e5c786377cee95f737ff9d4bbada817e14f94aa4
angie
  Mon Dec 12 09:25:06 2016 -0800
Better cookies and validation for hgLogin: instead of sending gbMembers.idx as
the login cookie and then never checking the value of the incoming cookie, use
a salted hash.  The salt is a secret text value specified by login.cookieSalt
in hg.conf.private.  For remote login, both hosts' hg.conf.private files must
specify the same login.cookieSalt.  In order to avoid logging out all users,
for now the correct value of gbMembers.idx is accepted in place of the salted
hash for local logins.  For remote logins without login.cookieSalt, there is
still no way to check the incoming cookie.  For local logins without
login.cookieSalt, the correct gbMembers.idx is accepted.
refs #17327

diff --git src/lib/common.c src/lib/common.c
index b44b3ee..3c48e49 100644
--- src/lib/common.c
+++ src/lib/common.c
@@ -852,30 +852,33 @@
     slAddHead(&list, el);
     }
 slReverse(&list);
 return list;
 }
 
 char *slNameListToString(struct slName *list, char delimiter)
 /* Return string created by joining all names with the delimiter. */
 {
 struct slName *el;
 int elCount = 0;
 int len = 0;
 char del[2];
 char *s;
 
+if (list == NULL)
+    return cloneString("");
+
 del[0] = delimiter;
 del[1] = '\0';
 
 for (el = list; el != NULL; el = el->next, elCount++)
 	len += strlen(el->name);
 len += elCount;
 
 AllocArray(s, len);
 
 for (el = list; el != NULL; el = el->next)
 	{
 	strcat(s, el->name);
 	if (el->next != NULL)
 		strcat(s, del);
 	}
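Review bot: The added `if (list == NULL) return cloneString("");` gives the empty list a defined result, but the header comment still does not state the ownership contract; I would extend it to `/* Return string created by joining all names with the delimiter. An empty list yields a newly allocated ""; the caller frees the result. */`. Separately, the unchanged sizing code below the new check sums `strlen()` results into `int len`, and the `strcat` loop only works if `AllocArray` hands back zeroed memory (presumably it does; that is not visible in this hunk). If this helper can be reached with request-derived names, declaring `size_t len = 0;` would keep a very large list from wrapping the signed total and undersizing the buffer. The end of slNameListToString lies outside the hunk, so the return path was not reviewed.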