325cbfe133124a17017edda28f0789217e86c61f max Wed Jun 10 06:17:25 2026 -0700 just a few comments diff --git src/hg/lib/cart.c src/hg/lib/cart.c index dfefd94fd91..813b1b50043 100644 --- src/hg/lib/cart.c +++ src/hg/lib/cart.c @@ -1548,31 +1548,31 @@ exit(0); } static boolean isUserAgentException() /* return true if HTTP user-agent is in list of exceptions in hg.conf */ { return botExceptionUserAgent(); } void forceUserIdOrCaptcha(struct cart* cart, char *userId, boolean userIdFound, boolean fromCommandLine) /* print captcha if user did not sent a valid hguid cookie or a valid * cloudflare token. Allow certain IPs and user-agents. */ { static boolean captchaCheckDone = FALSE; -// No need to do this again. Can happen if cartNew() is called somewhere else in a CGI +// No need to do this again in a CGI run. Can happen if cartNew() is called somewhere else in a CGI a second time if (captchaCheckDone) return; captchaCheckDone = TRUE; if (fromCommandLine || isEmpty(cfgOption(CLOUDFLARESITEKEY))) return; // no captcha for our own QA scripts running on a server with our IP address if (botException()) return; // certain user agents are allowed to use the website without a captcha if (isUserAgentException()) return; @@ -1678,31 +1678,32 @@ boolean userIdFound = FALSE, sessionIdFound = FALSE; AllocVar(cart); cart->hash = newHash(12); cart->exclude = newHash(7); cart->userId = userId; cart->sessionId = sessionId; cart->userInfo = loadDb(conn, userDbTable(), userId, &userIdFound); cart->sessionInfo = loadDb(conn, sessionDbTable(), sessionId, &sessionIdFound); boolean fromCli = cgiWasSpoofed(); // QA runs our CGIs from the command line and we debug from there forceUserIdOrCaptcha(cart, userId, userIdFound, fromCli); -// we rely on the cookie being validated, so if we reset a cookie, do this after the captcha +// we rely on the cookie being validated later, so if user requested to reset the cookie settings +// load the settings after the captcha has been checked if ( cgiOptionalString("ignoreCookie") != NULL ) cart->userInfo = loadDb(conn, userDbTable(), NULL, &userIdFound); if (sessionIdFound) cartParseOverHash(cart, cart->sessionInfo->contents); else if (userIdFound) cartParseOverHash(cart, cart->userInfo->contents); else { char *defaultCartContents = getDefaultCart(conn); cartParseOverHash(cart, defaultCartContents); } char when[1024]; safef(when, sizeof(when), "open %s %s", userId, sessionId); cartTrace(cart, when, conn);