src/hg/lib/trackHub.c 289c4a361a8f5192a4928b05a3a68c05afe7f816

289c4a361a8f5192a4928b05a3a68c05afe7f816
galt
  Thu Dec 11 15:50:12 2025 -0800
Little patch for udc.localDir and trackHub security for local bigDataUrl disallowed for non-local hubUrl. We have to double check the cached trackDb data. fixes #34544

diff --git src/hg/lib/trackHub.c src/hg/lib/trackHub.c
index 0df9264a79b..4a967f0f4bd 100644
--- src/hg/lib/trackHub.c
+++ src/hg/lib/trackHub.c
@@ -1931,32 +1931,39 @@
     {
     boolean doCache = trackDbCacheOn();
 
     if (doCache)
         {
         // we have to open the trackDb file to get the udc cache to check for an update
         struct udcFile *checkCache = udcFileMayOpen(hubGenome->trackDbFile, NULL);
         if (checkCache != NULL)
             {
             time_t time = udcUpdateTime(checkCache);
             udcFileClose(&checkCache);
 
             struct trackDb *cacheTdb = trackDbHubCache(hubGenome->trackDbFile, time);
 
             if (cacheTdb != NULL)
+		{
+		struct trackDb *tdb;
+		for (tdb = cacheTdb; tdb != NULL; tdb = tdb->next)
+		    {  // disallow local bigDataUrl with non-local hub.
+		    expandBigDataUrl(hubGenome->trackHub, hubGenome, tdb);
+		    }
                 return cacheTdb;
 		}
+            }
 
         memCheckPoint(); // we want to know how much memory is used to build the tdbList
         }
 
     struct dyString *incFiles = newDyString(4096);
     boolean foundFirstGenome = FALSE;
     tdbList = trackHubTracksForGenome(hubGenome->trackHub, hubGenome, incFiles, &foundFirstGenome);
     tdbList = trackDbLinkUpGenerations(tdbList);
     tdbList = trackDbPolishAfterLinkup(tdbList, hubGenome->name);
     trackDbPrioritizeContainerItems(tdbList);
     trackHubPolishTrackNames(hubGenome->trackHub, tdbList);
 
     if (doCache)
         trackDbHubCloneTdbListToSharedMem(hubGenome->trackDbFile, tdbList, memCheckPoint(), incFiles->string);
     }