d95aae72e5192d7f7172522f042c373868f55ec3
galt
Thu Mar 3 09:21:05 2022 -0800
Fixing cartReset destination redirect, which should not allow quote marks, spaces, or empty strings; these make the page go into an infinite loop. Reported by NetSparker scan.
diff --git src/hg/cartReset/cartReset.c src/hg/cartReset/cartReset.c
index a26528a..515802b 100644
--- src/hg/cartReset/cartReset.c
+++ src/hg/cartReset/cartReset.c
@@ -2,48 +2,66 @@
/* Copyright (C) 2013 The Regents of the University of California
* See kent/LICENSE or http://genome.ucsc.edu/license/ for licensing information. */
#include "common.h"
#include "linefile.h"
#include "hash.h"
#include "cheapcgi.h"
#include "htmshell.h"
#include "hui.h"
#include "cart.h"
static char *defaultDestination = "../cgi-bin/hgGateway";
+boolean problem = FALSE;
+char *destination = NULL;
+
void doMiddle()
/* cartReset - Reset cart. */
{
-
+if (problem)
+ {
+ warn("To stop Open Redirect abuse, only relative URLs are supported. "
+ "Request for destination=[%s] rejected.\n", destination);
+ }
cartResetInDb(hUserCookie());
}
int main(int argc, char *argv[])
/* Process command line. */
{
long enteredMainTime = clock1000();
struct dyString *headText = newDyString(512);
-char *destination = cgiUsualString("destination", defaultDestination);
-if (strstr(destination, "//"))
- errAbort("To stop Open Redirect abuse, only relative URLs are supported. "
- "Request for destination=[%s] rejected.\n", destination);
+destination = cgiUsualString("destination", defaultDestination);
+// Only allow relative URL that does not contain space or quote characters.
+if (strstr(destination, "//") // absolute URL
+ || strchr(destination, '\'') // single quote
+ || strchr(destination, '"') // double quote
+ || strchr(destination, ' ') // space
+ || sameString(destination, "") // empty string
+ )
+ {
+ problem = TRUE;
+ }
-char *meta = getCspMetaHeader(); // ContentSecurityPolicy stops XSS js in destination
+char *csp = getCspMetaHeader(); // ContentSecurityPolicy stops XSS js in destination
+dyStringPrintf(headText, "%s",csp);
-dyStringPrintf(headText, "%s"
+if (!problem)
+ {
+ dyStringPrintf(headText,
""
""
""
- ,meta,destination);
+ ,destination);
+ }
htmShellWithHead("Reset Cart", headText->string, doMiddle, NULL);
-freeMem(meta);
+freeMem(csp);
dyStringFree(&headText);
cgiExitTime("cartReset", enteredMainTime);
return 0;
}
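Review bot: The rejection test at the top of main() is a denylist of four characters plus the empty string, and an accepted value still flows into the head text below (the HTML of those dyStringPrintf lines is not legible in this rendering, presumably a meta refresh), so characters outside that list — backslash, tab/newline and other control characters — reach the page unchecked. A positive check is easier to reason about and to audit: require `destination` to begin with a relative prefix such as `../cgi-bin/` or a single `/` not followed by `/` or `\`, and accept only a fixed character set, e.g. `if (strspn(destination, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~/?=&%") != strlen(destination)) problem = TRUE;`. Separately, the `warn()` in doMiddle() echoes the rejected value back into the response; unless warn() HTML-encodes its arguments (not visible here), the string should be encoded before interpolation or left out of the message, with the raw value going only to the server log. Minor: `problem` and `destination` are file-scope but not `static`, unlike `defaultDestination` two lines above — `static boolean problem = FALSE;` and `static char *destination = NULL;` keep them out of the global namespace.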