefox .app bundle was set to the "admin"
3884 // group during a previous elevated update, we need to ensure that all files
3885 // in the bundle have group ownership of "admin" as well as write permission
3886 // for the group to not break updates in the future.
3888 }
3894 #ifdef _WIN32
3895 , elevatedLockFilePath
3896 , updateLockFileHandle
3897 #elif defined(MACOSX)
3898 , isElevated
3899 #endif
3900 );
3903 }
3905 class ActionList
3906 {
3920 };
3923 {
3926 {
3930 }
3931 }
3933 void
3935 {
3938 else
3942 mCount++;
3943 }
3945 int
3947 {
3948 // If the action list is empty then we should fail in order to signal that
3949 // something has gone wrong. Otherwise we report success when nothing is
3950 // actually done. See bug 327140.
3952 {
3955 }
3960 {
3969 }
3972 }
3974 int
3976 {
3980 {
3983 }
3987 {
3990 {
3993 }
4001 }
4004 }
4006 void
4008 {
4012 {
4017 PROGRESS_EXECUTE_SIZE +
4021 }
4025 }
4028 #ifdef _WIN32
4030 {
4032 WIN32_FIND_DATAW finddata;
4033 HANDLE hFindFile;
4043 {
4044 do
4045 {
4046 // Don't process the current or parent directory.
4054 {
4057 // Recurse into the directory.
4060 {
4063 }
4064 }
4065 else
4066 {
4067 // Add the file to be removed to the ActionList.
4075 {
4079 }
4083 }
4084 }
4088 {
4089 // Add the directory to be removed to the ActionList.
4099 else
4102 }
4103 }
4106 }
4108 #elif defined(__sun)
4110 {
4113 struct
4114 {
4115 dirent dent_buffer;
4123 {
4125 errno));
4127 }
4130 {
4140 {
4143 }
4145 {
4148 // Recurse into the directory.
4151 {
4155 }
4156 }
4157 else
4158 {
4159 // Add the file to be removed to the ActionList.
4162 {
4165 }
4170 {
4175 }
4178 }
4179 }
4182 // Add the directory to be removed to the ActionList.
4190 {
4193 }
4194 else
4195 {
4197 }
4200 }
4202 #else
4205 {
4211 // Remove the trailing slash so the paths don't contain double slashes. The
4212 // existence of the slash has already been checked in DoUpdate.
4216 // FTS_NOCHDIR is used so relative paths from the destination directory are
4217 // returned.
4224 {
4230 {
4231 // Filesystem objects that shouldn't be in the application's directories
4239 // Files
4242 // Add the file to be removed to the ActionList.
4247 {
4250 }
4258 // Directories
4261 // Add the directory to be removed to the ActionList.
4266 {
4269 }
4278 // Errors
4281 // ENOENT is an acceptable error for FTS_DNR and FTS_NS and means that
4282 // we're racing with ourselves. Though strange, the entry will be
4283 // removed anyway.
4285 {
4288 }
4289 // Fall through
4304 // FTS_D is ignored and FTS_DP is used instead (post-order).
4307 }
4311 }
4316 }
4317 #endif
4321 {
4324 {
4327 }
4332 {
4335 }
4344 {
4348 {
4352 }
4356 }
4360 #ifndef _WIN32
4362 #else
4365 {
4368 }
4372 {
4377 }
4381 #endif
4382 }
4385 {
4386 #ifdef MACOSX
4389 #else
4392 #endif
4396 {
4399 // Applications aren't required to have a precomplete manifest. The mar
4400 // generation scripts enforce the presence of a precomplete manifest.
4402 }
4407 {
4408 // skip comments
4414 {
4417 }
4421 {
4423 }
4425 {
4427 }
4429 {
4431 }
4432 else
4433 {
4436 }
4446 }
4449 }
4452 {
4458 // extract the manifest
4459 // TODO: moggi: needs adaption for LibreOffice
4460 // Why would we need the manifest? Even if we need it why would we need 2?
4463 {
4466 {
4469 }
4470 }
4475 {
4478 }
4480 ActionList list;
4485 {
4486 // skip comments
4492 {
4495 }
4498 {
4500 // The update manifest isn't required to have a type declaration. The mar
4501 // generation scripts enforce the presence of the type declaration.
4503 {
4507 {
4511 }
4513 }
4514 }
4518 {
4520 }
4522 {
4524 }
4526 {
4539 }
4541 {
4543 }
4545 {
4547 }
4549 {
4551 }
4553 {
4555 }
4557 {
4559 }
4560 else
4561 {
4564 }
4574 }
4584 }