d3e16537874999b3f3788ecbb5a8ac9980eba585
chinhli
  Tue Jun 5 16:47:41 2012 -0700
Change based on code review feedback (8116) from Brian, plus restrict username length to no longer than 32 characters
diff --git src/hg/hgLogin/hgLogin.c src/hg/hgLogin/hgLogin.c
index a4710dd..fbcb487 100644
--- src/hg/hgLogin/hgLogin.c
+++ src/hg/hgLogin/hgLogin.c
@@ -234,94 +234,63 @@
             if (*c <= ' ' || *c >= 127) return 0;
             }
          if (!*c++) return 0;
          if (*c == '@') break;
          if (*c != '.') return 0;
          continue;
         }
     if (*c == '@') break;
     if (*c <= ' ' || *c >= 127) return 0;
     if (strchr(rfc822_specials, *c)) return 0;
     }
 if (c == address || *(c - 1) == '.') return 0;
 
 /* next we validate the domain portion (name@domain) */
 if (!*(domain = ++c)) return 0;
-do {
+do 
+    {
     if (*c == '.') 
         {
         if (c == domain || *(c - 1) == '.') return 0;
         count++;
         }
     if (*c <= ' ' || *c >= 127) return 0;
     if (strchr(rfc822_specials, *c)) return 0;
 } while (*++c);
 
 return (count >= 1);
 }
 
-void backToHgSession(int nSec)
-/* delay for N/10 micro seconds then go back to hgSession page */
-{
-char *hgLoginHost = wikiLinkHost();
-int delay=nSec*100;
-hPrintf("<script  language=\"JavaScript\">\n"
-    "<!-- \n"
-    "window.setTimeout(afterDelay, %d);\n"
-    "function afterDelay() {\n"
-    "window.location =\"http://%s/cgi-bin/hgSession?hgS_doMainPage=1\";\n}"
-    "\n//-->\n</script>", delay, hgLoginHost);
-}
-
-void backToDoLoginPage(int nSec)
-/* delay for N micro seconds then go back to Login page */
-{
-char *hgLoginHost = wikiLinkHost();
-int delay=nSec*1000;
-hPrintf("<script  language=\"JavaScript\">\n"
-    "<!-- \n"
-    "window.setTimeout(afterDelay, %d);\n"
-    "function afterDelay() {\n"
-    "window.location =\"http://%s/cgi-bin/hgLogin?hgLogin.do.displayLoginPage=1\";\n}"
-    "//-->\n</script>", delay, hgLoginHost);
-}
-
-boolean tokenExpired(char *dateTime)
-/* Is token expired? */
-{
-return FALSE;
-}
-
 char *getReturnToURL()
 /* get URL passed in with returnto URL */
 {
 char *returnURL = cartUsualString(cart, "returnto", "");
 char *hgLoginHost = wikiLinkHost();
-char returnTo[512];
+char returnTo[2048];
 if (!returnURL || sameString(returnURL,""))
    safef(returnTo, sizeof(returnTo),
         "http://%s/cgi-bin/hgSession?hgS_doMainPage=1", hgLoginHost);
 else
    safecpy(returnTo, sizeof(returnTo), returnURL);
 return cloneString(returnTo);
 }
 
-void returnToURL(int nSec)
-/* delay for N/10  micro seconds then return to the "returnto" URL */
+void returnToURL(int delay)
+/* delay for delay mill-seconds then return to the "returnto" URL */
 {
 char *returnURL = getReturnToURL();
-int delay=nSec*100;
+//int delay=nSec*1000;
 hPrintf(
     "<script  language=\"JavaScript\">\n"
     "<!-- "
     "\n"
     "window.setTimeout(afterDelay, %d);\n"
     "function afterDelay() {\n"
     "window.location =\"%s\";\n}"
     "\n//-->\n"
     "</script>", delay, returnURL);
 }
 
 void  displayActMailSuccess()
 /* display Activate mail success box */
 {
 char *returnURL = getReturnToURL(); 
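Review bot: `returnToURL` still prints the cart's `returnto` value straight into the script literal `window.location =\"%s\";`, and `getReturnToURL` accepts any string for it, so the only check this hunk adds is a larger buffer (`char returnTo[2048];`); a request-supplied value that is not a URL on `hgLoginHost` or a same-site relative path should fall back to the hgSession default, and whatever is accepted should be escaped for a JavaScript string before `hPrintf` emits it. The renamed parameter leaves dead code behind: `//int delay=nSec*1000;` should be deleted rather than commented out, and the header comment should read `/* delay for delay milliseconds then return to the "returnto" URL */`. If safecpy aborts on overflow as it appears to elsewhere in this codebase, the 2048-byte buffer only moves the point at which an over-long `returnto` kills the page; returning `cloneString(returnURL)` directly would remove the fixed size altogether. A minimal host check for `getReturnToURL` is sketched below.
```c
char *returnURL = cartUsualString(cart, "returnto", "");
char *hgLoginHost = wikiLinkHost();
char returnTo[2048];
char hostPrefix[512];
safef(hostPrefix, sizeof(hostPrefix), "http://%s/", hgLoginHost);
/* honor returnto only when it stays on this host or is a plain relative path */
boolean onThisHost = (strncmp(returnURL, hostPrefix, strlen(hostPrefix)) == 0);
boolean relativePath = (returnURL[0] == '/' && returnURL[1] != '/');
if (!returnURL || sameString(returnURL,"") || !(onThisHost || relativePath))
   safef(returnTo, sizeof(returnTo),
        "http://%s/cgi-bin/hgSession?hgS_doMainPage=1", hgLoginHost);
else
   safecpy(returnTo, sizeof(returnTo), returnURL);
return cloneString(returnTo);
```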
@@ -800,32 +769,31 @@
     return;
     }
 char encPwd[45] = "";
 encryptNewPwd(newPassword1, encPwd, sizeof(encPwd));
 safef(query,sizeof(query), "update gbMembers set password='%s' where userName='%s'", sqlEscapeString(encPwd), sqlEscapeString(user));
 sqlUpdate(conn, query);
 clearNewPasswordFields(conn, user);
 
 hPrintf("<h2>UCSC Genome Browser</h2>"
     "<p align=\"left\">"
     "</p>"
     "<h3>Password has been changed.</h3>");
 cartRemove(cart, "hgLogin_password");
 cartRemove(cart, "hgLogin_newPassword1");
 cartRemove(cart, "hgLogin_newPassword2");
-// backToDoLoginPage(1);
-returnToURL(1);
+returnToURL(150);
 }
 
 void signupPage(struct sqlConnection *conn)
 /* draw the signup page */
 {
 hPrintf("<div id=\"signUpBox\" class=\"centeredContainer formBox\">"
     "<h2>UCSC Genome Browser</h2>"
     "\n"
     "<p>Signing up enables you to save multiple sessions and to share your sessions with others.</p>"
     "Already have an account? <a href=\"hgLogin?hgLogin.do.displayLoginPage=1\">Login</a>.<br>"
     "\n");
 hPrintf("<h3>Sign Up</h3>"
     "<form method=\"post\" action=\"hgLogin\" name=\"mainForm\">"
     "<span style='color:red;'>%s</span>"
     "\n", errMsg ? errMsg : "");
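Review bot: `returnToURL(150);` introduces a bare magic number that this hunk and the hunks at -949, -1059 and -1145 repeat four times with no indication of its unit. Since the parameter now means milliseconds, a file-scope constant such as `#define RETURN_DELAY_MS 150` (or an enum constant), used at all four call sites, would document the unit and keep the sites in step when the delay is tuned again. The enclosing function starts before this hunk.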
@@ -853,47 +821,54 @@
     "<div class=\"inputGroup\">"
     "<label for=\"password\">Re-enter Password</label>"
     "<input type=password name=\"hgLogin_password2\" value=\"%s\" size=\"30\" id=\"passwordCheck\">"
     "\n"
     "</div>"
     "\n"
     "<div class=\"formControls\">"
     "    <input type=\"submit\" name=\"hgLogin.do.signup\" value=\"Sign Up\" class=\"largeButton\"> &nbsp; "
     "    <a href=\"%s\">Cancel</a>"
     "</div>"
     "</form>"
     "</div><!-- END - signUpBox -->",
     cartUsualString(cart, "hgLogin_password", ""), 
     cartUsualString(cart, "hgLogin_password2", ""),
     getReturnToURL());
-/**** new validate code *****/
-
 cartSaveSession(cart);
 }
 
 void signup(struct sqlConnection *conn)
 /* process the signup form */
 {
 char query[256];
 char *user = cartUsualString(cart, "hgLogin_userName", "");
 if (!user || sameString(user,""))
     {
     freez(&errMsg);
     errMsg = cloneString("User name cannot be blank.");
     signupPage(conn);
     return;
     }
+/* Make sure the escaped usrename is less than 32 characters */
+if (strlen(user) > 32)
+    {
+    freez(&errMsg);
+    errMsg = cloneString("Encoded username longer than 32 characters.");
+    signupPage(conn);
+    return;
+    }
+
 safef(query,sizeof(query), "select password from gbMembers where userName='%s'", user);
 
 char *password = sqlQuickString(conn, query);
 if (password)
     {
     freez(&errMsg);
     errMsg = cloneString("A user with this name already exists.");
     signupPage(conn);
     freez(&user);
     return;
     }
 
 char *email = cartUsualString(cart, "hgLogin_email", "");
 if (!email || sameString(email,""))
     {
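Review bot: The new check `if (strlen(user) > 32)` is immediately followed by `safef(query,sizeof(query), "select password from gbMembers where userName='%s'", user);`, which still interpolates the raw name even though the insert later in signup escapes it with `sqlEscapeString(user)`; a length cap is not an escaping step, so that line should become `safef(query,sizeof(query), "select password from gbMembers where userName='%s'", sqlEscapeString(user));`. The comment above the check says the escaped username is kept under 32 characters, but the code measures the unescaped string and admits exactly 32; if the gbMembers column is 32 wide the escaped length is the one that matters, so either measure the escaped form or reword to `/* Reject user names longer than 32 characters */`. The message `"Encoded username longer than 32 characters."` likewise describes an encoding that has not happened at this point. signup's body continues past the end of the hunk.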
@@ -949,45 +924,42 @@
     {
     freez(&errMsg);
     errMsg = cloneString("Passwords do not match.");
     signupPage(conn);
     return;
     }
 
 /* pass all the checks, OK to create the account now */
 char encPwd[45] = "";
 encryptNewPwd(password, encPwd, sizeof(encPwd));
 safef(query,sizeof(query), "insert into gbMembers set "
     "userName='%s',password='%s',email='%s', "
     "lastUse=NOW(),accountActivated='N'",
     sqlEscapeString(user),sqlEscapeString(encPwd),sqlEscapeString(email));
 sqlUpdate(conn, query);
-/********** new signup process start *******************/
 setupNewAccount(conn, email, user);
 /* send out activate code mail, and display the mail confirmation box */
-/* and comback here to contine back to URL */
 hPrintf("<h2>UCSC Genome Browser</h2>\n"
     "<p align=\"left\">\n"
     "</p>\n"
     "<h3>User %s successfully added.</h3>\n", user);
 cartRemove(cart, "hgLogin_email");
 cartRemove(cart, "hgLogin_email2");
 cartRemove(cart, "hgLogin_userName");
 cartRemove(cart, "user");
 cartRemove(cart, "token");
-//backToHgSession(1);
-returnToURL(1);
+returnToURL(150);
 }
 
 void accountHelp(struct sqlConnection *conn)
 /* email user username(s) or new password */
 {
 char query[256];
 char *email = cartUsualString(cart, "hgLogin_email", "");
 char *username = cartUsualString(cart, "hgLogin_userName", "");
 char *helpWith = cartUsualString(cart, "hgLogin_helpWith", "");
 
 /* Forgot username */
 if (sameString(helpWith,"username"))
     {
     if (sameString(email,""))
         {
@@ -1059,31 +1031,31 @@
     "<p align=\"left\">"
     "</p>"
     "<span style='color:red;'></span>"
     "\n");
 /* Set cookies */
 hPrintf("<script language=\"JavaScript\">"
     " document.write(\"Login successful, setting cookies now...\");"
     "</script>\n"
     "<script language=\"JavaScript\">"
     "document.cookie =  \"wikidb_mw1_UserName=%s; domain=ucsc.edu; expires=Thu, 31 Dec 2099, 20:47:11 UTC; path=/\"; "
     "\n"
     "document.cookie =  \"wikidb_mw1_UserID=%d; domain=ucsc.edu; expires=Thu, 31 Dec 2099, 20:47:11 UTC; path=/\";"
     " </script>"
     "\n", userName,userID);
 cartRemove(cart,"hgLogin_userName");
-returnToURL(1);
+returnToURL(150);
 }
 
 void displayLogin(struct sqlConnection *conn)
 /* display and process login info */
 {
 struct sqlResult *sr;
 char **row;
 char query[256];
 char *userName = cartUsualString(cart, "hgLogin_userName", "");
 if (sameString(userName,""))
     {
     freez(&errMsg);
     errMsg = cloneString("User name cannot be blank.");
     displayLoginPage(conn);
     return;
@@ -1145,31 +1117,31 @@
 
 void  displayLogoutSuccess()
 /* display logout success msg, and reset cookie */
 {
 hPrintf("<h2>UCSC Genome Browser Sign Out</h2>"
     "<p align=\"left\">"
     "</p>"
     "<span style='color:red;'></span>"
     "\n");
 hPrintf("<script language=\"JavaScript\">"
     "document.cookie =  \"wikidb_mw1_UserName=; domain=ucsc.edu; expires=Thu, 01-Jan-70 00:00:01 GMT; path=/\"; "
     "\n"
     "document.cookie =  \"wikidb_mw1_UserID=; domain=ucsc.edu; expires=Thu, 01-Jan-70 00:00:01 GMT; path=/\";"
     "</script>\n");
 /* return to "returnto" URL */
-returnToURL(1);
+returnToURL(150);
 }
 
 void doMiddle(struct cart *theCart)
 /* Write the middle parts of the HTML page.
  * This routine sets up some globals and then
  * dispatches to the appropriate page-maker. */
 {
 struct sqlConnection *conn = hConnectCentral();
 cart = theCart;
 
 if (cartVarExists(cart, "hgLogin.do.changePasswordPage"))
     changePasswordPage(conn);
 else if (cartVarExists(cart, "hgLogin.do.changePassword"))
     changePassword(conn);
 else if (cartVarExists(cart, "hgLogin.do.displayAccHelpPage"))