1f954876a8847da234e0c89b3b43390b40c6ca4e
chmalee
  Tue Feb 25 10:45:31 2025 -0800
Special handle the parentDir setting during uploads by cgi-encoding the components of parentDir but leaving the slash characters in place. This allows hubtools uploads to preserve the filesystem layout on the host on our end, but prevent writing of files outside of the users hubspace directory. Any '..' characters in the parentDir are simply ignored. This commit also fixes some other hubtools related UI bugs, like preventing infinite recursion when doing a row select, displaying file names unencoded, and fixing a bug when deleting subdirectories, refs #31058

diff --git src/hg/hgHubConnect/trackHubWizard.c src/hg/hgHubConnect/trackHubWizard.c
index 500677e76f4..510c6f3f858 100644
--- src/hg/hgHubConnect/trackHubWizard.c
+++ src/hg/hgHubConnect/trackHubWizard.c
@@ -38,66 +38,94 @@
     {
     if (fileExists(fileName))
         {
         fprintf(stderr, "deleting file: '%s'\n", fileName);
         removeFileForUser(fileName, userName);
         fflush(stderr);
         }
     else
         {
         fprintf(stderr, "file '%s' does not exist\n", fileName);
         fflush(stderr);
         }
     }
 }
 
+int pathDepth(char *path)
+{
+return countChars(path, '/');
+}
+
+int sortByFullPathCmp(const void *va, const void *vb)
+/* Compare two fullPaths */
+{
+struct jsonElement *a = (struct jsonElement *)(*(struct slRef **)va)->val;
+struct jsonElement *b = (struct jsonElement *)(*(struct slRef **)vb)->val;
+char *aFullpath = jsonStringField(a, "fullPath");
+char *bFullpath = jsonStringField(b, "fullPath");
+int aDepth = pathDepth(aFullpath);
+int bDepth = pathDepth(bFullpath);
+// ensure subdirectories order before their parents:
+if (aDepth != bDepth)
+    return bDepth - aDepth;
+// if equal depth than lexicographic sort is fine
+return strcmp(jsonStringField(a,"fullPath"), jsonStringField(b, "fullPath"));
+}
+
+void sortByFullPath(struct jsonElement *listJson)
+{
+slSort(&(listJson->val.jeList), sortByFullPathCmp);
+}
+
 void doRemoveFile(struct cartJson *cj, struct hash *paramHash)
 /* Process the request to remove a file */
 {
 char *userName = getUserName();
 if (userName)
     {
     // our array of objects, each object represents a track file
     struct jsonElement *deleteJson = hashFindVal(paramHash, "fileList");
     struct slRef *copy, *f, *fileList = deleteJson->val.jeList;
-    struct slRef *dirList = NULL;
+    struct jsonElement *dirListJsonEle = newJsonList(NULL);
     jsonWriteListStart(cj->jw, "deletedList");
     for (f = fileList; f != NULL; )
         {
         struct jsonElement *fileObj = (struct jsonElement *)f->val;
         char *fileName = jsonStringField(fileObj, "fileName");
         char *fileType = jsonStringField(fileObj, "fileType");
         char *db = jsonStringField(fileObj, "genome");
         char *fullPath = jsonStringField(fileObj, "fullPath");
         copy = f->next;
         if (sameString(fileType, "dir"))
             {
             f->next = NULL;
-            slAddHead(&dirList, f);
+            jsonListAdd(dirListJsonEle, fileObj);
             }
         else
             {
             removeOneFile(userName, fileName, fullPath, db, fileType);
             // write out the fullPath so the DataTable can remove the correct row:
             jsonWriteString(cj->jw, NULL, fullPath);
             }
         f = copy;
         }
     // now attempt to delete any requested directories, but don't die if they still have contents
-    for (f = dirList; f != NULL; f = f->next)
+    sortByFullPath(dirListJsonEle);
+    struct slRef *dir = NULL;
+    for (dir = dirListJsonEle->val.jeList; dir != NULL; dir = dir->next)
         {
-        struct jsonElement *fileObj = (struct jsonElement *)f->val;
+        struct jsonElement *fileObj = (struct jsonElement *)dir->val;
         char *fileName = jsonStringField(fileObj, "fileName");
         char *fileType = jsonStringField(fileObj, "fileType");
         char *db = jsonStringField(fileObj, "genome");
         char *fullPath = jsonStringField(fileObj, "fullPath");
         removeOneFile(userName, fileName, fullPath, db, fileType);
         // write out the fullPath so the DataTable can remove the correct row:
         jsonWriteString(cj->jw, NULL, fullPath);
         }
     jsonWriteListEnd(cj->jw);
     }
 }
 
 void doMoveFile(struct cartJson *cj, struct hash *paramHash)
 /* Move a file to a new hub */
 {
@@ -106,31 +134,30 @@
 static void outUiDataForUser(struct jsonWrite *jw)
 /* List out the currently stored files for the user as well as other data
  * needed to create the hubSpace table */
 {
 char *userName = getUserName();
 jsonWriteObjectStart(jw, "userFiles");
 if (userName)
     {
     // the url for this user:
     jsonWriteString(jw, "userUrl", webDataDir(userName));
     jsonWriteListStart(jw, "fileList");
     struct hubSpace *file, *fileList = listFilesForUser(userName);
     for (file = fileList; file != NULL; file = file->next)
         {
         jsonWriteObjectStart(jw, NULL);
-        cgiDecodeFull(file->fileName, file->fileName, strlen(file->fileName));
         jsonWriteString(jw, "fileName", file->fileName);
         jsonWriteNumber(jw, "fileSize", file->fileSize);
         jsonWriteString(jw, "fileType", file->fileType);
         jsonWriteString(jw, "parentDir", file->parentDir);
         jsonWriteString(jw, "genome", file->db);
         jsonWriteString(jw, "lastModified", file->lastModified);
         jsonWriteString(jw, "uploadTime", file->creationTime);
         jsonWriteString(jw, "fullPath", stripDataDir(file->location, userName));
         jsonWriteString(jw, "md5sum", file->md5sum);
         jsonWriteObjectEnd(jw);
         }
     jsonWriteListEnd(jw);
     }
 jsonWriteBoolean(jw, "isLoggedIn", getUserName() ? TRUE : FALSE);
 jsonWriteString(jw, "hubNameDefault", defaultHubNameForUser(getUserName()));