diff options
| author | varunkasyap <varunkasyap@hotmail.com> | 2025-11-26 14:28:24 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2025-11-26 17:31:17 -0300 |
| commit | e6973490373dca340e36f2db3eae1eb26a6a2d80 (patch) | |
| tree | 614503d6f6049610d3789dd4ea7802c0d687235f /tests | |
| parent | 7d7f27bc9881dede6337212db1e9ccdbd37addae (diff) | |
[4.2.x] Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase.
Refs CVE-2025-64458.
The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.
Thanks Jacob Walls for report and review.
Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/httpwrappers/tests.py | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/tests/httpwrappers/tests.py b/tests/httpwrappers/tests.py index b20d9a1ca1..3af20f9309 100644 --- a/tests/httpwrappers/tests.py +++ b/tests/httpwrappers/tests.py @@ -24,7 +24,7 @@ from django.http import ( ) from django.test import SimpleTestCase from django.utils.functional import lazystr -from django.utils.http import MAX_URL_LENGTH +from django.utils.http import MAX_URL_REDIRECT_LENGTH class QueryDictTests(SimpleTestCase): @@ -486,12 +486,25 @@ class HttpResponseTests(SimpleTestCase): r.writelines(["foo\n", "bar\n", "baz\n"]) self.assertEqual(r.content, b"foo\nbar\nbaz\n") + def test_redirect_url_max_length(self): + base_url = "https://example.com/" + for length in ( + MAX_URL_REDIRECT_LENGTH - 1, + MAX_URL_REDIRECT_LENGTH, + ): + long_url = base_url + "x" * (length - len(base_url)) + with self.subTest(length=length): + response = HttpResponseRedirect(long_url) + self.assertEqual(response.url, long_url) + response = HttpResponsePermanentRedirect(long_url) + self.assertEqual(response.url, long_url) + def test_unsafe_redirect(self): bad_urls = [ 'data:text/html,<script>window.alert("xss")</script>', "mailto:test@example.com", "file:///etc/passwd", - "é" * (MAX_URL_LENGTH + 1), + "é" * (MAX_URL_REDIRECT_LENGTH + 1), ] for url in bad_urls: with self.assertRaises(DisallowedRedirect): |