Bug 593170: Disallow urls like "show_bug.cgi?id=2323" (with no domain) in

the See Also field. r=timello, a=mkanat

Bug 593170: Disallow urls like "show_bug.cgi?id=2323" (with no domain) in
b7777aee · Max Kanat-Alexander · f5474782 · b7777aee · b7777aee
Commit b7777aee authored Sep 18, 2010 by Max Kanat-Alexander
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

Bug.pm Bugzilla/Bug.pm +9 -0

user-error.html.tmpl template/en/default/global/user-error.html.tmpl +2 -0

No files found.
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -2815,6 +2815,15 @@ sub add_see_also {
        ThrowUserError('bug_url_invalid', { url => $input, reason => 'http' });
    }

+    # This stops the following edge cases from being accepted:
+    # * show_bug.cgi?id=1
+    # * /show_bug.cgi?id=1
+    # * http:///show_bug.cgi?id=1
+    if (!$uri->authority or $uri->path !~ m{/}) {
+        ThrowUserError('bug_url_invalid',
+                       { url => $input, reason => 'path_only' });
+    }
+
    my $result;
    # Launchpad URLs
    if ($uri->authority =~ /launchpad.net$/) {

--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -245,6 +245,8 @@
    <code>[% url FILTER html %]</code> is not a valid URL to [% terms.abug %].
    [% IF reason == 'http' %]
      URLs must start with "http" or "https".
+    [% ELSIF reason == 'path_only' %]
+      You must specify a full URL.
    [% ELSIF reason == 'show_bug' %]
      [%+ field_descs.see_also %] URLs should point to one of:
      <ul>