[1.3.X] Altered the behavior of URLField to avoid a potential DOS vector, and to avoid potential leakage of local filesystem data. A security announcement will be made shortly.

Backport of r16760 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16763 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-24 14:16:09 +00:00 · 2011-09-10 01:08:24 +00:00
parent fbe2eead2f
commit 1a76dbefdf
10 changed files with 87 additions and 57 deletions
--- a/docs/ref/models/fields.txt
+++ b/docs/ref/models/fields.txt
@@ -831,14 +831,21 @@ shortcuts.
 ``URLField``
 ------------

-.. class:: URLField([verify_exists=True, max_length=200, **options])
+.. class:: URLField([verify_exists=False, max_length=200, **options])

 A :class:`CharField` for a URL. Has one extra optional argument:

+.. deprecated:: 1.3.1
+
+   ``verify_exists`` is deprecated for security reasons as of 1.3.1
+   and will be removed in 1.4. Prior to 1.3.1, the default value was
+   ``True``.
+
 .. attribute:: URLField.verify_exists

-    If ``True`` (the default), the URL given will be checked for existence
-    (i.e., the URL actually loads and doesn't give a 404 response).
+    If ``True``, the URL given will be checked for existence (i.e.,
+    the URL actually loads and doesn't give a 404 response) using a
+    ``HEAD`` request. Redirects are allowed, but will not be followed.

    Note that when you're using the single-threaded development server,
    validating a URL being served by the same server will hang. This should not