diff --git a/CHANGELOG b/CHANGELOG
index 0878c03207ba3a7da94ab3edff416ebbaf44e869..f69f7471a547bd525b00783ea15fe17de70e8ff9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 Please view this file on the master branch, on stable branches it's out of date.
 
 v 7.10.0 (unreleased)
+  - Fix project import URL regex to prevent arbitary local repos from being imported.
   - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
   - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
   - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
diff --git a/app/models/project.rb b/app/models/project.rb
index 79572f255db19ecab87fafeb22dc85ad982cffda..d7712e64579f696a4d266e2b8222bc047176832e 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -137,7 +137,7 @@ class Project < ActiveRecord::Base
   validates_uniqueness_of :name, scope: :namespace_id
   validates_uniqueness_of :path, scope: :namespace_id
   validates :import_url,
-    format: { with: URI::regexp(%w(ssh git http https)), message: 'should be a valid url' },
+    format: { with: /\A#{URI.regexp(%w(ssh git http https))}\z/, message: 'should be a valid url' },
     if: :import?
   validates :star_count, numericality: { greater_than_or_equal_to: 0 }
   validate :check_limit, on: :create