diff options
| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-10-16 16:28:33 -0400 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2025-11-05 09:32:59 -0300 |
| commit | 4f5d904b63751dea9ffc3b0e046404a7fa5881ac (patch) | |
| tree | 181957879d992b28083160f3bd454bdd03222219 | |
| parent | cbdf128cb316bccf9ca3b3b4966e57bd050bfc8a (diff) | |
[5.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Follow-up to CVE-2025-27556 and 39e2297210d9d2938c75fc911d45f0e863dc4821.
Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
| -rw-r--r-- | django/http/response.py | 9 | ||||
| -rw-r--r-- | docs/releases/4.2.26.txt | 10 | ||||
| -rw-r--r-- | docs/releases/5.1.14.txt | 10 | ||||
| -rw-r--r-- | docs/releases/5.2.8.txt | 10 | ||||
| -rw-r--r-- | tests/httpwrappers/tests.py | 2 |
5 files changed, 37 insertions, 4 deletions
diff --git a/django/http/response.py b/django/http/response.py index 4a0ea67013..9f4bd6af90 100644 --- a/django/http/response.py +++ b/django/http/response.py @@ -22,7 +22,7 @@ from django.utils import timezone from django.utils.datastructures import CaseInsensitiveMapping from django.utils.encoding import iri_to_uri from django.utils.functional import cached_property -from django.utils.http import content_disposition_header, http_date +from django.utils.http import MAX_URL_LENGTH, content_disposition_header, http_date from django.utils.regex_helper import _lazy_re_compile _charset_from_content_type_re = _lazy_re_compile( @@ -630,7 +630,12 @@ class HttpResponseRedirectBase(HttpResponse): def __init__(self, redirect_to, preserve_request=False, *args, **kwargs): super().__init__(*args, **kwargs) self["Location"] = iri_to_uri(redirect_to) - parsed = urlsplit(str(redirect_to)) + redirect_to_str = str(redirect_to) + if len(redirect_to_str) > MAX_URL_LENGTH: + raise DisallowedRedirect( + f"Unsafe redirect exceeding {MAX_URL_LENGTH} characters" + ) + parsed = urlsplit(redirect_to_str) if preserve_request: self.status_code = self.status_code_preserve_request if parsed.scheme and parsed.scheme not in self.allowed_schemes: diff --git a/docs/releases/4.2.26.txt b/docs/releases/4.2.26.txt index e0db257c04..ae274c3361 100644 --- a/docs/releases/4.2.26.txt +++ b/docs/releases/4.2.26.txt @@ -7,4 +7,12 @@ Django 4.2.26 release notes Django 4.2.26 fixes one security issue with severity "high" and one security issue with severity "moderate" in 4.2.25. -... +CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows +====================================================================================================================================== + +Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on +Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`, +:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut +:func:`redirect() <django.shortcuts.redirect>` were subject to a potential +denial-of-service attack via certain inputs with a very large number of Unicode +characters (follow up to :cve:`2025-27556`). diff --git a/docs/releases/5.1.14.txt b/docs/releases/5.1.14.txt index 79a7a260e3..8dba96e487 100644 --- a/docs/releases/5.1.14.txt +++ b/docs/releases/5.1.14.txt @@ -7,4 +7,12 @@ Django 5.1.14 release notes Django 5.1.14 fixes one security issue with severity "high" and one security issue with severity "moderate" in 5.1.13. -... +CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows +====================================================================================================================================== + +Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on +Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`, +:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut +:func:`redirect() <django.shortcuts.redirect>` were subject to a potential +denial-of-service attack via certain inputs with a very large number of Unicode +characters (follow up to :cve:`2025-27556`). diff --git a/docs/releases/5.2.8.txt b/docs/releases/5.2.8.txt index 62cb32f55c..947fce8d84 100644 --- a/docs/releases/5.2.8.txt +++ b/docs/releases/5.2.8.txt @@ -8,6 +8,16 @@ Django 5.2.8 fixes one security issue with severity "high", one security issue with severity "moderate", and several bugs in 5.2.7. It also adds compatibility with Python 3.14. +CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows +====================================================================================================================================== + +Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on +Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`, +:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut +:func:`redirect() <django.shortcuts.redirect>` were subject to a potential +denial-of-service attack via certain inputs with a very large number of Unicode +characters (follow up to :cve:`2025-27556`). + Bugfixes ======== diff --git a/tests/httpwrappers/tests.py b/tests/httpwrappers/tests.py index f85d33e823..f62a9d9bba 100644 --- a/tests/httpwrappers/tests.py +++ b/tests/httpwrappers/tests.py @@ -24,6 +24,7 @@ from django.http import ( ) from django.test import SimpleTestCase from django.utils.functional import lazystr +from django.utils.http import MAX_URL_LENGTH class QueryDictTests(SimpleTestCase): @@ -490,6 +491,7 @@ class HttpResponseTests(SimpleTestCase): 'data:text/html,<script>window.alert("xss")</script>', "mailto:test@example.com", "file:///etc/passwd", + "é" * (MAX_URL_LENGTH + 1), ] for url in bad_urls: with self.assertRaises(DisallowedRedirect): |