diff options
| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-10-16 16:28:33 -0400 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2025-11-05 09:52:56 -0300 |
| commit | 770eea38d7a0e9ba9455140b5a9a9e33618226a7 (patch) | |
| tree | ad731e4465db6a4ee3f88c609612ce0aa473ea9a | |
| parent | 80976bd89e9e1fdfb98c4d902ca4dc59bd3d1d46 (diff) | |
[4.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
| -rw-r--r-- | django/http/response.py | 9 | ||||
| -rw-r--r-- | django/utils/html.py | 3 | ||||
| -rw-r--r-- | django/utils/http.py | 1 | ||||
| -rw-r--r-- | docs/releases/4.2.26.txt | 10 | ||||
| -rw-r--r-- | tests/httpwrappers/tests.py | 2 |
5 files changed, 20 insertions, 5 deletions
diff --git a/django/http/response.py b/django/http/response.py index ea3114170e..763fd2a8ac 100644 --- a/django/http/response.py +++ b/django/http/response.py @@ -21,7 +21,7 @@ from django.http.cookie import SimpleCookie from django.utils import timezone from django.utils.datastructures import CaseInsensitiveMapping from django.utils.encoding import iri_to_uri -from django.utils.http import content_disposition_header, http_date +from django.utils.http import MAX_URL_LENGTH, content_disposition_header, http_date from django.utils.regex_helper import _lazy_re_compile _charset_from_content_type_re = _lazy_re_compile( @@ -614,7 +614,12 @@ class HttpResponseRedirectBase(HttpResponse): def __init__(self, redirect_to, *args, **kwargs): super().__init__(*args, **kwargs) self["Location"] = iri_to_uri(redirect_to) - parsed = urlparse(str(redirect_to)) + redirect_to_str = str(redirect_to) + if len(redirect_to_str) > MAX_URL_LENGTH: + raise DisallowedRedirect( + f"Unsafe redirect exceeding {MAX_URL_LENGTH} characters" + ) + parsed = urlparse(redirect_to_str) if parsed.scheme and parsed.scheme not in self.allowed_schemes: raise DisallowedRedirect( "Unsafe redirect to URL with protocol '%s'" % parsed.scheme diff --git a/django/utils/html.py b/django/utils/html.py index 84c37d1186..11ffd53eb5 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -9,12 +9,11 @@ from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsp from django.core.exceptions import SuspiciousOperation from django.utils.encoding import punycode from django.utils.functional import Promise, cached_property, keep_lazy, keep_lazy_text -from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS +from django.utils.http import MAX_URL_LENGTH, RFC3986_GENDELIMS, RFC3986_SUBDELIMS from django.utils.regex_helper import _lazy_re_compile from django.utils.safestring import SafeData, SafeString, mark_safe from django.utils.text import normalize_newlines -MAX_URL_LENGTH = 2048 MAX_STRIP_TAGS_DEPTH = 50 # HTML tag that opens but has no closing ">" after 1k+ chars. diff --git a/django/utils/http.py b/django/utils/http.py index 94ad60bdbc..244ff7e866 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -47,6 +47,7 @@ ASCTIME_DATE = _lazy_re_compile(r"^\w{3} %s %s %s %s$" % (__M, __D2, __T, __Y)) RFC3986_GENDELIMS = ":/?#[]@" RFC3986_SUBDELIMS = "!$&'()*+,;=" +MAX_URL_LENGTH = 2048 # TODO: Remove when dropping support for PY38. # Unsafe bytes to be removed per WHATWG spec. diff --git a/docs/releases/4.2.26.txt b/docs/releases/4.2.26.txt index e0db257c04..ae274c3361 100644 --- a/docs/releases/4.2.26.txt +++ b/docs/releases/4.2.26.txt @@ -7,4 +7,12 @@ Django 4.2.26 release notes Django 4.2.26 fixes one security issue with severity "high" and one security issue with severity "moderate" in 4.2.25. -... +CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows +====================================================================================================================================== + +Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on +Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`, +:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut +:func:`redirect() <django.shortcuts.redirect>` were subject to a potential +denial-of-service attack via certain inputs with a very large number of Unicode +characters (follow up to :cve:`2025-27556`). diff --git a/tests/httpwrappers/tests.py b/tests/httpwrappers/tests.py index fa2c8fd5d2..b20d9a1ca1 100644 --- a/tests/httpwrappers/tests.py +++ b/tests/httpwrappers/tests.py @@ -24,6 +24,7 @@ from django.http import ( ) from django.test import SimpleTestCase from django.utils.functional import lazystr +from django.utils.http import MAX_URL_LENGTH class QueryDictTests(SimpleTestCase): @@ -490,6 +491,7 @@ class HttpResponseTests(SimpleTestCase): 'data:text/html,<script>window.alert("xss")</script>', "mailto:test@example.com", "file:///etc/passwd", + "é" * (MAX_URL_LENGTH + 1), ] for url in bad_urls: with self.assertRaises(DisallowedRedirect): |