eca99d569898b0e1f599d9336563db410c096400
jcasper
  Sun Aug 4 18:20:13 2024 -0700
hgSession can only load sessions from URLs that are actually URLs, and no
longer reports the content of bad settings (it was a security flaw). refs #34223

diff --git src/hg/hgSession/hgSession.c src/hg/hgSession/hgSession.c
index c612bbb..092d02e 100644
--- src/hg/hgSession/hgSession.c
+++ src/hg/hgSession/hgSession.c
@@ -499,30 +499,36 @@
 cgiMakeButton(hgsDoLoadLocal, "Submit");
 printf("</TD></TR>\n");
 printf("<TR><TD colspan=2></TD></TR>\n");
 
 printf("<TR><TD colspan=2>Use settings from a URL (http://..., ftp://...):"
        "</TD>\n");
 printf("<TD>\n");
 cgiMakeOnKeypressTextVar(hgsLoadUrlName,
 			 cartUsualString(cart, hgsLoadUrlName, ""),
 			 20, jsPressOnEnter(hgsDoLoadUrl));
 printf("&nbsp;&nbsp;");
 cgiMakeButton(hgsDoLoadUrl, "Submit");
 printf("</TD></TR>\n");
 
 printf("</TABLE>\n");
+
+printf("<P></P>\n");
+printf("Please note: the above URL option is <em>not</em> for loading track hubs or assembly hubs.\n");
+printf("To load those data resources into the browser, please visit the <a href=\"../cgi-bin/hgHubConnect\"\n");
+printf("target=\"_blank\">Track Hubs</a> listing page, click the \"Connected Hubs\" tab, and enter the hub URL there.\n");
+
 printf("<P></P>\n");
 }
 
 static struct dyString *dyPrintCheckExistingSessionJs(struct slName *existingSessionNames,
                                                       char *exceptName)
 /* Write JS that will pop up a confirm dialog if the user's new session name is the same
  * (case-insensitive) as any existing session name, i.e. they would be overwriting it.
  * If exceptName is given, then it's OK for the new session name to match that. */
 {
 struct dyString *js = dyStringNew(1024);
 struct slName *sn;
 // MySQL does case-insensitive comparison because our DEFAULT CHARSET=latin1;
 // use case-insensitive comparison here to avoid clobbering (#15051).
 dyStringAppend(js, "var su, si = document.getElementsByName('" hgsNewSessionName "'); ");
 dyStringAppend(js, "if (si[0]) { su = si[0].value.trim().toUpperCase(); ");
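Review bot: The three new printf calls emit the track-hub note as bare text nodes sitting between two empty `<P></P>` elements (the new one above it and the existing one below), rather than inside a paragraph of its own; wrapping the note as `printf("<P>Please note: ...");` ... `printf("... enter the hub URL there.</P>\n");` and dropping the added empty `<P></P>` gives the same spacing with well-formed markup. Each call also cuts a sentence mid-clause; the file's own style a few lines up (`printf("<TR><TD colspan=2>Use settings from a URL ..." "</TD>\n");`) concatenates adjacent string literals into one call, which would read more easily here too. The format strings are constant, so there is no format-string concern. This hunk does not show whether the surrounding function's output is already inside a `<P>` further up.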
@@ -1429,30 +1435,32 @@
 char *doLoad(boolean fromUrl, char *actionVar)
 /* Load settings from a file or URL sent by the user.
  * Return a message confirming what we did. */
 {
 struct dyString *dyMessage = dyStringNew(1024);
 struct lineFile *lf = NULL;
 webPushErrHandlersCartDb(cart, cartUsualString(cart, "db", NULL));
 if (fromUrl)
     {
     char *url = trimSpaces(cartString(cart, hgsLoadUrlName));
     if (isEmpty(url))
 	errAbort("Please go back and enter the URL (http://..., ftp://...) "
 		 "of a file that contains "
 		 "previously saved browser settings, and then click "
 		 "\"submit\" again.");
+    if (!startsWith("http://",url) && !startsWith("https://",url) && !startsWith("ftp://",url))
+        errAbort("Unsupported protocol for loading a file via URL.  Please use http, https, or ftp");
     lf = netLineFileOpen(url);
     dyStringPrintf(dyMessage, "Loaded settings from URL %s .  %s %s",
 		   url, getUrlLink(url), getUrlEmailLink(url));
     }
 else
     {
     char *filePlainContents = cartOptionalString(cart, hgsLoadLocalFileName);
     char *fileBinaryCoords = cartOptionalString(cart,
 					hgsLoadLocalFileName "__binary");
     char *fileName = cartOptionalString(cart,
 					hgsLoadLocalFileName "__filename");
     if (isNotEmpty(filePlainContents))
 	{
 	char *settings = trimSpaces(filePlainContents);
 	dyStringAppend(dyMessage, "Loaded settings from local file ");
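Review bot: The new scheme check only constrains the first bytes of `url`; the user-supplied string is still interpolated with `%s` into dyMessage and handed to getUrlLink/getUrlEmailLink two lines later, so if dyMessage is later emitted as HTML (outside this hunk) a URL containing markup characters is rendered as-is unless those helpers encode it — worth confirming that the message is HTML-encoded before it is printed, since the commit's stated aim is to stop echoing untrusted content. The allowlist is also case-sensitive, so `HTTP://...` is rejected; that is the conservative direction, but the error text could say what is accepted, e.g. `"Unsupported protocol for loading a file via URL.  Please use a URL beginning with http://, https://, or ftp://"`. Style nit: the file writes a space after commas in argument lists, so `startsWith("http://", url)` would match the surrounding code. doLoad's body continues past the end of this hunk.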