diff --git a/zerver/tests.py b/zerver/tests.py
index ce5607dac5..f2aa5f2191 100644
--- a/zerver/tests.py
+++ b/zerver/tests.py
@@ -1479,6 +1479,21 @@ class SubscriptionRestApiTest(AuthedTestCase):
 check_for_error([{'bogus': 'foo'}], 'name key is missing from add[0]')
 check_for_error([{'name': {}}], 'add[0]["name"] is not a string')
 
+ def test_bad_principals(self):
+ email = 'hamlet@zulip.com'
+ self.login(email)
+
+ request = {
+ 'add': ujson.dumps([{'name': 'my_new_stream'}]),
+ 'principals': ujson.dumps([{}]),
+ }
+ result = self.client_patch(
+ "/api/v1/users/me/subscriptions",
+ request,
+ **self.api_auth(email)
+ )
+ self.assert_json_error(result, 'principals[0] is not a string')
+
 def test_bad_delete_parameters(self):
 email = 'hamlet@zulip.com'
 self.login(email)
diff --git a/zerver/views/__init__.py b/zerver/views/__init__.py
index 54ff2de2ed..3e7a673c26 100644
--- a/zerver/views/__init__.py
+++ b/zerver/views/__init__.py
@@ -1641,6 +1641,11 @@ def add_subscriptions_backend(request, user_profile,
 principals = REQ(converter=json_to_list, default=None),
 authorization_errors_fatal = REQ(converter=json_to_bool, default=True)):
 
+ if principals is not None:
+ error = check_list(check_string)('principals', principals)
+ if error:
+ return json_error(error)
+
 stream_names = []
 for stream in streams_raw:
 if not isinstance(stream, dict):
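Review bot: test_bad_principals only exercises a bad element at index 0 (`[{}]`), so it would still pass if validation stopped after the first entry. A second request with a valid first entry and a bad later one, e.g. `'principals': ujson.dumps(['hamlet@zulip.com', {}])`, would pin per-element checking; the expected message would presumably name index 1, inferred from the index-0 case. Because the guard is meant to reject the request before any work is done, it is also worth asserting that the stream named in `add` was not created. A one-line docstring such as `"""Non-string entries in principals are rejected with a JSON error."""` would state what the test protects.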
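Review bot: The new guard in add_subscriptions_backend establishes only that `principals` is a list of strings: an empty list, empty strings and very long lists all pass. Whatever resolves these values to users further down, outside the hunk, therefore still has to treat them as untrusted. A short comment above the check would record the intent, e.g. `# principals is client-supplied JSON; reject anything but a list of strings before it is used`. The visible context below still validates `streams_raw` with hand-written `isinstance` checks, so the function now mixes two validation styles; using the same `check_*` helpers for both would keep the error messages consistent. The function body continues outside the hunk.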