156dbcfc96c9a4a5eba481f8d979700b0ca1024e
galt
  Mon Feb 3 06:28:18 2025 -0800
Fixing security concern in hgEncodeVocab. Fixes #287. Note that the actual full cleanup (removing the unneeded encode/cv.ra from trackDb files) has not been done yet; this change makes the code tolerate its presence or absence in the trackDb.ra files, at the start of the controlledVocabulary setting.

diff --git src/hg/encode/hgEncodeVocab/hgEncodeVocab.c src/hg/encode/hgEncodeVocab/hgEncodeVocab.c
index 17761f67329..5da1c29b01b 100644
--- src/hg/encode/hgEncodeVocab/hgEncodeVocab.c
+++ src/hg/encode/hgEncodeVocab/hgEncodeVocab.c
@@ -18,31 +18,31 @@
 
 /* hgEncodeVocab - A CGI script to display the different types of encode controlled vocabulary.
  * usage:
  *   hgEncodeVocab type=[Antibody|"Cell Line"|localization|rnaExtract|"Gene Type"] [tier=(1|2|3)]
  * options:\n"
  *    type=TypeName  : Type to display
  *    tier=N         : If type="Cell Line" then this is the tier to display
  *    bgcolor=RRGGBB : Change background color (hex digits)
  *    term=a[,b,c]   : Display row for a single term [or comma delimited set of terms]
  *    tag=a[,b,c]    : Display row for a single term, using tag as identifier [or comma delimited
  *                     set of tags]
  *    target=a[,b,c] : Display all antibodies for a single target.  If 'a'[,b,c] is a term,
  *                     corresponding targets will be looked up and used
  *    label=a[,b,c]  : Display row for a single term with the specific label.
  *                     Must use with 'type' or terms must have same type.
- *    deprectate=y   : Include deprecated terms.  Usually these are excluded unles the term
+ *    deprecated=y   : Include deprecated terms.  Usually these are excluded unless the term
  *                     is reqested by name.
  * Hint: try  "hgEncodeVocab type=typeOfTerm" for a complete list of types with links to
  *       each specific type.
  */
 
 //options that apply to all vocab types
 
 #define ORGANISM           "organism"
 #define ORG_HUMAN          "human"
 #define ORG_MOUSE          "mouse"
 
 #define MAX_TABLE_COLS     11
 #define TABLE_COLS_AVAILABLE(colsUsed) (MAX_TABLE_COLS - (colsUsed))
 
 static char *termOpt = NULL;
@@ -750,30 +750,34 @@
     char *queryByTarget = CV_TARGET;
     type = findType(cvHash,requested,requestCount,&queryByTarget,org,TRUE); // silent here
     if (type != NULL)
         *queryBy = queryByTarget;
     }
 if (type == NULL && !silent)    // Still not type? abort
     errAbort("Error: Required %s=%s ['%s', '%s', '%s', '%s' or '%s'] argument not found\n",
                     *queryBy,(requested != NULL) ? *requested : "?",
                     CV_TYPE, CV_TERM, CV_TAG, CV_TARGET, CV_LABEL);
 
 return normalizeType(type);
 }
 
 void doMiddle()
 {
+// The location of encode/cv.ra is no longer passed as an option from trackDb cgi option via raReadAll(cgiUsualString("ra", cv_file()), "term");
+// Thus the original ra CGI variable is no longer a potential security concern.  
+// Note that Larry added it in 2010, but Tim D removed it by putting in the library for cvFile() by 2011, but somebody flagged it as a potential security concern in 2014.
+// and so the cgi variable "ra" is not used and can be ignored as it has not been used since 2011.
 struct hash *cvHash = raReadAll((char *)cvFile(), CV_TERM);
 struct hashCookie hc = hashFirst(cvHash);
 struct hashEl *hEl;
 struct slList *termList = NULL;
 struct hash *ra;
 int totalPrinted = 0;
 boolean excludeDeprecated = (cgiOptionalString("deprecated") == NULL);
 
 // Prepare an array of selected terms (if any)
 int requestCount = 0;
 char **requested = NULL;
 char *requestVal = termOpt;
 char *queryBy = CV_TERM;
 if (tagOpt)
     {