8ada9901deb92361b234d654e108bdaa9399eb45 max Wed May 21 13:37:30 2025 -0700 trying to lock out bots that make hgsids, no redmine diff --git src/hg/lib/cart.c src/hg/lib/cart.c index bc291260264..8c629cc249a 100644 --- src/hg/lib/cart.c +++ src/hg/lib/cart.c @@ -643,30 +643,40 @@ char **row = NULL; char *userName = wikiLinkUserName(); char *encSessionName = cgiEncodeFull(sessionName); char *encSessionOwner = cgiEncodeFull(sessionOwner); char query[512]; if (isEmpty(sessionOwner)) errAbort("Please go back and enter a wiki user name for this session."); if (isEmpty(sessionName)) errAbort("Please go back and enter a session name to load."); sqlSafef(query, sizeof(query), "SELECT shared, contents FROM %s " "WHERE userName = '%s' AND sessionName = '%s';", namedSessionTable, encSessionOwner, encSessionName); sr = sqlGetResult(conn, query); + +if (sqlCountRows(sr)==0 && cfgOption("namedSessionAlt")) + { + sqlFreeResult(&sr); + sqlSafef(query, sizeof(query), "SELECT shared, contents FROM %s " + "WHERE userName = '%s' AND sessionName = '%s';", + cfgOption("namedSessionAlt"), encSessionOwner, encSessionName); + sr = sqlGetResult(conn, query); + } + if ((row = sqlNextRow(sr)) != NULL) { boolean shared = atoi(row[0]); if (shared || (userName && sameString(sessionOwner, userName))) { char *sessionVar = cartSessionVarName(); char *hgsid = cartSessionId(cart); char *sessionTableString = cartOptionalString(cart, hgSessionTableState); sessionTableString = cloneString(sessionTableString); char *pubSessionsTableString = cartOptionalString(cart, hgPublicSessionsTableState); pubSessionsTableString = cloneString(pubSessionsTableString); struct sqlConnection *conn2 = hConnectCentral(); sessionTouchLastUse(conn2, encSessionOwner, encSessionName); if (!merge) 
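Review bot: The fallback at `if (sqlCountRows(sr)==0 && cfgOption("namedSessionAlt"))` may never trigger if sqlGetResult hands back a streaming (use-result) handle, because mysql_num_rows is only reliable on such a handle after every row has been fetched; if that is how jksql's sqlGetResult behaves, the check should be done on a sqlStoreResult handle, or the alternate query should be issued when the first sqlNextRow on the primary result returns NULL. The option is also read twice; hoisting it into `char *altTable = cfgOption("namedSessionAlt");` before the first query avoids the double lookup and makes it visible that the alternate table name comes from the server configuration, not from the request. The function whose body this hunk changes starts and ends outside the hunk, so whether the later sessionTouchLastUse call still targets the primary table when the alternate one served the session cannot be checked here.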
@@ -1460,30 +1470,37 @@ struct sqlConnection *conn = cartDefaultConnector(); char *ex; boolean userIdFound = FALSE, sessionIdFound = FALSE; AllocVar(cart); cart->hash = newHash(12); cart->exclude = newHash(7); cart->userId = userId; cart->sessionId = sessionId; cart->userInfo = loadDb(conn, userDbTable(), userId, &userIdFound); cart->sessionInfo = loadDb(conn, sessionDbTable(), sessionId, &sessionIdFound); if (sessionIdFound && !userIdFound && !cgiWasSpoofed() && cfgOptionBooleanDefault("noCookieTrace", FALSE)) fprintf(stderr, "HGSID_WITHOUT_COOKIE\n"); +if (sessionId && !sessionIdFound && (!userId || !userIdFound) && cfgOptionBooleanDefault("punishInvalidHgsid", FALSE)) + { + fprintf(stderr, "HGSID_WAIT hgsid but no cookies: 10 seconds penalty"); + sleep(10); + } + + if (sessionIdFound) cartParseOverHash(cart, cart->sessionInfo->contents); else if (userIdFound) cartParseOverHash(cart, cart->userInfo->contents); else { char *defaultCartContents = getDefaultCart(conn); cartParseOverHash(cart, defaultCartContents); } char when[1024]; safef(when, sizeof(when), "open %s %s", userId, sessionId); cartTrace(cart, when, conn); loadCgiOverHash(cart, oldVars); 
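Review bot: The `sleep(10)` penalty keeps the process, presumably its web-server slot, and the `conn` opened by cartDefaultConnector() busy for ten seconds per request carrying an unknown hgsid and no cookie, so the measure meant to slow bots also multiplies the server-side cost of each such request, and the log line at `fprintf(stderr, "HGSID_WAIT hgsid but no cookies: 10 seconds penalty")` lacks the trailing `\n` that the HGSID_WITHOUT_COOKIE line above has, so it will run into the next stderr entry. Prefer logging and returning a fast error (or deferring to a front-end rate limit) over sleeping while a database connection is held, and at minimum write `fprintf(stderr, "HGSID_WAIT hgsid but no cookies: 10 seconds penalty\n");`. The condition also matches a legitimate user following a bookmarked link whose hgsid has since expired before any cookie is set, which a comment should acknowledge: `// penalize requests with an unknown hgsid and no usable cookie; also hits users with expired bookmarked hgsids`. Whether `<unistd.h>` is already included for sleep() cannot be seen here, and the enclosing function starts and ends outside the hunk.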
@@ -2541,35 +2558,34 @@ } } struct cart *cartAndCookieWithHtml(char *cookieName, char **exclude, struct hash *oldVars, boolean doContentType) /* Load cart from cookie and session cgi variable. Write cookie * and optionally content-type part HTTP preamble to web page. Don't * write any HTML though. */ { // Note: early abort works fine but early warn does not htmlPushEarlyHandlers(); struct cart *cart = cartForSession(cookieName, exclude, oldVars); popWarnHandler(); popAbortHandler(); -cartWriteCookie(cart, cookieName); - if (doContentType && !cartDidContentType) { addHttpHeaders(); + cartWriteCookie(cart, cookieName); puts("Content-Type:text/html"); puts("\n"); cartDidContentType = TRUE; } return cart; } struct cart *cartAndCookie(char *cookieName, char **exclude, struct hash *oldVars) /* Load cart from cookie and session cgi variable. Write cookie and * content-type part HTTP preamble to web page. Don't write any HTML though. */ { return cartAndCookieWithHtml(cookieName, exclude, oldVars, TRUE); }
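Review bot: Moving `cartWriteCookie(cart, cookieName);` inside `if (doContentType && !cartDidContentType)` means a caller that passes doContentType=FALSE, or one that calls after the preamble was already written, no longer gets a Set-Cookie header from this function, while the header comment still promises to "Write cookie and optionally content-type". If that is intended, the comment should say so, e.g. `/* Load cart from cookie and session cgi variable. When doContentType is set and the HTTP preamble has not been written yet, write the cookie and content-type; otherwise write nothing, the caller emits its own headers. Don't write any HTML though. */`; if it is not, every caller of cartAndCookieWithHtml that passes FALSE needs checking, which cannot be done from this hunk. The cartAndCookie wrapper below is unaffected since it always passes TRUE.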