From 4f5d904b63751dea9ffc3b0e046404a7fa5881ac Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Thu, 16 Oct 2025 16:28:33 -0400 Subject: [5.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows. Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Follow-up to CVE-2025-27556 and 39e2297210d9d2938c75fc911d45f0e863dc4821. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main. --- django/http/response.py | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'django') diff --git a/django/http/response.py b/django/http/response.py index 4a0ea67013..9f4bd6af90 100644 --- a/django/http/response.py +++ b/django/http/response.py @@ -22,7 +22,7 @@ from django.utils import timezone from django.utils.datastructures import CaseInsensitiveMapping from django.utils.encoding import iri_to_uri from django.utils.functional import cached_property -from django.utils.http import content_disposition_header, http_date +from django.utils.http import MAX_URL_LENGTH, content_disposition_header, http_date from django.utils.regex_helper import _lazy_re_compile _charset_from_content_type_re = _lazy_re_compile( @@ -630,7 +630,12 @@ class HttpResponseRedirectBase(HttpResponse): def __init__(self, redirect_to, preserve_request=False, *args, **kwargs): super().__init__(*args, **kwargs) self["Location"] = iri_to_uri(redirect_to) - parsed = urlsplit(str(redirect_to)) + redirect_to_str = str(redirect_to) + if len(redirect_to_str) > MAX_URL_LENGTH: + raise DisallowedRedirect( + f"Unsafe redirect exceeding {MAX_URL_LENGTH} characters" + ) + parsed = urlsplit(redirect_to_str) if preserve_request: self.status_code = self.status_code_preserve_request if parsed.scheme and parsed.scheme not in self.allowed_schemes: -- cgit v1.3