1 files changed, 2 insertions, 0 deletions

diff --git a/auth.cgi b/auth.cgi
index 49edd6abe..050280f5f 100755
--- a/auth.cgi
+++ b/auth.cgi
@@ -43,6 +43,8 @@ ThrowUserError("auth_delegation_invalid_description")
   unless $description =~ /^[\w\s]{3,255}$/;
 
 my $callback_uri  = URI->new($callback);
+$callback_uri->scheme =~ /^https?$/
+  or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $callback_uri->scheme });
 my $callback_base = $callback_uri->clone;
 $callback_base->query(undef);