Bug 1254226: XSS through javascript: callback URLs in auth delegation
authorFrédéric Buclin <LpSolit@gmail.com>
Wed, 23 Mar 2016 09:27:37 +0000 (10:27 +0100)
committerFrédéric Buclin <LpSolit@gmail.com>
Wed, 23 Mar 2016 09:27:37 +0000 (10:27 +0100)
r=dylan

auth.cgi
template/en/default/global/user-error.html.tmpl

index b249571857e796ce48c55b98d41f0d20dbb075ee..3f459095358ca0749f58d22095a8727e6f2c801b 100755 (executable)
--- a/auth.cgi
+++ b/auth.cgi
@@ -40,6 +40,8 @@ trick_taint($callback);
 trick_taint($description);
 
 my $callback_uri  = URI->new($callback);
+$callback_uri->scheme =~ /^https?$/
+  or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $callback_uri->scheme });
 my $callback_base = $callback_uri->clone;
 $callback_base->query(undef);
 
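Review bot: A callback with no scheme at all (a scheme-relative `//evil.example/cb` or a path-only `/cb`) makes `$callback_uri->scheme` return undef on the added check, so the match fails and the request is rejected as intended, but under `use warnings` that logs an uninitialized-value warning and the error page receives `protocol => undef`, rendering an empty protocol name. Pull the scheme into a variable with a default and anchor the pattern: `my $scheme = $callback_uri->scheme || '';` / `$scheme =~ /\Ahttps?\z/` / `  or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $scheme });`. As far as I recall URI's `scheme` accessor lowercases the value, so a mixed-case `JavaScript:` is still caught; if the URI version Bugzilla pins does not guarantee that, add `/i` rather than rely on it. Note also that `trick_taint($callback)` on the context lines above clears taint before this validation runs, so this check is the only barrier between the raw parameter and later use, and the code that consumes `$callback_base` continues outside the hunk.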
index 998aed4fee405d9ff396f0ba988098fa7e62ab7f..8c0cc8b7ac80190bf2c7134ee548592814fad35b 100644 (file)
     This site does not have auth delegation enabled.
     Please contact an administrator if you require this functionality.
 
+  [% ELSIF error == "auth_delegation_illegal_protocol" %]
+    [% title = "Invalid Protocol" %]
+    The callback URI uses an illegal protocol: <em>[% protocol FILTER html %]</em>.
+    Only <em>http</em> and <em>https</em> are allowed.
+
   [% ELSIF error == "auth_delegation_missing_callback" %]
     [% title = "Auth delegation impossible without callback URI" %]
     It looks like auth delegation was attempted, but no callback URI was passed.