From e6423e215ca33695d93dcae2a9151b064052f145 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison
Date: Mon, 1 May 2017 19:27:04 -0400
Subject: Bug 1312735 - allow http auth delegation callbacks based on environmental variable

---
 auth.cgi | 8 +++++++-
 heartbeat.cgi | 1 +
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/auth.cgi b/auth.cgi
index 00e6b94d6..adf5d3475 100755
--- a/auth.cgi
+++ b/auth.cgi
@@ -43,8 +43,14 @@ ThrowUserError("auth_delegation_invalid_description")
 unless $description =~ /^[\w\s]{3,255}$/;
 my $callback_uri = URI->new($callback);
+
+my $legal_protocol
+ = $ENV{BUGZILLA_UNSAFE_AUTH_DELEGATION}
+ ? qr/^https?$/i # http or https
+ : qr/^https$/i; # https only
+
 ThrowUserError('auth_delegation_illegal_protocol', { protocol => scalar $callback_uri->scheme })
- unless $callback_uri->scheme eq 'https';
+ unless $callback_uri->scheme =~ $legal_protocol;
 my $callback_base = $callback_uri->clone;
 $callback_base->query(undef);
diff --git a/heartbeat.cgi b/heartbeat.cgi
index 47f3d59a2..e26dfe6ba 100644
--- a/heartbeat.cgi
+++ b/heartbeat.cgi
@@ -29,6 +29,7 @@ my $ok = eval {
 die "database not available" unless $database_ok;
 die "memcached server(s) not available" unless $memcached_ok;
 die "mod_perl not configured?" unless $ENV{MOD_PERL};
+ die "BUGZILLA_UNSAFE_AUTH_DELEGATION" if $ENV{BUGZILLA_UNSAFE_AUTH_DELEGATION};
 1;
 };
 warn "heartbeat error: $@" if !$ok && $@;
-- 
cgit v1.2.3-24-g4f1b
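Review bot: The downgrade to cleartext `http` callbacks is gated only on the truthiness of `$ENV{BUGZILLA_UNSAFE_AUTH_DELEGATION}`, so any non-empty value other than `0` — including `"false"` or `"no"` — enables it, and the new `my $legal_protocol` block should say so: `# Any true value (anything but "" or "0") permits plain-http callbacks, which expose the delegated token in transit; intended for development only.` The two patterns could also anchor with `\A`/`\z` instead of `^`/`$`, since `$` tolerates a trailing newline, although `URI->scheme` is unlikely to return one. The `ThrowUserError("auth_delegation_invalid_description")` statement whose `unless` condition opens the hunk begins in the hunk header line, outside the hunk.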
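Review bot: The new `die` message is only the variable name, so an operator sees `heartbeat error: BUGZILLA_UNSAFE_AUTH_DELEGATION at heartbeat.cgi line N` without being told why the health check failed; a fuller message such as `die "BUGZILLA_UNSAFE_AUTH_DELEGATION is set: plain-http auth delegation callbacks are enabled" if $ENV{BUGZILLA_UNSAFE_AUTH_DELEGATION};` would make the failing heartbeat self-explanatory. This check only catches the unsafe mode if heartbeat.cgi and auth.cgi see the same environment; if the variable is set per-location or per-vhost in the web server configuration rather than process-wide, the heartbeat could stay green while auth.cgi still accepts http callbacks, which is worth stating in a comment next to the `die`. The `eval {` block this `die` belongs to opens in the hunk header line and closes with the `};` inside the hunk.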