src/hg/lib/userdata.c 28ac91cd29f92b006199680053b5b93c42f27c74

28ac91cd29f92b006199680053b5b93c42f27c74
chmalee
  Fri Jan 24 17:11:10 2025 -0800
When hubspace UI requests to remove a file, ensure realpath gets called on the requested file and check that the file is belonging to the userName, right before deletion, refs #35109

diff --git src/hg/lib/userdata.c src/hg/lib/userdata.c
index 6de5d1b893d..52bd776b7a3 100644
--- src/hg/lib/userdata.c
+++ src/hg/lib/userdata.c
@@ -340,38 +340,40 @@
     addHubSpaceRowForFile(hubTextRow);
 }
 
 static void deleteHubSpaceRow(char *fname, char *userName)
 /* Deletes a row from the hubspace table for a given fname */
 {
 struct sqlConnection *conn = hConnectCentral();
 struct dyString *deleteQuery = sqlDyStringCreate("delete from hubSpace where location='%s' and userName='%s'", fname, userName);
 sqlUpdate(conn, dyStringCannibalize(&deleteQuery));
 }
 
 void removeFileForUser(char *fname, char *userName)
 /* Remove a file for this user if it exists */
 {
 // The file to remove must be prefixed by the hg.conf userDataDir
-if (!startsWith(getDataDir(userName), fname))
+char canonicalPath[PATH_MAX];
+realpath(fname, canonicalPath);
+if (!startsWith(getDataDir(userName), canonicalPath))
     return;
-if (fileExists(fname))
+if (fileExists(canonicalPath))
     {
     // delete the actual file
-    mustRemove(fname);
+    mustRemove(canonicalPath);
     // delete the table row
-    deleteHubSpaceRow(fname, userName);
+    deleteHubSpaceRow(canonicalPath, userName);
     }
 // TODO: we should also modify the hub.txt associated with this file
 }
 
 struct hubSpace *listFilesForUser(char *userName)
 /* Return the files the user has uploaded */
 {
 struct sqlConnection *conn = hConnectCentral();
 struct dyString *query = sqlDyStringCreate("select userName, fileName, fileSize, fileType, creationTime, DATE_FORMAT(lastModified, '%%c/%%d/%%Y, %%l:%%i:%%s %%p') as lastModified, db, location, md5sum, parentDir from hubSpace where userName='%s' order by location,creationTime", userName);
 struct hubSpace *fileList = hubSpaceLoadByQuery(conn, dyStringCannibalize(&query));
 hDisconnectCentral(&conn);
 return fileList;
 }
 
 #define defaultHubName "defaultHub"