[4.2.x] Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.

Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for report and review.

Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.

3 files changed, 23 insertions, 5 deletions

diff --git a/django/http/response.py b/django/http/response.py
index 763fd2a8ac..28b8fa6d36 100644
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -21,7 +21,11 @@ from django.http.cookie import SimpleCookie
 from django.utils import timezone
 from django.utils.datastructures import CaseInsensitiveMapping
 from django.utils.encoding import iri_to_uri
-from django.utils.http import MAX_URL_LENGTH, content_disposition_header, http_date
+from django.utils.http import (
+    MAX_URL_REDIRECT_LENGTH,
+    content_disposition_header,
+    http_date,
+)
 from django.utils.regex_helper import _lazy_re_compile
 
 _charset_from_content_type_re = _lazy_re_compile(
@@ -615,9 +619,9 @@ class HttpResponseRedirectBase(HttpResponse):
         super().__init__(*args, **kwargs)
         self["Location"] = iri_to_uri(redirect_to)
         redirect_to_str = str(redirect_to)
-        if len(redirect_to_str) > MAX_URL_LENGTH:
+        if len(redirect_to_str) > MAX_URL_REDIRECT_LENGTH:
             raise DisallowedRedirect(
-                f"Unsafe redirect exceeding {MAX_URL_LENGTH} characters"
+                f"Unsafe redirect exceeding {MAX_URL_REDIRECT_LENGTH} characters"
             )
         parsed = urlparse(redirect_to_str)
         if parsed.scheme and parsed.scheme not in self.allowed_schemes:
diff --git a/django/utils/http.py b/django/utils/http.py
index 244ff7e866..0804937f38 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -48,6 +48,7 @@ ASCTIME_DATE = _lazy_re_compile(r"^\w{3} %s %s %s %s$" % (__M, __D2, __T, __Y))
 RFC3986_GENDELIMS = ":/?#[]@"
 RFC3986_SUBDELIMS = "!$&'()*+,;="
 MAX_URL_LENGTH = 2048
+MAX_URL_REDIRECT_LENGTH = 16384
 
 # TODO: Remove when dropping support for PY38.
 # Unsafe bytes to be removed per WHATWG spec.
diff --git a/tests/httpwrappers/tests.py b/tests/httpwrappers/tests.py
index b20d9a1ca1..3af20f9309 100644
--- a/tests/httpwrappers/tests.py
+++ b/tests/httpwrappers/tests.py
@@ -24,7 +24,7 @@ from django.http import (
 )
 from django.test import SimpleTestCase
 from django.utils.functional import lazystr
-from django.utils.http import MAX_URL_LENGTH
+from django.utils.http import MAX_URL_REDIRECT_LENGTH
 
 
 class QueryDictTests(SimpleTestCase):
@@ -486,12 +486,25 @@ class HttpResponseTests(SimpleTestCase):
         r.writelines(["foo\n", "bar\n", "baz\n"])
         self.assertEqual(r.content, b"foo\nbar\nbaz\n")
 
+    def test_redirect_url_max_length(self):
+        base_url = "https://example.com/"
+        for length in (
+            MAX_URL_REDIRECT_LENGTH - 1,
+            MAX_URL_REDIRECT_LENGTH,
+        ):
+            long_url = base_url + "x" * (length - len(base_url))
+            with self.subTest(length=length):
+                response = HttpResponseRedirect(long_url)
+                self.assertEqual(response.url, long_url)
+                response = HttpResponsePermanentRedirect(long_url)
+                self.assertEqual(response.url, long_url)
+
     def test_unsafe_redirect(self):
         bad_urls = [
             'data:text/html,<script>window.alert("xss")</script>',
             "mailto:test@example.com",
             "file:///etc/passwd",
-            "é" * (MAX_URL_LENGTH + 1),
+            "é" * (MAX_URL_REDIRECT_LENGTH + 1),
         ]
         for url in bad_urls:
             with self.assertRaises(DisallowedRedirect):