authorSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2025-03-06 15:24:56 +0100
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2025-04-02 10:42:15 +0200
commit8c6871b097b6c49d2a782c0d80d908bcbe2116f1 (patch)
tree521c270381ec399e0da4c1c7eaf31d0484bfe1f6 /tests
parent2be56bc534a1ef7c9bae63182e6053513daa0d25 (diff)
[5.0.x] Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.
Thank you sw0rd1ight for the report. Backport of 39e2297210d9d2938c75fc911d45f0e863dc4821 from main.
Diffstat (limited to 'tests')
-rw-r--r--tests/utils_tests/test_http.py16
1 files changed, 16 insertions, 0 deletions
diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
index 818c35e597..20fe2c4c70 100644
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -6,6 +6,7 @@ from unittest import mock
from django.test import SimpleTestCase
from django.utils.datastructures import MultiValueDict
from django.utils.http import (
+ MAX_URL_LENGTH,
base36_to_int,
content_disposition_header,
escape_leading_slashes,
@@ -273,6 +274,21 @@ class URLHasAllowedHostAndSchemeTests(unittest.TestCase):
False,
)
+ def test_max_url_length(self):
+ allowed_host = "example.com"
+ max_extra_characters = "é" * (MAX_URL_LENGTH - len(allowed_host) - 1)
+ max_length_boundary_url = f"{allowed_host}/{max_extra_characters}"
+ cases = [
+ (max_length_boundary_url, True),
+ (max_length_boundary_url + "ú", False),
+ ]
+ for url, expected in cases:
+ with self.subTest(url=url):
+ self.assertIs(
+ url_has_allowed_host_and_scheme(url, allowed_hosts={allowed_host}),
+ expected,
+ )
+
class URLSafeBase64Tests(unittest.TestCase):
def test_roundtrip(self):
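Review bot: The boundary URL built on the `max_length_boundary_url = f"{allowed_host}/{max_extra_characters}"` line has no scheme and no leading `//`, so the accepted case is presumably handled as a relative path and never reaches the allowed-host comparison; an absolute form at the same total length, e.g. a second pair built from `f"https://{allowed_host}/"` with the `"é"` filler shortened by `len("https://")`, would pin the limit for the host-checked branch as well. The non-ASCII filler looks like a deliberate choice to show the limit applies to character count rather than encoded byte length; if so, a one-line comment such as `# Non-ASCII filler: the limit is on str length, not encoded bytes.` above `max_extra_characters` would make that intent explicit. A short docstring on the method, `"""Boundary check for the MAX_URL_LENGTH guard (CVE-2025-27556)."""`, would tie the test to the fix it guards. The enclosing class `URLHasAllowedHostAndSchemeTests` begins outside the hunk.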