From: Frédéric Buclin Date: Wed, 23 Mar 2016 09:27:37 +0000 (+0100) Subject: Bug 1254226: XSS through javascript: callback URLs in auth delegation X-Git-Tag: release-5.1.1~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3368986490028be41351d4329fb4976df2eb75e1;p=thirdparty%2Fbugzilla.git Bug 1254226: XSS through javascript: callback URLs in auth delegation r=dylan --- diff --git a/auth.cgi b/auth.cgi index b249571857..3f45909535 100755 --- a/auth.cgi +++ b/auth.cgi @@ -40,6 +40,8 @@ trick_taint($callback); trick_taint($description); my $callback_uri = URI->new($callback); +$callback_uri->scheme =~ /^https?$/ + or ThrowUserError('auth_delegation_illegal_protocol', { protocol => $callback_uri->scheme }); my $callback_base = $callback_uri->clone; $callback_base->query(undef); diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index 998aed4fee..8c0cc8b7ac 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -122,6 +122,11 @@ This site does not have auth delegation enabled. Please contact an administrator if you require this functionality. + [% ELSIF error == "auth_delegation_illegal_protocol" %] + [% title = "Invalid Protocol" %] + The callback URI uses an illegal protocol: [% protocol FILTER html %]. + Only http and https are allowed. + [% ELSIF error == "auth_delegation_missing_callback" %] [% title = "Auth delegation impossible without callback URI" %] It looks like auth delegation was attempted, but no callback URI was passed.
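Review bot: In the auth.cgi hunk, `$callback_uri->scheme` returns undef when the callback is a relative reference (for example `//example.invalid/cb` or `/cb`), so `$callback_uri->scheme =~ /^https?$/` warns about an uninitialized value and then fails the match, which is the right outcome but reports an empty `protocol` in the error. Guarding the match with a defined check, e.g. `my $scheme = $callback_uri->scheme; defined $scheme && $scheme =~ /^https?$/ or ThrowUserError(...)`, keeps the rejection while avoiding the warning and lets the error carry an explicit "(none)" instead of undef. Case is not a concern here, since URI's `scheme` accessor returns the scheme lowercased, so `JavaScript:` and `javascript:` are both rejected by this check.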
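Review bot: In the user-error.html.tmpl hunk, the `auth_delegation_illegal_protocol` message renders as "uses an illegal protocol: ." when `protocol` is empty (the relative-URI case from auth.cgi), which reads as if the value were lost. An `[% IF protocol %]` branch that prints "(none)" for the empty case, keeping `FILTER html` on the non-empty path, would make the message self-explanatory; the rest of the block (title, html filter on the user-controlled scheme, allowed-scheme sentence) matches the style of the neighbouring `auth_delegation_missing_callback` entry.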