a3cc0ea56291f64c876d1d422d432e0234638059 jcasper Fri Jun 12 11:34:25 2026 -0700 Suppressing stack dump for bad returnto url in hgLogin, refs #37699 diff --git src/hg/hgLogin/hgLogin.c src/hg/hgLogin/hgLogin.c index 3c29b15f158..ba1ec79f035 100644 --- src/hg/hgLogin/hgLogin.c +++ src/hg/hgLogin/hgLogin.c @@ -18,30 +18,31 @@ #include "cart.h" #include "hPrint.h" #include "hdb.h" #include "hui.h" #include "web.h" #include "ra.h" #include "hgColors.h" #include "net.h" #include "wikiLink.h" #include "hgLogin.h" #include "gbMembers.h" #include "versionInfo.h" #include "mailViaPipe.h" #include "dystring.h" #include "autoUpgrade.h" +#include "hCommon.h" #define EMAILSEP ";" /* ---- Global variables. ---- */ char msg[4096] = ""; char *incorrectUsernameOrPassword="The username or password you entered is incorrect."; char *incorrectUsername="The username you entered is incorrect."; /* The excludeVars are not saved to the cart. */ char *excludeVars[] = { "submit", "Submit", "debug", "fixMembers", "update", "hgLogin_password", "hgLogin_password2", "hgLogin_newPassword1", "hgLogin_newPassword2", NULL }; struct cart *cart; /* This holds cgi and other variables between clicks. */ char *database; /* Name of genome database - hg15, mm3, or the like. */ struct hash *oldCart; /* Old cart hash. */ char *errMsg = NULL; /* Error message to show user when form data rejected */ 
@@ -332,30 +333,31 @@ char *getReturnToURL() /* get URL from cart var returnto; if empty, make URL to hgSession on login host. */ { char *returnURL = cartUsualString(cart, "returnto", ""); char returnTo[2048]; if (!returnURL || sameString(returnURL,"")) safef(returnTo, sizeof(returnTo), "%shgSession?hgS_doMainPage=1", hLoginHostCgiBinUrl()); else if (cfgOptionDefault(CFG_APPROVED_HOSTS, NULL)) { if (isValidReturnUrl(returnURL)) safecpy(returnTo, sizeof(returnTo), returnURL); else { + hDumpStackDisallow(); errAbort("Error: Invalid returnto URL. Please send email to genome-www@soe.ucsc.edu " "with the returnto argument from the URL (or just the full URL) so we can " "fix this."); } } else safecpy(returnTo, sizeof(returnTo), returnURL); return cloneString(returnTo); } void returnToURL(int delay) /* delay for delay mill-seconds then return to the "returnto" URL */ { char *returnURL = getReturnToURL(); jsInlineF(
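Review bot: The `hDumpStackDisallow()` added before `errAbort` covers only the failed `isValidReturnUrl` branch, while both `safecpy(returnTo, sizeof(returnTo), returnURL)` calls in `getReturnToURL` still copy the cart-supplied `returnto` into the 2048-byte buffer; if `safecpy` aborts on overflow (its definition is not in this hunk), an over-long value would still end in a stack dump. A length guard ahead of the copies, e.g. `if (strlen(returnURL) >= sizeof(returnTo)) { hDumpStackDisallow(); errAbort("Error: returnto URL is too long."); }`, would send that case down the same quiet path. The new call also deserves a comment such as `/* bad returnto is user input, not a program fault: no stack dump */`, since `hDumpStackDisallow()` presumably changes process-wide state. Separately, the final `else` in the context lines still accepts `returnURL` unvalidated when `CFG_APPROVED_HOSTS` is unset, which this commit leaves as is, so redirect safety there depends on that option being configured. `returnToURL` continues past the end of the hunk, so how the returned URL is emitted cannot be checked from here.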