Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.

Refs CVE-2025-64458. The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase. Thanks Jacob Walls for report and review.
author: varunkasyap <varunkasyap@hotmail.com> 2025-11-26 14:28:24 -0300
committer: nessita <124304+nessita@users.noreply.github.com> 2025-11-26 17:17:46 -0300
commit: a8cf8c292cfee98fe6cc873ca5221935f1d02271 (patch)
tree: efd26baa8def23b4f6180bd824545deb73845782 /docs/releases
parent: 818a620f0847d6d9f4f641114627a9537e5fea0e (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/docs/releases/5.2.9.txt b/docs/releases/5.2.9.txt
index edd82271d9..8a8000a9f1 100644
--- a/docs/releases/5.2.9.txt
+++ b/docs/releases/5.2.9.txt
@@ -21,3 +21,8 @@ Bugfixes
 * Fixed a regression in Django 5.2.2 that caused a crash when using aggregate
   functions with an empty ``Q`` filter over a queryset with annotations
   (:ticket:`36751`).
+
+* Fixed a regression in Django 5.2.8 where ``DisallowedRedirect`` was raised by
+  :class:`~django.http.HttpResponseRedirect` and
+  :class:`~django.http.HttpResponsePermanentRedirect` for URLs longer than 2048
+  characters. The limit is now 16384 characters (:ticket:`36743`).
author	varunkasyap <varunkasyap@hotmail.com>	2025-11-26 14:28:24 -0300
committer	nessita <124304+nessita@users.noreply.github.com>	2025-11-26 17:17:46 -0300
commit	a8cf8c292cfee98fe6cc873ca5221935f1d02271 (patch)
tree	efd26baa8def23b4f6180bd824545deb73845782 /docs/releases
parent	818a620f0847d6d9f4f641114627a9537e5fea0e (diff)