[4.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.

Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.

Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.

2 files changed, 2 insertions, 2 deletions

diff --git a/django/utils/html.py b/django/utils/html.py
index 84c37d1186..11ffd53eb5 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -9,12 +9,11 @@ from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsp
 from django.core.exceptions import SuspiciousOperation
 from django.utils.encoding import punycode
 from django.utils.functional import Promise, cached_property, keep_lazy, keep_lazy_text
-from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
+from django.utils.http import MAX_URL_LENGTH, RFC3986_GENDELIMS, RFC3986_SUBDELIMS
 from django.utils.regex_helper import _lazy_re_compile
 from django.utils.safestring import SafeData, SafeString, mark_safe
 from django.utils.text import normalize_newlines
 
-MAX_URL_LENGTH = 2048
 MAX_STRIP_TAGS_DEPTH = 50
 
 # HTML tag that opens but has no closing ">" after 1k+ chars.
diff --git a/django/utils/http.py b/django/utils/http.py
index 94ad60bdbc..244ff7e866 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -47,6 +47,7 @@ ASCTIME_DATE = _lazy_re_compile(r"^\w{3} %s %s %s %s$" % (__M, __D2, __T, __Y))
 
 RFC3986_GENDELIMS = ":/?#[]@"
 RFC3986_SUBDELIMS = "!$&'()*+,;="
+MAX_URL_LENGTH = 2048
 
 # TODO: Remove when dropping support for PY38.
 # Unsafe bytes to be removed per WHATWG spec.