Bug 1258547 - XSS through javascript: callback URLs in auth delegation
authorDylan Hardison <dylan@mozilla.com>
Tue, 22 Mar 2016 13:25:16 +0000 (09:25 -0400)
committerDylan Hardison <dylan@mozilla.com>
Tue, 22 Mar 2016 13:25:16 +0000 (09:25 -0400)
auth.cgi
template/en/default/global/user-error.html.tmpl

index 49edd6abe46257256537fb971c3aa44f08edcd39..050280f5f49c15d494bbc5d075620c63e0bfbdb1 100755 (executable)
--- a/auth.cgi
+++ b/auth.cgi
@@ -43,6 +43,8 @@ ThrowUserError("auth_delegation_invalid_description")
   unless $description =~ /^[\w\s]{3,255}$/;
 
 my $callback_uri  = URI->new($callback);
+$callback_uri->scheme =~ /^https?$/
+  or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $callback_uri->scheme });
 my $callback_base = $callback_uri->clone;
 $callback_base->query(undef);
 
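Review bot: The new check `$callback_uri->scheme =~ /^https?$/` runs against undef when the callback carries no scheme (a relative or scheme-relative URI such as `//host/path`): under `use warnings` that emits an uninitialized-value warning, and the throw then passes `protocol => undef`, so the new branch in user-error.html.tmpl renders an empty `<em></em>` instead of naming what was rejected. Normalising the scheme first avoids both, e.g. `my $scheme = $callback_uri->scheme // '';` followed by `$scheme =~ /\A https? \z/xms or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $scheme });` (`//` needs Perl 5.10+, which I believe Bugzilla already requires; `defined $scheme && ...` works otherwise). Using `\A`/`\z` rather than `^`/`$` also rules out a trailing newline satisfying the match, although URI's scheme parsing should never yield one. URI's `scheme` accessor returns the value lowercased, so the case-sensitive pattern is correct, but adding `/i` would make it explicit that the check does not depend on that behaviour.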
index bf7455ad99d30634c8d42759608914242fa37be2..9cd1cc02f012cb4145b359db40e908f4e0e8fdd5 100644 (file)
     This site does not have auth delegation enabled.
     Please contact an administrator if you require this functionality.
 
+  [% ELSIF error == "auth_delegation_illegal_protocol" %]
+    [% title = "Invalid Protocol" %]
+    The callback URI uses an illegal protocol: <em>[% protocol FILTER html %]</em>.
+    Only <em>http</em> and <em>https</em> are allowed.
+
   [% ELSIF error == "auth_delegation_missing_callback" %]
     [% title = "Auth delegation impossible without callback URI" %]
     It looks like auth delegation was attempted, but no callback URI was passed.