3ce41962a262ede824372d486cf8da609f3d3ae3
hiram
  Thu May 2 14:22:43 2019 -0700
checking for multiple instances of arguments and illegal strings on jsonOutputArrays and trackLeavesOnly refs #18869

diff --git src/hg/hubApi/hubApi.c src/hg/hubApi/hubApi.c
index 981363b..285b52f 100644
--- src/hg/hubApi/hubApi.c
+++ src/hg/hubApi/hubApi.c
@@ -1435,39 +1435,69 @@
 if (timedOut)
     hPrintf("<h1>Reached time out %ld seconds</h1>", timeOutSeconds);
 if (measureTiming)
     hPrintf("<em>Overall total time: %ld millis</em><br>\n", clock1000() - enteredMainTime);
 
 hPrintf("</div> <!-- end of text analysis output -->\n");
 hPrintf("</div> <!-- end of surrounding border-->\n");
 hPrintf("</div> <!-- end this page contents -->\n");
 
 webIncludeFile("inc/jWestFooter.html");
 webEndJWest();
 // cartWebEnd();
 }	/*	void doMiddle(struct cart *theCart)	*/
 
 static void setGlobalCgiVars()
-/* check for CGI variables and set global flags */
+/* check for legal CGI variables and set global flags */
 {
+/* count the arguments to see if any occur more than once */
+struct hash *varCounter = hashNew(0);
+struct cgiVar *varList = cgiVarList();
+struct cgiVar *el = varList;
+for ( ; el; el = el->next)
+    {
+    hashIncInt(varCounter, el->name);
+    }
+struct hashCookie cookie = hashFirst(varCounter);
+struct hashEl *hel = NULL;
+for ( hel = hashNext(&cookie); hel; hel = hashNext(&cookie))
+    {
+    if (ptToInt(hel->val) > 1)
+	apiErrAbort(err400, err400Msg, "parameter '%s' found %d times, only one instance allowed", hel->name, ptToInt(hel->val));
+    }
+
 char *trackLeaves = cgiOptionalString("trackLeavesOnly");
-if (sameOk("1", trackLeaves))
+if (isNotEmpty(trackLeaves))
+    {
+    if (sameString("1", trackLeaves))
 	trackLeavesOnly = TRUE;
+    else if (sameString("0", trackLeaves))
+	trackLeavesOnly = FALSE;
+    else
+	apiErrAbort(err400, err400Msg, "unrecognized 'trackLeavesOnly=%s' argument, can only be =1 or =0", trackLeaves);
+    }
 
 char *jsonArray = cgiOptionalString("jsonOutputArrays");
-if (sameOk("1", jsonArray))
+if (isNotEmpty(jsonArray))
+    {
+    if (sameString("1", jsonArray))
 	jsonOutputArrays = TRUE;
+    else if (sameString("0", jsonArray))
+	jsonOutputArrays = FALSE;
+    else
+	apiErrAbort(err400, err400Msg, "unrecognized 'jsonOutputArrays=%s' argument, can only be =1 or =0", jsonArray);
+    }
 
 int maybeDebug = cgiOptionalInt("debug", 0);
 if (1 == maybeDebug)
     debug = TRUE;
 
 char *measTime = cgiOptionalString("measureTiming");
 if (isNotEmpty(measTime) && sameWord("1", measTime))
     measureTiming = TRUE;
 char *maxOut = cgiOptionalString("maxItemsOutput");
 if (isNotEmpty(maxOut))
     {
     long long n = -2;
     struct errCatch *errCatch = errCatchNew();
     if (errCatchStart(errCatch))
         {
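Review bot: The three new apiErrAbort() calls copy request-controlled text into the 400 response: the parameter name `hel->name` in the duplicate check, and the raw values `trackLeaves` and `jsonArray` in the two "unrecognized" branches. apiErrAbort is defined outside this hunk, so it cannot be confirmed from here that it escapes and length-limits the formatted message for the output format; if it does not, this is reflected, unescaped input. Since the only legal values are 0 and 1, echoing the value adds little, and the message can omit it, e.g. `apiErrAbort(err400, err400Msg, "unrecognized 'trackLeavesOnly' argument, can only be =1 or =0");`, and likewise for jsonOutputArrays. Separately, `debug` and `measureTiming` further down still silently ignore any value other than 1, which is inconsistent with the strict handling added here. setGlobalCgiVars continues past the end of the hunk.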