diff options
| author | Dylan William Hardison <dylan@hardison.net> | 2017-05-02 01:27:04 +0200 |
|---|---|---|
| committer | Dylan William Hardison <dylan@hardison.net> | 2017-05-02 01:27:22 +0200 |
| commit | e6423e215ca33695d93dcae2a9151b064052f145 (patch) | |
| tree | 2fe1563c40e77b053b373cf51d4c72f08d5901b1 /auth.cgi | |
| parent | dd4b9121d8b3703ac601d88ff5a7d2977ed3600c (diff) | |
| download | bugzilla-e6423e215ca33695d93dcae2a9151b064052f145.tar.gz bugzilla-e6423e215ca33695d93dcae2a9151b064052f145.tar.xz | |
Bug 1312735 - allow http auth delegation callbacks based on environmental variable
Diffstat (limited to 'auth.cgi')
| -rwxr-xr-x | auth.cgi | 8 |
1 files changed, 7 insertions, 1 deletions
@@ -43,8 +43,14 @@ ThrowUserError("auth_delegation_invalid_description") unless $description =~ /^[\w\s]{3,255}$/; my $callback_uri = URI->new($callback); + +my $legal_protocol + = $ENV{BUGZILLA_UNSAFE_AUTH_DELEGATION} + ? qr/^https?$/i # http or https + : qr/^https$/i; # https only + ThrowUserError('auth_delegation_illegal_protocol', { protocol => scalar $callback_uri->scheme }) - unless $callback_uri->scheme eq 'https'; + unless $callback_uri->scheme =~ $legal_protocol; my $callback_base = $callback_uri->clone; $callback_base->query(undef); |