[5.0.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.

Thank you sw0rd1ight for the report. Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main.
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-03-06 15:24:56 +0100
committer: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-04-02 10:42:15 +0200
commit: 8c6871b097b6c49d2a782c0d80d908bcbe2116f1 (patch)
tree: 521c270381ec399e0da4c1c7eaf31d0484bfe1f6 /django/core/validators.py
parent: 2be56bc534a1ef7c9bae63182e6053513daa0d25 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/django/core/validators.py b/django/core/validators.py
index fe8d46526a..14b89ff11e 100644
--- a/django/core/validators.py
+++ b/django/core/validators.py
@@ -7,6 +7,7 @@ from urllib.parse import urlsplit, urlunsplit
 from django.core.exceptions import ValidationError
 from django.utils.deconstruct import deconstructible
 from django.utils.encoding import punycode
+from django.utils.http import MAX_URL_LENGTH
 from django.utils.ipv6 import is_valid_ipv6_address
 from django.utils.regex_helper import _lazy_re_compile
 from django.utils.translation import gettext_lazy as _
@@ -104,7 +105,7 @@ class URLValidator(RegexValidator):
     message = _("Enter a valid URL.")
     schemes = ["http", "https", "ftp", "ftps"]
     unsafe_chars = frozenset("\t\r\n")
-    max_length = 2048
+    max_length = MAX_URL_LENGTH
 
     def __init__(self, schemes=None, **kwargs):
         super().__init__(**kwargs)
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-03-06 15:24:56 +0100
committer	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-04-02 10:42:15 +0200
commit	8c6871b097b6c49d2a782c0d80d908bcbe2116f1 (patch)
tree	521c270381ec399e0da4c1c7eaf31d0484bfe1f6 /django/core/validators.py
parent	2be56bc534a1ef7c9bae63182e6053513daa0d25 (diff)