From: Max Kanat-Alexander Date: Sat, 18 Sep 2010 23:48:36 +0000 (-0700) Subject: Bug 593170: Disallow urls like "show_bug.cgi?id=2323" (with no domain) in X-Git-Tag: bugzilla-4.0rc1~64 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ffd84a9cfa09128a1f31cb74625ddb6bd9e03932;p=thirdparty%2Fbugzilla.git Bug 593170: Disallow urls like "show_bug.cgi?id=2323" (with no domain) in the See Also field. r=timello, a=mkanat --- diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 0d7a5c98b3..93269d4806 100644 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -2793,6 +2793,15 @@ sub add_see_also { ThrowUserError('bug_url_invalid', { url => $input, reason => 'http' }); } + # This stops the following edge cases from being accepted: + # * show_bug.cgi?id=1 + # * /show_bug.cgi?id=1 + # * http:///show_bug.cgi?id=1 + if (!$uri->authority or $uri->path !~ m{/}) { + ThrowUserError('bug_url_invalid', + { url => $input, reason => 'path_only' }); + } + my $result; # Launchpad URLs if ($uri->authority =~ /launchpad.net$/) { diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index fbefc91322..b7179de114 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -250,6 +250,8 @@ [% url FILTER html %] is not a valid URL to [% terms.abug %]. [% IF reason == 'http' %] URLs must start with "http" or "https". + [% ELSIF reason == 'path_only' %] + You must specify a full URL. [% ELSIF reason == 'show_bug' %] [%+ field_descs.see_also %] URLs should point to one of:
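Review bot: In the Bugzilla/Bug.pm hunk, the new `!$uri->authority` test only checks that the authority string is non-empty and true, so an authority made up of just userinfo or a port (no host) still passes, while a literal authority of "0" is rejected because Perl treats that string as false. Consider testing the host component instead, for example `!defined $uri->host or $uri->host eq ''`, and keeping the path test as it is. The three edge cases listed in the comment would also be worth covering in a test, since none accompanies this diff.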
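Review bot: In the user-error.html.tmpl hunk, the `path_only` text "You must specify a full URL." is also what a user sees when the URL has a domain but an empty path, because the Bug.pm check raises the same reason whenever `$uri->path !~ m{/}`. Consider wording that names what is missing, such as stating that the URL needs both a host name and a path, so the message fits both conditions that trigger it.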