1 files changed, 23 insertions, 4 deletions

diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index e231f93b0..4168cac19 100755
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -501,10 +501,29 @@ sub EmitDependList {
 }
 
 sub ValidateTime {
-  my ($time, $field) = @_;
-  if ($time > 99999.99 || $time < 0 || !($time =~ /^(?:\d+(?:\.\d*)?|\.\d+)$/)) {
-    ThrowUserError("need_positive_number", {field => "$field"}, "abort");
-  }
+    my ($time, $field) = @_;
+
+    # regexp verifies one or more digits, optionally followed by a period and
+    # zero or more digits, OR we have a period followed by one or more digits
+    # (allow negatives, though, so people can back out errors in time reporting)
+    if ($time !~ /^-?(?:\d+(?:\.\d*)?|\.\d+)$/) {
+        ThrowUserError("number_not_numeric",
+                       {field => "$field", num => "$time"},
+                       "abort");
+    }
+
+    # Only the "work_time" field is allowed to contain a negative value.
+    if ( ($time < 0) && ($field ne "work_time") ) {
+        ThrowUserError("number_too_small",
+                       {field => "$field", num => "$time", min_num => "0"},
+                       "abort");
+    }
+
+    if ($time > 99999.99) {
+        ThrowUserError("number_too_large",
+                       {field => "$field", num => "$time", max_num => "99999.99"},
+                       "abort");
+    }
 }
 
 sub GetComments {