[1.2.X] Altered the behavior of URLField to avoid a potential DOS vector, and to avoid potential leakage of local filesystem data. A security announcement will be made shortly.

freakboy3742 · freakboy3742 · commit 7268f8af8618 · 2011-09-10T01:28:50.000Z
Backport of r16760 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@16766 bcc190cf-cafb-0310-a4f2-bffc1f526a37
diff --git a/django/db/models/fields/__init__.py b/django/db/models/fields/__init__.py
@@ -1119,7 +1119,7 @@ def formfield(self, **kwargs):
 class URLField(CharField):
     description = _("URL")
 
-    def __init__(self, verbose_name=None, name=None, verify_exists=True, **kwargs):
+    def __init__(self, verbose_name=None, name=None, verify_exists=False, **kwargs):
         kwargs['max_length'] = kwargs.get('max_length', 200)
         CharField.__init__(self, verbose_name, name, **kwargs)
         self.validators.append(validators.URLValidator(verify_exists=verify_exists))
diff --git a/docs/ref/models/fields.txt b/docs/ref/models/fields.txt
@@ -814,7 +814,7 @@ shortcuts.
 ``URLField``
 ------------
 
-.. class:: URLField([verify_exists=True, max_length=200, **options])
+.. class:: URLField([verify_exists=False, max_length=200, **options])
 
 A :class:`CharField` for a URL. Has one extra optional argument:
 
@@ -827,6 +827,12 @@ A :class:`CharField` for a URL. Has one extra optional argument:
     validating a URL being served by the same server will hang. This should not
     be a problem for multithreaded servers.
 
+.. versionchanged:: 1.2
+
+    The default value of ``verify_exists`` has been changed to
+    ``False``. This argument should not be set to ``True`` because it
+    has security and performance problems.
+
 The admin represents this as an ``<input type="text">`` (a single-line input).
 
 Like all :class:`CharField` subclasses, :class:`URLField` takes the optional
diff --git a/tests/modeltests/validation/tests.py b/tests/modeltests/validation/tests.py
@@ -52,14 +52,6 @@ def test_wrong_url_value_raises_error(self):
         mtv = ModelToValidate(number=10, name='Some Name', url='not a url')
         self.assertFieldFailsValidationWithMessage(mtv.full_clean, 'url', [u'Enter a valid value.'])
 
-    def test_correct_url_but_nonexisting_gives_404(self):
-        mtv = ModelToValidate(number=10, name='Some Name', url='http://google.com/we-love-microsoft.html')
-        self.assertFieldFailsValidationWithMessage(mtv.full_clean, 'url', [u'This URL appears to be a broken link.'])
-
-    def test_correct_url_value_passes(self):
-        mtv = ModelToValidate(number=10, name='Some Name', url='http://www.djangoproject.com/')
-        self.assertEqual(None, mtv.full_clean()) # This will fail if there's no Internet connection
-
     def test_text_greater_that_charfields_max_length_eaises_erros(self):
         mtv = ModelToValidate(number=10, name='Some Name'*100)
         self.assertFailsValidation(mtv.full_clean, ['name',])
