Author: russellm
Date: 2011-09-09 18:28:50 -0700 (Fri, 09 Sep 2011)
New Revision: 16766

Modified:
   django/branches/releases/1.2.X/django/db/models/fields/__init__.py
   django/branches/releases/1.2.X/docs/ref/models/fields.txt
   django/branches/releases/1.2.X/tests/modeltests/validation/tests.py
Log:
[1.2.X] Altered the behavior of URLField to avoid a potential DOS vector, and 
to avoid potential leakage of local filesystem data. A security announcement 
will be made shortly.

Backport of r16760 from trunk.

Modified: django/branches/releases/1.2.X/django/db/models/fields/__init__.py
===================================================================
--- django/branches/releases/1.2.X/django/db/models/fields/__init__.py  
2011-09-10 01:28:40 UTC (rev 16765)
+++ django/branches/releases/1.2.X/django/db/models/fields/__init__.py  
2011-09-10 01:28:50 UTC (rev 16766)
@@ -1119,7 +1119,7 @@
 class URLField(CharField):
     description = _("URL")
 
-    def __init__(self, verbose_name=None, name=None, verify_exists=True, 
**kwargs):
+    def __init__(self, verbose_name=None, name=None, verify_exists=False, 
**kwargs):
         kwargs['max_length'] = kwargs.get('max_length', 200)
         CharField.__init__(self, verbose_name, name, **kwargs)
         
self.validators.append(validators.URLValidator(verify_exists=verify_exists))
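Review bot: Changing the default on the `__init__` line is the whole fix, so any model that passes `verify_exists=True` explicitly still gets the network-fetching `URLValidator` appended on the last line of the hunk, with nothing in the code signalling that this is the path the log message describes as a DoS and local-filesystem-disclosure vector. The companion docs hunk tells users the argument "should not be set to `True`", but the source keeps that contract silent; a why-comment on the validator line would carry it into the code: `# verify_exists=True makes URLValidator fetch the URL during validation; see the security note in docs/ref/models/fields.txt`. Beyond the comment, a runtime signal for callers who still opt in would cost no behaviour change, e.g. `if verify_exists: warnings.warn("URLField(verify_exists=True) fetches the URL during validation; see the security notes", RuntimeWarning)` placed before the append, assuming `warnings` is importable in this module (it is not visible in the hunk). The `URLField` class body continues past the end of the hunk.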

Modified: django/branches/releases/1.2.X/docs/ref/models/fields.txt
===================================================================
--- django/branches/releases/1.2.X/docs/ref/models/fields.txt   2011-09-10 
01:28:40 UTC (rev 16765)
+++ django/branches/releases/1.2.X/docs/ref/models/fields.txt   2011-09-10 
01:28:50 UTC (rev 16766)
@@ -814,7 +814,7 @@
 ``URLField``
 ------------
 
-.. class:: URLField([verify_exists=True, max_length=200, **options])
+.. class:: URLField([verify_exists=False, max_length=200, **options])
 
 A :class:`CharField` for a URL. Has one extra optional argument:
 
@@ -827,6 +827,12 @@
     validating a URL being served by the same server will hang. This should not
     be a problem for multithreaded servers.
 
+.. versionchanged:: 1.2
+
+    The default value of ``verify_exists`` has been changed to
+    ``False``. This argument should not be set to ``True`` because it
+    has security and performance problems.
+
 The admin represents this as an ``<input type="text">`` (a single-line input).
 
 Like all :class:`CharField` subclasses, :class:`URLField` takes the optional

Modified: django/branches/releases/1.2.X/tests/modeltests/validation/tests.py
===================================================================
--- django/branches/releases/1.2.X/tests/modeltests/validation/tests.py 
2011-09-10 01:28:40 UTC (rev 16765)
+++ django/branches/releases/1.2.X/tests/modeltests/validation/tests.py 
2011-09-10 01:28:50 UTC (rev 16766)
@@ -52,14 +52,6 @@
         mtv = ModelToValidate(number=10, name='Some Name', url='not a url')
         self.assertFieldFailsValidationWithMessage(mtv.full_clean, 'url', 
[u'Enter a valid value.'])
 
-    def test_correct_url_but_nonexisting_gives_404(self):
-        mtv = ModelToValidate(number=10, name='Some Name', 
url='http://google.com/we-love-microsoft.html')
-        self.assertFieldFailsValidationWithMessage(mtv.full_clean, 'url', 
[u'This URL appears to be a broken link.'])
-
-    def test_correct_url_value_passes(self):
-        mtv = ModelToValidate(number=10, name='Some Name', 
url='http://www.djangoproject.com/')
-        self.assertEqual(None, mtv.full_clean()) # This will fail if there's 
no Internet connection
-
     def test_text_greater_that_charfields_max_length_eaises_erros(self):
         mtv = ModelToValidate(number=10, name='Some Name'*100)
         self.assertFailsValidation(mtv.full_clean, ['name',])
