f22dbc842a873deddcd0118623f90babc81990c8
galt
Mon Mar 10 12:15:16 2014 -0700
Adding a bottleneck delay call to cartDump to discourage hackers from abusing cartDump to snoop on carts.
diff --git src/hg/cartDump/cartDump.c src/hg/cartDump/cartDump.c
index 2fabc88..6e57241 100644
--- src/hg/cartDump/cartDump.c
+++ src/hg/cartDump/cartDump.c
@@ -1,120 +1,124 @@
/* cartDump - Dump contents of cart. */
#include "common.h"
#include "linefile.h"
#include "hash.h"
#include "cheapcgi.h"
#include "cart.h"
#include "hdb.h"
#include "jsHelper.h"
#include "hui.h"
+#include "botDelay.h"
#define CART_DUMP_REMOVE_VAR "n/a"
struct hash *oldVars = NULL;
void doMiddle(struct cart *cart)
/* cartDump - Dump contents of cart. */
{
#define MATCH_VAR "match"
char *vName = "cartDump.varName";
char *vVal = "cartDump.newValue";
char *wildcard;
boolean asTable = cartVarExists(cart,CART_DUMP_AS_TABLE);
+// To discourage hacking, call bottleneck
+hgBotDelay();
+
if (cgiVarExists("submit"))
{
char *varName = cgiOptionalString(vName);
char *newValue = cgiOptionalString(vVal);
if (isNotEmpty(varName) && isNotEmpty(newValue))
{
varName = skipLeadingSpaces(varName);
eraseTrailingSpaces(varName);
if (sameString(newValue, CART_DUMP_REMOVE_VAR) || sameString(newValue, CART_VAR_EMPTY))
cartRemove(cart, varName);
else
cartSetString(cart, varName, newValue);
}
cartRemove(cart, vVal);
cartRemove(cart, "submit");
}
if (cgiVarExists("noDisplay"))
{
char *trackName = cgiOptionalString("g");
if (trackName != NULL && hashNumEntries(oldVars) > 0)
{
char *db = cartString(cart, "db");
struct trackDb *tdb = hTrackDbForTrack(db, trackName);
if (tdb != NULL && tdbIsComposite(tdb))
{
struct lm *lm = lmInit(0);
cartTdbTreeCleanupOverrides(tdb,cart,oldVars,lm);
lmCleanup(&lm);
}
}
return;
}
if (asTable)
{
jsIncludeFile("utils.js",NULL);
jsIncludeFile("ajax.js",NULL);
printf("Show as plain text.
",CART_DUMP_AS_TABLE);
printf("
"); wildcard = cgiOptionalString(MATCH_VAR); if (wildcard) cartDumpLike(cart, wildcard); else cartDump(cart); printf(""); if (!asTable) { printf("\n"); } printf("
Cookies passed to %s:
\n%s\n