src/hg/lib/hdb.c 72e4774cd62b49fe88984f0ae6eba75ee5f02843

72e4774cd62b49fe88984f0ae6eba75ee5f02843
braney
  Wed Dec 13 12:54:16 2023 -0800
add hg.conf variable (trustTrackDb) to force the CGI's to validate
trackDb instead of just trusting it

diff --git src/hg/lib/hdb.c src/hg/lib/hdb.c
index b37a1e6..2f97a67 100644
--- src/hg/lib/hdb.c
+++ src/hg/lib/hdb.c
@@ -3949,31 +3949,40 @@
 boolean trackDataAccessible(char *database, struct trackDb *tdb)
 /* Return TRUE if underlying data are accessible - meaning the track has either
  * a bigDataUrl with remote URL (http:// etc), a bigDataUrl with an existing local file,
  * or a database table with the same name.
  * Note: this returns FALSE for composite tracks; use this on subtracks or simple tracks. */
 {
 return trackDataAccessibleHash(database, tdb, NULL);
 }
 
 
 static void addTrackIfDataAccessible(char *database, struct trackDb *tdb,
 	       boolean privateHost, struct trackDb **tdbRetList)
 /* check if a trackDb entry should be included in display, and if so
  * add it to the list, otherwise free it */
 {
-if ((!tdb->private || privateHost))
+// normally we trust trackDb, but sometimes we don't!
+static boolean checkedTrust = FALSE;
+static boolean trustTrackDb = TRUE;
+if (!checkedTrust)
+    {
+    trustTrackDb = cfgOptionBooleanDefault("trustTrackDb", TRUE);
+    checkedTrust = TRUE;
+    }
+
+if ((!tdb->private || privateHost) && (trustTrackDb || trackDataAccessible(database, tdb)) )
     {
     // we now allow references to native tracks in track hubs (for track collections)
     // so we need to give the downstream code the table name if there is no bigDataUrl.
     char *bigDataUrl = trackDbSetting(tdb, "bigDataUrl");
     if (bigDataUrl == NULL)
         tdb->table = trackHubSkipHubName(tdb->table);
     slAddHead(tdbRetList, tdb);
     }
 else if (tdbIsDownloadsOnly(tdb))
     {
     // While it would be good to make table NULL, since we should support tracks
     // without tables (composties, etc) and even data tracks without tables (bigWigs).
     // However, some CGIs still need careful bullet-proofing.  I have done so with
     //   hgTrackUi, hgTracks, hgTable and hgGenome
     //if (tdb->table != NULL && sameString(tdb->table,tdb->track))