I have already implemented it. It is the same upload page, just with the textbox instead of the <input type=file>.
Still sounds like a separate page (for the user) instead of a simple radio button. Why?
This isn't really a security feature, as an Evil User (tm) can still upload any file (s)he wants.
People can *already* upload any file they want (subject to size restrictions). I wasn't addressing that problem because it is not a problem of "upload via URL". I was trying to address the security issues that come from the user's ability to cause the server to perform any GET request to any server. But now that I think about it more, I haven't actually solved that issue at all: the necessity to retrieve the "token file" would still grant the user that ability... so scratch it all :)
So, to solve my original problem, I'd have to find a Commons admin, and write on his/her talk page to please upload the files I stored at (URL), maybe give the file description/license there or insert it myself once it's up.
(You can actually place that information on the Image page even before it's up.)
Timwi