Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.

Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for report and review.

1 files changed, 7 insertions, 3 deletions

diff --git a/django/http/response.py b/django/http/response.py
index 020b2fcf3a..9bf0b14df5 100644
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -22,7 +22,11 @@ from django.utils import timezone
 from django.utils.datastructures import CaseInsensitiveMapping
 from django.utils.encoding import iri_to_uri
 from django.utils.functional import cached_property
-from django.utils.http import MAX_URL_LENGTH, content_disposition_header, http_date
+from django.utils.http import (
+    MAX_URL_REDIRECT_LENGTH,
+    content_disposition_header,
+    http_date,
+)
 from django.utils.regex_helper import _lazy_re_compile
 
 _charset_from_content_type_re = _lazy_re_compile(
@@ -632,9 +636,9 @@ class HttpResponseRedirectBase(HttpResponse):
         super().__init__(*args, **kwargs)
         self["Location"] = iri_to_uri(redirect_to)
         redirect_to_str = str(redirect_to)
-        if len(redirect_to_str) > MAX_URL_LENGTH:
+        if len(redirect_to_str) > MAX_URL_REDIRECT_LENGTH:
             raise DisallowedRedirect(
-                f"Unsafe redirect exceeding {MAX_URL_LENGTH} characters"
+                f"Unsafe redirect exceeding {MAX_URL_REDIRECT_LENGTH} characters"
             )
         parsed = urlsplit(redirect_to_str)
         if preserve_request: