diff options
| author | varunkasyap <varunkasyap@hotmail.com> | 2025-11-26 14:28:24 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2025-11-26 17:19:18 -0300 |
| commit | ce7d65fc8156e6b1e2163c3988eecbf214a8b031 (patch) | |
| tree | d236670937c30ca96beacadd739deae73d3a18c0 /django/utils/http.py | |
| parent | 122b2dc569bb2074367188621e1acd87f35d91a1 (diff) | |
[6.0.x] Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.
Refs CVE-2025-64458.
The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.
Thanks Jacob Walls for report and review.
Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
Diffstat (limited to 'django/utils/http.py')
| -rw-r--r-- | django/utils/http.py | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/django/utils/http.py b/django/utils/http.py index fe0b21f150..53e368285c 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -39,6 +39,7 @@ ASCTIME_DATE = _lazy_re_compile(r"^\w{3} %s %s %s %s$" % (__M, __D2, __T, __Y)) RFC3986_GENDELIMS = ":/?#[]@" RFC3986_SUBDELIMS = "!$&'()*+,;=" MAX_URL_LENGTH = 2048 +MAX_URL_REDIRECT_LENGTH = 16384 def urlencode(query, doseq=False): |