From 7268f8af86186518821d775c530d5558fd726930 Mon Sep 17 00:00:00 2001
From: Russell Keith-Magee
Date: Sat, 10 Sep 2011 01:28:50 +0000
Subject: [PATCH] [1.2.X] Altered the behavior of URLField to avoid a potential DOS vector, and to avoid potential leakage of local filesystem data.
A security announcement will be made shortly.
Backport of r16760 from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@16766 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/db/models/fields/__init__.py | 2 +-
 docs/ref/models/fields.txt | 8 +++++++-
 tests/modeltests/validation/tests.py | 8 --------
 3 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/django/db/models/fields/__init__.py b/django/db/models/fields/__init__.py
index fd0a295483..ddb228ac11 100644
--- a/django/db/models/fields/__init__.py
+++ b/django/db/models/fields/__init__.py
@@ -1119,7 +1119,7 @@ class TimeField(Field):
 class URLField(CharField):
 description = _("URL")
- def __init__(self, verbose_name=None, name=None, verify_exists=True, **kwargs):
+ def __init__(self, verbose_name=None, name=None, verify_exists=False, **kwargs):
 kwargs['max_length'] = kwargs.get('max_length', 200)
 CharField.__init__(self, verbose_name, name, **kwargs)
 self.validators.append(validators.URLValidator(verify_exists=verify_exists))
diff --git a/docs/ref/models/fields.txt b/docs/ref/models/fields.txt
index 4b03dc58c7..a24d5eeb17 100644
--- a/docs/ref/models/fields.txt
+++ b/docs/ref/models/fields.txt
@@ -814,7 +814,7 @@ shortcuts.
 ``URLField``
 ------------
-.. class:: URLField([verify_exists=True, max_length=200, **options])
+.. class:: URLField([verify_exists=False, max_length=200, **options])
 A :class:`CharField` for a URL. Has one extra optional argument:
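Review bot: Changing the default leaves the dangerous path intact — the last line of the hunk still appends `validators.URLValidator(verify_exists=verify_exists)`, so any model that passes `verify_exists=True` keeps the DoS and local-file-read exposure the commit message describes, with nothing to warn its author. Since the docs now say the argument should not be set to `True`, the constructor should make the opt-in loud, e.g. `if verify_exists: warnings.warn("URLField(verify_exists=True) is insecure and will be removed", DeprecationWarning)` placed before the `append`, with `import warnings` added to the module's import block (which is outside this hunk). The fetch itself presumably lives in `URLValidator`, which this patch does not touch; if it accepts non-HTTP schemes such as `file://`, rejecting anything but `http`/`https` before fetching is the real fix for the filesystem leak and is worth a follow-up. Any further methods of URLField are outside the hunk.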
@@ -827,6 +827,12 @@ A :class:`CharField` for a URL. Has one extra optional argument:
 validating a URL being served by the same server will hang. This should not be a problem for multithreaded servers.
+.. versionchanged:: 1.2
+ The default value of ``verify_exists`` has been changed to
+ ``False``. This argument should not be set to ``True`` because it
+ has security and performance problems.
+
 The admin represents this as an ```` (a single-line input).
 Like all :class:`CharField` subclasses, :class:`URLField` takes the optional
diff --git a/tests/modeltests/validation/tests.py b/tests/modeltests/validation/tests.py
index 00273931c7..6a6660e100 100644
--- a/tests/modeltests/validation/tests.py
+++ b/tests/modeltests/validation/tests.py
@@ -52,14 +52,6 @@ class BaseModelValidationTests(ValidationTestCase):
 mtv = ModelToValidate(number=10, name='Some Name', url='not a url')
 self.assertFieldFailsValidationWithMessage(mtv.full_clean, 'url', [u'Enter a valid value.'])
- def test_correct_url_but_nonexisting_gives_404(self):
- mtv = ModelToValidate(number=10, name='Some Name', url='http://google.com/we-love-microsoft.html')
- self.assertFieldFailsValidationWithMessage(mtv.full_clean, 'url', [u'This URL appears to be a broken link.'])
-
- def test_correct_url_value_passes(self):
- mtv = ModelToValidate(number=10, name='Some Name', url='http://www.djangoproject.com/')
- self.assertEqual(None, mtv.full_clean()) # This will fail if there's no Internet connection
-
 def test_text_greater_that_charfields_max_length_eaises_erros(self):
 mtv = ModelToValidate(number=10, name='Some Name'*100)
 self.assertFailsValidation(mtv.full_clean, ['name',])