b55233c213cd87d929b7fc4ef021ac7333fa587d chinhli Thu Jun 13 14:36:59 2013 -0700 Limit length of input fields to 256/254, details to 4096. Increase internal char arrays length accordingly.
diff --git src/hg/hgUserSuggestion/hgUserSuggestion.c src/hg/hgUserSuggestion/hgUserSuggestion.c
index b6f4877..395a922 100644
--- src/hg/hgUserSuggestion/hgUserSuggestion.c
+++ src/hg/hgUserSuggestion/hgUserSuggestion.c
@@ -62,31 +62,31 @@ char *mailReturnAddr()
 /* Return the return addr. to be used by outbound mail. */ { return cloneString(cfgOption(CFG_SUGGEST_MAIL_RETURN_ADDR)); } char *browserName() /* Return the browser name like 'UCSC Genome Browser' */ { return cloneString(cfgOption(CFG_SUGGEST_BROWSER_NAME)); } static char *now() /* Return a mysql-formatted time like "2008-05-19 15:33:34". */ {
-char nowBuf[256];
+char nowBuf[512];
 time_t curtime; curtime = time (NULL); struct tm *theTime = localtime(&curtime); strftime(nowBuf, sizeof nowBuf, "%Y-%m-%d %H:%M:%S", theTime); return cloneString(nowBuf); } int spc_email_isvalid(const char *address) { /* Check the format of an email address syntactically. Return 1 if * valid, else 0 */ /* Code copied from the book: "Secure Programming Cookbook for C and C++" By: John Viega; Matt Messier Publisher: O'Reilly Media, Inc. Pub. Date: July 14, 2003 
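Review bot: Growing `nowBuf` to 512 changes nothing in `now()`: the format `"%Y-%m-%d %H:%M:%S"` yields 19 characters, so 256 was already ample, while the real gap on the following context lines is that neither `localtime` nor `strftime` is checked — if `strftime` returns 0 the buffer contents are indeterminate and `cloneString(nowBuf)` copies whatever is there. I would keep the original size and fail loudly instead: `if (theTime == NULL || strftime(nowBuf, sizeof nowBuf, "%Y-%m-%d %H:%M:%S", theTime) == 0)` followed by the project's usual abort. `spc_email_isvalid` starts at the end of this hunk and continues outside it.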
@@ -139,45 +139,45 @@ void printMainForm() /* Create the main suggestion form */ { hPrintf( " <FORM ACTION=\"../cgi-bin/hgUserSuggestion?do.suggestSendMail=1\" METHOD=\"POST\" ENCTYPE=\"multipart/form-data\" NAME=\"mainForm\" onLoad=\"document.forms.mainForm.name.focus()\">\n"); hPrintf( "<H2>User Suggestion Form</H2>\n" "<P>If you have ideas about how we can improve the value of the Genome Browser to your research, " "we'd like to hear from you. Please provide a concise description below. " "A copy of the suggestion will be sent to your email address along with a reference number. " "You may follow up on the status of your request at any time by <a href=\"../contacts.html#followup\">contacting us</a> and quoting the reference number.</P>"); hPrintf("<P>Please note: this form is not the proper place to submit questions regarding browser use or bug reports. Use the links on our contact page instead.</P>"); hPrintf("<HR><BR>"); hPrintf( " <div id=\"suggest\"> \n" - " <label for=\"name\">Your Name:</label><input type=\"text\" name=\"suggestName\" id=\"name\" size=\"50\"style=\"margin-left:20px\" /><BR><BR>\n" - " <label for=\"email\">Your Email:</label><input type=\"text\" name=\"suggestEmail\" id=\"email\" size=\"50\" style=\"margin-left:70px\"/><BR><BR>\n" + " <label for=\"name\">Your Name:</label><input type=\"text\" name=\"suggestName\" id=\"name\" size=\"50\"style=\"margin-left:20px\" maxlength=\"256\"/><BR><BR>\n" + " <label for=\"email\">Your Email:</label><input type=\"text\" name=\"suggestEmail\" id=\"email\" size=\"50\" style=\"margin-left:70px\" maxlength=\"254\"/><BR><BR>\n" " <label for=\"confirmEmail\">Re-enter Your Email:</label><input type=\"text\" \n" - " name=\"suggestCfmEmail\" id=\"cfmemail\" size=\"50\" style=\"margin-left:20px\"/><BR><BR>\n"); + " name=\"suggestCfmEmail\" id=\"cfmemail\" size=\"50\" style=\"margin-left:20px\" maxlength=\"254\"/><BR><BR>\n"); hPrintf( - " <label for=\"category\">Category:</label><select name=\"suggestCategory\" 
id=\"category\" style=\"margin-left:20px\">\n" + " <label for=\"category\">Category:</label><select name=\"suggestCategory\" id=\"category\" style=\"margin-left:20px\" maxlength=\"256\">\n" " <option selected>Tracks</option> \n" " <option>Genome Assemblies</option>\n" " <option>Browser Tools</option>\n" " <option>Command-line Utilities</option>\n" " <option>Others</option>\n" " </select><BR><BR>\n"); hPrintf( - " <label for=\"summary\">Summary:</label><input type=\"text\" name=\"suggestSummary\" id=\"summary\" size=\"74\" style=\"margin-left:20px\"/><BR><BR>\n" - " <label for=\"details\">Details:</label><BR><textarea name=\"suggestDetails\" id=\"details\" cols=\"100\" rows=\"15\"></textarea><BR><BR>\n" + " <label for=\"summary\">Summary:</label><input type=\"text\" name=\"suggestSummary\" id=\"summary\" size=\"74\" style=\"margin-left:20px\" maxlength=\"256\"/><BR><BR>\n" + " <label for=\"details\">Details:</label><BR><textarea name=\"suggestDetails\" id=\"details\" cols=\"100\" rows=\"15\" maxlength=\"4096\"></textarea><BR><BR>\n" " </div>\n"); hPrintf( " <p>\n" " <label for=\"code\">Enter the following value below: <span id=\"txtCaptchaDiv\" style=\"color:#F00\"></span><BR> \n" " <input type=\"hidden\" id=\"txtCaptcha\" /></label>\n" " <input type=\"text\" name=\"txtInput\" id=\"txtInput\" size=\"30\" />\n" " </p>\n"); hPrintf( " <div class=\"formControls\">\n" " <input id=\"sendButton\" type=\"button\" value=\"Send\" onclick=\"submitform()\"/> \n" " <input type=\"reset\" name=\"suggestClear\" value=\"Clear\" class=\"largeButton\"> \n" " </div>\n" " \n" " </FORM>\n\n"); } 
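Review bot: `maxlength` is enforced only by the browser, so none of the added attributes limits what the server actually receives in `suggestName`, `suggestEmail`, `suggestSummary` or `suggestDetails`; the same limits still have to be checked where the values are read from the cart, and the form comment should say so rather than suggest the problem is solved here. On the `<select name="suggestCategory">` line `maxlength="256"` is not an attribute the select element supports and is simply ignored, so it should be dropped. The first added line also carries over the missing space in `size=\"50\"style=`, worth fixing while the line is being touched: `size=\"50\" style=\"margin-left:20px\" maxlength=\"256\"`.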
@@ -334,51 +334,51 @@ "<h2>Invalid email address format.</h2>"); hPrintf( "<p>" "The email address \"%s\" is invalid. Please correct it and " "<a href=\"javascript: history.go(-1)\">submit</a> again.</p>", invalidEmailAddr); } void sendSuggestionBack(char *sName, char *sEmail, char *sCategory, char *sSummary, char *sDetails, char *suggestID) /* send back the suggestion */ { /* parameters from hg.cong */ char *mailTo = mailToAddr(); char *mailFrom=mailFromAddr(); char *filter=filterKeyword(); -char subject[256]; -char msg[4096]; /* need to make larger */ +char subject[512]; +char msg[4608]; /* need to make larger */ safef(msg, sizeof(msg), "SuggestionID:: %s\nUserName:: %s\nUserEmail:: %s\nCategory:: %s\nSummary:: %s\n\n\nDetails::\n%s", suggestID, sName, sEmail, sCategory, sSummary, sDetails); safef(subject, sizeof(subject),"%s %s", filter, suggestID); int result; result = mailViaPipe(mailTo, subject, msg, mailFrom); } void sendConfirmMail(char *emailAddr, char *suggestID, char *summary, char *details) /* send user suggestion confirm mail */ { -char subject[256]; -char msg[4096]; +char subject[512]; +char msg[4608]; char *remoteAddr=getenv("REMOTE_ADDR"); -char brwName[256]; -char returnAddr[256]; -char signature[256]; -char userEmailAddr[256]; +char brwName[512]; +char returnAddr[512]; +char signature[512]; +char userEmailAddr[512]; safecpy(brwName,sizeof(brwName), browserName()); safecpy(returnAddr,sizeof(returnAddr), mailReturnAddr()); safecpy(signature,sizeof(signature), mailSignature()); safecpy(userEmailAddr, sizeof(userEmailAddr),emailAddr); safef(subject, sizeof(subject),"Thank you for your suggestion to the %s", brwName); safef(msg, sizeof(msg), " Someone (probably you, from IP address %s) submitted a suggestion to the %s regarding \"%s\".\n\n The suggestion has been assigned a reference number of \"%s\". If you wish to follow up on the progress of this suggestion with browser staff, you may contact us at %s. 
Please include the reference number of your suggestion in the email.\n\nThank you for your input,\n%s\n\nYour suggestion summary:\n%s\n\nYour suggestion details:\n%s", remoteAddr, brwName, summary, suggestID, returnAddr, signature, summary, details); int result; result = mailViaPipe(userEmailAddr, subject, msg, returnAddr); } void askForSuggest(char *organism, char *db) /* Put up the suggestion form. */ { @@ -390,33 +390,33 @@ } void submitSuggestion() /* send the suggestion to ,.. */ { /* parameters from hg.cong */ char *filter=filterKeyword(); /* values from cart */ char *sName=cartUsualString(cart,"suggestName",""); char *sEmail=cartUsualString(cart,"suggestEmail",""); char *sCategory=cartUsualString(cart,"suggestCategory",""); char *sSummary=cartUsualString(cart,"suggestSummary",""); char *sDetails=cartUsualString(cart,"suggestDetails",""); -char suggestID[256]; +char suggestID[512]; safef(suggestID, sizeof(suggestID),"%s %s", sEmail, now()); -char subject[256]; +char subject[512]; safef(subject, sizeof(subject),"%s %s", filter, suggestID); /* Send back suggestion only with valid user email address */ if (spc_email_isvalid(sEmail) != 0) { /* send back the suggestion */ sendSuggestionBack(sName, sEmail, sCategory, sSummary, sDetails, suggestID); /* send confirmation mail to user */ sendConfirmMail(sEmail,suggestID, sSummary, sDetails); /* display confirmation page */ printSuggestionConfirmed(sSummary, suggestID, sEmail, mailReturnAddr(), sDetails); } else { /* save all field value in cart */ printInvalidEmailAddr(sEmail); } cartRemove(cart, "do.suggestSendMail");
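Review bot: The new sizes do not match the limits this same commit introduces: with every field at its `maxlength`, `msg` in `sendSuggestionBack` receives `sDetails` (4096) plus `sName`, `sCategory`, `sSummary` (256 each), `sEmail` (254), `suggestID` (email plus timestamp) and the fixed template text — over 5000 bytes against a 4608-byte buffer — and `msg` in `sendConfirmMail` is in the same position, inserting `summary` twice and `details` once. Since `maxlength` is client-side only, the server can receive fields of any length regardless, and as far as I recall `safef`/`safecpy` in this library abort the CGI on overflow rather than truncate, so an over-long submission becomes an error page instead of a clean rejection. I would define the limits once, e.g. `enum { SUGGEST_FIELD_MAX = 256, SUGGEST_EMAIL_MAX = 254, SUGGEST_DETAILS_MAX = 4096 };`, reject a field that exceeds them in `submitSuggestion` before these functions are called, and size or allocate `msg` from those constants (or from the `strlen` of the parts) instead of a hand-picked 4608. The `suggestID[512]`/`subject[512]` bumps in the hunk at line 390 follow the same pattern, and the ignored `result` from `mailViaPipe` and the possibly NULL `remoteAddr` from `getenv` passed to `%s` on the surrounding context lines are left as they were.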