From b7777aee805f87b50d37977d2ce497d32cf32864 Mon Sep 17 00:00:00 2001
From: Max Kanat-Alexander
Date: Sat, 18 Sep 2010 16:47:01 -0700
Subject: Bug 593170: Disallow urls like "show_bug.cgi?id=2323" (with no domain) in the See Also field. r=timello, a=mkanat
---
Bugzilla/Bug.pm | 9 +++++++++
1 file changed, 9 insertions(+)
(limited to 'Bugzilla/Bug.pm')
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index db9f2438d..a8f6651e0 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -2815,6 +2815,15 @@ sub add_see_also {
 ThrowUserError('bug_url_invalid', { url => $input, reason => 'http' });
 }
+ # This stops the following edge cases from being accepted:
+ # * show_bug.cgi?id=1
+ # * /show_bug.cgi?id=1
+ # * http:///show_bug.cgi?id=1
+ if (!$uri->authority or $uri->path !~ m{/}) {
+ ThrowUserError('bug_url_invalid',
+ { url => $input, reason => 'path_only' });
+ }
+
 my $result;
 # Launchpad URLs
 if ($uri->authority =~ /launchpad.net$/) {
--
cgit v1.2.3-24-g4f1b
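Review bot: The added guard reports `reason => 'path_only'` for both of its conditions, but `$uri->path !~ m{/}` also fires for a URL that has a host and an empty path, which is the opposite of a path-only URL; either split the test so each failure gets its own reason, or extend the comment to list that case. The guard also only proves that some authority is present, and the context line right after it classifies the site with `/launchpad.net$/`, which is unanchored on the left and leaves the dot unescaped, so any authority that merely ends in a string resembling the Launchpad domain is treated as Launchpad. Assuming the scheme check above leaves only http/https URIs, matching the host rather than the raw authority, e.g. `if ($uri->host =~ /(?:^|\.)launchpad\.net$/) {`, would tie the site check to the actual domain and ignore any userinfo or port. The body of add_see_also starts and ends outside this hunk, so what the Launchpad branch validates afterwards is not visible here.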