4cffc3eb6f43e109452b5b52d1f760cf1ea6a981 jcasper Sun Jun 7 21:47:37 2026 -0700 Adjusting sessionDb and userDb IDs to be 64-bit in the code, since the database is now ready for it and we're crossing the threshold. refs #33554
diff --git src/hg/lib/botDelay.c src/hg/lib/botDelay.c
index e1200591629..3999733ddee 100644
--- src/hg/lib/botDelay.c
+++ src/hg/lib/botDelay.c
@@ -115,85 +115,85 @@ return user; } boolean isValidHguid(char *cookieUserId) /* Check if a particular hguid is valid, i.e. well-formatted, has matching id and secure string, * and isn't corrupted. */ { if (isEmpty(cookieUserId)) return FALSE; boolean isValid = FALSE; struct sqlConnection *conn = hConnectCentralNoCache(); char query[2048]; if (cartDbHasSessionKey(conn, userDbTable())) { char *sessionKey = NULL; - unsigned id = cartDbParseId(cookieUserId, &sessionKey); + unsigned long id = cartDbParseId(cookieUserId, &sessionKey); if (sessionKey == NULL) { sqlDisconnect(&conn); return FALSE; } - sqlSafef(query, sizeof(query), "select id from %s where id = %u and sessionKey = '%s'", + sqlSafef(query, sizeof(query), "select id from %s where id = %lu and sessionKey = '%s'", userDbTable(), id, sessionKey); } else { - sqlSafef(query, sizeof(query), "select id from %s where id = %u", userDbTable(), sqlUnsigned(cookieUserId)); + sqlSafef(query, sizeof(query), "select id from %s where id = %lu", userDbTable(), sqlUnsignedLong(cookieUserId)); } if (sqlExists(conn, query)) isValid = TRUE; sqlDisconnect(&conn); return isValid; } static void recordHguidIpAndMaybeForceCaptcha() /* When hguidIpTracking is enabled in hg.conf, upsert this request's * (hguid, REMOTE_ADDR) into the hgcentral tracking table. If a single * hguid has been seen from more than hguidIpTracking.maxIps distinct IPs * within the last hguidIpTracking.windowSeconds, set the "captcha" CGI * var so forceUserIdOrCaptcha() in cart.c forces the user through the * Cloudflare captcha (the bypass at cart.c:1618 honors this override). 
*/ { if (!cfgOptionBooleanDefault("hguidIpTracking.enabled", FALSE)) return; char *cookieUserId = getCookieUser(); char *clientIp = getenv("REMOTE_ADDR"); if (isEmpty(cookieUserId) || isEmpty(clientIp)) return; if (!isValidHguid(cookieUserId)) return; -unsigned int userIdNum = cartDbParseId(cookieUserId, NULL); +unsigned long userIdNum = cartDbParseId(cookieUserId, NULL); int maxIps = atoi(cfgOptionDefault("hguidIpTracking.maxIps", "10")); int windowSeconds = atoi(cfgOptionDefault("hguidIpTracking.windowSeconds", "600")); char *table = cfgOptionDefault("hguidIpTracking.table", "hguidIpAccess"); struct sqlConnection *conn = hConnectCentralNoCache(); char query[512]; sqlSafef(query, sizeof(query), - "INSERT INTO %s (userId, ip, lastSeen) VALUES (%u, '%s', NOW()) " + "INSERT INTO %s (userId, ip, lastSeen) VALUES (%lu, '%s', NOW()) " "ON DUPLICATE KEY UPDATE lastSeen=NOW()", table, userIdNum, clientIp); sqlUpdate(conn, query); sqlSafef(query, sizeof(query), - "SELECT COUNT(DISTINCT ip) FROM %s WHERE userId=%u " + "SELECT COUNT(DISTINCT ip) FROM %s WHERE userId=%lu " "AND lastSeen > NOW() - INTERVAL %d SECOND", table, userIdNum, windowSeconds); int distinctIps = sqlQuickNum(conn, query); sqlDisconnect(&conn); if (distinctIps > maxIps) { cgiVarSet("captcha", "1"); } } boolean isValidHgsidForEarlyBotCheck(char *raw_hgsid) /* We want to use the hgsid from the CGI parameters, but sometimes requests come in with bogus strings that * need to be ignored. We don't want to run this against the database just yet, but we can at least check