156dbcfc96c9a4a5eba481f8d979700b0ca1024e galt Mon Feb 3 06:28:18 2025 -0800 Fixing security concern in hgEncodeVocab. fixes #287. Note that actual full cleanup by removing the unneeded encode/cv.ra from trackDb files has not been done yet., and making the code tolerate its presence or absence in the trackDb.ra files, at the start of the controlledVocabulary setting.
diff --git src/hg/encode/hgEncodeVocab/hgEncodeVocab.c src/hg/encode/hgEncodeVocab/hgEncodeVocab.c
index 17761f67329..5da1c29b01b 100644
--- src/hg/encode/hgEncodeVocab/hgEncodeVocab.c
+++ src/hg/encode/hgEncodeVocab/hgEncodeVocab.c
@@ -18,31 +18,31 @@
 /* hgEncodeVocab - A CGI script to display the different types of encode controlled vocabulary.
  * usage:
  * hgEncodeVocab type=[Antibody|"Cell Line"|localization|rnaExtract|"Gene Type"] [tier=(1|2|3)]
  * options:\n"
  * type=TypeName : Type to display
  * tier=N : If type="Cell Line" then this is the tier to display
  * bgcolor=RRGGBB : Change background color (hex digits)
  * term=a[,b,c] : Display row for a single term [or comma delimited set of terms]
  * tag=a[,b,c] : Display row for a single term, using tag as identifier [or comma delimited
  * set of tags]
  * target=a[,b,c] : Display all antibodies for a single target. If 'a'[,b,c] is a term,
  * corresponding targets will be looked up and used
  * label=a[,b,c] : Display row for a single term with the specific label.
  * Must use with 'type' or terms must have same type.
- * deprectate=y : Include deprecated terms. Usually these are excluded unles the term
+ * deprecated=y : Include deprecated terms. Usually these are excluded unless the term
  * is reqested by name.
  * Hint: try "hgEncodeVocab type=typeOfTerm" for a complete list of types with links to
  * each specific type.
  */
 //options that apply to all vocab types
 #define ORGANISM "organism"
 #define ORG_HUMAN "human"
 #define ORG_MOUSE "mouse"
 #define MAX_TABLE_COLS 11
 #define TABLE_COLS_AVAILABLE(colsUsed) (MAX_TABLE_COLS - (colsUsed))
 static char *termOpt = NULL;
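Review bot: The context line directly below the corrected one, ` * is reqested by name.`, still carries a typo (`requested`), and ` * options:\n"` has a stray `\n"` that looks like a leftover from a string literal; since this hunk is already tidying this usage comment, both could be fixed in the same change. The `deprecated=y` spelling now matches the `cgiOptionalString("deprecated")` lookup later in the file, which is the useful part of this hunk, so it would be worth a short note in the commit message that the option name in the usage text was previously wrong, not merely misspelled.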
@@ -750,30 +750,34 @@
 char *queryByTarget = CV_TARGET;
 type = findType(cvHash,requested,requestCount,&queryByTarget,org,TRUE); // silent here
 if (type != NULL)
 *queryBy = queryByTarget;
 }
 if (type == NULL && !silent) // Still not type? abort
 errAbort("Error: Required %s=%s ['%s', '%s', '%s', '%s' or '%s'] argument not found\n", *queryBy,(requested != NULL) ? *requested : "?", CV_TYPE, CV_TERM, CV_TAG, CV_TARGET, CV_LABEL);
 return normalizeType(type);
 }
 void doMiddle()
 {
+// The location of encode/cv.ra is no longer passed as an option from trackDb cgi option via raReadAll(cgiUsualString("ra", cv_file()), "term");
+// Thus the original ra CGI variable is no longer a potential security concern.
+// Note that Larry added it in 2010, but Tim D removed it by putting in the library for cvFile() by 2011, but somebody flagged it as a potential security concern in 2014.
+// and so the cgi variable "ra" is not used and can be ignored as it has not been used since 2011.
 struct hash *cvHash = raReadAll((char *)cvFile(), CV_TERM);
 struct hashCookie hc = hashFirst(cvHash);
 struct hashEl *hEl;
 struct slList *termList = NULL;
 struct hash *ra;
 int totalPrinted = 0;
 boolean excludeDeprecated = (cgiOptionalString("deprecated") == NULL);
 // Prepare an array of selected terms (if any)
 int requestCount = 0;
 char **requested = NULL;
 char *requestVal = termOpt;
 char *queryBy = CV_TERM;
 if (tagOpt)
 {
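Review bot: The four added comment lines at the top of doMiddle() are a change history (who added and removed what, and when) rather than a statement of the invariant the next maintainer needs, and the only line that actually establishes the security property is the unchanged `raReadAll((char *)cvFile(), CV_TERM)` below them. A single why-comment tied to that call would carry the point better: `// The cv.ra path comes from cvFile() in the library, never from a CGI parameter, so a request cannot choose which file is parsed.` The history, including the old `cgiUsualString("ra", ...)` form and the 2014 report, belongs in the commit message or issue #287, not in the function body. Separately, the `(char *)` cast on `cvFile()` discards a qualifier; if raReadAll() accepts a `const char *` the cast can simply go, otherwise the cast deserves its own one-line comment. doMiddle() continues past the end of this hunk, so the commit's stated goal of tolerating cv.ra's presence or absence in the controlledVocabulary setting cannot be checked from these lines.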