[1.2.X] Altered the behavior of URLField to avoid a potential DOS vector, and to avoid potential leakage of local filesystem data. A security announcement will be made shortly.

Backport of r16760 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@16766 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 7268f8af86186518821d775c530d5558fd726930 1 parent ac7c3a1
Russell Keith-Magee freakboy3742 authored
2  django/db/models/fields/__init__.py
@@ -1119,7 +1119,7 @@ def formfield(self, **kwargs):
1119 1119 class URLField(CharField):
1120 1120 description = _("URL")
1121 1121
1122   - def __init__(self, verbose_name=None, name=None, verify_exists=True, **kwargs):
  1122 + def __init__(self, verbose_name=None, name=None, verify_exists=False, **kwargs):
1123 1123 kwargs['max_length'] = kwargs.get('max_length', 200)
1124 1124 CharField.__init__(self, verbose_name, name, **kwargs)
1125 1125 self.validators.append(validators.URLValidator(verify_exists=verify_exists))
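Review bot: In `__init__` at new line 1122 only the default changes; an explicit `verify_exists=True` is still handed unchanged to `validators.URLValidator(verify_exists=verify_exists)` on line 1125, so any model that already passes it keeps the existence check that the commit message describes as a potential DOS vector and a potential leak of local filesystem data. Consider emitting a deprecation warning when the argument is true, so those call sites are found rather than silently left as they are.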
8 docs/ref/models/fields.txt
@@ -814,7 +814,7 @@ shortcuts.
814 814 ``URLField``
815 815 ------------
816 816
817   -.. class:: URLField([verify_exists=True, max_length=200, **options])
  817 +.. class:: URLField([verify_exists=False, max_length=200, **options])
818 818
819 819 A :class:`CharField` for a URL. Has one extra optional argument:
820 820
@@ -827,6 +827,12 @@ A :class:`CharField` for a URL. Has one extra optional argument:
827 827 validating a URL being served by the same server will hang. This should not
828 828 be a problem for multithreaded servers.
829 829
  830 +.. versionchanged:: 1.2
  831 +
  832 + The default value of ``verify_exists`` has been changed to
  833 + ``False``. This argument should not be set to ``True`` because it
  834 + has security and performance problems.
  835 +
830 836 The admin represents this as an ``<input type="text">`` (a single-line input).
831 837
832 838 Like all :class:`CharField` subclasses, :class:`URLField` takes the optional
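Review bot: The `.. versionchanged:: 1.2` directive at new line 830 is too coarse for a change that lands on the 1.2.X maintenance branch: installations on an earlier 1.2 release still default to `True`, and the note would tell them otherwise. Name the point release that carries the change. The added text also says only "security and performance problems"; stating them as the commit message does (potential DOS vector, potential leakage of local filesystem data) would tell readers why `True` should be avoided. The unchanged sentence just above, "This should not be a problem for multithreaded servers", now reads as reassurance next to the warning and could be reworded.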
8 tests/modeltests/validation/tests.py
@@ -52,14 +52,6 @@ def test_wrong_url_value_raises_error(self):
52 52 mtv = ModelToValidate(number=10, name='Some Name', url='not a url')
53 53 self.assertFieldFailsValidationWithMessage(mtv.full_clean, 'url', [u'Enter a valid value.'])
54 54
55   - def test_correct_url_but_nonexisting_gives_404(self):
56   - mtv = ModelToValidate(number=10, name='Some Name', url='http://google.com/we-love-microsoft.html')
57   - self.assertFieldFailsValidationWithMessage(mtv.full_clean, 'url', [u'This URL appears to be a broken link.'])
58   -
59   - def test_correct_url_value_passes(self):
60   - mtv = ModelToValidate(number=10, name='Some Name', url='http://www.djangoproject.com/')
61   - self.assertEqual(None, mtv.full_clean()) # This will fail if there's no Internet connection
62   -
63 55 def test_text_greater_that_charfields_max_length_eaises_erros(self):
64 56 mtv = ModelToValidate(number=10, name='Some Name'*100)
65 57 self.assertFailsValidation(mtv.full_clean, ['name',])
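Review bot: Both tests removed at old lines 55-61 depended on the existence check, but nothing replaces them, so the new `verify_exists=False` default is left untested. If `ModelToValidate.url` relies on the field default (its definition is not in this hunk), `test_correct_url_value_passes` no longer needs an Internet connection and could stay as a regression test that a well-formed URL validates without any outbound request; only `test_correct_url_but_nonexisting_gives_404` has to go.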
