d3e16537874999b3f3788ecbb5a8ac9980eba585 chinhli Tue Jun 5 16:47:41 2012 -0700 Change based on code review feedback (8116) from Brian, plus restrict username length to 32 no longer than 32 characters
diff --git src/hg/hgLogin/hgLogin.c src/hg/hgLogin/hgLogin.c
index a4710dd..fbcb487 100644
--- src/hg/hgLogin/hgLogin.c
+++ src/hg/hgLogin/hgLogin.c
@@ -234,94 +234,63 @@ if (*c <= ' ' || *c >= 127) return 0; } if (!*c++) return 0; if (*c == '@') break; if (*c != '.') return 0; continue; } if (*c == '@') break; if (*c <= ' ' || *c >= 127) return 0; if (strchr(rfc822_specials, *c)) return 0; } if (c == address || *(c - 1) == '.') return 0; /* next we validate the domain portion (name@domain) */ if (!*(domain = ++c)) return 0; -do { +do + { if (*c == '.') { if (c == domain || *(c - 1) == '.') return 0; count++; } if (*c <= ' ' || *c >= 127) return 0; if (strchr(rfc822_specials, *c)) return 0; } while (*++c); return (count >= 1); } -void backToHgSession(int nSec) -/* delay for N/10 micro seconds then go back to hgSession page */ -{ -char *hgLoginHost = wikiLinkHost(); -int delay=nSec*100; -hPrintf("<script language=\"JavaScript\">\n" - "<!-- \n" - "window.setTimeout(afterDelay, %d);\n" - "function afterDelay() {\n" - "window.location =\"http://%s/cgi-bin/hgSession?hgS_doMainPage=1\";\n}" - "\n//-->\n</script>", delay, hgLoginHost); -} - -void backToDoLoginPage(int nSec) -/* delay for N micro seconds then go back to Login page */ -{ -char *hgLoginHost = wikiLinkHost(); -int delay=nSec*1000; -hPrintf("<script language=\"JavaScript\">\n" - "<!-- \n" - "window.setTimeout(afterDelay, %d);\n" - "function afterDelay() {\n" - "window.location =\"http://%s/cgi-bin/hgLogin?hgLogin.do.displayLoginPage=1\";\n}" - "//-->\n</script>", delay, hgLoginHost); -} - -boolean tokenExpired(char *dateTime) -/* Is token expired? 
*/ -{ -return FALSE; -} - char *getReturnToURL() /* get URL passed in with returnto URL */ { char *returnURL = cartUsualString(cart, "returnto", ""); char *hgLoginHost = wikiLinkHost(); -char returnTo[512]; +char returnTo[2048]; if (!returnURL || sameString(returnURL,"")) safef(returnTo, sizeof(returnTo), "http://%s/cgi-bin/hgSession?hgS_doMainPage=1", hgLoginHost); else safecpy(returnTo, sizeof(returnTo), returnURL); return cloneString(returnTo); } -void returnToURL(int nSec) -/* delay for N/10 micro seconds then return to the "returnto" URL */ +void returnToURL(int delay) +/* delay for delay mill-seconds then return to the "returnto" URL */ { char *returnURL = getReturnToURL(); -int delay=nSec*100; +//int delay=nSec*1000; hPrintf( "<script language=\"JavaScript\">\n" "<!-- " "\n" "window.setTimeout(afterDelay, %d);\n" "function afterDelay() {\n" "window.location =\"%s\";\n}" "\n//-->\n" "</script>", delay, returnURL); } void displayActMailSuccess() /* display Activate mail success box */ { char *returnURL = getReturnToURL(); 
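Review bot: The `returnto` value that getReturnToURL() copies into the enlarged `returnTo[2048]` buffer is read straight from the cart and is still written by returnToURL() into a JavaScript string through the `window.location =\"%s\"` format with no escaping and no check of where it points, so widening the buffer only admits more unvalidated data. Before that hPrintf the value should be required to be an absolute http(s) URL on this site's host (the default built from wikiLinkHost() already is) with any quote or backslash escaped, falling back to the default hgSession URL otherwise; whether safecpy() aborts or truncates on an over-long value is not visible in this hunk. The dead line `//int delay=nSec*1000;` should be dropped now that `delay` is the parameter, and the header comment reads better as `/* delay for delay milliseconds then return to the "returnto" URL */`.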
@@ -800,32 +769,31 @@ return; } char encPwd[45] = ""; encryptNewPwd(newPassword1, encPwd, sizeof(encPwd)); safef(query,sizeof(query), "update gbMembers set password='%s' where userName='%s'", sqlEscapeString(encPwd), sqlEscapeString(user)); sqlUpdate(conn, query); clearNewPasswordFields(conn, user); hPrintf("<h2>UCSC Genome Browser</h2>" "<p align=\"left\">" "</p>" "<h3>Password has been changed.</h3>"); cartRemove(cart, "hgLogin_password"); cartRemove(cart, "hgLogin_newPassword1"); cartRemove(cart, "hgLogin_newPassword2"); -// backToDoLoginPage(1); -returnToURL(1); +returnToURL(150); } void signupPage(struct sqlConnection *conn) /* draw the signup page */ { hPrintf("<div id=\"signUpBox\" class=\"centeredContainer formBox\">" "<h2>UCSC Genome Browser</h2>" "\n" "<p>Signing up enables you to save multiple sessions and to share your sessions with others.</p>" "Already have an account? <a href=\"hgLogin?hgLogin.do.displayLoginPage=1\">Login</a>.<br>" "\n"); hPrintf("<h3>Sign Up</h3>" "<form method=\"post\" action=\"hgLogin\" name=\"mainForm\">" "<span style='color:red;'>%s</span>" "\n", errMsg ? errMsg : ""); 
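Review bot: `returnToURL(150)` introduces a bare magic number whose unit (milliseconds) is only discoverable from returnToURL()'s comment, and the same literal is repeated in the hunks at `@@ -949`, `@@ -1059` and `@@ -1145`. A single named constant next to returnToURL(), e.g. `#define RETURN_TO_DELAY_MS 150`, used at all four call sites would document the unit and keep the delays in step if the value is tuned again. The enclosing function (apparently the password-change handler) begins before this hunk.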
@@ -853,47 +821,54 @@ "<div class=\"inputGroup\">" "<label for=\"password\">Re-enter Password</label>" "<input type=password name=\"hgLogin_password2\" value=\"%s\" size=\"30\" id=\"passwordCheck\">" "\n" "</div>" "\n" "<div class=\"formControls\">" " <input type=\"submit\" name=\"hgLogin.do.signup\" value=\"Sign Up\" class=\"largeButton\"> " " <a href=\"%s\">Cancel</a>" "</div>" "</form>" "</div><!-- END - signUpBox -->", cartUsualString(cart, "hgLogin_password", ""), cartUsualString(cart, "hgLogin_password2", ""), getReturnToURL()); -/**** new validate code *****/ - cartSaveSession(cart); } void signup(struct sqlConnection *conn) /* process the signup form */ { char query[256]; char *user = cartUsualString(cart, "hgLogin_userName", ""); if (!user || sameString(user,"")) { freez(&errMsg); errMsg = cloneString("User name cannot be blank."); signupPage(conn); return; } +/* Make sure the escaped usrename is less than 32 characters */ +if (strlen(user) > 32) + { + freez(&errMsg); + errMsg = cloneString("Encoded username longer than 32 characters."); + signupPage(conn); + return; + } + safef(query,sizeof(query), "select password from gbMembers where userName='%s'", user); char *password = sqlQuickString(conn, query); if (password) { freez(&errMsg); errMsg = cloneString("A user with this name already exists."); signupPage(conn); freez(&user); return; } char *email = cartUsualString(cart, "hgLogin_email", ""); if (!email || sameString(email,"")) { 
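Review bot: The new length guard in signup() does not match its own comment `/* Make sure the escaped usrename is less than 32 characters */`: `user` is not escaped at that point, a 32-character name passes (`> 32`), `strlen` counts bytes rather than characters, and "usrename" is a typo; `/* Reject user names longer than 32 bytes */` states what is actually tested, and the error text `"Encoded username longer than 32 characters."` likewise says "Encoded" for a check on the plain value, so `"User name cannot be longer than 32 characters."` would be accurate. The guard also checks only length: the `select password from gbMembers where userName='%s'` query immediately below still interpolates the raw `user`, while the insert later in this same function wraps it in sqlEscapeString(), so the lookup should use `sqlEscapeString(user)` as well. Whether 32 is a column limit in gbMembers is not visible here and is worth confirming before relying on this check.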
@@ -949,45 +924,42 @@ { freez(&errMsg); errMsg = cloneString("Passwords do not match."); signupPage(conn); return; } /* pass all the checks, OK to create the account now */ char encPwd[45] = ""; encryptNewPwd(password, encPwd, sizeof(encPwd)); safef(query,sizeof(query), "insert into gbMembers set " "userName='%s',password='%s',email='%s', " "lastUse=NOW(),accountActivated='N'", sqlEscapeString(user),sqlEscapeString(encPwd),sqlEscapeString(email)); sqlUpdate(conn, query); -/********** new signup process start *******************/ setupNewAccount(conn, email, user); /* send out activate code mail, and display the mail confirmation box */ -/* and comback here to contine back to URL */ hPrintf("<h2>UCSC Genome Browser</h2>\n" "<p align=\"left\">\n" "</p>\n" "<h3>User %s successfully added.</h3>\n", user); cartRemove(cart, "hgLogin_email"); cartRemove(cart, "hgLogin_email2"); cartRemove(cart, "hgLogin_userName"); cartRemove(cart, "user"); cartRemove(cart, "token"); -//backToHgSession(1); -returnToURL(1); +returnToURL(150); } void accountHelp(struct sqlConnection *conn) /* email user username(s) or new password */ { char query[256]; char *email = cartUsualString(cart, "hgLogin_email", ""); char *username = cartUsualString(cart, "hgLogin_userName", ""); char *helpWith = cartUsualString(cart, "hgLogin_helpWith", ""); /* Forgot username */ if (sameString(helpWith,"username")) { if (sameString(email,"")) { 
@@ -1059,31 +1031,31 @@ "<p align=\"left\">" "</p>" "<span style='color:red;'></span>" "\n"); /* Set cookies */ hPrintf("<script language=\"JavaScript\">" " document.write(\"Login successful, setting cookies now...\");" "</script>\n" "<script language=\"JavaScript\">" "document.cookie = \"wikidb_mw1_UserName=%s; domain=ucsc.edu; expires=Thu, 31 Dec 2099, 20:47:11 UTC; path=/\"; " "\n" "document.cookie = \"wikidb_mw1_UserID=%d; domain=ucsc.edu; expires=Thu, 31 Dec 2099, 20:47:11 UTC; path=/\";" " </script>" "\n", userName,userID); cartRemove(cart,"hgLogin_userName"); -returnToURL(1); +returnToURL(150); } void displayLogin(struct sqlConnection *conn) /* display and process login info */ { struct sqlResult *sr; char **row; char query[256]; char *userName = cartUsualString(cart, "hgLogin_userName", ""); if (sameString(userName,"")) { freez(&errMsg); errMsg = cloneString("User name cannot be blank."); displayLoginPage(conn); return; @@ -1145,31 +1117,31 @@ void displayLogoutSuccess() /* display logout success msg, and reset cookie */ { hPrintf("<h2>UCSC Genome Browser Sign Out</h2>" "<p align=\"left\">" "</p>" "<span style='color:red;'></span>" "\n"); hPrintf("<script language=\"JavaScript\">" "document.cookie = \"wikidb_mw1_UserName=; domain=ucsc.edu; expires=Thu, 01-Jan-70 00:00:01 GMT; path=/\"; " "\n" "document.cookie = \"wikidb_mw1_UserID=; domain=ucsc.edu; expires=Thu, 01-Jan-70 00:00:01 GMT; path=/\";" "</script>\n"); /* return to "returnto" URL */ -returnToURL(1); +returnToURL(150); } void doMiddle(struct cart *theCart) /* Write the middle parts of the HTML page. * This routine sets up some globals and then * dispatches to the appropriate page-maker. */ { struct sqlConnection *conn = hConnectCentral(); cart = theCart; if (cartVarExists(cart, "hgLogin.do.changePasswordPage")) changePasswordPage(conn); else if (cartVarExists(cart, "hgLogin.do.changePassword")) changePassword(conn); else if (cartVarExists(cart, "hgLogin.do.displayAccHelpPage"))