[6.0.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.

This simplicaftion mitigates a potential DoS in URLField on Windows. The
usage of `urlsplit()` in `URLField.to_python()` was replaced with
`str.partition(":")` for URL scheme detection. On Windows, `urlsplit()`
performs Unicode normalization which is slow for certain characters,
making `URLField` vulnerable to DoS via specially crafted POST payloads.

Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger
for the review.

Refs #36923.

Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>

Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.

0 files changed, 0 insertions, 0 deletions