django.git/django/utils/http.py, branch 4.2.30

django.git/django/utils/http.py, branch 4.2.30 django http://cgit.adnoto.dev/django.git/atom?h=4.2.30 2025-11-26T20:31:17Z [4.2.x] Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase. 2025-11-26T20:31:17Z varunkasyap varunkasyap@hotmail.com 2025-11-26T17:28:24Z urn:sha1:e6973490373dca340e36f2db3eae1eb26a6a2d80 Refs CVE-2025-64458. The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase. Thanks Jacob Walls for report and review. Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main. [4.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows. 2025-11-05T12:52:56Z Jacob Walls jacobtylerwalls@gmail.com 2025-10-16T20:28:33Z urn:sha1:770eea38d7a0e9ba9455140b5a9a9e33618226a7 Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main. [4.2.x] Refs CVE-2024-11168 -- Updated vendored _urlsplit() to properly validate IPv6 and IPvFuture addresses. 2024-12-03T08:50:11Z Mariusz Felisiak felisiak.mariusz@gmail.com 2024-12-01T11:31:12Z urn:sha1:f663277a4c22ef96cbdebfd0ed76155b9d37b4f8 Refs Python CVE-2024-11168. Django should not affected, but others who incorrectly use internal function _urlsplit() with unsanitized input could be at risk. https://github.com/python/cpython/pull/103849 Fixed #34194 -- Added django.utils.http.content_disposition_header(). 2022-12-05T12:08:00Z Alex Vandiver alex@chmrr.net 2022-11-30T20:09:49Z urn:sha1:cbce427c17b66faec7ced0639346dc6905a498f9 Updated documentation and comments for RFC updates. 2022-11-10T12:52:17Z Nick Pope nick@nickpope.me.uk 2022-11-04T12:33:09Z urn:sha1:9bd174b9a75299dce33e673a559f2b673399b971 - Updated references to RFC 1123 to RFC 5322 - Only partial as RFC 5322 sort of sub-references RFC 1123. - Updated references to RFC 2388 to RFC 7578 - Except RFC 2388 Section 5.3 which has no equivalent. - Updated references to RFC 2396 to RFC 3986 - Updated references to RFC 2616 to RFC 9110 - Updated references to RFC 3066 to RFC 5646 - Updated references to RFC 7230 to RFC 9112 - Updated references to RFC 7231 to RFC 9110 - Updated references to RFC 7232 to RFC 9110 - Updated references to RFC 7234 to RFC 9111 - Tidied up style of text when referring to RFC documents Updated vendored _urlsplit() to strip newline and tabs. 2022-07-01T06:48:38Z Michael Manfre mike@manfre.net 2022-06-30T00:39:51Z urn:sha1:03eec9ff6cc78e7c1bcf88bb76ecd11f0d433c72 Refs Python CVE-2022-0391. Django is not affected, but others who incorrectly use internal function url_has_allowed_host_and_scheme() with unsanitized input could be at risk. Refs #33697 -- Used django.utils.http.parse_header_parameters() for parsing boundary streams. 2022-06-28T07:42:47Z Mehrdad mhrddmoradii@gmail.com 2022-06-24T18:46:34Z urn:sha1:d4d5427571b4bf3a21c902276c2a00215c2a37cc This also removes unused parse_header() and _parse_header_params() helpers in django.http.multipartparser. Refs #33173 -- Removed use of deprecated cgi module. 2022-05-11T12:06:31Z Carlton Gibson carlton.gibson@noumenal.es 2022-05-10T10:12:17Z urn:sha1:34e2148fc725e7200050f74130d7523e3cd8507a https://peps.python.org/pep-0594/#cgi Refs #33476 -- Reformatted code with Black. 2022-02-07T19:37:05Z django-bot ops@djangoproject.com 2022-02-03T19:24:19Z urn:sha1:9c19aff7c7561e3a82978a272ecdaad40dda5c00 Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate. 2022-01-07T11:25:06Z Ad Timmering awtimmering@gmail.com 2021-11-26T01:44:54Z urn:sha1:bdf3e156b4b47d45b8e37823164b598afc533ce0