[1.2.X] Altered the behavior of URLField to avoid a potential DOS vector, and to avoid potential leakage of local filesystem data. A security announcement will be made shortly.
Backport of r16760 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@16766 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent
ac7c3a110f
commit
7268f8af86
|
@ -1119,7 +1119,7 @@ class TimeField(Field):
|
||||||
class URLField(CharField):
|
class URLField(CharField):
|
||||||
description = _("URL")
|
description = _("URL")
|
||||||
|
|
||||||
def __init__(self, verbose_name=None, name=None, verify_exists=True, **kwargs):
|
def __init__(self, verbose_name=None, name=None, verify_exists=False, **kwargs):
|
||||||
kwargs['max_length'] = kwargs.get('max_length', 200)
|
kwargs['max_length'] = kwargs.get('max_length', 200)
|
||||||
CharField.__init__(self, verbose_name, name, **kwargs)
|
CharField.__init__(self, verbose_name, name, **kwargs)
|
||||||
self.validators.append(validators.URLValidator(verify_exists=verify_exists))
|
self.validators.append(validators.URLValidator(verify_exists=verify_exists))
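Review bot: Changing the default in the `__init__` signature leaves the opt-in path as it was: `verify_exists=verify_exists` is still forwarded to `validators.URLValidator`, so any model that passes `verify_exists=True` explicitly keeps making a server-side request to a user-supplied URL during validation. Whether the validator itself was hardened is not visible in this hunk, so I would record the risk at the point of use with a comment above the `append` line, e.g. `# verify_exists=True makes validation fetch the submitted URL from this server; keep it False for untrusted input.` A test asserting that a default `URLField()` accepts a well-formed URL without any network access would pin the new default, since the only tests touching this behaviour on the page are the two removed further down. The class body may continue past the end of this hunk.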
|
||||||
|
|
|
@ -814,7 +814,7 @@ shortcuts.
|
||||||
``URLField``
|
``URLField``
|
||||||
------------
|
------------
|
||||||
|
|
||||||
.. class:: URLField([verify_exists=True, max_length=200, **options])
|
.. class:: URLField([verify_exists=False, max_length=200, **options])
|
||||||
|
|
||||||
A :class:`CharField` for a URL. Has one extra optional argument:
|
A :class:`CharField` for a URL. Has one extra optional argument:
|
||||||
|
|
||||||
|
@ -827,6 +827,12 @@ A :class:`CharField` for a URL. Has one extra optional argument:
|
||||||
validating a URL being served by the same server will hang. This should not
|
validating a URL being served by the same server will hang. This should not
|
||||||
be a problem for multithreaded servers.
|
be a problem for multithreaded servers.
|
||||||
|
|
||||||
|
.. versionchanged:: 1.2
|
||||||
|
|
||||||
|
The default value of ``verify_exists`` has been changed to
|
||||||
|
``False``. This argument should not be set to ``True`` because it
|
||||||
|
has security and performance problems.
|
||||||
|
|
||||||
The admin represents this as an ``<input type="text">`` (a single-line input).
|
The admin represents this as an ``<input type="text">`` (a single-line input).
|
||||||
|
|
||||||
Like all :class:`CharField` subclasses, :class:`URLField` takes the optional
|
Like all :class:`CharField` subclasses, :class:`URLField` takes the optional
|
||||||
|
|
|
@ -52,14 +52,6 @@ class BaseModelValidationTests(ValidationTestCase):
|
||||||
mtv = ModelToValidate(number=10, name='Some Name', url='not a url')
|
mtv = ModelToValidate(number=10, name='Some Name', url='not a url')
|
||||||
self.assertFieldFailsValidationWithMessage(mtv.full_clean, 'url', [u'Enter a valid value.'])
|
self.assertFieldFailsValidationWithMessage(mtv.full_clean, 'url', [u'Enter a valid value.'])
|
||||||
|
|
||||||
def test_correct_url_but_nonexisting_gives_404(self):
|
|
||||||
mtv = ModelToValidate(number=10, name='Some Name', url='http://google.com/we-love-microsoft.html')
|
|
||||||
self.assertFieldFailsValidationWithMessage(mtv.full_clean, 'url', [u'This URL appears to be a broken link.'])
|
|
||||||
|
|
||||||
def test_correct_url_value_passes(self):
|
|
||||||
mtv = ModelToValidate(number=10, name='Some Name', url='http://www.djangoproject.com/')
|
|
||||||
self.assertEqual(None, mtv.full_clean()) # This will fail if there's no Internet connection
|
|
||||||
|
|
||||||
def test_text_greater_that_charfields_max_length_eaises_erros(self):
|
def test_text_greater_that_charfields_max_length_eaises_erros(self):
|
||||||
mtv = ModelToValidate(number=10, name='Some Name'*100)
|
mtv = ModelToValidate(number=10, name='Some Name'*100)
|
||||||
self.assertFailsValidation(mtv.full_clean, ['name',])
|
self.assertFailsValidation(mtv.full_clean, ['name',])
|
||||||
|
|