From e6973490373dca340e36f2db3eae1eb26a6a2d80 Mon Sep 17 00:00:00 2001
From: varunkasyap <varunkasyap@hotmail.com>
Date: Wed, 26 Nov 2025 14:28:24 -0300
Subject: [4.2.x] Fixed #36743 -- Increased URL max length enforced in
 HttpResponseRedirectBase.

Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for report and review.

Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
---
 django/utils/http.py | 1 +
 1 file changed, 1 insertion(+)

(limited to 'django/utils/http.py')

diff --git a/django/utils/http.py b/django/utils/http.py
index 244ff7e866..0804937f38 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -48,6 +48,7 @@ ASCTIME_DATE = _lazy_re_compile(r"^\w{3} %s %s %s %s$" % (__M, __D2, __T, __Y))
 RFC3986_GENDELIMS = ":/?#[]@"
 RFC3986_SUBDELIMS = "!$&'()*+,;="
 MAX_URL_LENGTH = 2048
+MAX_URL_REDIRECT_LENGTH = 16384
 
 # TODO: Remove when dropping support for PY38.
 # Unsafe bytes to be removed per WHATWG spec.
-- 
cgit v1.3