From 54c11660a13972e259c04c011a707e97153abffe Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Mon, 28 May 2018 16:49:35 +0200
Subject: [PATCH 01/20] Upgrade libraries to more recent versions

- spring boot to 1.5.13
- spring framework to 4.3.17
- snakeyaml to 1.21
- zmon-actuator to 0.9.8
- postgresql to 42.2.2
- spring-cloud-starter-hystrix to 1.3.6
- httpclient to 4.5.5
- json-schema to 1.8.0
---
 build.gradle | 68 +++++++++++++++++++++++++++-------------------------
 1 file changed, 35 insertions(+), 33 deletions(-)

diff --git a/build.gradle b/build.gradle
index 0f5d78607f..41c79de694 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,14 +1,35 @@
 import java.util.concurrent.TimeUnit
-apply plugin: 'java'
-apply plugin: 'groovy'
-apply plugin: 'eclipse'
-apply plugin: 'application'
-apply plugin: 'spring-boot'
-apply plugin: "jacoco"
-apply plugin: 'findbugs'
-apply plugin: 'checkstyle'
-apply plugin: 'project-report'
+buildscript {
+ ext {
+ springBootVersion = '1.5.13.RELEASE'
+ springFrameworkVersion = '4.3.17.RELEASE'
+ }
+
+ repositories {
+ mavenCentral()
+ maven {
+ url "https://plugins.gradle.org/m2/"
+ }
+ }
+
+ dependencies {
+ classpath "org.springframework.boot:spring-boot-gradle-plugin:$springBootVersion"
+ classpath 'org.yaml:snakeyaml:1.21'
+ }
+}
+
+plugins {
+ id 'java'
+ id 'groovy'
+ id 'eclipse'
+ id 'application'
+ id 'jacoco'
+ id 'findbugs'
+ id 'checkstyle'
+ id 'project-report'
+ id 'org.springframework.boot' version "1.5.13.RELEASE"
+}
 group 'org.zalando'
 sourceCompatibility = 1.8
@@ -64,25 +85,6 @@ sourceSets {
 }
 }
-buildscript {
- ext {
- springBootVersion = '1.5.3.RELEASE'
- springFrameworkVersion = '4.3.8.RELEASE'
- }
-
- repositories {
- mavenCentral()
- maven {
- url "https://plugins.gradle.org/m2/"
- }
- }
-
- dependencies {
- classpath "org.springframework.boot:spring-boot-gradle-plugin:1.2.5.RELEASE"
- classpath 'org.yaml:snakeyaml:1.17'
- }
-}
-
 jar {
 baseName = 'nakadi'
 }
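Review bot: The Spring Boot version is now written twice in build.gradle ([PATCH 01/20], hunk `@@ -1,14 +1,35 @@`): once as `springBootVersion = '1.5.13.RELEASE'` in `buildscript.ext` and once as the literal in `id 'org.springframework.boot' version "1.5.13.RELEASE"`, with nothing tying the two together. As far as I know the `plugins {}` block of this Gradle generation only accepts a literal version, so a comment on that line such as `// keep in sync with springBootVersion in buildscript.ext` would help; a later bump that misses one place would apply one plugin version while the starters resolve at another. The `buildscript` classpath entry for `spring-boot-gradle-plugin` also looks redundant once the plugin is applied through `plugins {}`; worth confirming and dropping so the plugin is declared in one place only.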
@@ -128,16 +130,16 @@ dependencies {
 // actuator
 compile "org.springframework.boot:spring-boot-starter-actuator:$springBootVersion"
- compile 'org.zalando.zmon:zmon-actuator:0.9.7'
+ compile 'org.zalando.zmon:zmon-actuator:0.9.8'
 // storage
 compile "org.springframework.boot:spring-boot-starter-jdbc:$springBootVersion"
- compile 'org.postgresql:postgresql:42.1.1'
+ compile 'org.postgresql:postgresql:42.2.2'
- compile 'org.springframework.cloud:spring-cloud-starter-hystrix:1.3.0.RELEASE'
+ compile 'org.springframework.cloud:spring-cloud-starter-hystrix:1.3.6.RELEASE'
 // misc
- compile 'org.apache.httpcomponents:httpclient:4.5.3'
+ compile 'org.apache.httpcomponents:httpclient:4.5.5'
 compile('org.zalando.stups:stups-spring-oauth2-server:1.0.19') {
 exclude module: "httpclient"
 }
@@ -166,7 +168,7 @@ dependencies {
 compile "org.apache.zookeeper:zookeeper:$zookeeperVersion"
 // json
- compile('com.github.everit-org.json-schema:org.everit.json.schema:6cb8ae440b0bc34030d7bea85ac609d980d741fb') {
+ compile('com.github.everit-org.json-schema:org.everit.json.schema:1.8.0') {
 exclude module: "json"
 }
 compile('com.fasterxml.jackson.datatype:jackson-datatype-json-org:2.8.8') {

From 00f1d89fe9c24b63a18fe702f608b4efd2c26025 Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Wed, 30 May 2018 10:09:19 +0200
Subject: [PATCH 02/20] Upgrade more libraries

- dropwizard to 3.1.3
- stups-spring-oauth2-server to 1.0.21
- guava to 25.1-jre
- commons-lang3 to 3.7
- jackson libraries to 2.8.11 (match spring boot)
- org.json to 20180130
- json-path to 2.4.0
- remove rs-api dependency
---
 build.gradle | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/build.gradle b/build.gradle
index 41c79de694..1b391680a1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -105,7 +105,7 @@ findbugs {
 dependencies {
 ext {
- dropwizardVersion = '3.1.2'
+ dropwizardVersion = '3.1.3'
 curatorVersion = '4.0.1'
 zookeeperVersion = '3.4.10'
 }
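Review bot: In the `// json` hunk of [PATCH 01/20] (`@@ -166,7 +168,7 @@`) the json-schema dependency goes from a full commit hash to the version string `1.8.0` under the same `com.github.everit-org.json-schema` group, which weakens the pin. That group looks like a build-on-demand, JitPack-style coordinate (the `repositories` block for project dependencies is outside the hunk, so this is an inference); if so, `1.8.0` is resolved from a git tag that can be moved, whereas the removed 40-character hash named one immutable commit. If the artifact keeps coming from such a repository, consider keeping the commit hash of the 1.8.0 release instead, and record the mapping next to the line, e.g. `// json-schema 1.8.0 == commit <COMMIT_SHA_OF_1.8.0>`. The enclosing `dependencies {` block starts and ends outside the hunk.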
@@ -140,20 +140,19 @@ dependencies {
 // misc
 compile 'org.apache.httpcomponents:httpclient:4.5.5'
- compile('org.zalando.stups:stups-spring-oauth2-server:1.0.19') {
+ compile('org.zalando.stups:stups-spring-oauth2-server:1.0.21') {
 exclude module: "httpclient"
 }
 compile 'org.zalando:jackson-datatype-problem:0.5.0'
 compile 'org.zalando:problem:0.5.0'
 compile 'org.zalando:problem-spring-web:0.5.0'
- compile 'com.google.guava:guava:19.0'
- compile 'javax.ws.rs:javax.ws.rs-api:2.0.1'
+ compile 'com.google.guava:guava:25.1-jre'
 compile 'org.slf4j:slf4j-log4j12:1.7.25'
 compile "io.dropwizard.metrics:metrics-core:$dropwizardVersion"
 compile "com.ryantenney.metrics:metrics-spring:$dropwizardVersion"
 compile "io.dropwizard.metrics:metrics-servlets:$dropwizardVersion"
 compile "io.dropwizard.metrics:metrics-jvm:$dropwizardVersion"
- compile 'org.apache.commons:commons-lang3:3.5'
+ compile 'org.apache.commons:commons-lang3:3.7'
 compile 'org.zalando:nakadi-plugin-api:2.0.0'
 compile 'org.echocat.jomon:runtime:1.6.3'
@@ -171,14 +170,14 @@ dependencies {
 compile('com.github.everit-org.json-schema:org.everit.json.schema:1.8.0') {
 exclude module: "json"
 }
- compile('com.fasterxml.jackson.datatype:jackson-datatype-json-org:2.8.8') {
+ compile('com.fasterxml.jackson.datatype:jackson-datatype-json-org:2.8.11') {
 exclude module: "json"
 }
- compile 'com.fasterxml.jackson.datatype:jackson-datatype-joda:2.8.8'
- compile 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.8.8'
+ compile 'com.fasterxml.jackson.datatype:jackson-datatype-joda:2.8.11'
+ compile 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.8.11'
 compile 'org.zalando:twintip-spring-web:1.1.0'
 compile 'com.grack:nanojson:1.2'
- compile 'org.json:json:20171018'
+ compile 'org.json:json:20180130'
 // tests
 testCompile 'org.hamcrest:hamcrest-all:1.3'
@@ -195,7 +194,7 @@ dependencies {
 exclude module: "hamcrest-core"
 exclude module: "hamcrest-library"
 }
- testCompile 'com.jayway.jsonpath:json-path:2.2.0'
+ testCompile 'com.jayway.jsonpath:json-path:2.4.0'
 testRuntime 'org.pegdown:pegdown:1.6.0'
 }
 // end::dependencies[]

From da745a096d92d6dad32d4efd9d49230fdc1ceb7d Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Thu, 31 May 2018 07:59:06 +0200
Subject: [PATCH 03/20] Update changelog

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0599387d36..8ec84a694e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [Unreleased]
+### Fixed
+- Upgraded dependencies
+
 ## [2.7.2] - 2018-05-30
 ### Changed

From 1a346478980c0c0f7bfb98bd949abdab354b9b14 Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Fri, 1 Jun 2018 13:11:02 +0200
Subject: [PATCH 04/20] Upgrade gradle

---
 gradle/wrapper/gradle-wrapper.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index f9147d507d..2fb4764f65 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
-#Tue Jun 20 11:33:10 CEST 2017
+#Fri Jun 01 13:06:32 CEST 2018
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-2.14.1-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-4.7-bin.zip

From 39643bda9532e538494a3fbfebdc6e31a3208002 Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Fri, 1 Jun 2018 13:24:15 +0200
Subject: [PATCH 05/20] use gradle distribution with sources

---
 gradle/wrapper/gradle-wrapper.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
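Review bot: The new `distributionUrl` in gradle/wrapper/gradle-wrapper.properties ([PATCH 04/20]; [PATCH 05/20] rewrites the same line) comes without a `distributionSha256Sum` entry, so the wrapper will unpack and run whatever archive that URL returns. The hunk prints lines 1-6 and no such entry is among them, so it appears to be absent rather than merely out of view. Since the file is being touched anyway, add `distributionSha256Sum=<SHA-256 published by Gradle for the chosen zip>` below the URL and update it together with the URL on every later upgrade.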
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index 2fb4764f65..4a4216cc05 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
-#Fri Jun 01 13:06:32 CEST 2018
+#Fri Jun 01 13:23:16 CEST 2018
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-4.7-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-4.7-all.zip

From beb731dc099a8d1e285c5f20b1b4b8b36920f096 Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Mon, 4 Jun 2018 11:29:36 +0200
Subject: [PATCH 06/20] Same version for all jackson packages

---
 build.gradle | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index 1b391680a1..f6b802dd26 100644
--- a/build.gradle
+++ b/build.gradle
@@ -4,6 +4,7 @@ buildscript {
 ext {
 springBootVersion = '1.5.13.RELEASE'
 springFrameworkVersion = '4.3.17.RELEASE'
+ jacksonVersion = '2.8.11'
 }
 repositories {
@@ -170,11 +171,13 @@ dependencies {
 compile('com.github.everit-org.json-schema:org.everit.json.schema:1.8.0') {
 exclude module: "json"
 }
- compile('com.fasterxml.jackson.datatype:jackson-datatype-json-org:2.8.11') {
+ compile("com.fasterxml.jackson.datatype:jackson-datatype-json-org:$jacksonVersion") {
 exclude module: "json"
 }
- compile 'com.fasterxml.jackson.datatype:jackson-datatype-joda:2.8.11'
- compile 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.8.11'
+ compile "com.fasterxml.jackson.datatype:jackson-datatype-joda:$jacksonVersion"
+ compile "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:$jacksonVersion"
+ compile "com.fasterxml.jackson.core:jackson-databind:$jacksonVersion"
+ compile "com.fasterxml.jackson.core:jackson-annotations:$jacksonVersion"
 compile 'org.zalando:twintip-spring-web:1.1.0'
 compile 'com.grack:nanojson:1.2'
 compile 'org.json:json:20180130'

From be46623602374417fc87ae9f3bed4b33fb6e00ef Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Mon, 11 Jun 2018 14:10:32 +0200
Subject: [PATCH 07/20] set jackson-datatype-jdk8

---
 build.gradle | 1 +
 1 file changed, 1 insertion(+)

diff --git a/build.gradle b/build.gradle
index 63fa6f2044..b90cd5b867 100644
--- a/build.gradle
+++ b/build.gradle
@@ -178,6 +178,7 @@ dependencies {
 compile "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:$jacksonVersion"
 compile "com.fasterxml.jackson.core:jackson-databind:$jacksonVersion"
 compile "com.fasterxml.jackson.core:jackson-annotations:$jacksonVersion"
+ compile "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:$jacksonVersion"
 compile 'org.zalando:twintip-spring-web:1.1.0'
 compile 'org.json:json:20180130'

From bf8880bd8b221203c92c7db0c324bfc43e3aa00c Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Tue, 12 Jun 2018 15:08:06 +0200
Subject: [PATCH 08/20] upgrade spring-cloud-starter-hystrix set versions of jackson-databind and jackson-annotions identical to spring boot dependencies
---
 build.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index b90cd5b867..fcd508d343 100644
--- a/build.gradle
+++ b/build.gradle
@@ -137,7 +137,7 @@ dependencies {
 compile "org.springframework.boot:spring-boot-starter-jdbc:$springBootVersion"
 compile 'org.postgresql:postgresql:42.2.2'
- compile 'org.springframework.cloud:spring-cloud-starter-hystrix:1.3.6.RELEASE'
+ compile 'org.springframework.cloud:spring-cloud-starter-hystrix:1.4.4.RELEASE'
 // misc
 compile 'org.apache.httpcomponents:httpclient:4.5.5'
@@ -176,8 +176,8 @@ dependencies {
 }
 compile "com.fasterxml.jackson.datatype:jackson-datatype-joda:$jacksonVersion"
 compile "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:$jacksonVersion"
- compile "com.fasterxml.jackson.core:jackson-databind:$jacksonVersion"
- compile "com.fasterxml.jackson.core:jackson-annotations:$jacksonVersion"
+ compile "com.fasterxml.jackson.core:jackson-databind:2.8.11.1"
+ compile "com.fasterxml.jackson.core:jackson-annotations:2.8.0"
 compile "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:$jacksonVersion"
 compile 'org.zalando:twintip-spring-web:1.1.0'
 compile 'org.json:json:20180130'

From 71771d2d2d3949c8d4ab2de36d0089df1e55faa0 Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Thu, 14 Jun 2018 18:24:36 +0200
Subject: [PATCH 09/20] exclude old jackson dependencies

---
 build.gradle | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/build.gradle b/build.gradle
index fcd508d343..070e76ae79 100644
--- a/build.gradle
+++ b/build.gradle
@@ -97,6 +97,11 @@ configurations {
 dbMigrationCompile.extendsFrom compile
 dbMigrationRuntime.extendsFrom runtime
 pgsql
+
+ implementation {
+ exclude group: 'org.codehaus.jackson', module: 'jackson-mapper-asl'
+ exclude group: 'org.codehaus.jackson', module: 'jackson-core-asl'
+ }
 }
 findbugs {

From 5bbe9cddf614c5af03713cb34b5d884aaf2227aa Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Mon, 18 Jun 2018 14:29:01 +0200
Subject: [PATCH 10/20] Upgrade spring boot and spring framework versions

---
 build.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index 070e76ae79..eb9f165c32 100644
--- a/build.gradle
+++ b/build.gradle
@@ -2,8 +2,8 @@ import java.util.concurrent.TimeUnit
 buildscript {
 ext {
- springBootVersion = '1.5.13.RELEASE'
- springFrameworkVersion = '4.3.17.RELEASE'
+ springBootVersion = '1.5.14.RELEASE'
+ springFrameworkVersion = '4.3.18.RELEASE'
 jacksonVersion = '2.8.11'
 }
@@ -29,7 +29,7 @@ plugins {
 id 'findbugs'
 id 'checkstyle'
 id 'project-report'
- id 'org.springframework.boot' version "1.5.13.RELEASE"
+ id 'org.springframework.boot' version "1.5.14.RELEASE"
 }
 group 'org.zalando'

From c20100cd6024f2d56abce75cfcc7e6037c63ac95 Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Mon, 18 Jun 2018 15:44:48 +0200
Subject: [PATCH 11/20] Upgrade jackson version

---
 build.gradle | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index eb9f165c32..be30fd5a2c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -4,7 +4,7 @@ buildscript {
 ext {
 springBootVersion = '1.5.14.RELEASE'
 springFrameworkVersion = '4.3.18.RELEASE'
- jacksonVersion = '2.8.11'
+ jacksonVersion = '2.9.6'
 }
 repositories {
@@ -179,11 +179,13 @@ dependencies {
 compile("com.fasterxml.jackson.datatype:jackson-datatype-json-org:$jacksonVersion") {
 exclude module: "json"
 }
- compile "com.fasterxml.jackson.datatype:jackson-datatype-joda:$jacksonVersion"
+ compile "com.fasterxml.jackson.core:jackson-annotations:$jacksonVersion"
+ compile "com.fasterxml.jackson.core:jackson-core:$jacksonVersion"
+ compile "com.fasterxml.jackson.core:jackson-databind:$jacksonVersion"
 compile "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:$jacksonVersion"
- compile "com.fasterxml.jackson.core:jackson-databind:2.8.11.1"
- compile "com.fasterxml.jackson.core:jackson-annotations:2.8.0"
 compile "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:$jacksonVersion"
+ compile "com.fasterxml.jackson.datatype:jackson-datatype-joda:$jacksonVersion"
+ compile "com.fasterxml.jackson.module:jackson-module-afterburner:$jacksonVersion"
 compile 'org.zalando:twintip-spring-web:1.1.0'
 compile 'org.json:json:20180130'

From f05f246b6f367496f964607c49f6724add819e23 Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Mon, 18 Jun 2018 17:56:48 +0200
Subject: [PATCH 12/20] Upgrade spring-security-oauth2 version

---
 build.gradle | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/build.gradle b/build.gradle
index be30fd5a2c..02566c7c0d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -97,11 +97,6 @@ configurations {
 dbMigrationCompile.extendsFrom compile
 dbMigrationRuntime.extendsFrom runtime
 pgsql
-
- implementation {
- exclude group: 'org.codehaus.jackson', module: 'jackson-mapper-asl'
- exclude group: 'org.codehaus.jackson', module: 'jackson-core-asl'
- }
 }
 findbugs {
@@ -129,7 +124,7 @@ dependencies {
 compile "org.springframework.boot:spring-boot-starter-jetty:$springBootVersion"
 // oauth
- compile 'org.springframework.security.oauth:spring-security-oauth2:2.1.0.RELEASE'
+ compile 'org.springframework.security.oauth:spring-security-oauth2:2.3.3.RELEASE'
 compile('org.springframework.boot:spring-boot-starter-security') {
 exclude module: "logback-classic"
 }

From 9aba22a5a5cb0521b425ed130a94ffe4eeb3db3d Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Tue, 19 Jun 2018 15:51:55 +0200
Subject: [PATCH 13/20] Exclude spring dependencies from spring-security-oauth2

---
 build.gradle | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 02566c7c0d..1b051caa2c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -124,7 +124,11 @@ dependencies {
 compile "org.springframework.boot:spring-boot-starter-jetty:$springBootVersion"
 // oauth
- compile 'org.springframework.security.oauth:spring-security-oauth2:2.3.3.RELEASE'
+ compile ('org.springframework.security.oauth:spring-security-oauth2:2.3.3.RELEASE') {
+ exclude module: 'spring-beans'
+ exclude module: 'spring-core'
+ exclude module: 'spring-context'
+ }
 compile('org.springframework.boot:spring-boot-starter-security') {
 exclude module: "logback-classic"
 }

From 09c72ceb3d014e6c5290110f19d1c93e12b299c6 Mon Sep 17 00:00:00 2001
From: Lionel Montrieux
Date: Fri, 22 Jun 2018 12:16:57 +0200
Subject: [PATCH 14/20] Upgrade gradle to 4.8.1

---
 gradle/wrapper/gradle-wrapper.jar | Bin 53324 -> 54413 bytes
 gradle/wrapper/gradle-wrapper.properties | 3 +--
 gradlew | 26 +++++++++++++++--------
 gradlew.bat | 6 ------
 4 files changed, 18 insertions(+), 17 deletions(-)
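Review bot: The three `exclude module:` rules added to `spring-security-oauth2` in [PATCH 13/20] (`@@ -124,7 +124,11 @@`) match by module name only and leave no record of which Spring version is meant to take their place. Scoping each rule with the group, e.g. `exclude group: 'org.springframework', module: 'spring-core'`, and adding a comment such as `// use the Spring Framework version managed by this build, not the one declared by spring-security-oauth2` would make the intent reviewable. Any other Spring modules this library brings in transitively are not covered by the three rules, so it is worth checking the resolved graph with `gradle dependencies` for mixed Spring versions; that matters for an authentication library, where knowing exactly which framework version runs is what lets you act on an advisory. The enclosing `dependencies {` block starts and ends outside the hunk.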
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar index 3baa851b28c65f87dd36a6748e1a85cf360c1301..91ca28c8b802289c3a438766657a5e98f20eff03 100644 GIT binary patch delta 38633 zcmZ5{Q*__Kw{L8-v2ELSW1GLQvGYyRuu)^%P8zd~ZQHh;-rjTXy8mmm3#w zu>UWj5+C6|5%E)G|9$pKhx?zsD<8eoD=09q1$ZzprbISnoJ1-PBEWM_3+)qYEQLZ6 z#~K_~7KyBX(o9_*Bxi%r3J;YfY7WPhk2TQk0re|sl$~+|xBUtAdNs8>1vfKA-RE@` zm=O^d(Ef$t^erRHHFf28x&X!BkM}2QFryw7c5yHLLDO*souA*t21%Jmb^59BQsZ~W z5|BtzEDd@zyE`%a5rER7@2%83?ICn{8#>9~BnCT%Wn0@|KXekmF+@DIwypVj=dySP zf3>WlU?9VV+8gSOmY|hgMnmH*#LEz(`GXr%jewSD6$^i?41&>T#$8HxS2A3R#E?(d z)il;*irKQ0oY|a~hcKg?qo+hj$(YmK4JvkYWM^>RVf8;j0%Zu@0i*}zzCp}y56zQ98k!spCSfbufqE;X&o^biVZ z0bYl(wxKHfn>Rqox182`p~T|-F<~{OIPN@lr?1-#vMW(d$Wx`e&4^bhx1{LkVT2w3 z)<~x^F+9+Ds3Fr-RcK*S9a_ur{Y!5_AW961%PQl)sBN3jHEiZdCR*NLRcH=U%r~Q- z{NVCJGChXtiFpjPy+2Lpm-}H67`q9CmMT3m&pM)0%rB#_h7}a>DH(E=&T1)mYTWA?lLY%PtqOOjy&wY&O2%5Dl1d_2>b2-O+n9b5W zBuk%68i0td9&+a92x|_PlXZDX4nY^?LUx-oOGh$xVJ-YPhG$}t>*)Y2)=v@N*bHl) zy7q|oW^eycBT*Gjtu5H7h8QY?D!CFpN_9%UX$`0=^n2X2>`msCs^w+poKP#|Qp0qA z&89T5KC(k(*r_?h#^;bShUX^asPg$Z-v-Ml0^s)Y1KH7#9<{sw+#<7$70W-eLpgi0 zsfQKEAzPja%x=0<*SR@nQZGvR+!E9BZ1!rq{yjeA6g=flB zc;HM4-yBR;BAQQ0))b8;=OVj3CB*NlTlfu~uxz@`IYo->0$X*7p94W2blq~IcO_Ed zN`UCvegpC}(Ue0>?X2|+tAFlGE-FN>cO!AJey~T7$6rb8UUPmoljy}jiS;=1M*14C zLGiT9}FTie36gu{TkRrV=6mi5rF9Ua|y$>HkzzRkcL>@k4d~6`29Mao}9Wb zYV^wjd#G;`hLjuGHxKzVhGJKWq=aY@7{KT=^~t6u1>uwiratlCY?A(vO`5X^?IvwX(i$-jd>m6@OG`((s07Ra z=$+znYu9e|-9WEn>u5#f2pTUK`Y#AXW!u{nP`#hVBtLpt{(jzJg|p|IvY@K4s!8on zW%nW_=;s8&foD+54xRY@AayQt-RBM_&LU$Ca6^AmDsazB<=pDkg;-We7LlQe4{u3K z7*i&H7T~>lmivVLPYL~355>R|nZQ^7TcI3v;&(-b00R^Kx5@cmh4L#ne4-M>7a&>P z&91!_>7G_7-FKR7y(jqFni?;g|Aw<{Av30HcHWN7I)2N z7xh{O?+Q#)9Dcz+&G#tB^-9Ro>hY-7NdzqEW?348j{wC5XAz?nWKKi?Z%1RN7diF%&QzAlbBtPO6Z@546F9@4=zY1 zX{HZtAPb}6i1?e9krNva#{}3p)KthjW1x@WKH4Fz;4wYg9r|b=Mn`hJ+7YI){D^3i z^5Ilyyc?cH?CpJIBR3w7BvrEW`|=(U)yPi)VPHT;AOW-D?2=pnGZr9opG_dp6HMS) 
zjY-+P+sk%7rG6l+lr$DQik{Zn<`W>KEZb;Bxwu?s01`U%3mh-ag7upQ!a|BNeCBxo>+-pPNnrmXJKVC z8fCpFknxvih4JG|4s-XFjT1SH=dP#J(t-Gi-=l|H7I#;_UQk#347vZ(VZX8v{dL%e`ji>saeJ=~ zbHZN^Pj&N)GVa-<4*A(dzbdOiz)KF%4u?-p$!U0;Q5LTr#%$|uYU`CseTt;Yg6}pn z3>XgJD}`{)6h$?)+bl{(F)!kM!98)}?iU+S;UXjKA(ILzByHUdWFOD`Hlz2;q6nC`9Kb=PhZ)l;r~ARY?Mhfw2?`^``v zN$^Pcs7Yam50f(*Ud-c`J(g7s2na4C*KVTTj$!q!J7y!YxU54*G1?`0ZTrP4Yn->ehvffRzXwWlcF;? z&Pm_PXzS8BiIGMp0hhZ;`AiZw7Jj-V`RJ5**Wc4!ax^DbxW{&eQq{>BRaq-+02$h` zC+2*oDecKJMS7dungB?tWL|fjj)BY6TaIs11?GK)QmG5Xm0VuXQDL<;;ktpk-xy?Ir&0Rz4qfvqts>8so_ zNaSSysm6FxAsp2p!c@r&?djqmq%h+?#OgNtySP(09Q&rHPdu&a`S~jo(R)`K3_ihq1 zY>FxMTBqb`N=Lhz3JYAdDi}8`6tRcg>Nt1uI4;=v6!k#9Pc`7y@;h&fiwLddSk*Bc z&AH~cVGh7z@d0T8sffgpI7#15#tsyOU6#h=%!A9l_j@~C98jqfRURJ zF;%C%0JLIIQ#H0H>;8Jk1*OGg^#t-Qp3}svnltl$i7R}=pi-*xqmO!j1G+26W)f3j zBrCH?tHP!EE;(`XM5faCo+&2rEVbW?#kZdRr@e{BjjF3D&xtWWkd$kwA4R=!hcBo` zlYOc=xdrwh!b8a|tw7xkRIrBC5|v%jDzOgQh3_2bhrMZ}^N8$73qVkvDHUH-P8vk{ zUc)Jo#4Ly2Vc8&q>6y7pJY&8~;WgNg=oKIK^VE}m%+9Qq?h^Y=vEF#y`UhlzHl}~c zF)l0@o5>G}-8woTR(2pK0oTAm?GT)W<7y3FiI8i6jg4|z18HMVstjHd0Vl$!adrk{ zkhvUpWq&1HiH$tg&TJlwraz6^tb~_tP>GE!Owm~$e}geJoo+J(R|!3J0yJaygX5Ry zZ~Mt#JKd;h&v@@uqF-O>9e%(LNI;~jJjBKz#S+HGmcmy8$MK0YGKKVFlBw1aWxhR+ z1t}5^bB|cA0d92glKwn;vTdsDQm71o3}&Zl=e~vXtecdKI``an3k4cH!5KwWld7n+ z#9afH7g=GFY6clUW9oFZo-d>2G}RLJ0Z3EnW@{Q%Lp#s| zamEBtSLlf+ME-nxMm)XM(F|-4)c?UgD(^($@CJJUVo2QWs;}QC){`!MWL3DM*i*4J z^)4ETAwW!>RExpR5XhDF0coyeQ+NBP7K_0jsOdJ9xLZ2lf~pPn8BY?9tdnNGCrSDu;?q~w5u+vXe`I=a@h1bM|@ofwJGihpk*;<@n| zmHrkJKnrTB!{|@l%N1ZKW@SCx9#{<~cGE_urh>KUj#ev_z@{?C&B{A#ltdH+C}Ee- z86Tj#XjaS>4Rv4m2J8Hk2q$-9vAoP}>P%~F<*;O7@b$rN@|*ga`FOR5 zvL=?mSxe_Ml~;}O`)HhYHe(EW%|{u{(o}F|_>x%@=~6ZnZkum^d&Q+$9T2O2d?IInYE|gUt8g%G6SEekP<_u$=k8muRUtmu|G?DaVS}lzzN6z`#*eH z)*{e(2(E+zROYy*FOnuAjK=V%XGg#N7_RMpK9V!n8*bYWia|YBgY0mLvZK&g${dJQ zLp1FRr|CX@m+i*TcYSaCPd!`lsbtG?ur!N()O4CKZfuPDF%9B>uRA#EOKR%BX==2% z8%gCcVYL1*(I3(bY0YCA*+7Z`F0|y=20xk$iCfH=93`NtmqUo;Qw`gQqT215Pk-qW 
zHOM~*7Dt`SRYPPQDA3g|kQGzaaaS2jOd!u2hoj?0m36_m%BA`YY>5%L6~J%EH>dB7 zjp2A9IgzvvcR&Q3}e{LT;-b*gVC(78(%x9MYW-{*-FKb^2JUHb-2rw9IoY88ko6H_cZ#IVfD{t@CT&ZCX!nKFVo? z>o+Vr%PXz=+VWwx2i3hd@(`rzp9+UIqw!PtxVtLhTucFH*+0S`&!VB6MB|_uj!!#- znkO0CbB7jl!bZuL7=Eh6fpf64#; z3Y@tIkH#QlBOHW^WqpRhvyq9cGMAiYC1MYzaVAtrJjLV<$}O=A$eGWj zc(9AuL*$KN*+J@#Zg@r@&cku`%XZ!RgV)m%2)7Gv+N*X6@Nkt6F?hiS1fq07k_-w& zYQ|u&?7`kJiyr`FFwY%$yIe_+vyywZ4cQ`IcpW#Oc_w_IYjx~ z82N4Z-Vp_K;MO0>&uo(oe5;|fXx^64fR;ihp{C0H@J0uw_Bm!gn;)gtg=SyqAy`7L zK&4fTJ~?6Kguhc`ui&9!pg~?HlEAmDWI!cTvAjv4e-(5XsP;>X}mu_8BtI?LtuaL zVhJ03;1L2NX5We^{4`?Ypm}4pc}!^sS8_y4NqfHGPzd$Nl49(ie(P)(@)L|w#fa_< z#?&6hPpqOD)1d%YjqIfPMznWx9TI(~&Y~`tJxsXwo9(c3NaNN^l4!-`O{=CG`OLe_ zu_TGOz$yAU3f=iAqHQRmWhjypRPc84@=)~58*cp+g{TrH!>&rjC3YI*+hB`ac3@W?p?XnAR9NjtRA>cP z${3!|>Vk9x|ERFyl%|^Bd<_v|!uT=p@Tk+tHs2$C7H!x!pUl22EYXxxEKYLJ^uf02 zH-+9zazykD@18`#7kVoLzk}5f*H|eR2dF6$QH@7*Rm5WSh*>OL;8LCAt{}SPZnO>> zMI_~_C5Xi6YLaW1W~`vZw7>s0lI?vK`JbS2UYTVh{~rxJ`fsrPKT!GA#mU;m($!TF z{sgqpt%ZSkaAOz`za=!N55F>udsWY85cJS zFZvMIv?Tj-@VzK~2c>k62C3^W=e-c|#o6#Kucpcxtw048Ifd0C2Os&>FqgT^L-M(F zD{6GKsStxEjxNX2-+8HRCrZ{ns;_<>zv59_F{hpdy2FqBw~lVHU6C5 zHWa}~crHa-UZ9pDmJZo?F20|y$y=e#Df&b8?GLwP-aHp}b;JoePnqPH*$L+c71n#Sf=!ZLre+{O#vr?Zs zG9rFA-L$%3wum>V>Z_m!X!m_tX9qfHa~J!pBH5kM6W|s=e{L2KV4O~VTGuma>q$D8 zFBX+C(Js)@=1pDtJubE*M9B?lElQwvy=xT*E(Wat5-5tkCiEv>ghQ^B+b5S9M@`^tHhQ!-I{*P;GG#eKt2O=_0UL^u7Ay-aM1 z{4Xs6pvAyW>lG@au@^FE#tkd{!ZLaNTVo|`b0U+sWBKLVEb=e!G3TVA9YuxtQtO&w zwY=z&GtD()lL#8PksJ9t2mx}jR1XE$lr#BK9DWn5J9^b$*hH8O7@~luK1k`3#{wvu9afgw08LNMQmz^14kJu4;nlCrPL^^w6$+Ls zEo`UpBO^N$^Gmwqy2$n}VH)Xm)`kpaZ}TK1>EqQ(_wiF26~l626b(WQ-{shy*F6Xa zQk&hvl2;AtajYyhZ)|VvH&TN7+#ZDP(TyafXjlZ~74(CK7UNAhF^x7@xX#+%X3h!J zfKiyRZ+(9P2w7PpAR(mfY+$-Woe%}PUqgwi*OYZ%VY{5tWH>clj71#=S>|l)GsI6_ElY?5Wo5PF=o{=4Go~wgAzp3>x zLH_PT);cx4XEH?%C~@rJY0UUR_PvDMC>x#wCv-h=vMOK*UrJdQ+sIMQdeJWZU&Fk` zgsJIs@t_w&4L#q7+IcK%a@Eda9!gfAq;;sf6!FOtW;j*@z3#EvloB?h^rw)6YpNXf zHX3^z-rf-P%f(63IE#DKXYn!jF|Gg)mPri+kpIPF$}p~R@jRD_Dm{zBF73DEMEtK& 
z+<4*q=?ht0?$OOjh^Z0v^Ab1n&_o_if6fCjlH zB57|j6mH`yq9Ke`F~Iley8a#Ie1Q7AZ%&Yng3FKCI3fTt#8I+UE!NBc0MLyKur~Tf zW%CfxrWnbEyM71tlPAo1<~gryiptbZ<_Ap*uqq?pa^tED5FEFMO4x4Rqwp`R`y+lt z9j7~Q(X{qo)o*e3Lf0>a^?keC zzA+$Aw%Lv}U{AIu#YPZ*27Kwgao5z~Q8;Hj?wFf@zine$n$;~lpuB1@<1eptM4f#w zm=LyxZ$R(~4M1{m%4*~*LHHe$7XPJNYU@@!`pB9gw^_IT{2Qqv#pAln#9fJJiH@26 z?YHs7cw@zqT@|)$s8CT5d9Q2Ln3Pt(+00l{*)Jci#dA%qBc;V72Y_(U!4L1Z3<~gv zb+Zo+e_pSjR*1N-ls6X04+I+g|H9JTfJveEf%12dR0(nYX(KLp$vo=Yt_}>tJYk)w z_lKd`OMdv?Un6n)I83X=TJQH@IJM%J$e`DB2UF}%5U={BSUbo@5tHMYp5uIq3CfHV zuz!XL<{VAUm}~H)09-?5-kow+Q#+Mp0OI?ROsU*MX`eve2lH!-iONCT7@X{E|n^}mcqI?o!P(KSK7%QV-_y8}<&grz398`6ibKjDnE2w864$(@+5S31|t zx(Q0Z=}ApV(xF-Z{ck$J|0Zvt%6&Er{_*~*4L;CG5dTdOIIFTvEJ64u27CbnqyMi* zDz^tFvArK1$ku`N!(77qEArF-_Qn3YJu5kq7#NFvXne?W$b3EW7YhP=b2C|Sl$Saw z%ItXMXe)P0BDu_FH|h-zIT|_rm6*hzlZ_|JPn!%IzHxs$1jc^31p*(?A{%d;ElY1k zIqy?_ap23O+~vz*9h&z23j4QeZJmleAZ#iOgWyyKz$=ub_I^*(<;fPiwnr#n{cOk% zyHi;zxxb?K>|lpLqZ8dp?b-^P3+0)KzIm@Y;b?9D)}yUcV!*%kpZbTec{0>NdAvcN zvL}SFS!ss7S!#wiN$d4>0Dt5_Sg>gOBfw8oib%MOJPQ7Wi!K#)TvhavMUtz14gK;W<^7x_ z_?}>KpG0Du65YK!q>b&TwCd7g(0w^Xbo)dQ;HN&&a_s=Ub+gxz@a#+99Y->J5KbQu zLQ?q*A5gJvO%HS98njCEagiNgBk=~){)&15oS&WW&$n3Db<}E;qVZLbEcH1H@!=EK zsnze>WQt0Krz`6F%;L}P;YpBcNN%ohEpHN?oQ~g=d#FBMo?YUPi=|Ekc54j%N~!QgU*Qw!lOqE ztZsSn*so25uY^18w2xm?s)xgcKU&cafxL??D=5h01_7vsHb(o0~!mu}irL74L zF}|^X&H-gArVoqBFDLTa<3Ho&*9>e+EU}Vyond>*VJi~YXRWBQxmM@;+3rLB6l6JW zjNC*Y1jX!K7#eh4K-EO03e zy8>xOwSF_D`5#nntKPOi!e`D%>ZjuD531<(d<}}Sh~kV^+0!!taSpC}MMm7^#eAB? 
z5^Q|7<5(z6GOU=hlY3qv0)Dd+@tStBO~QN%Iu7(7w+RAOr7>SOR^1H8syHtM{N^L{ zGIYqaZM7b}HbtS&@WVQvjVoEMnd zMp2y2s_04?IxHEwvBCCz8Ldz)3})Y};`C2KT)8pjx>Su&Z(6<0jBf`i$MT$BXLZ!K zSW}}~=G`8;)?EbwUeu`W6Jej6=J_Lb7LvKSi}D%8URga{HKrl$Nhle!!gMS|I|tP@ zCT?jXZ>q<6Hf=k>p)F<+>YShSUz>UwRw55~qsR;MYXm#_P6- z2kWDWOMl}WBnoKT==Xt>*X?8S?|FsFu%h@(dqKMZ@vzl~5*`q`=E|+FQDL_*EbXpH zr^41Y`f69+%*Dx5jhpIzw>gEWR<*%V$N0+_su6_G=(I~Eek3yGdJIogaxXm(ntOoJIUm=ktbV6g6Vg7`ZhSlZv zU30Ai6B2k&ecrywZ;;+^2$!gb7YuS_`;cL04cRfa2r#g6eur%-n?42C{eo;$_oADJaL;7EZc}*v{3`P z^Dy4OiWW%jc~r=0c@*@=7FBi&w7AN+l}%T^)!8GAwZUj9njJuitLtzP-m92AKr!d^ z;=AZ&4z%NSc#{2bXWHnDO<9~VL@tw}NGXKRtS1(j3GQ-R&bSrjKq)T*%tUD_W~5T>TVnLi>w1+mARd=g*Jw4nLkxpb z+r2fFJ(MPYb3m^wWTzS)G#iWJwCw9Nc6c>4_v%(18N23Dp-t{4z}wSWEF})ra1X`S zx}|P>xMk1#YIAX0)zd{y=o(}USaw`VNLe80hh z@Cw-bLs^sYhhwsRv{7aIl%u%{`hMb|hMIvE@(Zbb#I)GF35mM3Na8WR))lyZADU2m zAkea-yS~8cH8tou4C2c$Of&9|Gpx?FVpVt+kgSFz(sjFZ^n<`|wla+6UrX;7AXl0P zS*zy>L>UU5m9lv#L_c&1{@~07K*>#5@UN4X%~L+Q*Z$Tc{#2{SwkMY;Z@8^LET{Xf z3?FOFSEPM#-suaGvF)Lo6w8wpN4XTwseSkq0pp(M7PcTyHg``BhvKG~r0M?Xw(mwi zH!6sx`tIP3<&F{4CWF%s?*AZO*c3aL+C32qM4rqHit6I{UW&yeHm{${O%xdW02q)Q zeB1lwQt)_;mSp4my$BtFl%9y5ZR;(q>kOr=vL)C_tU>;vc<$=Nsq(2&CNpwXxPMXq zC&!c+4z-Q-AFrTM*qCE#x%DF94DD1t*w(4b0Q+oQ>^FZb(vH3lr2-Y?de-&oGpk-f_AlHp`yvQ za)HEP%=iQMeV{nN_fnBP9SMD0kMAhQ|8eC_z!$L2b;1)5G2AE7js(KzbNruvslG9#dHH~vFgrQgXv!;f9#XR zcXEVzjwE;v-4J(bQ(oB(yxoASKIb8kI1Yqg?`Zi!kt83Qv-uhH$MxU9`?1H$46N`9 zQ%#uTPYzt4d=bX%vo?P=AT)gLR1{=h1iI0VU`jXz^LL`~yNjkhM(YF|cG{OL!0GD^js1r842LZ8o80mWD^I z$t>Ps$8>I%1}wRgzS5K2bEQIsUs=2Eb*7(|DqZ{wW+sM1W;!g-WI<~ALf@-osHtXKs8fPyHTw4W}zR#r&lMn^>8-gjWP^Lb|ET=&l5(;F7-z?b6dV z`t>&YAWfop#CcA@B3glXl_MdgFU)$R^`Gg789Ofzl^;cDS-Rdv&1H-{^JKl>KO7Vt zX{+GDb;xt6f@9S{GAfs#U!@!h5I{;vZz-d`QhVzVv-NMIDV%;gu_tE&T%bSgq zTuju6%FeWO3l^ZwdsKV~2GXp-o1bhT?pgmD`yUSBr40frMZ!#InlJsKY+J~Z2rV?3 z3qynAOSagsw&gW{0873Iy#cTzm)-S$c7=-sCt}Wbc$mRqs|j+3SLwz3ardQD>b10} zg;VOm!_y>cF5CGA9gW001%K^5Cfo`5s0qHtOelvt&c$i&E@%!%VPp8SPEHNGNi&eF 
z!NM1F`;PI+QL9KHLD)8J(yPvZ;qOfm7pG(KIvBJkWIMF@m4UrGCAsXI% zOkCp5YU>f8j!HiHt2?%jbSjqOj`AGPZJvxF8+{H9#^h@Gmg!ME-nXWze$ZVyi8$cB zv`aK!w42i>18lU75{Dr4{O_nc6MoVgkv967>y2P<4huO?4#h{w`X}CJT0TZ&@1bbB ze~HfzPCK66(U_)}YZV;Q!sIvDVp24oIK|5)z3_K5$k}6L>Cv;LIo;t`=jQFjMAm4R zAPLz1Xw~}F_6e^edavIE6yQ|1yd$I6*BEsKFUQYI0gXxZ`v|)-%=uhjPAnN6j0a1i z4^p4q3OF?ef6!HJe3gE~(o)Tn{Gzzd`kjCUieW7`5Jx!fn+@*J4qg?Z9!F?m)T=Jn zSt&~vT&nY2noe%dSw+PKJiS}0Ge`2M4v}IF`d#F;Wfd|RI!e_ByViHE@A_}_4V{f| zp%%>sNwB{&j7Au70c@Oz6ZaYWLqkj(t;{E|M$uIyT9JuwtQ-X1f$~!A2+#) zXO);tL2LWog3Gud*6e~2u>3DhTWClU3p+%2go{jPIFfG59F;#K=D&sTw#BNV`caW{ z$j+S))=Ta~B%Nya*(Uv-5yw{M)tP9>CTX(+PDnaM(c4EalXxn(t|Bxrw2p^l9^yAq z4q=ai?irEx8L7I8I=6-pt;!PIqTx+EPLy9;m=r?io#()U2QZol&L$0mB3N-VnHgOS z$Tevjtd_f*3jT6;cFl^w6|(chGG6XzXX$m7y?@~T&j&ay1zQ&$6AY}14h)R+AIC)W z|6GIcei{c&A~YQ70(i{&q<`vSWhs4^;{$DEgC!+IA^JtJ9jzP_5F7dhJW0hW7lU;! z%r^8IncXEAH0u-coGTHVY8;v}o0_7ox`f|WkJer{&(0V=a(%6-6ZgqUe;aqdO|)b^ z0F$2GaZ8_%_pXxv+8Tm9;z=NNkS2ya#yBGwf)gAhJ)*)TS}dry!$!R8X$al`jbYMgYA!$Af0H-jRmNLmJn%LGKc=GlumGCiUUG0(VC7BVOm3&;!neiB3?R$ zQhl#Av<*%i%C!MA{8y&b(J6M&XmRK?FYa3UIHw~_{%{suGYWLM78slAuf~12Z*58e_VFd+ zJJsN}J5#iNa)I0o>I9l9^Qr(I;7VIOybdz+{%33hmg?gU)BQ z2~@kd2^SMbfF?bI2Fps1!s&0l$fQU5rv1ovRCC2txp_-8b}laU3OpR%XBg<&Ap1o0 zrA+mDkB#**Q#HY#aCS2j8KB{-`@E%7_U(V}p{xO(8QLP$5GBKgdmjoA8v(lrvz9^*VbSww|xj!%NUaOO&l-Hp+w)EAzPlRZD`Dt!)NEycS;V5LWp; z(3kQja+7Hd%}u+9DGjN#fYmAXPlH038l8I-u}bP@Uq8$z{>}(Wrk@cK8C#!j&U_!; zT%AuPumlkWX4W-RPQ$daLZ-|zdTSHyS;{!Q(DcPBo@{t2=kyq@?8w0|)W+^A^odKs zoE}VF2BL(HqDas33L@qtyIqqY&VEs;u#jg-ivR=O#AcKAL%Mmnrm{=@F`yn91}S zWIj~H+jH&mrsg%37P%o}DN<%~t>~fwGllK@DsuyBI%SmVkKW+kH)AB1!Db~WHY&@f z_|NEMNx46+*z%qkmvlzmCA*1R#y6{2>;=s2xLnk}kIN}VPD_?p?KmIW#E<#toq?E#@A;=nc z@8J({gz)qbRg}+)+NdP#;-@PFiS+bgcvw;g%Dxe7}1%>RMs}yW)jGn z?i-tuCzw3=J<)1QmNZA$lZ^_1RLxgx|GZiBQ}vV5dyZt7W4vTxnWZu}Y{Tl=!uvG& zw-;Mh;c5hRZhz%sf46G++|n)t*dt5^F6(Zz zw}MgQT^5N@17!3GCOcaO)gsz=>}03?TJj24-2Hy~i0Ltet)klrzo=25<<@~7i1{5m zziY%n>nD1!_JWf9yT`M_4|j`cLWmwv=WNwJcsm~Ag@)mAk{w{8D6wwfntQx+2o-M& 
z6}NG8c5$Rlm`=?1>P5(ZZ{(yPp55)zvD&RulI5;M;3`tt{Fw~rP8t<{PfR%b?~m5| zdHW{){Fm?VOHEgQ>PDY{J4mxSSWV$!Pj*8WakAOYM3Z>90pV;YdXawAN;ljd{;gdZ z4PmItZ>fe>c%}m2;TS|@Jb3(^ytFRT&YirQFwyNbk)W=8W`|T_+ocDu;aRf{7n5)g z0xfM#=XK`c37z57Sw>DDn;N?|A)a{$>bjXz$)()VvXeGh% zrs#4v4ywKQ{<1%$N!3j!WT&Jm!e*&dC@Me~a8vaqr(_2Ptjm1sUXk1>$1{EwMg2qm z-J`WP-+9BAWZaqPND)S`wINW5rFij(xc_+AIV*@Wg>pgExbfQCN+vNxT4)l6W{%e0 z5g`07ztw+l9u?UpF>`ED-z$Ho2#`7O#Or2sVY1hF{RtFYt7v|vw|*YI|7*`E5LlA| zaM;^7h-l!X&%fDG){>iwXX{WovLk?Q^DSAPWQGLmQ}n?2Zh`)9n3Ke=pmVQ`X(nF0 zmo%tl`@Z%M9@w(-xHA)iDV?YSKEZ*&6PD8(Exa>8C=VFOom`)NCYeULFi&GD7}SpE zCxQkWFWho?gctP1c3A5#?8LOXde}Jv-B+x?cLBNWC3vROXs%eSDDDEaEM>ON_1 zl=g23CxVWeOJcn6OJt~DCP(0*OZ|HppdI_ZZY{D9hkf1|I&Kuxcps*1Cmj52x{idS zZmFSn2$3$ojIfe(_zn(R(k-h8#v8^DhDp$y`>DLdUkb zY37pijO@>_fzE^Ag}$x8nOkgJ%&|xyD5Df6n9@919%Y|_~=E?}rm=-i9&_xZdwX&f_z&6`r8Tff~XEro7w z`5QqzsK+m#&sOs;^F~DdSxG+m(aQ=-*vfL1Ceo z_@s4^G_W^`t}bKKrQLLwPxkSqz1teE1JcqT7=lWV4dXxNdS@brh(;V&S`tUqB>}&~ z9vZJ+yT683auVWm%t`M?nErKErwj-ZUQj`5I0-ka z&5HpP5!ME_%0JPQ1Su@dbKcg-C;)_cKZl}w4RV+uTQ*z}=7x=&H-S=w>YXP=!S8Nk(5nbCF{RpXazf&TW213D)wG;L{4A4YY{pG9`yOmc6HqVg&yi*%`2kG!@%(g+ z=uKTWNUKr8jC-k9jQ9=A^ySM)4Q~&X{acg!v3u<32u>L~QG{-Wu{WD@JEd0^y8%2&DkOw5;OkdZZ)1E`S$p31R(MjgtsBd^Ibj=XNIY+7S?y{SnHLaGZRJ#b^1bwE3;&d z==kNBVEJNTQlK6-RaJ(>v0n#_;|-yduy}hFJY!XBQ)MngNTG9YXoll6L7dg1=$Nj<2Udlupu)SvA+`Hq%VukT#~VFhQY?mm}_5}f{pu)t?^psHO*KF5?oaveJtio zX$Hq%+YyhkQWcmeW<|ozZz#t+WIgs<6(g{r(UQDjkWN(%_F?nDPH%=6$jdwLhLxtz zL$qP@PrRi1O`FYi1_-yKN{jcKEPdRA6@5|YI2PlFYrs)UAnrwBv5`D6eZ?7X$1orf zn+m^@=a<|H%XC40rxi+p8RtktFXKw>sd<@5R+-U7+ET>JYjX&t+O#fjoKT-}NeaBY zJz~=j(s1$gX?J;UJff=@E#wRogWjdJDZTJ$N z-PXAx6P3`2UI~2BbYK`BPW&>ma02&G?CyhugI0r_JXBUwRgha@*O?sr>fJIY4rUf$ zw*xVN)74o#5fv25x%WACBPbQzJrxxi*2bl zlE>*i9YT(fXdt~>l_*_<&9@VEw|$rY<3qg6Eb-SM4`9XIrV@Sg_xPz?Q>L3RRV^75MtCnaEj-7~?B}VqZU(tbZ_Uc!Hjz8Y{&BJqmQ5u5 zMKD8j;KsuPsZ~6jGYZxeyf_f*;NK|qHAIEP;i7PA*kXt3m@v#yDsa?&-VAUmQ3A0# zY(LXZ5 ztMtK(1i%tIz>}=EGqty|Z}fQrmww3lhQ{_3tT{LO#Th}jFlUHu!H&OgHwGCMF75Q- 
zxBuMCteRG#FA{l_S?YI1HkEI$gS{$fMCm<|14XC^jyq$LAVD^vU(9xo zDPVECpDr+Q1TIV0s;}p0-i44mtT#1^hb?<;owPDto>mXGd_q%8h{Ee482 zTh23{`s*H+XuHyv7;YR-ByqkzMywzxfZk?7N~JYb4+^W774I-ecSG_(k`{Y#DeZXw zqKKkEzbA#!f2D#9>0uRe?&F>3Fsse$d^=;oyB4m4%MdmcB!@U(5yrXtwF5&lOUM@x z#RQNa&;N4`@i9vXlt|k(Vj<3vPW^!Y;q`X6jkx}d$osi7c=^VL&YoC@93cXqaw$Tk_~{<3Iq~fZy5lHkpZ_6^e?XO&v-tkkzAh& z-%iv-K}Qz~y67g#4L)0G;X*B@2R`4YWS(X?y z#PNmr;ppQk&x8MRNiyi)hI-votsx*uJNFMZ`buQf_mu7IJ>^r-{`hZwEE&GwRCML4 z>sm^pYUWE*@_YVa_IkkDI(O5@W1DD!CC3Y%rHi{|E^n5i$H^7gLzX#-u=z#0z_K5f+`+hIjf17Ge=jaij{{h4(0$2afWs^S^3Dkdl-2{WY z0{)+C284zG%z2EX>cPsjgHXF^iL-QBN-@FNY z#Rueg|E|_BDR_K1dEV*Dc+NVQp3?2U&%-o?tjGUC*lR!{Ks=acIlmSAsW|a-KN}8O z@eVMfE8=B~z;Q*&d+3 zAXi5Wu?$jyAzeb4m0q7#M$0sKOjJGzDD9(QgMCr&uwa$mgyJz=*?$wV z=BhE7e2Nta(HTRh-P)`;YYSGA0S%bO)1X{ik;+R@b{$nywcJ=Y>&5RzQ*9gskz3}{ z0VvI0tbn0#tZE$*R??4>Nx4<8CxP=@vg-8TaT&>9pq)PbcC|L|UxKNuz+Z_?m z#AbGfo;1<5gYcd{$HP89f~CSCXI1UUgpu@srvl!R92HhnXoFZsr*refvjUdvCXyhH z`4uCoDp+d?58WJllo~Iuz=-LT^2^vJZLze)dDS)Ph>_m__r%4}f5szF8&KO)69`op z)6^MGCNEgvqApcoKWKc5GgB=habe1j(f+L;76nJo*-Js&d#X?w4~HOr+Qam%qIKfv zUY0Y93NV)5a<2-h*He2`IRkXxFV(X*vhkI$&Ff}6ev41oB-v1VHc4LnrY&YREU&M~ zp;4B$tiT%~16SOPpH7|yTK~NmCK*@HPFW=JzDm?pR{g1qZ8-4yrO$F0)FwebWOHcW zI7r;4(U}><)+1l}5t-@Dc*j(|Ypz%Hspsrfp4|3`Jzc{DEj?Ol1p(mWkscA_bfj~L zwSXsi0HQC?sGQlAWL6l#D>#Y5?D4|%MBOwD+^BALOr9&>;&f^BBX{ZaD?ieBrBCAz zrw0-4h80s@P%ksIlvB6I;=;fXeFY3JUNN7g$Ph3{&EF_5MG%&q$vIyLm5ZA);UsYGi(o(GK#Ggn)UAt4T(T=4gQm+x7C? 
zXZJIUOeKTrJDk+qY29;eMZe6gTE5fu?cFyq^%Q>gUU6oE3vo~k2yTrOU@MjMToG51 z&ZmFhCihj>Uq|Zc0R8ACM*0;2f=Scm8w^?YWj^L?b+zvwQe9qLa8KvwOs}r_)%G%b zqeCugm6vX+9H4CEF{nm?!3R3aG?*7JEBsGK3xZed$46LvaC;KM)9PvApJvXyU*zehlCalXOENWATTN;wWv*r}{Y zn{N)Xa0+@ZagZQx4vv9@M_<$vJ(v9pw|E|7D+Dbj(*I{2>Kr_l3kacz)NSIOcSzpo zIRsm@1mLhwR*SEbDz^uwB$|9xOM6REk`!Yei!vH~V{UIg#ck_{U~DVH8PPa|l_i6L z1nC|aBPB&WmDc{O^*2UE{yh#1_&ZgCkJpjcwi?PsM$g6kwNuYnnGa0$pBjPe{ zUz;y1{lF75b-q2OYh6eXq|FqF=eTJX4$8xI*{I5P7s?L~V z3K3+x(vBEEW7NWd>K2F6TJ(g{TAAkxlOQFB%#;Fv&umWSx-cs)Ve5k>zHN&-PbmQ~iol3}l;1nTgE>+TG8%y~CIDPYe_1V$-k`Bmw* zSbc373rNjFK#GoEOd8TWCL!}mteqRxi5{VeQF9J%G2YLosHTJlMNXwY@bnRw+ULI1 z27a8liYzx%)BOwR6?E^eP(B-T8=ynTF{I%bdx zSOkFl_g3m4bk30AdjRblZ1RKj`(x>1Y-VRp@9B~RFy#A>JyVj45&3^Cn+l8qL9zb- zV9}oU2$S45SLftAPXFD-%#C0tAx@J4YBY2;an;d26}d{xi;^oVKe~`uW@Q>s z%uC0e>Mv_FN9vfQU*Ap9Wa>=rE6vY6H@j?;jqQzD*W=H%qAil>@gak;KTk0|+ju8( z=+w?6I*^cBH>}Bl4B{i=teRDb(yq%%Y_HHnxR<0x=N4ADum?x>v8WXT%FgFoRVu1% zV=^mrQemmrXtMATW9$hc}qjbDAIXKBwXGi3 zJDX>2d0;h9?~)lHE-Z2U(eDIE()}_(=P#rO`i0u>wYvCO7A0n{_V^>^s7rT0noGU>ofm#UUQ} z$^io8%7IuU0;H#b54=ded*m;L#T%A^!vxZFYaLq>Cq-kxt0fty3@Vk#Ml>Q~;{MJT z$qiWZiRo5dFfr5uGZ34j7GKoj1=-fEz3&#ZM|YqY3D23S6YnQPz<^iwSc7TwTf+lu zY508@C_+$@2o({Z^R2|iykPH0UIJ8a)GJI0T5=4Nxk*CfE%6bt{EG+ly6M0$sTQ$V zRQNoj!s&pC)&P4UMD${q5$H|F-O=XV(V6Q#80Up|W2@MmzT;}3YifjR@C>N4!#*h| zplxK~kXD*9H<-L}%w7hz;RRNX>nA^NQLD=2gKSn$>N1+c@3)EG|JJW2NSkPo{}d)b zg9gZd%=k24ErJX}{P@B7KlG*~kYD&oQa*?PPtmunA?e7<1Z9p*e5hH`?gp3q^)^SiZt5nZ~GD@~H7NMIoJ zvB;bJeDZwye6s$0e_Q?YqwCj=$yy);w&O6;fCz8vfe9~$v$U3D)Se68&8`fdW4G|>~dF393#MDQ*Elygh z)NhZ{ZdxS`&fd+)K*Vcn%9cbuB%`*P&Uz(#4K-vs+h(dNmEri>WXP=!b>R)r9mNZW zue8}LMQq1-G4+{iiCR0GGb$^h=mD#_x=J_iGBurs1P9$;8d`NgDC zkSD(}*0DSQbVCKquCHci1~Y+gElML%2N zTzw5ENK16Qa)+fI1qZ)aX9&Yx*}b=vpt`%5AV=}j?O7Q${JV@2Tb&t?A*No5&GmFn zcMU#1&%1Z)RH~O+sqk~aHS8GQYRb+t3q??s8kakN&9=#s)BL|BPlJ?1t4bb-_@Ye8 zl54fwYNUIk#bc}OM&-?FhK6Uj8Z9Ig3k(V}JH?o7lcoha3bPnh?TG=q*YN7gPpECfLf4g)7Cph$bA>!gYAoD#s_m1!6g2H 
zcqTv+ci_DzH2{?Q1FaxRaqj8o-s9}r?azdb$ZTzKwSlF6^=8@jFncx=l#heOGeaZ- zz0d(drsuDJ7sT@$@ki}Y%CWo=d1914^TGCq-LOT6Zon0AMZQ^7>s&1H>|Ws0BI|Gt zCbL|CS!fy)DAx)=0gvQiuo*p|idM4gty}JbO1ZLa!i8eS4rz&i3#w58Wq4nJ(hA)y z7&jk=Wu!&ZX$rzS*icwR!BUKZ!0S1ZdlJk|fmext*_1$Yy+$skO6%;ooxpRTYeG4M zdkWpTl)oGMu0@F0FrT>7(m#81TL?vg4Pt!_&TMUO748r~HliQTTOI8BM9ri1I3sOQ zcY#QSedix74{L2qj*^vU6lLl`>0@O-qn&7A;LhmEBUamD2LF4n z210>`pDw#q!cwUo% zjj6mQ_}w{R;RJ}X!hKG6sD&DPPWIY$4HUd)^wT6tQHA5)F1#&-2z{jRu7vSes*%Hd zKsQ$X_`&T*xYwG8qvqYOnaxngwK(mpbx5eYJH=7-b> z<($tg=J{hEhPaj^H2u!uz;RCO0R3JbM{VF=>CCov%*>>Gwm2iFFV5jeS-;gkHa#bv zfE9>&y-+fUpM)bdey<@J2E!bgEtK`ahWTRF24y;Qc{YgzZN+c(tGTcZiBGvv+&Ydt zEARiO93;`1?*E7SuOaYk@qv9K7QWfIyx;0imNYwy0~pr0P(W2i`kZO4ucuc+qS-;F z4K!H85bGn+QDRWhkxBvoqBpOBHBYm{yhHc<@dpeQo+jchFCuPV6zk*?gASuJH2&pe zDm#PwPew*g2EQNx@Bv8_XbxQypJg2(YZXkFU^f4J{xi z6Mri;1TaOW21;DCXuu3(f5)G+<6%o14b+bOl#|M0YUsrc6>U2^i_^)MeW5Kz+FGEo5Qi94&-1MyR@sRICeF!kxGnhPSA{`jjXuy*FHVEW^pSu z(5~bz${?q0YtjIk-OgTg+9+VAs7RAnDQgmn0x0*CvU}bQCs9>Y@u5Yd3Qp*Tn;XBO zxThqg*c6!LDMsI%5PuvWjfH& z@N>EGlVufZHjFYF{MsUB$n2S|hUUU9K)KyRg|nOxzMc|2uxEleL4Q-}VP$V!CLx?0 zM}1Vp*K@(E7AAso&Oe;lMKVj7HYFc+K#J8JJb(PL zA(J5iTq>QTIrJ3GJU_)iZ=0+` z`Y}~ggiskg^HdD9XjicYJhAv0+5hLKl&sMNtx=%W2JOfH=^?$|E;fpj-tx5p$bLV^ z#Zb+V4bt^mc`CPS&LY1dJilK=P*TKD1%DAvcsXcFn(M-hu$}RrY`FqXvVCXm0iUl= zU_!{UIBIe>Ql^z@WctI+Kr##V^mJ8aHRjp)iuS)e-+4-UI^cZb#qw0=i}`(U#+{=5dHcEWUBAr_q zkwq@g><#-^aR=Wm_`nm8VqAD7_B%(DcqVR7w9McO5gyfk7$Dz9&#-M|P$RJRz;AFo zQ@eabsw5HElWslsM3~Gku7ZfRZfSN#dWCEa6N8D~w6%Q$B#)1K8&wxiGXCq?ASwo0R zUh^hq0Y9;!GmK};Nc&`d(6Q<3_UZjhUVunMOJv-42{%CaR=4Gs$m9U2)+xd9UJU_GdWCy%oSA^qEq>09r!_s>)_4X<_gI@9T%SK1wIcWKd+!ahr zLI#%Bd}+yoLSWQsR&;aWewm+vkQVtL|A*nKTFP;D{#^_FzL7M1|62=?n&<&m#ll34 zAwOuOm0*|JP$KM;Im+!hjpa3y^evkzzTwFspRl}(2s$IJe|Q!dKL|gNb8>&Hqvx&*YZlx>W=9QkHWDz#qPtq# zbIB!!uAoa>**2@PB+7e|3c3?+PyMRE+IrQk$`~{2C{+>isMOeMMF${n&&C!+@0}R^ z!YA^@xnKh8}`-D;SNE=x}?wrK1J zaP)>OrAxak$L)bX3l$)*!}b6-AMnIHCf;PNP9-mf5bI%V5xNDVU@X^9wR6%w7|)j& 
zZStTGk@b>zKnp=`$1K)GrsjnBjLnjpaE%iO|4=bcimiy>T)az10bb>ZwGRcQ)lfOz zX|bl6r{26$Cb;Q>ZCxVXDA69C<(g12KC(n7>cl7rdnBndd<=Ne2#jnD*D`KD^)CJk zhQPMrEBsRO>a=%tE-VD73nA9qxq3x-;Y6$Fa;hPFR8|{W7c{1L_QW zt?U}HTg@A)qzup`@mytnD^H=;PtAToGoE?-(IhVB#AuffX%>NC&kdN6E>0MphE z1k4T@#Djn^!9IEAXPomryrtN3svR8Rf!^fBAFP2Ne>VUO#VUOL9!&MfZ`eJUSaMz9 z&wGe)<|WK$ipBa54TQ)Wp?Z;vY)GVC_kNgzC3DVa=nBd2|3?k$Wq}&wU z5b91 zg5Fl>O8##W$jY}JCr&7 zg{hRm#Y7^}KvXJw91~;KCmLusD_+n)i5a`lBA|v?0U_-(8yZORL{d}}GnX$@8QceV zWj8m1KgtiN!0?CRG?o$u_}#Zw8|ntg@zL?s@!5fHsyr-K%w#f0s6ew#d>CL$ts7wI zVZ5EO%XFuWI`O6x%puQ7vCz}{`xHlCD%iLmW4hJ(cT!r&KkvIDyN|GHPN@{Hd2-f7w(m)OBwgA`tyyQ!Aa;Gd~f|%xSm} zL=G&B3EL&D0iV0pT$MO0264siaOV-*%N3kE(#E31l zYy({0Vy9&5ek~q>VzzJaDx0cDlx3`?T_W|2QcZPZ^^Qzyaq%rE<|EY;n_|S($)oP~ zZ0G%b@LOUe&mlGr!|a44!h(84x)lLpl@edD#bp3%KHQYCKsCovvbZsu2AftbcVf_~ zSJ^!dk5g~Z-^8B?Pa?jUs{^_0IL;ZBc6%7whZ+H(|NT#M)Z^~`^UXi2NB;4H|9^|k zv@HSP?0rZAoM}#ZN%7%{cfc*avMRkG}pZ0 z$;%MpdcyXy5UauMcwgV0^^0Wr^NidAd0?~O<7C$J_3zEMZQnos<2PS^5BR?%q9K(a z%pu`7L4T6c5M%s8q){a}B%TrFM8rYd%=iKjLqiMtke!0i0g-=28|3m|hG~Ptai;al{_59jnU77Le^-MAVV_ zV4Og`4Pr&j0$63!S+TFV@EVlyeZ<536lpEF1d=5O%ciEVIa1wjQ>R+ZJo^Bkt-AI= z5KZicPEn?IQqdq%q(x2VWnkR2TUN6RW~~~l|E=yCtO<0fL)}|o5 zdHagb?dZVGL7Ty~+AT;3qaaAVua6G1{YQ`!G3Pemai;QopY#tw59lK=-?nB$3uMSIQ> z@975~aTDLn(M2^*Oylu1dIFNoN}6VG5>~>UsbeR+2uI2Mhz>;Y((aHEWVnbAO#Mg> zR1qXxC0UGZ)vBzoG|COxm#Htl;PPZ&L`I}XcF}sWe|75$u=JR$^^U}c7zZlVnj|s@ zErQZA-0`4WWtzAvB4q+{LN$16Y(?@dc-R%}IX&HB)DC-Qx_ena4UklE^RV z-1gW0HM{N4!t)&JL)L9VXHU7V$HETc5^K`B?&}UoTgCDx2X;YNUZ4CR=wh{tLDAnl z=(hcuaH?2E!;Kb0P=3sK``=Ve^@JP^f;Jt;(`Wp6nyx(Q`fu?AvK;XH8UFN9ENk{!liQ=+Y$)qk<5wX37Q zb{(lNj96)`cP2-0i!Ynwr%VH?X&%={m4k}UUepfAoKBrP#0ey<=Tgzn`aG(n zCM;o!zSGa$uL`dh9n$fB|08IPgEiO~p@86w;X2fo>?f%76EO6#Px%<-`Y7~;9lXzn z5Mk)7@eXv|_k1V$bh@>nczjZsu+PswHpRp+A$6e4v4kGv%?9Tej<{a<$&0vZ(G{s+ z7eoa({)fRRLUESJ1-W;gxuIfc-T!l_LRxv_KuiDRz9dOzL|-j;Aj91og5crNP!o^20}LD3sDkzLJzU+bt9J$_-toj|%k} z6RO zo--EBGV>p(ZI>JTQdXf2WP6G@u^5}#V~+jy=^sE&fB5b;#c{*vu`q6TT4uSNp-^E% 
zPmiP4e`_jHEFM!98h;1-kQUBct%OFg!OWv^wFdCP(wx@&SSSGdL@Oo$-ytT~Obphk zyq-X~r0&grCjX#4@E8TH>pg_C&puB()zFN|Tpwe%Ui9Das$Osz1~X%GP;}5OGNd** zWY*#3(DUO=){0V5bF3+rP~nHLg2>yH>>|fR4^-aQM!&w%Nn|q%>sm&!u4MgbXsPq= z1P8=!+#xpqL{I?@j`X>ZEla-kcs0ZGP9T{62=>xr-V%4zU~tC(qKzRT<5K9WH{>l! z!Zc_&-S&Q@GP0cFpW~WL$U!$iXbSXnmuSN85#UMY^&kpeZVM-Ru@rxPG3D60uQo-^ z>q}Ua%c?k5(7_*Rkn+YfA$(+$R&(`W^&h0;Y#TIoj%z&by>~L5f!4i+)i)VMnSs(n zR$Sy*%zsg7jnU3AH3rldD9<9?_6h%cI~V+lRFRRCP%8sicUV+H;^%Ze7;=`Tve%kW zSxBb1PUI+0W}qu6ELTyB4oi*B`1r{5LcibA_;^f`GjBqpSQN+dU2pliHM(5_6e}fhZ^}4TgF$ zR-${`^1cF~$c~#rwDmIb8>8bj$PwkfNh7d7z>1p%V6uf{{>nHy!hp>8b;=PTp1=6U zhqPf691ia7-G|ZyH=c2nuP4J@HtVvh@*T5hk&v3V&0Nu7ralJelWdxg@%ioP);8Tm zMhVsIyXM`$wjQLLEFR}tqBxK@Pi`4eyw;sz08|02P_(Is57pp9tVf(1g4)gJY@yCLblAu_$1s(-c z=}{(yv-Ut|^hq8E6Y=57SoUgGx=u<-I$FIdTDrY%Hcju;GA>@i@kjatly7vj9&gHlLr+G%@ zhnoL6o2x-xR&JWEPJR@xdvq05+T%Y!N8>1e)|Eg@lB@Zk^8|P|vAd6_1QU%Wo>bY< zf+`tI=#y0lg)gv+g}Bgcab!v$y}yUZWD0Oi`pR4mv873uNyFTYkkp)% zXKyYV5p&uYPT~oM8K4%>2}HVNI~QgNv0wkE1z8%A0rY=2yEWf!2xp_ZQ(v$)Xf_HK)VwW#$knd9WFv_VmU^WO4l4~B{EeW zNen7pqimov74OR%(@JTe5Vbr7XrFLAb7Jj#yQc}$aKBLu3WaVSdo(pzb~;A$N3n^b zmsx2222KtOsL6ctUNf6{AoyRek(W7JwF7V3;VK&KvmC}*_-4t5Oop8=bhg=_=vAw< z^+@do>z~EbSAiE94%aMDM-;0%yfBY600`mT3Q5u>7H1y%jxi?eD<=?uVSW=w`z=l- z9+o7~0^38s>Xo7G!pDeoOs!|Sy~)#P#jjhnDAl~0H9s_tPF5MyKB7C%a!em;dQSJq zee*V}&>;mtzVz5p@HX&H>%vI*1WTf`B^Hv~hpyb+eGxHe&K+;6%HC9o-Tz~v37ihD=<1F>$_3_hpY2oa z$*&}<`>pTH=ETgPQ|Q~iS}Hf6TGXx1bC~5~a+HBOG)vTNUMA%yGRu8{xbd&U?k zL8ThSoPR~8+`qxH5M&w-Xf0%bm@-x)-X6HppqOkIO}zE{^*f#D4>ivke`4_zhPkKU zltU=pP}Jk&6!)u^#Tg)I=?+~|4yvDJKMht|!#XDPukrQ;E5;877WrLbf&~3T@>}on z8h0E{tDNG@5@n(~x^ale6f*fhoP-iZ1(3Le5BUF9=NwYE=A;*ZGdQ3?u&l}cmk$Wy z|DQ~QcZ(KDPP!?Q05sWuA61#t8x~r@Xjr!;mxSjL;n>PWgUc~ty>m9(YBz4%dtesD z?W4Y6q6CVe683$c16g(w%~6C3dR}+4p6s|@PrZM>9bo=~$$dV6iNwKH6@?^6o+(yd zVS<$%&W1!MH>MewDsxuM)>pa{8WshDBjUiVr{I4^=rTOx09Jg^xC~4a3T7R}V{a0g z4!snbrAGMZKD(dVt(WDIf>y>Ce62^vYgsB z8vlk1t>d3XsANDC&GM*07qrrf`L(LQS=kY*{x?hhdRaWGjqm3b5dcRKlm(vG=PZOi 
z4WNA_f6l5$1@J)4jD2sd+eZe&+R>A;bQD16hCO=7WfN_Gy0Ln*)P zM6_Z{bm}?Wfpxp=*sL4moOs=0Qz6H5v*i1w-%L@aQPPexKNW+rwJ`?wCG z*{dYyyU+274A9{dSppu=oZEn@R8^Fj~eLb9$%DOr`6v1f&b zld}VF9Z2Is5=QX1u8bu1pE^?oEI6oTY130%>3%tTlf!IZ`|AY*b(;sIzW&cpOGm0C zZ@{-+tAD4J{>L(+N$Qz`Od=RVqRLU5RYVm=`?T=b3@r(bR6?gG(XgU!L_-ph2``S2 zPLhygBJ;tWC{BvA#00b!sx*%b&b%@I@x967bbPvKi^~H^Zm=;$YT~f#)}qo%Z!$J9 zV2q=uJGD=Y4Hbtq2Oa|N)tbkR&?0}sSuFoagCli68b7Hi;>Yen^JVasxCjt!|4pK_ zam_P*DijL0esv)AZ$|-*s!scFT&y?|iJ+0xGM^%(x@JfL*%rWO8!=OX73r+^jdYlGvaZA|0qRu3EnqKl{!PSpGk?fIo2X^MuJy1>^-D2`T z5#NbO@O(c8wK`R-d~cLE3T5ibw3>vBhF*G3Xf@r^{$+^+-+S}1AwAU=QI%y0{SOpF zbP`;0@;)|B`L6*KC5@i%8gucp$vwaA6gwdBlSN?8&{7*r_MitBd+@4AlGz!P4a!N} zNqob00|-NExl#tW8sRdky0BM1T`dA+SFAAx*WAB%9oGOAt2yU4eA#zRxkmBjUwj@KioZ- zZiy?_v98uJZ~Dmbd)-Q925%_8LoRXuW(R9cE{SogV87omLp&8S&w39XpELmG798k} z!tG!TM9lBAPyUCL>diyZyg&%5|-fTp0b&M(ciN_#A{7c?=Xt zYF)i9@OEK6^Zylo1ba&Uy(a`tDe`Y4muvcED(+{fX#t7iUlZh}rWXSlMR!nSaRS2D z&H|hcQgUG62?FS!tB`|+cu{@g=_-YiHs~2GzcXLEikDN<%do_HgBw6@l;Qw<2wq3G z)<2gehisJl05|MJWSe5`nIU8i5$;e6<1{6izqVb9CukX}9?rb1Yf}YC6N5?yiT;E7KMFJq;oRp|HaP?YN!7l-JJaU@SoYhUe?E7(tjzS=O2`=Z;8mYI zHkWOg7*COFlH(##^=$w-->vOl5d6Qh-NJHSJ@1Fmn^9T6HR!e>pP4Z3cI6CrCrH4X z1^}7}uMI}0$hRmC4M&ZKF+{)Lz(zPV;MU%!ttq*w>J8+;v}!>qScR!UXqx1NH?qyG zPA#|}@Q+t0 ziBY}0U{krg!cJVe(6dq_p!;UA?Q4m*l9om*$|O+skcj?4Ny4p0q!Ux4!Uzu|dK+ zN_?K3)r2TP+n1g@0e@>NB!!d@ z&rdP=iM(xwmEx#v$OVa1E27ZA%`z!Md1USw6jRSKr{T%iBolmhmqv;Qce*5q%w#K-O4HEn!Xg6N25@jWN(Jp|0$De1bp_R?lFX$ebs>+keH5?;}Gm~%Alm?o+0A)o);(G0=UO=-rt!df} z_!!GRMXuv8a=~HRNMcLD!M}N$u|B@=Crbva&8oe)SLPZ%sWeB8?IdOerhz0w`VKf| zb(EYOgL;@c+DUIk3fo}YIDSbnVmo32SH@{44&aizz|!3%G*p*HlA?rNX2hc;$&C@M z(FlSov#6`i##=b;Zl-e%*t)bp3eHHdKD{yr@~Vr!GZkuU@sQ$NG@DeAxM-y4bTd~? zB8c0R5Q)~n7ql-dHLadg+Uc19-@M9aBgst8yXUc^8kw7i3^erSdqQM{G~u-a-%T!? 
z0D-)^Lm3t33x}4}@<)EgKEXwndEP?xM%7UIi*07n!lT5xdltY=sQwh+vmrthO@W(S zt8nbrM!H~tJ{w*u&t>@Ul4e+~f8n1rV;NGd4gQFsR9j7)2WLvr{J{m`x@W0_e|A=v zOH5dNw}fr4@ZI&&Ugsfpo#mlyjm@G9FmlJ_Z=) zJ_T5wY7^rwhseSyvSrpC0YTBYgD3;a!uP!<7-)(iod;(1I&9XQ#iBgk;acay0Hm6% z+l&2;Q|fC6c^|j{wr8ux)%f~LRx%Rhf$=pYoCR9U#qH%~;82LQHve8hhJ86tR7IJ( z=1sfPa;=Q$>!FD#L&66TFFrt&A!RZg*W7mhNIFuT9UZ90ph;Dzi0x9MCvMmLyxh7m zeBuo2n|Y}7w>A^T0sv`K;?pt$(4xa(J+vu#tiBsYhViWIMBZ?Z(X$B4oWOXK49IZNA*ogBelHtQLwkdJ#dfp(EwXv5VT z-I2W&&%cG4(#sgHQe9+V_h54q;g#n(wK z#Sh-A6R6lop4rM3dpS3lFdc%Z+p=y8D<(mqfBf(bjMfOxU$FeaT|DSlQ9f69RkMU!_?WA>R3q=tP0mIFX>_}ZZi*K ziZyufGQ9?($s?b`Q22*ot1wrv+ClQ>4{?EfByl$P^6JQM;Jg&n4O}?T&zPQKq|mHr z1%=)G79qz&BKX7j{Lxxas&q5&YL@GR*P-l$S@jCH?Eg}UH_A+#^gw_~%Ap z9266#{{Ly~O2DC7-}tx*Wv#4*v0TX-NeD@$tSK20kx;gVOoW(`H6nBv`;s-pSaR)T z4}&DTYiAH;kDBy9GuOS%;r~6);hg9B{oeQe-tYZ5&-uRZeHG0#V{aRvF_pZcuJKG) zizkYPan-{Eih=AF6N)_zQFVcpJh_DkOv=d%MR!;KEZDwn1k%%u{0l3c680neGJn8JLKUy~) z`V@|Re%0rr+^mg}>=)wU@T3s07Z>}CmtPp3STDMXD{niAT5kEXYHHMOedtRI{BQd+ zk&it@`MILJeinJ_92r|S#w5Ux5#!I!O%hF{+z}nxPY>KtUKREOhDD#82CHz7SIZa2 zj?d_z=a0u!v^-x~(M_{+(W^)iyqGui(`;BHH+VzobLP_Nyv7B)h1bc>3v;&uaRzDi ztt;X6BMVZwj^V@cFXdz}#(tNhl}_&t3b<=<|9eInOLFM3TeRIh)k_$(c2@;4EEFi9 zB~UGmQ}>KGVN;QfEFQgyqj(k5u*I!hTk+^zJ3f{3E1lEO<>V5Cl3%>} z)B*oH4Cb1vbSp!m*_L!Sj70;kzx(VhH_Ov>x>nUqt^MHs(Z)4*Gv^O-&$wu(yOMGF z)+{p2DR-!g23bEZV5!QY+G-je%A1E-%kNy za^8CWlM!FT{4TAdtz15+1p6thebW|dOH%6UWm3^;&Fiz*l+bWVfITD$yZn&`ZeI5{4Pg7Tx zD9o5HH{p`s7>4y;<7m;BD^v0M7`Uc)shp=!4Xke^kF+^Yxv-ip?nUGWcY*9!$U?)iqVf1mtijBA|}sj>XAeYC&xHPn#aCHS2&Nn z|J9g3wC=sqnn^Ye>Jpsp7tFN4y%i8w%-7xE6Rnz!6mu*X_KjA0R;pC@EwjL^It1-T z71f%v8ByscHvPENVB72SG_F+jTwREQg1Bzv51$ihrs&~-A6u12R+regXBMcmi~CO7 z-jlER)cC5~b{9dcPJE4hd|1)NO&U9gzbZqnES<=C^ptpXw4r2nwOP;4;f8V|BA01a zsdfuk!|jvMDoYVH%~?9fsM~mgW!7bR^nwtw{rnM$EMLbSgfAxe$U{Z7;c?aZ5tfLKc`t(}>Tf_a{b+AMx%!DEphBR$d-{op=B zWVIp}t_;6VSoEw6#_icAfxjO+PB&K>?XTBFkdheI4l-A&FGfULG~+F_)XfQ3gZulr z?#y70b$*n|QdbbW@<13JpgF|5Y@eo-l0|f+ZW|O0$d6w#(lxx@b(z&f!51OXW8=Zo 
zWLtih+HSU7X1=QDFS+?Za}7*o$~}#MO&)1RP5iB(g77dlOpT5#egnjk`y*dMyJl8>aj)GJjm4{>37O+p6wo z@Z7pqMr)jQ(&N$*F=n$O^ zm6{24WycP>K~DT)`$$jZ$vQLF4*wwYh4=Q_*JACp=RHwO{3St8N6KJTEEFSgRn0# zt*`m;7au|610i$8tcCu`2I{*(ZR0J?Eg^{yA_QlFM>MlTYYvW&lDBVC4^SnJd)YH9 zr@lFNYrw?$QE_I6@l*ne^G8llrPjRXnZoZctJEE-D~1l9)MWRqJA(3 z{SdV2e812>2XmT{<7qYZ9pB{E+8qY2RR%~Bd81HYj}ilU-IF3W?)UyOGgOABz4D}S zx3~UweFSmlEx{4($GFJ*eM|4yVAWK@T|#kGI})RDbTBmI)lciggAV2%2%RZb>LrKG zZ&Q5**wmolm3%_DwCBdh;IApnzg|(l+)^=env6j;otgWB|26Gis6AmBOB|gOyOL0~ zFJ6l02~9zi;{uOY-|C<2tp1^QMuB|Zk|D3IuSC5JH=g^yERxo0W{b^{qOa^ja}D=3 zKX*HHJ?LRD%A{7hwjgv;D54-~lFDfVRrx7r^3;nclqY+$m^?aYGIF?+;L6sVqhLDO zUR%tK6a2Z(t)f#NvMFe~LfBS;eibTOe%b*^tmL0Vgd|>S32cQN#uY4Sp?n4=tJT={ zQM1D6=)iPKU}?Vp8qi?|$B1c3h<4yRSH;?OG$jgUyJTp=szb%2! zRDZC-ey{G31c0BZ$PGN>wX5l<>8na;T)lj9H!a#SqfrF}>w_04?4JgHcLy5~P{Tt{ zp#i|vu#=J_z+%D6!Rh`US-^M=`#BPzdI#`N3WYs5669Y~N!|I~=72*84zXQ5`|5rx z>MOWUxd-f)#BVHk$4v#is$&C$WR8mO?w7T<<-Jr8(gR+kY!1Jh0S%dSjf!Otsny{u ziW#)*JgDvTZw7dGmUf490MPk^a}P0W`A`Ql>0CAFAASfi?!XR_4rpzp7p8D0r06k( zGsp2S=feN5fxNr3kQ&1fQ3IT0QHpeYEW1envX&F<=QB7NkyHz(G!9Y_5+d=Wzz&{N zACessAG~CNJQ8GpZY?XNz~A+DU@!rQKw3#Mo}m$fhg1uI;Dcnzcs!hO&oHFBNtGLr zA`1*)IE2)tP9`z3GXQ+``zZ~x<+BZYO9g`&fCpmaAskCBGAEgn5wK~5&IGA?lIxH< zJAfm5EU|RQkG=#U%3#b&L8Qj&gCsdh3-FAlm%~A;x4`WQ(D-&YA}cU$pal$>_9}s7 zYlA2;FxepAcAQqo{PqLW*0Wj9a4M^E?>~XX(wK@YA zIDGd(3q&Xd!b*^2()kWZTtTuRK=2%nWW2gN!yYB4%&bB)K=3Shf#38g8m|jT5&%pr z==P8xCvGVyFxbJzWKu^bAEj@|X9r2W02dl$AowKr9Xt(Sf~n;D17lhV!YO)A=BQh8 zi|zi4MBZBldLSDlDMLsFz-XHw@C8K+)aSA9)&<$#1EHmdlXZPT?Ts7KPKit~ZZh^v z`-+Gi5-lL+b!fLT@+Jz<#&|H=p`%oa{f}3TKSb$3$a*%!z=RkI4rz&-jgm)NZ=?lv zRe)3A6olszPv#*zIhZM?F=?p^c-X=U!rK$c0G7w_-5r1|PC%jVm()twf6u=fgT)%vk+2q zHP9ER1e|Y!gcSf&j3MEPpdtkbKJFbLU81-f&-|1&bhl}$=7zhYRBT-O^ANv9;>m2LR`N0_& z=zll8i9SmH^8f<*pW$Bv`_~;ypoQ1NncHM3K6c5pOvcC|8d`8V_Q5^{63G_!ZLGBI*>aHco0HF9w& zRk3qG7DDt#rwkuoJgPLTP2F1aRy~PwSTw|jj*Wz7lB<%F6|ge`wW#wjbx3@ye~z|e zeSmx~j%gN5B?Lyf8=kx7eVXCr>3%ytTfYOE^0X$74T1*z0tdCB+F@^ui$!Hu(OkR5 
zL(%E5A%-6xXbbd#oy5>TsMHJVP~kO|Tp21e)U5Ie^jzlSLVu(ac%?F4ABK2C=zMK}cQuZPyzH2eKscM5tSwEmofnB>IL~J^JqC_6?(n2tswv*a> z4&6@f5m5zrFkFNCPh@95{ZhwF(-FQ=>C~spHp#$%fW?t-{0Rj7wkJ&C;j1)0;0KlL zV^NXmEP_Pg*)^h^kuqgO7^<_4(8$AAI0d1$qC#iZEWvg$Wuk3My-eZ$GjT^u1jpN; z7$oCy57}{GZ8|QvIV8fngolsgIn?k87&e>uR_6i$*UaSriMR_sdo4JJ`(ZBq$qU>4 z1FIwNM=K`9V5t@b2*=Emllqddc4rnRR@Jm|(MnB9jtEiVtz!CJ-ojaRaiyQ>BwMp+ zU@io38hNf=BGE3&l}Xb_MQ@u&{FIf4)zVH5CLA}@t~CO&)g{Rmg#SS5lvav8=_mTx zlh2Vi8I<1|<5D(oynsC|k90P!(e>Ai8-TTsnc}0s!Lc%0Zv7nwO+vS&GdK%u=avBY zr7^knyHsfeEu%voeRGB3ztc6DhVI}$vadOfAQuGnf71{5NN;--90=$SO!5OJ4?xBd z#SHhaT^6}jmmQHHk)kb7Xp3SHCHitu+J>>Eb^%-|I9mH8yI$9BY_^XlNc3K}E{0IKuv%9~4*adz*SK)vVj*|)7 z3Y$TYN=BAWBs>uHao>(b5&2!CrU6n;m(T?o*H%JYWNCeb^2Ph{fk1O$N+c0%oH!#a zp6rq;^WaYK^Ph!ajFhM>z^0*D*rIe{)QQ86h}d%)#$a6p#r~N78OUoTaTMJ1Zlo$V zXWj~KuB4x2A{VG}-GFLBA!+G~ zx$LeyR@+r<6<49>R_icxf;2^ZIdYsoq@F0|X;Excvx?o(#lcmn>JV;f?<_1)d*zy0 z9qAGJKAOd;no}*#jX9;JZfxxKR3AOoqgxE7&&EPHDm<)ucGIRS!i6$SDLK|i6$(yJ z$XiABxLH^z&UCl6mNwqBCIIZrBD2acJQ>O^dfqnHndm?72VQI@%NhAZI_}xCnDI!- z_U7WGE1gLYa28=`!-_9K$ALyM5wev}hfFNLj3O3NKxS9|A`n6YAI`HijVZ^}a9u)N zC9%(M-e`@W49HBJ?$8QlJ2Iry>Sg?m{IZ3^*Tplk;of!5_#?C?G7H$o#tHFTtUiGq zrPp4$vz8lAH-EYJTOD;<8c-YBQZh4Elsh*U;?r7D)yXG(_gTXY(~)V*j^~sOG#=)K za*?#EC1#;vFxq7n$JDIXYGE#AUaQ}6^9gN=p?qYigiz8?WDG?6_mCc&^$;5^ON*r+G>)0+j#T^WCOu&5 zrzZ}m`1cSU%gHtw+ZdASp~apRtgMURqQmDE679`WW?mM5oRf|;xnQGfEl1Q&L z+eR@kk@2{>lU8ejK!0X}D!eIR+PJ5}803N}<(^~}*h_%J zX)NF4D-+jYXEk6r$`8f<&Iutwm}j~!M&0$id@oD~o@4>N8@Q!PnIGU_gcFDlq*4tD z(k)Zug6r&#+@VsrfMjUx8)G=kROSDMon@)OvV^J49NX&P zxXu-()Cb^~U2;qOxt%wnu1E0cR4lc9#Aes+;~}|boh@)L03&Qk%nO~QvV{rtA}^Y4 zHf-D3alvy#K0-4p+PTCeB_Ah0+;u^$dnd-%)hG94(dSZVcqC`};3{*9&g=@^&-Ekl zAHqBPX>U&F%IuHuuItWtqjcFAkmXQrf`-g^2nO($zH`(Pe114wBEcqd2aP94uqJ#I9;J4 zUpZpP{~sUy4~*g5Yum*^0Rp;CE@Yzu{PIOTX%(R8-rS@era>HOill3JkLu=Z zeS6*8{-k~bn7eain<5@D^naV5`sAGb&AIb6(Et8imWZ?@0w5Of&!vx1#1h8>46=ei zSb?p^Cd;u4nDOiH!4Mv@=fNolP|R$TSd&3@Csax@u@8vz&60#i&Iq5hm|VO9+GkcO-@u{#N0;XObtws%fVtzBC0nTb&>p43HK5v)2md|N 
z`Pn5^aL->3YVX9M+onrxK(%K#z}AP+XnRNn>WAAy>F*!PA04t;)S)i`pjM~up+X?L zGk1aTZ`=1yk>5A82lVV>)zjZSDtSmq;r!*x}lsT{q^7biXNs&~c z9#lIh1@@UZXZl(T6jAzE2i5P^A3fT8{B-=C+J`n7L2$7)m+Tx4T`h%`Zp&k3tJxfE zwGN%GBD-a+vZ1r-SKZHmtO)$88mm@h^BNcM<@Z0Hv{n~PHqrP}LXS3?zKNa|<%xz_ zi?|A|Yp&$ajw2NpQs=w7;zebf_#@H)&OMaqkr&2g+xAE~xC^JlrCJ?5x5*MDyLhOR zPWxZ%zvl*vmSgr5NmE%puxw@`lrUhhCVzADm2Eezb|_i$9)ctQo@!Z5%37l?l9u8Z zua4QcIycO8GJ0Mf8U|S#H)F8qDlNMcH%d$tc@YsV66w5$Qtn*K*DslqWm)vNq8*5l zBnhC%V0W3ZXG%t0+o~aSaw%}PjNHqRyUfN+Xr^$>vmdYZR*WcGSmCk-TTQks-6uF@;I=XLT4}29EceI|B9%}zxg>vg zmJU^?c7i6C&7PSXBMne+w~dnLqltyhxt5c~DN`A1`?A~s0pyOGhVIx>GV1P75K&FM zS;o6mzg*$?qLjkad~Yh_;D!A6URR;|Uikxr+Fi>)7~Mz>v-qW}R$r+XGB&L=-5T%F zNsQc|PqwU0c;O}KFbnrBU&M(jIoDU=#FPC!$rjaO|7||73a`1_Wn#7ehsA*FGI?1_5gHZ?vw)ciqq7)6Tf|eHH zR?YediqdY=HS`{oGWNM^I|<(zrke;c{iM6wR19ZIL*Zh|B8uqv=|g-* z`q|9SXd6q$CLtNyOf(4aJ>+BK^yQzs{NF9|{GiSK72`w61lay{J zbMkwXgo}cRt1;!?ZhCTXMwN`7OLDg={F)(vEl^; zdpiuBA$1fZZ|JD;bhT%1R75uoIvvf#-NU}cRFaOMxvi;VRsIbAX!W_rI z-CyXT#x46z{hi}qxJ1ZTyyW(bm0DM5qvjoguXZ8chaWSp>Nr(2U)7RruXy48r)H>I ztuN3)^@Dt``2Otov3aV)p^n-Q?|#(H$B6VSXpPjlpU?@zV|syDT@uv!TC1B{g$n9V z)0EE#JDB@zNRA^olDE*|wpw3sf6*gA<3m36?LlvX{?;sb$fNp;?Wb$%?cP82?!-aT zC4cHI8X2MDi|`v3XK>*twlc#^Jl1x|yzAOmhk~wMec?2n^vve4BXPypNk&A-`odgx z*~Bj+ZNMKV9ap`Ut&GE9Hp&K1@^{u^v>*3UIo-_MRke5~(+I%t^WY5a zwSV+2%Og)In&p8^d!+rGELHG0{AHJVOO$a=2#`3DFhsj;qM>6kE!U&lE9{(HC>$0# zT$V8=Yh)i-ag$fQTkd++3tO|tWSU(n-fgn5;VWBJ(?f2Sc@|Y|?sEMVTR7`MH*jXN z8_9{T?T1afOVNYdpjJAlo{J9%-^yC4&B_dMLM|e~MM)#e$_uc(2!V*%xL%rWjT7aq zy2whEBpcP2hf|}Avg#Zy3u~%Ur;$ndCnkP%oxHQG~hO7=O99&d@yx`J;|LC_`QzylQ<=CnqTpy;ty)VCr?)K zm<^lXKPn)Bb*cSR@l5nr_^@5=r?lW$<4b;Qsd$Pt6#z%@?(O6q_M|DL zvQ$p)F$WN(0Y-`IG=(bG*iuW3!T8gsqSycOkNj1@kFYP=a1 zQSU7@W)1M#oDK!-=65_|*|(~w&-Ic%U0fW?=3Z@%h_k;ADZ*e0n6Ivga7Hc|t>ey} z!hl=&&genR%_#1#F`x(i{L-5{HKXW+%{)r#ONhIN`bFMePj3?>UU}PKFZB@&4_Vgd zs14>|m8qK~i=UTy?KAA8?t8P~C#7VSOta_9+32dR=Z*`2VrXo}Wwc0Hi_gpNHLm1s 
ztg~PKR_7%d4>?5RPhn1uU9|rtA!-nwn|9+eLwUI^(LJt~Ps}m-yNuaN9~#B`ph;(!JusR=f+{4m>;fEx6DF_@0{4aN|(1dDr4-svKY ztLub@SVIONUT@{I@xa-4y`n*=!2)9Wd0K3{k~_`GvY9}&K^TM|#xl?Ok&2-y8zleY zO^Yu=h2fNvrGDuQZFnYAz;C3(yq+N9L69urHZ@j~jozmJY3d?ZvOWyk)>g14tVwfpHvZ*t+gXp-h*dm>l9>gFh2H#G`(i#3$DG|9En~6s;!(_l zyS))GNW>A>RZ}_HI@l0hfpTb8g+o^vK;pz??T^6REmW>TkcykGh7JcR<69CT3=6OhvlH&>SVNM;3QNVe$}au7gUJDoO>u0{Ah z4(=1m+ET}V27jWVse-7e$S>oQ7>$ojXolrZ3w9)!RU z(pSi8FDO{p!ci}=Ib7Kb5ODr@D_)c*5jEEoPFl7LUq@RKw*q5t9}L~FhSQgQw19?n zh0GD-okA^spq9m&E|{$dk-IISS$-~f(23cixC;(WH~i7ZtPG$pD1Cxvtf4 zEPOK}6GK$v7eEq?if)PRmw+4FLf z$Cm*=!HR=f)15Tf_{*%SxRMWZEJIrP>ljtOX;IreskY%06?7kAiqj-Yzm|tri^Kcm z6ZRyDRd%T>|!!R$E3PAhsRi2Z_BjJJaA7j|<+wCe2XF zeey&V>g2;K1!|X@8v-2dYP=IKr)eN7%GPwqDhwPk=pYEu?dfz&Hi|S_+PoGUJ6h@b zt6FC2bY!akhIxRn_cY6b>YI+7dSbMsfn2)GZGj#g+Drz* z`BNbX{rS!FVk>&4)SH>A%}Myo&Tzd@zRors6t!o4M`tEKc;tYJLAEJyj3s6+TEEKc!mb@32L`nNkza5UQm zwF}j5A7=AZr1S+f{7?hH`hw>|H8X)2z_;$&gI%fB2D&5~{ka|eXT*15-=Dd9PNE&P zz^|74pM$eJ85pkk%Fm>peb?D<-tK+!^c|O|`a$Wz&;KGua9a>~A;2j+>4+Ux0dsrc zwZkrX+4Wge*3GJPVAs*qgdZRDhphoyyFPAX|K{kp{pvo4CFKN|C9Dl;%7tP)FPD!j zdOoYT2-NZj+CWs6+9j;DPkzCHx*h`ArN}NufoEHzG3}qWY5$E@#Z`rA=Tt=aqw{HX zrT!aD3JRkYx4;U1+s+g3tVe$bWFz&2d7mk%6Bb=RC|zWs7wX{)(K&)QUl87Dz#ST` zco*Sn|5x;GxZD}Q-)GEN)Q|4SpKYy$WXK2cY@MjjK}hyaVuUw>(i7^{AF~C2_!Fh! z+2{)nByJpN!~>{j|5(O%8_w~S5W8Q2Vd!$*=+i4wA7Y%3HCi7S_4^>LK;weVvopJ7AO#@GOxwt7L}DkwTtXB-|Vv# zwahe-`5@!|Vi}%`p_YrII{}0~9TZ>dDb0RRPImSQF9BwOKt)7U@uK+Q ztRs$*gscqWtCCf?xeUTvcpnDjG$zXg9LqFoNYgpP-n_PAmrMGSk*WFux4QJ+M~Hf( zM@K`5%TnvgYF9~>E0(W)`NQ8_2nX}@~cD=7q&mwMFVMHhFCOVsiHR}8)mk9<}>#5QS=d;3P<885Y zWzCMsvW-e&Ix1k!#MRZ0NvnQ2hAHw81J9B*;vpf-zD&>Tu~CKRl0l$vFKR8tb#XTV zY#9`G7X6vLYE$jY!^%3(Hit>K+u4>Uqz_6r7GqRpXR#*r%(+axh0(mKOzCee<=s@L zFDW2()Vy=CN)XY(R;*eQj?L$!o4C$Y|B-jZJHbJObyS{^?O?9D3EaTamEwc&OUUkM zmK(|UqJeQSAi)Si8OX0_zA!RE=&lq1?{jRiohq?skmCtHi}^;%iNk<}rxldisB0?E zC=p<}v!l;#A5~~*2^jw2GcnUp)`igZR=c>PU*HBuG~o01Y!A-E@#w?x;$iqGUNS=* zFnyyQs@G3I)m+1C%-1!BAm$b`Ie9SHWq2!<*X+Nxx@pgqq0s#xFz#v~*or9u@>VH! 
zc0A*JV33ea!ARiq4}9UT!2yGRKU&UXb3kc?ez(rPs8PGBQ0jW`VvtYMv??~lsA-K& zG}RKXk7~DY>&Pmb>nMAca?F%cBefwHwKH>YU80FJ<4=Vvnc9 zxUILcoDBI3d3>u`V|@0fhfqZitrG+KqS%##OOm0w@^t5Mj3{+iWk`v8iyk3#^M0Di zcU7s1S+G{i!UgfStxI2#kan2pn5zgiN#fa{^2F*cd_mXG|E?kYJP95E=wipNTB4U| z7q0QR!|sF7-Oh^_&!Bh~6pD|q4T0*HW#dtZnvTN%lJi8K&K4$`tkmWVB_jgDGwx$f z4`+ul1OihezL~JeM^Gk!nc~+$iVP-?mqIuWUJS^u#zM-$t{vx)BOOm+#;I8er;0Upj(sY zFDLatcbH!=C?&g;NIgPVPE&m4+;T?2U>-peo=%yUOp#RF>$1Q1$!f#-1L}_Xv?Fo% zw4~E=MDK(4-H&!Y5dQnLlU!>jUH&IQlVB#>>oNko3~|-4{>n8?+Osc**eA77QPGmw zEzOEe@1~JRsbEj6+Ad`ktxevtYHeJHY;NL1!BA3C7vU14ii*{?3td1&1Qel<;@o}m zKMa97+`rArvNvzr!2zzb-+JGA@812!eLjD?APB%1_98zX)A{cp4d?_@4(9srpowC^ zLlgoI?6o?_j@kXj_^D!5YajqBBXJjkM)F9j}5`O_UVRwOgTx1eNLV~O+EV? zd(rrt!F9*r{nNCU7w_85jGK;JWb2@-CGnWrHbY4#z_JShXhPk1PX$G<&E10+VH z#zVeQgmU5(qH^P>uT_{oU4inE2;$x!Lhb>$iMgMquUZ297$cjUm;=d=-@ZTwPzTY# zzElAWkoT!Tebmzm9}lgBT_HDDkKbXi3Tj8$?`e`BZ3O$!MHu^NWc$C4KHmc~UWW<& zLkJ)rP`+3L@~JBJmvHc~Zf~&hF7R+S__%l4eJnj4D=a)sWrZs4nC#5Emhlq8Kc|Xk6YTS+Q9ZNgZF9RgbG$Ylt}Ov^O9Fma@3kDmYK*nXq9M+mpH#Naq?!9 z@~4|NFXl3HvKUl^)oUhMY}ZWu<~CBX z1L9Hy)3Px)7tuHw-q?(^ox)7$!d;o63HYBn!_t3$f{nEG1{5S8g$3sSaN8 za4&LAOCpoWuLu1N=u=q9&j**W{gu`Zx+P4u{ zxh-ki9D|CGn6Hqg+S0<2NFG4cP8&5VNQW@d80m6LRUT#jxh$i2?vY%;f3QN~JPiXO zXfU;hR&`?Lm?SoXlyVJQGE< zq$~m+JJC^;+LAL*7`*jZ>^DKNcy!iKjN?WdmdbNy(tT&5Vb3}{fgNC{%lNg*KA(%R zATq@zDo3ZLq@zz_n)K}RrZYOJrMjXbpwb}GXg#tS#)FD-`zoTw1PiNdHD9uPvi-o8 z(Rw{bwa%R2odTFuYjRB4PJs=9*CfPJEE-6p?6k?M>QhRQBYxrx1cQ^|^VHveI6 zJx5Q@&Lkg1KDPd$i-18v9jG_M%j5x+N=1>5)TROtu;?jV<6ZHS&V8xR3|?hravo z#I_^YUlsNrG8{HBZ`QJKLki$2E64*UUR4e zhV4;jt+yqZUw=M)opf5FVjAcfX3pwliLug`UM*&RGty|Op_YbZ?kWLgs02#m@IBJs zEzGvuEHd9&dnf};(5|H-3=Mb+l~R>?SrEki9W?IWotC5SK%-;H@Z!$sV;k~{sGZq5 z#W`BTvSDKBbY1A|U~DQqf98T(q3>U#LtN(8}OQR`KzrFJXN+ zlilT#?Wb&N{oqudtwzr@roeig(b{2trh8v5JB=~rN9zI9z@YbM6_IS{C`IbPSA!4%%fgx&#)w{Imz za<>q;&oz18*B&dr(I;XmTeK#fde>IjJEBOiNL)W`?95i!pUw(nFj0|Xyr>H= z^ONsiTG|PZuQJlyEFx>V&$*UoYKd?ls502dZK>n_MockG%sQ{d+jTLc{G{5KBC~&yyt{-sdV( 
z{SyF@dNE0R_c;;g&TWIeyVvw}{(iNJfH0@Lh(v5bE(Ktkvx1n}LQ`5~>fBHVcr%k` zN{7r)z*rj2ndTgeAd73x-TEfKPVFWO9tw!OR%?QycmADyO|b5YC2aZP>G zhJwq6g2%?l*j*aEI(JkhcT_yvDYm(7P0OZfJqw}GsCYh%*tR#R!aY$R26AU#+){4}-A>e5N8!QK}o@ z<3!YS-UiGYys#5}(gB;Uf-fYDtiqns%w7@2mkdkYXaV9tb>@rZoKi97CI5;It!YD` zWa|U+;(p2-kVU)Ixiknnb<~oX778#7v$fNy{3fnwab=@_0Bc!nEsFWzi>0v)m6{rN z$of>5e{=VNL);K4e9^My3@UZu%+>1lN4J77 z8AWWWjyr%JqJs{zuT(pW^-j$RT#&VTa@95IdCYWW3H06U{4@m`K${Iz*8U91r#^)6 z9CTGJWZLXJ;oW{Pa~XKPQ_mkZ?Ht-T-iOZxzw{mYmvj5rAz64~x2ESpL?z4?N zYNy@1b%LZgXE1al>We+2`MC3uC>zh~2d_WcCYbL_D*AE(k^X#f9C0^n(v1q1h#B2+ zmM(-}@sXiVSiv5^xz~s-$<>wArl?*@TGNqVh$|GtrI9vsII9~^_iUzm{ivadG!2fh#473&Oiu6(6K{ z3lCIa_-l<>@>CzNeAnXVrLyKfAHcy4Qt}Ow!WAZm8Dzx&VPmw(^J;%zxxw{PI*-W{ z9RD49K>x*fyQ(kFzS6y(Kp#b9fBg~Ud!ep>$yAQDSiilt~A;-AcWt5-0O9ZL?r=AIdu2)LINCWym2OosOJ-H{CO*xDAdSg(~h zW}V^~GYBMe3xAYrE4_+DdaSwXCltPDnC8|Eou3N9}_hE5JwUy+oK2uNa- ztLBs58FJ!FWPNYs)|r>2#kOY|AA5dpV0F)r6%iLhV(|}(Assa91nVtNPGf3gAfb*H z0&KHlc~PErpqYK~if%cFHJ?Z5=gk<&U~s*b)>zW=f~LE3_x!26rgw>PM<1I>M5??N z(^oogLXgrp73P-5N=z|B?jQRFaAZ$&^%<{>V6u}B<>$@00u4-cYc6K;p#ZJsHpY$B z_+7AmHs+jIE!P(F*u~2#q(6;kxYIE74S?kKQ5dKDRuwlodN+~P`N);R!cgm4LSr!` zO=1^6X^F|H_8by&yaiR0!jxi3jlisxI>P*uF>n-PpZoBTauOg_g(oFuG7K3LfrQu2 zY{~vm*TJDt??Ynv9_x&va}8gq~i+kQ+AJMNHN9Z>vB zj})$dWZ6}%jt7hFCzYo}j>?!lmYIt63#MQF9tW;}^e)0hx8T5&+IqnP=Wjes#o^m~ zaG1c60?bd%A;UXOvh}I(%~Epl?w^jZ{=+-$fA#9tl1K1x%BbH@$4yjby>e;927Tma6>!%t4x&qplHyX2x7E?v0-HJ&3a;Oo)a+EO@_bO~kA={eb zbw(X1Y#^hXq{3*UN%AJ0849r)qLJj%VwuEKY>kp&s7i&A(v6x(GOS8uRe*~Yu3MUK zzGMbSWhWYLb5r|K75Yag$5yy7$zj)#Ed-IxaH=; zVsql(RXE0HP*i&W9NQwx{7xrqGA1~vixrV>MUm@D33i$& z=?Cm$HR*51=-h`rqoT?V2{%OOEDEpV4iQh-&$1k`SzUiVSoegNR{?L%^ACpb=zPm= zu5nE($IJ})tI4&Ii7OdM?erzuVf8uCapDrn(E2rOUS=Hon46C<*OexHYo2l7TBh!c zCN$VgHP>~Te7lX0kl>@aCSY}062%ioLsK24{1y!16)CIK)%peW80lkmefN|?W?mSO zEX|Lt(>=Omr=9}3I?~lfNd@+m@c&ZRR4hoZcb*5c-UIhy^ zf1Lp14fO@0@SdhIm5}9F-ua%cP`b0Dr*58Ua5#Kgm+m`yaz$BqF|?VPUkYI#US<|8 
zc?Wi`%!QQA>2xa%ub0lIE68J>vgyUr#FN3ZZci}9>x>#a0s!SK19nimWlvdJe14G0F?z(-x$tL4iq}z{Ot=CQ?ddE@51VP@Zl@_jxjvkX*;3^wZF>_HM*Wg8$5edc0J=GH z5A3V7Kf$7gL;%cXtZ^FNAg77oF`9&EKFb>(Q;Gz(%aALq^}eBC0urRi%qBC|ncU)L(8TShM{Azo;XIDrzr4F+8MZH~-@-jC zc+NLpj30!>!#jVM?y(&`=Dc^^Gf&|voyH1p4ZnfZjR2r+!1qKEz_8AueOcY$lt=!Q zHucT`MjL~n@4^~CDyk6QHOJn#1jgSTaHy=Zg1m;sxTo5dpc)6>by>kccoOeAAy8qF zV#ZEkM^Vr|zR172uqhfFvZEdDP+`Kz6*rE4{aI3k2<{7#I3Uo*q`bs?1Yg->japtX zA0R{4r3MTJt5A}ddC3Sh2rkjX{J~y=YC)ARDiVXH4ndbMOrnfl)=UytOQ2Y#`zh$R zLKf=O+EQ+z*JO>1)?O*tVhlAC87!irJ;T;yicCd;k~3OWTo4FcMd|Q_Vf)=m9^1;2 zb|)Tih0X0vXIEP~e5n))K`TK*KgxYA%<{TyrvWhG>upAYC@gP)ZZ~GJm-wY0RLdDm z^MI*scNfcpPrRqZ;~W3T#U&k&en=$xK_>D@NRU>nDarMA3^5YXN-)k8#@Xx7*K407 zL&T*kV+jId*6Kuw7n;As{;-%v+|IIc1t!l-TyDz+vio&fJqPC+(u02Ap4OKme4{8* zU=IL!NiGPk)>Sk?w;UrXRfV;b0OvkW!fR8K!By`_lpgruHpeNQ!f2woXXa>*nyg#= z@L;Ft=Wc$i-gx~radZkBt&UMYrOp}a_GJUZ3OQt@%N+R9dEM2#p=P%6@N(PKonDvh zeOEUS#>!siWQCnx+GsWJM|qJobXqtDtqX99W7Y=IS=#VMs3K!@EWJar#nIka;EB9J z@m%B5$XtWgbz4hQli%09wQdSx4$vQhfVvSO`;*BXEL&9V1wb(G(U?rwjXF!{%aMB0 z<&Agj_oeIZ;-5uCzxN2}g4kNJ++V&2leYEa#wBxSbn|d$Q%=^44V+_j_o&Yv+W?R- zt=*g`X)JG|dxdue^||<5H~03O^PNrjk+m%hE=}6KGBo5)?$6%szSf(}L;OMcqAofm zqXkxzElHIf#V&Ip@xv)guQyz2XSDNRF?wUvDvgCpS&)=*D8FfvZao6`Bs!#l_Cre6 zL~PE$_iV%~CcSmM*|R98|K32Pl-4!b->q;>O3nVZ!cE}M7rm4HoqOFvNfcTt`!^F- z)5rj4a(5_~{%w~2ZHekR(F&SOwm^U*-hSpt`O+Dw#~S&n^#4`1Hs_E$3m|}iTHuoj z=&1oV9yqILyX)9mQM^*Pz`#o3V2p$`8`7}Qr1HWjJOM&XMDj;tayny6gz+qSN)jX# zg$M;bLnI3zr5PRsh?X)q+BKXdaPjW7b*ui@68_+T0yBbG)9I!o@)vFXw>_4#yyiQu zPyXlmzrN1+1L9wPSY1wKqQ`ln1B1bdDgu%Ds`;jip;P@oVvMoo{@sWcLSOV)|g!^IkFDL=@2S?QS zh(C*%{z2o$p1MadN0F3yF-KGvd58}!GXQe&mU;1eT`&p~PyIr_sRkZ94x5c)^+SOC zG&`EQDR~SPiCw1^)*Dqzq}&|!AJDXNM=iVGS|()s&bgp@d>oTZ-_L=5!8t9`Gfj0* z1*r^PVH;GgX1Wadb3Wp8?8_2-#fpr*&yowT>)Fo!MNBjI9gE#oPmWf~MEGFMa1{CY zWr4|OA?kn~YIl3Zb4zry1*$(`cF}-c_UXniJeYWjbY|U*5cA?KZ3b_pXeAFk)rCL1 zxXpdcCS0eAR?aieuQ(>k;hy4C&I|XnSQ@EWHOjy+e+rHngX~bF$=TLv8#Cr&b=$=) zXjOfhsvG;508NY<--_~4JH~F*y7-vPpYGlZ9Gx)hC{I$uJjULEAI{^fE~5b8w+fSP 
zae1Lw7!lTWha3U4ebASGHGM(w}NW(^;_ z+4}j6$B=K`o7!|tjovbTI;H_G2j$%UVHj?kb`il?0dZxTzIwV|Wr#lepFFf%a&OKE|bc%d%?kGci zV8YI>-b*V0p$074wZ^Vp^1R>VK^|^B;VRsFf?9!K6nI22;6|5h-D<-l4FH; z7chdW3?u=w>oX%p!>uv~c}X1dm6y2XU91^#NA+SLGXbw%J%bDh4t4v?#`u%t&CP_A1G_M86eaWouBlMQ( zKRV5N7CLk0gAj*I^67d#h_zRl*`D8EaxCatt^G@RQ$}|IO9f!kEqjSJd+Fqe?_4jq z=YEj@X@k>r2f}0c6A^oQ+GUdrr?D6m15-ySB~f(a;YGr6FGQ^u>^J>4Y?smNp|H=m zFs!lmvUD(+e{=PVIg(+`*(U~Pl;{al&r-g$a*RB2J zYgoLVU|wXKbOCVN4`ul>)0qLM{i{I>nTMME6IBtE~$ zlBJzPdN-WmwvL_Gu$s2Mb86a~Zt02G#F=ZvU%!p9&F#(YXmrtyy$o#u(9|w32)fE! ztPo{rI|yxRq&y+cRLfi;n@d6ARR^G$8l;iMno^ z&!Gx=9NPfqC1K|1>#z^Y+M%`D!aTq9tClzDdu`D8MOpbISaWX24`{#M6BG}qAk=@`Jt=&#i#YhjN@ zb?NaZEzGTJ5U%2mT21MdOcK$VD1z;D$>@cg$Uy;^&PqL=im1Qx*8UC5edlmLq!%~KAr_sfb;KL6dBbC3`gZ60zbO?fvF!9E`@ccz z{?->)Ldy$NG28L=h9(ZL20GnQ#IM*O7?CXfMu%7Hi#^(w1$uW$p049i)ZUQ*>(L*`(c_v9&OVR<-M` zda-ZCS1Zv+(}_=Ov!z@(Qd8yCu2t9h!uY~iIm_O?MpB<)_=tP^+&lKkKl3@8P6gxx zzz5vFRLo358$h`hcNnk%I%da|j%vT1WXFnNz{k~c20*F#LlB}*NsQ-%squ#-%zS0X z#?@GlQK+--rO*(LRg6EDVepmy@h$4C`6>@yzCxoI4`hqH*hM$vsJ>dG8uuMB_0;cK zQM2#fKzs9|-9Zi&o*?_G4|F-I4JxvIbTK)|Nh&aTs`q%{`)c<9KJa~wdr)wN$@jvj z<@dyxax-3%<8fp{q3Fyqqj+<-aVA`7ya$vx8`|sk+8m>9tl`7+_sGK@9)}Ej^2+Ws zxZae@FK_IZ;CB- znnMiNq|4#7H#zMAn-_sCwdGA?14XrG=T3$@I=D#-BVOv9Gn%I%eTI@y@dT^!7ob|Z zvIrx3JSJtGbh@o}V-0xju1+>%GaWvpF{1Uy$J#FI(p~1H?-I4ByBx6=vL?j+j5ZsP z&zm(E38^d1EM2)sPe}`Ra~2unaxb`dt?08grRA7!a8lENoavIMwnpZ`J!tHrq2?rN zD#;CGItUBw+kt1*8dU2sY|Lp>I0jiQg;Lw$!n?7pT2Uf1PWv(1P5YYF)Ph@{JXUAp z#l!~`=-Fv|lQNr)vOF_hFP`q9drmf-r#K^o@>t~anJ-&^d-;GX9^RpZnXjP~q9KQ= zO?7Qi4(k&@sFLz2y>{zkT}YcVZ?YFhx<{tBh(UpyfXj&I`uhLj>Ybu9iMn>}*tTtS zY}-kvV|HxYPi%DZ#I|kQwr#t^PV(p7dw*lR-+xdCYt%^{%vx*Keb4(U56TI7a@xQn zq~DJ1M;xdHFS!ya*Rnua2pII z(zAb#RN=#}4*6q-syegS#mhaVl5uC5E-hB091&X%1n@#x@&Sgb?C!>y5n1kAx&XzW zVh~IRC3t?J=9HIhNL6;9U+x;MK8nM*h%*O}xJ*{uQGub9nG4J@u((W?+;Q-SCr*k| z{K7G+9GruN>7q+={e2R1oeT$_p?9ai%>J+%r8FyJPDz|K_lik9p>AdpRyi}IP?p<>nKl&tNyBe$Y 
zRji$?&6dB8cvJQ-*`q--#W+S^R;NT(Kss|lvQTe&ueN^S-4b&KRmJS;eKqK@BaG2Umk@}QlCqx!Uj&m8ZqH#9pZf)dEYk>rtcvzR!Nu2+89*th1JAHoMl{2>t zTOcd{#lupdE+7eK@Og5Qjew#8{9#|FPL#EB)e4ZVOk=l_7P!2^B6gK*XeQc3FrS-l zJHhw8SYQ8Hs3DecnI{}XLAU61WTWayqnPC)cq3+H@`ZFBVbz^!|0I|78$ zfD4L;Xuo4NOoykZ%BmaM@XmLSn?aC8U+DZV==EBZugwUzbKA;{pYJnT;dOSyt?P5P zgc!hmN9%c* z20sD^kNbF}8lw;A#As#R;g;ZV!lDy|l9Z9u1<7j2o7^2V%g4#SXr=T-nf^S9U$zw* zeUs5f(Ya-HXHloO9IP>DOQ1_mvuj=#c?$5?Y4aq_nyEYyc{W()@>!RCuPZg*EYnzs z5}G?(-;L@cidJtbsbW5u9p{ub*OA!+R3QT1LUGo50<9lC-T>4ZNM%0Y%b zi*<)xYsWlWU-g>LS{m$D7B4JLYv5~SKKe{SHADKVHcpn1tsrUG1L`F=4KM0T)WM%VrH^g)^ zB6o{NzoC-tXk#6nLuqrskKY*x-Uh@%c;*4opW_jc+FnT3USL#SX$-k#%=jhj_{G?B zC_$Kh9`Kvi{BjGaU!n01s&9b}1!0tmtGLB6bNKTwI$`E{K2DzLrX)uU!XvW-nJp6K zDC|~nTn$tm_qf6|wIv z%cC_zwVQf#z>REk!flrL8eNZMld0XnL)gXXCE4uA)JBQ@X9a2Y?eiddfHX-qjAY%#VsjUm`^SCjy4wS6eLP*wCU%@b4+Oc4dk_F;*wHyeOk= zRNU+hNIK@*x=8QR7uf&qJAjU+YB>KF*Kz%w!JY`2EO!5f&cu9QI3Pg1MLYnE#& z35M`qmIjMutHCR-=BBRhBjojwCZ=*Hc`ImL}A ze)PH}?cpr&_d*c%cX_8_9x}8%&Z=M+!m9o1!YNOWIP{ zYV?0+j;gZn$UXn_m{2ev|9LRrtSROH%aZ?R+3;l=@IP7d|8twcZU6r@N&i{?5``r! 
z{f6E=e=7t0!1zoGAngo3AS+2vX~6(vWW8c<~3`j5%Br>hL{_S ziOF)PHmDp9WT#xJphHVdHkY8C5@*35;(!`jcSV#FXBlCBTm|L;95&{z5K}sMgPw$8 zw)ENB4o;B)^Msxz+_9wPg7?jOh~?Us*%DGp zbd+ib_ARdSHY)&tlyd!1%0En|bY0ab{AvZei8jVi=9UW99&#q!gk%d58&_c$|EHCY zV9I4iM;y92)}1BAHh1I&JQC9gDqu&xXp^~fhO(|X$iPE)==N60A*1B!RCH$&4prAlWS%4jK(%Gb}QaKrKx zEVjv~ZQ)S)XE$bfB4cj90^?BURr@FM!QH4PtB{8~25yg&f$lSfmmzN!nL{10i@w8E@i^ zZL1Q|k1KpmhcOUp%A`V+F>Gcce|sp{Vaime=w>k?t|J_K;e!~0g;tDQEPerD<=C0e z7Nw-?OL(Kpim(MAG2#?31w%6bP11?lom%kPk7g4IeJ-`t&Dsh5gCZA5puU9G44V`O zIIg$_H>CyYD>}U)#67lpzr;M-qd48ue~mQ$r=UA465AIsZ_~rc~Z!wR9Whk;quJ&;Z7>QG*Q9 zSrqBb+kn5w9iwYVB=&V#TN<{r%rt&Fa!1^&UWlMX=YVoh( z?u|#QW%x2Xj;$p-8A4f-0245!x@zN~JhTm!Z)&y zAIz)guYcKW4N9~UXcWVy5)w1inK?L=_Y~^+6M%n{*|wlu;D*Z#V((e_k?tB&;cbbG zP1rDqML`P=1xTV6Nwy3?mHxa!{?9)Bf4AudCfjJx|A&A2Pu&V(TYQZ`gMfsgf7h)9 zz}f@j2-B~}1gJ#?9vT7?pk9*x$HW;KG-|eyG`}!Z7+*fRaox~e9*T=?BW(@ha!6L^ zYD<5XQ{B4`X5A}57EQEsQNK3-?{dD<*OTWPzwg^lPL+VUnOj4~R&9jP`$@(_*3D+O z^ZWGm&{sA9RG4o&sSeV;I+v2P0Nof3AdgF`87*^v@2PL2PoS?`tR#bjY%JQ3io3E~ ziU8@(@)*M0tr@_yHzDuRBER3$zu`^cqc-g2BM|LvYBS)=`kgPoA8RrBw*3wJZ$j?` zhBto)+#Eo6{`=V<_wvF`EJSjELzH-HjO$w4{{jo3_VlEQ&bfa!#EsiEmw$f%!2JVz zmV2SB@Ko)up~yt}Sy^bUdF*eEe;ghR3|>nK$+NAoJaqsv90=XWKSUee;`gbLpVU0E7v*)rjn#e+T#Y#r04#q_7O`R0kVyB8ny*IW$rn zB3pgYp>RlNe{C)^cyYSw$`!rdN`ioy1azg4Ct<1E?)J%h3iZlh_s11%L&yVbsB0{u<@{>npu&KhgS)wkVg z*ACWk{xGmqyQvCmjq4fj;|Nx<`ka3CbRnhti*Z)H$A+*%(#1XQcv44Sd&i-|9d}=z z%H>HmEu|ieQZlA@y|VMt)m6utak>(2f^g}|R|J<%hN{&Knk=awhcr*5O+K;wY~r>z?0_FW=?(7m~69$yvCB8;iFBY$hVl8C)_W^8&At_E725VfbhJPpy9kV$mq6 zd>3sSwe<=7$tob0vN@KZcnQ*BYT{f3Oku*3V9tg8YKlJ4Q_|Z<$xZ%sr(X_E->50?o|*nM&1tnJAh(=^3j*iiv{!VmPlyLU zW_ecf*bD}UW%_J9ih+z0=vD2Gb;Lf~>|}>xjWy!LiEfO43;mbpW=vIjCYXe|S&JHt z@@R3yY#xIZ@55j^RC;{7DF&6XZEou;=J(5SbpP&kuQ<}CP0&Kb{+z1F&$$oK=MZn!ZVdX7kIAD%>{jK{prz7_ z;iQ}34ofsYip#aGPRC>7FjPH#_vJsmt&0)CXxOq+kyr|F9|!xxK65A?4I%y;cf!`PI!c71B!Z>{ z{996|l_`?qfz`EN=^o_T{WOXAc4vw3#}*9Q!P(#dMN8>`(@I9p15XWDYUbOZNzELQ 
zRr{IyP|&kNx=E0&Gq-yhB$xD6_5DIe$61Kk`1}A+2(La^eE*{OnT_14$y=(G88nKLqu<%;CIfZ9*x-mP;|h)G5?cAQ?5*m9_Dz>T!ZQnu*w_65lmm z-<`2)mF=P|wcO@v{xpQ!7YU)A4T4i~2-7e`h%s2afDSF$V-`H8)Z%I0!>JC5j$3#} zC;h~~#4+`SwJTww8_-nRsR{V9}Uz5n_zGUsWXi|hYY;M<$}lOUjG8ew5Gr;*+n<4!T0Y0tY2=IkNwMg8uTHhQ^? zBg@|4bgq@%6Z4)CIN_OTd+uxmRQr8E{p^j6W>S&B%C(!g|HRI#= z-!b%MG!JfFVI^Sk(e&9|Y;ltJY*{IsUVWhebtc5;2)>vD^X?fj;9IYigsFwNrK=oM zn=1rCH)2Jnz8t!tliPLXtLkHR1lF;~Ye+%Ani;le)6y@_gEh-n74@q4*7M3LI2L}w zZp>DS5gh}MTie+@fd!)^OaBNV-~M!jklZp1li!=}H~O~qGNazi1~Sd-;X^&+l@eG2 zsMD>i)b*;oVhxv~0%Ay1+Bgrk`{MN+qO$r~B;__n+MRM58RX!ZzQkETQcEH*=-43^dU&AMAoh%?-Ce8zD@BpA`V0s|hp z%iMN}c@8&it!{O>P6%SkMFm)K_V9Fide4C*?4=)VK05fSuGp^oR zQYrcg*3d`aUo0nIE*OYrc||#tr4fwWC zdlAe+9*aFDDILHcU^fQ=jCUS#!yB-hp>)O~l7g|*=VgI^*h#y{3-dh~hI2<8q-b_x z`cTR#9hWhXz0pi64o{P{l4m*mq`E4O>0<2;i`mUJMMo0#+0{yntkIs9dkD+y z5SJK^iwShNq6VlvMU}6NOl8=z&Y&rY)=_HlI2N7Ks50q$JD@VrICYa8f%nS$ZU+18FQXm$qi`;$)4@6TsJay7!a}*syJs~33eIY4IP&DtmMsTruOaK2 zOQ5-lbUrjRV5FIFwRf0s_J{%jqvPOmp<4`2vXl3Ms0NRb<) ztuQ)idT7t}RvJD3b6dVkVl&@}wU@80Z-N2IS0^W_6%f<~_Y^KAX+Z~fy`LTZ4o74l z-}n9^Eb49yP%`l;-6i*#L|WF3yD)9$Tgu;ndot_^RJtt-1Q&fn$cehbeq{M=ExKbs z%+#a^Z6}IOEzHMhFE-g-_t#|QzT59fOz`n}9)ZnYLxv%Rq@oHxUxF2tBT7JWnXr6!WNv-^( z_{emb0H)cZe#qkaF;WDjG4v>UsL`L`_t%DB{5tB^e2-U)t z1D6GW&$o!}_4os4WFw#J!Y_>W*(jpp`V7s`h$H?Y7VS>)C8STtb;_r*ekBc0J@4$fF579KbGih^IU3J! 
zA$~1<&?>iCI9H568{Xjh7EFeFYjNz&OcAN$C7p*SNO@)~N56la&87ZK@1Rou*_lQQ zQ1`=lfMMm(xv*hk^@VVM?Yi64CVh&EE6Tl}<_vC(XomAIN>@yCSM?Zc^CCz#31y%9 z@ao`?Yp=C1J%(97H={qeM26WlsK;8Ldc!=r)Skx<@jaqUkmEI;utN?}ZYR26nIn)) zO)7o*ZeitYefo;cr$woBdzWOd+OBT>0D3nr=V&Lz?l1z+VCnZbMDYx`#g2`d=b~f3 z)fQsymo(e+6Q_s6guKJ!w9P53F~Zvfxp#TId*QLPQS?I5X}g6qyk7Emk6~XT$P%VC zZeMNS8F)22pq**}A0+_v{09hf>mC41AuXaBmp!<>8^w#ZtXbrrS=Y1>B!bYV3DF*>Cy5 z!IfC0&nN=~x)KppU0SVj?RLuod_zs-c<8u|!jtH!5$>A#5)ttAjz--VWB|XtM)K`d zD0W<-`vp<6=ig~?kOk>-_C$1E>JMJ#@6>XqO_^>J+3Y%iY1LHgCG=5L0+_o2mGzBk3YB zo@=dK-IBa_Eii^yw?e~SBVp;5=2uCT znfym4;ZPT)7(!I}CbX&^Jy$%MjW_b&)@|?P`Qwk9Wn6#k6N&5$%Qm|eS>yXS(4j3- zxgluNI%G|a&~>1)Svvpiu>3a4;To)MDkl%!`fJ5vBN=zRdKFE$0tB=R4m?Fd7ec4& z=i)|QoXVgD3383+BQqmayXI%f@I^5o5=WeC+%g?Hm{=;DlPK-;z8(|!BOd1Ez{=oI z#=#I$XVfe)q42H0Mh{NQzu&C|($=8zhfpYy53n(};nu64q@h+kH7mo=A2|Z~72TN~ z;agBAy7JTA^V9873rvXrR4x0FD3^ReCNv~rGff9Xp=oUnb=8Vv@g3d~NJkin{|jV@ zOEjoRqL~DR?}tDYEPTLm6Z=P=DEf}W)i20BrY{zI?U%#gRJQZKt2Csj5!)OM1Z0@* z|1=pt=dl4YRS_cGKE|z+{xR=Xo1Nv#p>`#`N86&(WXR5uSim&{l2l2d^ccuK(CxQGw4%rUb zv=7L#kZy5^;}%wH7AS~r4%m*KAztM%B4v2>27tc04CLlx=8@6zfA82W#uj{i znuh^wE^y3IhiEZ!uH{Bgj%kfY_pqapaIdOxL3De3DuNB-N=;Dx zO~Vf^+T#x#`nirViW44ricOu;;aJw4;w2A5aB{BgKh3Zn+VED+UFw*1hn;;tg{}BxD_wfPM+6q*bwr9a3=c`A9=802Q%Pl5vM(5JVR6gv#x%`HqDnUEo zm|IMc{GdrCOjwnL-e~ktCC);sTGpKb#U@T1)PSvPe5@jy)iAkoObd%bHJkBrq{Act zZY1z-SCKv=oOVY)tJ{ump;c~RV<2A7(A%jAH%4o2xD~gB9Z6(=s3h&efX)F2i4AiJ z+L$H0+1$Fo)(XzM%r-_x*_*xCG1#&Zk4Fe6W(dEdS+oX;Z4(S?qHNZqXnk^C_9}IeMcqVn6WCJYu6fV`sT2K&T6!~MBTtqT0_)j4k_EFx+$Ax zD=V69g;i8KBWXoB4@RZzrL8Hm&D!`6U9fCOGa8IFHR4U%CW^_SLHt^9j_f@E(=e-XODP4vT^)ZFzDwc66GK7#72|9tHyRfn2ICWzj|I zrfWQw94CAeUOR8I_FR)Fj50m>l$k{qF5>vjU@qS_Q81p0prL)UxwwyvY)!B%8IzFr zpRom6xzyt%8v>i5c^lGD03+> z8Nl#@GzVGds^%h%`*_mGqe8=edzBbW7qK)TDn6EY7dJPcquQBcqV0s6kUXABHx5No z0Y`~2n?UTV#xcj@|FHv_)S-;?%d9(=5LZ_%L)%FfjYAHUU%NK#qFCcS)A5qk;;UOB zatlI7g)_wn&$&lU9Q~Yd*vZ)vL!GiwDg&0646n`7(``jYZnKh`@)rIux~zvTupG2{ zUC)jH4|t!OrBP6uODSx9^(Zjv)00NBMAtzp`MIeE$Ihgitu6qZ%&40xz`8{GdedG^ 
z7J9W&j~2J4=18SsM6^cvsqj{HT4L6jXVB27aT8;?EO!dvz~*Af^rRcv#u}@B&b2I8Rd^>4V}TL38%Z5d{ImN|u|(vr26%y9ZhmDkb54zG#lu zXLV$@i}P(kmno-k?EosVE(wCcJH@CbsWmfXX*F&uu%r#%5=lvR@8>&
FthV|n}K8`HchILSWFRVJ(jmE6!=!>lMdWy zOq>86?MQMSFbj{7^;V5^=gR3DnIx|%~7x=C6y9ubC{u--)=_Z4JbTL6T(P;N`W@MDLi4k(%y2d$pfaK|Humbwf;AEDXzNuQOeK$~p(?L@Vt#YIAS#=P zjujVqbGquQ;e+jT;j45-GGOo(UiJK(}W2YqbEU-V)fixa{UhbTd!FG zmQN);Qi#xzN)M7O?j8=jr(;H~ubCeXeHbt7DMfp`zQ+YpuV-h3znDHc&tiwFVnvW) zpBy_Kaw}(eOVzZ5yk;2zLG8!pd068DHMr=P32+t%yY00u4rxMU;O)J_nE!U!s|x{- zE=2`j>>(AW?8~piacNfrG{K?WvPizz*+qqzNXuYQrFQoSVAZ-`vz(S=J=WkCIjAPTmKQQ=Bd|*Y+90e@$L(++~@Wh^FFbb*)Si3_A-i zH-up!v}kr5>Gj4iR-q8rIBcg^lgLuiFR)Ut_-LZ`>)@)#^jH0nWgjPD}bn1oBBK*OIP@oBUzJyl(};Iv zqCikM5WO|{-W#Y?WNr47FP~huy5gMGEKFVdF6YiY1fyEw+gtNjCZrpd+^xX0Yi6}E zVXA4tW^~!r%{k@LFtN&4sqHayd3SI*7Bev?G*;-iJaAH3`!3l zl{+Z%kYtjwyBU0xSn47Ca*Wsb2r6ex^cGb9c%}LvO%pD+*v;veB4_%@R;Zx;jot!&jw{7gAWvt+NVBohHWP z7DkEi{;Eb+X`Hpt#i-dus{IfUjWha$d8@yw+5H-L#AypIyC8X-0mpY2I^z1PBBHX^ zaClxITCC4okRrMAtfH)<i1z{|=9`iTzE3N_-ZXsi{4~psatYe!BJuO= z`H<;4uc4xg(-f7)45sRM<=@Luw`dh(Up{!qtAcR?@kyM$BL!*I^|=n%ZI1N(MYP0sy0x*a?2X;BX~uC(pqh~QLmmCU1mCIBIX10x z*krHBqs`E7Y4~t)Ldt^HWlTncivjQMz3$4fcmB$N806FP_uXd0{<}ZOeEApH-#M>TVxwl8cj!-ID@#wcQu>f?&Gc}8( zvOrFJ73W}=|0k>$O8~Dk3mI-rQX6Tp4G4_QZacm#fh_nBMo3-gEUiNXBS$99&68du z;)D;%49JeWw$M6-K>V)8-0sf2eetFZwJX|tj5cCXSu9Vp6%X*S&GNB6H|*otw-2Jh z8zwM-Z)12_UOyB%o=$vk!cZV{0Fk!S;o`d~I13NtG8IW0a&sC)$E3IpB2#4m@$$e7 z{w~*?JNiEkSVseI2`LJ|_XKY5J=zLQa@pob z+vg@kitD_baN`e>Usrzq#V@{!I15sL4cvmMkmZ$d_dz@1R?u*Mbl-Iw~(t8Ngh8T zL7$w1=iXsbc1VK-MQ45FskKU4Kq7Ybe7rJFX5C+P--uS`p4(!!_w*ir?8pioYMhSz z7ZtL=L>!UJTFEr z&Hkn7-;(1n5le)wM}+jlQ~G7;h%mbf)%qpa6;;QvTRKcp3bYK^{wCtWyz2U;`H2fj zqP@Ioy}`0O%-M89uWw7*U0y=ImC3Tnr1MzV3ILMlA5K8jbe5Tz%^p0+hYkb^i+(Uo zM7*7(SmZ(LEh=gBrkQnl%e-0x4jFYD>MP@#i?ONL1(Z`4J*bF^H$kTV9sdR8xzsK^ z0jvK9lidW>Tl8yQ{V{-w%$cGPYqkcI=nE;=lUVp6hX(QsK54_=g2y+vvkqb%;-}pQ z{RjTjv6K+#8#f&w#f_|3{o!zIBS9ZV;g2_ zvO+z60ZyIVTD~Q59f3SoEgbLd79&MkL9HD1@?O?dR?8RzXPXn!sA|8t3dBMZ(Ke5<0g(7@SbY9L?=4S4H?4^Z}j z852i$iRff;wFFeXs3@4-3XF@%lSK-zk=Znot* zNv+#xW9_W}v_ zk%!h%j3Nb`m>NWl*n^Ec7q%aJHfy?iR+s{bvK%!Q^aLkZMsti(FzULJl8Vaq?~?Ijj?`d?X}yO01khVNJB? 
zlgpP$t!^_kuH)mPbLL_MYPY~~yTeUW&m34=G3+uDshDxiTzGVOB&Z=zT@>jM z5aL%X@n#B-kY{@#N$}*@^HYlexdA*DJ^z)@`;Uh!HD`920Gvpc1S}voCpPJgr_iJa zs;x7c((Y4-596VegQ6oqeIZ_HCfm4YYz>_jyg+;=iIdC?Lf_^^yBE`oZa};^pKS9v zUkjW}Pu>U#`GJ=1uaQ*eCQ=y}$BSr%I@7Aor-l_7k|H9ST9(f<6gy~S>&-j-9sm#J ze$GH>YZCa3*Fkd604$rGZrC}e8TML-HJ>Cj75DO&tk`H& z-n6&{ePKcL=OJV9YYP8Rt)odRb*o?XT>w>EgDPif*kyP72yE*y3r3&Ne39)w6u$nT5wU?~xt>eXA(vWYG0%zi9AWs| z(B|{bCt{t<1PHNtO-S(A6=V>eA&Fjx_3`m-n&MnIw-r4pVq;1^kBWPt_=E@ZxWl;R<{HB#=RWfU zLoBe2meNcZWZu6bA)vQH(I_<=jss(i4i{|2Z3Rnl0Gcd4<3XhM-SohWEOKhLS!Tj1;eqJ%fJeJL|JL|^+s!jW$^G^;OY>BPig}hv zI-S8ny7mN|t!n{Y2|O;#koY(F|Lp>JQ0=Q4e1pF6;6Xt6fCy%IK(Pr5z;~k49ZwD8 z6A3|{HSIVskAtd81_2Wcv8vgUkzICS(O^uXEW(oB%^x-m!_2`fT>LBOruxYH_XWJI zuAD~B2jM4@Yfb=(No|o<|Gw_in)!`A;62m#<)G#_0NMdkNSZrrgDjacbBJ)eQo1!t ziL#PxswC%bP5>6SQbuzGFpR=^_lnXjoXqtMeOm;9+zeGK5bWqPM9tUfNwQD6^CdmF zLgs|V6?uv?a9t&Op4#%!zmYXVyumeqj)v8%NwuW{| z{BSUnRfB^DmO()V;FV8gM|+gs{;MXv+?3}JSl8;Kh4Y|GSQ$H|cpV~9^eV#eIcf|( zVUVh=c^Yvh@O0XZICJ3qZm(^*D&1wkMJ~CuC&^31mJH(#(Uhwq$z{l`{`~;|VXb6i zl(w(>32}6-Eq+G>-i>S@OL_b}#nZWnui)xvAE4K-ufgOAD0d)uYLJ{_D0Sz^?zaG7 z`vz1D*_v_kmf=zn9f=s22jgFEdqL{A>*$s15Yr-Si?&wRCfJu915r2Q=& zJVltL`sp+EjFg*C&i-0drYl2z&&TkY_|MPOyS9c=FDY=ng{2a z65H(bYl!DI4rbV1py_6oK~Z2!;pI3d=tC47nX2qBUq4B4?@d*K|3fPX3>XulqR_&* zxu+8EjbXKEqwKo=Ig_MsPhZ19mVIx=7HTPaJ>tu<5#q~=5j!S6&g$oiH3(P}5W*$0 z`vjE?5J%AGvY?F~zy>!L7rzaomdku)*6HyF>-m$~^I0V)%Bcqtfs=&LFx>EC9@Qi? 
zr&ctG4S{K|jaD8eU=KyrREEE%V)VK5oHUGlJ=i~`#Gq+HY!gCqv0jCmjSC$s}Z zh@8KZwm_}2D=pFbBdvZ$(XF$Qh5JVqLC3en|6&mS=g0(Rbz*jYH+duts~r#jJrC8~ zTkD+qeWM)e|AkqI09T6W$|wRYdhJ(kb(nd6yU<3c?HF(zqa|=?EEI_8i|l=XmMd-S zmX71=9t zMoz@1b^F+kIzZt*7!YoVlSX%Sr_pKPT%t_#-tUB0(N=<>`~$CkFPkD}(A7=%B%H*v za_#-&w4YCKyI9>#C*RCY>)wM^;8d$Dmpr5~wn1~2C7g}d&RBIQKbDfALUXPzk|Q+a z=TVG#H*GV+-s_P%hcp|)GrU|A9|9Zo0Y5)6Uh4LhEC6Y}X-H-I59t?^dD%V@I1bf- z1|Q#!{#NS|A)*_D%?d7*XV>R$43kI52IB+Mgz8z*xpGO`gZ9*8=Vd>E-ev^4u0&fQ z)8|Bzz}cG3b7@w#H9tW~^c?=L5_fZm0jHq=7wsPc68S$Z;zBLzPe$oc$z(Zg~P$mP_9L}wCKF{dp5*1(vv9iH&&?>x4azsnv`+J%mm3M-mn)aR^D3*-^TMxP4 zC4qJJV*kGn*oGlH_5Z;!{HMsp=CF>>znKj_-v{phO&ab_;RCOI(EzK`LBjelA{D|Y z@Th;#B5V^mS6dV`7nV#`)@;fFc|v(#{nL#>$z@ME=5Iw`1w#1?&hExARJDDM#lNp7 z+P;Tg+h(%8pFaQI*fW6?I{qHkn#{^K)0f0?Ccwo-!!l*q)drDkoxY1mWpJ*9Sw+NU zRp(iTs-1RJ8HN%}VgZCJ#AZgLG;`k*wBWv7-Td`(2{mLe*G^I$`sH4sU9P*NqSc_T z60?p%8rM~3P`sT?WoJymWm)10E&RTBTMJm zpvZT2?9ED^-UzTT!_DuyH2wo`HbAG69!@}T-762@hM74K9%$G(;TT5hNrpRg+yU2o z2RV`g7rAN}?jcjUOVn+Y`W)@D;$e{*7xQDxg7{$vM;oqw(> zB(?nXTDJzc)TBfGHW$Ur{MAsL!0@2wvCXGnrrw0){{QuLCE!r4eSEB0Ci}jVZ7kWc z3~>$DmMmRdM3M|DvS!y9MY?vUE3(tom766#xyUvqODIbpk*q~>sjgcR`rb1w=J4F_ zeV%z{<~hILe|i7!`=0ZjGynfQRh-@Wn-M=YH#)t=zTVntmDi~#wN}J3te4Disib+h zo4xS&_iG;_)4a6LtlVvC>OA))?f1@UnH&yZg4+pk6EXqV;xFdlN+l1IAR0p znjL&_MktZfEut~4-D9zCO>cl_tEWSQ{)6gTka%&)ScXW3o8(l)cuAC4-lEslrTxiw z9g=G_rN?yDeJ?#v!d}_NUw2AsNnk$8<)?O|B!iu1St5a6H0Ij8g@@2j90Y0S#)yW) zcg#nE&6Goner^pQ@#U+k@ei?()GU`YyhC~hEt3z(;uMJuKjEF!wuq|MQnZGEmGq75bU$V<_NXR9QsXt3 z;0a~u?>uQjm#NT%mipL0$=Nxm?}-4-U}>+CL*hADX&T*gxu z7+V%X;@&!S7gwgwJKP$YxZL3s{i?~gd~wlko*}c^ZIw`vWI3~Ll$z&u^Dy?Twl%Y} zN;8WEv*wVJ_bihlG0&*B+EQM2WB>D8!N2rjni}#2eP5=t&YzN~>Tby&eKZuzGH>6l zhpl@o9cx>mlA!DJ+E2K!ko)#$Zma63_IRO&RsH+xDLL6$=jGX1o#Pw`+*t#O~zaZW%?^CQ?aQV3o8;*%}y8JUA{x^pOnw?y%Z&o?XHmDRwhF)Gv?H5|{w`z(54{tY|#f)@RC<+15EOv_cdJ5M}q6z9MgYGSzH!`9@9u(N#Y$J-a@6qLNQ{zs0O&)`OdO za^~Oh6s~C&9x5o}x}~2ocQ4>NUJzqYeu`X&Elv2OBwqWY`k)VqhFK7P z8n)%wwsv85b!MH^8yEv7E0L!-O 
z*a=q+1*5j?SUuVYCgFiLmlHqHiZPiJR7Z0CM~ozTALkFHxJr9>S47BU_E%)wY^jkv zSAlV`utpF#PQztoX}Yd$%5_ zvv8<3=%R&|eTxc<{<9Ma^_}PJ)MOn>-M#96{v{nflw5`}RafC>VR25;*$~iSyF!>< z^I}&{v#^SgMq4#zso_aS{cqf^WHwi?8*h%`#aMMjKFvK2P4#9p|M5afaM<=guFbAP z3(FCLS|6vgQbcTA1;t{plXvBA9Wk=x$3JPg@5jymCY=WT+WXy1J}JqWJQK-?K7Q?hCKkt=6?k`0&w;c*5=L~S zir5A)vc@*A(#@;>z&Hng_ANJWqfNPep!og|=bQ6zdRYTG$8*E#%Z@oJj<4FG3zm4@ z`kQtB*>+s&ki(hqZ@q9?)NhM6FnF98Od>A`_rKN}w;FzKWzUjeK;lKmhs|u8NAZuJ z@q4LTpQ!tu-YpBauSeJ1?7dD}QY?Wy=qV*g;%)3V-HK%lPn3--oZg_dSyx@xQFQ`Wj#JpGvB!~CL{ zL82bBtC{wn?SBe){wcpGPuswJFRgTq@5E6%pUs=@jwF^P}Bf!f051Bic+H$oH)fSKPc z09S)w8_Z}2pJ9e~&?!$}{Qo6#f8znuw{XiyVi*+5xKD}N1z4|7oTpbQ06qb)1K;VO zBqmXu2AX-m3-vKGL1~Okdx+%c@&Dxk76*VEMn58mbhO`ySZTY6;1Il@ZIFKeJ}Bf2 zJ{WuokHB3B@xh-DIdl3{h=0(R0%W_*f<(In=i9|NkD z5vor!0K72ND$cXVUXj@o6J(G_vjL*6fgrIkQIzODkU>N&pa-@aSDE=i;Eh+^GANW`)y5~g1^`)PL1FBD=ZXB9wDDj zhl1bi5u(OZ{ciwD0f84W26#1U>`v)b6iNz#<+G;9ENY##>WKGFf?78s3Oj2942J=5py39p z?R{y} zrUks$5m`Jbc+4XSYWz+u5HN5Nc(gabV?bpPVQT#1f&K5yXh6k4;ENgpzkUYbMWCvO zBGmYunhm?BIH*G13VV;ANW3jV1MC+xfx)~c~BSP2Lyg7lp-Hp zC0{T4=t&F2F>-*10pwuAQ(g_l0T1U^_}l*g`bnWJ diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 4a4216cc05..debd024022 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,5 @@ -#Fri Jun 01 13:23:16 CEST 2018 distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-4.8.1-all.zip zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-4.7-all.zip diff --git a/gradlew b/gradlew index 27309d9231..cccdd3d517 100755 --- a/gradlew +++ b/gradlew @@ -1,4 +1,4 @@ -#!/usr/bin/env bash +#!/usr/bin/env sh ############################################################################## ## 
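Review bot: The wrapper configuration points `distributionUrl` at a new Gradle archive but has no `distributionSha256Sum`, so the downloaded distribution is not checked against a known digest before it runs the build. The hunk shows the whole properties file, and the same commit also replaces a binary that appears to be the wrapper jar, so this is the natural place to pin the digest. Add `distributionSha256Sum=SHA256_OF_GRADLE_4_8_1_ALL_ZIP` (placeholder; take the value published by Gradle) next to the URL. The later bump to gradle-4.9 in PATCH 16 needs the same update.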
@@ -33,11 +33,11 @@ DEFAULT_JVM_OPTS="" # Use the maximum available, or set MAX_FD != -1 to use that value. MAX_FD="maximum" -warn ( ) { +warn () { echo "$*" } -die ( ) { +die () { echo echo "$*" echo @@ -154,11 +154,19 @@ if $cygwin ; then esac fi -# Split up the JVM_OPTS And GRADLE_OPTS values into an array, following the shell quoting and substitution rules -function splitJvmOpts() { - JVM_OPTS=("$@") +# Escape application args +save () { + for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done + echo " " } -eval splitJvmOpts $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS -JVM_OPTS[${#JVM_OPTS[*]}]="-Dorg.gradle.appname=$APP_BASE_NAME" +APP_ARGS=$(save "$@") -exec "$JAVACMD" "${JVM_OPTS[@]}" -classpath "$CLASSPATH" org.gradle.wrapper.GradleWrapperMain "$@" +# Collect all arguments for the java command, following the shell quoting and substitution rules +eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" + +# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong +if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then + cd "$(dirname "$0")" +fi + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat index f6d5974e72..e95643d6a2 100644 --- a/gradlew.bat +++ b/gradlew.bat @@ -49,7 +49,6 @@ goto fail @rem Get command-line arguments, handling Windows variants if not "%OS%" == "Windows_NT" goto win9xME_args -if "%@eval[2+2]" == "4" goto 4NT_args :win9xME_args @rem Slurp the command line arguments. @@ -60,11 +59,6 @@ set _SKIP=2 if "x%~1" == "x" goto execute set CMD_LINE_ARGS=%* -goto execute - -:4NT_args -@rem Get arguments from the 4NT Shell from JP Software -set CMD_LINE_ARGS=%$ :execute @rem Setup the command line From 85252fd5d29047a43c7a1a98e63de9da5cf6d919 Mon Sep 17 00:00:00 2001 
From: Lionel Montrieux Date: Fri, 22 Jun 2018 16:51:33 +0200 Subject: [PATCH 15/20] Use spring dependency management plugin --- build.gradle | 56 ++++++++++++++++++++++++++++++---------------------- 1 file changed, 32 insertions(+), 24 deletions(-) diff --git a/build.gradle b/build.gradle index 1b051caa2c..47a9b6d2c8 100644 --- a/build.gradle +++ b/build.gradle @@ -15,7 +15,7 @@ buildscript { } dependencies { - classpath "org.springframework.boot:spring-boot-gradle-plugin:$springBootVersion" + classpath "org.springframework.boot:spring-boot-gradle-plugin" classpath 'org.yaml:snakeyaml:1.21' } } @@ -32,6 +32,8 @@ plugins { id 'org.springframework.boot' version "1.5.14.RELEASE" } +apply plugin: 'io.spring.dependency-management' + group 'org.zalando' sourceCompatibility = 1.8 targetCompatibility = 1.8 
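Review bot: In the first hunk, `classpath "org.springframework.boot:spring-boot-gradle-plugin"` inside `buildscript` loses its version, and nothing in that block supplies one. The `io.spring.dependency-management` plugin added in the second hunk is applied to the project, so as far as I know it does not manage the build script's own classpath. Keep the coordinate pinned, `classpath "org.springframework.boot:spring-boot-gradle-plugin:$springBootVersion"`, so the plugin code that executes during the build stays a fixed, reviewable version. The `buildscript` block starts outside the hunk; `springBootVersion` is assumed to still be defined in its `ext`.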
@@ -110,21 +112,27 @@ dependencies { curatorVersion = '4.0.1' zookeeperVersion = '3.4.10' } + // Override spring-boot BOM versions + ext['json.version'] = '20180130' + ext['json-path'] = '2.4.0' + ext['jsonassert'] = '1.5.0' + ext['postgresql.version'] = '42.2.2' + ext['spring-security-oauth2.version'] = '2.3.3.RELEASE' // spring - compile("org.springframework.boot:spring-boot-starter-web:$springBootVersion") { + compile("org.springframework.boot:spring-boot-starter-web") { exclude module: 'logback-classic' exclude module: 'log4j-over-slf4j' exclude module: 'spring-boot-starter-tomcat' } - compile "org.springframework:spring-context:$springFrameworkVersion" - compile "org.springframework:spring-web:$springFrameworkVersion" - compile "org.springframework:spring-webmvc:$springFrameworkVersion" - compile "org.springframework.boot:spring-boot-test:$springBootVersion" - compile "org.springframework.boot:spring-boot-starter-jetty:$springBootVersion" + compile "org.springframework:spring-context" + compile "org.springframework:spring-web" + compile "org.springframework:spring-webmvc" + compile "org.springframework.boot:spring-boot-test" + compile "org.springframework.boot:spring-boot-starter-jetty" // oauth - compile ('org.springframework.security.oauth:spring-security-oauth2:2.3.3.RELEASE') { + compile ('org.springframework.security.oauth:spring-security-oauth2') { exclude module: 'spring-beans' exclude module: 'spring-core' exclude module: 'spring-context' 
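Review bot: Two of the override keys added at the top of this hunk, `ext['json-path']` and `ext['jsonassert']`, lack the `.version` suffix the other three use, so they most likely match no property in the Spring Boot BOM and are ignored. Combined with the explicit versions removed in the test-dependency hunk of this commit, `json-path` and `jsonassert` would then resolve to whatever the BOM manages rather than 2.4.0 and 1.5.0. The intended keys are presumably `ext['json-path.version'] = '2.4.0'` and `ext['jsonassert.version'] = '1.5.0'`. The same hunk makes `spring-security-oauth2` versionless, so its version depends on `ext['spring-security-oauth2.version']` being a key the BOM really defines. Confirm the resolved versions with `gradle dependencyInsight` before merging, because a silent downgrade of the OAuth2 library would be a security regression.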
@@ -134,17 +142,17 @@ dependencies { } // actuator - compile "org.springframework.boot:spring-boot-starter-actuator:$springBootVersion" + compile "org.springframework.boot:spring-boot-starter-actuator" compile 'org.zalando.zmon:zmon-actuator:0.9.8' // storage - compile "org.springframework.boot:spring-boot-starter-jdbc:$springBootVersion" - compile 'org.postgresql:postgresql:42.2.2' + compile "org.springframework.boot:spring-boot-starter-jdbc" + compile 'org.postgresql:postgresql' compile 'org.springframework.cloud:spring-cloud-starter-hystrix:1.4.4.RELEASE' // misc - compile 'org.apache.httpcomponents:httpclient:4.5.5' + compile 'org.apache.httpcomponents:httpclient' compile('org.zalando.stups:stups-spring-oauth2-server:1.0.21') { exclude module: "httpclient" } @@ -152,7 +160,7 @@ dependencies { compile 'org.zalando:problem:0.5.0' compile 'org.zalando:problem-spring-web:0.5.0' compile 'com.google.guava:guava:25.1-jre' - compile 'org.slf4j:slf4j-log4j12:1.7.25' + compile 'org.slf4j:slf4j-log4j12' compile "io.dropwizard.metrics:metrics-core:$dropwizardVersion" compile "com.ryantenney.metrics:metrics-spring:$dropwizardVersion" compile "io.dropwizard.metrics:metrics-servlets:$dropwizardVersion" 
@@ -175,16 +183,16 @@ dependencies { compile('com.github.everit-org.json-schema:org.everit.json.schema:1.8.0') { exclude module: "json" } - compile("com.fasterxml.jackson.datatype:jackson-datatype-json-org:$jacksonVersion") { + compile("com.fasterxml.jackson.datatype:jackson-datatype-json-org") { exclude module: "json" } - compile "com.fasterxml.jackson.core:jackson-annotations:$jacksonVersion" - compile "com.fasterxml.jackson.core:jackson-core:$jacksonVersion" - compile "com.fasterxml.jackson.core:jackson-databind:$jacksonVersion" - compile "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:$jacksonVersion" - compile "com.fasterxml.jackson.datatype:jackson-datatype-jdk8:$jacksonVersion" - compile "com.fasterxml.jackson.datatype:jackson-datatype-joda:$jacksonVersion" - compile "com.fasterxml.jackson.module:jackson-module-afterburner:$jacksonVersion" + compile "com.fasterxml.jackson.core:jackson-annotations" + compile "com.fasterxml.jackson.core:jackson-core" + compile "com.fasterxml.jackson.core:jackson-databind" + compile "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml" + compile "com.fasterxml.jackson.datatype:jackson-datatype-jdk8" + compile "com.fasterxml.jackson.datatype:jackson-datatype-joda" + compile "com.fasterxml.jackson.module:jackson-module-afterburner" compile 'org.zalando:twintip-spring-web:1.1.0' compile 'org.json:json:20180130' 
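Review bot: Dropping `$jacksonVersion` from the Jackson coordinates hands version selection to the Spring Boot BOM, and no `jackson.version` entry is added to the `ext[...]` overrides introduced earlier in this commit. PATCH 16 later removes `jacksonVersion = '2.9.6'`, so unless the BOM for this Boot line manages that same release, `jackson-databind` and its modules change version as a side effect of the refactoring. If 2.9.6 is meant to stay, add `ext['jackson.version'] = '2.9.6'` alongside the other overrides. Check the outcome with `gradle dependencyInsight --dependency jackson-databind`.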
@@ -193,17 +201,17 @@ dependencies { testCompile('junit:junit:4.12') { exclude module: "hamcrest-core" } - testCompile "org.springframework:spring-test:$springFrameworkVersion" + testCompile "org.springframework:spring-test" testCompile 'org.springframework.boot:spring-boot-test' testCompile 'org.springframework.boot:spring-boot-starter-test' - testCompile 'org.skyscreamer:jsonassert:1.5.0' + testCompile 'org.skyscreamer:jsonassert' testCompile 'uk.co.datumedge:hamcrest-json:0.2' testCompile 'org.mockito:mockito-all:1.10.19' testCompile('com.jayway.restassured:rest-assured:2.9.0') { exclude module: "hamcrest-core" exclude module: "hamcrest-library" } - testCompile 'com.jayway.jsonpath:json-path:2.4.0' + testCompile 'com.jayway.jsonpath:json-path' testRuntime 'org.pegdown:pegdown:1.6.0' } // end::dependencies[] From 86ff082bd84aadf424a0cee067cc6b20716ad89b Mon Sep 17 00:00:00 2001 From: Andrey Dyachkov Date: Wed, 15 Aug 2018 15:57:02 +0200 Subject: [PATCH 16/20] bump deps versions --- build.gradle | 15 ++++----------- gradle/wrapper/gradle-wrapper.properties | 2 +- 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/build.gradle b/build.gradle index 0f73570bbb..0a1535516a 100644 --- a/build.gradle +++ b/build.gradle @@ -2,9 +2,7 @@ import java.util.concurrent.TimeUnit buildscript { ext { - springBootVersion = '1.5.14.RELEASE' - springFrameworkVersion = '4.3.18.RELEASE' - jacksonVersion = '2.9.6' + springBootVersion = '1.5.15.RELEASE' } repositories { @@ -29,7 +27,7 @@ plugins { id 'findbugs' id 'checkstyle' id 'project-report' - id 'org.springframework.boot' version "1.5.14.RELEASE" + id 'org.springframework.boot' } apply plugin: 'io.spring.dependency-management' @@ -43,9 +41,6 @@ springBoot { layout = "ZIP" } -def dockerGroup = "aruha" -def dockerApplicationName = "nakadi" - repositories { mavenCentral() maven { url 'https://jitpack.io' } 
@@ -98,7 +93,6 @@ dependencies { ext['json-path'] = '2.4.0' ext['jsonassert'] = '1.5.0' ext['postgresql.version'] = '42.2.2' - ext['spring-security-oauth2.version'] = '2.3.3.RELEASE' // spring compile("org.springframework.boot:spring-boot-starter-web") { @@ -109,7 +103,6 @@ dependencies { compile "org.springframework:spring-context" compile "org.springframework:spring-web" compile "org.springframework:spring-webmvc" - compile "org.springframework.boot:spring-boot-test" compile "org.springframework.boot:spring-boot-starter-jetty" // oauth @@ -130,11 +123,11 @@ dependencies { compile "org.springframework.boot:spring-boot-starter-jdbc" compile 'org.postgresql:postgresql' - compile 'org.springframework.cloud:spring-cloud-starter-hystrix:1.4.4.RELEASE' + compile 'org.springframework.cloud:spring-cloud-starter-hystrix:1.4.5.RELEASE' // misc compile 'org.apache.httpcomponents:httpclient' - compile('org.zalando.stups:stups-spring-oauth2-server:1.0.21') { + compile('org.zalando.stups:stups-spring-oauth2-server:1.0.22') { exclude module: "httpclient" } compile 'org.zalando:jackson-datatype-problem:0.5.0' diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index debd024022..7dc503f149 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,5 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-4.8.1-all.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-4.9-all.zip zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists From a1abea91ace92a348c6132cb335730bd74bcbf7e Mon Sep 17 00:00:00 2001 From: Andrey Dyachkov Date: Wed, 15 Aug 2018 16:24:07 +0200 Subject: [PATCH 17/20] apply plugins --- build.gradle | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/build.gradle b/build.gradle index 0a1535516a..0be33a08e8 100644 --- a/build.gradle 
+++ b/build.gradle @@ -13,23 +13,20 @@ buildscript { } dependencies { - classpath "org.springframework.boot:spring-boot-gradle-plugin" + classpath "org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}" classpath 'org.yaml:snakeyaml:1.21' } } -plugins { - id 'java' - id 'groovy' - id 'eclipse' - id 'application' - id 'jacoco' - id 'findbugs' - id 'checkstyle' - id 'project-report' - id 'org.springframework.boot' -} - +apply plugin: 'java' +apply plugin: 'groovy' +apply plugin: 'eclipse' +apply plugin: 'application' +apply plugin: 'jacoco' +apply plugin: 'findbugs' +apply plugin: 'checkstyle' +apply plugin: 'project-report' +apply plugin: 'org.springframework.boot' apply plugin: 'io.spring.dependency-management' group 'org.zalando' @@ -106,7 +103,7 @@ dependencies { compile "org.springframework.boot:spring-boot-starter-jetty" // oauth - compile ('org.springframework.security.oauth:spring-security-oauth2') { + compile('org.springframework.security.oauth:spring-security-oauth2') { exclude module: 'spring-beans' exclude module: 'spring-core' exclude module: 'spring-context' From d74d2c64de26811ffe230809df289b4dd6acb30f Mon Sep 17 00:00:00 2001 From: Andrey Dyachkov Date: Fri, 17 Aug 2018 14:32:41 +0200 Subject: [PATCH 18/20] changed http firewall --- .../nakadi/config/SecurityConfiguration.java | 99 +++++++++++++++++++ 1 file changed, 99 insertions(+) diff --git a/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java b/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java index b57de03e68..5a568549b9 100644 --- a/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java +++ b/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java 
@@ -4,6 +4,7 @@ import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpOutputMessage; import org.springframework.http.converter.HttpMessageConverter; @@ -19,13 +20,22 @@ import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler; import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint; import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices; +import org.springframework.security.web.firewall.FirewalledRequest; +import org.springframework.security.web.firewall.HttpFirewall; +import org.springframework.security.web.firewall.RequestRejectedException; +import org.springframework.security.web.firewall.StrictHttpFirewall; import org.zalando.stups.oauth2.spring.security.expression.ExtendedOAuth2WebSecurityExpressionHandler; +import javax.servlet.http.HttpServletRequest; import javax.ws.rs.core.Response; import java.io.IOException; import java.text.MessageFormat; import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashSet; import java.util.List; +import java.util.Set; import static org.springframework.http.HttpMethod.DELETE; import static org.springframework.http.HttpMethod.GET; 
@@ -189,5 +199,94 @@ public String getDetail() { } } + // TODO: REMOVE IT AFTER EVERYONE HAS NORMALIZED THEIR URLS + @Bean + public HttpFirewall allowUrlEncodedSlashHttpFirewall() { + return new AllowForwardSlashesStrictHttpFirewall(); + } + + // TODO: REMOVE IT AFTER EVERYONE HAS NORMALIZED THEIR URLS + private static class AllowForwardSlashesStrictHttpFirewall extends StrictHttpFirewall { + + private static final String ENCODED_PERCENT = "%25"; + private static final String PERCENT = "%"; + private static final List FORBIDDEN_ENCODED_PERIOD = Collections.unmodifiableList(Arrays.asList("%2e", "%2E")); + private Set encodedUrlBlacklist = new HashSet<>(); + private Set decodedUrlBlacklist = new HashSet<>(); + + public AllowForwardSlashesStrictHttpFirewall() { + super(); + this.encodedUrlBlacklist.add(ENCODED_PERCENT); + this.encodedUrlBlacklist.addAll(FORBIDDEN_ENCODED_PERIOD); + this.decodedUrlBlacklist.add(PERCENT); + } + + private static boolean containsOnlyPrintableAsciiCharacters(String uri) { + int length = uri.length(); + for (int i = 0; i < length; i++) { + char c = uri.charAt(i); + if (c < '\u0020' || c > '\u007e') { + return false; + } + } + + return true; + } + + private static boolean encodedUrlContains(HttpServletRequest request, String value) { + if (valueContains(request.getContextPath(), value)) { + return true; + } + return valueContains(request.getRequestURI(), value); + } + + private static boolean decodedUrlContains(HttpServletRequest request, String value) { + if (valueContains(request.getServletPath(), value)) { + return true; + } + if (valueContains(request.getPathInfo(), value)) { + return true; + } + return false; + } + + private static boolean valueContains(String value, String contains) { + return value != null && value.contains(contains); + } + + @Override + public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException { + rejectedBlacklistedUrls(request); + + // ONLY THIS PART IS REMOVED, ALL 
OTHER CODE IS THE SAME AS IN StrictHttpFirewall + //if (!isNormalized(request)) { + // throw new RequestRejectedException("The request was rejected because the URL was not normalized."); + //} + + String requestUri = request.getRequestURI(); + if (!containsOnlyPrintableAsciiCharacters(requestUri)) { + throw new RequestRejectedException("The requestURI was rejected because it can only contain printable ASCII characters."); + } + return new FirewalledRequest(request) { + @Override + public void reset() { + } + }; + } + + private void rejectedBlacklistedUrls(HttpServletRequest request) { + for (String forbidden : this.encodedUrlBlacklist) { + if (encodedUrlContains(request, forbidden)) { + throw new RequestRejectedException("The request was rejected because the URL contained a potentially malicious String \"" + forbidden + "\""); + } + } + for (String forbidden : this.decodedUrlBlacklist) { + if (decodedUrlContains(request, forbidden)) { + throw new RequestRejectedException("The request was rejected because the URL contained a potentially malicious String \"" + forbidden + "\""); + } + } + } + + } } From 96fc62218ecfd0ef8b2948b116713cef32f26499 Mon Sep 17 00:00:00 2001 From: Andrey Dyachkov Date: Fri, 17 Aug 2018 14:44:25 +0200 Subject: [PATCH 19/20] removed only forward slashes check --- .../nakadi/config/SecurityConfiguration.java | 50 +++++++++++++++++-- 1 file changed, 46 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java b/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java index 5a568549b9..6ce380c535 100644 --- a/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java +++ b/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java 
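Review bot: The subclass keeps its own `encodedUrlBlacklist` and `decodedUrlBlacklist`, seeded in the constructor with only `%25`, `%2e`/`%2E` and `%`, and its `getFirewalledRequest` never calls `super`, so none of the parent's own lists or setters take part in the decision. As far as I recall, the stock `StrictHttpFirewall` also rejects semicolons, encoded slashes and backslashes, so this copy relaxes more than the single check the comment says was removed. With `isNormalized` commented out entirely, `/./` and `/../` segments are accepted as well. If only duplicate slashes need to pass, keep the other defaults by seeding both sets in the constructor, e.g. `this.encodedUrlBlacklist.addAll(Arrays.asList(";", "%3b", "%3B", "%2f", "%2F", "\\", "%5c", "%5C"));` and the same for `decodedUrlBlacklist`. The TODO would be easier to act on with a ticket reference and a removal date.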
@@ -258,10 +258,9 @@ private static boolean valueContains(String value, String contains) { public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException { rejectedBlacklistedUrls(request); - // ONLY THIS PART IS REMOVED, ALL OTHER CODE IS THE SAME AS IN StrictHttpFirewall - //if (!isNormalized(request)) { - // throw new RequestRejectedException("The request was rejected because the URL was not normalized."); - //} + if (!isNormalized(request)) { + throw new RequestRejectedException("The request was rejected because the URL was not normalized."); + } String requestUri = request.getRequestURI(); if (!containsOnlyPrintableAsciiCharacters(requestUri)) { @@ -274,6 +273,49 @@ public void reset() { }; } + private static boolean isNormalized(HttpServletRequest request) { + if (!isNormalized(request.getRequestURI())) { + return false; + } + if (!isNormalized(request.getContextPath())) { + return false; + } + if (!isNormalized(request.getServletPath())) { + return false; + } + if (!isNormalized(request.getPathInfo())) { + return false; + } + return true; + } + + private static boolean isNormalized(String path) { + if (path == null) { + return true; + } + + // ONLY THIS PART IS REMOVED, ALL OTHER CODE IS THE SAME AS IN StrictHttpFirewall + // if (path.indexOf("//") > -1) { + // return false; + // } + + for (int j = path.length(); j > 0;) { + int i = path.lastIndexOf('/', j - 1); + int gap = j - i; + + if (gap == 2 && path.charAt(i + 1) == '.') { + // ".", "/./" or "/." + return false; + } else if (gap == 3 && path.charAt(i + 1) == '.' && path.charAt(i + 2) == '.') { + return false; + } + + j = i; + } + + return true; + } + private void rejectedBlacklistedUrls(HttpServletRequest request) { for (String forbidden : this.encodedUrlBlacklist) { if (encodedUrlContains(request, forbidden)) { From 5b6ea5e8e5325a2ff08d355338d1cf00c3d43eb9 Mon Sep 17 00:00:00 2001 
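Review bot: With the `//` test commented out in `isNormalized(String)`, a path containing an empty segment now reaches the authorization rules unchanged. Whether those rules treat `//x` like `/x` depends on the matchers configured elsewhere in this class, which the hunk does not show. If the matcher and the handler mapping disagree on such a path, a protected route could be evaluated against the wrong rule. This relaxation therefore needs a test that requests each protected route with a doubled slash and asserts the same 401/403 as for the normalized form. Please also record the reason beside the disabled check, for example `// '//' tolerated temporarily for clients that send non-normalized URLs; dot segments are still rejected below`.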
From: Andrey Dyachkov Date: Mon, 20 Aug 2018 11:58:34 +0200 Subject: [PATCH 20/20] fixed checkstyle --- .../nakadi/config/SecurityConfiguration.java | 45 ++++++++++--------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java b/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java index 6ce380c535..81b10df382 100644 --- a/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java +++ b/src/main/java/org/zalando/nakadi/config/SecurityConfiguration.java @@ -210,21 +210,22 @@ private static class AllowForwardSlashesStrictHttpFirewall extends StrictHttpFir private static final String ENCODED_PERCENT = "%25"; private static final String PERCENT = "%"; - private static final List FORBIDDEN_ENCODED_PERIOD = Collections.unmodifiableList(Arrays.asList("%2e", "%2E")); + private static final List FORBIDDEN_ENCODED_PERIOD = + Collections.unmodifiableList(Arrays.asList("%2e", "%2E")); private Set encodedUrlBlacklist = new HashSet<>(); private Set decodedUrlBlacklist = new HashSet<>(); - public AllowForwardSlashesStrictHttpFirewall() { + AllowForwardSlashesStrictHttpFirewall() { super(); this.encodedUrlBlacklist.add(ENCODED_PERCENT); this.encodedUrlBlacklist.addAll(FORBIDDEN_ENCODED_PERIOD); this.decodedUrlBlacklist.add(PERCENT); } - private static boolean containsOnlyPrintableAsciiCharacters(String uri) { - int length = uri.length(); + private static boolean containsOnlyPrintableAsciiCharacters(final String uri) { + final int length = uri.length(); for (int i = 0; i < length; i++) { - char c = uri.charAt(i); + final char c = uri.charAt(i); if (c < '\u0020' || c > '\u007e') { return false; } 
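Review bot: The checkstyle pass adds `final` to parameters and locals but leaves `encodedUrlBlacklist` and `decodedUrlBlacklist` as reassignable instance fields, although the visible code only fills them in the constructor. Marking both fields `private final` would make it explicit that the firewall's rule set is fixed after construction and would match the `final` discipline applied everywhere else in this commit. The class body continues outside this hunk, so any later reassignment would need checking first.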
@@ -233,14 +234,14 @@ private static boolean containsOnlyPrintableAsciiCharacters(String uri) { return true; } - private static boolean encodedUrlContains(HttpServletRequest request, String value) { + private static boolean encodedUrlContains(final HttpServletRequest request, final String value) { if (valueContains(request.getContextPath(), value)) { return true; } return valueContains(request.getRequestURI(), value); } - private static boolean decodedUrlContains(HttpServletRequest request, String value) { + private static boolean decodedUrlContains(final HttpServletRequest request, final String value) { if (valueContains(request.getServletPath(), value)) { return true; } @@ -250,21 +251,23 @@ private static boolean decodedUrlContains(HttpServletRequest request, String val return false; } - private static boolean valueContains(String value, String contains) { + private static boolean valueContains(final String value, final String contains) { return value != null && value.contains(contains); } @Override - public FirewalledRequest getFirewalledRequest(HttpServletRequest request) throws RequestRejectedException { + public FirewalledRequest getFirewalledRequest(final HttpServletRequest request) + throws RequestRejectedException { rejectedBlacklistedUrls(request); if (!isNormalized(request)) { throw new RequestRejectedException("The request was rejected because the URL was not normalized."); } - String requestUri = request.getRequestURI(); + final String requestUri = request.getRequestURI(); if (!containsOnlyPrintableAsciiCharacters(requestUri)) { - throw new RequestRejectedException("The requestURI was rejected because it can only contain printable ASCII characters."); + throw new RequestRejectedException("The requestURI was rejected because it can only " + + "contain printable ASCII characters."); } return new FirewalledRequest(request) { @Override 
@@ -273,7 +276,7 @@ public void reset() { }; } - private static boolean isNormalized(HttpServletRequest request) { + private static boolean isNormalized(final HttpServletRequest request) { if (!isNormalized(request.getRequestURI())) { return false; } @@ -289,7 +292,7 @@ private static boolean isNormalized(HttpServletRequest request) { return true; } - private static boolean isNormalized(String path) { + private static boolean isNormalized(final String path) { if (path == null) { return true; } @@ -300,8 +303,8 @@ private static boolean isNormalized(String path) { // } for (int j = path.length(); j > 0;) { - int i = path.lastIndexOf('/', j - 1); - int gap = j - i; + final int i = path.lastIndexOf('/', j - 1); + final int gap = j - i; if (gap == 2 && path.charAt(i + 1) == '.') { // ".", "/./" or "/." @@ -316,15 +319,17 @@ private static boolean isNormalized(String path) { return true; } - private void rejectedBlacklistedUrls(HttpServletRequest request) { - for (String forbidden : this.encodedUrlBlacklist) { + private void rejectedBlacklistedUrls(final HttpServletRequest request) { + for (final String forbidden : this.encodedUrlBlacklist) { if (encodedUrlContains(request, forbidden)) { - throw new RequestRejectedException("The request was rejected because the URL contained a potentially malicious String \"" + forbidden + "\""); + throw new RequestRejectedException("The request was rejected because the URL contained " + + "a potentially malicious String \"" + forbidden + "\""); } } - for (String forbidden : this.decodedUrlBlacklist) { + for (final String forbidden : this.decodedUrlBlacklist) { if (decodedUrlContains(request, forbidden)) { - throw new RequestRejectedException("The request was rejected because the URL contained a potentially malicious String \"" + forbidden + "\""); + throw new RequestRejectedException("The request was rejected because the URL contained " + + "a potentially malicious String \"" + forbidden + "\""); } } }