-rwxr-xr-xauth.cgi2
-rw-r--r--template/en/default/global/user-error.html.tmpl5
2 files changed, 7 insertions, 0 deletions
diff --git a/auth.cgi b/auth.cgi
index 49edd6abe..050280f5f 100755
--- a/auth.cgi
+++ b/auth.cgi
@@ -43,6 +43,8 @@ ThrowUserError("auth_delegation_invalid_description")
unless $description =~ /^[\w\s]{3,255}$/;
my $callback_uri = URI->new($callback);
+$callback_uri->scheme =~ /^https?$/
+ or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $callback_uri->scheme });
my $callback_base = $callback_uri->clone;
$callback_base->query(undef);
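Review bot: The new check on the `$callback_uri->scheme` line assumes a scheme is present; for a scheme-less callback (a relative or otherwise malformed URI) `scheme` returns undef, so the match emits a "Use of uninitialized value in pattern match" warning before correctly rejecting it, and the template hunk below then renders the protocol as an empty `<em></em>`. Capturing it once with a defined-or default covers both: `my $scheme = $callback_uri->scheme // '';` followed by `$scheme =~ /\A https? \z/xms or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $scheme });`. Using `\A`/`\z` rather than `^`/`$` also avoids the trailing-newline leniency of `$` that the `$description` check two lines above still has. The validation is inline in the top-level script, so there is no enclosing function cut by the hunk.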
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index bf7455ad9..9cd1cc02f 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -134,6 +134,11 @@
This site does not have auth delegation enabled.
Please contact an administrator if you require this functionality.
+ [% ELSIF error == "auth_delegation_illegal_protocol" %]
+ [% title = "Invalid Protocol" %]
+ The callback URI uses an illegal protocol: <em>[% protocol FILTER html %]</em>.
+ Only <em>http</em> and <em>https</em> are allowed.
+
[% ELSIF error == "auth_delegation_missing_callback" %]
[% title = "Auth delegation impossible without callback URI" %]
It looks like auth delegation was attempted, but no callback URI was passed.