Bug 593170: Disallow urls like "show_bug.cgi?id=2323" (with no domain) in

the See Also field.
r=timello, a=mkanat

diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index 0d7a5c98b3c5a831c4d627d80de193dc0505df57..93269d4806c1b59fcddedff544f21d6047f5614d 100644 (file)
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -2793,6 +2793,15 @@ sub add_see_also {
         ThrowUserError('bug_url_invalid', { url => $input, reason => 'http' });
     }
 
+    # This stops the following edge cases from being accepted:
+    # * show_bug.cgi?id=1
+    # * /show_bug.cgi?id=1
+    # * http:///show_bug.cgi?id=1
+    if (!$uri->authority or $uri->path !~ m{/}) {
+        ThrowUserError('bug_url_invalid',
+                       { url => $input, reason => 'path_only' });
+    }
+
     my $result;
     # Launchpad URLs
     if ($uri->authority =~ /launchpad.net$/) {

diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index fbefc91322de94483bebff6fd86c8186873995a9..b7179de1140e9466608b5af953a27e5bfb25697f 100644 (file)
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -250,6 +250,8 @@
     <code>[% url FILTER html %]</code> is not a valid URL to [% terms.abug %].
     [% IF reason == 'http' %]
       URLs must start with "http" or "https".
+    [% ELSIF reason == 'path_only' %]
+      You must specify a full URL.
     [% ELSIF reason == 'show_bug' %]
       [%+ field_descs.see_also %] URLs should point to one of:
       <ul>