080a160c7b9595d516c9c70e83689a09b60839d0
galt
  Mon Jun 3 12:16:53 2013 -0700
fix SQL Injection
diff --git src/hg/lib/hui.c src/hg/lib/hui.c
index d1c6714..d3966cb 100644
--- src/hg/lib/hui.c
+++ src/hg/lib/hui.c
@@ -3474,47 +3474,47 @@
         if (filterBy->slChoices != NULL)
             slNameFreeList(filterBy->slChoices);
         if (filterBy->htmlName != NULL)
             freeMem(filterBy->htmlName);
         freeMem(filterBy->column);
         freeMem(filterBy);
         }
     }
 }
 
 static char *filterByClauseStd(filterBy_t *filterBy)
 // returns the SQL where clause for a single filterBy struct in the standard cases
 {
 int count = slCount(filterBy->slChoices);
 struct dyString *dyClause = newDyString(256);
-dyStringAppend(dyClause, filterBy->column);
+dyStringAppend(dyClause, sqlCkId(filterBy->column));
 if (count == 1)
     dyStringPrintf(dyClause, " = ");
 else
     dyStringPrintf(dyClause, " in (");
 
 struct slName *slChoice = NULL;
 boolean first = TRUE;
 for (slChoice = filterBy->slChoices;slChoice != NULL;slChoice=slChoice->next)
     {
     if (!first)
         dyStringAppend(dyClause, ",");
     first = FALSE;
     if (filterBy->useIndex)
-        dyStringAppend(dyClause, slChoice->name);
+        dyStringAppend(dyClause, slChoice->name); // a number converted to a string
     else
-        dyStringPrintf(dyClause, "\"%s\"",slChoice->name);
+        sqlDyStringPrintf(dyClause, "\"%s\"",slChoice->name);
     }
 if (dyStringLen(dyClause) == 0)
     {
     dyStringFree(&dyClause);
     return NULL;
     }
 if (count > 1)
     dyStringPrintf(dyClause, ")");
 
 return dyStringCannibalize(&dyClause);
 }
 
 char *filterByClause(filterBy_t *filterBy)
 // returns the SQL where clause for a single filterBy struct
 {
@@ -4601,88 +4601,88 @@
 if (parentLevel)
     {
     assert(tdb->parent != NULL);
     char *aggregate = trackDbSetting(tdb->parent, "aggregate");
     if (aggregate != NULL && parentLevel)
         {
         char *aggregateVal = cartOrTdbString(cart, tdb->parent, "aggregate", NULL);
         printf("<TR valign=center><th align=right>Overlay method:</th><td align=left>");
         safef(option, sizeof(option), "%s.%s", name, AGGREGATE);
         aggregateDropDown(option, aggregateVal);
         puts("</td></TR>");
         }
     }
 
 printf("<TR valign=center><th align=right>Type of graph:</th><td align=left>");
-snprintf( option, sizeof(option), "%s.%s", name, LINEBAR );
+safef( option, sizeof(option), "%s.%s", name, LINEBAR );
 wiggleGraphDropDown(option, lineBar);
 if (boxed)
     {
     printf("</td><td align=right colspan=2>");
     printf("<A HREF=\"%s\" TARGET=_blank>Graph configuration help</A>",WIGGLE_HELP_PAGE);
     }
 puts("</td></TR>");
 
 printf("<TR valign=center><th align=right>Track height:</th><td align=left colspan=3>");
-snprintf(option, sizeof(option), "%s.%s", name, HEIGHTPER );
+safef(option, sizeof(option), "%s.%s", name, HEIGHTPER );
 cgiMakeIntVarWithLimits(option, defaultHeight, "Track height",0, minHeightPixels, maxHeightPixels);
 printf("pixels&nbsp;(range: %d to %d)",
        minHeightPixels, maxHeightPixels);
 puts("</TD></TR>");
 
 printf("<TR valign=center><th align=right>Vertical viewing range:</th>"
        "<td align=left>&nbsp;min:&nbsp;");
-snprintf(option, sizeof(option), "%s.%s", name, MIN_Y );
+safef(option, sizeof(option), "%s.%s", name, MIN_Y );
 cgiMakeDoubleVarWithLimits(option, minY, "Range min", 0, NO_VALUE, NO_VALUE);
 printf("</td><td align=leftv colspan=2>max:&nbsp;");
-snprintf(option, sizeof(option), "%s.%s", name, MAX_Y );
+safef(option, sizeof(option), "%s.%s", name, MAX_Y );
 cgiMakeDoubleVarWithLimits(option, maxY, "Range max", 0, NO_VALUE, NO_VALUE);
 printf("&nbsp;(range: %g to %g)",
        tDbMinY, tDbMaxY);
 puts("</TD></TR>");
 
 printf("<TR valign=center><th align=right>Data view scaling:</th><td align=left colspan=3>");
-snprintf(option, sizeof(option), "%s.%s", name, AUTOSCALE );
+safef(option, sizeof(option), "%s.%s", name, AUTOSCALE );
 wiggleScaleDropDown(option, autoScale);
-snprintf(option, sizeof(option), "%s.%s", name, ALWAYSZERO);
+safef(option, sizeof(option), "%s.%s", name, ALWAYSZERO);
 printf("Always include zero:&nbsp");
 wiggleAlwaysZeroDropDown(option, alwaysZero);
 puts("</TD></TR>");
 
 printf("<TR valign=center><th align=right>Transform function:</th><td align=left>");
-snprintf(option, sizeof(option), "%s.%s", name, TRANSFORMFUNC);
+safef(option, sizeof(option), "%s.%s", name, TRANSFORMFUNC);
 printf("Transform data points by:&nbsp");
 wiggleTransformFuncDropDown(option, transformFunc);
 
 printf("<TR valign=center><th align=right>Windowing function:</th><td align=left>");
-snprintf(option, sizeof(option), "%s.%s", name, WINDOWINGFUNCTION );
+safef(option, sizeof(option), "%s.%s", name, WINDOWINGFUNCTION );
 wiggleWindowingDropDown(option, windowingFunction);
 
 printf("<th align=right>Smoothing window:</th><td align=left>");
-snprintf(option, sizeof(option), "%s.%s", name, SMOOTHINGWINDOW );
+safef(option, sizeof(option), "%s.%s", name, SMOOTHINGWINDOW );
 wiggleSmoothingDropDown(option, smoothingWindow);
 puts("&nbsp;pixels</TD></TR>");
 
 printf("<TR valign=center><td align=right><b>Draw y indicator lines:</b>"
        "<td align=left colspan=2>");
 printf("at y = 0.0:");
-snprintf(option, sizeof(option), "%s.%s", name, HORIZGRID );
+safef(option, sizeof(option), "%s.%s", name, HORIZGRID );
 wiggleGridDropDown(option, horizontalGrid);
 printf("&nbsp;&nbsp;&nbsp;at y =");
-snprintf(option, sizeof(option), "%s.%s", name, YLINEMARK );
+safef(option, sizeof(option), "%s.%s", name, YLINEMARK );
 cgiMakeDoubleVarWithLimits(option, yLineMark, "Indicator at Y", 0, tDbMinY, tDbMaxY);
-snprintf(option, sizeof(option), "%s.%s", name, YLINEONOFF );
+safef(option, sizeof(option), "%s.%s", name, YLINEONOFF );
 wiggleYLineMarkDropDown(option, yLineMarkOnOff);
 printf("</td>");
 if (boxed)
     puts("</TD></TR></TABLE>");
 else
     {
     puts("</TD></TR></TABLE>");
     printf("<A HREF=\"%s\" TARGET=_blank>Graph configuration help</A>",WIGGLE_HELP_PAGE);
     }
 
 cfgEndBox(boxed);
 }
 
 
 void filterButtons(char *filterTypeVar, char *filterTypeVal, boolean none)
@@ -5258,41 +5258,41 @@
 boolean glvlScoreMin = (trackDbSettingClosestToHome(tdb, GRAY_LEVEL_SCORE_MIN) != NULL);
 if (! (scoreFilterOk || glvlScoreMin))
     return;
 boxed = cfgBeginBoxAndTitle(tdb, boxed, title);
 
 if (scoreFilterOk)
     {
     int minLimit=0,maxLimit=maxScore,minVal=0,maxVal=maxScore;
     getScoreIntRangeFromCart(cart,tdb,parentLevel,SCORE_FILTER,&minLimit,&maxLimit,
                                                                &minVal,  &maxVal);
 
     boolean filterByRange = trackDbSettingClosestToHomeOn(tdb, SCORE_FILTER _BY_RANGE);
     if (!bigBed && filterByRange)
         {
         puts("<B>Filter score range:  min:</B>");
-        snprintf(option, sizeof(option), "%s.%s", name,SCORE_FILTER _MIN);
+        safef(option, sizeof(option), "%s.%s", name,SCORE_FILTER _MIN);
         cgiMakeIntVarWithLimits(option, minVal, "Minimum score",0, minLimit,maxLimit);
         puts("<B>max:</B>");
-        snprintf(option, sizeof(option), "%s.%s", name,SCORE_FILTER _MAX);
+        safef(option, sizeof(option), "%s.%s", name,SCORE_FILTER _MAX);
         cgiMakeIntVarWithLimits(option, maxVal, "Maximum score",0,minLimit,maxLimit);
         printf("(%d to %d)\n",minLimit,maxLimit);
         }
     else
         {
         printf("<b>Show only items with score at or above:</b> ");
-        snprintf(option, sizeof(option), "%s.%s", name,SCORE_FILTER);
+        safef(option, sizeof(option), "%s.%s", name,SCORE_FILTER);
         cgiMakeIntVarWithLimits(option, minVal, "Minimum score",0, minLimit,maxLimit);
         printf("&nbsp;&nbsp;(range: %d to %d)\n", minLimit, maxLimit);
         if (!boxed)
             printf("<BR>\n");
         }
     if (glvlScoreMin)
         printf("<BR>");
     }
 
 if (glvlScoreMin)
     scoreGrayLevelCfgUi(cart, tdb, name, maxScore);
 
 if (!bigBed)
     {
     // filter top-scoring N items in track
@@ -5322,47 +5322,47 @@
         else
             printf("&nbsp; (range: 1 to 100,000)\n");
         }
     }
 cfgEndBox(boxed);
 }
 
 // Moved from hgTrackUi for consistency
 static void filterByChromCfgUi(struct cart *cart, struct trackDb *tdb)
 {
 char *filterSetting;
 char filterVar[256];
 char *filterVal = "";
 
 printf("<p><b>Filter by chromosome (e.g. chr10):</b> ");
-snprintf(filterVar, sizeof(filterVar), "%s.chromFilter", tdb->track);
+safef(filterVar, sizeof(filterVar), "%s.chromFilter", tdb->track);
 filterSetting = cartUsualString(cart, filterVar, filterVal);
 cgiMakeTextVar(filterVar, cartUsualString(cart, filterVar, ""), 15);
 }
 
 // Moved from hgTrackUi for consistency
 void crossSpeciesCfgUi(struct cart *cart, struct trackDb *tdb)
 // Put up UI for selecting rainbow chromosome color or intensity score.
 {
 char colorVar[256];
 char *colorSetting;
 // initial value of chromosome coloring option is "on", unless
 // overridden by the colorChromDefault setting in the track
 char *colorDefault = trackDbSettingOrDefault(tdb, "colorChromDefault", "on");
 
 printf("<p><b>Color track based on chromosome:</b> ");
-snprintf(colorVar, sizeof(colorVar), "%s.color", tdb->track);
+safef(colorVar, sizeof(colorVar), "%s.color", tdb->track);
 colorSetting = cartUsualString(cart, colorVar, colorDefault);
 cgiMakeRadioButton(colorVar, "on", sameString(colorSetting, "on"));
 printf(" on ");
 cgiMakeRadioButton(colorVar, "off", sameString(colorSetting, "off"));
 printf(" off ");
 printf("<br><br>");
 filterByChromCfgUi(cart,tdb);
 }
 
 void pslCfgUi(char *db, struct cart *cart, struct trackDb *tdb, char *name, char *title,
               boolean boxed)
 /* Put up UI for psl tracks */
 {
 boxed = cfgBeginBoxAndTitle(tdb, boxed, title);
 
@@ -6031,31 +6031,31 @@
         safef(option, sizeof(option), "%s.%s", name, wmSpecies->name);
         label = hOrganism(wmSpecies->name);
         if (label == NULL)
             label = wmSpecies->name;
         strcpy(trackName, tdb->track);
 
         /* try AaMaf first */
         chp = strstr(trackName, "AaMaf");
         /* if it is not a AaMaf track, try Maf next */
         if (chp == NULL) chp = strstr(trackName, "Maf");
 
         /* test if the entry actually is part of the specific maf track data */
         if (chp != NULL)
             {
             *chp = '\0';
-            safef(query, sizeof(query),
+            sqlSafef(query, sizeof(query),
                   "select id from %sMsa where id = 'ss.%s'", trackName, label);
 
             conn = hAllocConn(db);
             sr = sqlGetResult(conn, query);
             row = sqlNextRow(sr);
 
             /* offer it only if the entry is found in current maf data set */
             if (row != NULL)
                 {
                 puts("<TD>");
                 cgiMakeCheckBoxWithId(option,cartUsualBooleanClosestToHome(
                                           cart, tdb, parentLevel,wmSpecies->name, checked),id);
                 printf("%s", label);
                 puts("</TD>");
                 fflush(stdout);
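Review bot: In the new `sqlSafef(query, sizeof(query), "select id from %sMsa where id = 'ss.%s'", trackName, label);` only the second %s is inside quotes, where escaping applies; the first is a table-name prefix in identifier position, and quote-escaping cannot make an identifier safe, so this query is only protected if sqlSafef validates unquoted %s arguments against an identifier character set (it appears to in this library, but that behaviour is not visible here and should be confirmed). Two lines above, the unchanged `strcpy(trackName, tdb->track);` copies into a fixed buffer declared outside the hunk with no bound; since this commit already converts snprintf calls to safef elsewhere, the consistent change is `safecpy(trackName, sizeof(trackName), tdb->track);` (or whichever bounded copy helper the library provides). The enclosing function starts and ends outside this hunk.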
@@ -6208,35 +6208,35 @@
         char *currentCodonMode = cartCgiUsualString(cart, option, MAF_FRAME_GENE);
 
         /* Disable codon highlighting */
         cgiMakeRadioButton(option, MAF_FRAME_NONE,
                            sameString(MAF_FRAME_NONE, currentCodonMode));
         puts("None &nbsp;");
 
         /* Use gene pred */
         cgiMakeRadioButton(option, MAF_FRAME_GENE,
                            sameString(MAF_FRAME_GENE, currentCodonMode));
         puts("CDS-annotated frame based on");
         safef(option, sizeof(option), "%s.%s", name, MAF_GENEPRED_VAR);
         genePredDropDown(cart, makeTrackHash(db, chromosome), NULL, option);
 
 #else
-        snprintf(option, sizeof(option), "%s.%s", name, BASE_COLORS_VAR);
+        safef(option, sizeof(option), "%s.%s", name, BASE_COLORS_VAR);
         puts("&nbsp; Alternate colors every");
         cgiMakeIntVar(option, cartCgiUsualInt(cart, option, 0), 1);
         puts("bases<BR>");
-        snprintf(option, sizeof(option), "%s.%s", name,
+        safef(option, sizeof(option), "%s.%s", name,
 			    BASE_COLORS_OFFSET_VAR);
         puts("&nbsp; Offset alternate colors by");
         cgiMakeIntVar(option, cartCgiUsualInt(cart, option, 0), 1);
         puts("bases<BR>");
 #endif
 	}
     }
 
 treeImage = trackDbSetting(tdb, "treeImage");
 if (treeImage)
     printf("</TD><TD VALIGN=\"TOP\"><IMG SRC=\"../images/%s\"></TD></TR></TABLE>", treeImage);
 else
     puts("</TD></TR></TABLE>");
 
 if (trackDbSetting(tdb, CONS_WIGGLE) != NULL)
@@ -7635,31 +7635,31 @@
 /*      check if normScore column is specified in trackDb as available */
 {
 boolean normScoreAvailable = FALSE;
 char * normScoreTest =
      trackDbSettingClosestToHomeOrDefault(tdb, "chainNormScoreAvailable", "no");
 if (differentWord(normScoreTest, "no"))
         normScoreAvailable = TRUE;
 
 return normScoreAvailable;
 }
 
 void hPrintAbbreviationTable(struct sqlConnection *conn, char *sourceTable, char *label)
 /* Print out table of abbreviations. */
 {
 char query[256];
-safef(query, sizeof(query), "select name,description from %s order by name", sourceTable);
+sqlSafef(query, sizeof(query), "select name,description from %s order by name", sourceTable);
 struct sqlResult *sr = sqlGetResult(conn, query);
 webPrintLinkTableStart();
 webPrintLabelCell("Symbol");
 webPrintLabelCell(label);
 char **row;
 while ((row = sqlNextRow(sr)) != NULL)
     {
     printf("</TR><TR>\n");
     char *name = row[0];
     char *description = row[1];
     webPrintLinkCell(name);
     webPrintLinkCell(description);
     }
 sqlFreeResult(&sr);
 webPrintLinkTableEnd();
@@ -7687,31 +7687,31 @@
 }
 
 void hPrintFactorSourceAbbrevTable(struct sqlConnection *conn, struct trackDb *tdb)
 /* Print out table of abbreviations. With 'pack' setting, 
  * show cell name only (before '+') and uniqify */
 {
 char *label = "Cell Type";
 char *sourceTable = trackDbRequiredSetting(tdb, SOURCE_TABLE);
 boolean cellsOnly = trackDbSettingOn(tdb, SOURCE_TABLE_PACK);
 if (!cellsOnly)
     {
     hPrintAbbreviationTable(conn, sourceTable, label);
     return;
     }
 char query[256];
-safef(query, sizeof(query), "select name,description from %s order by name", sourceTable);
+sqlSafef(query, sizeof(query), "select name,description from %s order by name", sourceTable);
 struct sqlResult *sr = sqlGetResult(conn, query);
 webPrintLinkTableStart();
 webPrintLabelCell("Symbol");
 webPrintLabelCell(label);
 char **row;
 char *plus;
 struct factorSourceInfo *source = NULL, *sources = NULL;
 while ((row = sqlNextRow(sr)) != NULL)
     {
     char *name = row[0];
     char *description = row[1];
     if (cellsOnly)
         {
         // truncate description to just the cell type
         if ((plus = strchr(description, '+')) != NULL)
@@ -8002,38 +8002,38 @@
     asObj = vcfAsObj();
 else if (startsWithWord("makeItems", tdb->type))
     asObj = makeItemsItemAsObj();
 else if (sameWord("bedDetail", tdb->type))
     asObj = bedDetailAsObj();
 else if (sameWord("pgSnp", tdb->type))
     asObj = pgSnpAsObj();
 else
     {
     if (sqlTableExists(conn, "tableDescriptions"))
         {
         char query[256];
         char *asText = NULL;
 
         // Try unsplit table first.
-        safef(query, sizeof(query),
+        sqlSafef(query, sizeof(query),
               "select autoSqlDef from tableDescriptions where tableName='%s'",tdb->table);
         asText = sqlQuickString(conn, query);
 
         // If no result try split table.
         if (asText == NULL)
             {
-            safef(query, sizeof(query),
+            sqlSafef(query, sizeof(query),
                   "select autoSqlDef from tableDescriptions where tableName='chrN_%s'",tdb->table);
             asText = sqlQuickString(conn, query);
             }
 
         if (asText != NULL && asText[0] != 0)
             asObj = asParseText(asText);
         freez(&asText);
         }
     }
 return asObj;
 }
 
 struct asObject *asForTdb(struct sqlConnection *conn, struct trackDb *tdb)
 // Get autoSQL description if any associated with table.
 {