From 0c94e1dd07b705ba000c008b08c8f5aa27731932 Mon Sep 17 00:00:00 2001
From: Dylan Hardison
Date: Tue, 22 Mar 2016 09:25:16 -0400
Subject: Bug 1258547 - XSS through javascript: callback URLs in auth delegation

---
 auth.cgi | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'auth.cgi')

diff --git a/auth.cgi b/auth.cgi
index 49edd6abe..050280f5f 100755
--- a/auth.cgi
+++ b/auth.cgi
@@ -43,6 +43,8 @@ ThrowUserError("auth_delegation_invalid_description")
     unless $description =~ /^[\w\s]{3,255}$/;
 my $callback_uri = URI->new($callback);
+$callback_uri->scheme =~ /^https?$/
+    or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $callback_uri->scheme });
 my $callback_base = $callback_uri->clone;
 $callback_base->query(undef);
-- 
cgit v1.2.3-24-g4f1b
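Review bot: A callback with no scheme at all (a protocol-relative `//host/path`, or a bare path) makes `$callback_uri->scheme` return undef per the URI.pm documentation, so the added match evaluates `undef =~ /^https?$/`, which emits an uninitialized-value warning if the file runs under `use warnings` and hands an undef `protocol` to the error template; the request is still rejected, which is the correct outcome, but the diagnostics are noisy and the scheme is fetched twice. I would capture it once with a defined fallback and use string-end anchors, `my $callback_scheme = $callback_uri->scheme || '';` / `$callback_scheme =~ /\A(?:https?)\z/` / `or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $callback_scheme });`. As far as I can tell from URI.pm's contract the scheme accessor normalises to lowercase, so a mixed-case `JavaScript:` prefix is already caught by the regex as written — worth a one-line comment such as `# URI->scheme is lowercased, so this also rejects JAVASCRIPT:/Data: variants` so a later maintainer does not add a redundant /i. The statements before and after this hunk are top-level script code whose surrounding context is outside the hunk, so I cannot confirm where `$callback` is first echoed into a response relative to this check.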