| author | Frédéric Buclin <LpSolit@gmail.com> | 2016-03-23 10:27:37 +0100 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2016-03-23 10:27:37 +0100 |
| commit | 3368986490028be41351d4329fb4976df2eb75e1 (patch) | |
| tree | 9b13b716d039c25ef1c5bb79de5db88a3cfa0c06 | /auth.cgi |
| parent | c7e80318e56b540caf778c11b79bac9e1bb03e68 (diff) | |
| download | bugzilla-3368986490028be41351d4329fb4976df2eb75e1.tar.gz | bugzilla-3368986490028be41351d4329fb4976df2eb75e1.tar.xz |
Bug 1254226: XSS through javascript: callback URLs in auth delegation
r=dylan
Diffstat (limited to 'auth.cgi')
-rwxr-xr-x | auth.cgi | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -40,6 +40,8 @@ trick_taint($callback); trick_taint($description); my $callback_uri = URI->new($callback); +$callback_uri->scheme =~ /^https?$/ + or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $callback_uri->scheme }); my $callback_base = $callback_uri->clone; $callback_base->query(undef); |
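Review bot: the added scheme check runs `$callback_uri->scheme =~ /^https?$/` directly, but `URI->scheme` returns undef for a relative or scheme-less callback (for example `//evil.example/cb` or `/path`), so the match is evaluated against undef. The callback is still rejected, which is the right outcome, but under `use warnings` it emits an uninitialized-value warning and `ThrowUserError` receives `protocol => undef`, so the user-facing message will show an empty protocol. Suggest normalizing first, e.g. `my $scheme = $callback_uri->scheme || '';` and then `$scheme =~ /^https?$/ or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $scheme });`, which keeps the same allow-list semantics while giving a clean error for the no-scheme case. Separately, the new `auth_delegation_illegal_protocol` error key needs a matching entry in the user-error template; the diffstat here is limited to `auth.cgi`, so confirm that template change is part of the same commit, otherwise the rejection path will itself fail with an unknown-error.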