diff options
| author | varunkasyap <varunkasyap@hotmail.com> | 2025-11-26 14:28:24 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2025-11-26 17:19:57 -0300 |
| commit | 0ae15bb52e17768839d057bc1ae3d72f2866458d (patch) | |
| tree | b35ffac38391749b414c405c330afba142e23920 /django | |
| parent | 31bc5c2d11e1d1cc728666d0785eea088b1dc1f2 (diff) | |
[5.2.x] Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.
Refs CVE-2025-64458.
The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.
Thanks Jacob Walls for report and review.
Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
Diffstat (limited to 'django')
| -rw-r--r-- | django/http/response.py | 10 | ||||
| -rw-r--r-- | django/utils/http.py | 1 |
2 files changed, 8 insertions, 3 deletions
diff --git a/django/http/response.py b/django/http/response.py index 9f4bd6af90..8b23a92517 100644 --- a/django/http/response.py +++ b/django/http/response.py @@ -22,7 +22,11 @@ from django.utils import timezone from django.utils.datastructures import CaseInsensitiveMapping from django.utils.encoding import iri_to_uri from django.utils.functional import cached_property -from django.utils.http import MAX_URL_LENGTH, content_disposition_header, http_date +from django.utils.http import ( + MAX_URL_REDIRECT_LENGTH, + content_disposition_header, + http_date, +) from django.utils.regex_helper import _lazy_re_compile _charset_from_content_type_re = _lazy_re_compile( @@ -631,9 +635,9 @@ class HttpResponseRedirectBase(HttpResponse): super().__init__(*args, **kwargs) self["Location"] = iri_to_uri(redirect_to) redirect_to_str = str(redirect_to) - if len(redirect_to_str) > MAX_URL_LENGTH: + if len(redirect_to_str) > MAX_URL_REDIRECT_LENGTH: raise DisallowedRedirect( - f"Unsafe redirect exceeding {MAX_URL_LENGTH} characters" + f"Unsafe redirect exceeding {MAX_URL_REDIRECT_LENGTH} characters" ) parsed = urlsplit(redirect_to_str) if preserve_request: diff --git a/django/utils/http.py b/django/utils/http.py index 65b8eb7990..3b25f33621 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -38,6 +38,7 @@ ASCTIME_DATE = _lazy_re_compile(r"^\w{3} %s %s %s %s$" % (__M, __D2, __T, __Y)) RFC3986_GENDELIMS = ":/?#[]@" RFC3986_SUBDELIMS = "!$&'()*+,;=" MAX_URL_LENGTH = 2048 +MAX_URL_REDIRECT_LENGTH = 16384 def urlencode(query, doseq=False): |