From e6973490373dca340e36f2db3eae1eb26a6a2d80 Mon Sep 17 00:00:00 2001 From: varunkasyap Date: Wed, 26 Nov 2025 14:28:24 -0300 Subject: [4.2.x] Fixed #36743 -- Increased URL max length enforced in HttpResponseRedirectBase. Refs CVE-2025-64458. The previous limit of 2048 characters reused the URLValidator constant and proved too restrictive for legitimate redirects to some third-party services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH` constant (defaulting to 16384) and uses it in HttpResponseRedirectBase. Thanks Jacob Walls for report and review. Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main. --- django/http/response.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'django/http') diff --git a/django/http/response.py b/django/http/response.py index 763fd2a8ac..28b8fa6d36 100644 --- a/django/http/response.py +++ b/django/http/response.py @@ -21,7 +21,11 @@ from django.http.cookie import SimpleCookie from django.utils import timezone from django.utils.datastructures import CaseInsensitiveMapping from django.utils.encoding import iri_to_uri -from django.utils.http import MAX_URL_LENGTH, content_disposition_header, http_date +from django.utils.http import ( + MAX_URL_REDIRECT_LENGTH, + content_disposition_header, + http_date, +) from django.utils.regex_helper import _lazy_re_compile _charset_from_content_type_re = _lazy_re_compile( @@ -615,9 +619,9 @@ class HttpResponseRedirectBase(HttpResponse): super().__init__(*args, **kwargs) self["Location"] = iri_to_uri(redirect_to) redirect_to_str = str(redirect_to) - if len(redirect_to_str) > MAX_URL_LENGTH: + if len(redirect_to_str) > MAX_URL_REDIRECT_LENGTH: raise DisallowedRedirect( - f"Unsafe redirect exceeding {MAX_URL_LENGTH} characters" + f"Unsafe redirect exceeding {MAX_URL_REDIRECT_LENGTH} characters" ) parsed = urlparse(redirect_to_str) if parsed.scheme and parsed.scheme not in self.allowed_schemes: -- cgit v1.3