3eff31a9084b4a8a1587ba2fc43ab4e055e70979 hiram Tue Apr 28 14:53:55 2026 -0700 eliminate the HTTP_REFERER check and depend just on the userId cookie for security refs #31811
diff --git src/hg/hubApi/liftOver.c src/hg/hubApi/liftOver.c
index aa800219b03..c39da3f64db 100644
--- src/hg/hubApi/liftOver.c
+++ src/hg/hubApi/liftOver.c
@@ -282,46 +282,36 @@ /* 'liftOver' function words[1] is the subCommand */ { char *extraArgs = verifyLegalArgs(argLiftRequest); if (extraArgs) apiErrAbort(err400, err400Msg, "extraneous arguments found for function /liftRequest '%s'", extraArgs); char *fromGenome = cgiOptionalString(argFromGenome); char *toGenome = cgiOptionalString(argToGenome); char *email = cgiOptionalString(argEmail); char *comment = cgiOptionalString(argComment); /* probably want a silent exit here */ if (isEmpty(fromGenome) || isEmpty(toGenome) || isEmpty(email) || isEmpty(comment)) apiErrAbort(err400, err400Msg, "must have all arguments: %s, %s, %s, %s for endpoint '/liftRequest", argFromGenome, argToGenome, argEmail, argComment); +/* Require a session cookie. Robots that have not + * passed the challenge will not have one. */ char *cookieName = hUserCookie(); char *userId = findCookieData(cookieName); -char *referer = getenv("HTTP_REFERER"); -char dir[PATH_LEN]; -char name[FILENAME_LEN]; -char ext[FILEEXT_LEN]; -/* expecting request to come from something.ucsc.edu/liftRequest.html */ -if (isNotEmpty(referer) && isNotEmpty(userId)) - { - splitPath(referer, dir, name, ext); - if (! (endsWith(dir, ".ucsc.edu/") && sameWord(name, "liftRequest") && sameWord(ext, ".html"))) - apiErrAbort(err400, err400Msg, "can not find required inputs for endpoint '/liftRequest"); - } else { - if (! 
debug) +if (isEmpty(userId)) apiErrAbort(err400, err400Msg, "can not find required inputs for endpoint '/liftRequest"); - } char *toAddr = cfgOption("chainFileRequestEmail"); char *fromAddr = cfgOption("apiFromEmail"); if (isNotEmpty(toAddr) && isNotEmpty(fromAddr)) { char nowTime[256]; time_t seconds = clock1(); struct tm *timeNow = localtime(&seconds); strftime(nowTime, sizeof nowTime, "%Y-%m-%d %H:%M:%S", timeNow); struct dyString *msg = newDyString(0); /* may need to encode these inputs to make them safe */ dyStringPrintf(msg, "%s\nLift over request\nfrom: %s\nto: %s\nemail '%s'\ncomment: '%s'", nowTime, fromGenome, toGenome, email, comment); /* Even if the mailViaPipe returned a relevant return code, and I'm not