authorSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2025-03-06 15:24:56 +0100
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2025-04-02 10:21:33 +0200
commit39e2297210d9d2938c75fc911d45f0e863dc4821 (patch)
tree0fec68f7a688c827ecde281ea9fd44610c1dd331 /django/utils/http.py
parent00c68f03b5dc6c14618026347ee0da4d466c88e3 (diff)
Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.
Thank you sw0rd1ight for the report.
Diffstat (limited to 'django/utils/http.py')
-rw-r--r--django/utils/http.py6
1 files changed, 5 insertions, 1 deletions
diff --git a/django/utils/http.py b/django/utils/http.py
index 1f9adeb707..1c7aec7141 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -39,6 +39,7 @@ ASCTIME_DATE = _lazy_re_compile(r"^\w{3} %s %s %s %s$" % (__M, __D2, __T, __Y))
RFC3986_GENDELIMS = ":/?#[]@"
RFC3986_SUBDELIMS = "!$&'()*+,;="
+MAX_URL_LENGTH = 2048
def urlencode(query, doseq=False):
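Review bot: `MAX_URL_LENGTH = 2048` is added with no comment, so the only rationale for the value lives at the single use site in `_url_has_allowed_host_and_scheme()`, and a reader of the constants block cannot tell what it bounds or why it exists. I would document it where it is defined, e.g. `# Upper bound on URL length accepted by url_has_allowed_host_and_scheme(); longer inputs are rejected before urlsplit() because its Unicode normalization is slow on Windows (CVE-2025-27556).` Whether 2048 is meant to track a browser or server limit is not stated anywhere in the diff; if it is, naming that source in the comment would make the choice reviewable later.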
@@ -274,7 +275,10 @@ def url_has_allowed_host_and_scheme(url, allowed_hosts, require_https=False):
def _url_has_allowed_host_and_scheme(url, allowed_hosts, require_https=False):
# Chrome considers any URL with more than two slashes to be absolute, but
# urlsplit is not so flexible. Treat any url with three slashes as unsafe.
- if url.startswith("///"):
+ if url.startswith("///") or len(url) > MAX_URL_LENGTH:
+ # urlsplit does not perform validation of inputs. Unicode normalization
+ # is very slow on Windows and can be a DoS attack vector.
+ # https://docs.python.org/3/library/urllib.parse.html#url-parsing-security
return False
try:
url_info = urlsplit(url)
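Review bot: The comment above the `if` still describes only the three-slash case ("Treat any url with three slashes as unsafe"), while the condition now also rejects over-length input, and the explanation for that second reason is placed inside the branch; the two halves of one condition are documented in two places. I would either split the guard into two `if` statements, each with its own comment, or fold the new text into the leading comment, e.g. `# ... Treat any url with three slashes, or longer than MAX_URL_LENGTH, as unsafe: urlsplit() does no input validation and its Unicode normalization is very slow on Windows (DoS vector).` The guard only protects callers that reach this helper; if the public `url_has_allowed_host_and_scheme()` wrapper (outside the hunk) touches `urlsplit()` or otherwise parses `url` before delegating, that path would still see the full-length input, which is worth confirming. `_url_has_allowed_host_and_scheme()` continues past the end of the hunk.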