From 680e7ceab1a1da00ec065d00a34a7bbf3d6ec547 Mon Sep 17 00:00:00 2001 From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Wed, 28 Feb 2024 22:54:31 +0100 Subject: [PATCH] :sparkles: Fortify: Support .fpr format (#9590) * :sparkles: fpr format for fortify * :construction: extract content of fdr * extract audit.fvdl * add unittests * fix bug * update fortify parser * update fortify parser * update fortify parser * fix unittests * flake8 * implement severity * :bug: fix * add unittest for new severity * flake8 * commit according to review Co-authored-by: Steve Lohr * commit according to review Co-authored-by: Steve Lohr * update according to review * update * update documentation * remove docs file as it was moved * flake8 --------- Co-authored-by: Steve Lohr --- .../en/integrations/parsers/file/fortify.md | 21 +- dojo/tools/fortify/README.md | 17 - dojo/tools/fortify/__init__.py | 2 +- dojo/tools/fortify/parser.py | 85 +- .../DefaultReportDefinitionAllIssues.xml | 0 unittests/scans/fortify/audit.fvdl | 23044 ++++++++++++++++ unittests/scans/fortify/many_findings.fpr | Bin 0 -> 2042533 bytes unittests/tools/test_fortify_parser.py | 26 +- 8 files changed, 23165 insertions(+), 30 deletions(-) delete mode 100644 dojo/tools/fortify/README.md rename {dojo/tools => unittests/scans}/fortify/DefaultReportDefinitionAllIssues.xml (100%) create mode 100644 unittests/scans/fortify/audit.fvdl create mode 100644 unittests/scans/fortify/many_findings.fpr diff --git a/docs/content/en/integrations/parsers/file/fortify.md b/docs/content/en/integrations/parsers/file/fortify.md index bbd44f4fff3..5c113c36cb8 100644 --- a/docs/content/en/integrations/parsers/file/fortify.md +++ b/docs/content/en/integrations/parsers/file/fortify.md @@ -2,7 +2,24 @@ title: "Fortify" toc_hide: true --- -Import Findings from XML file format. +You can either import the findings in .xml or in .fpr file format.
+If you import a .fpr file, the parser will look for the file 'audit.fvdl' and analyze it. An extracted example can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/fortify/audit.fvdl). ### Sample Scan Data -Sample Fortify scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/fortify). \ No newline at end of file +Sample Fortify scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/fortify). + +#### Generate XML Output from Foritfy +This section describes how to import XML generated from a Fortify FPR. It assumes you +already have, or know how to acquire, an FPR file. Once you have the FPR file you will need +use Fortify's ReportGenerator tool (located in the bin directory of your fortify install). +```FORTIFY_INSTALL_ROOT/bin/ReportGenerator``` + +By default, the Report Generator tool does _not_ display all issues, it will only display one +per category. To get all issues, copy the [DefaultReportDefinitionAllIssues.xml](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/fortify/DefaultReportDefinitionAllIssues.xml) to: +```FORTIFY_INSTALL_ROOT/Core/config/reports``` + +Once this is complete, you can run the following command on your .fpr file to generate the +required XML: +``` +./path/to/ReportGenerator -format xml -f /path/to/output.xml -source /path/to/downloaded/artifact.fpr -template DefaultReportDefinitionAllIssues.xml +``` \ No newline at end of file diff --git a/dojo/tools/fortify/README.md b/dojo/tools/fortify/README.md deleted file mode 100644 index c89e306c05c..00000000000 --- a/dojo/tools/fortify/README.md +++ /dev/null 
@@ -1,17 +0,0 @@ -# Usage -To use this importer you will need an XML generated from a Fortify FPR. This guide assumes you -already have, or know how to acquire, an FPR file. Once you have the FPR file you will need -use Fortify's ReportGenerator tool (located in the bin directory of your fortify install). -```FORTIFY_INSTALL_ROOT/bin/ReportGenerator``` - -### Getting All Issues -By default, the Report Generator tool does _not_ display all issues, it will only display one -per category. To get all issues, copy the DefaultReportDefinitionAllIssues.xml file from this -directory to: -```FORTIFY_INSTALL_ROOT/Core/config/reports``` - -Once this is complete, you can run the following command on your .fpr file to generate the -required XML: -``` -./path/to/ReportGenerator -format xml -f /path/to/output.xml -source /path/to/downloaded/artifact.fpr -template DefaultReportDefinitionAllIssues.xml -``` diff --git a/dojo/tools/fortify/__init__.py b/dojo/tools/fortify/__init__.py index 5c0e70cba77..eabab4eabac 100644 --- a/dojo/tools/fortify/__init__.py +++ b/dojo/tools/fortify/__init__.py @@ -1 +1 @@ -__author__ = "Rajarshi333" +__author__ = "Rajarshi333", "manuel-sommer" diff --git a/dojo/tools/fortify/parser.py b/dojo/tools/fortify/parser.py index 38f3c336a42..b86dcbf0c6d 100644 --- a/dojo/tools/fortify/parser.py +++ b/dojo/tools/fortify/parser.py @@ -1,7 +1,7 @@ +import re import logging - +import zipfile from defusedxml import ElementTree - from dojo.models import Finding logger = logging.getLogger(__name__) 
@@ -15,9 +15,15 @@ def get_label_for_scan_types(self, scan_type): return scan_type # no custom label for now def get_description_for_scan_types(self, scan_type): - return "Import Findings from XML file format." + return "Import Findings in FPR or XML file format." def get_findings(self, filename, test): + if str(filename.name).endswith('.xml'): + return self.parse_xml(filename, test) + elif str(filename.name).endswith('.fpr'): + return self.parse_fpr(filename, test) + + def parse_xml(self, filename, test): fortify_scan = ElementTree.parse(filename) root = fortify_scan.getroot() 
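Review bot: get_findings now returns `None` implicitly when the uploaded name ends in neither `.xml` nor `.fpr`; that includes upper-case `.XML`/`.FPR` and extension-less names, which the old code parsed as XML. A caller that iterates the result (not visible in this hunk) would then fail or import nothing, with no hint about the cause. Comparing against `str(filename.name).lower()` and closing the chain with `else: raise ValueError("Filename extension not recognized. Use .xml or .fpr")` would make an unsupported upload fail loudly. The body of parse_xml continues outside the hunk.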
@@ -114,6 +120,79 @@ def get_findings(self, filename, test): dupes.add(title) return items + def fpr_severity(self, Confidence, InstanceSeverity): + if float(Confidence) >= 2.5 and float(InstanceSeverity) >= 2.5: + severity = "Critical" + elif float(Confidence) >= 2.5 and float(InstanceSeverity) < 2.5: + severity = "High" + elif float(Confidence) < 2.5 and float(InstanceSeverity) >= 2.5: + severity = "Medium" + elif float(Confidence) < 2.5 and float(InstanceSeverity) < 2.5: + severity = "Low" + else: + severity = "Info" + return severity + + def parse_fpr(self, filename, test): + if str(filename.__class__) == "": + input_zip = zipfile.ZipFile(filename.name, 'r') + else: + input_zip = zipfile.ZipFile(filename, 'r') + zipdata = {name: input_zip.read(name) for name in input_zip.namelist()} + root = ElementTree.fromstring(zipdata["audit.fvdl"].decode('utf-8')) + regex = r"{.*}" + matches = re.match(regex, root.tag) + try: + namespace = matches.group(0) + except BaseException: + namespace = "" + items = list() + for child in root: + if "Vulnerabilities" in child.tag: + for vuln in child: + ClassID = vuln.find(f"{namespace}ClassInfo").find(f"{namespace}ClassID").text + Kingdom = vuln.find(f"{namespace}ClassInfo").find(f"{namespace}Kingdom").text + Type = vuln.find(f"{namespace}ClassInfo").find(f"{namespace}Type").text + AnalyzerName = vuln.find(f"{namespace}ClassInfo").find(f"{namespace}AnalyzerName").text + DefaultSeverity = vuln.find(f"{namespace}ClassInfo").find(f"{namespace}DefaultSeverity").text + InstanceID = vuln.find(f"{namespace}InstanceInfo").find(f"{namespace}InstanceID").text + InstanceSeverity = vuln.find(f"{namespace}InstanceInfo").find(f"{namespace}InstanceSeverity").text + Confidence = vuln.find(f"{namespace}InstanceInfo").find(f"{namespace}Confidence").text + SourceLocationpath = 
vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("path") + SourceLocationline = vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("line") + SourceLocationlineEnd = vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("lineEnd") + SourceLocationcolStart = vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("colStart") + SourceLocationcolEnd = vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("colEnd") + SourceLocationsnippet = vuln.find(f"{namespace}AnalysisInfo").find(f"{namespace}Unified").find(f"{namespace}Trace").find(f"{namespace}Primary").find(f"{namespace}Entry").find(f"{namespace}Node").find(f"{namespace}SourceLocation").attrib.get("snippet") + description = Type + "\n" + severity = self.fpr_severity(Confidence, InstanceSeverity) + description += "**ClassID:** " + ClassID + "\n" + description += "**Kingdom:** " + Kingdom + "\n" + description += "**AnalyzerName:** " + AnalyzerName + "\n" + description += "**DefaultSeverity:** " + DefaultSeverity + "\n" + description += "**InstanceID:** " + InstanceID + "\n" + description += "**InstanceSeverity:** " + InstanceSeverity + "\n" + description += "**Confidence:** " + Confidence + "\n" + description 
+= "**SourceLocationpath:** " + str(SourceLocationpath) + "\n" + description += "**SourceLocationline:** " + str(SourceLocationline) + "\n" + description += "**SourceLocationlineEnd:** " + str(SourceLocationlineEnd) + "\n" + description += "**SourceLocationcolStart:** " + str(SourceLocationcolStart) + "\n" + description += "**SourceLocationcolEnd:** " + str(SourceLocationcolEnd) + "\n" + description += "**SourceLocationsnippet:** " + str(SourceLocationsnippet) + "\n" + items.append( + Finding( + title=Type + " " + ClassID, + severity=severity, + static_finding=True, + test=test, + description=description, + unique_id_from_tool=ClassID, + file_path=SourceLocationpath, + line=SourceLocationline, + ) + ) + return items + def format_title(self, category, filename, line_no): """ Builds the title much like it is represented in Fortify diff --git a/dojo/tools/fortify/DefaultReportDefinitionAllIssues.xml b/unittests/scans/fortify/DefaultReportDefinitionAllIssues.xml similarity index 100% rename from dojo/tools/fortify/DefaultReportDefinitionAllIssues.xml rename to unittests/scans/fortify/DefaultReportDefinitionAllIssues.xml diff --git a/unittests/scans/fortify/audit.fvdl b/unittests/scans/fortify/audit.fvdl new file mode 100644 index 00000000000..0221c8b8ea5 --- /dev/null +++ b/unittests/scans/fortify/audit.fvdl 
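Review bot: `zipdata = {name: input_zip.read(name) for name in input_zip.namelist()}` in parse_fpr decompresses every member of the uploaded .fpr into memory although only `audit.fvdl` is used, so one highly compressible or member-heavy archive can exhaust the worker's memory. Reading only that member after checking its declared `file_size` against a limit bounds the cost, and a `with` block closes the archive, which the new code never does. A missing `audit.fvdl` would then fail with a clear error instead of a bare `KeyError`. Separately, `unique_id_from_tool=ClassID` passes the rule class identifier rather than `InstanceID`, so every finding of the same rule would presumably share one unique id; this should be checked against how deduplication uses that field.

```python
        # … unchanged: the two zipfile.ZipFile(...) branches that set input_zip …
        with input_zip:
            try:
                fvdl_info = input_zip.getinfo("audit.fvdl")
            except KeyError:
                raise ValueError("No audit.fvdl member found in the uploaded .fpr")
            # MAX_FVDL_SIZE is a placeholder: the limit has to be defined by the project
            if fvdl_info.file_size > MAX_FVDL_SIZE:
                raise ValueError("audit.fvdl is larger than the accepted uncompressed size")
            fvdl_bytes = input_zip.read(fvdl_info)
        root = ElementTree.fromstring(fvdl_bytes.decode('utf-8'))
        # … unchanged: namespace detection and the Vulnerabilities loop …
```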
@@ -0,0 +1,23044 @@ + + + + +404dd009-bf42-404e-9aa0-2c18a9ffa842 + + front_end_20240220_629_9_1361_6018341 + front_end_20240220_629_9_1361_6018341 + front_end_20240220_629_9_1361_6018341 + 58 + 2707 + 2942 + 1850 + 961 + 23648 + /var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src + + + public/js/js.cookie.js + 76 + 93 + + + /opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/checkout1.html.js + + + api/catalogue/index.js + 18 + 18 + + + /opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/basket.html.js + + + /opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/detail.html.js + + + public/css/bootstrap.css + + + public/css/bootstrap.min.css.map + + + /opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/checkout3.html.js + + + public/js/waypoints.min.js + + + public/checkout1.html + 18 + 19 + + + nyc.config.js + 8 + 8 + + + public/js/client.js + 168 + 171 + + + /opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/customer-account.html.js + + + public/footer.html + + + public/css/bootstrap.css.map + + + public/customer-account.html + 18 + 19 + + + public/checkout2.html + 18 + 19 + + + /opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/register.html.js + + + 
/opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/customer-wishlist.html.js + + + public/css/bootstrap-theme.min.css.map + + + api/endpoints.js + 17 + 20 + + + api/user/index.js + 201 + 216 + + + public/detail.html + 46 + 50 + + + public/customer-orders.html + 29 + 31 + + + public/customer-order.html + 62 + 64 + + + public/js/bootstrap-hover-dropdown.js + 53 + 57 + + + public/js/main.js + 2 + 2 + + + api/orders/index.js + 97 + 107 + + + public/css/style.blue.css + + + public/js/front.js + 104 + 108 + + + /opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/index.html.js + + + helpers/index.js + 43 + 44 + + + public/checkout4.html + 18 + 19 + + + public/css/bootstrap-theme.min.css + + + /opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/checkout2.html.js + + + public/js/jquery.flexslider.js + 646 + 694 + + + public/customer-wishlist.html + 18 + 19 + + + public/navbar.html + + + /opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/category.html.js + + + public/checkout3.html + 18 + 19 + + + public/js/modernizr.js + 406 + 458 + + + public/index.html + 46 + 48 + + + public/css/bootstrap-theme.css.map + + + public/topbar.html + + + server.js + 41 + 44 + + + api/metrics/index.js + 32 + 32 + + + public/register.html + 16 + 17 + + + public/js/jquery.cookie.js + 53 + 57 + + + /opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/customer-order.html.js + + + public/basket.html + 113 + 124 + + + config.js + 17 + 17 + + + 
public/css/bootstrap.min.css + + + public/category.html + 64 + 72 + + + /opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/checkout4.html.js + + + api/cart/index.js + 97 + 106 + + + public/css/bootstrap-theme.css + + + /opt/fortify/.fortify/sca23.1/build/front_end_20240220_629_9_1361_6018341/extracted/javascript/var/lib/jenkins/workspace/SDM_SockShop_front-end_master/src/public/customer-orders.html.js + + + public/js/jquery.query-object.js + 144 + 170 + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + 1B87289954501EF8FD3861819DD98C27 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + 23E28CD11BFCAD680405E5DFDC19B2AD + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 2335EF74-F5C5-4BE1-89B6-707D1B78D6B3 + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + 378A7E1CCD7EAF9345EB7ABF7532086D + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + + + + 2335EF74-F5C5-4BE1-89B6-707D1B78D6B3 + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + 378A7E1CCD7EAF9345EB7ABF7532086E + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + 3DC38DC403EDD7803A73A0899EBDC5ED + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 2335EF74-F5C5-4BE1-89B6-707D1B78D6B3 + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + 42920BBE559DBC5B968B807FEB9A113C + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + + + + 2335EF74-F5C5-4BE1-89B6-707D1B78D6B3 + Encapsulation + Cross-Site Request Forgery + structural + 
2.0 + + + 42920BBE559DBC5B968B807FEB9A113D + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + + + + B43A5BD2-5F84-42AA-8EAA-B80F2CD81C35 + Security Features + Cookie Security + Missing SameSite Attribute + structural + 2.0 + + + 4EFE8050E359006F813E9D49255D9C47 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.cookie + + + + + + + + + + + B43A5BD2-5F84-42AA-8EAA-B80F2CD81C35 + Security Features + Cookie Security + Missing SameSite Attribute + structural + 2.0 + + + 4EFE8050E359006F813E9D49255D9C48 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.cookie + + + + + + + + + + + 811489B8-AA5B-494C-9074-926A810A1421 + Encapsulation + Hidden Field + content + 2.0 + + + 525403EBED319BD7226D757147D2578A + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + 5D03A154A44EE978139D5F55DE957438 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + 6638777E79A2B9005AE67B6571026BDB + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 8BC604D4-B876-4B22-8F8D-88811E4E2E98 + Security Features + Cookie Security + Cookie not Sent Over SSL + structural + 3.0 + + + 7057618F77921875B7C74CB53F347DBA + 3.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.cookie + + + + + + + + + + + 8BC604D4-B876-4B22-8F8D-88811E4E2E98 + Security Features + Cookie Security + Cookie not Sent Over SSL + structural + 3.0 + + + 7057618F77921875B7C74CB53F347DBB + 3.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.cookie + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 721C6D8636C0DAFB13649026652B7FED + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 
78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 721C6D8636C0DAFB13649026652B7FEE + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 721C6D8636C0DAFB13649026652B7FEF + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 721C6D8636C0DAFB13649026652B7FF0 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 75A8C48FA320333378A792C88F575F4B + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 75A8C48FA320333378A792C88F575F4C + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 83872CC2861B5480CD1AA2F438138EA5 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 83872CC2861B5480CD1AA2F438138EA6 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 83872CC2861B5480CD1AA2F438138EA7 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 839F1A67EEC27529ED185D979A968207 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 839F1A67EEC27529ED185D979A968208 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + 
Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 839F1A67EEC27529ED185D979A968209 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 839F1A67EEC27529ED185D979A96820A + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + A637C7C0AF86C3A38DF40D6F7A1FEF24 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + A637C7C0AF86C3A38DF40D6F7A1FEF25 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + B0A7C67B067BC4DB80EEED53C37D4E41 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + B0BE998B3DEF07E151FAC64685E77F6B + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + B481D7BB2AEAA4C2F381E3AD9DB6B299 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + C2E99AF9DD09C891F101749246267633 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + C85783901853490631AC2FDCE6AC9173 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 
C85783901853490631AC2FDCE6AC9174 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + C85783901853490631AC2FDCE6AC9175 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + C9E2ECE0EED91F9889EB8C0E80BF47EC + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 2335EF74-F5C5-4BE1-89B6-707D1B78D6B3 + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + CD7A377E921B8F8677CDBED8383A5B4C + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + + + + 2335EF74-F5C5-4BE1-89B6-707D1B78D6B3 + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + CD7A377E921B8F8677CDBED8383A5B4D + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + + + + 2335EF74-F5C5-4BE1-89B6-707D1B78D6B3 + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + CD7A377E921B8F8677CDBED8383A5B4E + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + + + + 2335EF74-F5C5-4BE1-89B6-707D1B78D6B3 + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + CD7A377E921B8F8677CDBED8383A5B4F + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + CFA1A6C237BC531DAF5EDE83571C2E4A + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + CFA1A6C237BC531DAF5EDE83571C2E4B + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + CFA1A6C237BC531DAF5EDE83571C2E4C + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request 
Forgery + structural + 2.0 + + + D11BD5C3124BA997C148B4760303826B + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + D11BD5C3124BA997C148B4760303826C + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + D11BD5C3124BA997C148B4760303826D + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 2335EF74-F5C5-4BE1-89B6-707D1B78D6B3 + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + D6B1EF486E73EF31355475787A8C4298 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + + + + 2335EF74-F5C5-4BE1-89B6-707D1B78D6B3 + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + D6B1EF486E73EF31355475787A8C4299 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + + + + C72A3E77-8324-4FF9-B958-74FCDDF39D17 + Security Features + Insecure Transport + External Link + content + 5.0 + + + D739B2E51B127BDFA4FE07B5A7662A44 + 5.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + C72A3E77-8324-4FF9-B958-74FCDDF39D17 + Security Features + Insecure Transport + External Link + content + 5.0 + + + D739B2E51B127BDFA4FE07B5A7662A45 + 5.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 114E5A67-3446-4DD5-B578-D0E6FDBB304E + Encapsulation + Cross-Site Request Forgery + structural + 2.0 + + + DCEDD320CD15B1629421860F75A9E542 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + Name: ~JS_Generic.getJSON + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + E62CA950B4D0A45585669D5C417EFC62 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + 
E62CA950B4D0A45585669D5C417EFC63 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + F8EBA22A2D13CCE0180DFDB32E11C86D + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + F8EBA22A2D13CCE0180DFDB32E11C86E + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + F8EBA22A2D13CCE0180DFDB32E11C86F + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + F9BBA322F3EF4182501DBA402388E4E9 + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + F9BBA322F3EF4182501DBA402388E4EA + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + F9BBA322F3EF4182501DBA402388E4EB + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + 78E0700E-56FE-45A2-A11B-6A560F730576 + Encapsulation + Cross-Site Request Forgery + content + 2.0 + + + F9BBA322F3EF4182501DBA402388E4EC + 2.0 + 5.0 + + + + + + + + + + + + + + + + + + + + + + + + <Content>A cookie is created without the <code>Secure</code> flag set to <code>true</code>.</Content> + <Content>Modern web browsers support a <code>Secure</code> flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier. 
+ <Paragraph> +In this case a cookie is created in <Replace key="PrimaryLocation.file"/> on line <Replace key="PrimaryLocation.line"/>, but the <code>Secure</code> property is not set to <code>true</code>. + </Paragraph> + +<b>Example 1:</b> In the following example, a cookie is added to the response without setting the <code>Secure</code> property to <code>true</code>. +<pre> + res.cookie('important_cookie', info, {domain: 'secure.example.com', path: '/admin', httpOnly: true}); +</pre> + +If your application uses both HTTPS and HTTP but does not set the <code>Secure</code> flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.</Content> + <Content>Set the <code>Secure</code> flag on all new cookies to instruct browsers not to send these cookies in the clear. 
+ +<b>Example 2:</b> +<pre> + res.cookie('important_cookie', info, {domain: 'secure.example.com', path: '/admin', httpOnly: true, secure: true}); +</pre></Content> + + + Automated HTTPS Cookie Hijacking + Mike Perry + http://fscked.org/blog/fully-automated-active-https-cookie-hijacking + + + Node.js Security Checklist + https://blog.risingstack.com/node-js-security-checklist/ + + + CWE ID 614 + Standards Mapping - Common Weakness Enumeration + + + CCI-001184, CCI-002418, CCI-002420, CCI-002421, CCI-002422 + Standards Mapping - DISA Control Correlation Identifier Version 2 + + + CM, SC + Standards Mapping - FIPS200 + + + Insufficient Data Protection + Standards Mapping - General Data Protection Regulation + + + SC-8 Transmission Confidentiality and Integrity (P1) + Standards Mapping - NIST Special Publication 800-53 Revision 4 + + + SC-8 Transmission Confidentiality and Integrity + Standards Mapping - NIST Special Publication 800-53 Revision 5 + + + API8 Security Misconfiguration + Standards Mapping - OWASP API Top 10 2023 + + + 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 3.2.3 Session Binding Requirements (L1 L2 L3), 3.4.1 Cookie-based Session Management (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3) + Standards Mapping - OWASP Application Security Verification Standard 4.0 + + + M4 Unintended Data Leakage + Standards Mapping - OWASP Mobile Top 10 Risks 2014 + + + M8 Security Misconfiguration + Standards Mapping - OWASP Mobile Top 10 Risks 2023 + + + A10 Insecure Configuration Management + Standards Mapping - OWASP Top 10 2004 + + + A9 Insecure Communications + Standards Mapping - OWASP Top 10 2007 + + + A9 Insufficient Transport Layer Protection + Standards Mapping - OWASP Top 10 2010 + + + A6 Sensitive Data Exposure + Standards Mapping - OWASP Top 10 2013 + + + A3 Sensitive Data Exposure + Standards Mapping - OWASP Top 10 2017 + + + A05 Security Misconfiguration + Standards Mapping - OWASP Top 10 2021 + + + Requirement 4.1, 
Requirement 6.5.3 + Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 + + + Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.7, Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 + + + Requirement 4.1, Requirement 6.5.4 + Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 + + + Requirement 4.1, Requirement 6.5.4, Requirement 6.5.10 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 + + + Requirement 4.1, Requirement 6.5.4, Requirement 6.5.10 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 + + + Requirement 4.1, Requirement 6.5.4, Requirement 6.5.10 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 + + + Requirement 4.1, Requirement 6.5.4, Requirement 6.5.10 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 + + + Requirement 4.2.1, Requirement 6.2.4 + Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 + + + Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography + Standards Mapping - Payment Card Industry Software Security Framework 1.0 + + + Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography + Standards Mapping - Payment Card Industry Software Security Framework 1.1 + + + Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications + Standards Mapping - Payment Card Industry Software Security Framework 1.2 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.1 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.10 + + + APP3250.1 CAT I, 
APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.4 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.5 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.6 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.7 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.9 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.1 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.10 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.11 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.2 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.3 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.4 + + + APSC-DV-002220 CAT II, 
APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.5 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.6 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.7 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.8 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.9 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.1 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.2 + + + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.3 + + + Insufficient Authentication + Standards Mapping - Web Application Security Consortium 24 + 2 + + + Insufficient Transport Layer Protection (WASC-04) + Standards Mapping - Web Application Security Consortium Version 2.00 + + + + + <Content>The program fails to set the <code>SameSite</code> attribute on session cookies.</Content> + <Content>Browsers automatically append cookies to every HTTP request made to the site that sets the cookie. 
Cookies might store sensitive data such as session ID and authorization token or site data that is shared between different requests to the same site during a session. An attacker can perform an impersonation attack by generating a request to the authenticated site from a third-party site page loaded on the client machine because the browser automatically appends the cookie to the request. + +The <code>SameSite</code> attribute limits the scope of the cookie so that it is only attached to a request if the request is generated from first-party or same-site context. This helps to protect cookies from Cross-Site Request Forgery (CSRF) attacks. The <code>SameSite</code> attribute can have the following three values: + +- <b>Strict</b>: When set to <code>Strict</code>, cookies are only sent along with requests upon top-level navigation. +- <b>Lax</b>: When set to <code>Lax</code>, cookies are sent with top-level navigation from the same host as well as GET requests originating from third-party sites, including those that have either <code>iframe</code> or <code>href</code> tags that link to the host site. For example, suppose there is a third-party site that has either <code>iframe</code> or <code>href</code> tags that link to the host site. If a user follows the link, the request will include the cookie. +- <b>None</b>: Cookies are sent in all requests made to the site within the path and domain scope set for the cookie. Requests generated due to form submissions using the POST method are also allowed to send cookies with the request. + +<Paragraph> +In this case, the <code>SameSite</code> property is set to <code>None</code>, <code>false</code>, or is omitted in <Replace key="PrimaryLocation.file"/> on line <Replace key="PrimaryLocation.line"/>. +</Paragraph> + +<b>Example 1:</b> The following code disables the <code>SameSite</code> attribute for session cookies. +<pre> +app.get('/', function (req, res) { + ... + res.cookie('name', 'Foo', { sameSite: false }); + ... 
+} +</pre> + + </Content> + <Content>Enable the <code>SameSite</code> attribute when creating session cookies. To do this, set the <code>SameSite</code> field to <code>Strict</code> or <code>Lax</code> in your cookie configuration. + +<b>Example 2:</b> The following code enables the <code>SameSite</code> attribute for session cookies. +<pre> +app.get('/', function (req, res) { + ... + res.cookie('name', 'Foo', { sameSite: "Strict" }); + ... +} +</pre> + +Furthermore, Fortify recommends that developers continue to add traditional Cross-Site Request Forgery (CSRF) mitigations to the site along with the <code>SameSite</code> attribute. Many users might use older browser versions to access the site. Older browser versions do not suppport the <code>SameSite</code> attribute. + </Content> + + + HTTP State Management Mechanism + Internet Engineering Task Force + https://datatracker.ietf.org/doc/html/rfc6265 + + + SameSite Browser Compatibility + Can I Use + https://caniuse.com/?search=samesite + + + CWE ID 352 + Standards Mapping - Common Weakness Enumeration + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2019 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2020 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2021 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2022 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2023 + + + CCI-001310, CCI-001941, CCI-001942 + Standards Mapping - DISA Control Correlation Identifier Version 2 + + + Access Violation + Standards Mapping - General Data Protection Regulation + + + SC-23 Session Authenticity (P1) + Standards Mapping - NIST Special Publication 800-53 Revision 4 + + + SC-23 Session Authenticity + Standards Mapping - NIST Special Publication 800-53 Revision 5 + + + 3.4.3 Cookie-based Session Management (L1 L2 L3) + Standards Mapping - OWASP Application Security Verification Standard 
4.0 + + + M5 Poor Authorization and Authentication + Standards Mapping - OWASP Mobile Top 10 Risks 2014 + + + M3 Insecure Authentication/Authorization + Standards Mapping - OWASP Mobile Top 10 Risks 2023 + + + A5 Cross Site Request Forgery (CSRF) + Standards Mapping - OWASP Top 10 2007 + + + A5 Cross-Site Request Forgery (CSRF) + Standards Mapping - OWASP Top 10 2010 + + + A8 Cross-Site Request Forgery (CSRF) + Standards Mapping - OWASP Top 10 2013 + + + A01 Broken Access Control + Standards Mapping - OWASP Top 10 2021 + + + Requirement 6.5.5 + Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 + + + Requirement 6.2.4 + Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 + + + Control Objective 5.4 - Authentication and Access Control + Standards Mapping - Payment Card Industry Software Security Framework 1.0 + + + Control Objective 5.4 - Authentication and Access Control + Standards Mapping - Payment Card Industry Software Security Framework 1.1 + + + Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls + Standards Mapping - Payment Card Industry Software Security Framework 1.2 + + + Insecure Interaction - CWE ID 352 + Standards Mapping - SANS Top 25 2009 + + + Insecure Interaction - CWE ID 352 + Standards Mapping - SANS Top 25 2010 + + + Insecure Interaction - CWE ID 352 + Standards Mapping - SANS Top 25 2011 + + + APP3585 CAT II + Standards 
Mapping - Security Technical Implementation Guide Version 3.1 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.10 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.4 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.5 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.6 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.7 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.9 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.1 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.10 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.11 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.2 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.3 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.4 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.5 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.6 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.7 + + + APSC-DV-001620 CAT II, 
APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.8 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.9 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.1 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.2 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.3 + + + Cross-Site Request Forgery + Standards Mapping - Web Application Security Consortium 24 + 2 + + + Cross-Site Request Forgery (WASC-09) + Standards Mapping - Web Application Security Consortium Version 2.00 + + + + + <Content><Paragraph>The HTTP request at <Replace key="PrimaryLocation.file"/> line <Replace key="PrimaryLocation.line"/> must contain a user-specific secret to prevent an attacker from making unauthorized requests.<AltParagraph>HTTP requests must contain a user-specific secret to prevent an attacker from making unauthorized requests.</AltParagraph></Paragraph></Content> + <Content>A cross-site request forgery (CSRF) vulnerability occurs when: +1. A web application uses session cookies. + +2. The application acts on an HTTP request without verifying that the request was made with the user's consent. + +<Paragraph> +In this case, the application generates an HTTP request at <Replace key="PrimaryLocation.file"/> line <Replace key="PrimaryLocation.line"/>. +</Paragraph> + +A nonce is a cryptographic random value that is sent with a message to prevent replay attacks. If the request does not contain a nonce that proves its provenance, the code that handles the request is vulnerable to a CSRF attack (unless it does not change the state of the application). 
This means a web application that uses session cookies has to take special precautions to ensure that an attacker can't trick users into submitting bogus requests. Imagine a web application that allows administrators to create new accounts as follows: + + +<pre> + var req = new XMLHttpRequest(); + req.open("POST", "/new_user", true); + body = addToPost(body, new_username); + body = addToPost(body, new_passwd); + req.send(body); +</pre> + +An attacker might set up a malicious web site that contains the following code. + +<pre> + var req = new XMLHttpRequest(); + req.open("POST", "http://www.example.com/new_user", true); + body = addToPost(body, "attacker"); + body = addToPost(body, "haha"); + req.send(body); +</pre> + +If an administrator for <code>example.com</code> visits the malicious page while she has an active session on the site, she will unwittingly create an account for the attacker. This is a CSRF attack. It is possible because the application does not have a way to determine the provenance of the request. Any request could be a legitimate action chosen by the user or a faked action set up by an attacker. The attacker does not get to see the Web page that the bogus request generates, so the attack technique is only useful for requests that alter the state of the application. + +Applications that pass the session identifier in the URL rather than as a cookie do not have CSRF problems because there is no way for the attacker to access the session identifier and include it as part of the bogus request. +CSRF is entry number five on the 2007 OWASP Top 10 list.</Content> + <Content>Applications that use session cookies must include some piece of information in every form post that the back-end code can use to validate the provenance of the request. 
One way to do that is to include a random request identifier or nonce, as follows: + +<pre> + RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, "/new_user"); + body = addToPost(body, new_username); + body = addToPost(body, new_passwd); + body = addToPost(body, request_id); + rb.sendRequest(body, new NewAccountCallback(callback)); +</pre> + +Then the back-end logic can validate the request identifier before processing the rest of the form data. When possible, the request identifier should be unique to each server request rather than shared across every request for a particular session. As with session identifiers, the harder it is for an attacker to guess the request identifier, the harder it is to conduct a successful CSRF attack. The token should not be easily guessed and it should be protected in the same way that session tokens are protected, such as using SSLv3. + +Additional mitigation techniques include: + +<b>Framework protection:</b> Most modern web application frameworks embed CSRF protection and they will automatically include and verify CSRF tokens. +<b>Use a Challenge-Response control:</b> Forcing the customer to respond to a challenge sent by the server is a strong defense against CSRF. Some of the challenges that can be used for this purpose are: CAPTCHAs, password re-authentication and one-time tokens. +<b>Check HTTP Referer/Origin headers:</b> An attacker won't be able to spoof these headers while performing a CSRF attack. This makes these headers a useful method to prevent CSRF attacks. +<b>Double-submit Session Cookie:</b> Sending the session ID Cookie as a hidden form value in addition to the actual session ID Cookie is a good protection against CSRF attacks. The server will check both values and make sure they are identical before processing the rest of the form data. If an attacker submits a form in behalf of a user, he won't be able to modify the session ID cookie value as per the same-origin-policy. 
+<b>Limit Session Lifetime:</b> When accessing protected resources using a CSRF attack, the attack will only be valid as long as the session ID sent as part of the attack is still valid on the server. Limiting the Session lifetime will reduce the probability of a successful attack. + +The techniques described here can be defeated with XSS attacks. Effective CSRF mitigation includes XSS mitigation techniques. + + </Content> + + Fortify Static Code Analyzer flags all HTML forms and all XMLHttpRequest objects that might perform either a GET or POST operation. The auditor must determine if each form is valuable to an attacker as a CSRF target and whether or not an appropriate mitigation technique is in place. + + + + Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics + A. Klein + http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf + + + 2007 OWASP Top 10 + OWASP + http://www.owasp.org/index.php/Top_10_2007 + + + CWE ID 352 + Standards Mapping - Common Weakness Enumeration + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2019 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2020 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2021 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2022 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2023 + + + CCI-001310, CCI-001941, CCI-001942 + Standards Mapping - DISA Control Correlation Identifier Version 2 + + + Access Violation + Standards Mapping - General Data Protection Regulation + + + SC-23 Session Authenticity (P1) + Standards Mapping - NIST Special Publication 800-53 Revision 4 + + + SC-23 Session Authenticity + Standards Mapping - NIST Special Publication 800-53 Revision 5 + + + 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification 
Requirements (L1 L2 L3) + Standards Mapping - OWASP Application Security Verification Standard 4.0 + + + M5 Poor Authorization and Authentication + Standards Mapping - OWASP Mobile Top 10 Risks 2014 + + + M3 Insecure Authentication/Authorization + Standards Mapping - OWASP Mobile Top 10 Risks 2023 + + + A5 Cross Site Request Forgery (CSRF) + Standards Mapping - OWASP Top 10 2007 + + + A5 Cross-Site Request Forgery (CSRF) + Standards Mapping - OWASP Top 10 2010 + + + A8 Cross-Site Request Forgery (CSRF) + Standards Mapping - OWASP Top 10 2013 + + + A01 Broken Access Control + Standards Mapping - OWASP Top 10 2021 + + + Requirement 6.5.5 + Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 + + + Requirement 6.2.4 + Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 + + + Control Objective 5.4 - Authentication and Access Control + Standards Mapping - Payment Card Industry Software Security Framework 1.0 + + + Control Objective 5.4 - Authentication and Access Control + Standards Mapping - Payment Card Industry Software Security Framework 1.1 + + + Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls + Standards Mapping - Payment Card Industry Software Security Framework 1.2 + + + Insecure Interaction - CWE ID 352 + Standards Mapping - SANS Top 25 2009 + + + Insecure Interaction - CWE ID 352 + Standards Mapping - SANS Top 25 2010 + + + Insecure 
Interaction - CWE ID 352 + Standards Mapping - SANS Top 25 2011 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.1 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.10 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.4 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.5 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.6 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.7 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.9 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.1 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.10 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.11 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.2 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.3 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.4 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.5 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.6 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + 
Standards Mapping - Security Technical Implementation Guide Version 4.7 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.8 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.9 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.1 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.2 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.3 + + + Cross-Site Request Forgery + Standards Mapping - Web Application Security Consortium 24 + 2 + + + Cross-Site Request Forgery (WASC-09) + Standards Mapping - Web Application Security Consortium Version 2.00 + + + + + <Content><Paragraph>The form post at <Replace key="PrimaryLocation.file"/> line <Replace key="PrimaryLocation.line"/> must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.<AltParagraph>Form posts must contain a user-specific secret in order to prevent an attacker from making unauthorized requests.</AltParagraph></Paragraph></Content> + <Content>A cross-site request forgery (CSRF) vulnerability occurs when: +1. A Web application uses session cookies. + +2. The application acts on an HTTP request without verifying that the request was made with the user's consent. + +<Paragraph> +In this case, the application generates HTTP request via a form post at <Replace key="PrimaryLocation.file"/> line <Replace key="PrimaryLocation.line"/>. +</Paragraph> + +A nonce is a cryptographic random value that is sent with a message to prevent replay attacks. 
If the request does not contain a nonce that proves its provenance, the code that handles the request is vulnerable to a CSRF attack (unless it does not change the state of the application). This means a Web application that uses session cookies has to take special precautions in order to ensure that an attacker can't trick users into submitting bogus requests. Imagine a Web application that allows administrators to create new accounts by submitting this form: + +<pre> +&lt;form method="POST" action="/new_user" &gt; + Name of new user: &lt;input type="text" name="username"&gt; + Password for new user: &lt;input type="password" name="user_passwd"&gt; + &lt;input type="submit" name="action" value="Create User"&gt; +&lt;/form&gt; +</pre> + +An attacker might set up a Web site with the following: + +<pre> +&lt;form method="POST" action="http://www.example.com/new_user"&gt; + &lt;input type="hidden" name="username" value="hacker"&gt; + &lt;input type="hidden" name="user_passwd" value="hacked"&gt; +&lt;/form&gt; +&lt;script&gt; + document.usr_form.submit(); +&lt;/script&gt; +</pre> + +If an administrator for <code>example.com</code> visits the malicious page while she has an active session on the site, she will unwittingly create an account for the attacker. This is a CSRF attack. It is possible because the application does not have a way to determine the provenance of the request. Any request could be a legitimate action chosen by the user or a faked action set up by an attacker. The attacker does not get to see the Web page that the bogus request generates, so the attack technique is only useful for requests that alter the state of the application. + +Applications that pass the session identifier in the URL rather than as a cookie do not have CSRF problems because there is no way for the attacker to access the session identifier and include it as part of the bogus request. 
+ +CSRF is entry number five on the 2007 OWASP Top 10 list.</Content> + <Content>Applications that use session cookies must include some piece of information in every form post that the back-end code can use to validate the provenance of the request. One way to do that is to include a random request identifier or nonce, as follows: + +<pre> + RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, "/new_user"); + body = addToPost(body, new_username); + body = addToPost(body, new_passwd); + body = addToPost(body, request_id); + rb.sendRequest(body, new NewAccountCallback(callback)); +</pre> + +Then the back-end logic can validate the request identifier before processing the rest of the form data. When possible, the request identifier should be unique to each server request rather than shared across every request for a particular session. As with session identifiers, the harder it is for an attacker to guess the request identifier, the harder it is to conduct a successful CSRF attack. The token should not be easily guessed and it should be protected in the same way that session tokens are protected, such as using SSLv3. + +Additional mitigation techniques include: + +<b>Framework protection:</b> Most modern web application frameworks embed CSRF protection and they will automatically include and verify CSRF tokens. +<b>Use a Challenge-Response control:</b> Forcing the customer to respond to a challenge sent by the server is a strong defense against CSRF. Some of the challenges that can be used for this purpose are: CAPTCHAs, password re-authentication and one-time tokens. +<b>Check HTTP Referer/Origin headers:</b> An attacker won't be able to spoof these headers while performing a CSRF attack. This makes these headers a useful method to prevent CSRF attacks. +<b>Double-submit Session Cookie:</b> Sending the session ID Cookie as a hidden form value in addition to the actual session ID Cookie is a good protection against CSRF attacks. 
The server will check both values and make sure they are identical before processing the rest of the form data. If an attacker submits a form in behalf of a user, he won't be able to modify the session ID cookie value as per the same-origin-policy. +<b>Limit Session Lifetime:</b> When accessing protected resources using a CSRF attack, the attack will only be valid as long as the session ID sent as part of the attack is still valid on the server. Limiting the Session lifetime will reduce the probability of a successful attack. + +The techniques described here can be defeated with XSS attacks. Effective CSRF mitigation includes XSS mitigation techniques. +</Content> + + Fortify Static Code Analyzer flags all HTML forms and XMLHttpRequest objects that might perform either a GET or POST operation. The auditor must determine if each form is valuable to an attacker as a CSRF target and whether or not an appropriate mitigation technique is in place. + + + + Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics + A. 
Klein + http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf + + + 2007 OWASP Top 10 + OWASP + http://www.owasp.org/index.php/Top_10_2007 + + + CWE ID 352 + Standards Mapping - Common Weakness Enumeration + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2019 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2020 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2021 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2022 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2023 + + + CCI-001310, CCI-001941, CCI-001942 + Standards Mapping - DISA Control Correlation Identifier Version 2 + + + Access Violation + Standards Mapping - General Data Protection Regulation + + + SC-23 Session Authenticity (P1) + Standards Mapping - NIST Special Publication 800-53 Revision 4 + + + SC-23 Session Authenticity + Standards Mapping - NIST Special Publication 800-53 Revision 5 + + + 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3) + Standards Mapping - OWASP Application Security Verification Standard 4.0 + + + M5 Poor Authorization and Authentication + Standards Mapping - OWASP Mobile Top 10 Risks 2014 + + + M3 Insecure Authentication/Authorization + Standards Mapping - OWASP Mobile Top 10 Risks 2023 + + + A5 Cross Site Request Forgery (CSRF) + Standards Mapping - OWASP Top 10 2007 + + + A5 Cross-Site Request Forgery (CSRF) + Standards Mapping - OWASP Top 10 2010 + + + A8 Cross-Site Request Forgery (CSRF) + Standards Mapping - OWASP Top 10 2013 + + + A01 Broken Access Control + Standards Mapping - OWASP Top 10 2021 + + + Requirement 6.5.5 + Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 
2.0 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 + + + Requirement 6.2.4 + Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 + + + Control Objective 5.4 - Authentication and Access Control + Standards Mapping - Payment Card Industry Software Security Framework 1.0 + + + Control Objective 5.4 - Authentication and Access Control + Standards Mapping - Payment Card Industry Software Security Framework 1.1 + + + Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls + Standards Mapping - Payment Card Industry Software Security Framework 1.2 + + + Insecure Interaction - CWE ID 352 + Standards Mapping - SANS Top 25 2009 + + + Insecure Interaction - CWE ID 352 + Standards Mapping - SANS Top 25 2010 + + + Insecure Interaction - CWE ID 352 + Standards Mapping - SANS Top 25 2011 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.1 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.10 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.4 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.5 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.6 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.7 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.9 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - 
Security Technical Implementation Guide Version 4.1 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.10 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.11 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.2 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.3 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.4 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.5 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.6 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.7 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.8 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.9 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.1 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.2 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.3 + + + Cross-Site 
Request Forgery + Standards Mapping - Web Application Security Consortium 24 + 2 + + + Cross-Site Request Forgery (WASC-09) + Standards Mapping - Web Application Security Consortium Version 2.00 + + + + + <Content><Paragraph>The HTTP request at <Replace key="PrimaryLocation.file"/> line <Replace key="PrimaryLocation.line"/> must contain a user-specific secret to prevent an attacker from making unauthorized requests.<AltParagraph>HTTP requests must contain a user-specific secret to prevent an attacker from making unauthorized requests.</AltParagraph></Paragraph></Content> + <Content>A cross-site request forgery (CSRF) vulnerability occurs when: +1. A web application uses session cookies. + +2. The application acts on an HTTP request without verifying that the request was made with the user's consent. + +<Paragraph> +In this case, the application generates an HTTP request at <Replace key="PrimaryLocation.file"/> line <Replace key="PrimaryLocation.line"/>. +</Paragraph> + +A nonce is a cryptographic random value that is sent with a message to prevent replay attacks. If the request does not contain a nonce that proves its provenance, the code that handles the request is vulnerable to a CSRF attack (unless it does not change the state of the application). This means a web application that uses session cookies has to take special precautions to ensure that an attacker can't trick users into submitting bogus requests. Imagine a web application that allows administrators to create new accounts as follows: + + +<pre> + var req = new XMLHttpRequest(); + req.open("POST", "/new_user", true); + body = addToPost(body, new_username); + body = addToPost(body, new_passwd); + req.send(body); +</pre> + +An attacker might set up a malicious web site that contains the following code. 
+ +<pre> + var req = new XMLHttpRequest(); + req.open("POST", "http://www.example.com/new_user", true); + body = addToPost(body, "attacker"); + body = addToPost(body, "haha"); + req.send(body); +</pre> + +If an administrator for <code>example.com</code> visits the malicious page while she has an active session on the site, she will unwittingly create an account for the attacker. This is a CSRF attack. It is possible because the application does not have a way to determine the provenance of the request. Any request could be a legitimate action chosen by the user or a faked action set up by an attacker. The attacker does not get to see the Web page that the bogus request generates, so the attack technique is only useful for requests that alter the state of the application. + +Applications that pass the session identifier in the URL rather than as a cookie do not have CSRF problems because there is no way for the attacker to access the session identifier and include it as part of the bogus request. +CSRF is entry number five on the 2007 OWASP Top 10 list.</Content> + <Content>Applications that use session cookies must include some piece of information in every form post that the back-end code can use to validate the provenance of the request. One way to do that is to include a random request identifier or nonce, as follows: + +<pre> + RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, "/new_user"); + body = addToPost(body, new_username); + body = addToPost(body, new_passwd); + body = addToPost(body, request_id); + rb.sendRequest(body, new NewAccountCallback(callback)); +</pre> + +Then the back-end logic can validate the request identifier before processing the rest of the form data. When possible, the request identifier should be unique to each server request rather than shared across every request for a particular session. 
As with session identifiers, the harder it is for an attacker to guess the request identifier, the harder it is to conduct a successful CSRF attack. The token should not be easily guessed and it should be protected in the same way that session tokens are protected, such as using SSLv3. + +Additional mitigation techniques include: + +<b>Framework protection:</b> Most modern web application frameworks embed CSRF protection and they will automatically include and verify CSRF tokens. +<b>Use a Challenge-Response control:</b> Forcing the customer to respond to a challenge sent by the server is a strong defense against CSRF. Some of the challenges that can be used for this purpose are: CAPTCHAs, password re-authentication and one-time tokens. +<b>Check HTTP Referer/Origin headers:</b> An attacker won't be able to spoof these headers while performing a CSRF attack. This makes these headers a useful method to prevent CSRF attacks. +<b>Double-submit Session Cookie:</b> Sending the session ID Cookie as a hidden form value in addition to the actual session ID Cookie is a good protection against CSRF attacks. The server will check both values and make sure they are identical before processing the rest of the form data. If an attacker submits a form in behalf of a user, he won't be able to modify the session ID cookie value as per the same-origin-policy. +<b>Limit Session Lifetime:</b> When accessing protected resources using a CSRF attack, the attack will only be valid as long as the session ID sent as part of the attack is still valid on the server. Limiting the Session lifetime will reduce the probability of a successful attack. + +The techniques described here can be defeated with XSS attacks. Effective CSRF mitigation includes XSS mitigation techniques. + + </Content> + + Fortify Static Code Analyzer flags all HTML forms and all XMLHttpRequest objects that might perform either a GET or POST operation. 
The auditor must determine if each form is valuable to an attacker as a CSRF target and whether or not an appropriate mitigation technique is in place. + + + + Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics + A. Klein + http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf + + + 2007 OWASP Top 10 + OWASP + http://www.owasp.org/index.php/Top_10_2007 + + + CWE ID 352 + Standards Mapping - Common Weakness Enumeration + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2019 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2020 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2021 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2022 + + + [9] CWE ID 352 + Standards Mapping - Common Weakness Enumeration Top 25 2023 + + + CCI-001310, CCI-001941, CCI-001942 + Standards Mapping - DISA Control Correlation Identifier Version 2 + + + Access Violation + Standards Mapping - General Data Protection Regulation + + + SC-23 Session Authenticity (P1) + Standards Mapping - NIST Special Publication 800-53 Revision 4 + + + SC-23 Session Authenticity + Standards Mapping - NIST Special Publication 800-53 Revision 5 + + + 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3) + Standards Mapping - OWASP Application Security Verification Standard 4.0 + + + M5 Poor Authorization and Authentication + Standards Mapping - OWASP Mobile Top 10 Risks 2014 + + + M3 Insecure Authentication/Authorization + Standards Mapping - OWASP Mobile Top 10 Risks 2023 + + + A5 Cross Site Request Forgery (CSRF) + Standards Mapping - OWASP Top 10 2007 + + + A5 Cross-Site Request Forgery (CSRF) + Standards Mapping - OWASP Top 10 2010 + + + A8 Cross-Site Request Forgery (CSRF) + Standards Mapping - OWASP Top 10 2013 + + + A01 Broken 
Access Control + Standards Mapping - OWASP Top 10 2021 + + + Requirement 6.5.5 + Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 + + + Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 + + + Requirement 6.2.4 + Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 + + + Control Objective 5.4 - Authentication and Access Control + Standards Mapping - Payment Card Industry Software Security Framework 1.0 + + + Control Objective 5.4 - Authentication and Access Control + Standards Mapping - Payment Card Industry Software Security Framework 1.1 + + + Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls + Standards Mapping - Payment Card Industry Software Security Framework 1.2 + + + Insecure Interaction - CWE ID 352 + Standards Mapping - SANS Top 25 2009 + + + Insecure Interaction - CWE ID 352 + Standards Mapping - SANS Top 25 2010 + + + Insecure Interaction - CWE ID 352 + Standards Mapping - SANS Top 25 2011 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.1 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.10 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.4 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.5 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.6 + + + APP3585 CAT II + Standards 
Mapping - Security Technical Implementation Guide Version 3.7 + + + APP3585 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.9 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.1 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.10 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.11 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.2 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.3 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.4 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.5 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.6 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.7 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.8 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.9 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.1 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, 
APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.2 + + + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.3 + + + Cross-Site Request Forgery + Standards Mapping - Web Application Security Consortium 24 + 2 + + + Cross-Site Request Forgery (WASC-09) + Standards Mapping - Web Application Security Consortium Version 2.00 + + + + + <Content><Paragraph>A hidden form field is used in <Replace key="PrimaryLocation.file"/> on line <Replace key="PrimaryLocation.line"/>.<AltParagraph>A hidden form field is used.</AltParagraph></Paragraph></Content> + <Content>Programmers often trust the contents of hidden fields, expecting that users will not be able to view them or manipulate their contents. Attackers will violate these assumptions. They will examine the values written to hidden fields and alter them or replace the contents with attack data. + +<b>Example:</b> An <code>&lt;input&gt;</code> tag of type <code>hidden</code> indicates the use of a hidden field. +<pre> +&lt;input type="hidden"&gt; +</pre> + +If hidden fields carry sensitive information, this information will be cached the same way the rest of the page is cached. This can lead to sensitive information being tucked away in the browser cache without the user's knowledge.</Content> + <Content>Expect that attackers will study and decode all uses of hidden fields in the application. Treat hidden fields as untrusted input. 
Don't store information in hidden fields if the information should not be cached along with the rest of the page.</Content> + + + CWE ID 472 + Standards Mapping - Common Weakness Enumeration + + + CCI-002420 + Standards Mapping - DISA Control Correlation Identifier Version 2 + + + MASVS-STORAGE-2 + Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 + + + M4 Unintended Data Leakage + Standards Mapping - OWASP Mobile Top 10 Risks 2014 + + + A04 Insecure Design + Standards Mapping - OWASP Top 10 2021 + + + Risky Resource Management - CWE ID 642 + Standards Mapping - SANS Top 25 2009 + + + APP3610 CAT I + Standards Mapping - Security Technical Implementation Guide Version 3.1 + + + APP3610 CAT I + Standards Mapping - Security Technical Implementation Guide Version 3.10 + + + APP3610 CAT I + Standards Mapping - Security Technical Implementation Guide Version 3.4 + + + APP3610 CAT I + Standards Mapping - Security Technical Implementation Guide Version 3.5 + + + APP3610 CAT I + Standards Mapping - Security Technical Implementation Guide Version 3.6 + + + APP3610 CAT I + Standards Mapping - Security Technical Implementation Guide Version 3.7 + + + APP3610 CAT I + Standards Mapping - Security Technical Implementation Guide Version 3.9 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 4.1 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 4.10 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 4.11 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 4.2 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 4.3 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 4.4 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 4.5 + + + 
APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 4.6 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 4.7 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 4.8 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 4.9 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 5.1 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 5.2 + + + APSC-DV-002485 CAT I + Standards Mapping - Security Technical Implementation Guide Version 5.3 + + + Information Leakage + Standards Mapping - Web Application Security Consortium 24 + 2 + + + Information Leakage (WASC-13) + Standards Mapping - Web Application Security Consortium Version 2.00 + + + + + <Content><Paragraph>The file <Replace key="PrimaryLocation.file"/> on line <Replace key="PrimaryLocation.line"/> links to a third-party site over an unencrypted channel.<AltParagraph>The file links to a third-party site over an unencrypted channel.</AltParagraph></Paragraph></Content> + <Content>Ensure that hyperlinks on your web pages only link to secure locations to prevent any user-compromise when navigating around your website. Even if the link redirects from an insecure protocol (such as HTTP) to a secure protocol (such as HTTPS), the initial connection over an unencrypted channel enables an attacker to perform a man-in-the-middle (MiTM) attack. This enables the attacker to control the page the resulting landing page. + +<b>Example:</b> Consider the following hyperlink: +<pre> +&lt;a href="http://www.example.com/index.html"/&gt; +</pre> + +If an attacker is listening to the network traffic between the user and the server, the attacker can imitate or manipulate <code>www.example.com</code> to load their own web page. 
+ +Links to third-party websites might not initially be considered important to secure, but any compromise can appear to a user as coming from a link on your web page and can therefore lower user trust in using your platform.</Content> + <Content>Keep control over the web pages linked on your website, and if possible ensure that the links are always loaded over a secure protocol. If an insecure protocol is required by the destination server, provide a warning to inform the user that there is some additional risk from clicking the link. Do not include scripts or other artifacts from third-party sites where possible.</Content> + + + CWE ID 297 + Standards Mapping - Common Weakness Enumeration + + + [13] CWE ID 287, [25] CWE ID 295 + Standards Mapping - Common Weakness Enumeration Top 25 2019 + + + [14] CWE ID 287 + Standards Mapping - Common Weakness Enumeration Top 25 2020 + + + [14] CWE ID 287 + Standards Mapping - Common Weakness Enumeration Top 25 2021 + + + [14] CWE ID 287 + Standards Mapping - Common Weakness Enumeration Top 25 2022 + + + [13] CWE ID 287 + Standards Mapping - Common Weakness Enumeration Top 25 2023 + + + CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123 + Standards Mapping - DISA Control Correlation Identifier Version 2 + + + CM, SC + Standards Mapping - FIPS200 + + + Insufficient Data Protection + Standards Mapping - General Data Protection Regulation + + + SC-8 Transmission Confidentiality and Integrity (P1) + Standards Mapping - NIST Special Publication 800-53 Revision 4 + + + SC-8 Transmission Confidentiality and Integrity + Standards Mapping - NIST Special Publication 800-53 Revision 5 + + + API10 Unsafe Consumption of APIs + Standards Mapping - OWASP API Top 10 2023 + + + 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or 
Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3) + Standards Mapping - OWASP Application Security Verification Standard 4.0 + + + MASVS-NETWORK-1, MASVS-PLATFORM-2 + Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 + + + M3 Insufficient Transport Layer Protection + Standards Mapping - OWASP Mobile Top 10 Risks 2014 + + + M5 Insecure Communication + Standards Mapping - OWASP Mobile Top 10 Risks 2023 + + + A3 Broken Authentication and Session Management + Standards Mapping - OWASP Top 10 2004 + + + A9 Insecure Communications + Standards Mapping - OWASP Top 10 2007 + + + A9 Insufficient Transport Layer Protection + Standards Mapping - OWASP Top 10 2010 + + + A6 Sensitive Data Exposure + Standards Mapping - OWASP Top 10 2013 + + + A3 Sensitive Data Exposure + Standards Mapping - OWASP Top 10 2017 + + + A05 Security Misconfiguration + Standards Mapping - OWASP Top 10 2021 + + + Requirement 4.1, Requirement 6.5.10 + Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 + + + Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9 + Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 + + + Requirement 4.1, Requirement 6.5.4 + Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 + + + Requirement 4.1, Requirement 6.5.4 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 + + + Requirement 4.1, Requirement 6.5.4 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 + + + Requirement 4.1, Requirement 6.5.4 + Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 + + + Requirement 4.1, Requirement 6.5.4 + Standards Mapping - 
Payment Card Industry Data Security Standard Version 3.2.1 + + + Requirement 4.2.1, Requirement 6.2.4 + Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 + + + Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography + Standards Mapping - Payment Card Industry Software Security Framework 1.0 + + + Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design + Standards Mapping - Payment Card Industry Software Security Framework 1.1 + + + Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications + Standards Mapping - Payment Card Industry Software Security Framework 1.2 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.1 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.10 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.4 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.5 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.6 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + Standards Mapping - Security Technical Implementation Guide Version 3.7 + + + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + Standards 
Mapping - Security Technical Implementation Guide Version 3.9 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.1 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.10 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.11 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.2 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.3 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.4 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.5 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, 
APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.6 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.7 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.8 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 4.9 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.1 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.2 + + + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + Standards Mapping - Security Technical Implementation Guide Version 5.3 + + + Information Leakage + Standards Mapping - Web Application Security Consortium 24 + 2 + + + Insufficient Transport Layer Protection (WASC-04) + Standards Mapping - Web Application Security Consortium Version 2.00 + + + + + + api/cart/index.js + 85 + 91 + + + 
+ api/orders/index.js + 121 + 127 + + + + api/user/index.js + 25 + 31 + + + + api/user/index.js + 47 + 53 + + + + api/user/index.js + 66 + 72 + + + + api/user/index.js + 89 + 95 + + + + api/user/index.js + 111 + 117 + + + + api/user/index.js + 180 + 186 + + + + api/user/index.js + 216 + 222 + + + + api/user/index.js + 237 + 243 + + + + api/user/index.js + 281 + 287 + + + + api/user/index.js + 302 + 308 + + + + public/basket.html + 64 + 114 + + +
+

Shopping cart

+

+
+ + + + + + + + + + + + + + + + + + +
ProductQuantityUnit priceDiscountTotal
Total
+ +
+ + + + + +
+ + + +]]>
+
+ + public/basket.html + 133 + 165 + Address + + + + +]]> + + + public/basket.html + 184 + 203 + Credit Card + + + + + + + +]]> + + + public/basket.html + 361 + 367 + + + + public/basket.html + 369 + 375 + \ + \ +]]> + + + public/basket.html + 372 + 378 + \ + \ + \ + \ + ' + data.namex + '\ +]]> + + + public/basket.html + 424 + 430 + + + + public/basket.html + 434 + 440 + + + + public/basket.html + 452 + 458 + + + + public/category.html + 72 + 87 + + +
+
+
+ +
+ Apply + + +
+ + + +]]> + + + public/category.html + 98 + 120 + +
+
+
+
+
+
+
+
+ Sort by + +
+
+
+
+ + +]]>
+
+ + public/category.html + 186 + 192 + + + + public/category.html + 219 + 225 + -1) { +]]> + + + public/category.html + 231 + 237 + \ +]]> + + + public/checkout1.html + 74 + 96 + Customer login + + + +]]> + + + public/checkout1.html + 502 + 625 + + +
+
+

Checkout

+
+ +
+
+
+
+ + +
+
+
+
+ + +
+
+
+ + +
+
+
+ + +
+
+
+
+ + +
+
+
+ + +
+
+
+ + +
+
+
+
+ + +
+
+
+
+ + +
+
+
+
+ + +
+
+ +
+
+ + +
+
+
+
+ + +
+
+ +
+ +
+ + +
+
+ + +]]> + + + public/checkout2.html + 74 + 96 + Customer login + + + +]]> + + + public/checkout2.html + 502 + 593 + + +
+
+

Checkout - Delivery method

+
+ +
+
+
+
+ +

USPS Next Day

+ +

Get it right on next day - fastest + option possible.

+ + +
+
+
+
+ +

USPS Next Day

+ +

Get it right on next day - fastest + option possible.

+ + +
+
+ +
+
+ +

USPS Next Day

+ +

Get it right on next day - fastest + option possible.

+ + +
+
+
+ + +
+ + + +
+
+ + +]]> + + + public/checkout3.html + 74 + 96 + Customer login + + + +]]> + + + public/checkout3.html + 502 + 590 + + +
+
+

Checkout - Payment method

+
+ +
+
+
+
+ +

Paypal

+ +

We like it all.

+ + +
+
+
+
+ +

Payment gateway

+ +

VISA and Mastercard only.

+ + +
+
+ +
+
+ +

Cash on delivery

+ +

You pay when you get it.

+ + +
+
+
+ + +
+ + + +
+
+ + +]]> + + + public/checkout4.html + 74 + 96 + Customer login + + + +]]> + + + public/checkout4.html + 502 + 595 + + +
+
+

Checkout - Order review

+
+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ProductQuantityUnit priceDiscountTotal
+ + White Blouse Armani + + White Blouse Armani + 2$123.00$0.00$246.00
+ + Black Blouse Armani + + Black Blouse Armani + 1$200.00$0.00$200.00
Total$446.00
+ +
+ +
+ + + +
+
+ + +]]> + + + public/customer-account.html + 74 + 96 + Customer login + + + +]]> + + + public/customer-account.html + 549 + 590 + Change password + +
+
+
+
+ + +
+
+
+
+
+
+ + +
+
+
+
+ + +
+
+
+ + +
+ +
+
+ +
+ +]]>
+
+ + public/customer-account.html + 589 + 683 + + +

Personal details

+
+
+
+
+ + +
+
+
+
+ + +
+
+
+ + +
+
+
+ + +
+
+
+
+ + +
+
+
+ + +
+
+
+ + +
+
+
+
+ + +
+
+
+
+ + +
+
+
+
+ + +
+
+ +
+
+ + +
+
+
+
+ + +
+
+
+ + +
+
+
+ + + +]]>
+
+ + public/customer-order.html + 202 + 208 + + + + public/customer-order.html + 214 + 220 + \ + \ +]]> + + + public/customer-orders.html + 163 + 169 + + $(document).ready(function () { + $.getJSON('/orders', {}, function (data) { + $.each(data, function (index, element) { + var selfRef = element._links.self.href; + var split = selfRef.split("/"); +]]> + + + public/customer-wishlist.html + 74 + 96 + Customer login + +
+ +]]> + + + public/detail.html + 200 + 206 + + + + public/detail.html + 218 + 224 + \ +]]> + + + public/footer.html + 100 + 106 + +
+ +
+]]> + + + public/footer.html + 104 + 111 + +
+

Template courtesy of Bootstrapious +

+
+
+]]> + + + public/index.html + 183 + 189 + + + + public/register.html + 74 + 96 + Customer login +
+ + +]]> + + + public/register.html + 515 + 540 + + +
+
+ + +
+
+ + +
+
+ + +
+
+ +
+
+ + + +]]>
+
+ + public/register.html + 552 + 573 + + +
+
+ + +
+
+ + +
+
+ +
+
+ + + +]]>
+
+ + public/topbar.html + 32 + 56 + + +
+
+ +
+
+ +
+ +

+ +

+ +
+ + + +]]>
+
+ + public/topbar.html + 73 + 112 + + +
+ +
+ + +
+
+ + +
+
+ + +
+
+ + +
+
+ + +
+

+ +

+ +
+ + + +]]>
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 23.1.1.0007 + + + 686C4B2F-0321-4025-B9F4-6E26094B4746 + RUL13242 + Fortify Secure Coding Rules, Community, Cloud + 2023.4.0.0006 + grifBOvdnj2E3X9X/Kb8RbEbxWGb1dCeFXM5/BhpZ6o= + + + 97b8b0e6-618b-47cf-a7fb-8636faea6b75 + RUL13240 + Fortify Secure Coding Rules, Community, Universal + 2023.4.0.0006 + k89RkA0Zdi0zxpTsp/NVaGeibKx6M8Cyo4vrYItDSWA= + + + BDACC98E-569C-4ECC-92AA-8DD890DF1287 + RUL13249 + Fortify Secure Coding Rules, Core, Cloud + 2023.4.0.0006 + f4BrD611XJ/rw1ZTJmoOSRwGYEcdBgSC4ZnxYEypDTM= + + + BD292C4E-4216-4DB8-96C7-9B607BFD9584 + RUL13059 + Fortify Secure Coding Rules, Core, JavaScript + 2023.4.0.0006 + kTo0BHUMxBIo7s1u+TrKPOVGQ+ZkzD8GjhPQbF+G5sg= + + + 88D39959-D322-499A-87F3-BC9E1193B07A + RUL13241 + Fortify Secure Coding Rules, Core, Universal + 2023.4.0.0006 + ZKUMnO//ibTAISpNzbarELfDTnubJlPX74rQo7HzHKE= + + + CD6959FC-0C37-45BE-9637-BAA43C3A4D56 + RUL13005 + Fortify Secure Coding Rules, Extended, Configuration + 2023.4.0.0006 + 3IpBM3vd6eIodh9tc98Sc5C76aQAglvNy+ej0z042eY= + + + 9C48678C-09B6-474D-B86D-97EE94D38F17 + RUL13067 + Fortify Secure Coding Rules, Extended, Content + 2023.4.0.0006 + 9diTkqYNtCn1mmBok8fnYTjpQblxTaafiGaFZr91kpg= + + + C4D1969E-B734-47D3-87D4-73962C1D32E2 + RUL13141 + Fortify Secure Coding Rules, Extended, JavaScript + 2023.4.0.0006 + vgDrjTAE/oV+qtLD5aPoOhM1BLrehrl6NaLwuwbyJ+Q= 
+ + + + + awt.toolkit + sun.awt.X11.XToolkit + + + idea.io.use.nio2 + true + + + java.specification.version + 11 + + + log4j.configurationFile + /opt/fortify/Core/config/log4j2.xml + + + log4j.isThreadContextMapInheritable + true + + + sun.cpu.isalist + + + + sun.jnu.encoding + ANSI_X3.4-1968 + + + java.class.path + /opt/fortify/Core/lib/exe/sca-exe.jar + + + java.vm.vendor + Azul Systems, Inc. + + + sun.arch.data.model + 64 + + + java.vendor.url + http://www.azul.com/ + + + user.timezone + Etc/UTC + + + psi.track.invalidation + true + + + idea.ignore.disabled.plugins + true + + + com.fortify.sca.LogFileNameNoExt + sca + + + os.name + Linux + + + java.vm.specification.version + 11 + + + user.country + US + + + sun.boot.library.path + /opt/fortify/jre/lib + + + sun.java.command + sourceanalyzer -Djava.awt.headless=true -Dcom.sun.management.jmxremote=true -XX:+UseParallelGC -XX:SoftRefLRUPolicyMSPerMB=3000 --illegal-access=permit --add-exports=jdk.management/com.sun.management.internal=ALL-UNNAMED --add-exports=jdk.scripting.nashorn/jdk.nashorn.internal.runtime=ALL-UNNAMED --add-exports=java.base/jdk.internal.misc=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/sun.security.jca=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.util.regex=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/javax.crypto=ALL-UNNAMED --add-opens=java.management/sun.management=ALL-UNNAMED -Dcom.fortify.sca.env.classpath= -Dcom.fortify.sca.env.exesearchpath=/opt/fortify/bin:/opt/fortifyApps/bin:/opt/CollabNet_Subversion/bin:/home/ci/HP_Fortify/Fortify_SCA_and_Apps/bin:/home/jenkins:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -Dcom.fortify.sca.ProjectRoot=/opt/fortify/.fortify -Dstdout.isatty=false 
-Dstderr.isatty=false -Dcom.fortify.sca.PID=122 -Xmx1337M -Dcom.fortify.TotalPhysicalMemory=168991629312 -Xss16M -Dcom.fortify.sca.JVMArgs=-XX:+UseParallelGC -XX:SoftRefLRUPolicyMSPerMB=3000 --illegal-access=permit --add-exports=jdk.management/com.sun.management.internal=ALL-UNNAMED --add-exports=jdk.scripting.nashorn/jdk.nashorn.internal.runtime=ALL-UNNAMED --add-exports=java.base/jdk.internal.misc=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/sun.security.jca=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.util.regex=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/javax.crypto=ALL-UNNAMED --add-opens=java.management/sun.management=ALL-UNNAMED -Xmx1337M -Xss16M -Djava.class.path=/opt/fortify/Core/lib/exe/sca-exe.jar -b front_end_20240220_629_9_1361_6018341 -scan -f fortify_sast_front_end_20240220_629_9_1361_6018341.fpr -build-project front_end_20240220_629_9_1361_6018341 -build-version front_end_20240220_629_9_1361_6018341 -filter fortify_filter.txt + + + com.sun.management.jmxremote + true + + + jdk.debug + release + + + sun.cpu.endian + little + + + user.home + /opt/fortify + + + user.language + en + + + java.specification.vendor + Oracle Corporation + + + com.fortify.sca.LogFileDir + /opt/fortify/.fortify/sca23.1/log + + + java.version.date + 2023-01-17 + + + java.home + /opt/fortify/jre + + + idea.plugins.compatible.build + 999.SNAPSHOT + + + file.separator + / + + + java.vm.compressedOopsMode + 32-bit + + + line.separator + + + + + java.specification.name + Java Platform API Specification + + + java.vm.specification.vendor + Oracle Corporation + + + jdk.vendor.version + Zulu11.62+17-CA + + + java.awt.graphicsenv + sun.awt.X11GraphicsEnvironment + + + java.awt.headless + true + + + 
com.fortify.sca.JVMArgs + -XX:+UseParallelGC -XX:SoftRefLRUPolicyMSPerMB=3000 --illegal-access=permit --add-exports=jdk.management/com.sun.management.internal=ALL-UNNAMED --add-exports=jdk.scripting.nashorn/jdk.nashorn.internal.runtime=ALL-UNNAMED --add-exports=java.base/jdk.internal.misc=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/sun.security.jca=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.util.regex=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/javax.crypto=ALL-UNNAMED --add-opens=java.management/sun.management=ALL-UNNAMED -Xmx1337M -Xss16M + + + stdout.isatty + false + + + com.fortify.sca.PID + 122 + + + sun.management.compiler + HotSpot 64-Bit Tiered Compilers + + + java.runtime.version + 11.0.18+10-LTS + + + user.name + 1000 + + + com.fortify.sca.LogFileName + sca.log + + + path.separator + : + + + com.fortify.sca.AppendLogFile + true + + + os.version + 4.18.0-372.85.1.el8_6.x86_64 + + + com.fortify.sca.env.classpath + + + + com.fortify.InstallRoot + /opt/fortify + + + com.fortify.sca.LogFilePath + /opt/fortify/.fortify/sca23.1/log/sca.log + + + java.runtime.name + OpenJDK Runtime Environment + + + file.encoding + ANSI_X3.4-1968 + + + com.fortify.sca.LogFileExt + .log + + + project.structure.add.tools.jar.to.new.jdk + false + + + psi.incremental.reparse.depth.limit + 1000 + + + com.fortify.sca.LogFile + /opt/fortify/.fortify/sca23.1/log/sca + + + java.vm.name + OpenJDK 64-Bit Server VM + + + stderr.isatty + false + + + java.vendor.version + Zulu11.62+17-CA + + + java.vendor.url.bug + http://www.azul.com/support/ + + + java.io.tmpdir + /tmp + + + com.fortify.sca.env.exesearchpath + 
/opt/fortify/bin:/opt/fortifyApps/bin:/opt/CollabNet_Subversion/bin:/home/ci/HP_Fortify/Fortify_SCA_and_Apps/bin:/home/jenkins:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + + + java.version + 11.0.18 + + + user.dir + /var/lib/jenkins/workspace/SDM_SockShop_front-end_master + + + ide.hide.excluded.files + false + + + os.arch + amd64 + + + com.fortify.sca.LogLevel + INFO + + + java.vm.specification.name + Java Virtual Machine Specification + + + java.awt.printerjob + sun.print.PSPrinterJob + + + sun.os.patch.level + unknown + + + com.fortify.TotalPhysicalMemory + 168991629312 + + + java.library.path + /usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib + + + java.vm.info + mixed mode + + + java.vendor + Azul Systems, Inc. + + + java.vm.version + 11.0.18+10-LTS + + + java.rmi.server.randomIDs + true + + + sun.io.unicode.encoding + UnicodeLittle + + + java.class.version + 55.0 + + + com.fortify.sca.ProjectRoot + /opt/fortify/.fortify + + + ast.loading.filter + false + + + + + max.file.path.length + 255 + + + com.fortify.search.defaultSyntaxVer + 2 + + + com.fortify.log.console + false + + + com.fortify.SCAExecutablePath + /opt/fortify/../SCA/bin + + + com.fortify.AuthenticationKey + /opt/fortify/.fortify/config/tools + + + com.fortify.InstallationUserName + 1000 + + + com.fortify.WorkingDirectory + /opt/fortify/.fortify + + + com.fortify.Core + /opt/fortify/Core + + + com.fortify.VS.RequireASPPrecompilation + true + + + com.fortify.locale + en + + + + + com.fortify.sca.fileextensions.ini + JAVA_PROPERTIES + + + com.fortify.sca.skip.libraries.jQuery + jquery.js,jquery.min.js,jquery-migrate.js,jquery-migrate.min.js,jquery-ui.js,jquery-ui.min.js,jquery.mobile.js,jquery.mobile.min.js,jquery.color.js,jquery.color.min.js,jquery.color.svg-names.js,jquery.color.svg-names.min.js,jquery.color.plus-names.js,jquery.color.plus-names.min.js,jquery.tools.min.js + + + com.fortify.sca.compilers.gcc4* + com.fortify.sca.util.compilers.GccCompiler + + + 
com.fortify.sca.LowSeverityCutoff + 1.0 + + + com.fortify.sca.skip.libraries.javascript + bootstrap.js,bootstrap.min.js,typescript.js,typescriptServices.js + + + com.fortify.sca.fileextensions.page + VISUAL_FORCE + + + com.fortify.sca.fileextensions.pks + PLSQL + + + com.fortify.sca.fileextensions.yml + YAML + + + com.fortify.sca.fileextensions.mxml + MXML + + + com.fortify.sca.fileextensions.tsx + TYPESCRIPT + + + com.fortify.sca.fileextensions.yaml + YAML + + + com.fortify.sca.fileextensions.js + TYPESCRIPT + + + com.fortify.sca.fileextensions.faces + JSPX + + + com.fortify.sca.fileextensions.csdef + XML + + + com.fortify.sca.fileextensions.phtml + PHP + + + com.fortify.sca.CollectPerformanceData + true + + + com.fortify.sca.compilers.cc + com.fortify.sca.util.compilers.GccCompiler + + + com.fortify.sca.compilers.gradle + com.fortify.sca.util.compilers.GradleAdapter + + + com.fortify.sca.skip.libraries.ES6 + es6-shim.min.js,system-polyfills.js,shims_for_IE.js + + + com.fortify.sca.DisableFunctionPointers + false + + + com.fortify.sca.fileextensions.kt + KOTLIN + + + com.fortify.sca.fileextensions.xmi + XML + + + com.fortify.sca.fileextensions.bas + VB6 + + + com.fortify.sca.PHPv2 + false + + + com.fortify.sca.dart.SDK + /opt/fortify/Core/dart/sdk/dart-sdk/ + + + com.fortify.sca.fileextensions.master + ASPNET + + + com.fortify.sca.alias.mode.typescript + fi + + + com.fortify.sca.fileextensions.wadcfg + XML + + + com.fortify.sca.ApexVersion + 57 + + + com.fortify.sca.fileextensions.ashx + ASPNET + + + com.fortify.sca.fileextensions.wsdd + XML + + + com.fortify.sca.fileextensions.cshtml + ASPNET + + + com.fortify.sca.fileextensions.settings + XML + + + com.fortify.sca.compilers.g++ + com.fortify.sca.util.compilers.GppCompiler + + + com.fortify.sca.fileextensions.wsdl + XML + + + com.fortify.sca.fileextensions.tag + JSP + + + com.fortify.sca.fileextensions.cpx + XML + + + com.fortify.sca.fileextensions.mts + TYPESCRIPT + + + com.fortify.sca.compilers.jam + 
com.fortify.sca.util.compilers.TouchlessCompiler + + + com.fortify.sca.NoNestedOutTagOutput + org.apache.taglibs.standard.tag.rt.core.RemoveTag,org.apache.taglibs.standard.tag.rt.core.SetTag + + + com.fortify.sca.PHPVersion + 7.4 + + + com.fortify.sca.BuildVersion + front_end_20240220_629_9_1361_6018341 + + + com.fortify.sca.EnableNestedWrappers + true + + + com.fortify.sca.PrintPerformanceDataAfterScan + false + + + com.fortify.sca.compilers.mvn + com.fortify.sca.util.compilers.MavenAdapter + + + com.fortify.sca.compilers.ant + com.fortify.sca.util.compilers.AntAdapter + + + com.fortify.sca.lim.RequireTrustedSSLCert + true + + + com.fortify.sca.compilers.ar + com.fortify.sca.util.compilers.ArUtil + + + com.fortify.sca.ResultsFile + fortify_sast_front_end_20240220_629_9_1361_6018341.fpr + + + com.fortify.sca.fileextensions.pkh + PLSQL + + + com.fortify.sca.fileextensions.sql + SQL + + + com.fortify.sca.fileextensions.pkb + PLSQL + + + com.fortify.sca.ProjectRoot + /opt/fortify/.fortify + + + com.fortify.sca.fileextensions.abap + ABAP + + + com.fortify.sca.alias.mode.scala + fi + + + com.fortify.sca.RequireMapKeys + jsp_static + + + com.fortify.sca.BuildProject + front_end_20240220_629_9_1361_6018341 + + + com.fortify.sca.SuppressLowSeverity + true + + + com.fortify.sca.DefaultRulesDir + /opt/fortify/Core/config/rules + + + com.fortify.sca.fileextensions.axml + ASPNET + + + com.fortify.sca.jsp.UseNativeParser + true + + + com.fortify.sca.fileextensions.java + JAVA + + + com.fortify.sca.EnableInterproceduralConstantResolution + true + + + com.fortify.sca.FVDLDisableProgramData + false + + + com.fortify.sca.alias.mode.csharp + fs + + + com.fortify.sca.fileextensions.ascx + ASPNET + + + com.fortify.sca.AntCompilerClass + com.fortify.dev.ant.SCACompiler + + + com.fortify.sca.fileextensions.tagx + JSP + + + com.fortify.sca.fileextensions.vbhtml + ASPNET + + + com.fortify.sca.analyzer.controlflow.EnableLivenessOptimization + false + + + com.fortify.sca.compilers.javac + 
com.fortify.sca.util.compilers.JavacCompiler + + + com.fortify.sca.fileextensions.vue + VUE + + + com.fortify.sca.fileextensions.php + PHP + + + com.fortify.sca.fileextensions.Master + ASPNET + + + com.fortify.sca.fileextensions.xaml + ASPNET + + + com.fortify.sca.compilers.make + com.fortify.sca.util.compilers.TouchlessCompiler + + + com.fortify.sca.ThreadCount.NameTableLoading + 1 + + + com.fortify.sca.GoTranslator + /opt/fortify/Core/private-bin/sca/golang/golang + + + com.fortify.sca.fileextensions.cscfg + XML + + + com.fortify.sca.compilers.icc + com.fortify.sca.util.compilers.IntelCompiler + + + com.fortify.sca.JdkVersion + 1.8 + + + com.fortify.sca.fileextensions.frm + VB6 + + + com.fortify.sca.fileextensions.jsff + JSPX + + + com.fortify.sca.CustomRulesDir + /opt/fortify/Core/config/customrules + + + com.fortify.sca.PythonVersion + 2 + + + com.fortify.sca.skip.libraries.AngularJS + angular.js,angular.min.js,angular-animate.js,angular-aria.js,angular_1_router.js,angular-cookies.js,angular-message-format.js,angular-messages.js,angular-mocks.js,angular-parse-ext.js,angular-resource.js,angular-route.js,angular-sanitize.js,angular-touch.js + + + com.fortify.sca.fileextensions.appxmanifest + XML + + + com.fortify.sca.compilers.scalac + com.fortify.sca.util.compilers.ScalacCompiler + + + com.fortify.sca.fileextensions.cls + VB6 + + + com.fortify.sca.OldVbNetExcludeFileTypes + vb,asax,ascx,ashx,asmx,aspx,xaml,cshtml,vbhtml + + + com.fortify.sca.compilers.g++4* + com.fortify.sca.util.compilers.GppCompiler + + + com.fortify.sca.compilers.armcpp + com.fortify.sca.util.compilers.ArmCppCompiler + + + com.fortify.sca.fileextensions.Dockerfile + DOCKERFILE + + + com.fortify.sca.fileextensions.asax + ASPNET + + + com.fortify.sca.fileextensions.scala + SCALA + + + CA.EnableFineGrainedMergingProfiling + true + + + com.fortify.sca.DisableGlobals + false + + + com.fortify.sca.DeadCodeFilter + true + + + com.fortify.sca.fileextensions.ABAP + ABAP + + + 
com.fortify.sca.fileextensions.erb + RUBY_ERB + + + CA.EnableMergingProfiling + true + + + com.fortify.sca.BuildID + front_end_20240220_629_9_1361_6018341 + + + com.fortify.sca.DisableDeadCodeElimination + false + + + com.fortify.sca.fileextensions.properties + JAVA_PROPERTIES + + + com.fortify.sca.fileextensions.vbs + VBSCRIPT + + + com.fortify.sca.BundleControlflowIssues + true + + + com.fortify.sca.JavaSourcepathSearch + true + + + com.fortify.sca.compilers.g++3* + com.fortify.sca.util.compilers.GppCompiler + + + com.fortify.sca.fileextensions.razor + ASPNET + + + com.fortify.sca.fileextensions.htm + HTML + + + com.fortify.sca.FVDLStylesheet + /opt/fortify/Core/resources/sca/fvdl2html.xsl + + + com.fortify.sca.BuildOptions + -b front_end_20240220_629_9_1361_6018341 -debug-verbose -logfile fortify_sast_front_end_20240220_629_9_1361_6018341.log -version -Dcom.fortify.sca.DISabledLanguages=python -Dcom.fortify.sca.follow.imports=false -Dcom.fortify.sca.exclude=node_modules/**/* -exclude src/test src/api src/config.js src/helpers src/nyc.config.js src/public src/server.js src/test + + + com.fortify.sca.Phase0HigherOrder.Level + 1 + + + com.fortify.sca.fileextensions.dockerfile + DOCKERFILE + + + com.fortify.sca.Phase0HigherOrder.Languages + python,ruby,swift,javascript,typescript + + + com.fortify.sca.fileextensions.config + XML + + + com.fortify.sca.fileextensions.tld + TLD + + + com.fortify.sca.fileextensions.cjs + TYPESCRIPT + + + com.fortify.sca.EnableStructuralMatchCache + true + + + com.fortify.sca.compilers.g++2* + com.fortify.sca.util.compilers.GppCompiler + + + com.fortify.sca.fileextensions.ts + TYPESCRIPT + + + com.fortify.sca.DisableInferredConstants + false + + + com.fortify.sca.compilers.gmake + com.fortify.sca.util.compilers.TouchlessCompiler + + + com.fortify.sca.DeadCodeIgnoreTrivialPredicates + true + + + com.fortify.sca.fileextensions.html + HTML + + + com.fortify.sca.fileextensions.aspx + ASPNET + + + com.fortify.sca.fileextensions.cs + CSHARP + 
+ + com.fortify.sca.fileextensions.tf + HCL + + + com.fortify.sca.FilterFile + fortify_filter.txt + + + com.fortify.sca.compilers.ld + com.fortify.sca.util.compilers.LdCompiler + + + com.fortify.sca.analyzer.controlflow.EnableRefRuleOptimization + false + + + com.fortify.sca.DaemonCompilers + com.fortify.sca.util.compilers.GppCompiler,com.fortify.sca.util.compilers.GccCompiler,com.fortify.sca.util.compilers.AppleGppCompiler,com.fortify.sca.util.compilers.AppleGccCompiler,com.fortify.sca.util.compilers.MicrosoftCompiler,com.fortify.sca.util.compilers.MicrosoftLinker,com.fortify.sca.util.compilers.LdCompiler,com.fortify.sca.util.compilers.ArUtil,com.fortify.sca.util.compilers.SunCCompiler,com.fortify.sca.util.compilers.SunCppCompiler,com.fortify.sca.util.compilers.IntelCompiler,com.fortify.sca.util.compilers.ExternalCppAdapter,com.fortify.sca.util.compilers.ClangCompiler + + + com.fortify.sca.alias.mode.swift + fs + + + com.fortify.sca.UniversalBlacklist + .*yyparse.* + + + com.fortify.sca.compilers.gcc + com.fortify.sca.util.compilers.GccCompiler + + + com.fortify.sca.IndirectCallGraphBuilders + WinFormsAdHocFunctionBuilder,VirtualCGBuilder,J2EEIndirectCGBuilder,JNICGBuilder,StoredProcedureResolver,JavaWSCGBuilder,StrutsCGBuilder,DotNetWSCGBuilder,SqlServerSPResolver,ASPCGBuilder,ScriptedCGBuilder,NewJspCustomTagCGBuilder,DotNetCABCGBuilder,StateInjectionCGBuilder,SqlServerSPResolver2,PHPLambdaResolver,JavaWebCGBuilder + + + com.fortify.sca.analyzer.controlflow.EnableTimeOut + true + + + com.fortify.sca.compilers.c++ + com.fortify.sca.util.compilers.GppCompiler + + + com.fortify.sca.fileextensions.py + PYTHON + + + com.fortify.sca.fileextensions.asmx + ASPNET + + + com.fortify.sca.compilers.icpc + com.fortify.sca.util.compilers.IntelCompiler + + + com.fortify.sca.DefaultJarsDirs + default_jars + + + com.fortify.sca.compilers.gcc-* + com.fortify.sca.util.compilers.GccCompiler + + + com.fortify.sca.SolverTimeout + 15 + + + WinForms.CollectionMutationMonitor.Label + 
WinFormsDataSource + + + com.fortify.sca.compilers.touchless + com.fortify.sca.util.compilers.FortifyCompiler + + + com.fortify.sca.FVDLDisableSnippets + false + + + com.fortify.sca.TypeInferenceFunctionTimeout + 60 + + + com.fortify.sca.fileextensions.plist + XML + + + com.fortify.sca.APEXv2 + false + + + com.fortify.sca.compilers.tcpp + com.fortify.sca.util.compilers.ArmCppCompiler + + + com.fortify.sca.fileextensions.dart + DART + + + com.fortify.sca.AddImpliedMethods + true + + + com.fortify.sca.fileextensions.hcl + HCL + + + com.fortify.sca.TypeInferencePhase0Timeout + 300 + + + com.fortify.sca.fileextensions.rb + RUBY + + + com.fortify.sca.fileextensions.as + ACTIONSCRIPT + + + com.fortify.sca.compilers.clearmake + com.fortify.sca.util.compilers.TouchlessCompiler + + + com.fortify.sca.fileextensions.xsd + XML + + + com.fortify.sca.PythonV2 + false + + + com.fortify.sca.alias.mode.vb + fs + + + com.fortify.sca.dart.Enable + true + + + com.fortify.sca.fileextensions.jspx + JSPX + + + CA.EnableMachineProfiling + false + + + com.fortify.sca.fileextensions.cfc + CFML + + + com.fortify.sca.fileextensions.xhtml + JSPX + + + com.fortify.sca.AspnetTranslatorDotnet + /opt/fortify/Core/private-bin/sca/dotnet/aspnet-translator/Dotnet/aspcodegen + + + com.fortify.sca.ScaMSBuildDotnetTargets + /opt/fortify/Core/private-bin/sca/MSBuildPlugin/Dotnet/Fortify.targets + + + com.fortify.sca.analyzer.controlflow.EnableMachineFiltering + false + + + com.fortify.sca.fileextensions.go + GO + + + com.fortify.sca.MultithreadedAnalysis + true + + + com.fortify.sca.alias.mode.javascript + fi + + + com.fortify.sca.fileextensions.mjs + TYPESCRIPT + + + com.fortify.sca.fileextensions.trigger + APEX_TRIGGER + + + com.fortify.sca.parser.python.ignore.module.8 + test.badsyntax_nocaret + + + com.fortify.sca.compilers.dotnet + com.fortify.sca.util.compilers.DotnetAdapter + + + com.fortify.sca.parser.python.ignore.module.6 + test.badsyntax_future8 + + + 
com.fortify.sca.parser.python.ignore.module.7 + test.badsyntax_future9 + + + com.fortify.sca.parser.python.ignore.module.4 + test.badsyntax_future6 + + + com.fortify.sca.parser.python.ignore.module.5 + test.badsyntax_future7 + + + com.fortify.sca.fileextensions.conf + HOCON + + + com.fortify.sca.SqlLanguage + PLSQL + + + com.fortify.sca.parser.python.ignore.module.2 + test.badsyntax_future4 + + + com.fortify.sca.parser.python.ignore.module.3 + test.badsyntax_future5 + + + com.fortify.sca.fileextensions.cfm + CFML + + + com.fortify.sca.compilers.tcc + com.fortify.sca.util.compilers.ArmCcCompiler + + + com.fortify.sca.parser.python.ignore.module.1 + test.badsyntax_future3 + + + com.fortify.sca.compilers.fortify + com.fortify.sca.util.compilers.FortifyCompiler + + + com.fortify.sca.fileextensions.asp + ASP + + + com.fortify.sca.EnableWrapperDetection + true + + + com.fortify.sca.DefaultAnalyzers + semantic:dataflow:controlflow:nullptr:configuration:content:structural:buffer + + + com.fortify.sca.FVDLDisableDescriptions + false + + + com.fortify.sca.DisableCFRules + 19EF0414-88CD-4882-82FC-BF3A89865666,4E28CEFE-1B94-4711-BF5A-EDA5D1B3E6BF,A2D33B21-FE55-4C53-86C6-2AB5BF343738,7F4CC818-7525-440B-9C68-02267A80179A,7F80BA1C-82E9-4F2A-BBB4-ADFDFB27B215,E650C773-2BB6-42AA-BC29-370AAF0C53ED + + + com.fortify.sca.DotnetTranslator + /opt/fortify/Core/private-bin/sca/dotnet/dotnet-translator/dotnet-translator + + + com.fortify.sca.fileextensions.swift + SWIFT + + + com.fortify.sca.compilers.g++-* + com.fortify.sca.util.compilers.GppCompiler + + + com.fortify.sca.fileextensions.cfml + CFML + + + com.fortify.sca.skip.libraries.typescript + typescript.d.ts,typescriptServices.d.ts + + + com.fortify.sca.dart.Translator + /opt/fortify/Core/private-bin/sca/dart/dart2nst.exe + + + com.fortify.sca.fileextensions.BSP + ABAP + + + com.fortify.sca.fileextensions.ctp + PHP + + + com.fortify.sca.fileextensions.cts + TYPESCRIPT + + + com.fortify.sca.compilers.gcc2* + 
com.fortify.sca.util.compilers.GccCompiler + + + com.fortify.sca.compilers.gradlew + com.fortify.sca.util.compilers.GradleAdapter + + + com.fortify.sca.fileextensions.ctl + VB6 + + + com.fortify.sca.fileextensions.xml + XML + + + com.fortify.sca.fileextensions.wadcfgx + XML + + + com.fortify.sca.fileextensions.vbscript + VBSCRIPT + + + com.fortify.sca.compilers.armcc + com.fortify.sca.util.compilers.ArmCcCompiler + + + com.fortify.sca.fileextensions.object + APEX_OBJECT + + + com.fortify.sca.fileextensions.json + JSON + + + com.fortify.sca.UnicodeInputFile + true + + + com.fortify.sca.fileextensions.Config + XML + + + com.fortify.sca.fileextensions.kts + KOTLIN + + + com.fortify.sca.fileextensions.bsp + ABAP + + + com.fortify.sca.compilers.gcc3* + com.fortify.sca.util.compilers.GccCompiler + + + com.fortify.sca.TypeInferenceLanguages + javascript,typescript,python,ruby + + + com.fortify.sca.fileextensions.xcfg + XML + + + com.fortify.sca.fileextensions.vb + VB + + + com.fortify.sca.DefaultFileTypes + java,rb,erb,jsp,jspx,jspf,tag,tagx,tld,sql,cfm,php,phtml,ctp,pks,pkh,pkb,xml,config,Config,settings,properties,dll,exe,winmd,cs,vb,asax,ascx,ashx,asmx,aspx,master,Master,xaml,baml,cshtml,vbhtml,razor,inc,asp,vbscript,js,mjs,cjs,jsx,ini,bas,cls,vbs,frm,ctl,html,htm,xsd,wsdd,xmi,py,cfml,cfc,abap,xhtml,cpx,xcfg,jsff,as,mxml,cbl,cob,cscfg,csdef,wadcfg,wadcfgx,appxmanifest,wsdl,plist,bsp,ABAP,BSP,swift,page,trigger,scala,ts,mts,cts,tsx,conf,json,yaml,yml,tf,hcl,go,kt,kts,Dockerfile,dockerfile,vue + + + com.fortify.sca.fileextensions.jsx + TYPESCRIPT + + + com.fortify.sca.fileextensions.jsp + JSP + + + com.fortify.sca.fileextensions.jspf + JSP + + + + -b + front_end_20240220_629_9_1361_6018341 + -scan + -f + fortify_sast_front_end_20240220_629_9_1361_6018341.fpr + -build-project + front_end_20240220_629_9_1361_6018341 + -build-version + front_end_20240220_629_9_1361_6018341 + -filter + fortify_filter.txt + + + + sdm-sockshop-front-end-master-1361-vrwrb-xt84v-1k82m + 1000 + 
Linux + + + + + + JavaScript jQuery + Access Violation + SC-23 Session Authenticity (P1) + SC-23 Session Authenticity + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + CCI-001310, CCI-001941, CCI-001942 + CWE ID 352 + 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3) + None + None + None + A5 Cross Site Request Forgery (CSRF) + A5 Cross-Site Request Forgery (CSRF) + A8 Cross-Site Request Forgery (CSRF) + None + A01 Broken Access Control + None + M5 Poor Authorization and Authentication + M3 Insecure Authentication/Authorization + None + Insecure Interaction - CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + None + None + Requirement 6.5.5 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.2.4 + Control Objective 5.4 - Authentication and Access Control + Control Objective 5.4 - Authentication and Access Control + Control Objective 
5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + Cross-Site Request Forgery + Cross-Site Request Forgery (WASC-09) + Insecure Interaction - CWE ID 352 + Insecure Interaction - CWE ID 352 + None + 1.0 + 2.0 + 2.0 + security + Integrity + Complete + Complete + None + 12.0 + broad + + + + + JavaScript Core + Access Violation + SC-23 Session Authenticity (P1) + SC-23 Session Authenticity + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + CCI-001310, CCI-001941, CCI-001942 + CWE ID 352 + 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3) + None + None + None + A5 Cross Site Request Forgery (CSRF) + A5 Cross-Site Request Forgery (CSRF) + A8 Cross-Site Request Forgery (CSRF) + None + A01 Broken Access Control + None + M5 Poor Authorization and Authentication + M3 Insecure 
Authentication/Authorization + None + Insecure Interaction - CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + None + None + Requirement 6.5.5 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.2.4 + Control Objective 5.4 - Authentication and Access Control + Control Objective 5.4 - Authentication and Access Control + Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + Cross-Site Request Forgery + Cross-Site Request Forgery (WASC-09) + Insecure Interaction - CWE ID 352 + Insecure Interaction - CWE ID 352 + None + 1.0 + 2.0 + 2.0 + security + Integrity + Complete + Complete + None + 12.0 + broad + + + + + Content Core + Access Violation + SC-23 Session Authenticity (P1) + SC-23 Session Authenticity + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + CCI-001310, 
CCI-001941, CCI-001942 + CWE ID 352 + 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3) + None + None + None + A5 Cross Site Request Forgery (CSRF) + A5 Cross-Site Request Forgery (CSRF) + A8 Cross-Site Request Forgery (CSRF) + None + A01 Broken Access Control + None + M5 Poor Authorization and Authentication + M3 Insecure Authentication/Authorization + None + Insecure Interaction - CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + None + None + Requirement 6.5.5 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.2.4 + Control Objective 5.4 - Authentication and Access Control + Control Objective 5.4 - Authentication and Access Control + Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + Cross-Site Request Forgery + Cross-Site Request Forgery (WASC-09) + Insecure Interaction - CWE ID 352 + Insecure Interaction - CWE ID 352 + None + 1.0 + 2.0 + 2.0 + security + Integrity + Complete + Complete + None + 12.0 + broad + + + + + Content Core + None + None + None + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + APSC-DV-002485 CAT I + CCI-002420 + CWE ID 472 + None + None + None + None + None + None + None + None + A04 Insecure Design + None + M4 Unintended Data Leakage + None + MASVS-STORAGE-2 + Risky Resource Management - CWE ID 642 + None + None + None + None + None + None + None + None + None + None + None + None + None + 
None + None + None + None + APP3610 CAT I + APP3610 CAT I + APP3610 CAT I + APP3610 CAT I + APP3610 CAT I + APP3610 CAT I + APP3610 CAT I + Information Leakage + Information Leakage (WASC-13) + None + None + None + 5.0 + 1.0 + 1.0 + security + Confidentiality + Partial + None + None + 4.0 + broad + + + + + JavaScript Express JS + Insufficient Data Protection + SC-8 Transmission Confidentiality and Integrity (P1) + SC-8 Transmission Confidentiality and Integrity + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-002220 CAT II, 
APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + CCI-001184, CCI-002418, CCI-002420, CCI-002421, CCI-002422 + CWE ID 614 + 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 3.2.3 Session Binding Requirements (L1 L2 L3), 3.4.1 Cookie-based Session Management (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3) + None + None + A10 Insecure Configuration Management + A9 Insecure Communications + A9 Insufficient Transport Layer Protection + A6 Sensitive Data Exposure + A3 Sensitive Data Exposure + A05 Security Misconfiguration + API8 Security Misconfiguration + M4 Unintended Data Leakage + M8 Security Misconfiguration + None + None + None + None + None + None + None + CM, SC + Requirement 4.1, Requirement 6.5.3 + Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.7, Requirement 6.5.9 + Requirement 4.1, Requirement 6.5.4 + Requirement 4.1, Requirement 6.5.4, Requirement 6.5.10 + Requirement 4.1, Requirement 6.5.4, Requirement 6.5.10 + Requirement 4.1, Requirement 6.5.4, Requirement 6.5.10 + Requirement 4.1, Requirement 6.5.4, Requirement 6.5.10 + Requirement 4.2.1, Requirement 6.2.4 + Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography + Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography + Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, 
APP3250.4 CAT II, APP3260 CAT II + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II + Insufficient Authentication + Insufficient Transport Layer Protection (WASC-04) + None + None + None + 3.1 + 2.0 + 2.0 + security + Confidentiality + Complete + None + None + 2.0 + broad + + + + + JavaScript Express JS + Access Violation + SC-23 Session Authenticity (P1) + SC-23 Session Authenticity + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II + CCI-001310, CCI-001941, CCI-001942 + CWE ID 352 + 3.4.3 Cookie-based Session Management (L1 L2 L3) + None + None + None + A5 Cross Site Request Forgery (CSRF) + A5 Cross-Site Request Forgery (CSRF) + A8 Cross-Site Request Forgery (CSRF) + None + A01 Broken Access Control + None + M5 Poor Authorization and Authentication + M3 Insecure Authentication/Authorization + None + Insecure Interaction - CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + [9] CWE ID 352 + None + None + Requirement 6.5.5 + Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.5.9 + 
Requirement 6.5.9 + Requirement 6.5.9 + Requirement 6.2.4 + Control Objective 5.4 - Authentication and Access Control + Control Objective 5.4 - Authentication and Access Control + Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + APP3585 CAT II + Cross-Site Request Forgery + Cross-Site Request Forgery (WASC-09) + Insecure Interaction - CWE ID 352 + Insecure Interaction - CWE ID 352 + None + 1.0 + 2.0 + 2.0 + security + Integrity + Complete + Complete + None + 1.0 + broad + + + + + Content Core + Insufficient Data Protection + SC-8 Transmission Confidentiality and Integrity (P1) + SC-8 Transmission Confidentiality and Integrity + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT 
II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II + CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123 + CWE ID 297 + 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 
Server Communications Security Requirements (L2 L3) + None + None + A3 Broken Authentication and Session Management + A9 Insecure Communications + A9 Insufficient Transport Layer Protection + A6 Sensitive Data Exposure + A3 Sensitive Data Exposure + A05 Security Misconfiguration + API10 Unsafe Consumption of APIs + M3 Insufficient Transport Layer Protection + M5 Insecure Communication + MASVS-NETWORK-1, MASVS-PLATFORM-2 + None + [13] CWE ID 287, [25] CWE ID 295 + [14] CWE ID 287 + [14] CWE ID 287 + [14] CWE ID 287 + [13] CWE ID 287 + CM, SC + Requirement 4.1, Requirement 6.5.10 + Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9 + Requirement 4.1, Requirement 6.5.4 + Requirement 4.1, Requirement 6.5.4 + Requirement 4.1, Requirement 6.5.4 + Requirement 4.1, Requirement 6.5.4 + Requirement 4.1, Requirement 6.5.4 + Requirement 4.2.1, Requirement 6.2.4 + Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography + Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design + Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II + Information Leakage + Insufficient 
Transport Layer Protection (WASC-04) + None + None + None + 5.0 + 2.0 + 5.0 + security + Confidentiality + Partial + None + None + 1.0 + broad + + + + + + owner + DHL Information Services (Europe) s.r.o. + + + License Description + 10 scanning users 2134196974 + + + Subscription ID + Sb15cce9f-b9fc-4426-b79f-0063d5c50dad + + + License ID + La4dcb72d-bad0-49af-a2dd-0fdafb43035a + + + Created On + 2021-08-03 05:56:18.0 + + + SCA-ColdFusion-Support + 2032-12-31 + + + Runtime-Interface-WIRT + 2032-12-31 + + + AuditWorkbench + 2032-12-31 + + + SCA-ABAP-Support + 2032-12-31 + + + F360-CollabModule + 2032-12-31 + + + RulePackUpdate + 2121-08-03 + + lid + La4dcb72d-bad0-49af-a2dd-0fdafb43035a + + + + Runtime-Interface-CEF + 2032-12-31 + + + SCA-Analysis + 2032-12-31 + + + F360-Server + 2032-12-31 + + + JDeveloperPlugins + 2032-12-31 + + + SCA-COBOL-Support + 2032-12-31 + + + SCA-Python-Support + 2032-12-31 + + + Runtime-Option-EnableActions + 2032-12-31 + + + EclipsePlugins + 2032-12-31 + + + Enterprise-Reporting + 2032-12-31 + + + VSPlugins + 2032-12-31 + + + +
diff --git a/unittests/scans/fortify/many_findings.fpr b/unittests/scans/fortify/many_findings.fpr new file mode 100644 index 0000000000000000000000000000000000000000..016d0a61878addeb179b12a59ec76323f81b4d8f GIT binary patch literal 2042533 zcmZs?Wl$x-vNek9;O_2jgTvtN?(Xh7xH}tn*aI7f!5s#7cXxLf+`c*I-gxhec(0>l z^@^L0zTt13HFSq>5k6ATUx4orekT^sEGIuQPG6AyD6cV~OTfBhJ@xzB zGd*jg*+R@brAl}o4wDT;0SBK{eUqb)|J0Ns&kSWd0k(`YoN{%(&UIebt>N5OpCvXJ zI;jZyyFEZOQqM8u2N?syd3jZZf4$+y>3AWF|KqRU=FZo7<9cFZVs(czA*`2@iZ_n1uUXF`66|H!+YUm7fgBn0J-r=nAF>8vGqZBp-IF4;6`)E&IRT zKS*T;r5e_6XGy3-^#U(oehT|i*wwDROh12gkT8)s1Q!nyIF->?)UMqOZXjKU6tQUU zn&b8h@>N*f5__><43Rb)zioDNKi*uI-9}i~w;nxq7~>Xuog>h7ywH4YeUWdtckRwx z!$aFphTAkqIrfdVp63`I1m5gLa$inwwQiy~uJ^q3D;dXJ4m-co;rkf${50$NdZ4}t zX!n7W>T$jNuF?U?67%80kMCvFbc~RbCcH?d-`f*T`%EJ}$_b=uhW###8(dNe91@qv zpajt)6_I!vao;2st3Ep|5W)WPt_!3NH>2={{F=0OT}NrZ+$MiUX*YYOyV2{Bm;pXp zcv{K0Rg9@~xV0Q;l*zSq7&g_3#(Gd>E6SaNY~|A$=p_QU2_HLe=iBj{`c*a*gF$&@ z$c1rICD=CGK&%#qEdTW{^u#Xa9mzND>xPUIw+u_C(lMClvj7AdHXFf#(9hiV3>%pe z`)F|Ga1hKN2XisV8%dFl^Fc%5&VuJlGv08(R2< z^oylqH^rxb)&*PbCHXOIuIyE%7Lw=w*0n#C>UMN#>i1pgNDS(W%xK)yDul@IF7xM} zDk?dDBE{7`vP>%HJU9O$qi&P1{GBZ!2b;2!3(s8Lu{6_PRFMRjH|s;j8lFT%X)JL{ zK{LbK0tpF|PdP~IMaPLKa!r#FFOJNQdsAO=;iftnOz5yeJPV6uo zRCG-IJeqTELxpd+J^V8gC);f5+Fxek=1pgG&lWWBGZyJL(_%E*8B73;&ARH8>x*{i z!9?l>r~Q8Pi*dARN3VeT1^!%QvIe|MOVpek&YD`B%EmA%EgM#ex%B4cMpgA~7yWO; zf`Nn@RYZ%G3yKv7lriE=Pw4lHVjUY@zF2mpGxSYr+G!#MOnEgE8-6-#gB=AX8)DCR zwrd2DzYL#wgjE=8D;PD{)tW>#vQ)dJlZ?bc9qR5oOcMba+E!HJ<;qk#a~U1|SvF^S z$Y3&&>tOT`vSwgtm7M967^>a$*^lipkoK6u4Nnjjx_V|wIiN&m{%F< z1X>cB3gsF{ck(**im*cY#fF8687o)RDI14&<_*Y$%|ZRJJ;G~M+;y@e!}P%d;Mbo! z9Q>Z|Swv}>t?u@ksRo-jM9cY9hv+TTF&Hlu1U$w;kcSSBp8A33+?A` zM!eA~I20;Ryq^-wG*(d1^@78Qb}l2da$?Yll^ zGa=n-f*ce_q_q(PR25*qykgJQEVYHWlv|r#?VzOLx!Q#RSt@4-TjhkkKdr=O+_A0- z>t%l$ONw99hN}{wC9`r@sjP_B%}B-J*Q1O1FZ&8WeQI5Kp!FcVo&H zq4HkCQ=rnpTQeJ$k?T(uM)SI<(pjhjs$9!37BOD#twlnxXEcEzRb`|GH!G!#UUx8? 
z2g*n~K}Q>EEdsV8eHK_zn!wFr#{$1Yv^}byiUUirYGOFDT!!eZC;wK?ghO;E=Z&W& zCBph#ls(xwEn(l`L5qCcl9J(L-AGp<1(04~J|ayuxvpjo1agjPKi)-mx11TiWT0>WRuj zy)ryRQ%M35>>;VLiksDQr5WX@i8ijwRQmg~+7zM8VlRTfp*(*g5w!BX$uzfPfi3+V ztUrzJRwLNbdFzYH6r$NmM(y<+v+FCk9A;JY*Ey+@d282JH%A-3;MdN>L%FAZpT`4b z3OJMun;OPP6-bJPoT^-KB_?x7AHxg$XUs7X3rqcGPAb3mkhLx2`hJuKzV4gPp(oO8 zdb2-*y&)P=KCOM`ai0!z3r*Pnc5Q_A&FvX^&@Q{HY@uVJFAY7VQVuOISD*LD8YOqp zpKPL1Aj6+^&|79ipiSv$dv;d=gjbfg&&r(ypT0PmcQQR?jq|Y>00Fck+^f_5JIptJ zY8@f$rYAY8Ru^P=gH|VGM3vV_j()^zV|_%tW6GwE*L}=ilyRNUyB@#nX(Jq=A7g(i zD1Ev|2zD=Qp|+cRQNtWWl!r|T-_{PSR{F%>&vn0!l01Mj!+f$%p#fZheHyzdUw_+g zO$fh%-LS*!dChR(>sZmsuGHKK#0dS&SIy3FZBnllf5+88Ei zbmG?%5IEHT8YIH`xpMdVk>Gqi{N-}LkAg%NrK$%rgRk^1Sw~7nA?`4vuidZjwp*&> zrb4x?FUt8%l0sN=4wIr;8WUJCp(&r%7GtT6&J`_Mel_PbzO@qE#}6H@Sn@e-^1Slo z_w@PBZJol}3inGqrIx_UP&mZaEb$ud>sZ(^;KPl5t63EbT-A5edl&kW$_cC!W)la$ zOmJCLnuw8;!g#(a}mgIS{3rpJFVUu+HEhg-sso>#rWUQ~XW-ChDCioxZHc6(T+ZsFT?N1`wb~WWA^*wwS9MlY1z(p&)U3)zhch+eV2$UnMhNY2{ zSpfr?_ZN$_rr0*(40XI-W7ydvdNiRNA5=Mpj>UCYDYg;5vt5O=53|sSK|yA`6q$VE zBHx-9)6Ba>|C(I16b0M~h;jn67<|`QC%?D@jiQ9d7zSyT6B=TPr8>xPN=VA9En18# zYdEutGx>@yv4g4#uCg8hQ(~DQJF{rE! zv5w#)=<$G{^8_2c`uoKfr?gU&#+|;=JDtf)y0!~Ej_*_TAYdcmoxT*8!7Q4G9*)5x zrp2&nLK&|*S~(D-#eGO#rnGRPeBdFj?U8mIEkh+Q26Q@7@0gQre->kD3q0ckIiiy5 z7!m9-d+5>XfValw#Vg5-QYmKFX|^qqh1+nXjk9TT*h_NB)O{QM?rypQq*c|T08WbI z`HDpA!Bcr5;8&Skp&MUSx-n*WQE~~pfwEm|SWD~V!g%AcbR&rnjyRX-tZx=frpy6k zIo}<|YKF4o@FmsUc1X(d<(Tv+(kWR&+X#C2dute5yJ1@oqz;vb`#Zufjv%@>ax z5|Evg^aK;?XLUkjARJ(P+P^k@fd-?~PB{y|l1Y4L02OjaLL-FZCNaM=0Cytj0~Z zyPjw7ldC&k_G_hEkETb-yL)Wu!MKAk!|+3oCv+nsa5VKh7E_@i*`B27VcGB>G*-+| zw81(Hl@<-?P8K2f5;pHg3gw_~xn~Dm)ojWxQP-p!vZAE#I z6}9SM<0QUI>8AG7wKKbdpJL2}W7K$=?`%};!#Ecf)3=0iT6U1MK9FtPg)tLgU9%5C zs2z8LX{^N+$374aQBHQdBCF!MlFt%@n5Fb?=( znF@nRShE^b;)VM)a)f~m(j^0`_6o_Ea*asKlz=|>WcnC+g+)Od?71!OSlQ{5b%@c0 zUkWc?avbWqo0zo=?}b1dbfaSTAawl1nsX3ER*W4_J*bU3MMI?&fSfn+d(cU%tL0Y( z(N8jP$#^2GIHJ;t86lku;~3Y^o#3<)CWMMXiC(G!tHmYzJy}pOFR~jGG>SlmL4_?) 
zMB%$0CSxRuw?$+*;&>=mP%c|gD_4*`GHJbkBhywtIGm;_3~4<`^H%s9C`aB)f|>y& zO1Q{cZrV>GUz%QnQIG#)CymHo1&I^~lC(w}as(U9wNsuE7Ai^f2ulK^5)6)uutKi> zmtGB7M>E1lY&MAQ)Yzbgx;pF69|rzsApVaj_#ftC4Vg#y=vY+Gy}4?v`hN~IG%Ygn zT;+#8!Oe#WC#=vJ^|B4xP?_}NZRumPZEV{?GW8C$6V2u-X_=FZ{jSce^wZT@pO9BiuVJXv}a7aTafk676Y< zi+oH&ZKoW4LU~#)d3!Jns|F+07>vkGS~_xxE-_ahZI`huJ4Fk4kMDHI0x4BVJA9&8PZ3jXi2=6b`Z zq7uLMw8F7ElABZSGyPI$>M)yri;7ejL%pI@)Yt*Zqe0}Wpvs(fhiGgQASgx=k3dd^ zU)whxB_kB2bmCc<&7XA6N1jg>3_@a>EKJpSq=8D02nNH%a(67-j&x-1>oN2t!l zWSNtF!jr%xmtMR!VR8^=LTM%Hr_{pTbmzQrKP*w3f8d9chHy+q^p-ox&fAh{mW(Ld z(^7wmfKhL1O|Oy8czza9LRVv2HZYLVD}TZaU z#do3XUvf}mD-RfZ^MQQ`mRl9H-PJZIpGl_r7}>h65n#Anp&=oeyJm7=X4=+&pZ87F z!lc6hH$%o4@YNG`6$@kWf&oRHGANl9emPCdNiNIjW)pZMD9fynNxe$DnG4F?8wi znbkmbIZilw>kQGEcESlyv!Z_H;~DaVmxL6CLPq%%ofSI&7Eqb3Mx+>;ImVyQPE;?l zICqGbI}$~P4s1_kN}T`G)M}hwZY~9r=kPb(V(J z5NTN`Xf+>Da}dofxU1Pz0BteU7VQU9yJ5teHN;dkq)G=C^c7Sz#=jHkrErcWO{Pp; zdZUUP28?O%K39kurI+mY-7pUe*-AwiQpAM3k#&QoV%=+9el6C?mn z>Pv8$q5mvm%I7)Jl5-K!r{_JCdEBj4-d>{LT&5;I@iBMT^<7-*-zo?_mNyUo;pPp@ ztY*~g<<Z(E=H^dII3@}5xVp4(9DMixyiBn zN~Fp3V~BX$9bm&K4pw#thJ$#jG`c;ssc00@xLCam(6emm+9l+rxHAu9vYAdnOc_Ch zsT*|Gza!e@g4)!CXfH=tOQXX{w?rWXUPjKtJO1QS8<0 zQ&SLZutgoBYb{cu1&kRhrtm={&5N+(}>n*DRro@Jyx{R zv}xC`DU4*iv3WhcvCI1#m@%jov&4OUSzR1=bq=0)b&8Rv+tsUh4mZ2z`(xY?r^y-m z8ZdR~1jb1bOhDCb%@y?IJUH!kpz_5lk$y_|^An`sM)$)JDoYnlfr8AFc{iS_u8F@>wGQX+|l^h>J0C3bn`wT>IpxKhzd#NkLg ztxB3r0u=#}iWm7u$iY}laqQs>UEz(QNRe8(-9dG-7sJ8F8AShFLYh4pmPt#}$`8M# zDoozn=2f-MLVZjsq>^guGK++oqOo-NshVGzF;!}@efmcANaVKOL(o}#?G4Kwg$Ifv zX=*-pjn(_y>4nv%=))G-du4!qS#f{`sITl7e)eElz?f7m5tM_=csC-E8=2^jlnloY z87ajdonn6@JdZd-|80BbzctEoLJpF#b7V4%?{up!|7OGfw~Voir7zM%kI?hhk(%ez zRp4l4^?y6NlLs2mv{hi66*@PV9D$_6y**`k3F1Pd`+Y(;<{s(7_U2@ZS_fv!c1L39 zD%vm64Y<{T?2BxLYOH!x+v%OZAuYTRbOk(qH>lf6Cscgrims=2Gw8B8t6x&jvRiFt zIQ_1Y5xg0{oo5`0t-lTFe)miDPiR2g(+h;U6>fZ=i#}L;&Zt9NK`skxPLM79b;xe1 z*5!pOJicT7G2=BXf`$xtIR!?F@?xU_?kAxNmxY)HrtNRp)6fINRkv=$es4dZ09qn8 
zWXHTZr_ngwIuP}Q9-B}H#H{y@!KGscuv=TuFxdRAKF)^3NKo3)sAACO^B8nj-N!_#33G*Ld|0bFViaFtPw0)CYp z;sQN?KR5Iy`N9i}z>n8CM8~8nn5WRHTcuj#uG0{-Q*gXCDYSPdIAfiLAUDz@Y9-&5 z4GUKr4You%U<|u^;F5VDn1O(5GBC!!%_m*lTR8P4RR3o^oN;?@yocWEfoY4^&X_%c z-3yz-rK94m*Nm$|w5+O#=lFD$I=FkXw7y1{GDVTZV>EjD1E3_K5}gH=5M9Hu$wsB+ z&beoejzQJ$BCcj0(|_QEv%Qpjkl-)r){alK1nk#J(+}WwSDp?9sD~gAN~5XNLZFtZb4zPlkQtexy8_C- z!*rlcUQkwKuaF~=Tz&x~aU3#6Z7Rjp^#@tXFPHE~6iizG0Acm&J*CX{YPHEUq97Pq zc`Xh1JYBvz_Z<3k+cZe%&I$^a2)l(JE<-9Lks7Q-K%}3Jz=p_u7 zZZ1+j8%dy!1;b6ZuZVG2si~2cqb9zoK7;qbG=@anth*L@=`%wW4olIFBJl@zx(-RdF(kIT-cR%N zlxaQpdlEh9pETJuW}5>qK%e=s>76MZ;%u*(5NB@KAk1?~nAGTX0*b zub0`8>prY9an>IWKKGi>{GQC5{s#Ge9$lg$NHW|NMi@rxK#P5<$EY&w)J?7<8AhM{{=`F$e$TSo zZ3eC;4DF7P3@g!Yv&L2GIO|?|)@^O?H0iz1zw9AN{xl*b3LxmAc5eEC5%Cf59OZC9 z<7I&3e(>O1Sj1!Vz{W`k)*^fvMQRY2=&0WCu-Kaj#@LAs(cP2==l)=7%iIHs@II1|kW(f#?9v3>8=+>j9f z*>wXygw#tA57v~DYz6^Cvk`GCHaA+x|L|EKsXVD~%b*cS} z<&5!``TC*geDgJ&|JSHP*wY^@X6e@-P#?nQtvX6D0-=bTP;hs&H@I;hLVqbQT*L}s zmF|VkdMSFXPKre@Bno&GsYt;{hfPScLo+M&Yhli%tIgNsw%2CI@x)zbf+NCR2s(@m zCufX}=|f5He}?PqXTYDK(fR`weejVppga#`5KyzLKp za{HVPl$=li%!`+A#KyCxU%%QuwOH>0`8(r{5b3Nla^8Uz#~L|hZ&M_{#Ga?W->IIF7~!g5I1=zc{op**3qjDMFWH z2v^iOZ;{SaePi6PKMNJ+Hp;SFV#jmMv?@VTUluu-Sq+XYC5OmhF+!Kgah!v1*DhiCohE>K)(!MGW+ zwT0KgLd`y38f)`jp>x*uN91vx?ig8wy>o@^4fOWAS80_QLfeHbV5f?&h&EMAFZ?IX zPfgEa1VT|yAHCIh6sIP<*G?4jE5mK2`Ym0Z1(HBEM*9>%kOkn)gu)p?rpTV`#HL)>>SdM0 zoJg?`Vt~KX>xG{)?9~fJI1Q#ZI9lB2Pq=npT+G;c-Qp6)OG+*0>7(`uAJ%zn+0-Nh zg#s*XJ3DXhX{gMVebRVCUYvKLo$s{9X2IK$tm{t=k6(0ALK4Q%=H~$q0R`zg%o~r? 
zwm<09D!S5en5={eYt;miIj>@%(;G>GnP!8&d-qAjctJo~ey z`=@zqt;wV49M|hH39Z{B^gOpT&^uh_IsK}r78!fK5dqdmrC99$x_Q(cVV-$GRCOiu z3dgFYombs*R9?675PIE&Ro61|jpKto&!4zj3Q9@BXRaR0aCb+Gs9PpNJOfn#km-{CiQMAJCv0pd%Q9y}~Ru zLuF$UxqAv&P}YO2FoDJS8`Aju6471rtM9}g|{6471hMeHPHy4WEzOu}x|MJxT-RrUnXqrnj!KL1`Sb1fpBNSN zzC{+86GQWy0St{~p_b5g-?{X+sH%L=gy9D0%HjV{m|G3Qz;+eCj?#y#@_0WqQ9S6a zjvMu=vyg-;d4Wo0ZR?NJkTIJg0Te!LOUlZy@g-xuKz#RB@UWR>(WVU;+nVTWsYKS<&PKC*UpzMDk1C z#hGGx)POZ%Pn}}r52;p)9Vo~7R`pX|v?T;61wSQ!nSxWFYsa9k!!6v#!a);x9vZV32KZa@UADArbQvz#bJ$LmsPu(x|oY22<r?%8zn-fM}~yqF$&IyWb?B)!sRMaFVPh# zwjK-P7KDO_Rwvox)vw}}0M_@^2W)1Zu^G|xEVh20Hn!7XGhqw($)|nwp%ZWN?k-4P z>L{3K4eC5Br*39<-l<=*>SxEjyiSzDVPe8gR7?Kru<&x$YjKFri9^Zg!AZ&eYyxCg z#m~XtBi$?BZ*J5yH@;!`Vi+<@ZCktMNLGf{N#X5Z^(S(Zga@O5X7}%0VlpG~rGL|m zB^pLgVkbFsY23B%W#(Ejrn{Gxi&}lqeQ^n=nO^zLAc@lbxpG;_g5P!Kcsv+}fB{~x z?nrJqY$twyw3xv?%FBWf{1(9_P_lm}@iy4xoRKHu2F>IXPuZT)*Yl^>rYQ+Fn+C8; z#&z=tk^9?j;MZPen5#QfjR!cd@u*wR^ehPmi-*-~9*20ieO02AxTWIMA>}adBpiv@ ziPDB*Ew?k#HAK&LCF|A1{_MMR(BnvX5eM*&an6(Iw06S&eYZ_pfkH*gEPS^$g)QV0 zY-8PykZ*723SL&Jnlk*BI3XJjKi3^0K9@9a`J7ClX}Ce`52afd10-BBa;FM-h?`Jf zgsuY_$xbv1byjTxvDM0T?+M@~w;*K|C$Mz+lH7*b&qMCH?p^b@_7rjic&ZW>cbc6| z#zr(~)QX+k`-elm)cw}*0+zTN}1iR1a)stJOL@n1a=dy?-oqCN4De+j+ zwZ7WpVJjBK>Z@` z9VfM`e-+*Ajj8iAAT0o>@@rV881WT)Z0C;IdAS8Y#D?UJ+4tIWut%($mVe}rN4QKL z)v6OcpRP;A{cjm}>kI`ePAyfoib~QncHDX*V zFCC;DOA^ZsI9R96&p+>QFAVW!b3s=NFDV!_Qi%nV;st2UVt_XAOTW(}OyNK{k<$B;g<%N2g%9?mC~U zQEd~Ou(t-Hi=NP#^wEWD7$Tj4h#ZOKMsV5U?AF1R2lDW%&>*Eb-SzX`h$qp?tW3gF zeOf8jjkpByaG31u*1`9gXSyW6Z(UTOVGf)OhvQ=_Qt-Z?uisxA#T{?u6I#L?U zbK2E)n3A3yzX$7zu0Ws1d*iwt6U?E13lLrCQ(;H!?bx0POHJv)fQow_rR)cen$z6u zpt*S|!BhN+jdh1*v7nKMG*P){@t$E)#iM5jyPGq=2(uQ+hs<&IiRvc%CU$ZNk5$R^5(HJ=j0?=WZ3RNtiIx0t#NTx9kpo3hmQd(c5V6Q=` zjrwX`@~fth+XO(*Bc`NSHOq+H_R!viEgD)uBpV1MkD_}Ek?Bv=dwm)UZ;8I0SlnqO zh_)2eGvg=$O!HbwSc%PurxaQ*#o6`X$lLyLsK4lZD8jSUf3EN&&6q`8-Eo8~htECx z;fZm0x=(*}fi(^deI+aT<>F+V%38SAL zl=t}+l!_r>>97+F3~@$x>6-M`nm3!@g9eJ&k?_eRZu|KAPml;TMuYHm((oCseQ$_6 
zC83GPp6s+aQK#ZYhL?^hnIe|WlnrGsbLmp=l}Sigr5Qx?vxa+_d6li#bW}s==|8i# zhuSPscFjzWKT0P=Uw&=;D9x>v2XDB)K@cS7gN6-9`^E<@Dw_Y8eNCpuvlI5?M1)va zuljiS(>o}SUU6iJ4%>n>`L+kj?3ojqEa`XRf(b3?dK=b-b*GQ!&B5S+7&-YY2Z>x7 za2v)S6lLhCW}Drj!ICtEhKbwz13*J-}CVxW8OTzi{8^4|J-tN0i=&Fm6@Yi4D2!bh(FsX*O-xB@Pi zMq)37n%I67G#|AjE*fwe#CRvQZ_I{0^a1u{FgOtP&S3 zH=$qFl-5?gGx1C=iwa-fZD5-u$wyk&bphTeH3Z*vimGK7{A1m?wqjN|*hMdJuVr&m z^k4vSy72S-q4Vb!5|Su*FpB8XB2utQme5Rlb>XWNFE#lf{hQ}+WL%>gnBa`i9i}sR zf4f|mheg!|@Lj0IQ>9@`fCiLw(B8cL5X2iw>^$04QZn!-EaCmc#HJ$+@`Yoll!&3o z5FP-1at)|GY})=OAeeJn4|-*cF~)IfnkAWZRJ+;{|Fy6Td0cTq=Si5P;LknZ>^t&Z z&h3rPH%2mqClKKuynd&M2bCo>e%|IoMtUnw3-*KPjB7Lsn1*}bd&pCRM@CMv9TTUR z1w4vAIYnQ8S*1P3;@r#-h>aBaA;547LW?E(=YY&lmN$1m%(yB?tCZ#4F3lrdk z{nr%)B?RhSgc7o`0*0J>0}$Y&z$Z|;G}eXS9F+vOdVlTjpX`-bV={4Q2hSZ2_Yiw8)*-Tn1|L(zUjK}m~JdN8Tqo+$6MJL43>zso`& zR*;`LL7oDg1&}V)qh!2tgIy59QcBnBFBWsJE)z_tT`zJEW)+cizJI zqi0S${CTf?qLvPoD<^G3J?n^ru&2aAIPPp3Jw*(Xny32B$d4zo}#D(X~O{gBdHjt;E8z z*drVz8dfpuy~m_PhlMhQCoVLhSMInS!Qg310ktpwQ+=4yeUYqDePr37E8sICQzFeBJGlL&(qx`6LqNJFTa9Zm`uZTW7#T~Ncj~r?nkAFE%B^r?uP>ihQd~k zmjebP8}=vker;_w$6bb>&H=`5^yn8T{r>{dG6ZoS-&v|>`^%7^zhnoDFurRlFxEyN z`lVD-r!NoOWov(?VT>Q9Ls28AG-!0*{XH-jph`dxw(L&0Nuc?|0B}T*VoEtEJ}$`3 zNjx!ftwHv#7FlKijAsyj=+Cd%;rl6=)!JNe#dm?~3gWA{;y-@WFL6F*4;jv{Jk>`1 z_iBg#h6ktfALlo^QSYL-%Iu+lg#Rp>I+WA(70iTtViq|c-72;J(Uus4GBu6)mFZg3 ze_g3sUsN1LRnYP&=(yxjry#9y!m;JVkTC!&W&fq>=*_HHz2~Uy{D$>rw`74&+a}4{ zoIKNxAMGX~Q_P?H93NC!L+tZM?quZoz&$d!U-vp_na!VQlE>Dx@u8+ z;dWV<6wCXC_c==t*Bv>%5rM%xejYZQr|M~RTowk=!*4?KxkEKT>Q57}idGK{*@b(x zni$3tNNy%0?Yi-xpuqp`TH-%qEiyu)YoIrx{cdaN*+l>FnGxqKJXlCK9dM7WJzP4i(NlE?Z(v=7SAQlY z1A1BJ{K`Hunt!*;{vRWa^t~{7e~;x;?HX+P>IYZHKe~MJnZ0S$@U}dv)$nHL88~@W zyZS-Ut1x-BEnoBB7CX-`nK9jlHxx>{|2A@U1b)So{qOAs!Abw^rT`F!BP(9H`f;q? 
z5bMx@NQJU=@p)gVJ$d!-T`pdHx>c@(^J#E(e7)0aHoUQfZz@sAcr;*?LU;fW>dd~Ip;~Z4GeDRRoW!SK6_vkxmSi5@8 z<=18TKgIyx3ylZG5IfocEQq4s-= z5pxoM;|4ZDDrlD3^ff5vP&aoHE_+o zzY9%`^*!@7`;$CEA_;DEGL5!UgCQxAKR1-Ki!D~!ffC@9FQXP$d8{v^I5+I4#tb=R z{`9jp1C>F}5TV44A;+E90RvHyj=yF9hHdZt@+wqVfhlPm_r?ZS=<#E#tA`(DX7?!H zl|42ce=ubWgS$3=dejd$eUkU=zKa?|V0sHvhF|lA~A>fcSI7% zM2gmJ0cCp<69MI98cO_|nJ0h!J$FQfRoWm=Bfa?6xtgQ}4B<_pMvCaxd6+d9^9`G? z3m)>T#-E;qXkKfA{0UL~4*5h<1A>hA%IOaGd9Ri$b(EX^S4(x`f+W>fCO+rVfGZQR z)Bj-P$$xPC_&w`crJqLA@r9_i^<99-Wxn>xC`>UUB}9m%*- zNQ(bA7j<%*lrJO^YB<=UTPPg0`_3;|RF|_a*E?vv%Zkh>6rQT$^7{sOmR ztXEuYKErB&WVZK-h6eZ)GFpU&lvlz0cDIu!IWHEF=(XyJNDEJ{{@ygK^_&Yi9qkoe zZk&%PmHw@~+wE?~s4b__kF&`6zfLdaJxVg7JB~cK@%-LW(2EC>}N zx=tCCk(hdeha0eTKY?}Ih(iJvuuAwByCIIRmJ=K3p2=C+RJnZ%SS%PwwVlUDhaT-P zgagvO&~C&a`y(tQvS+c4#^|GaPYZZ)*1+T6c;9lA-Q7_C`pz6_U56%K8)465SPV`a zL&|eVPCi1+Sscq0oFnQc9^>uBPFH#v{Jw|n;xw3IG&*T?;4jG`&%Xf^e0iw1FO)fo ziS(X{RIGPzpsXb*W3a^g>jO&S9G{&@S zjyRC41O-RQj~__7N~2m(u?P6~{f(yP6qz7Il8Ohu{id56un`mv*-CM|FQyLHA@^A$ z*qtS?8p^tWoxEVhV3ye*P0{pi_~yA!`kKnAhBLIKq?1lv1?MPHA_<`GJm|L!gCU@% zi(t)4<{oT(=?yx@9kwkwBMI6qKkHq)u@q*u;b!>r#*N+Rd7U|T_g4rccSwt~s3W~(bR`pM9{NQv zqa&X7)fD0yWS|x4^%8D(nb5)uB9pz2-Hv&YKz-gQ&yE;C$L!jp{`C#)m!-@fda`op zTj9HKyd9NqHo>i9PSn^MT(@ zie;Joy{-J+1K&?SMqzJn1mqfmL;DG)Zo<5_FdAnx%|?P%MMoPl^Fww80+DHLviYp* zlcY`R`Y)4^ZQnMze@5SZm-_rkSvrSe>G3A5Qer%G&WW7%CK8lHHg#M;#g^s{X4CA% ztCC+d`$l>Ogmo9jb6Q4w%B7EO0t-C8e`B1q?-)MNi3AwhCS&VW&Go8bU(yk2+xQU* zgwE#Qg$gF#_{riv>i3b<5RiyGb2Ptn9pd&2lp|vCv^1KbPs?#}+kPJG@39~MW)uSV z(Dyez3QrXT_CX5M_!HWBhU`-}d|FLeJm%`scPv8jr|do^zK?*{3eOJ=p}kM%s$Xt! z>g8`DCD{vgtS@my{-XBkSGJ~)B^5&17Ws5>4W2Sea>YD6K;VCAG%Yn~$ZN%GG2nmsO{->dj`mngD(1)4pHu|XnIx^(!7E8fKXBFUJUp_}Hn5B|@UK&4Le za4R#liT+9Qq3WM2vu*WQEX}xPOvD(#uO5SHX6sw%>_{R;v*N1=oNp~bjF`D4t5&*! 
zPEn1C+MtR8d0TTCx^3IG@2|qmhas1--Z!Q*Yy9_R>2PPrvhzN{+O>CIS48!ngguB6 zp9Dz$N2{d=dR8m@1@2(Y7uN?liJuwIla<2nllAe5L)&40j~&_NxrhfocXYw_FSdO* zl~}?9e^ST?3i+9l$pcgoY7w{LAWm8-p8L0Gzp-{uArOBET!p4_t|2|Q@JH{p2!5g& zp>fq9CZhOThZ;(G2S+yc&;~r|VIuQOhuz06JN0j=Nj>9WKVcIOezk;bHL>Es+(x?0 zJj~lsyuUqd{OSq(n%w^Sgt15P=+)zO=nRjbOprv9(v(+ObjUbqFG5c%PuOjZTczJc z!b|Y;_I+ujgSU9@n8|c|VzN;T=`|T&OHuZihdFfG6pN*vqfvMzuO5&6$wkiMScz@= z|7K890cz;}C9{j6m7gjnx1ipASzd~9Jv$Y7AUrYJ5VQj;Ww6@ugVgOXC2uu;#ea|u z5H`l2+n5=|e+24Nh&=1!_BFhK){4(9sKoRxD}Vm@js3~>QQ-^O#?HlQ;3APy0T&u^ z#=gqNsL&#z#<>B20Z2SMRl=B_-N67#7Lgj`Yq|_kvd_git8sz$a)s*uYKOv+P0A`{ zkY<~rFRjy6fHo45U(IukK*nWGOMz+#)v^V=T)M*wl~CJeI? z*Zc1A(0Io7^%?_DNY@C8EQ@pTCDUMoF#n6>`%mgWJfo5UX$Z;ZW1rrH2|iZDy*SeN zk&-`oY0R8yD7p7=u=G~di{YY5Pvfg1!QBBcq%}1iSE5cgTd||0=qt(~YQFR^+2ew~J$NdZ67Me6^P>nWFg$p=%X zzgLkRM!CgqV2A$cSZb%BUu37SI+BL__LP}w*6F20&hX5cE&YGj70octSc^Ai(dOuu zmrA+6Z%!>!Fi7&qE`M_guh3HY_*cfpl>t%J@pP-ZucXq~>5EtqGCi-fEN7$!)-~7R z`ke8#iiUVEyuJgpP@PmQGZ|IK%2E`cP17+`WTJ)^!|yCfcIGQi52uhDf($hE?#8G-MW-Ag5HGBg0gnW z716Wa)ZA=}dGJDY=J+MBnZH)ycmk;2f8n{Q1*vMOGWE0lAGW?Ss;;2f61NcC-QC@t z;O_1OclY4#?ydoXySqCCcY?bHo0B)+d$VTE{HfLJtm2+?yQ}uzb#8YNVM$xBY7CP| zwST1^N)+KTWNNU;arPMTu{Y+?TD~qW$(3;V-oIyd=OX3zwx`IC_ok~A!W~l%9HU6E zSy+FE0U@;2rtL$S?Rh%>ik4yEtbWVl`LH1vpQeo*!FTwepf?v)Yv z)M^}d-~7#*2kRqxof`$u8GwHt;5wIU&+mFJa00de7#YMJ=Ia}yP57PtWx@m<&)4;tI)_V;FLi#d5psR4?vtSi%t@>q}fh|kXoID!@!lp2v30IHQ z`m$iIc-#K*y+e99k-TZpr2lf@MkO$3;b}w^)Gv$wb2{rDc{fm6E<(@}**(|c4|@mV z#~(*7*&(kbge`|oD((L20uJK1mi zvt$U+8jLL(m~61WCqyeN@;oy{SkN?nU9i*aac;`*apBzx3`5H$`P&tL?-oy57e-=C z@1q)n*+B9V4*sSGI(Q8|98q(1N4nOF(4Kdl-lQSi_M_PL$3ut_bE(aagANi?ry{=1$BAv~^qwCPuDT_*LZO!Z^`lZ!TjywM+| zrXd6dRK+_^6t2B8Q!eN}1A9k@d*YjM17j9ZfgVP_SIbxX*!e&^4C2YL%$?k=z0n)Y zH?p^0!7i)2^=2RO4_!%@P+Z89g~^t$px+goMJ5+h^ma0a3Ht>CX3mBYE6TH~99U)2 z1>C5nByN5`f%e)xe})hWp-QNF{(a1-Z}AJ7dRk`_yG}C?Jld6+vQh!zR?soTz0D$u=e8P8tsnJ=+ zv45ygt2sgAPvn?dwQaD9MzfW6TS6VZH!|t+zhOU=VK@%Zev0hz) zPZO!rzPT2eqD*7gde@|kOuKQ(kc$PjIfDBHV*Cu9t9clWe_hN#8N5R@v-ol(WgUCz 
z{YRXNrgGzRTFMhtwEWWy4J4Lhi))NfLe=N-G-JL@0}jsrv-^Gf(-*Yz(oHZZM#rDO z)OLW@nIk4Ivf1YSfh%&;WpIB6tt-7!Chp6S%~>ZA#QAaC&nL~w*j}ELh&`@IGGweD zuyv{vbrn>+(ONvDW~5ANh7ilmct1`myQC{^nZas*WzO3UaN1v8pA+u(y+;2z3-IRO z8yR|dvt}~hj!NzD-q=P5^YcQ^EeWcMp55;sSytA#Sh9MZ36WLdh_Bxkmp*OJDRZ3xLot4*_+Tb3z=0TqbF%%`P=St4KCw*CL`pZ(?N~k zi7zzvCG{aEQ+&Eps%SdSx-07GC0LOs$L%usdpMC(Xj*h<28sRG?j0ZG)U<`ZWF;i4 zp)CvNAVaaU*X9t798h9@aT3!pq=J6@5m%YoCY7Y{S($#%2>W@T`$r>$H6DCkZ+qI$ zD_1Mr42Xs)8W>v9DdV(Fjlo2K9qVXPOS;vKhpLf1>&+XHvo2Db4l)5@7P~d`(0FOgitp2B5+8+`-PSMq zPd{k+wwd@+kF~E+IsVj-QW88QZzMLQUXKWxD>R{yte@KBJgb?gS*Xp0=XVXfM$GK* zM3q!GRK4W+lp|tnNA5W?L5O)t6EH>~(1g1_?5$fW_C}@A^U)!SMmse4!Icwf?oWNL zZL~;U^V62337?D3p1lk}HQM=u5h_7bS<&v8g7~N`&9W{jf0aqnU2W9O!7i+kP8E|| zsCU&cQ*Lvecn~v0C^&%f{iSva!BL{ZY*M;MYR;BMk-qGQ?tIO2d3- z^HnhJ)gSe9+M3+so$HBRUcTGrH>zwxtC&gZz9vTs`--EPS_9S`bwHODmKpyKC3OFm zGuY^w>wpY0^()v0rU|tmyDM>q8rLO{EGUbQ$QmZ1J8NN#q59a{O*NBy+xFm_`jD+Z zYV{twlx01E&Kv2?Fg+J$Rk-3BF?PQZ6Bg!LLzqugii%N%=eE7NwrY#WHkr^6%`Xhp z;yN4u_kQ_RMOW$a%45~U3|pQ0Bd&IxwamoG9-ZdW#!B{8KOI)R$1V4u!rFi-7B%gruRkHde>ulUnNu8Obg93Gixjp zZE)d&rpYQ%8Zyj;WY&foHPA_Z^XxEKlr*IG+sbI$rF8s4|6YLPboBN8fFvT2M;{ock)=+B!XcS1c- z66dg@fq`MW0md;xKg3_2J25rpM=((73=Ttx!i#%;qfb3O2k^hss<-ri z@Km4EH;FdyE`bfpW8bX82X)iRgu49J?F(Bvn@mu zY$TfTk&j||e3sS1l$CVA&N5?r*86$>OfwF-b{QKdoU-ZPKdYQ9#R`q5X_#Ci9m(`tN0FCk@QM`OyzlkubVmms zTrEEqIbGuV@`eukc5E6!a*qt0j; zI8-mDR?3}f6P|j&6}u;0^HZ|Dbug7Iv`1$>u`v>a!S)w9TT_S?KNc^ewtAT8bW{9f z#Lc#~kzASnviVu*I5|gij^~YtlO9D&q|TmNUABgr=i!{IiykNbn5ynT0{awu#?MHe z6c_YREN^poYNN2?1*@hanUZG3R{PaXuOX)tePWr3Hw8#9sZsUD407@Xs5 zBnKuYelRA)GKmLI!IXj@3%9eWO(k8oG`w2P=BOGhL%PRLb#xN8zBXmGBu|t&66qX`AFHnZPS#7NwI-`f_wh& zPzYiUn9pZ>YX%QxQA-4ZUg(bY&7WOU;mp_Hu6aL#2hdxN)^DPVJ5qhO4F=YyVY3rP z-7&FCr8X5TRNdn)bIQF@s< z<%0IIXGjd8Y>{V<;slqW^N)ES$b5s#F4_Aa?Bn(+EEU4GXI@jp2X=4L=iNn^iWNSC z$|e_#ss1@>fBz?keLfq!31M|&KTVo>Lu=3%`+^+jg!8VHQWX69oatdHZ2n-Z@JD2} zzE3{#bQv?=1iO2@>Lj}q?&lsAs|;5i4@l<66-N$tq88uvyJE#DX0X@6$KnQ|=P%f*LsUx3%ghgP07MN$~_UM8WFtFa@qclK4o< 
z(7}tK#8C$NvO+M`cu4gqU(W*Kd58{1L5U;BWfy)p=B?H5wTD*HRDMH`z+QAEi=eA> zfrm+Wn5UCXq4PBp3jb*zAAZsXE>bK9CK7x!seoU+{yYMMoN;lAIp8YKCuC}XOz-M3 zI;L8QfT;CEHN9RK7LeyQFDq0iP19tl#FY2)ax@Tg4Q?*|tEY1DOrJ^dpAZ2vR3M~Q^iLQvhtzuG$dLl~-)_-1;_6nu z^wZUuGD3z{k7iq*X8nY(AIsb=U?HyUs^(ao&#PT9J)uswv2AFYs`;DIuv*zss9X3a zV3q&dlq#<+gRA{Anwot)n*aPulz|zPbF(+u30mP63HLlkgsNkdSY?akDSe_>RPh#x z*4wRdvt;qO4jJv-uPu^_7RlI7apQ>gO5R8-W${IHnzQ@usz?WRxbT+Lj11BMjm);w*_~bn(5MB5M*pEkqy>Eho?h_Mt*rSJ`%QQ;eVX1 z zhW6h~+hA7duC@~nkv^$vPUOmP@6#-pC={6vs%MvGq{k*&r&Mn!=F42Rz8Z;Lradc7 zLF9uOG`RBiTMWTx{o2#6{jaH^d(g5=K}Az%P&*G{2j`(07tcmTB3o~95zwp`&z5(T z{sd5UOw#f{*6y`Q?dh9Qat=0`( zOLY7hVcL)SV7?jlJ8PMHcPon~|AY2P!{JLE)92W z3yKlqn_K$}={7P=lbB-^^w0%Ck?iVm-`DoFw)=3?cXvVl{=uO9nG%U)81J2yBwISw zjrqow3uN4G`=Y+@NuZGKf(RF?qcL(LYmMQY+ja2V2+WciRlFPFc57Qs!BgHbYAB)A z)VIM;T}MZ}YMDokZX-uQe;KTu&%tXFVYd`_vJf6pfA=*H)=%NrPJE|5a~mGFtK}R$ z{aP=oRUhCjsX;1sCW!O6XMMO^uOgubOxH3K4werucUj_F_Sm)U zD$?g7^|y`PJt9vQoiBCURp;b0Y)!%_7yO8ms|tPr@>a@y65H&<&fp`5(dPlZzfJ{n z?atH-_|B>Qo>Vh~Ikw&oij;v3L>?dS4R8rN*If-(4v&S%NHjK=g;xhOlb>jM&{xjw zJ#-trc^0G#&D+2Zz7B{wQ$BnR1M~b)QCBH9mkD;$6?J^2l2S|QcH;=3gNT-Syz81$ z<85(S78m*&T$#um$EdINqVNmnd=?_p7-E>dfuuVss(aD>rOYjdn*jM82(*KZ7tfIy zJj45@d_SKe?|oHXfM+7<;K@^Oj(jVhVwHyA>MhIPErc>nf^tZjJbh2$F1sYwjmMSu zW`UerMc>-BisY~}kC}ORog5+0e2j9p+k+7H-sLjc%Zu~=YWcLzU+TY4$i}*w2Qerm z)$OB_+@Rce=x>GMRUeW^Cmcqa1(0ur)@r>_4*D8<=D;u+_mQG>pBtPCswUiR3gNsm zFUzXCFJN}Luu0T(ag$u-SR#sX;TrzC_ki3~ad70KmL~50F6r1f7P{G+UKPdW}=D*gH`?){t>3s0u;x%J3>cA*;nrUCh`}y`Fg-=5zvMIVu>NX6IJ4gXt(yn5?7l@BC56Vgt|;A;EQ@4W6hIrsKb&} z2gbUhS>lU(9Z)H2HK$k7V$?<0D$6Cqs8oo-CoqdP;HPT&q2MIQnUlZKvp#Lu%23wr zRZ7{26B4z8Bf=k<)rRaAZ)1KuePSdk#0+;*roM#lR0J&`ny@}K_ojgTu{?5q*FUA7 zoNdeK6@EMT1U!r9&`oLR$HfND{@Jd*lSkBhs#3!k|?UE8uZ`?dSI zi}tS*s=wm@za3fQA$8w2y-u!0m3h8R5;oQG3n&{Vdnqf`#|z{2Bg)~!o9PzFSB+WM zOCCOU&N(_}@N7=8U9L-*n0)BFRjTK*ZRBF>e`jUn=ZUT7-qw7cy|#aunBFT z0vo245^YJxr?_Qq(WOM%&qr~V{-i|GTh$Mftu$6twYS@rr<&kUxYDhl$DB-(5C@hn zNcAEq#}c=#r%sV*7{O?T5qGYQ35*<5D@0@~%?wW 
zoo&ZB@?*ja%2_dBprabUvP1e$tU0)?)Ke^~S8rQbFWZ}YEIxBMGJ?jw7OZqgcTJgQ zW*eY{@~V7zxP70V#_?R#kNu5Ta@Z8F3mNMkXdJv7#$@;HJ^$Bp%N2UI4OEl)ZmEM# zm%d8v3SOntgV$7Mo>$kA&>6cpnQon|3gnlwr3^3EqtPl>3fbwtq9puZHve@@-t-AY zrlrETLcJ|#LhNjGe%Xxy)f2KT&35EOZ@kCzQi%)GJ2@WTuUxvP{I`;aXw9w?o+->0 zd8JiSJAahFlE{=z=gTkHiQ52%ald3o>CRy(h#aR`nViHtWwg~*de2ZQh9fEnicz?d z*mH||m|3f_(#qeV7pIYprYPhSPS8i%I--@GG$XC;p>rO?@!H@snKaA24cE@ktFz7! zag~|>-)0E#ZhH>N)j_Ugz1j0ASsQXPAQIXkoYu>>Q~AHPiQ2c zt2-EzEC^!{s!rPXR7mLuWy6T~H(&V2o1+JAOgABfs0aAxk-+o0#M_{J?KsQ}(Lx3!W6yiF#(Mes;W+HdXRw+VNoS9i26E?B*)z zu<*ZbJ2f?HLBuYYE($otli=i!@V8;PEuYz7XZo9yFUULFiI9c#g>Y|hw%!QdyfPlZk~vs7W{R($%7W+;_RKMXz$}h~0OS z`;6YXLfpUhJO66K_=pllmmR$;p3yKU*oFUJ&A0nK=AX9LYH>pk+grWo(bQzDS)|WP zg)8RJGEP|_`8fBO9Id)6sjudHm5dIC5V1rCHygJLAMIh^>u^K!zZ@b{0x@r|^bbH<#OeQiKU_(sH#a(NMQO zaPh(->ds~`9*g~J}%tTe8YP*&6=kA}U(z^xA6TO;;Zuc%) ziju;q;?lwNIa8V+mu^VOKoB8a$6KATAaw=zt z>NNWRQ@7fK3w@<8r{A0YKIQu{K3<7pQQUczB_G|(TRKLoGU#8a3FXe#f*dNypRH?q zSKsT&cB%ipNvT229Nb&P2S-G5espd$ft7Da#vV8xndorK0C0#B0^ZJg4j>>st^tUuxj3V_-K|{i@ z+9|E2S$Apaoe3c_kZcXDfP$LwVK&bfC0_TNbUr*~hNrwpcx*Wbnd2+7<6{W4YJoiE z>8r{WhVLf91D7gTrx7Mk9@trEy_6E?&*@;1caAn@^HXsgGm=Tsey2E;T(syxSQ#mX zJ(BBjrg709oL!%%4-4CgoI|?~*CY>b>3_u>1W9$n1IeULkp-n7zlvgfFNqL6c0Z)Q z6UU4fWGnI1rmwP9t2vvH6__0wuqaz5JMUM&OKZ$y7f}@o6-J^86}}&JQBA%fnaLnh zW|PKky}$jYjX{RuCma<%l9BhQIAcC>D0F0VT3z{Iy!GVkviqY%#`te;JjAlOCGn*_| z)r1dGCb3vaww{eDG5M8*A?gYP=fYpg_qHa}y$3eWea7E=iTkrZ_4@eb-F~d0tW7oK zWj(Dn64TxQ^JQU0{PD;kT?HeY<*6bV7v|(cJg``NR0`)=Nthqwmh2PbXn3khy-cIY zhcpXexkgC+OzM#+v-9I5pls5k)QUmyn*T|I+fMlB#?yX_oE#>h>}Yiwf$ZqTcN5B^ z$EY!iqsO~#ROd75KG?SRz@Uh>2d5y|wg;P?;0>>3ZxOpLDi6Tqn*+vv>Fa^XnRZV3 zz+s162^M1R6$im`_X$y#!HReXtUY-Q3)eQk-49-2cRCCfVd!5+6vrS^*|0ofINu8q z5=Jx1MT?y%PLVP~B6x%rT>}x2+;j55P3HhF&qi3DRN)w_V>NLC!O&US(ez;ng&gHm zbR!|yL!)o42IgcXe3ViQ(&KMz=yY$f0Z&JMzjTCurVd_N$YXt@@qW2YD;rwBf0!Wi zf2HxfyW7prKf(UZTEjf8}D-g)n^R=D5N;#K4JBR`OEnegl=8?&jPab$?L`y$|m}g8( z=g!7 
zL03_o)&&IHb-{TKpxuQi4<7MnBii0!E(bUKN{x-}w$Jj?bvV(0>)`ajQZjDT@$sL#f%=zmCD>(tWpl*N{>JM=pQq$m);?#`cv5m1vv< zWgfG%dUEK`?#@pAp4BRPG_nYUwExC_y1tcqeB6t_+zP)9U1{B%PA#M{F7~(>CaDKafu1c6z3M*I2 zEeBt;2i&9wD33wR8clmn8&odaQ;4t{CZ7S_o;r7>oC z9e~kSARM|j|M^{AIFfSmiP0W&d^Bq0WKS366*P?~+1-8T=MG`8uOT?92yx!d--W;@ z;So>@3$Kt}1Qj_zbpgTj2hx@zFJBbGmhu$IXdTF8G3!7CcV1{?Jqm#4gZ-$3LFZ+9QS*WlQ2bRF0f z$O4&*D};)y=3H7ZC^~buswjKr33gvwDj$F9J1$m`Lu*#(1zNJAI!t&*!?qsUY(i|f z&0CPz@fxuqw`9|02CUn4XN9j%Yse1L|DmDSNxee@d?WtAwq6uqjdPKWi#!+4{=P*; zee%0BI(^lj#x}~P43^lSq>ghMcR!ta3Z0<_}uA@T%DoNcbL5`!y3$2&Bzuf+eJK zJ@pyH=-v)^Z>QWW`Mop9XMiR^J~?kLLL?k)8#X#Xhk%(%J8Ssx+IBg11`=kkO(<5U zFL~l&2!D6Kzyg7oqmJqlE?)(#V%ZX~0?M9&2y>R~N@3~PJW9|Ovp@*nx5zDm{#^&? zr+N0=&<+-HRXWv7aP-kiYxCcGK5J|6A`*4s`~=|o$QSQ6q;a+n9G1E z^-a!qm;Tplsc|5ftULfB#mOxfHKnFJ1u0kpP%;q+t%SI|a`1x*AnsnCfs7RJ3q(*< zo>e7u(d{*QE`k&JnlWH*>bu8Z&VMj#p%2H1N_dYtPLsK7s4mo%M5B%)(bwpRW$!du<0GGgZQJv7LbGql_3Y%r3{dX}(kx~H) zMWzFQYabbK;N=0hbp&2+@&XY%6Ci13Hh`qh08QloHZr*JH#-aP_M`>8g9HgUZ}~>~ z8N>Nd;EqtIlj6ygl;ink8hYa(W+skx4jU6s!zy)z&)f$>y6a0i{OiV;n1-UZbG!Xs z_B?O)0v7zhiR<$vO;DVOVakN1gTuLy9kVGMF^UOHyk(WlH!Foo;d`H6S7P8z9Ip!~ z6~Upw%uIdDxgB;+U7D*ma_T{o8C4~GoY`vxJq!XG>Jdu=fB;dX;u8)l*YQ1HjA0~> zY!4tclL#WjvQc%S31-ca<0J3>hlJZe=ztyooQr2)h@cqHDGW_DmX#0Q7$P?d+RjP9 z?UFxAcLik*-lbP~cIs2Ns&0*0Hy{gYPl5F z2a4<_G1*irTk(jQ@o*biriXElpZx0u^}cs{lk3Q5Ng=2 zaBn&jlBaGHa+hu3lz}^BfZ`1C*-8k5bxl`cUD}d5&Eph5^>{nEglK3V6rL41+|CdV+Ve*v#rD7#^FNh7ej1ZUbm0q z+tK0K0p-N{C8EILH4it-K7N@qQdovL5dD)hSzuxUysE}7fBT8h| zoVuI1uKb4kOL^+M_yejQuE|w$Ozvy$sCKQwCf-P9y-;$Sf>a`u2*HD7d?O6E6u2M_ zSxh|Ti#w+x->;nN9!zVj^n(Y5nil9n*5+Xf?SG#G{-64bt;&NS_0})WII%=Hp?Cw+ z@dY0o{whMTGVHk7u(2f3!?!#<5oArZCP#9d3=|KA%9vUtx<)@1|iSX z+6n5{6=&{(uxlx*D`gFFk59Z+3CZ^zfiW@sy`N#5AN!II5bqJ~1q~m^72tBePBM?Q zU0Y1P24$x5+fMF%pixS@^UB2S2{6(70yPu@)}UkmrXQpVAKC`*g+bEm&#UR>=yC4uQj|$XwEP zXk+68svW=zfxxlbyZL2?g$va2wI)TLu(?g0P&-&@dKq zvlq~IKo#yRg6bSlJPQG|i*qzaP}F1wsQYJneo=;FfDOjfZ?GfO2Z2-l-L#D_sEOVv z{7+)C^Q}n5*S<%rI8elQVJiU!%VkSmP0uEq!gvvvND+^fsLY()&{PUrWR^}oz0x;q 
z5v_TDVU6gdU=a_6(ff?M+gH!(k7g>Y` zhM1`lHnd+ZWkt`n>~(jcJ&xM~1eehBY_ARZ5A34{n8hc?_x4a^(1>_B@x>j^PtEPhGc0H;bD+peas$Xpo-kHD6c-8 z^{NF4bLguSvJOSI_BVz6F*S;3BSV|XyIv*k-oixsyNDj&iAdQH59)SNoY!q~9SvE>!R<9>P5n9L zSBV7)tk+voeSbyg)7YM-R1O^6c zf<;k14XS&2lzb()gq4VhP9~Vh@PEu?8O9&Xr8i&SF0;rzn1M@-$VWKmqe&k(N3`@_ z)M(+2DY!-re0`IcP+nL_uCZ`rIFC$ZQnYI^(r;7*avn;9b)A-p-)zg02c?9iv?ZCd zhCsh}*W_=m5;3+fM=3^Q^0W$e3$zr57wXQEeJ78gjyqH`5|HxAOJtc$)Ev|&3%q5% zt22Dm``_gUA!b(8p>dIUvDjjh^&0J@TMXo#y=-goOe|>SamtQ zdAl0lrt^fosYnCH^j?B2#B#+D1Dfb)ZwV29emL{a8?h@X1uxM`8u)noN8W_x z%1h9c`NnS7*&9-S;``PYcZ6`uunlISBVXr{fOMd?05{$;xoR-+;KZFwvH2x**0 za9k`TF&Q&5hi6Y1BsTt6zDW*|k@yUcaDQZtYaoQIuY7SOns^yJ!UQiB( z1f*C_0R$$ye?}fK7^hBl6KUm%@^O4-%r#{g12Jmq?SuUu?6ItLbZC2A1N|ajf#Lbs zbVo_vW*zZQ(jK}{mOhIfuCC<|tJb#{NvsaFxEnC0An#YG)CmTXp za!J6N{?`z0#&QKR-|NDev^)kEmN@>cByl7L>3~}3HVuXvGvcv6xpyT;2z7a$+n?w!U3J z#xheqEMt>l0VglpB?S0w>;ww>&T0ND!qH(dE}miY3m?-x^7a;dx}JbMap3B~J{n0n zzknSv*y$+GgT6`Oxb?n}&N(R6ainTDxU`6e=osx?}eoSWZAWz3DairGnJ4_ zl5r8pf?Q+_m@FqX2OLpU^jl4ujIV1SL^A?>yxuo?WU#B8`;bILWa;ym7y(BFd^d{ewbA2DkV{X&0m$roXgs*& z6RrpX(WX5Nw@{-B#HMzK5U_z%yOR$^?Tm*YJ!MgqYA92r+P{o+so^p{KvO0r0bV802hnK^J4XA3q+ao_ z**{*l_ceLh+1akoU7fQJOl?y&fuzjTN0mk((N~n#q?tZV@SG@ z3E|#cm<#KRGa{UWE%G<2ohEUtf`AnaqhMpB&`EGw53rI-cEy%>(P|ZD0jXhjqTxSd zt&oHLs@N?7n(6fW7)a@AaKbHkbzOmWLxEZ)0SVxPG>|@chU(Ni`ydU{poGwO%tg84 zX0jD6W>#JF-IC!i0ST|sbUe)e;ha5`@nqf~#^X8Sg2TiV%evU#(>3qSvyF`B3LHZt z`T~zYop8;Jb4Mg@ln!1&Zecr27pNSxMV4=SILjs6xYwABM_Zny5I%OGahq+lo-r9f-u&r zrh0F$Uc5_|$?l7S>AOZE!#Ye+3y|%gmp#Wn)6rAWiYBu4IT64}E2k=XTKL2r>1Tvc zUl3tGuKsa-_fv8eaQ{8E7 zOkoL7vHvIys$YUdAY!cro;lMaBo=(Olhy^#a9VWs5Xo={q=*qfnK?`>ZlU8Zz*-!T z0n@Wk?BTA#xT3Sfd#j}kphyPUA%G&>$^eRFko+5xlM`Q<6P05WA_t#Ih>Y%Fuc@9P zO2b@$20`Ou1VN9O(H-HBZe6a~)wFkk*fLG#@o;?9kDbBYoG@oFzu6 zW2zC$HZl^9;u-)ePMOi5kfs4ACsZOO6oCV=^#O>B?WUjzWWGNvHt+=@Y|E)!Q|lA6 z%FEayxJA46tm&-a3R$U8OL{+$viQ1C#A+=%A(-V`B-NL_#iCr8`Q1$ccYFLHdX=vF z_e`JL{w>@E3QA>$!fdl=>FjJ=# zkl`B}1LnaN3AxGU=DlQ@i0_zE;jI`@qy#{dL=lq+XxulWV6b_EZLUOoolO-MGUK29 
zfSw0=f4~wBxL+}W0G&68LkL<}RCStin#id1sfCEi==lZ>92V(JHrP?OHRpJAb{h3<~#-cW~jObSN zo2Whe%A13`WWf2dkR+Hz2b2hk&?`GqVgR=ITW{l00XY<@V*5Ub=`)0$edPl`-))s5 zOZB)s;}7`wUDN{sqHDUQ<7p!FaTw)C$uuPsF|bYjCK!!wK z7B-E|TC4N4t#6rJHhK2#eEl^{glgjD8*-o7DvfhxKy zD9wTkntJMutx#(9x1d?W1TkeD74=w9vYDA;De;op-~AuSp5i3-RmmQXCa`G2!t?Rs z!CnH4PH|;^Jg}G15iAy$wM>?es?TkWpv8`25D(JC_^fe<3sU3zy-|Ukjwft! za8qEoVeyVYn6_r4Y%2}$3cQ9>zU2zyBcSb zs$;~)gPib+OM;bOp%KI8cdG=G1srkE619RETNsoC-OdB>-jFp1!24D-0Pk<+E_ieh zT=rqTH@u=d?fAzROQbMjt$-vKTEND@0Lz&E^$V%jB@{ARgTP&Q5H74B2vZj|E7maJ zdSuQhz;PHbH-mt|+S(7>v}*)jUc~ltWJ4Ky#pwi3B3^DN&8^FU17)vLH8Nfi?7aSy z_RpW#aVelLAG1wzq^&F8L|{x|z>D;LOj!i?zJi{xjlh7J;y}tHfhDyEFydSuVR!IvX8oN~lyjKd1;ED~Yif?MKTw+mY|H}X204q2o!gQb4ZPW2vQO&Y( zU2j3(*K8=Xc_o?}kDo*nWAgH*H&Dydj@AA;;< z_64^nGCTT5q9>>Tl=P9@wUQ!>U0B?Y#23$-t_1SR==7q~aBiQZ*{PW*LU3}dC}kQDJGQUo*d}n8pk4VJ7tb`Vis1pr% zbQ@>DWV8F=2{kuR<9@vH;(q+Ph=f?Z{)0w*m-E)uQ9*E;IQYNldaJ0of^J5{0@ zVa;iV2V(`x5H~HR-ANnm^&*Z8e36)GiQOqZjgUu3o;tOw8Gu3CA zMKwAT{u>v(>5f3OPT$pUhd8v!Lrm?9`Ah0>zFDAu$@vrX0Zb~VwAIB*o#rM==^gMWpA4}4P~*`R}kbkf0Wj5!GfQARA$ z4(GhpCW4Z=-Hp-+*a|Y|(9b`=P~FB$iE||Bg+%-u_wiHqrjb%qf@UBWlY(nW#3cWG z%@5Iw@PPpa6L)2IMx>b$1PGk-lU=v9JcW-uU6Sb=uLQYfqG@v}&&QZob{I|B?JD4C z2quVZ8bPal3W$Q!=ECI1Qq4i8aBf|-ny;mCQ1mLA+i}v-OP?cB`(j3X)E7=xKj6}H z{eytqh-7F3gi8|xPcf(-!p4fRrz$ZCuU7A!PYG=#=(w4vG33@9q@ z;3_(C{{@U~OycCf`BO$&4LDh0Bb}lQI;6&)i0c;h>2!(RPs$4u#vRFl=Mhk`4^7Qz zf`-+IE#YFI4Nt1o;@DV_Rp^kqVtjyPjqK8}9tniuV`Vc*bL-K>fg^EH`*js!SXUv_ zdyKEEgj8x$c#4@l0nbnx(f!3ln;!e5NJHTT@6k+jSpz({q2GEm9I9>>U1gDFELhl+UjrA}f%3=UhpKvY94Izch` zI(;7;|5dRg7&V)B-vA^@?MxC=piIgvaG8(qcb)z&zqVEKK@`o>5rH!O6q78P&9cm0 z54d;)XT|nN^Vc}q2Pl~t;M`x#4n%o3fW+p3<4wvS{r*eqcM}Qh)Oe+ELWY@R;?>fR;{VLxN~L^n*Z;W=*}-l*ms+QmNtXDDTLAhdlW8opCxbyr&Bs3T z&FAO6Z%7d$i&DXq-X?9N>Mt8NtWW=S)a7Wj7kXNImaE5Pc`&kYpa4rUpmR zN!2xD%Vcv|k#{AKf&xXM*7zn6S8dF`e#c|!3_S4tpe#NBZJf-={Yh}!A3!*Gl;M$n z5@KIrELL}{liD}9VmO4QVHmD*Xl3|fF8K0W`kPg{IFi;8ts(tjEJbaFO5za=l1;9J z#}eaTJ6yR+egP>-r$0z=Aa7G1;aB3F%wKhgsPgkNkaj7u6$!+^H~}V2l@a(x 
zp-Q58w5_6=@2hWQmGq*CZ$pWxLKzY7Ze_#U-bmw+h^al$*)(GcdCBe3C_qS}8`H#5 zj%}3*MmI0rR(mTHG5WvLOf6ZY`1J*M;k>}Gc)frYM3K_)?rfww1M^I3>yXBLhJ zecUy{3o^+7=^mPGwz2C~B4r6HLZ9xc;dLtDh0Pj1y{)2fdOnnj7*Jy*UJVR~5RunO z*;0VUzRL}DF{r0Z_=XxXcIv6dM@yFhXxX^(Zg86_W zA%u^=busmt)GYBi~P)EqHIt|!DZ~I==5YNctxwnqsUuvQ!2JuR^hEFptYK`BB zv6D@*EiThU>_vX7hcuPbqZC*%SK{hrqGA9{37Xn}ZO6i>DCC!&+(cwk{`vuR&ve#N=gJB%5XN)PegXXuyzLR3s|xoPH6q zOC*5-zh9!X7TgXHi$s$t+OTb9=>^`nw{aqrkEm~S2k_VL*pda5zOTX|5et0;baMhQ zu(bSi!WT{@vAC*Wl#m2gdy;-YNm&En`3_O1Yeo(HGzI z4~W5CD!{vfq=x3}O{EP$1#$Hnn+qQnw!at2{^ZjC54eFbHm_m!3M_eNUNs5}kDGde zPJCUf?SA}Nq%<#ad-Nz?XZ8;?qqKa123@D^^+OH*EqOo_gwcE5eOmPpb-zu(Ci($d zlcMYhYX|7E-ctY?(%&hDaD@@%rHsx6rGDpx7zM#__R+%+h|@5$fT|r(^v?>DlMwW- zbGf#uwQvvkErps_zf2{}cum_pdhW(kqCMSUqu`xv5)uJ30+O-9)ZbGFR9?b+1KtB- zi%M>>cOtIgT$Hq{elP_0orrM2-Fbj%wSqu~X(v?5s2KA%N_oUk6o%ILk^~yN`fs#1 zvbu-lh^^*pty#M+2V;C|oNS77KW2Bv_Hx{hHfb}_suAp*aKywcC3!ec$)DP+(98eF z!dy#N(v|s6A$9-jr0G9w^^0uw{AbBi6$#P+KeE``?=&QXrXHm&qex0s!g&1uw}0ur z=4F&+>=|h&uR)IydQ6Nd?)SZqEci7FE~fK)UGW^zjN3aCv})!?v!Wux&Ov+JumC29 zMhu%`>eK{_!EA0ia2*^TeKjLL=NJG}zV>l-cXbtUnyGtBaOT=PS>!ooiW^xsIibF{ z^Tz-PJt74_=+WdnB=zTzU{~oA1#Lsu5Is_3P+`<2=Gg{kR{(Y8@2)umYGwC2d176U6`>TvkoqPg-pbHsRPH$hRJu4vbQj@+6TE6mh(a$Xh62M?RtxXT49 zntDf8FXfMJD6*IgRA++YjLQx_OAM+ju*$_&liH<&jM@qsZRvAsAYrA;jlS7fFUgi* zK)3Pucn+8Y;nJ#86wh+6#$}o-04~ps1zu|0gm6^Yks@P%VnK28e*1Zu$ZdKAt2l2V zaq?zZM9QM|)&!50StLOcNDyKt>>Xt{b^Z8#~WtBt*>P+-U6K6KZ_K3nwv^gU6x!%Z5weAD3BfD z!~yv{GAzc9xoyvo;Fmr{uR{J=bO{YQ+8(SRMK32jvWrr zR^;u0r}p!g$(bxStr%CAqvK2hCIb+0R3%B=!+g1$uDxqvNs^$8gPodUA@Yg z7V|vJWKm0>_igT@ExdRbbk~QSY54MJYt`s~B4!8Z8U}Uuru`}~Y8Xe4NP<8L1n4HR zE9K5yZM@lzg5l%!4#>d)o2oX@)r^}%bi|BLdC&9+botw0iEZK{RQsYVbe43zO$)dlD(h_s89a?SAE*sHJ0xUI(JT^2cR8JIaugl zHHiJ^af$sC&4&Teyd#_^TL<+QHSvPF5z3giH;$_>@RWaJ0Hv%iofy`j4bNJ_F=lFJ zqx9Ry?jLu3O3~~vlEjutRNHGQ+-EOL#X7%;p=Rg-SZ;|;hKO1ph6X!=WHm=eZBfZ8 zsC?|)N*J;P)Ub+Fi!uDL{GT?3vdL}PB>rMD<|D5wDs*g_~04Vvr~mm?jHy7cAxmZ)6)D%wgRMEL$Q zJSY9CvH@X)KH=?K*KtF9>*Qq;%)Yd89U(xkUiyrQg;xe_Nrs;<{F7}O!FeuexsGUb 
z#%cZUkd2XfzK5HOuY}Q9=f(4 z;z#=N`veC)Ol>ja!wc{F1mBxR5Eu>3;N_coQG(`ab<{Wo%VN9xp-oc=0G@ojb72p) zYC!9pz|1NdkrB?ux

2@ud&P$NP-24-wWWh)J9n6*+;htnKF|a{$_~ z8dLleYFIv_gZJPM_|@V-pEZSUdowm2Qe|VMpP~WsIpVb!@r5AzEq_rTL=U_j`wGky z&v(5hbf;mnTT%6~+ozF+=9Ppt^UoRhg2to+O0kV-@|}*P^Wzy8~4fg-e1E9WjE)<$Yod zfN@iMvXU@;xr$ zL;`5nw?6CYuId>Tm9)A!^U zDtZza>!>S@M&rg-7=}eS>!_~xuvL6WWT+E&l;MJc%ejm&Of7V0U%foMS~iVQLF<~G!{ZXj?#Et3OpQ9{qkdE%gh9?cmy zj580GsIN2?-d~bU`^jH9|CO=I#-vr+{aS2mx~tZRU)_47UbU$&&BD`5;+qJ@#r)^U zCfJWL$NK+Sw@ReK{Y=6z4cWhlf{sf#8g#Fw$Vbq$_Q87hewC3(rao`lzf4(z``dst zTi&w2m9hY^HM0=Xp!&laNQUCiN{|viqqynLdOt)fdw5~G?V6SgG)U_yf5B6nH;$a~ zENS!aaBaC4o@kkD`yU%Jf0R_|!2(8}8rSEx)$hZPqzb|PYryh}VT*bI>)>j>1Y8}Q1`!cPq5mcO05Tsk_3Uj z!pe3ryoHRNHWv9hZ^MP5@A^>BreIg6j&Nuf=*ofmpz%`(PGu&Io5sPMc9;!g;R`yd z3&3LQxG*Z0O~^$=~qFe^AO z)w-F`_1VAFe{2K3*9T8s{m=#H$bh8Q#^6Cf`>8T{bpQ5Nx_*RgDIIBA*N3c{v#sk3 zXbxWew{OoDBC=YvI)ULP5<2qMZ3BOB$*oWh&sBXZjG2K@1$R%^Z$an4063|m56H-* zGq_lcWH$*4@U0lbIK?YY0q=TnAb{2gf4IF3#Uc%09vX+Myo$!OQ#The`XiJnC;^>$ zwZhwe73_%l`u640O7lRhZf;6$9Wf)J)TWTWP;Y09h|ejIexoae>Qm)bo@% zKg`N(r{uBWDQ}pNvYu^OR&v9Ss~7TdzK8p*3=3q(h7bYehsK;y__Am~G&&z-+pqsV z0|VTi2f83-7^<1Ucu&L+e^8T{`Lq6S?o+W*JHAmEguD;y*5lxubB{C>`RKDhm=wfY zICVmaO937;PYq_gj<>~}Pm7Xf7@7u=hD(VEhB6gz2|qBIV@fCziW{U9n6G>E4VO`h zi4IN4AfgzFZ_QwXBwI-(LrFjQBA%u(Fc;(JbWteg@_~oGqhs3(=Lo{`f4t({hg;$} zpH>Jx=Oi^4+et|(Fq(GOLrwJ$*r2_)$XoupDl5=l)-V;`Eb#j5qtw{Btxh8&V~#t{ zM|d4A>WPO+|2d=X_jNdIe4vJ`#jlW?7&2+Uyph_R=ueW-tZ~Pr4-Cb4t(12x;I7yf zL?SLya3HS*GpL8AONmrkxLCU@8q=hwl{TE~dtQ%`s4_@583CHy;46eBV^S0kC52a6 zdCgP`7n^j=45J$d)yMd{$IsM=^8axQXCYrGHnDgR%cv zJDW)XW@&w&X05bRP`D8a!Q3bFd$^#;y)xxfynl`SAd#jUOU5=Uo^qgC^5|~ina0>G zT;51-R|EU>#U1nfWe0^PZ^?=^p^9x|wy=j)F;Sj+R-6E3b%z0BnO;{S|~_tJ!=9Ju?`H;@@k*3R#3BHzS| z-}hEe6WxYK4RbVKfikp5ioh4NLY|F~1}Webyz}u6wk|$`L2EYrEP%G`@Ne-2mgM3y z`*|DNN^au5Ce3*?RK_$S1z+!lXKw&lcD?f_?m$jepNRO>sD>BuR+0V*a4_e8Zu-M$ zZvq_lCkci)W#DmSCD0C_Yfw()YrpNVR6^bc#$mkwA<$RL6yrH)DO75U+xp+?3 z;Ea!XJ$o0>VSlWtSe>5-ITH z0gt5ig8y7|1~_jtV9c=yDNs9TdBusdG=2hSN9_fUPx5`S(=htQ!^b^H>17pjWtsc4 zf?f*7R;i;fd=#O>Hz^(<7~$Xocp3R8KssV*0Sy(NZzs$WtWthHZXVWLAX%nPDuS;h 
zzJVX*{psgxYT(f0f`SIoaG$2sAqexpfB-SuyU_BV>GKAJK0sbyTuNn@OCzU)=md~s zJ6u8)GOC%eq{MU72k^r}qCvPuppj{BMIo_d97@Suov_B%qZL^ZG6ars^X@EYDc+`D zN@^vByXolQmO-ArVhWQOq8P?o(&E9|5tI+cRjY=uacRzBif6USGRskaPhDa_S9#pm zkglnCa!;H~M&=2s4J@)`OEkTd>@yn6h>u^8xb7^``iVOwLH)!jl~{*9J@F7m*;NFV zpV!lfCnwd!zQtTfO~EiLv#gAtCFs#=((&4-)$yoBa)s;Fp>*2jU2Ik?)c1_;c;?KV zkR?Q%c`nV(2s!<`oIKWWG52z>0D40d<_ZsY(UV-XOg*b>aeyMwKvXofl8}0*)f1>3sA%c3Z^H^dLv&4Vnf0gy2&LAoX{W_z#WN0%#N~tibd?T3IP3nF+gQ-k5lI zp$e_)w+QdVfakaJ;;qsG>7r!n>?5Bj6_jSc=p9=J_(RPLVDv`sy9UBdpvvW2ct8F& zN)i;|OgA)cn>@z}tTa)4UieThraSMz9g3s& zT(qX^i^qFxCIW7Y!M>Vkwry0MVxD4e~4okk9C1n=QCx}kt^RMgA;MS@T;rkkvQEQnkPXe%0= zK$3K%%fg?S7$#7A*O5O+#^kCK9i8lD$H9oBbK^pj zBrDb^JIOQyD#DaavOx`}lwf#VuOy6V7OglsBbfM*QbHwKRzgKR@1YVF{BBCArb4q;xfMzTXj#LMTi7^&R%8-)e-3K^KVyX{7 zIvX7aNS);|OejK0>1O3_gwPr*4oMOe5N;ZbN#aTViMHz`9haAhI+xn~*YH#P#PFv^ zAfXglc~Jp%`DpsCZS>{8Qcp^j1%Ab-+ry3j=>1(0pwotq1xX)p8Eev?9pL{Z$Tha# zz3%VbGyJnqbf2N%;*995hR~*p9LAH`?~UxiZIE{|pem6*k^P&%Dd(3F3~weX3C0C< z0Ah-_Jf-MBk1hjM^E9Y9G6u=Ml+?X7PtFKteu4CCPkXuaQ)M>%&44ny9AyVLKA^Tz!^!+m!uq_6z+Tj=u*UC+o&);bde&6unnA_NKmi25?|3o+LR~`XdVMl z=!P?NbW~_$FpNTH!d_TGq_$JE_D3_szB)+^AqGb1xAZphziav%| z=Fpbp9SwSN=M-#ELTu24lBST9I7an(dca%H4r^4+f=oWwKz=u>Or?;do)Wim8SRp! zUCZ06?al}3Lz4UqN-5oVB?m+-sR%ksG!yMm#vSD*BqKBZ&L;erohtq9h~Pvx8C%)9 zk!5$X95`m^Zj{f{>fgo7iY4LMoj~%CWFrnPuf)~Yr>wlf-%6fk z%0v73(gBeVWJ4Se@joz8A zsNv!=W>F!P;agp$6q<?-{IPZc z4P625Mu7dj_mK$I{Y608+6rwbmet2YDz){MsE|qM+p9_e85vO~0^8#}xwz`D?YO2j zn}*}X&wq*pBz+)F6_s+wQKg^Q<^uX=(rkM~>Hwp;6YLTj{@H9vidps74~oHs5&g#_ zr1rDIepO<97QaJOtn0_ef34gyv*}myQ|R*Pg^Y9TqGp20bA6HCjFle$_~AS^3`~xK z;$mzm{a|myJzS3TBndBZAuv|jyIw858BvSt^8mC%D3H2I$Aep^WKMx!eSZpo=2cwo zYzS_)7s$ntlNw4H$1`)KVIb(@zi! 
zBVGH)e?VAB<(&7uzX>Xqbn%LiK}+xupz{qCY6Fs=9k2}~V|092JnO~ovfsd9pYDx){Q{t8gNpa6vAAHJY zEDuc=GSJ24@#|{gc7caefbnx}PF<$y`Nk-S`=JnrNq36$6BpIAYzCQt{*|Z+$zTf6 z6ytl*!NX38B`W`C9{<3;w7q{(<3%4#Ea=@95cmX63BQ*rgv_GIn29cob5Q22Fp5wq z{wwcIY_O1_pud1(kucI=1S}?a#EbTTp?moQiOT5G=9t|5 zfwZJE*Weg;-rH#@J2TmMAxEzODNL!;L>YNrDF|ti8q%Q^m^M>Ri4Z{-b0?xUg*7^l zFGYMb1qnGOq-unvf~OY38%^wxSf_>lEg{t0DuEG|OD5<7YL_;ll|^}#Mx zf&&VG_|y|Xd7;m90Z*zW3Z4uz`472g<5*SeRFR$Cw|@~zL!0-2cHk%jh>R&(fWAH8 z%T}qixUTEWsb4w>uTiy!Nn$tNS17%cK^^1Hj+yjhXdZCZGCl&z^#3e`pHmQP;&)DA zXaHI7JSiSlcSlSk(T#NT3+4LXo22^Zp3+{TP=S51A*Yf=cEMRv)#XF;r@fkt#5w$TwE?*?ef}PgJaq$x*Icwlbo)b<&1S?%sQJR1f zkuonB&6H}T3RyON#WFGz2|1X!b7hKJrzm6opXQVG5T3vtfR;7J04JsJ?_-ztg37zT zpj8}QAjE$D!+g(ukIbt4tKb0^RLLNlh zias$c!m={BXxV>K*WiwkE>aTz9X;|~Ih{j+lU;AIn^67W<( zp#jWs_WI0_R5u$M>Uc#3(ypsNZx;}P-A3d8uouyg;Y9x3gCwy1>w4Yf9zR(!oS!z6 z)gQ|RenN7;*mpg?Lcp(y^9MMN5LdZItLMf;tns>4QFl>R0ktj5)4jvg2@G*{J zG6Nr^YMMpqYm>NiP8y013-f;r!7}^n7nR&DleTk5<=-PooKZ+g51tc>o6JNpN4J=m z5<>4s43O)SQ6#uN4YWkf^4zOfbpB@fXjn#=2vqeaHK3}W>-?+gwm@%JH;b$-ZR`^Z zcY+~jJr=#7s+j)IK%n2DnmFo8a>?8?MT+lxVtAg0ZY=BN6l=nna`7puw(@W(KQGG2 z6;7(8j#^=uGuycZnAIDxKz_3`XS#EjyF#o(hXi_h*gpMAngo!JGFlic_FnIH?e-HtcGK@0A|uW~0n{DlJkN0izL5@B&*q80Zzf05rsdS871~ zxK}fPHRN;w5{0L_=KjtSDU2qu?;ETdHV0ykf6|8UAKbs|ws9$F73Ov8>hg$0Q}8XG zF(K{SA2QsM!EkQ#=EtIHe~p|F`s+!}nj(Cx_eyl{*TbN^iKb z2X}a%Fx1pHR@JU(o1AL&a3_q9;iE^+ar&pTYM-piFbdM4p$%$*_t@ya7XyCv84m7m zl)2OXIjo!wIKdB+F+gTBa2PymrVk)M>pk3J9z z8V;2zBpSv$TvP&DR2b+xBqf?u^u83!p%1)6s?Pqn9mW}e*mAQR)%;oPR0UyvqI2U@ ziS~UKRFbEWKaB1p0I`1_a)?th3K5x{d{Wsz)xzhE4W{P4#mryvC`V*pcOE# z1@?HUkfMKc6mNOrtm=7o?d+CA!NWpbMbfNQ{dV>6qjAH^?ZmfMLiUG?vv+E<{dy(i z_e5^v)8=n7M{%yREnH}CFXwmdvq#;+mNPP7@mKfjus3F}dF0t<{`u~6TgQ6s14zx$ zmF4nvCp<6n`3nruU8~FGg^OpEHRRS(M{jg&*eUE;kfK+uH6vZEnQ(>OwUu|; zZ4=xYo1=1^O*D_JgXZL>=@G5hS=(#6{G2}*r!BQM+wlcD=()sHEeyf7b#$_&Vx6I6 zwUL1BvZ11a1KUl)md5t{&zy*S!>z0Y_DF+P>$$d`K}G5Cqu-jyIB>P$Y&S6S7AYSu z;}~LAIGe(1?=&G(ymX!LF(ynYi(ij6DeN1$N#Eh#Yh0bQ#l4^Nu3^I>Xn0qoam9p= 
zZN>7k|D9&!dCUIJm-$@3AgIYX>+7)ID<_>pzTa&}?i&L6pNa(diFX8)kF7JaUg$eN zpR|Z2I+uebWJFxrW-?(O#; z7VjBMH1Y)%Fra*G%EzQLP2D=P)UiE2-7h5!x!+}Yds>e=Hno^|gk~!|^p^Z#qGRm_ zn;}(Bt5^48RE{8X{H7^CZ+*;X1AmIrT+Y7yynEfZc<|7%PJUofH?6K=ju-YQ9`q`s zD`{Y}Ts7<2NQ7Oe)ymKY_I^G)T_>3})oBLc?37Ny6FtMD_*}l>LX+Q zRt{+ykXEZPyQ+|{;cyEwYmk-`VD04Kd$LZ-dumTweslf9sWCp6`PMM}YXz58ql|rO zN}8tltd0yiWTrYS?#H)%H%}%l3O9)jx7_>KFogU&*MR*4xtgWDJAP*S%>IV%lrw=E zGlX&1+KD+7?AnO7iC+w*i;tsQH6@j<>6Jku9ZPdZh6!c!5YHv=eynl5)`z6Mr1n3t z6=#>X9`vW}b^NpL?>MqYIGpExc&}A{UmA+j$06a(_K-Liz0Sz%f_&3*pyv*-Lh>M5q? z8=n?!X`@-Az>3t_bc0$QBq@auUojBE9yJ*}s>>Ay@!#WTpq2lws;4WZbyxS|9~F8huTe?-(&9efRUZT=|Dmzf11Z zQ|R>Y=yk!^CfK=Yf*Q+$)^rqODiS<>D|{RFB|h&W%&4_-jlJv$m_lyZT#>|JN))+Y zTU*<7{`&({&E4$lKS9eY(Q`*hEp%4R?UMa8?$w|m$b)88nQ!1)t9?&sen&=r;8X7( z7AVlS^?brk{N8fM+O;0i^_eHm)NfWJmV3um)hFcsg1phi|rEe%ePwfZsQy%CjTQTJq+LsE z$d;rxx9QP@&^E_sxqFY8ZHWzi+0Diwzis`(vIK!^x_olQKeqOLM5}2< z|7Cq-Gkd=L2@R&Hw}WE7m88P2@CYl7L4dJHZ~hx;Yhn4gIi6vI_OD7CGL$rv-Mr+lLoFdidkp3`B~G;AXB~qkMncq z(+IVQky%!?yNC^I&3+5}fj!9sHbrr&5bbtklWi0)^rThg*@D89wTa8@Afl@|SDjHN5@f zlnl!Wul}W71dhZC�!hKg%Fi)3Ag;v4RhIrAK16D@Ms*+Vy0WI3C(;jb+yul2X&( z5Q+lfO7`aGw%l(xEj$I>E#J}@TRq!;R%W9&!6710(KfHqkAPI~1y75qjGmJq zF=ur4$9`KqCZ^^@cEvQwg?EQzOBoO?>Al&lEGFvJiv0AUUCV-Hk5b-+0qN#@f!WorQhyJ9!EC6?6dh-gnRR*wDiN!zYLz;<4Y#=k7OQ4wJfVnPlRk! 
zdfYWj!R0O@iLZZgPd&04(5ect)@fjhPPH5QUauFAG;6a8sFu&Ju>#{~tSaQ$Q}xc< zs+`-6M^({JLofKqnrT)M*hR+Z8Pd2r(uMn@(VR4KWgO2&9FBgx_Da9HMJ1QpD2Zy( zOH*B6ZI>{q-qn$HrBCxX@u=K{B~-WxjCmti;y+A%olPfo(iF(NUBwpx70?sE94#$3 zZ11=JnHIVKGC$uW0?d*)Jx&pPYF*oDc&$JDHuY(|kx=$e*^?n>P@;)Dh~ddNW^Z|U zQMO3}&vSgQkKy(EJu&hVp) z^y2tqe#}$Rq_q*UCEt}pdtXgj?Tv@MTT>bTm{V!}{Un$5k>a$(%qY}374p);Sn1+} zaIK_pJB@|yB+cmq_Yd?>Z&qX9oZ~E~g7i7eYb82veSH3kVEAZ8t>mAy(}1dKf63fm zpD2Fji^EPWD0U&-*_;`%x)hw97@O+nJIS0ban)^*A~U3ed)Az{Y|)6n+Bm3(mg8Mb zS+``Nbf+BSgHcYZy-#>m=NFnpP&qq@!xN%CIz0J?wQJK{OeoCTMxtQNZ)*NTlvi^r?xX$!w~PyA?p-- z^%A%1Nnh>Kq~+IP=VVXMcuq{z1;M#Lz~+W4W=3&!HFGShd?ZWa!-N=Nr)${frQ=VS z$?9!1gyBLT-cPNr5j_ToK8jpA@dVe6XL)vrKE19fH&deoefu<}_Ti}qZ9I=82aHi? zrl^Zgg@48X!Vz{@7mkLQA1#e9k)Aj^>w36VdG9d(Il-P!qF7(>cMfiPcS`z;Z)MdQ z;@P&+jWPQ&_I59qx=#3`y|!LUOaF|8+ul)QemShw<_}83+0DC`g{l|T)CRjZi|O)mo8Jaik0uVsY3RKjO*l5P zu;r!|Ej2>9x1TyUg+v_rxXBx>XV}ai5Z+QWd9W*eH>YMl{p8ovcYI~PEFl^}Drmn()eFe>t)GkG)(6+Vi;Uc>G#ycMN`Y8IMa@}89nKVm7 z<;T%@elvVKYO;?Yf88EnpL{vP5Yq1<{d*q)^qHK(U^6IVgDUFh-+7931P^fJww~w9 z^08i~;-2GMrF?2BLpzuR{9Il(zuddHPZU}DaNG1qQYud#MU=X~_)G+L27_BQtptX> z=#P)5+xabsu6N(RJ||~9XFU)6;4kvPNRL{0UAzW8EkC%~C$>G?HM#9$pSWH=#p%gy z%~SLa7J9up3Cq`(JimZ1K&`(YUDe-!-({4{CYo0uGy>Hf?k^4!eESvjmHx z-2*AJe{nz6Oa1NmkX_)_EGL3$G>#U-UdUI$*dJR%+&>cp8oO5i36^@{e8l>C`I0<0 zyB2g1UUB}5IXv>K~N>$M;AM}!?rIme*)=jBlxluQlr zRq9k?kZyDKE+Wi%w_^DAx;wvLnk1h=E4K!c2gc((+cRrnkB?n(lpe>mGw8h#Ufv2E z9qbEuzUEJSjo;1Q`EJ@XtS!yCq#n}SKVRbUd3x*ub(TGulWqMEQCRd zv{HlkvO`uGajc&lNpo^gdClyl+DXD&7?;B0pZ5vx(>Qfnz;BsetqZ0!Zr~JP#&Yd! 
z`&vu$WB=gQblT#H)#Y^A^S$Q8z1riwR-Yrauwpc;p*HhSO3S)~9O+kKf!r&4+UFqL z$@BL0HfC;r^+&sm%Jo*MP>NeyuZQtF4Z;!KSq6rT>6^u-CUu5x>{>ITN`VZI*C)N# zYW(T>(mDOdA8~m_I}%0g0<6>dd1^P{>6ynB{=2*R%r_6Rh?o1u#s1UDhKi(f?5pjv zCZhdrE3nRswPP!{UecVqnz5)zb4wv+{k`mqd%>= zpB1inV_F)wb80>F+6z0qJMzllefWF1Jt^x60y}E+PlD;FFy|yjHH!uE7?z%-dtF|4 z<~dTv;`FSsB$n&rV@no_V!s==@@lnbuubWg|ZWG?rV> zXS!$J%^R(1RivnaK_D)Yj^hrN^Vg= zwnURfr>1Sqb$aXq>=bgZIb4FH--ilQ(;Myo=DH?jrV_6=G`*y)d%b10KR3m=^p1{P zXV%Uh|$w)k<7pbkH=YQ9?O)VfCV|QZ{2S5 z9u802-#lV->!0uPWx)r7c(N3=-)8wcGf`T!t@ik$Ea6kBqby#@ty8kSmShd_9~*}k zk32fo*`L`X{xmIk^1E?leuO*<**1Y49xfyIu-C6EqUL57Yf^37gF-z{ zKRkAq>C&4~FqE7wZy(2LL4&WC!yc8E;=(8d+TGlbYk2>>yfyY~T&W_3H0ouRyllJ9 z9^VXYHRx2660q4 zpgmM|yH8|+gDfPX$GF66SDU@L8pJ05a=)HIaeO@*6<3#*w+cFS%Uhk-IvaOCh*Z1X zCPq0zaJUlD^1e`QLbrvC?`NF5+wOjRRBg$p&9fDW>I4J@2Hk`BVWx!rORXQHjl4+YXTxYGV&usk@Q%U}`rdFhi5GHvVj?fZ+ zc32a_S&^UD<}8o0N3a+6ihVk}Fj~HBY>_57OQ`5~XJfgA{vw-(NOehRVYrxD$#fvf z8ky7};C0;25t)SPihMXtRNs|zuM&VN(a#X8)-TZRk$WBbEhu!xdNil_G*Tqzv&O@g zEeDYyopr*|jR~Y4tebh)ZN$$t8Fo&OU1|&Qesj*kw=h%A2^o32u;f~1?_Tke)a85G z{QcA+(ns@QeJG-+EuxhV6aV4<_9}HMcj65>LNd|ZtK+MZT^o=vpxwhitn;8jyO=)B z#L|<|x^p{Z5JJk$uF(o>zi0c(pnnAeEZ*2zCSP30pjsRCj^Bv32)%Au&!b45+A4IG z|9r>)LOtu$zVh~GjZklPnMhbpi3)Cww#31xz=8?-N5sCoP=L^YL0T&24O$jB(`p?v9 zUw?t#$elO)$t;=)R1;V=wt6kwY{Vc&k}B2|Q!xjLJ5ZBxOcqe}7+30=H`<>At49q2C) z%_7AxekFUj9Z#AsoIO;`)p&%Mo~EhbagTN$L8caW4-H0e zspK+Mh+Hs5`5=mIyxNQhn|3p{VYhc~4bPhoR-V=BDhQ#HY>IKE&c`k7rSdL)Kb8cz z+?=0}_T=Ame}vu(z4yWq-`@udntNY8)Y zPhqUE-fxxHY5ekk_TqlK-;cWI(hi%|Sbb8ZPh%n#&~C_HZoNtDjP0qckNVm=i;w^0 zU_Ud~r$@9}_Sq|yh~0aE;Hf|#TyNg6%WI|k=5{SHURSG~zH%gT;=6G`JZDh>MDbL{gBA1z__0*3j*v)!l{PlR{t?T)eTIuJ%PhW@^@Ex7M zr@7aDzWZByL(Tuvu)Y1`ebrf*6j4^O?D`B3Z?K=}LY|na2OvmTr#}duKOTg5#8-^Y zLN0gQ+)4OqwR#_9W-Bot`SO>Sp5{VU?jbAiEK9DJrSSqhei}h`AKs|G@qzbuPCM3h zLNE01E$wdrE>W=IxQ^oV-2!9`qVpH4h>p=n{4)CHOg?) 
zdv<}DX&!z1^D=M3WA=0xs!cyOUu!*kjd6QkfqfKkwVXTrm=`m0@0s;F+oC&n>^=|i zs(rANOC7HPZ*V}On*Tq_-Z4nGpjj7e8@p}W?%r+Nwr$(J+qP}nwr$(J+va=scV;H$ zMogS@V=AI@tyLLWSy2(s`cawnq?Vq&8&CZs&2s|BK}A*`-eJ{yqUAbn&fM7-;Nn~9 zhOcyn%GY;a{?YTry!Y_e&+^!jS?ZF}Cui60s=4_$^DX1*#7+{GZPASFknUU*`}5m> z^5|E5i1Zok`U*~4yFKf@R)QPRA77;ThP8X0arCb%$v>_y?&~I++D@j{Gz|}3_g=U9 z>vHh`M;U=@pFSJ6us<}Oc84eQ{MQ~mXMH%HJ=dqow^KduYgLE8y}zGQ)N1D1(r5n) z`L6k!MEi|4ZTN_5T-=V;`ElF@J;tyOd+X0nPjpzBeLe3*^7nBKU$HT%TB7z=uF5tn z*|6E0*J9S>zgOyar`B97eEB`9@x5=AjRZEU_$_6dcJzuR;Rn-W=Vy_^;yV@z2Z2)mO^)@L}k! zRE_^3m zgeyNk_ni1$gme3=0jtTUl@TniEB1@LIQac*f9~zvDx7mS$u49w-iYK^qCP~) zT&FIkuCB8-I=*gKT>GZ$*3QJ6sy4m~t!9Io?~Zlbb83oLxo!O%n(Z!y*H#v;-1JI) zY5|XcHusj92x8sO&u^OY_hxQs96hwM#tNZjEOS|-2$sj~mgi+u5NviRS_AS8eSde3 z{PO&u7)N%MYZJ7txeL3GlkBVRrv^3^7Xm{n{R+4XgT0?!t6xkt?h3!A`S`@a7ZNNa z=L8pRor zuqFFt+PYIu9nSp5tu0p`n)RA~9V1-rUgWHKgE;Z5JTryv#m$VAKv@zyQ0KsS9|bYYlr=> zG&C9pr}S?ko-7@2%?eS1mI6QvcQn%M0vCm6i;<>P+TtI`nYmpQ^OWgLfjVr>Kw_;z zn}g&#NKxD&AE84+C$vh1*RV}xx4Ei?(Y#V~0guFE+wmBhCtYu|F8)JRwqWg0(ARTs zhGz6t{`XoYG)f$cBTCc1g0piXGrU_2rWwWt0Hp}sZz69)6y{S~$1YyT?H*h5i6*Y3 zqjV+1mNBK%PAS5C(u^DA8*TUcez3ZZadWn?YQ0^Oi z&ROkZ9)@JoU!74-$i1;w$Vrdl3-%*=7gF()sO7TJa->K8nZJtBqt~AH82w?Tg)rk%|a3r z?9?xV9PDxQ6=}^GV30%tj=(aeSUmY;E$QZSEsLw>$5G(`wDSbF8Dhwgc$)GTBE#f1 zt+W?h(yI;`qv05xX>=0!!x0!#C8x{uI-jNdQ^Ijwuag8lj{c0*LhWKK$I~y5Is!=4 zwL?k);lyK`T6<2@alH@#?6y+=Fd@=vp!YM$q~Z7$sP}OCm8$iUswi-??zczOl*oW; zDBap$Zo7x(9~&M&Z_;Odd)`O0lFBF5kD$i0obL&<5FBGktQq{g$?8L#p!p3ov*Ib$ zJOm~W1MJ-KO1oIHvj>GuE^u2as}75VP^p}}+1jIH)DeSbmxD2|-A+wV@0O;@*riB-Qa61JcW(K*AVJ6ho)+<7*xW z;o-g>?!rJ7SotYm z=Fop4kNMbUZA&-WD9a*)e8A@1rJOK4q;f|<+0gkQXQ!Whmn5o}(5|E^8u}=k#EJhP z-nE#b?0Ge^dV`IDmuQr0$ZVr&G`6`bAx|Of#~~IBP zFhy0-inHz#{BHexD#C*3W`$D}C)*Ll>o7f~YU;)AHnRTHU866h_dh3OlW!lncNP9f z1B;+z{gT0`Gp+Z}@EV4*TXemea(mAhfi^x)&!k$vYX!%!;8Wrz{>!(nGqGs4zcH#8Lg1EZX<>+P^ib3|@QbgBsZ7u|fyH)|N1`@ot zdp@51y63zjZh8{QvR76=mg@voc*FWV&V=FS$)FvJ?~4uJGO|3+{%I_y{!GnhMZP-N zJqN8(Nq7lBJ_72o@jqGcr^vghf}#+AnQD5M)a-P}@?&b)dNFSobgRjhC7E@3{bs1y 
zc7^nAQ*eNmj92L%Unq2TM#s~pwl!$nA(!Oc7wOUs)o|)|#e==ci78;83G7dt9AD!M z+MPh~OQ*~;)f3?Vh&Yy(@bs*TJ@GVKf#G?u>rW57IImj9`Xm=jl0dG$_N7;MB1*wC zSpMv*be1kQTPfiZ%4bF2Xs_cTKT@{G`~&WjHO@=u;}G*mOy`9#F9dL;3kggoa!Yo*?0r+rSd_E^*a z>?-Hx314o#{{ECYRvDCFnnLxR6-3I2_wMbOHtxa3+MP-b_}FoIR{vazDm*)H8LQx1 z6IpCr>9iO|BHfBcyt%(nUwp6Ax#oM&cMZ$D=v&=(1)F9ezu`t%O;|w!Rcka7H}w!r z+-pexMGM)S^g?^t^3FnB1rI(yO?ckk8aT)Yut_rfNFLBFG}edL!f}NZprlu`*#6Wr ztwaM+R03|=J5RHM;W@;9Zd?WIBG7pTT!=m)D7j6KR)J9PlOjmy=mY2QF-Y51 zP_bvpYMnbKE?&I?ZCSz!STxXn=_U)-(M0LC4!vgP@XOw@VxcFd$4*n%ll8Fw`pAak z%83O!w(Hxvb)Xv;DfX64P}HKscgT@Lfy#!1rP9HT53TdMu9IZ`28cc;3pF$Ar%Yyl6`kp(@n?g^sXTVTNE8(1vL(tP&SeOR@;l3Ib=0OkRn@*I1rwBPihQUA z=cFa|aQ^$<6Ek#Zvnj$VV!t|<+WTeRY`jZApw?1A!I<>Hk(pZ4Zd=+(iNZDPxbwXx zQ}_4u1>p*QHAz7rhTCJ}{oZAse(tUv*DB8DemY|^f35wS7;l+-D0WV}{hLxMv?7t0 zl3nKc(|DGdWcpl%R0}Q3ZKR^i?PWfDCn+DHhhG^6+hj9uk^JjbeZRne?tCs9p@s9~ zRVJ)e5Ym5(6}8s#cA)4UPnk8j%HozO0D!;WNA(?@djKview8X`7nR>r-l1Sn3cpoa zpdksU&khm10`6f@mUj7u!7C|=dT5n#Pi&k2y_nI8i>F$cqzwHMsMqh$)k(+X5!$C+ z&-`Uak_*iHh*1yA9wXV$|Kw~ie-4AVjsz>mysW)!D&bn``Q*H8p3Da^`wN?_Dd_Jx z_{}rwvyaqKw<&AyeN=4h(VKrgcZG;xc$BPhA2oKZKX#2PHq3~l4q4}5T&yj-O8|1{ zyn?gFKd*~~2I}*aOBP3E3n{iwuwNLn=a4(4XY}8gg8&e(9Q6>rv6Mx5G^}U+gVxSI zC%0KECC5T=#h{%_Z6|x0ZOH>x#?aKH^4f_7Es|T$#3Qrm#37*=)Jv$ z>UoqCGuXSJc`%_inxNSAM1iymw$B~8F!SKut`+7kHep*?aQ=_;F6lTSy6^9tvWqx} zAs_cYECKsDc~W+$qbE+6mTuvLvS+n`hX!u!zODq<9XOE7suOZ|0Rqi$yL`FjgkeU3 zVP9Ev_)ZPOf`;h?E~27sqpU>R!c{Mi=v9kqyh1QfkFB>!j>ELeny)l zV@lCng+IWuB?OO}ahwT~_!uUWJrK%2Z0Rs{11di7r88>=n_lpxi`I;`eGtm2o@ljo z^%N0x4M>sy>1Vr8U7)IJ$-sZ9zoH}_X@!;V&szIS`JBa3RC@(CfPM-fbR#k1>f8ac zYT}I_s%Y2_c8~DCv6qK^S@D2UgqAdN%G)wQN1#b_75m^gt;PXT%6HpV4$HjBM-3(d z2h9R1w2Z@^vj&!_Qq=W4)dR{$xm+1^wwGC)B}U$e&nr(gSd%V+P$RE>gm!|F{R=sr zc;&{L2bk!w_c>ST;50ukIAe@T1C<_xhP(wPyv@#0$%kDIe^qE$?+Np}6@1siuo;r$ zQC+wB{osr`J;ow0KoVUR3KOXFx2QS%a5rl)Q!n2v9_(ZXgQ^T!)7$Z<1PXmJMz=ea z%Snf7`zsu1lt|W|8w4&t9ABVeF4?S+TGCZ=4&$wk>Ez+F`Ck$LU%nn}Ff8#`qt19t2_X5Zh3pSScWhnXUK;qYd 
zG|C0yvUbNlEIt(|dIaPM&A@Ewi(4gh98SYOYA>uds^%z#eP{&(`OsN=Cu~S3b@Zk#0RspH73(yc8@qU}mf>+NuMCh~dNd z?&v@B^L9Oobd;nW4++tHhoX|SB<~Li?0!PN_ro7EC|7NA)q8vme#MBX#6XA|At-*r zNwn&r)MC{GjGy6(efdfOmIMq*q7p)qJ z|Mc^z3f;CI?+M+GVyq#0#dfOu{|FEftN-Y&$G;`a*pBstZ~k9lLin1xY^(*h1Zvc@ z2O31_EMT_r@7knM(nXtxm!)6*`YN94!w2O8BA|#{=G3uw}+fZKK2b3Bv>j7Dn*vIl?MyCNu9J2LWI~_fX5Tw1~fUlA8#|FDNv$7 z6+N6baP!;6K|jOGW}!iHz_sKu2W$-5TBXt&Vzry_M+7w-rJNx)M9y@GmD1&#m5sGU z+{aMSF|&-#8ocU2ULa>X?j(*^K_)czS8D?rPp^O^f4{qBnc_zZ+zzdosKkIxNM|c_ zZAy(6s_G`#;-nhg2lgC7CR&XOZnJED!(oclQv}0O8RjFkR?VAZqEM^U3eCbem_0SE zPaR=C`BZW|ni`bC#^s^qN>-VweU4g>uhuiz7nPoW%r~LwqCV;AlF``$_R~Z@auKf$ zaMcC&HI>bcBrw;=CHjcXurX8CpZ!?~GiQ;DB&IAn#!^%#mPMbZVnPS!VW1=s+u$Yx zcD#}aC|zKeVl@;fyjV~r{YwzZM2%L8r*=JUE-E^~+l@ygYJesk)UJS|J7<<=X9y`H zt;wKeYv=oogwjTA5^~6`rItnl|L7{%0D1UI6vct8X7HY*2U6OF{SdU!m&ap8x^8>M zcf05y!6UKuxV{f;NR)kn$32~mo)4@x#-7l{q4s+38@iog4aUZ>G{0&q)1kD@K}nwX z*7}QSi^Et$T1xP6MjDES<#&d$Qr^b$nG-^v?2AWVj%;?0H7gDeo6C+k5NuWHO_t%` zDC>_czxDwSl+^8d9x>&NX+24U%$J z^)ckn3obJHO>L$&8V_fVD5;ueF>y2(pQXy6%A@s!ZA&f~Q6(tc)Ofdg$uIb$%d1xK zYOp-z*NVc|;Btw`*m9d;?a=0bP&C$sVftjteL4mj19o^!E8{(tmWe?_!&AXlA1kzJ z*4t6OP?aIR$P)^E&`HMVI!<#hm35Gh>aMZ8D@R}8PEt!%O6o;Pu7zRRyfQc4q)%YC zxDn!y53mUTK3HD!Q6D399qDFoWC_tXa^H+@kh&8zjA?H-`6N~uIlt}18#?Fy{B0K~ z3NOVI8}2S7qJps@P`El`nKEw&r}2T7naoj)1RRFkY_D~P9RauX#4gpX=gRC^IbBb< z^@%y1r+&Ih-dhYkjYhyBJD~WIc=g-z?<-4*J&COQEb1sySq_n`#wPg;=y#yaL|KSl z5o;~m=O#wGBKnv`fU`g=4m60&{%3VlR4@T7)N7g*9{te1>-Oc2(pAjtmucvHI z+bQah=0Ex6X$@A)iEC^8p(!KcN}j=$B$FdqI!o$YJy8Bn(uVvSsI4iPB~><0tYDc) z9@@N;Vg8hR;7XbvF+8v*PMYS7cPJT|@Tpq?L7syaIDg&BUqUCFNB)p%+dA9QEsjSO z9h8?KRURY8(>Up>=NvNo01;MYM$xi_-H3Dkie@0szu4Q7{jqgX_Q2Ue-4o-;vM(A!UiVQlHFme zR4czje?4FLk%>RZ@ER*ATOH!r{zpleCj}}_yux}`hJq1PD%Uy{C0KLxZnw$2YgJAB zMNF^tKJI)FecW%!(GL$Vb>|=TJhN8&<(yG@+Ivcm2gdv!-nSC_H&^B3VG);R=*J=0 zCfwK~#8gPw8PK-GzCF19Qs{MF-Kpud7GNZsQ*Cvdz_h*lO15_=4ghpV8;Kts`cUl8 z-%FSB_z(;=&#&ocx^-HNF8e(ZaRqsOL^rOD08|}MuDuGn??R1>MEx}@faVHPPMz4S 
z;jsr@P|Pp6eJ;5RK`McdhUituKX@TBhkG_*eDt-Nz{Z|HL_raKzep^s-vp^C%6)ed zUjH`ygppdbVg0YeFG2(GI zSfF)~C9I!mI=Ov#=Q!qhOY*G?!d?M6=121gmO&*J+^@||IE!pUATu+Iriy-+?(&p_ zsyFg&S-49+@8|?EcuZ(Uo{?~Z;ZsO8A!io?0@26Amij{1urT$6z{5>3{|Et|e0tvI zXFdI$l8%>LUK*izLhD>mT1bzV59;UNW}P!+Y1bamZGj=s^&CesOR{&ijJYba=+~|X z9BcmBgU=rdoZPJKPU84Ewi=&4NrH7KH{NZv|1$hox+S)7EkBMh5an8Z|E`-%-ZcIp zJ7IjPxnR~=kyQ(_#mbW24;~5QY8^Q*rmA}SILi=H;P!&9-sf4OXf#%ty>edjVYc<4 zd?)edY|Fm%4r}ZDoc+GDnL={J?FmM#t8dsn0!4YkwYAD>#IG7fW4XO(Jpn)M(6d0S z5t(ZPL5Y@S?Nm4|&%RJkv3RYmV;|oWoWvL8#*8Rk^gy-LMkWkN!29PBGj0yks|9*PNe_AzBC1pu@IhJLX zQ;`2M#VzZVhxn%e`yWlA{%OrDZCp&9oEbp>%kJL*5XgVTzxLm|#QvxKf9%Zcom?!< zJoW#tZ+aIGmk<@{T1-x;?N3zsN$`FHo7D6<-oiA=hvI1*stF0_uXtHClIO~mYb#|` zQD2V<( zeZaladiNS#D$=5Vkg-~+lV}6(6Ucms#6=I+ewlLjQiv%qbnQ|ISV?1J3t+fP~?eH7!m@i{7Fs_I#WYVaOqPV_KK2x8%L$qS3>* z9PO?hoH(z}kHOOV$6|1$Vsmw*RrC{%SC^(UP{#REl!K*)C?xG(jDbi&IlQ0O9#vsA zvqmf_XlJ2NWF9hRQ^#$!TGxCO7f(^N#0I9G>qqC-k*E#_xM{VV9c7YqB=M%a7%dO7 zM#8%SB`iA;ZH04Lt%R*iYmR7XE5~ViOq4fZk%kW=Z+nb$bwpYF*~?jhd#KG#8`aA4I0@0 z0^eYzh8@a3`(OVf_z39SYl_VXAVub)25mv?s%n0EHNVtoXpH+j9o?nCz zwur8uWrUECo~fjmnI0F$e=W~sIge85pL2`u(C|uML*2 zcv⋙ord}?xpUnO)N`EH@UnDsGMMEf`Xz7NcSR0B7)rtsG@>*y^44JpS||qm7P}X z6W!`fJKwEo^8S1L1c5s@YpQj--+DXG)^sQ9n^cxGeQwK*y3Q_M*X6coIz{oCSsXgP zH5m-2s|fY}*o)#$V*H<5Ij_D~vvJ>7U(zU;n~b zZB5#kbUfCMzNDnQSIjT~^ljKGSF(ZSCWPlqJ}W7Typg zKL9|(r6siB(ftX|?fUN?)3FtShB?}f>%+m-q`l@@@$+hH3*D8Nlo@@~toIqC_l1MC zv$eOgwe{m&=<3W+R+#oCdo!H9h26&T>Tcs~x|8iojhGppe@{}Y?8`Cqj$Rsz`06zi z%#qoECWqz5k({DD&J{!#WGH0K)7yT!D(=hf{P14<8s1v{8mF6Aj!yhjdIEl%l-<-O z6Gz^Wbfda=LaI}X$=-awTC0QCf==41F0Z+%^e9(TJX7hq{5?UXYs>350ML)LgT=A^ zu;$o_^Fwhy%ZOl-?N7J^ndUy@xEiC8dR6a^vDVm^;$Gt>J=dC>^Q~Lkiv7LNt+~(N z%U*}^ZcqE3cev0Rx$@g(uON51EGkvg0q+*p{Oyr2dFrH&fmWt0gOV~jbHlfdc!Z{t3h!TF|-Gug{r&so&Wa&nu0rQ- z^&4>X2>>wU+nUIhb+dn>-xL7=RCyaIl1o@q4RPgf!AA{vc1~l_-GLGzWIBJFFeZfA zoFP&l{PmsIt7upUm?>M2qY$e|=NnlG|V(c1AwU&QBD!@auQM?fCu@EHF1 zFX_=}9VE?&Ns{ee03R+3H^%qvMapVq3a1mlv7`M&eTHs2OKEoYM23@DPHef?9W|+) 
zU>@eeHGs)*e43BMx?zsr!IK)R*cLFiIX6G6ZPNpDTEfng@%gp@sgFmQF-dc&H4=$d zV{T+=1i;f8h~sWLwq=2D_W>urE6^o+^&d5i@B1zQ1kU_vM8yXA#2Pyht!52(nA-1e z>IE^zeD4Pkan9>CNJ)p>8h52kJDa%LrBpo}00J4rT^@RG_2Fj&U(J))8pkB&DEp~y z0VALuJGH5sY|C5C5db}2Kv7*~-o_X}atlZ-VE9zf|4PZC zqnR1!P1^hwo*4zDtTp4ozx$&qGY;xE+efrf#!ULT9BQJ^Cfr!gO5C%;C&>rYGW84J zChT7-J=Y_qe~nKuqHvi#yYLwh$S>!zpe`*m{UrzjwUOlWAsOgB>4rFcB;&(?GF%I# zCsih@4^(pS$zqtHLE}G5G;*VU)E@$i)TXkkqPi-S7m+&`>ws>MnKh28)5rEI?VoCf z=LL=vD!7-vO|;mW97gH&_BIuXu2R+Ces`;TfbZd&9O#-GkeXeW&NpawW(*70QkL_} z+KgU-DyAIW*f009OSiC`ok}`pn2YR_^bi|$IrnsOEE z+ZFU<*EA+;Gjl5Q`aSKA6zfA*9qp2LQ;9H*Z#iVdS@Ybty3xy8$k3}$gza*K}^ ztyT{N691}J2QyzVDhd^%5$%kDi?8q$V||4&l0!1yDL+fu6#Y$V|HyAKU%@$?+<`+Y zikX**tx5hVjHv^_-q{}ql4CDL!Q>DIx&a6RV#X9!(G+?XCIi~TZ?@b6-}qPcE0Y~7>fYb=2-Vwjik5-j0p3IIbUtMVgRc99 zJB+khrB5xX)v3fMFd?1=R!p8~scz-b-$;ChFTP$;*+vGONg+v&ejgxun8uq`t=7S?9}7LEnaAgMva@rQoc@E?%zd&^?z>EZO7{Rb!DYZPmk(c_I#*2eKB z?5W*NK)^xR`7A@UQ1Hj^f?bkZli%p^&Ec(T(w@MBFT`!)#duNn6GoZCwHvk@N1-wN z-q8LsHb1D!(LH1@VlT$xK`S~^pVKN_=I4=hI$|4?KV!;o&S^`S1`)XvPcrqsXXJT` zjDPn(Ncd>`q$?rb<==xl|J`9$?y8Fnv0Os)zqk6kHitE((GM^B3v)bC3f^0aA!i zfc&f$T&~H(-fkGS=wb)&Ox7e;^6`pM`%HP2U;&YgCstIw%Kq>-#xQn+AH2OmOK|A` z^+k;d8Gr8;?7$jxH~eM`iFHKjDtXaTn6!s_e4vqFS1pFoWZ}`3R58OmTCquiDzz$D zm)Gf%^e`a1C>%uV@(+v`>d!qgbUSrb#Hr0fCFua-V=ig`h%`8_I7*z?=r~qwAP)T4 zd~~Sk(2zMi0?UfcRjnx^Ml@B(hR0tXF~0WxZamX^wgg2-f!3L#!z;MGB_8R8AXRYuIji-+)aBH*+`k3zxIlOz(9f zq}u4P&F6U4(=5yUhkeiMmV;w&`3{8Pu}$BqPUm-jp3k>h&FCrr9vy(3rMBDDD(oh9 z!hh>LSq$N=#aFVKO_$DA_xd`^JG0Z9qm`}2-ooB`b9?fq!c$p(Zd5j_Q){zp%OghY z3fR;|H`TTpr3CTnH}G_e0l>^dUvqmCsfiJdP|>JhP=$zda&_t=Ky?*m2?^@85F7^| zOFuEda35a85xxqkVy%oUT`tY5G{xs+gv z!QAuU02G0T1+T&fOV#Y&S%=WDPm^862E0}p)%lIzIzm$rT^5ROCYx;;>DFyaq_;Co zQ*GTwE1zZc9!B8SifC5wLSidhm2QppHI+4BmmX=!oRYRM-K_N@i-L;vGUu?HsAH-w zD?;Q!L0Ux$qboV5dyuPu=zJA%?NXvQ`W-?;MXx_26uo^Uzc^*wC20`0?TEp9JV^Z^VzJlA z&!iCGvM&RZ$+3+iHBl{*iGwW>W~DXj`O~T*Z97Dz6#`eM!N8fL22lk!7zN{D6pEoD zr0R_jQyS`A4`PS4HtBYN!j|7TI_>U+321CHzHaKf;70wdg 
z;R5YiSpWK92+|08u6#7zUuIZ4ZEH09SK`RFsh{v1>|>XmnSYl|S15F3lsTm_`&>0W z$rYky=2$^aLfn^p4oJc_gg$cAUWRGAM;yR=T%Skmq|C3k{G(btk*n zh_nq5{FBWV$ug|f;T!{wKqL;7Q!%SBzUrrD-zO34;sdr=#Fl8M(`AISj9d48^1w*P zNK5U+g`qc(IYA`i%@CPz(xA;=y48Ua-j0S-1P>Sd9=P141+bEeYNiXj^(Zeo=%YN1 z)aXT23tCk{YE^Sv)$(hX(L>0(Ws7} zBi(#2bm?DJL9-k%cSRZ2tZ zQOnzO0pX#NnG!Y*-Tg)w-iD^O(ClNw+9^k*23Zr!Je$GY6Hl!0P0(c#Od?zB+RTAq zS!873A*&@Kup~8SAobxdDA4OJpCE-1qk*UfVLkhpQcaZB3&qYPBJvu43(MLY9JbJK`X&Fi*+CwbI8XmZ9jF+=v7Q67f zWPmKs`?Av)oNAOPwL7+hJh1Z5$&kQf>hgUr8k_5T+b&T4So*pwPlixQd`5!NN^~WT z*KNl`A`?cQ=`b{f>jBnPr{#>#oS2F^?*e`>I=g;GLvjVRmFFLzr}~bRMzHXjbs0wU?7>S&Q4*2 z9bcm!s@TTlR2gE{VJI`(G@~*EkxDy5w_jikd4<^ouGrXMssG-_561QXS*BrQ!Urz} zt1ZHd53Z4ih|a*H1-30#U(_gbYb%JmWfgPm?ann;32mknagBSBRz} ziSa+H3NKuzhI6bMz%fRbJ0G?)*l!ViW@Z!E|EudVxjFFyvTR%DlCfEud;hN;NfFm5+;FG`P?vv0(41% zxD#2C#s{-dtb?S^7*43m^__%FO1NP14clfqX`2fy7~42U^AHZI{>}sr6f9R6_f~oI zpgGQEzsWlmc;_2C3VM}Q1>DTGc^3)aQHiFy^_C_A|1Uh&PK>zoi~DL@rlGp2$w0L) ztA#675Q)~W8j)KG_tpy(qS=!JWCgyy7)(zl7$+2ujzm=hHOcbmIdw9F*Rd^2trRSk zU7f~(Y=lio8lATjWQT-Z!6Ly0Ek^5sZ(n3>V8PpBBo!93bA|q@5{r$Opp>)QLZrs& zmbc)O?17f6-ig6G#yzYM$6E?L+@utS`ip}dk({|>qqfTEdtTNBjkF}=D&d?FF=&ky zCyWOC0_mq}TY_?~KL{N&PjCp=n;R_KT`k5_4uF5BEW+P-M3Mgz9!;=cK}F`KTqf0{!J?mX$$@bi z`9zw_aPf2CSp1mnpa|_|!z`zoHJ*&!+o!{^s4B$XeS=5o8+HwZxY02LlDEVwkdSs$ z7=N1uyce(F7QMpW4Y;8l`$V^Xz;a97q?=}?8L1)S(?yPe#S=F{7KLl7YNu&q+O2e} z7=ly%qX?cR_6r%Uw=?e{0!Elk&dYBQvI_nj2d;?#)aPkb8e&z1S?KFbF!NcU;iRZM(U{$qB&Ex4H&_MO*qtQeHmGm_ahY!=rt6>4S9M zAugrXC2&V1h3=Ga8&2AAlNr>WF0po^KakU1biJxm7xkmq@(WMn|IU52iT(H+>eVZP zNO+7?nSxV%n9MQ_n(1C60FIScG7(s>dI2pB^SQzH0#?YlN%EDzvmbUY}zrAE(T0={1mg(U+YrOqSA>a^%pK*Cah zu}D;wOPBuQH3EPpnpe$B+A&!1wevJ|2c^X{Hhl; zKeKKgIu(8R#Z`&b?r+BLNZARgPf^;F9;nUOIsg%BCGIQ(Dv3wNVR1uJ7js7mQPwx=a*q8$E;#Y%hYc z@RM`_Ndd9={%Fq@O+ZVaPkNdO{kfXSLeJ`HfXn`Qd=pVZpzqjw`AxWGAUOqiP4FM{ zVl*4g``D`rqWET78+1jWg>uNh+W6y$S(WJ+dt}s@2f*LK7g|=OYuV1xfIoFoipUJKUeb^_+4_jRYK+MJ z1qyWO8ES#^-mMFts4v;W^FAIa>QVzZH}-z@Ksws`me6y?i}`Gl-1q)mw{I 
zxtit>0fUd_75*v%M&=Zk;tNGs&nr?G1*YUyM?oT`4EaF@H;oKH;Lv;T*Z%#mU&l&A zRMBNu;+xOK^o`8u^1wm-NeT!ei0?yT$+u1~4s&e>cJprmqka7nN6oct8S;(>YYzF5 zR1S;68^U9B=3J^k7Xn}?s$Gm2$tfPb+aJ9hS~>|L_(-WY#bq%`Rqm0{G$*E)6;3Yash&8I*QdHKiv=QnUi1AqTz)frfTpdQ0O4#YPE2DC{5jZNrAEP9@-;^|LQ2a|}2%HyD>}>z?uRAi~K8Eyy$p(nu zi5%Y?jd!4_2(}1%6;Wr8o;c`W>7Q9Na;F9>~&0m33fzeL$on^UeJ^1tRuMH8UI-6obJ{!UTy(qh*qe zC~p^1^|Rn{#w$AdH)28{(@(>Yg*h#!(aGJg=U<1+feweTll1OoS>F}azfgxA5qLq> zMSZNGd3@dwlSbl;YA$5$x#nfLOmsfLv4uTVtJwFQlfJKN1k}KqUaqX3HR}tk%7{4N zw`10v>OhKnV18Dy;BWKK@)}!V`s*wpJCb&EUiTb zOgpkVDzSum3i;8NeS+_coUGp?-G4zVH=&hxZf3@=w#MMq;CN?kcCp)9SnbU(Y&BPS z3X3ayTbnz}kA=q6TxD@U(i)Pj-0M*S-_aK%S#U9iDhh2R=IC;$Ms>UR|deUQe1x^`s20?$iWQRF_p8_DuG3 z>}ZGo7_lyr;CxH4^2YM`i|nO)Rp=mwO6#0N9vUAMNY-FhsC$Xou`pSIT}hKOd2MP? z?phsEx|qrpdc=t0W?+V|@m#=n(nvI3S2Micsvbsg2&PM%j|WR>MKZeorZPX!Y>R$B z8KuFU0PMly7=FH6EJE?N|J;mNickT0R?)rhj6`>O$c9+%5Lhm)>B^a(Xk z9khNi3@`J=hDoJ|@VH{0d7xNj+V(a{@4~Ww#t+UN42=Yf^cvS_LG``8c` z21L^tp6KKSZDH_h<>4n<5tOm{l7u`b@U0!6CWuvI4Xaxv#v_OdD1|X7(n&=t(zSpx zn+0)ePU}69y@o6tY(Ml`1D?nNztsk>mlqsh)7e75>-SaBCR=Nghr)9`(#TsIcs%7U z;R3}jM;)nv!o3A>a5jbt7u$x_SXa1sFd*T5$JeJ?DE!kw2 zd#$g>*`fx!Kkj@mWa><&q;7nQn|~VwK5P4M`|ZgLe&2!=O5ViS!Wx8Ff{d5yNlYu5 zMl1FtJJWoUm|LfC>w=U%`!j)F08MuZnh3Bsyj>Iy!NH)kJdfvuXmEP zdZ(i+=$?SmzIyR!kFBc|JC*LDwxXIQUt?!?<*U)y)Y2Dt9PUhZSNB$q=a=S}=4ZF& zr)C=)#4iMZ6|3>_lcnEx$Xxq&6luQDoOnVCl!B`d{?I$NTD3y>ctu0_*%JH9hxHEi z-Z03}ylA0fnK|=xt#g0O!sN799N6^9bxA^^(}P*Of$A3#@HMVLgzR#=59k*-KUw^K znQ)O|Lj9MQbjS94XstwNyNWbrK+IH`=_9^2Wr6ggh2^95;7_&T?hKf0Ny(E-r#H1o z(QF@hJkJPe45(FhVJ^hkV&1(@FC-%NoHA=+s)s!es}lrAFPBr~VVLEmSv!5Yg5FFs zw>n5EA4AOY8-y(k335Hk5qPu11jz2$l_S`r2WT*I9!-FVte%9)Tz!pgL>;WfPC)Tg zI1!m~X?dlI!yPiU_A!sDlr(Sx$N*rCX{<6^@fthbQGdf!K< zO(#Q8MT-_21|o95_^0SeVm?uj>E$?Gq>v%Jeqz0{2tz$a3a^uGjbXmHjU428^Y%#c z;7JagL#^|F!F4G{6tMS6tHZoBYu#GIm0X4rym;085DRT8{=#%O+^$d$Y&^>KdnyYW z()`_?RJR|GGblu|;EbkEMPLz+UYpo(7z#cV3g#!P_3hv^6qdX<@Vq86#!S+DNkHU# z4C+Hf`~L!vKySbIXqcS3j+j@QsiO5e{IWcY1akB%Y0OhUW59(->Xff-0dp{8*Aty? 
zBVTl}s~G+H8N4O_UUcJbh$u+^swjd?ezt(;BDlE-6QQprIy+u%Vo0h!!@vziXu#e` zjIr-B3vSB>^^C9BP5cEhf{X}cLYyrDO^DYJgK)6WZKY`bcJ-Wz;b}|_ryA4qBI@-1`wh9A-a)5C+vn0c@W$Y;iKJW{MX>KO^Rj!rI=Fk!R zDv5rT1ehfmdp&i>6f)|Txk*_BQ|7G_a7N0l#1Kfqn8N1bs)kXV&%g_J8vr41pz-Dc z@2c)W*Ru7j!s34;(T=j1em338E6l0|p)ZhQ7+^i#n}}Qx-x*RTG%z!h4<&*A=xtQL zV7ibFVZF3Sz?8w8X{@<0oilX1p9`xAy|PI{B@fC251=NwohT2I-^ID|Ewp8?-=%+P zq}1wt)MPC)M8I7levG4X_5gOL-%Ctkj2qJqzS{4PtZo2~Oxw%wS`C{z{DCM=p*qO; zEB4>f3;AOA(NtP&bEq8sSrR7$dhVz3B6bx9?5O=9HP_12xFRz2Kt!>>4-wTz-P7T$ zA?;R8#Q$KF?ZedApUV!6?}-4%Njw+O@eyje)3y|SZXcz6VO>EuFA9hKV^PR}a;PLN zFGp|k>e%*4f^TVJi~#i6AEbS3?XcjR5J{^)2_S_dA19_rJ1vWO$pI?JwL>JJwekrX zn;j6rfgGfaJdj^>FZoYDxc>K={4==RfF@i@a1?8p1Sw?0Pu z)&=_;n)pY5p7w@iws*I8X0Vh_8;;XyWw2Z|UYoL76O-4VmVbPH9S<(jpJX^45b^}k z+z40pal8b$gD>_4qEFyjE(pUPh8knezU8?`0=8v+k)~N1GDgmDjV|5B(pSo`QHg=y zm;`0#mx!?%F$*AsPB}^dQNCX$+x>dw#NcXHz%>F$1=Ck(d&LL)Gl!>;#l^^1iEh@Y zW%n2GM}I8}VW8}u;iI3qwF$cgz8+CJ;~O-lP33iXN3K70Uyf|S((`Z9xVE8Sby>~EboPvAwA-zM53(1P_xktG2QweJuu>!K(v=?`-y z&NBjtqIi-feCi#;?Q)!sT&3=+WIisR4-y8fLczh7ts0v9Y2U7<5ulhT+8q> z4U1#_khUa?NA&b~*5*TF`tv+|U6WbHoQsVX3Jhle=&wdd}M!!lOaJd~CT9Ut{an6!SV`SWP zhittdCgO(3?Y~$+>jK36ie@RH`6@pdwAV?%SnaQ)U~50-IxmEQ zd#eD#Q@VHi>1reNe;>u6Rty%%^XF@rCH)85d9EE3BbDbQ z|Mo{3A1rVU$L-!efOXbY8@=~Z0i>eqPc$B=$?=5X`615A9RkR3sXr6X3LnL&p11ZF zYQmp=Sh(!TIy79-The?5-_^;ues6u;E4X4STIp4 zIAi9hBBAvk;`v`QraR%nslSof3>Nagv=5H8&29Z!TqB0#*ui%L7D6XC2*B#Tcx-OU zI4U_I9w+Kz$8bAb*EUB=;8<5P4n8jdWNth`6Lm{@-EL>eb**xJ2>#v4D6F!ITeEnP z+esRdCW)trfi-6N`7XCxE0F+H)Xjhz8-L ztrx>~L&tx@@COYsoa6OGBVJw%iJyoD+QS=NYlm&5O-D>`L|)KHR63qj;MaiJApyo` z#1{~mj9+vTL3lF0kjQgRX>`=Aoc-qSL@t(qi?xUvX+f@Sowb(YZV51sFupj7q?GC| z7C!m+Um7wiA-;sh$#r{6dclPeRYmW?lmy7p#h21{2dPW)H^}n@2@rIOFN?++jxVQu zY3K$c?HmaZ@{6yCf)}gBFTTsbud)TMbNnEh=w2>LdU__9wZz*jj6$g5?@tM6ivfKr zX`*d`#Wt^Mq9eX4io%C#8IDusL_!edj2}$fjHOwl+;Zl0PH)rmiZ4EdCW98v%oN&c zg_(67`;Y))#T^<&I#T7B4`@QqgZjw$VMGhRVI98khtn25Y3QI5DS-X3O#;jTi623< 
zA4I2hh^gnd2q60DNMdr6=|YQXpUQ$3KkWG?0azLxKZ@w_&ZN@(-e|d00>qBut0S6H>mK*TZ6UVi8r0mM~5HVQSbu=Flx zxPoB_P_c$4bP~+o59Jv=ECH$?ia5; z@=QYLwzbgo@e)J0F}=2x_lEJ|AKOX{rlgq^)6IetP@QaG;8UfcRn|rmc=fxDkwGgx zt~yEW{7GRaPL^};_@mcT52=D5H~3M6u@CO22z?s(ytgSEs&Cf2LxTebW;W7JPoum@ z@m$lWjPq6t2wW+k9S7*yL_0>yc}8oFpk3s<+Ex3vU*5)kV+oUfK(ioXY~}UR?mGCfPzesWHr|oMkE-WWK&<<19R( zDK46h_Y(uyBk)ogKM~nc0mNWCi<*D3zO1|#aw`{f>@0Jk_6vLOg4!UflzlJ zE2ogg2dQTy%rLOSBtRW`e2AtFYevnS8>TiOe!qZrA|PoOG4sS+heFmk*Ra)vXXnxs zo?<{vH4*+i3CIw;iCkLLZO7PVOd@RIPvh}omYjxJh3CaZ)(boMo!QgHAWi5`3m}aBd?I6y8`C3}ZinHY zOC(@9+C{`g68sY~smw2#^e&o&7VpKx0KeDT5z62_QUdDFVH!=fqlWI5KmkcLx9xrb zI0_|x3H6Nq1J?xlJg4on4>RzZJ<#|cAE8Oxx>CV#(t1&m2}lzS;&jQjje=J#9^yd0 zO9DpDGV@$DkYK!?;6uk?BH5rV(JHgR&y@_w?>5~rFNGS=vetOm;zpFdQ5t;j!8~@Rscz_?xlNFdM*cwOqE-u?g+4nR-NbD`RfVUDFN+phiY1e zyHjW;`3rf*jp&4y{8S|bF3+p-!ik7P*d*~#jTvTkEW|vU#Ek-QB1U|Q%0+p0rtq(w zrlucY^xB_pDoH?>{!-!w@btARb^QX`=hi!=5vNLE`h~Q|uk@@$Bjfe{bn$x#hs=Da z2wzbEsg=Bpwz?^u-`)%ES%|-gn1tWsfawnvmFh=HK&AX*qR#0p71C<6{PHPMg;+z@ zaJ#I6YfJ^mp~l`Wfb<5ugqn4l83Gn2i1L5{93>aOf_Q4J(NQPV+k1%{(!=jDXMG=`$@#jkzxO{|F`>!P0enk^z zE5clJAHP0|B#yd>;vfk)gXIPq>(;HAi)alra9%}}@Cy{pv#+KxK5c@#KRKou53PhosWisPU&ljNe%hEMLSHxd!k1G zncVU^qWT$y1$8RXdWQsz`rb@qW%V=7SpE#PItjQ( zw?q`Xxph{{$ko=YZ*A>tX>Z%y)Uml^LsNTmOM6piXLDQArj4DOT3R=6+R)k68PIl8 z>Ev>8s#unpYS51{d{e``s5em4D2j!7qpyW&?(J+|-`vyG-Py6eseNPfrl!tKo!w2F zH?}r+ceHG7+qh{XI}AGw$12%rV|BlmbK~Qr11%QQle}SNGzTU(RZGoXB>}CeHxZes z{%U;9Zlh_(x^lJ;220*dlMV}9i^qkkRY=}WbWwSilT0NJ=tcY;Z<)vZT8#Z4@Bf8G zbaxQ_PGm~mY!!XyNkFmxR@%na7mUe4uI567X5wcEAayryBZg)S-C>LtLP=jHpxpyV zdOJ09#W&8_ z@1lKr;}*l>bGFrC(>tS(4$3s(X$+^Md;D&yMh!X{~GRJabVw^Epbc}QElyM!(0jEe$_&6P==l4hILdyUU|x>Jo0MRg!M#M1>TFE9sGMMa z#UH;-Zwa8|{j?*U7%>$F+y`g|T*~tv@kifBw3yO{S$XQ!7u9}B0!|OTpLp<#C1-5V zh4m}d*XZ4xPVv#ET?gD&j*CIouzPBo#rC8MT_02jvxV_*Z{| zCV>yQ7YF(NYOHfH1FznI*3v_??_R*fMZQapcfddUlSIX%kA~_=t1@HkQ&D7xsxAMe z0?6_|O!S((a=smUwj8$!ek2~(#GoBm*z;*(GAC>ShW0iIs8l~gQ}MOgY7_DwiNdi{ zO&{ke5Z*Zg>nT4=JTF-D&};#y@B1fQd=_)IBOBUc1YcX`GFRJD)N&dD-f 
zGbMUns<%u$76lLZDLUfw%DUK(uLGa{`6!$v_4@BY*Z*;9ZjQ^T0liStLrnYC9+iNR z$R}v*nH*!U@mZg8w*VrQzChI{igvay5(TihrX)n<_XzmC$B%t&D z}IL;Hy!HF@Kd0Jgo6&4QrqJ8rfa4GYDDA zAPY~3{z}7~*RRtkS(Y)<%*5NZv%kyA7p($&XQ(2P3nW?rf#0AVvqToyT~*32Ibh|| zH;HE|wH+5~-y#aNqHe?W4j@HVOTa_(ZQ7#O*v8G||y@tzE?;I@_w6tv{K6gakBYe?X&X|Feehke~DRZibJdwEd8nXqdpRPCS&Z)oV_HJEK+Z@9hFwC-}-=(7rO2wo1UD z^Rw<>5I}hImo#Nlmp2Rj$c%kIL|rd{=;L3}h+5#d%z7U}3wZn-8(jc#S$|C&AYz~_X+V!1y@!4Q57DqeWR8~C8O`^&RM z5+BRRhyB6$1Yx=EXfBfP^9bPSa4ep6cuf zlZrf10)}Y*L8B?f4XgD5R_AX5h%5U~8YNzT5-!~SMH8e8%NG#4x?A$u;!_^23XQsd z)8t#dS4Yr~w*o8LYIuV7DGj?d?LV}YspokoF9a3dH9JWHuGD{t#|8J+{n<=klK@j# z5*ls)pjO_=Cj+C5n}`v`S5as72A`iA!qEP&0JPE)@hGCYen?^-e4LlPHUp9pMDwM~ zD( z>AOt;UZ0z&CB{X^jmk6QPj0+Z0`5i~QN8i9UVIPgY5Tmu;C1}T-t`&jbb2VKb?0T?bw95T<`lw>+R$y>S_04aw?A%$_ng5OZXXU2laVB#D7 z>jfH;@l2dd+xVLFq?vKU4Dr8800}dm5`_}h!azyPq3AjdU zX{KwHo1+5wL#In50eS0a=QnOTp|`Ny+5lO-nHpqyI-J;zou`SbWx=$BL<^0p66r7( zf5pEofXLm}i0s<7sVKVQ`K_3lOxWws`UQ|xXs2;+vH*v#sM;tWmjF#!iS@*|hX~@! zTvG_==L`vGD{P2Di7L{mhx4`3kgRcHBh@oiu<9n-y36w15DR{a#2WCan`!(QwgWx> z2LU7~cWT52HK_D>n1RkN|B9 ziRTj2VOx5JLQ!;s1emd%ID@!MrGhb`#WG_H(#aVKq4J-%fq6zO%ZtToZM`%cN6Ag*82Dfj+ zIlYINv)P`@1TTG9Dgi2;6TQSpy5w^FTelF?jK);aw84kYHd3N&|G*>NNA*vGOt32Z zSfB|w(N9}*KC823gL+nH;w--GVP|#j4LVVdD+`{bfj-jNG*(}lW~*siIfvglq??5> z@_l9;K0M-EX}f?8R}bKUm#0Y90J;XEu+Wt0^Rm+o3aAs?<~x_g8}II6Kb8TcY$tjQ z3towkqONr32{nFu1!zrA>>y?&GFE#hr8$KXA)qRTH^Uc$t><88Z-)l2G4L! zzDmPFe;3gfsovl%1HoofYY$7D0jRlnZVYj7UWbX^j2^nK`AY(bop}lE?8e&X_8O>! 
zKKFL7A4B{`38>je=3A6710&v~VOlRuH3TqH4lie!OO9*hnTFHTUgP<`Wb-3@l$(Yn zn=`~1sbjdj_>Pb&Y?6SXWP`>?bXQ}U?8{usI0Sc9u@A_)ZEBb|3R&70!TIS^gL_gT*JYY|K&90 zpYk#r{_MhT2^cwhNkn$x6@Ki(uC|Sv*LO0zu%&H%b5ncg=8mS0=9Z03J)1Uf-n^l= zx4CW8`rx&f{PUe%cBLJUpV#FQP@G;#+x~iPAnXoTgr0b#0HSZMB1#eVo*?r=)t4hB zuBIK-8ult?T>9f*N#L9mDT6tQY#_5d}bAL9}%o%MMcqUG7YWJs8&!4`#ubJUisHk)KGM z1c-ViF=EJ+DR1V-x8QoBd!lDDwgLQ0W!T{P5>T7oKs@?JzUYQ9e6@2VATzv*w(bkP z3w}gozaLB1;VqB+&Z996n<(;Xn$fd3trz^1YYsp~ zn*b8$zbT@u;cJM`UHp6exvwRfuSHv-=Aim7U+4h~YhOnczP6!bTs>P6CU56$*D!nJ z<|q`NO7HT)PIscr^m^Ln)EYUF4hOq_3z3@=|HirLRvN*{qMof}CiRH2M-Gj3 zKQ%huNXFqb?59+PmhKWjI!N9~PW)j(x5Fy)wL-(~Tb#QkU=Za^M8kqFj+w5Yr=A(L z6ZgbQ>|=hndy5_S!4~ZOAth!$>2prB_-R!3*hbC+>q@EE$eJKsf2c&+y_V{CSw9f&Dot%Bs%0Uww(C$l%i zw2QsUJ1G_%PAl9)XqJ)mX_CK=kQHh>mDlPmcw;vhVc* zNDJymX-iU9jsf@$e0NJgZT7KRT`Ef{S?hELGCJ526Or(;Jl!RX$-a0 zHW(8-Zm*d$2B#g@$m1OFX<~eJ%r-{pV&XG2K1>ux!_3Pq*AT*y36BtUihAVBXKCwQ zBL=$$IC13*eqfH|b3_^HSgO41qqL7)$&}iX^(Xey= zSVU6w^AU?Ou*dxUynP=!wU5(8S*mDT#Q?#X#IOJ|NcM>+{7*%+fxDZ0H1`mo;tMp+ ztQ*svkn{Vz@%J3h0YrU~$}b8&{L-`J@+VUaH5wKV`|>=-oOt;jZwm%jS|`3j%z~N) ztj5w`D&sX0uqNuOME{{@V8_t;p=i2S0?uRmS`?y8QMAS~p4Hc*$P)xes%+B4 zY$X`I{032;D5m)Zpe-!{+upuOjbzzg`+K)Bs+V$p%chT!fU$^g(a2e4dd*+5scEkZyBEoBUKAGPu%WHmMHPm;A*;XzLhb$NLEC%l~eliLjQZ2s1 zWMhn9CJSZJcWJgvt%1ZbAbBRb7tON$d(0VMkH6w#FDW?l%Brb_}kP)}0>3sbI9 zEi4C2;PL=Zs64(;RAH*hq#s1&J^YYJZ=>Q`x*rjZp3uE|@rwlzIrj|lTUA%^{g@bV zwkC63x@|EVrBZ?_Zm#{d1iVi1C$ytkBiP(;JgHFvdiy`6(NUicKaMc*RRL`$pz3Ed zInj`wsX_J|geo`oz;fT86N5gq(TKwm(2n~BZRZ-jUD@s#{D?00=OJ`3Y(|UWhKu zZ)m%;G%MOHF0~5A_R&#CbqVHgiFT`5U;>6;JRM;DFOz@==XXRSWK_=>{UNFgl0yQB zq4s;?SytbJqH@T}@doIS{UOTaa3vZ13Tl28FHBbck;a;Jlg7xXW#=)st6HS;99}%C zVI={7q7l@{ga3nR+bp^ceoFpK%(?J_KICitXkz|)ZXZBl^%vS#*NoY&3FhRf>#&ZJ zfPvz_Miz2{AwnKcLhi+0VdN2}Z#FLu4@3 zrRD!6dSd$(z=rTVuM~iaIH}EzBIfOe0c@3WlmgNdBf5!>%R_!4IQ69h2uX3GIjy!; zf?UoFiUpDh+EOjZI|DqcJYZzZ%0`Q7d-o;@(8iEVMj`C{tkE9?V4f|RqV3(1d@1Le 
z#hh`rF+F1Gc9>eJOC*5PpRAz~$J?@p3J?npz*B1Aw4^2r}2+nGB=U`;PUnCzHbHaBV!EdTPU+1eFcZB0vOOY6q2u8yXz%^No~wKs2UZtCo4?rrMY*xa*z zb8~xhZ*Ozp5mE&Rh4z9}f$eO7+EmSw05>!wn`j%KfOT|gzq&;N8t-dqGG@_8 z$;`QCVVGGChU&zvJMb*yj$LbW>&D*p?vAFG^}QRL+Shk(YTDG+)!Edxp=W(7`(JN& zcT4b2^`&P9H2Kys;5I{ZB-UpY-L4#tlx!h-e|X8?Y!QKPNSq4jX{9GQTyUeGqMP6s z5}+0)*+!%y^l+KN(&f8# zLB&h*G^%a#4}7Ihr>(TObaH4K^ws-Gy8TpQ6ZqQa5|eJ@#&j2)Ug?LX5edlaXAq-Y zu~U&lr;L*RkbzIag5i+o(ez}pSaK>oI)4GcCndl<|Kyoe<_yqy_cn%iqer!axG)pC z9mWH{O+Xt21a;E5I5ip4`F^#4)&(f)qDiw=dd|!iq@(Bz>Uks3EhUR3pvvqf<~&Eu z96rJz*+Y|WOH9XW=N}YP0Kq-c)vWHn3LySTZ$!zaEyTo{_*C!uI{XEFv;YRGmuIUp zEDs5-1IyS?T*hD$nV)g~EGUuBq6wY@E@BUF7oRNw<|-u5CZ4V_6R6TTiI{GULT$`C z8v5-F@6fPR%m7h=?6E*&h(FExlmygi+lVfWcZ;!I>1`=_ynG!vD7j2-r->G?5>)7o z&S}v9q^eKZC4d-XJ80{&oL52dlGLrH;|30VCNctA51{KD+A`JmF?y`5t>=Ba4CN*| zSY5J{c)S$T0+WL@mD(Ue68)}G`H|I@e3bxFO)?aP6j6`e=jZfk4Vg5Y+(lcLnr)^0 zh+*Svel9T;?ig+{fD-FGqQ9mxvd*U+@jBU? z8e|s4DgoG!l)Qk*{K>!IA9*2-mlrU8>u{O08YzKN_-d!TB9_=>B^{BQo1t+*9n&MOnFbZgeu6!(6+kRfgQ{)<#K3ORM0W@54j3hda~&`1 zV2&yZ7_!71o%a>nD`#-d76Diz0X@huVyb0wzln_@tfN0mKy_sjBQds-WuAax`@I3S ze8US=414Cr4Du;0ZbA-R+Dnsu38PSX{d&c{VJjt);H&I; z)Gl0(@Fe8nfC`5gAj|0>yYA=MGz%aH*(Dxiub41ItL_c~Bo$Vov0vl9I9ZTuhRzT` zoRtY0JvD+stF!G!38;J~Y5OBhWc)Nv5o-?u&tT`5W%F_H(CV5ddIIS&-R=kwfQ-FR z015hC8bvg$+Nx}3I2Dx^FNk7;6f$d);RWd4ypU!QC&%=V>GHA{3tffFXs05!evbQh zUPPnk5YSS*LwB4>%f@eKOum@N7Yl!Z@P!|#y^DdDw1Ekb$;)X>vh;wFs+|@nZ&TEe zt&)I_%}a>(U|KnHsWQj%2?2yHt{{q%Ivd$1rRTuM7V}#UVT|)isvHT~!5UvKfaDym zBF2EjPiBvuCV-e8R}+I{leXy^xdMJ@UrIY62t)d@{4NtfcHo+bVoTT37O}zM_qyk- zLZDkBO#!4R`eigmOBU3_04l3buau{ zq91(dbB`?YAiGh8+kRG!XY0Dd^(TA}2ICA5d z3l3-xzG@z=(rX#6L#cQ*(JFP!Oa0#z|8WVZT5qH=eB9U@La1LOfJnQWh_Ra<+Xi=b zH<=f3f ziR(=g3nwFzX9{Qw09CIiiY>)d^W-hGI6;axFOTDozLh3W8oaQl*TG6kNW#eW8;DkE z*Y<%O9bH4n9{Z#0gA9D!0hBgxq%9fR+A&)y>s$#air+Nfftv(FO2Yy-w-Lix%o}Fv zDcq@yGZQqjaS2skhQ3P<`6U7fY^@*&V{NZx=vDS-fqYw=8+H0Fonkdt}Ka z81mv>b~z2J=6?rG952io?yjM(0kgpN%E6W7JE^f?W>NbLtGz}5>1}%#F~X3ZxoQ&s 
z$UBK@Ew6s`yPqw0?g32{Vr>Si`5u}SUMYs8m1jcq+IluvEqL-O0i;;%E@CP$)C~`b z`vefR{$8SmvFfX#jW9kZ{4fox5xbjc5<6oCxWKrY)$@J8k_kWl%|_$D}d=7Y5JTk9B(14l{)znUre0F{t2 zbE0c-Fn|vFy#O+Z=|ePH8hEpUZRNJZ|^6ilR);ruG%Ji`fqj!#A5 z=_u*obq_qS1BXyO90eVUY}G>yU(v7;{GX4bbpd6w!F)`QORFui%5K>+`geSG&e3>S!SNp3($Ju5sip`FyuUd!A5-{Zc zHJYTYVOA&{*y>04|4?EKko0vLNei4ja}&nISSo}S{ls0mM6Ew!oqmI|Z7QuW+k{en zH_k6LER*m}nsTVm>*IzutvW~O_P%`OgGJ9M8FL3 zcZd=UnI}|Dl$I}{gR?rGBwAEO9h5bOnPK@|qOEE29)lors>`FNpmO;hRX;1nX+A{^ z7LS@aS2Y9XY2vesx(z*|5I1zd$v5Ap@z;u?ZDmSnx7%=aGq;7A?{F@Hs%p7T0&ejS zXhba%!@qlNE8m6Jn5j~~oebS5Nk5E2e<-~QE|k#Aw39!g38nzuCGQnLCS^S{uO1e^ zHKj?zVzfVwVoy}u$`b}FG%S_!6XKTGfwG`C2p}pV@lyr{)*^OW({{p zx3fk_D?V`~!?Eaz|1~ikU>iA0_dCL{UjXqfe>1NFkcXEpW;hAZ@mrc%u|)JfI>vBO zpGFo&nO5E{0Y`=Wj%b`Ep2S)5_p~pSgA4gwvk)z~Gn)(1Bmn|oDUImW2o>u)1a_PRDCtbaXoNI+8?b{< zX!L7J3Qv}YYulwfT&R_ zMNEkdj_J0M*=^b5ipXNBhUOL~-C(zFUoHTBqEszWY#2^jFXEF1Qgy^=eA+5bhqjeI zz`(2WK~OwZPc(74OJ1$8Ce=VxIDsc8-_Bc#G~`O!RO8&}zF=D6C_DPtTN*hFF30)un z>mX7qh~{D1Dx`IV_&taibaJK(>7FUm0f|pPrdIiiTu{Q5T1j=KaW^Ejinf#?TZBvj z7|2Q;Of)HjwaV~<#-D3QekXMZ&H8BMf%a}Mx1zA&4yC;yw#Mfv>Xz9}$Wn(9mpXO` z{$+>HO_ByY_Xy&t7ZXtkP2rGRkED@Q>*`s@@5u1-%_&fC9YqW#fhMZzSIZua60v$d z!!>*zcp(vJ=1Lt+3}t!)YR(H0TziQC!X(Ggwx=O$xPwfR6lCZZoQq?L=PlT^daq!3 zCA#!$qKTBHj-y#a*i1b?H=cvCnbh$_v&=Ev{(@`R6W}Tf6`z-nTLYlw1R5>8RgGdF zexBh68WxK=k?0@uZps0XAwy`JZD0m(6^EMcIW(bA=cH{bmm8|Q%s{nk<>5*-fRK}j zarWJYK0crq@pE!A@%+_29g-RP<$yTo8=pdy#%RH^%F=mE0A^cKO;PA3yf{6UV&G*% zperl2mgqS-pk&C8OYtKKkYGuzBg)lcE=(nI@?rrv;49TkBPcQ0Q`xTNFWC1A2~c{H zY9TUC;@=44_#^5C4BVc8dbX7q7^Phgd%gs?^CHzo+rDLdeo9);8Qr>TRGEyJYNwr} zl-EBLPSnLNXZWs$RIsPkN96Tv;E&iB>yL@w;(w3bH}izp2aEhAu?MF7%T{LkSS74l zOKJLbGH_QCQ~;$mQssPZQlIu)qxw?;I0rJdiN=8oomodxr8d);Z{e1lHKOMRUCY+9 zip0mML_NOpBK*0h5jRN`So@olf4Btb{!5)6g)R;tzc>@~Yqz0XeJ*W%YW0Gd4>dVP zJvKdc2GPtPWoGHja7Vxq&m&6Gl56HLD_vz6^S*gr*a!v4nM4b{JP-{3&JNnsLro4H zlsFcAYbP;jTGVYlUnwjV=WwkA^ohD?QHjNlYZZ9|sh-tcIEKfME`3@6sk-PU$_Q2J 
ztB2^Dc3GC4F$?UFJD}Jt)l0Nqm44k8qFmx(hhUd?uM|M!Q6Etr6)nf*L2iET()v|#b1(1q^v!l?M)$+CPW4NFF*m;1It;7Rl zOd07eE1%a3c!Ni3fc65J*$c4jbppt;ZzG;(y;ymHyFx}Uk!S)WY$qoDYW|L|@($W6 zCyS+!cWnJe;zaPN=MaMtdZ;RYuO^z~96->{`OIgWz}G~>Qr&|Q1=WYB`Q)HNR&<>?6Gt4EzoItkmlS5MN}3cDfb~p0jnf zVZy0&1d#)k5m0Whgt6re(Hk+Q_$^13N^4C&= zT|ro!?{F87FL^O0Sgf&^7#?>F-3E$A8DJcefNNqCHJ-c(EmWN3%@VL8!J)2>Yn$T= zLGRK8eQlm;G3bioqu|Q7t;5Re(mY2d5_=imqG1Jp6ExA@kk$(wnF+lBx@G(r9G??F z-1JGJTPYKjUj3hgES8^|=)W-hRm0Tt6m8KKm<49}xSa;G7z0E#k{bjNoit56GW_!I zK-W8bS^zN>FQxLf!asfiO;**U$8@`+idP0g02v9$oG*+bZtBMb7-Pt3SY6p=#A7TC zbialAD3CH{$K&d$ zC`#x;m>O}NVMN2C8ZVujJdbZuV(SDDDRm8T8yauMx8YjqCk8d_E@BvEKXw%O#Fr6m z6cIugvUm`|r|*8g0Mg3wa-#EP8xu_QgfTJSBmnPINxgz5C}p&lr}~wdn(JuNr@<-= z@j~97Fk^>e?-0;hz?Z+0Xukw&K;>0`mur|CbUiVwG#ctM!Prp(h;+Vz$fmB<%LjY< zJT7G&4hGStUPX-my3@rl_n-Vl0*dZe6OD>7Z}@!()2mkwzCRg|bYm1jFC`O~Bw*Iy zCfd?8GXFGfn?l*`{v`!8o-NFc$dQxzA*%BDNbO zz%xe|~ggGwYZ>CAGxEZEbyF7C581SL5r+sLhE#j?}M5%kF50!wmi?xj5pAjWs!_&iKf;tjPp+cB%<*~qTtAxd5{D4ql(`w zplt&by@}}W&&(1H6`cN=1oZfCqaCq^QPXzZfYV=R0)K6QoHr8{vlyd;uy?hSc0B_h z)egf@w^IyW)k#y-l=85HfpYU(Xa{YX7#P26XFoIUi&jBt-rqqy(1YT7->RKbZ>7DX zwrE>vn0d#eddh2KQg5TN*%Eddy}J*$nvQD}KqZzR8{_>Fu!{NZMD?E2L5eZRSl1~) z&^u@ZEl8Jael3b8=R*k9&kG=q-#dwA1^eC=qA7Z}0AioLi?&{gJeY%8EkN~<0MfmF z=X|H-+8OwD>agnW-Lzxh=uDb!daOTRmMi{jmo`mQ;J|>{dx)-j06RV|0g1SaXx@gu zySmC@e=m_JdEtB}80(}=UiYD4fxo+nA#d3stS)lChxUS{R$*Xp3v)9{w$U}F7f=rM zBj^6W_=H~u3gbBMqj78KDGTbFhI@$#+B7z}x0;RCF9GgyNxh$@1Y)hBmgX!87|8hm z(Nm-pp*$f0H|#!YD9|>uS)eBaG;xZg6vjwT2p~f(K2FU^ z=vfd~RF=j+EdjH3pP=z}(l)?#P}S6^DFIU=4@D7FRMa={G3|UD47j=@^+{rQAoM_w znam9I$3I2XPs5|`==3lT8C2_ndpL?vlRvBBlMD}Qm@V^ZnrXaB&zaeR{A_1X&l}2H zqgCD$&voCXVSd49Xtbpa+qNo2ih^Gsk${b`k3`{Os}ijDGdzs0#b={no&d((Vom5E z7-{<)?Leoz_l37Q*Ga&+j*rq#_2L7XPy-5w*#;KMfHvgPwpu!maP z@tZh)p<$V;$Ej98xC#kP0BJROf@%fWW*%SjFA&!}wH<%%7m3eB4LX&?Ih$dth6VJ# zM6@ew+wsr)GL1uO1P=sk2d|TW;_E9>RAp4F@w-?6i57m9W+^TdE$PF$<1n3!FaFnv zp|-41zO~i~_SwlZ7|ztN#QWEYu`f7+Rq4HKm4FkHzd;idd|`GCb@f>#+rd}Z!_RN}9WxNkxA=2Xgsshciexlu<${_E073T_K_dXzC+789Y 
z%3W~nqlv6*53ctlUyv(sI|+3^a+sQt8ly2k9Mgy#5-pv`B&j5$*k=+JeL4`A0k<$I zR{<#a;)N(g1aoiim_Z)c2Q+JM@9ep_ic_kxIHsATmSam z>-rXQPWz46b8B}2W=zEB2hbZWS3MWqtqWqQ)|UYDt(Cz-n=3r8jox#to)DrRk2N}n zU)3h~XA8wQNVo-fYR>A%4@r?3?0=NBhJEzEeZ8Is;Z1kAXx@Il*u#@m*PdHgXtQvV zx3W_<)3&nutu86KIQljVJH4%KmEF0?+1dK=(AxFydy&j^Rd|uz=!|ezS}#C#+Qu)u zK-iXsU1NJ0lyB48@Y3S)W_Yb;w6U?>vozi}IkUOAHo3CdtT%i#GIKf!zN?1kCEOH> zyruwy-xJ)aecGpI!ILunxA{q`AA7*aqQkI0293@OF)f_fQIQr_P6A!5pbsIbh+xz949sw>aa5J1}NSgliVSY6h^ z97MMb#%g9sFFT4cSNwQ8z^w}Ce=t9G`+j=6gm@kLa6dV)ODNjAf(Ex_DIx7Wp_Fc1 zCN)pr6`rt89R3Vwht6eLSt-v346IAIGA4X8UM-Yq2 za7uK*8uQA1D0A3`L+<=3#3u+9?fv;(ZvDYa0cD(t<{R|S5JHLgJ9`|#8LZ=jJdtG3 zRu2k>6Rn4;((;VVRBLdc=HKp5vq0QPRHgK%6>8EmM8LAiE{emCZll;34iEp;d)6S zH*dQ*f0#p(bOCt}IhNNta%Eb)@p>gwgBE%nk(E=_)qHxYtGaB6<~583Y0hq8F*{`c z33XOkm5XCa@7ATssL^|m^06gWp$|s5sw3`PMo)(nG?#aCb{(pK8Q%#-<876v9FuQB zu>>cob3)4C5zAk!naSJ^HH~V$vs$KjcaU=tH|o{$XQCh(RR?t*uTUh!uw^kwX9)z$ zLbdovXAmUJ$w&KYm-Z9A?gj5PCOol3d4!j=NB1V#ov}aQV4GjnDbk~-`JmZrWRh2K z_GA{NM>QbI72gsBt%u2hoXH3b7gKB>-a>6&4=U#z%FL!u^fOcL*99}ov4V&=XGtaI zhGa)MeY0Re$P8??scVKM=o&fd2bW*8=XT_L?#q#W`mx%OM1O2idAXXS`_MuLIo7lO zgej6o08`U9S=S~8$UE`qXD(||so$4bwW!EBB7&ZVohI}b`Nkc}Ltg9>%_ci*7gbz=QQHvhX4Rhr7AOUDbL4N&E^<3L}GG~s$m-y9}g-+ zozhIbeFIPSYoW%@EDTsB+%jCn{?t+3(mkyDG{ndYQ;bE1xd)v5#%MV?72{ezauAz^ ztp1H^FDy+2{(a_}^T7yc$gr7apFSwAk|#6>L1Cu^ZHTE2QJHPyN@wU+V_g?-SLmJy z6st*6vC&5piwE*^U$)G*el*ZfRr}5LQUt%a(l3yKai!N5uzEX*VmJ&^81(5>TjU5y zV-Wp~3eIT@IuZ?^;N5+^0lF@Q;4IkL^2)`q;amwxYl^zZLj>Ld;E@u#B0IsstkH_| zHX9IuBhQ?O-ANj-@7g&=V_o+wzTeh#Ab(KfMVN|uzO`~s)>UD6soO`+&lK7Bd-|S< zO-dkr!jimyt7d8D@!2(6xjGFBinOIv1_d!Bh3VF_{IX_TVJ8=z$-G}4$GHlyO@O5c z9*pMF_1xbXmxrLhD7Efu4Vi;)>z4;UUTYF|;Oa`*-L~qRr+|_ka)KP@6hi#>Q zh&vKmtK*04<~s zVvL%Py30L)>B+j1(RfaAD6){ENoL#2^(7K-dT(M5j%6{TML5uA#xJCiX?($0)n5Fg zcH-g+s({cuw8HG3IfG$D2{U{mew;et0p#qgz#WD)ngmpt7y>lBqc!TfPS@^t9fT29 zXPw0U5Pd~;rpj3o8&*SDK@%!2#zJVL%ao=4h+;tW5Nd^UOmCOo%ucC2Z;E-Q zVqVU($d3ednfOW~jmXxx@7%J3S~;kK6ng%wYx@4HaS4pvM0mYu%WhtX0a9NwMa|h9 
zKk2Z@hixmtZW@lzR+8e%87&0=v6(3qMAAvOqNQx^?XCI-t4U_RD+J| zX2D@U$e>jm1UF>$h5Jb6wByaj0=WfXqz;m9s~>sw?G*Xl;gRcun&n?!iDmwm}sdcth z-)M-9NK&b1((J5NPlaUKZwifS>C2Y~m8`MR?g(7$KZt&ZNBtJvN}RB6Npnn2*T+YF z(Zn|9^#w;LI0rR%)Q6F*uRy2Q(W`GisZ6?dLVXo%e>%k6S&p(@TJTd6qJEs+J(G3& z-uSJAna$i6*xC$>V2JccsV?Q%f74%+!36lxs%%q29d*2GVh8h@5Pei zF_!#aD++}qiP5Z2N1VN3>olZTc3BJ5pLgtJ& z$oUT{vHRO*e`onDwR(Uf-j<#W1$))gRxq^IrDPb$|PtXp?7@Ge_BK$lsx z{J#BagVFm`}q?*=NM1mXU`-p z?6yH~WX{94FYRoo0{8xb8*XZytD6F$8|(FT<+_5nf%_LEG$5 z?%MF0IkQcEJNKc0oy(TgRx6P7JcPU?aAZeIdqC5M-QVI}V`av3ul+_AplM8cALyV+ z#qEa|7J(|(BUto|F`}X!4#|BD*_0VQGXLQYFZ;nr{rz zf|Z05H+(^~!Ykw%86rcqvtgB-_KdBj0o?Hel|#GDEVi)$#e(Mb@HngPUvf)`xt`&3 z1J|~`$Qafp$yJ{?wg#EAl=?!>H@eS$(VEBxEw)Fm`ZirYVwerVN}O$LhJ_SdIhuqx z`|hDN@BL>3#U2)fFvit)U);0tf^)}zavUO!FJGsQq7!q*LW2DCy@Ie-B`#(jVzG z_Bo+<95f9;PXTFnrJ#Tc8d)nUjRq4sUusmR)eYq|X@8jK1c=uW=d2N3+kFF3K;C>o9 zulAFNPl`H^kKxz%d$EP1Z1BX~J_LPva45r6e1I&G{e5>_S1@KtY>30yPl$|G`qshb zJ82~aCiqR6j5M3Bk;bFr4XNmJ?`Ic?LND6t0ZG|00!Qy5Ui)3WBUhql^m0CV)=c|E ze>5@48#f5Lw1w&kOCSIE29C1GR8TQ?MLzjSvk4PaMTRfv2(w17g4W0tsd+_QJL*I3 z&4Jnbjg*{r{x~=Eqykmhimmp%uBN8qw&E^R%iF}G1gnaZW7ixl-Fj^s_$Q;Kk@k6+ z*Qo|7;L)5YS?eSbmQ$F=>~!Z=I!lek31VGexZfhAC^L~ik`ktjBO$i)o4s3Yx9H(n_u&^MtBDO?#uG$@}K zAwhvQfgJeu zq;IcxN?p^?F!@ers#9Z@0`IZTOE`^!%SR|~iF=Ue-gFwhC;0ZJv8d?i#RhF=B2Dd0 zHDX(R7pXG4L4>*n>Xp5i#KcUwM!=r4?@(cTB~V+w&THTe=H14ky?|5?V=G`%l&}l= zFS5LbaUn51Zm1pGufE_NFhSn4Thy#|=TDQn?6qm1a*8HU-fg8$N84GgQ6~*+iJ6Lx zby42$nXED;_Lo%mV(N{ho5jZMz{uxo`malQzE7o9*cAxGY|yC?R=O(sAilGIOlp8E zSsV~3s$By!t(*LbPOxO>LH8U9ck%X%`By_;bO@J}3q^L=@8L`4$ggrsg4E1Xdb;H? 
zp+tUh^e!FY9~;R$JPJ~b(2GjZ4ZS6l@j5}38`q~(K*b;sa>3BX!V*wug zCQ4bUz^gq&xxHL@_}i-51(hZ^Z)a(~w?&9|np6D09ld%z7yQ7JzG4NnedIs(5i5fOn(b4n3P*YV1_$kNDyU+uWy<@s8>sbj+eRzd>6C=znw z(^B-l66_`i0BDy&w5k#7b?}W_yRcQz z6rkkgd>suXO?~mEx3`fYeM8HNNYglfc7;JKqCt?tRpt@ewxPR-!b!Dsf-%Q|z`_200Y zr2HFpgn!3Q_b=FaETT;TfVgS?YuGXUS7P_?ls@MFN(BEs(#P@(JE(WRQ*&8eV!Nfl z1d#?qLd^-^e`*ZU>5Pby9lcKM5oIWzv2|L3r+$jr2;0TthTR$<{{esM4d^8^D7g4m zsn;`DWqOeD=*xV41F=RawBkON7*nb`rgDQ&l)+4`$Y2xr(I~vw&~!J{R}|An3Z=|A zu{y2;ul6`1e40|0qDG z>~Dc``d=Nb!f#=o_TR!hy1#|UT*UupnAbUs0tyB+csl>9(L)59#s3e{qLk6|0b8q`O9VeE|-qKQ+?+8`m~q(E%%%o$tJg#v*+un@u&Tlw=TD-13d?#^D1*| zyQmNmrW+OpTb%-)zF( ze%|dTFBkLT))lh1_P+hVdia6$`~&OyJ8Q*v-B&+2;O_X5WEpE~&xmp)z=N`_%)Yc1 znaVa8Nvey_Qg3!x+@7{|I@sm&;27V0qqyy;Zed@JRmDcBP;Yc;dVP!FyYQFQj?r#( z7zqBk!}i!kb>v&~`0co$AS~-Oqyq6 zhM}34w6glpEHS*vu6X;ChhE%c8HecNOYd!061U;yY>aK&-qwMRg8HuLapyL30c{rJ zR!`pdr$yH$+lYaw?t{^A;p&H-0ntH`zWoGvSXyoL81Z`+7V>!AgAOf+v+EgbPt3N> zu>E?&-Zi)TU_Y(og?YR6xwfiK6HRSpu<^lt5o_tauQnGvK5k}l>M9qw@rSG0+>2!E z&L(Uo_Te7}3)zViD9^Gk2Qj*qQkluAoxH(i#gvzdpeCeqs^+axz*cB-fvniZzAJA9GAzQ zFnjdlWk#1z&4a>hW?RML?pr$%ZR7d`knkj(iQZ426rs_Zv)-@tR5!dAcncy0c|QEP z$yubDQ;TeO8AO6yh>bRKV__eeD%_2P}Y@<7BT;}{1QU+#N8Ls<>Lk+yJx!zWy z$G`^a0Ob`Q4A#AD`M!C=UX!u9AkEs_0Y}CQ6pL=m4RN!7fI?EEC z!sPHWJylP3efm2vHN|JjK7R~~G2xV*3*&3rXOUIJFIkpRKHPn!BsZ!PyV^XK5W5mh z^cKLIGY%h-M(YFg?6NR2&{78i>UJh} zj>YDxZqqbfh#b*5mP~>#CLWP4lm!#6RvyLpudjqWKr)%IlH7SGcV@kiWI~@e&E&|) znCzDo4o>G81t`JjU7BHO7@}cmz@1<;++SaOa6O+o8gc`@>tfn6GrbE-cr%d5L+G&f z35Me`As&D5Kt6)w@2J4_f$TsFCqX|~ViY3vXc+G7PK%l#e8L&AqIf(+^{BB8*Fy-@!Ot%MnfKaHtuai6HULq}#vQg%R!m@n|*Ay>aroFa>i?Ku{^Bb?=auO(EU)FB_1ERyG=+bhABY9al+mnvUeO;XvB<5 zA(EqYysjQrh;b5fnR>7YP>fMAu#1(OjWxoftTE~&HPy1C{TI z(4(h952)QOcOfXZ0`WjvaKa5eZUq#39dIHoTmvG#yTBA>f$->m%Ox>XU{vg!4k#5H zD)MQ&KW1aDefDuxWmaO`)5COQ$$HF`nWo259IPL>fvMc~wiH{i1o9m1K zkx{`v7Emz?U5&70>Y45sKoD`k^$$BHg&-`S@dDo0X+~cz`5Z#WH4f~;(M!<>+@Eym zJ;EeGYO9P2J#c&uj%h|Idx|O<9Th5!G+>d^%&ZGk!L$If@|1{?q9vX&kegk@YMLo8M{{j 
zeALFk+0O}M{b!00c`t>_b5`92fV)*h%+p4Ere&+{C_u8HIQO*gZ;z8;HUvn$t8mMG zspXk%e7($8dx`@I-pAb$c*2D@SiR7wYk^mmpQ!UkW^(Pkw?9>Bl^x*PFgi`CL*=sHUj*%*h+O3z zj||ksS+I+( zwCju=uPEE+c-75Wcl^0?_w7`^a{es?UIh*tFg90sa8-%Hrc7>!S`ng`{T*R(z_Sk7yxjI6zaLzrnUGar#6e6=HMMlskK)Ab!CI>VZny6S zuMNVxvMfdCIK7-rK$g-~#|vVxwVVxSFyfMrk^gh>PDDVSt%)T3D@Zm8Sqqy{uaA)zOix#xDCE;1I_4?%S{4xPl5ps1J8RMpX~N`81%O4Y zOtSP6yNOz!$uG9nBLLy+e1!R(GQi@pElNa2*TouSt(~>Q>0K0U*rvUIlm||3S6vdu zc%9%tEpAVKvt*>6kI@=Zs4+B$kda_!#!k57$*2uBs$~Ot_*fM(xokB>9f^|ZLsA=9O$zZ z1$XCjzXDK8Z|k2eylDRo)RN69(Ar6p81w8dr+%a?iw(B~pbTg22_(CLXl%WJU3T~} zu%qPPmsetI-(>&R_gh}Xq$@#r+`6911w`%c>d7~_PibQ!w}`l*mYM6EiO=gi;m4ZU zt~F1sfb`b=X`g@_CIHF;|0KnTvvT16%q_x8I5eh#`6eIKCs+I)y=gswL4c2**lj-Z z1&{yJErO3U(a$$;sQ3qOfO6Fb4hmR~Rv8UF4Wu^daNf@IHY9_Z_SjxMH^M;R8}J^c zLn5d)X~#HD=h;I;z??3>LvA}mE4s!B-Ea0K0{5^w0wCk|(m>$+!P73f@m%O)<%I6H zhoA#~F?LE?9Vxux0K9?s zx52AdHU4$cN7nY4QB$1lstZ44gL=ky5JS(aABA18@CJOAUCfTgKuqBO~bXZ42SsCfpFr*l;ssF za5W&oa~7Ubm0mjwa>+mlHZ*rIdnhb7?L@B0$|k%(1qLGDt0-GTVx-?krV19osqD&w zm?~eHi87Yqx1)N6R8)kZdhIX54(;M}YOBD}gK4<)q%iV0>$49VXUoxc12Ci~y!2S? 
z%2#=LKrr%cw6sjKWsToAiB zutp9bE8H3{op$E)Lt)^WU{%$X2wnLJRVO`r^2`pnd0O3H>!PkV%zd=AMV>R?$+!2n zl9cOODulg ze-Xyy42&E52hWH`*}lk@C+iPuVD)d$f~@}vCe*T7ZV4PML5 z?UO`Q!md9Hb@#!ai|NkMMX;}KPHZr9+GQe9<+>f;KQ#&d#uRmbniAdE!0|8#Q#wKQ zQ^@YysF|lPZG48h%hrf}k5hLHM*dEt9J+2{P38;OkM#@c^b-C3 zCj^7e#y|uHmYVLs;~8=QieemyVM#7tJBHVB6|UiFS+lEgq~5|}w1gx84=*J2dmi0; z%InH|#A%=pghwS!^L!HkH|X{gz{&OaR8_8=0L4KO^QwL!kV^+MflX6f;tTbu6eoDM zj-||vVAzP>K_MLy+<+U2s0abosJKI!mVIs;J)KW+x@(p(uA{90~eDp z{-j1OcklGG5^%%dnSr%=K;=+aQ=zwM!@k>RTtOki&UP!jMmTz?jynvmC$!HDvNP)u~>}K=qG!ghuEmNf#Fl zYV|KeN%+l*B;dR&cK~@P^KcX^Dkmm4LL4axjaD7YQ`wMi_7k`bQr6-WzAnc}B*WoG zQBijKph7uzbnIu`MnN@S@fLRka;pBO47Uip6a`rZejbd$c}!~R;J>dxn=EPxYCplL z%py;JJk4{m;Kv1Y+M0%^M;{Iqr{(f?>#rsCb_lFY!M`aPM@v-eccakOpt%&YKKgQ9 z8_?Dyh?#a*&IIjs0C=qS!(Y|uYsB{<4aQF5JP?RV*Z_1jA-mVigB{VCyIvAq1UVmD zB}mxcinY|_G$(i6vLx_K{TCg{ywD?df8yGvBHVB?#gP(u+~*Mu?XmNCxV#|#R=Z`T zem}5`3;>*0|8JGP|B%gQ`jbr{|EJA?GX0uE{%f`L@0`kG`jZu`{>RDRpKL1m|Nq4f z|7ZgLWV6Zti4d|+Wa?V0451ATvAy_RM6v?`eFMF^stET5a2s;kD{JsH|@+CjRRU8FEhgN8}K3}od zaI}9}!PEEd1YgSb<$?Mjco1?jCKEfwWInTH4Nuwgr6|uEyMw)(XCp6JyPI|BB zIcb$` zYQ#}{8ezS$gcK3kGZyYSIxIIi2d z)V7r86L|Iv__VgQ-zR7ieZOLvD-E+i%O0}%askyt8O7Rf+|IBUlC~2tkE$^Uk;X8CttvhcaS+A zxJn;wX^nSwN`m2%ewLbcG&anbKaTBe)qSbr;f~CR+HJAC6W4vTg$d61nLSn;Cc8WS zMeA0~qu21q1c@&uaW=MK1!GrIfAddv#P`Kk5*=-e+S}}b#|&K)LrdrcjWJQ5Jf*$i z-%VL$ef3?fS`dnqEQ3vsR6|0TYnWG+7Q;ToGTbeyX2#U)*NAT$FkYu)+CA4|VhcES zXs#hOgP4phNSAtWb7v|5oA;NsCYRN@K#U;YS@PG43)@h_9(9^aT~=fwwXE&0S@`-O z=NM%9@mu39f@MIbl9v$EypVT8hdY~XH8HoR4Q5?vNM@U>CKH=KXkAO!uDu1^O1OAo zHoaXiGns2#9fn~G#&fWQkPoi;he10M;m)Lh638b={?XA3k|ZiSSnT7BVKtSq#xu)` zOE*Se<}h_HinT%d3_Y0nc)Nfoy`MD-S*6 z50((i}HSb+GeGr5HIxRp(U(Ck~{FL!0J?oN^gNRm<5qMOBSM z9GvLW{2ao|6Ei-2-}hA@h}aNE(3T5=f{5t7h#@IkhK1Rsfs*7YDU}MgzzBUp6J2?i7XthH6l5ZIafgO z7NUFY1SYm^2;FIoD46XMiRscqEJbmHkI;qAxLH3T9eU;LzHsy13Lbx~ClZshFWqf@ zY~D3g8U2`1>NKZNbw=h&x}|Lrl&c7X(47|3Pr(4LV@1ae6$tXREJ6HtDUT{9Gk0}h zmQ+TD{H-kZFj?XPUW~68D>I7Y?=#c+2ENVTjJV?wZ0ye8KnY9`9=9fDWO~va?Gs>5 
zonY7^e5%c`EU{|$5R^5M!6A}8HBRLK|4L?yb{8`vff6E#!r99N_m#|*`BMKz?sbth=gky{@hT4(78Y@)qfhHq0po!-KN% zn+@t+1Z0vLE|TZLm|R6UB#<+W`3u;#OF>0Gf$d}63_ zs@G+?h6BNe?-`a1YrONE3gm1K>+E&KfHKN45lgokbe}a)aHh+;$6+>ge5fwIHm``F}ad2zuf(aOJxX4?*Jq2N7-}H$u%ad)}SC1KZ!!A=KyuSz872j@PT!_Teng|3~ zA32h&#DjfZiC-{lV_yQ88|cutEV(H25U=`A51Np?=f8+wodcGkofOFI!)Aix@JljMppuV<{* zJb}hiP%%tVD?9u_AmARnI-$V-dKQ1LxXn7o%RRTJ?=y`B(ScwUUMUB}yP1qZk(fwP zxz1-UbNIojlv5Jzj;5~njsEEiHaQQu8Z2a+1hTt{H)V3$i8nKm)-pN-++oU6OSIF0 zmmbJdltor2h##K~N6wPYj62_b9ZPC!(qP(zf*8GI2dV=3ob9J@T(vs*xh27XqjPi% zLtNCD3Pg)$gt)S4olNickBk_or~B9GRRj13V(ef?9@Pg(C?54?~e!j zmx$A#oKqneKd}$@2V8$GYQpQjEM|JfB@~bMWFBft{v@=~;&ETrHo{pe!ZO)05c5GOl4pH6~Q}_+O-!&DxC#KL8XenUCb)08&g` zS+4O~PsbN8XHYe_2P*>f7m&1`7b-sQ+uZA&y_gdcUt&?@zY2>OYWC zGXHnhJN|pBY?*&8toozHqRhYY;(sWw%gp@Ccl<8j!Tcvni2swm z9W=lOgS=S%YzNj0ft|?_U?5C@`nB;Mi~ckOSU-G1MwCbB{h3S^OF~#FU&Jyey*pR6 zNUcmo^;r7!_T}N(jx6694Pa zS-@Ybhg($=qrxm7C7F_xCN*uVT71oF<$z#zMXhtM8)_H4ie)X`b_0xl_|zL?Pt8l*-I0HM zvgO^l{fs{*auiw`MOrl+%DP9QT#!GQCb@EyW=s>G=5sEPe7$tNAe30DzT{}ULXVfE zq*tpv;rH}h^48_*q+UjWiH4?LxtvK0p>w=>Kda+CE4T4*rS}xy?$@bYE|O?W8ech( zWKEIu1${8zg52p${_Nh*jF&>$dGF}({xqa{Dy5Ge92Y?etFT6J$}-Q$)OE#1*d9aXfAu z=*xHYCBK!|wSu=eG8~kN_g-A-q2<^&QPGFABvOuatR^R3NgOYtVZ;#TkA=JXmlgcj z6Iz8zo8AgqA}S@g)O*7zD`*PpSq*PJ#KYaR(LaOD)Nr`8{Z3AjO!9@k$dej5UG|rj zhKr)y*%J|E$#r6>Z;|?W4#*WH9U~H-lTzF2qpOQbn%?DsapaGrM+KMcPJA!bs-GUX z@y>eQh4mkPR@bXfYxv1}D=2!Wy2I`*(P^i&DxqS!)yVg$15_bs#7g3d4K4b07P-;jmRwyl7Z6Tv)Rl z<&mhMdPlG*>Qw!U?j@Gw{SW$0vM~6rb)%SmIzJe?2}+IZB8sWFC25uV;S^BISobPq zS(;#~s2*9=_~mWVa9tEu+WZLH*uxt`WA%=GQP&w4nqW(SUN2!-=PRo92&G0+QR!8# z0VyD&S>}+or{a_LGM!Y=$onv1nqc%E215?IOCd!#qtNe({bBhSa{DXgleHMDfIauT zl(>M!T=cb+FmUb}bYmi7vkAk4yq6WOk&@ z(7plUq>pl8jiQ=0)beoE_j_+oBzNwYeoG=Yg)h2+4kJ?rS4kuuW#5v^uzXUzZ;2Lr zo(FW{HB!hOpETh*0R@n@h`GZSP&^|%a*`3+oTH zS}=cg1>Fw1FDM45I#wg^lt{tod8;7|?iC&l!fKFB>P2GspK6G&r;wXIodAL_Tp(jP zZ@1ZuuBvf7Op^1NdX5#(o;r@>t~%*@&vM%VR_}%Jy&PEkAp3t*ek0SEV2CCE(?qjBpez>+@;kKL>KCH7ObJ1@w*?*^dYZcX5LvgV~>m-=d6 
zmuE_F^CY}EZoKnVdX7~{U3`7uOb`wmqB)QZZ5>s>bAFeb!NU#^RJ7QMpKwoW_;Dpc z8Y{-|5Ug@40lldXBN!m|5tB-T^>Q>`X#27$*w;T!rLWNa7$?7r;_|CRhuLRa&Q`dJ zTK5+a4%c_n0VB=p0C9_J zJoRwRqZ??p@r1lb+-f@13+H1spe(~X>Z%90W9%4a)h%MFf`&SD}N4G;J zAwqVz*HCXd$%`)KerR5DS`wggC-A>19f_*`NCEuPNf&$qJ`wMb-%@ThQUoCggXQbT zS*Hi>KEfWyDaj;5jL}E7l-|-zM5yU`f-Ad~oO_AEYXI>9KH)&cNAYTOJLT-Qh?L|w zpyp&F5}YG|tuj7h9C^jm@0Xyn`=`HASn#@B#vg;{VkO`cM{q45T$e+Xmnxqz)a2z- zx%zg>u586~j2Uu3a)e;eNs5FU)?S0R^ciA6&2O7{wi+z-S7bK2qeyh93L#py!b#F> zUS_(tTv&aKa6_H`)UPc6gZ94h6YeQPp3MB%Bv@hC;0Q&v2~;|n8^a^GWOh_#{%JQ> zLJonC9Vd5>JmAN6dBlCCI=F#xZ36J0Sr!F}{wOJ6gm>wl=KyISa!$Q_H{XL0r4G3D z5DIMWRfKjGux~D5^k;v@v1*wVXR1bqb77lXu_=O^uhjeo*qBPEreolgv zrC9KrbDm}(?xp3c#(HE+a6TSFNp5$gn6CTKs+)lm$^fHw9(8+m{o^r_V@nf84Sz10 zO)Cg1LcO}YK4X(?u1s<~rD?P&B9yG3iOmIBU=4;>l1gsAaq>si*#tW_uESosm&KqG zSLxpLWHI0h238x~jIFZCp`*1Opi_|FHk5DqI^r5kd*rFgBh>SUKn5@8S&leePK)wT zRX$v}TS6K{lF-F&Uy38oAEkL(X0yi&z_e{o#C8qgOUi&@F?uu@D12yUdE^OktM!03 zpqUV5VtJ;I^5h9wTDO3xcprE?fat{-SMjX~fX)uX5G`g@c#C%+AimbkJ(UMzmn*DA zFQ*mbS6ev})sRUr@(6}o<@GK>pKPZ(Q&!JBw?1p&2WAh(VWGs-cSL78Ftvj;m8<>& z3^DL#(iu3hqTSfL14L(}){qW%LgK0r7~X3y<8u(~EF+e1UaN0I`(`x`#!Z z23!qTWRa$OTgv_|a8oR>!>_w`u@>JQCRa-b;0+e<$bJ*=yY>^nPT|igoX5BO%BU~= zev5bLJx`Ug%sOB zmSY-hIEMn6H%LS*1#F#CLs9X2FRG_2y>XZf-}o%(da8R~EbPg(IK< zyDZG5-h?vFSI)U&TfYYxoH>k<*m$%7E#mgm3h7uvyXXVNcaX6cySRZ-%ru@4*8Sl9 zGQ2B)a{jk|Ho*KHdT!tUT_XKYjQkmqe=<_y`H_fZbzhdaNC3TNjO5l1qB9>Tu=gj3 zz_ym6OW^2Gfzn8BZ2q8+_1YjuedwbVBC|{NU;&8m!Z*nDdi&gRI{#ALFzc^_RQ{=hRQ_QlD(jyt`Td_oAb(}P|HaH1`u};Rg@vuLi94OU zjrD?tbj&IPQrEqDVJk`klykG88{$)}r$!^ynv|E&AZ93Go$}iE8GZebAkdH78^jV6 zL@{>TX^&lL4v=mYMEB^qEGgTAh=J7?0R~KahMqfbo*u_Kk8aI5z%!t`wz@lB-EX8w zr4@n$?}BUkQijZ?rXnf3k(ml$u@0rcWzb1jDOdQhmX)`(R`l!0@9IE5xBA52jT)c9 zn-pQV-%DAZy?lnIXh-_d6^5#|Y1jS*WJQn<{#3E5le5y!n@C!i%uYIgod{QWo8oL#{&^|BZcMfK$8|*U7h88Ua>9Tl#Y9XA_Ac|{md1|U@Lg{i zQ-XaR^Dl{()zYK>aQNBc!Xx{AGRXxK*j%^RFy-(R`Dnx@tdpF?H2)7}_Y|c`8?+0$ zY}-bcZQC~9vTav&*|u%lwv8^^wyUSVfA5(&m^BCcFxSe%jLf*=esTpUds+%~&@`GS zEu4N+UEM@xQzX^A*$mY1qJxK6WF 
zkoY|j&aZWVKgH75SdlmmG|%Hek?t2RZdiA+8(Qs28(eHDGQ~+^@&no`;3GH&!BH)- zZ&{l)Ozv%1G8ne2TwsUYAjR(z^0n*7c2F_h7^f@mQFnCFbf{SJpKuS02?2j5J^&H& zj5{NQgj=yGJIz6lf4`a>xBBD%^ioc*=fNy81NvUl{RQ$elRCY4ze9yC+!BeK*Ur-Ul)ff)Jdl> zFv!}uZAk$JK5`DTYc=^mMV!_(q7g~w62@w%?>j%XRZXpRa1$da-!ANe-Oh{O1}eM5 z`?~g<{muy&<{k)0949lpTOyccznihw+|WXmMwxgO^sYw;xr`Z3sWDrQGg z;tzwFKX^P&yr7|Qi9JD+LI?tXe?b5H0ylZ`kA;8&0eSwb)&Kwfjqv}wkPV%TEiBzk z85pnee!FjqKHQ$D&=w+YB27Tkxl7<=L0WQo)iv{>v>yV;wWY4EvNx(*Xvo7Ib?r{q z`fVhVa}m$?K6*#kTAI1JxtY0{v0g5{=Js-Tz5P7198{Sy@^OxEpv*fkHE3GMA@0Ex z5p<(^F``Ir4yO?w5e6z2a^S=iBC55@#}uXo zfxsdMBk;Q77UN1Ljw2~Wu)O;48L^VA=In|T)h%@x;X78~Z9SlGdQKA=6shHew>e+* zmy5NA@|5jlibKORj9C4R1!!>I*OPuorUQTHjkI#GEc8K6o7W4`o8F0kL{GX%Ox%r_ z$1HxoY42M_>M*&aLH0J?*UGp<*8pbu^+w&!+%|Upt;Y&Vpob!0_Bhe6L7hl>c#r2_ zY^)w4uFGAk84I8i$XX&tTurifa2=UAEGimO*t@;GdxiRmjf;igvJW1nO@}MihLrt? zt^iiL43~q51kjMNk7IevwMGDww(@P8OoAxR#LLyCqsg4~gUg_{!5pab?a2CLRHlp1 zCWiSUS&pZvHuPE?P&?@2M2R-$Gvq#KJs!bGSu!eb*(7H`IGPD93MM<)8(CVp4JleD z3?C=dwm(cLd-%)(A|V#L4eUr#G;eZa8dyk--Hmz@4$~)~rbVK@Vwy|Kj6oF_R77B- zWji8Bw!}!;ie}GY`nZ+a`;igk$12vibD-_v?Pd;XSWJ;;ETW(GrO&-2HI6SKNAT|e zTubXM%dypiSkH7E`O2AH$zim!chrL6h&U*lG8E(he;(5He4To(fqp%&m;132VCQzS z@qRO=>GhbT<7x={l!K?_Qj#V5RUvnKxjv97Zu}*PYNmX)MV?nNw0j33!ACW|vvW@9 zN(~+pw#773kb|58C2Y`>9(|@7`O(cm7#S+Z3bAh#!S}^ zjy#IeNH1A};%FuanV;MkdIy0|$-5c-PrK0YhB`X0LmwC~o+u;rkFP`ClO;5X^@MRL zQhHEgL3U?AD?*8qRfnDVWh^_;%ToyLs(@7A>gX_=GJ&w`r?|y91+NG@*l%N+ympG9 zQP(o-d46{wVHxW?K?q@1Lp=jjR)*jE+2vYM2E z%&u!OI@B{zG+ci^AFQ|S`P z{-Q}8X&}NqDtdK9=h}PSJk!h52kJOVnC)n&$`_WU5Qys5Ha?erQjbQCVq|2_ zt#b~OZq+R3UhJ)h<$c#M_N~I@6yrD+xUZ$^?nTJoV-y+wcv(}w@-I;($A~M<6==J>`@Ddp`;*IShK&M5iQfZi z$a};O!BYiy%0f+fdMv+4^;$|9v+Pb7*!OQK$GrgXOV+mjwO0EvGB+=doe?`^_%{L7m4=bH@yV)EyV8p#GIE`ytY!7=2gm z7Dmo>bd5mF?4%xX(ue#ZwRy$i^c4$IVhIj7b=T3mfqI=#qejfMfFd5s4CQwBF2