38d05d1d1259c64a71c7d46444a9e9bb91e21676
galt
Fri Jan 10 23:46:22 2020 -0800
Changing cartReset to use a CSP meta header to suppress XSS javascript in the destination CGI parameter. refs#24750
diff --git src/hg/cartReset/cartReset.c src/hg/cartReset/cartReset.c
index bdf6330..74e87c4 100644
--- src/hg/cartReset/cartReset.c
+++ src/hg/cartReset/cartReset.c
@@ -1,52 +1,49 @@
/* cartReset - Reset cart. */
/* Copyright (C) 2013 The Regents of the University of California
* See README in this or parent directory for licensing information. */
#include "common.h"
#include "linefile.h"
#include "hash.h"
#include "cheapcgi.h"
#include "htmshell.h"
#include "hui.h"
#include "cart.h"
static char *defaultDestination = "../cgi-bin/hgGateway";
void doMiddle()
/* cartReset - Reset cart. */
{
cartResetInDb(hUserCookie());
-/*
-//Keep in case we need it later. The standards say we should provide
-//a clickable link for browsers that do not support meta refresh
-printf("Your settings are now reset to defaults.
");
-char *destination = cgiUsualString("destination", defaultDestination);
-printf("You will be automatically redirected to the gateway page in 0 second,\n"
-" or you can
click here to continue.\n",
- destination);
-*/
}
int main(int argc, char *argv[])
/* Process command line. */
{
long enteredMainTime = clock1000();
struct dyString *headText = newDyString(512);
char *destination = cgiUsualString("destination", defaultDestination);
if (strstr(destination, "//"))
errAbort("To stop Open Redirect abuse, only relative URLs are supported. "
"Request for destination=[%s] rejected.\n", destination);
-dyStringPrintf(headText,
+char *meta = getCspMetaHeader(); // ContentSecurityPolicy stops XSS js in destination
+
+dyStringPrintf(headText, "%s"
""
""
""
- ,destination);
+ ,meta,destination);
+
htmShellWithHead("Reset Cart", headText->string, doMiddle, NULL);
+
+freeMem(meta);
dyStringFree(&headText);
+
cgiExitTime("cartReset", enteredMainTime);
return 0;
}
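Review bot: The destination value is still interpolated unencoded into the head markup at the new `dyStringPrintf(headText, "%s" ... ,meta,destination)` call; a CSP meta header limits what injected script may execute, but it is a mitigation layer and not a substitute for encoding the value for the HTML attribute context it lands in (the HTML text inside the format arguments appears stripped in this rendering, so the exact quoting cannot be checked here). I would encode before interpolation, e.g. `char *safeDest = htmlEncode(destination);` passed in place of `destination` and freed next to `meta` after `htmShellWithHead`, assuming htmlEncode from htmshell.h is the attribute-safe helper in this tree. Separately, `meta` from `getCspMetaHeader()` goes straight into `%s` with no NULL check, so either guard it or note in a comment that the function is guaranteed to return an allocated string. Encoding the value is also more robust than relying on the `strstr(destination, "//")` test above, which rejects one shape of input rather than making the output safe.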