f20e513a5dcae8e821aaf7dcccfaf57ee4cd3cb1 galt Thu Feb 6 13:37:43 2025 -0800 Reapply "Fixing security concern in hgEncodeVocab. fixes #287. Note that actual full cleanup by removing the unneeded encode/cv.ra from trackDb files has not been done yet., and making the code tolerate its presence or absence in the trackDb.ra files, at the start of the controlledVocabulary setting." This reverts commit c5af95b7146dde46f2d2f70ecad1eb9b4c37b57f.
diff --git src/hg/encode/hgEncodeVocab/hgEncodeVocab.c src/hg/encode/hgEncodeVocab/hgEncodeVocab.c
index 17761f67329..5da1c29b01b 100644
--- src/hg/encode/hgEncodeVocab/hgEncodeVocab.c
+++ src/hg/encode/hgEncodeVocab/hgEncodeVocab.c
@@ -18,31 +18,31 @@
 /* hgEncodeVocab - A CGI script to display the different types of encode controlled vocabulary.
  * usage:
  * hgEncodeVocab type=[Antibody|"Cell Line"|localization|rnaExtract|"Gene Type"] [tier=(1|2|3)]
  * options:\n"
  * type=TypeName : Type to display
  * tier=N : If type="Cell Line" then this is the tier to display
  * bgcolor=RRGGBB : Change background color (hex digits)
  * term=a[,b,c] : Display row for a single term [or comma delimited set of terms]
  * tag=a[,b,c] : Display row for a single term, using tag as identifier [or comma delimited
  * set of tags]
  * target=a[,b,c] : Display all antibodies for a single target. If 'a'[,b,c] is a term,
  * corresponding targets will be looked up and used
  * label=a[,b,c] : Display row for a single term with the specific label.
  * Must use with 'type' or terms must have same type.
- * deprectate=y : Include deprecated terms. Usually these are excluded unles the term
+ * deprecated=y : Include deprecated terms. Usually these are excluded unless the term
  * is reqested by name.
  * Hint: try "hgEncodeVocab type=typeOfTerm" for a complete list of types with links to
  * each specific type.
  */
 //options that apply to all vocab types
 #define ORGANISM "organism"
 #define ORG_HUMAN "human"
 #define ORG_MOUSE "mouse"
 #define MAX_TABLE_COLS 11
 #define TABLE_COLS_AVAILABLE(colsUsed) (MAX_TABLE_COLS - (colsUsed))
 static char *termOpt = NULL;
@@ -750,30 +750,34 @@ char *queryByTarget = CV_TARGET;
 type = findType(cvHash,requested,requestCount,&queryByTarget,org,TRUE); // silent here
 if (type != NULL)
 *queryBy = queryByTarget;
 }
 if (type == NULL && !silent) // Still not type? abort
 errAbort("Error: Required %s=%s ['%s', '%s', '%s', '%s' or '%s'] argument not found\n", *queryBy,(requested != NULL) ? *requested : "?", CV_TYPE, CV_TERM, CV_TAG, CV_TARGET, CV_LABEL);
 return normalizeType(type);
 }
 void doMiddle()
 {
+// The location of encode/cv.ra is no longer passed as an option from trackDb cgi option via raReadAll(cgiUsualString("ra", cv_file()), "term");
+// Thus the original ra CGI variable is no longer a potential security concern.
+// Note that Larry added it in 2010, but Tim D removed it by putting in the library for cvFile() by 2011, but somebody flagged it as a potential security concern in 2014.
+// and so the cgi variable "ra" is not used and can be ignored as it has not been used since 2011.
 struct hash *cvHash = raReadAll((char *)cvFile(), CV_TERM);
 struct hashCookie hc = hashFirst(cvHash);
 struct hashEl *hEl;
 struct slList *termList = NULL;
 struct hash *ra;
 int totalPrinted = 0;
 boolean excludeDeprecated = (cgiOptionalString("deprecated") == NULL);
 // Prepare an array of selected terms (if any)
 int requestCount = 0;
 char **requested = NULL;
 char *requestVal = termOpt;
 char *queryBy = CV_TERM;
 if (tagOpt)
 {
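Review bot: The four comment lines added at the top of doMiddle() record who changed what in 2010, 2011 and 2014 rather than stating the current contract, and the first of them quotes the retired `raReadAll(cgiUsualString("ra", cv_file()), "term")` call verbatim, so a grep for a live read of the `ra` CGI parameter lands on this comment (it also names `cv_file()` where the code on the next line calls `cvFile()`). That history belongs in the commit message and issue #287; in the source, one line giving the invariant a future reader must preserve is enough: `// The cv.ra path comes only from cvFile(); the "ra" CGI variable is deliberately never read here (see #287).` doMiddle() continues past the end of the hunk.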