Commits for galt

v375_base to v376_preview (2018-12-10 to 2018-12-17) v376

3247510dde097fab841ab57d3a1fb34fbff8d69e Fri Dec 7 19:51:05 2018 -0800

• Blank identifiers should not be allowed as parameters in SQL statements in unquoted %s format strings. refs #22596
  • src/hg/lib/jksql.c - lines changed 4, context: html, text, full: html, text

cf7bc66b112f6a96139222a17b1ae2211f8031f3 Fri Dec 7 19:52:20 2018 -0800

• cartReset as too permissive allowing Open Redirect problems. Reported by Anthony. refs #22596
  • src/hg/cartReset/cartReset.c - lines changed 3, context: html, text, full: html, text

e81403a315a24af601884b8a19e89bcecc92f267 Sat Dec 8 20:04:28 2018 -0800

• Fixing hFindSplitTable and its use. Standard size, give real string size so no undetected overflows. Test result and abort if not found. Avoids SQL errors that otherwise will popup. Handles uninitialzed stack better for the output name. refs #22596.
  • src/hg/altSplice/altSplice/orthoSplice.c - lines changed 2, context: html, text, full: html, text
  • src/hg/das/das.c - lines changed 2, context: html, text, full: html, text
  • src/hg/featureBits/featureBits.c - lines changed 8, context: html, text, full: html, text
  • src/hg/hgGene/altSplice.c - lines changed 3, context: html, text, full: html, text
  • src/hg/hgGene/hgGene.c - lines changed 3, context: html, text, full: html, text
  • src/hg/hgGenome/wiggle.c - lines changed 9, context: html, text, full: html, text
  • src/hg/hgTables/identifiers.c - lines changed 1, context: html, text, full: html, text
  • src/hg/hgTables/wiggle.c - lines changed 11, context: html, text, full: html, text
  • src/hg/hgTracks/rmskJoinedTrack.c - lines changed 2, context: html, text, full: html, text
  • src/hg/hgTracks/rmskTrack.c - lines changed 2, context: html, text, full: html, text
  • src/hg/hgc/dbRIP.c - lines changed 3, context: html, text, full: html, text
  • src/hg/hgc/hgc.c - lines changed 153, context: html, text, full: html, text
  • src/hg/hgc/lowelab.c - lines changed 3, context: html, text, full: html, text
  • src/hg/hgc/regMotif.c - lines changed 3, context: html, text, full: html, text
  • src/hg/hgc/retroClick.c - lines changed 6, context: html, text, full: html, text
  • src/hg/hgc/rmskJoinedClick.c - lines changed 8, context: html, text, full: html, text
  • src/hg/hgc/wiggleClick.c - lines changed 4, context: html, text, full: html, text
  • src/hg/inc/hdb.h - lines changed 7, context: html, text, full: html, text
  • src/hg/lib/annoStreamDb.c - lines changed 1, context: html, text, full: html, text
  • src/hg/lib/chainNetDbLoad.c - lines changed 2, context: html, text, full: html, text
  • src/hg/lib/hAnno.c - lines changed 3, context: html, text, full: html, text
  • src/hg/lib/hdb.c - lines changed 12, context: html, text, full: html, text
  • src/hg/mouseStuff/knownVsBlat/knownVsBlat.c - lines changed 17, context: html, text, full: html, text
  • src/hg/orthoMap/orthoMap.c - lines changed 2, context: html, text, full: html, text
  • src/hg/ratStuff/mafGene/mafGene.c - lines changed 4, context: html, text, full: html, text

83fcfc003aad68c20e56e546e75f79c63c7332d6 Fri Dec 14 12:36:43 2018 -0800

• Simple testing shows that this gets an error when just switching from one db to another. Although it is a nice idea, it could be a lot of work to be sure nowhere in the code is using the blank identifier. So it stays in for now.
  • src/hg/lib/jksql.c - lines changed 5, context: html, text, full: html, text