[5.2.x] Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.

Refs CVE-2025-64458. The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase. Thanks Jacob Walls for report and review. Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
author: varunkasyap <varunkasyap@hotmail.com> 2025-11-26 14:28:24 -0300
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-11-26 17:19:57 -0300
commit: 0ae15bb52e17768839d057bc1ae3d72f2866458d (patch)
tree: b35ffac38391749b414c405c330afba142e23920 /docs
parent: 31bc5c2d11e1d1cc728666d0785eea088b1dc1f2 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/docs/releases/5.2.9.txt b/docs/releases/5.2.9.txt
index edd82271d9..8a8000a9f1 100644
--- a/docs/releases/5.2.9.txt
+++ b/docs/releases/5.2.9.txt
@@ -21,3 +21,8 @@ Bugfixes
 * Fixed a regression in Django 5.2.2 that caused a crash when using aggregate
   functions with an empty ``Q`` filter over a queryset with annotations
   (:ticket:`36751`).
+
+* Fixed a regression in Django 5.2.8 where ``DisallowedRedirect`` was raised by
+  :class:`~django.http.HttpResponseRedirect` and
+  :class:`~django.http.HttpResponsePermanentRedirect` for URLs longer than 2048
+  characters. The limit is now 16384 characters (:ticket:`36743`).
author	varunkasyap <varunkasyap@hotmail.com>	2025-11-26 14:28:24 -0300
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-11-26 17:19:57 -0300
commit	0ae15bb52e17768839d057bc1ae3d72f2866458d (patch)
tree	b35ffac38391749b414c405c330afba142e23920 /docs
parent	31bc5c2d11e1d1cc728666d0785eea088b1dc1f2 (diff)