a0b5687117ecc4f594719d5bd97fcf6ee3f51921
hiram
  Fri Sep 16 12:02:02 2022 -0700
more strict acceptance of the five required arguments refs #30003

diff --git src/hg/gar/gar.cgi.pl src/hg/gar/gar.cgi.pl
index a03b456..cf95979 100755
--- src/hg/gar/gar.cgi.pl
+++ src/hg/gar/gar.cgi.pl
@@ -18,32 +18,35 @@
 my %incoming = (
   "name" => "noName",
   "email" => "noEmail",
   "asmId" => "noAsmId",
   "betterName" => "noBetterName",
   "comment" => "noComment",
 );
 
 my $validIncoming = 0;
 
 if (defined($ENV{"QUERY_STRING"})) {
   my $qString = $ENV{"QUERY_STRING"};
   my @idVal = split("&", $qString);
   foreach $id (@idVal) {
     my ($tag, $value) = split("=", $id, 2);
-    $incoming{$tag} = uri_unescape( $value ) if (defined($value));
-    ++$validIncoming if (defined($value));
+    # only accept known inputs, the five defined above for %incoming defaults
+    if (defined($incoming{$tag}) && defined($value)) {
+      $incoming{$tag} = uri_unescape( $value );
+      ++$validIncoming;
+    }
   }
 }
 
 if ($validIncoming != 5) {
   # not a legitimate request from our own business, do nothing.
   print "</body></html>\n";
   exit 0;
 }
 
 printf "<ul>\n";
 printf "<li> name: '%s'</li>\n", $incoming{"name"};
 printf "<li>email: '%s'</li>\n", $incoming{"email"};
 printf "<li>asmId: '%s'</li>\n", $incoming{"asmId"};
 printf "<li>betterName '%s'</li>\n", $incoming{"betterName"};
 printf "<li>comment '%s'</li>\n", $incoming{"comment"};
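Review bot: The increment `++$validIncoming;` added inside the new `if` still reaches 5 when a single known key is repeated in the query string, because `defined($incoming{$tag})` remains true after the first assignment, so the `!= 5` gate below does not establish that all five distinct inputs were supplied. Count distinct keys instead: add `my %seen;` beside `my $validIncoming = 0;` and change the increment to `++$validIncoming unless $seen{$tag}++;`. Separately, the accepted values are interpolated straight into the `<li>` lines by printf with no HTML escaping, so query-string content is reflected as markup into the page; pass each value through `HTML::Entities::encode_entities` (or CGI's `escapeHTML`) at the print site. The loop variable in `foreach $id (@idVal)` is also not declared with `my`, which suggests this file is not running under `use strict` — worth confirming, since `foreach my $id (@idVal)` is the intended form.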