c68d2c9b63b22488a6746004246a235c65a1dec9 galt Wed Oct 5 17:25:13 2016 -0700 Fixes problem with crashing in hgTables, hgIntegrator and hgSession when bogus XSS hgsid is given. It had been generating an errAbort with the wrong handler such that the content-type never appeared in the output. also did minor removal of commented out code cleanup. refs #18163. diff --git src/hg/lib/cart.c src/hg/lib/cart.c index 0997d3f..3d21b9a 100644 --- src/hg/lib/cart.c +++ src/hg/lib/cart.c @@ -1584,34 +1584,31 @@ cartExclude(cart, sessionVar); if (sameOk(cfgOption("signalsHandler"), "on")) /* most cgis call this routine */ initSigHandlers(hDumpStackEnabled()); char *httpProxy = cfgOption("httpProxy"); /* most cgis call this routine */ if (httpProxy) setenv("http_proxy", httpProxy, TRUE); /* net.c cannot see the cart, pass the value through env var */ return cart; } struct cart *cartAndCookieWithHtml(char *cookieName, char **exclude, struct hash *oldVars, boolean doContentType) /* Load cart from cookie and session cgi variable. Write cookie * and optionally content-type part HTTP preamble to web page. Don't * write any HTML though. */ { -if (doContentType) htmlPushEarlyHandlers(); -else - pushWarnHandler(cartEarlyWarningHandler); struct cart *cart = cartForSession(cookieName, exclude, oldVars); popWarnHandler(); cartWriteCookie(cart, cookieName); if (doContentType) { puts("Content-Type:text/html"); puts("\n"); } return cart; } struct cart *cartAndCookie(char *cookieName, char **exclude, struct hash *oldVars) /* Load cart from cookie and session cgi variable. Write cookie and * content-type part HTTP preamble to web page. Don't write any HTML though. */ 
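Review bot: `htmlPushEarlyHandlers()` now runs for every caller of `cartAndCookieWithHtml()`, but the only matching call after `cartForSession()` is still `popWarnHandler()`. The helper's body is not in this hunk; if it also pushes an abort handler, as its plural name suggests, that handler stays installed for `doContentType == FALSE` callers such as hgTables, which write their own content type later, and that type may not be HTML. Consider adding `popAbortHandler();` right after `popWarnHandler();`, or a comment explaining why the abort handler is meant to stay. The function comment should also say that an error while loading the cart now produces an HTML content-type even when `doContentType` is FALSE. Because the trigger is an attacker-chosen hgsid, it is worth confirming that the early handler HTML-encodes any request value echoed in the error message.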
@@ -2844,43 +2841,35 @@ * For virtual modes, returns the type and extraState. */ { // position=lastDbPos in URL? -> go back to the last browsed position for this db char *position = NULL; char *defaultPosition = hDefaultPos(database); struct cart *lastDbPosCart = cartOfNothing(); boolean gotCart = FALSE; char dbPosKey[256]; safef(dbPosKey, sizeof(dbPosKey), "position.%s", database); if (sameOk(cgiOptionalString("position"), "lastDbPos")) { char *dbLocalPosContent = cartUsualString(cart, dbPosKey, NULL); if (dbLocalPosContent) { - //warn("dbLocalPosContent=%s",dbLocalPosContent); // DEBUG REMOVE if (strchr(dbLocalPosContent, '=')) { gotCart = TRUE; cartParseOverHash(lastDbPosCart, cloneString(dbLocalPosContent)); // this function chews up input position = cloneString(cartUsualString(lastDbPosCart, "position", NULL)); - //warn("gotCart position=%s",position); // DEBUG REMOVE - - // DEBUG REMOVE: - //struct dyString *dbPosValue = newDyString(4096); - //cartEncodeState(lastDbPosCart, dbPosValue); - //warn("gotCart dbPosValue->string=[%s]",dbPosValue->string); - } else { position = dbLocalPosContent; // old style value } } else { position = defaultPosition; // no value was set } } if (position == NULL) { position = cloneString(cartUsualString(cart, "position", NULL));