diff options
| author | Dylan Hardison <dylan@mozilla.com> | 2016-03-22 14:25:16 +0100 |
|---|---|---|
| committer | Dylan Hardison <dylan@mozilla.com> | 2016-03-22 14:25:16 +0100 |
| commit | 0c94e1dd07b705ba000c008b08c8f5aa27731932 (patch) | |
| tree | 27d3080a25a493b56f3332e10b183ef1785c1d12 /auth.cgi | |
| parent | 3af55bfe0bd10a85b7cd69e26a19034a6d2e78f5 (diff) | |
| download | bugzilla-0c94e1dd07b705ba000c008b08c8f5aa27731932.tar.gz bugzilla-0c94e1dd07b705ba000c008b08c8f5aa27731932.tar.xz | |
Bug 1258547 - XSS through javascript: callback URLs in auth delegation
Diffstat (limited to 'auth.cgi')
| -rwxr-xr-x | auth.cgi | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -43,6 +43,8 @@ ThrowUserError("auth_delegation_invalid_description") unless $description =~ /^[\w\s]{3,255}$/; my $callback_uri = URI->new($callback); +$callback_uri->scheme =~ /^https?$/ + or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $callback_uri->scheme }); my $callback_base = $callback_uri->clone; $callback_base->query(undef); |