0aeff60fc05530d3afddec03f650f9d6c8909458 chinhli Fri Jun 15 13:32:26 2012 -0700 Soft code the domain value in cookies, use central.domain or domain in returnTo URL. diff --git src/hg/hgLogin/hgLogin.c src/hg/hgLogin/hgLogin.c index 2bd7cc7..f01d318 100644 --- src/hg/hgLogin/hgLogin.c +++ src/hg/hgLogin/hgLogin.c @@ -22,31 +22,44 @@ #include "gbMembers.h" #include "versionInfo.h" /* ---- Global variables. ---- */ char msg[4096] = ""; /* The excludeVars are not saved to the cart. */ char *excludeVars[] = { "submit", "Submit", "debug", "fixMembers", "update", "hgLogin_password", "hgLogin_password2", "hgLogin_newPassword1", "hgLogin_newPassword2", NULL }; struct cart *cart; /* This holds cgi and other variables between clicks. */ char *database; /* Name of genome database - hg15, mm3, or the like. */ struct hash *oldCart; /* Old cart hash. */ char *errMsg; /* Error message to show user when form data rejected */ char signature[256]="\nUCSC Genome Browser\nhttp://www.genome.ucsc.edu "; -/* -------- password functions depend on optionally installed openssl lib ---- */ +/* ---- Global helper functions ---- */ +char *mailSignature() +/* Return the signature to be used by outbound mail or NULL. Allocd here. */ +{ +return cloneString(cfgOption(CFG_LOGIN_SIGNATURE)); +} + +char *mailReturnAddr() +/* Return the return addr. to be used by outbound mail or NULL. Allocd here. */ +{ +return cloneString(cfgOption(CFG_LOGIN_RETURN_ADDR)); +} + +/* ---- password functions depend on optionally installed openssl lib ---- */ #ifdef USE_SSL #include <openssl/md5.h> void cryptWikiWay(char *password, char *salt, char* result) /* encrypt password in mediawiki format - ':B:'.$salt.':'. md5($salt.'-'.md5($password ) */ { int i; unsigned char result1[MD5_DIGEST_LENGTH]; unsigned char result2[MD5_DIGEST_LENGTH]; char firstMD5[MD5_DIGEST_LENGTH*2 + 1]; char secondMD5[MD5_DIGEST_LENGTH*2 + 1]; i = MD5_DIGEST_LENGTH; MD5((unsigned char *)password, strlen(password), result1); @@ -1011,50 +1024,69 @@ return; } boolean usingNewPassword(struct sqlConnection *conn, char *userName) /* The user is using requested new password */ { char query[256]; safef(query,sizeof(query), "select passwordChangeRequired from gbMembers where userName='%s'", userName); char *change = sqlQuickString(conn, query); if (change && sameString(change, "Y")) return TRUE; else return FALSE; } +char *cookieDomainName() +/* Return the domain name to be used by the cookies or NULL. Allocd + * here. */ +/* Return central.domain if the returnToURL is also in the same domain + * */ +/* else return the domain in returnTo URL generated by (remote) + * hgSession.*/ +{ +char *centralDomain=cloneString(cfgOption(CFG_CENTRAL_DOMAIN)); +char *returnURL = getReturnToURL(); +char returnToDomain[256]; +sscanf(returnURL, "http://%[^/]", returnToDomain); +if (endsWith(returnToDomain,centralDomain)) + return centralDomain; +else + return returnToDomain; +} + void displayLoginSuccess(char *userName, int userID) /* display login success msg, and set cookie */ { hPrintf("<h2>UCSC Genome Browser</h2>" "<p align=\"left\">" "</p>" "<span style='color:red;'></span>" "\n"); /* Set cookies */ +char *domainName=cookieDomainName(); hPrintf("<script language=\"JavaScript\">" " document.write(\"Login successful, setting cookies now...\");" "</script>\n" "<script language=\"JavaScript\">" - "document.cookie = \"wikidb_mw1_UserName=%s; domain=ucsc.edu; expires=Thu, 31 Dec 2099, 20:47:11 UTC; path=/\"; " + "document.cookie = \"wikidb_mw1_UserName=%s; domain=%s; expires=Thu, 31 Dec 2099, 20:47:11 UTC; path=/\"; " "\n" - "document.cookie = \"wikidb_mw1_UserID=%d; domain=ucsc.edu; expires=Thu, 31 Dec 2099, 20:47:11 UTC; path=/\";" + "document.cookie = \"wikidb_mw1_UserID=%d; domain=%s; expires=Thu, 31 Dec 2099, 20:47:11 UTC; path=/\";" " </script>" - "\n", userName,userID); + "\n", userName, domainName, userID, domainName); cartRemove(cart,"hgLogin_userName"); -returnToURL(150); +returnToURL(15); } void displayLogin(struct sqlConnection *conn) /* display and process login info */ { struct sqlResult *sr; char **row; char query[256]; char *userName = cartUsualString(cart, "hgLogin_userName", ""); if (sameString(userName,"")) { freez(&errMsg); errMsg = cloneString("User name cannot be blank."); displayLoginPage(conn); return; @@ -1110,35 +1142,36 @@ errMsg = cloneString("Invalid user name or password."); displayLoginPage(conn); return; } gbMembersFree(&m); } void displayLogoutSuccess() /* display logout success msg, and reset cookie */ { hPrintf("<h2>UCSC Genome Browser Sign Out</h2>" "<p align=\"left\">" "</p>" "<span style='color:red;'></span>" "\n"); +char *domainName=cookieDomainName(); hPrintf("<script language=\"JavaScript\">" - "document.cookie = \"wikidb_mw1_UserName=; domain=ucsc.edu; expires=Thu, 01-Jan-70 00:00:01 GMT; path=/\"; " + "document.cookie = \"wikidb_mw1_UserName=; domain=%s; expires=Thu, 01-Jan-70 00:00:01 GMT; path=/\"; " "\n" - "document.cookie = \"wikidb_mw1_UserID=; domain=ucsc.edu; expires=Thu, 01-Jan-70 00:00:01 GMT; path=/\";" - "</script>\n"); + "document.cookie = \"wikidb_mw1_UserID=; domain=%s; expires=Thu, 01-Jan-70 00:00:01 GMT; path=/\";" + "</script>\n", domainName, domainName); /* return to "returnto" URL */ returnToURL(150); } void doMiddle(struct cart *theCart) /* Write the middle parts of the HTML page. * This routine sets up some globals and then * dispatches to the appropriate page-maker. */ { struct sqlConnection *conn = hConnectCentral(); cart = theCart; if (cartVarExists(cart, "hgLogin.do.changePasswordPage")) changePasswordPage(conn); else if (cartVarExists(cart, "hgLogin.do.changePassword"))