From 0ae15bb52e17768839d057bc1ae3d72f2866458d Mon Sep 17 00:00:00 2001
From: varunkasyap <varunkasyap@hotmail.com>
Date: Wed, 26 Nov 2025 14:28:24 -0300
Subject: [5.2.x] Fixed #36743 -- Increased URL max length enforced in
 HttpResponseRedirectBase.

Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for report and review.

Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
---
 docs/releases/5.2.9.txt | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'docs')

diff --git a/docs/releases/5.2.9.txt b/docs/releases/5.2.9.txt
index edd82271d9..8a8000a9f1 100644
--- a/docs/releases/5.2.9.txt
+++ b/docs/releases/5.2.9.txt
@@ -21,3 +21,8 @@ Bugfixes
 * Fixed a regression in Django 5.2.2 that caused a crash when using aggregate
   functions with an empty ``Q`` filter over a queryset with annotations
   (:ticket:`36751`).
+
+* Fixed a regression in Django 5.2.8 where ``DisallowedRedirect`` was raised by
+  :class:`~django.http.HttpResponseRedirect` and
+  :class:`~django.http.HttpResponsePermanentRedirect` for URLs longer than 2048
+  characters. The limit is now 16384 characters (:ticket:`36743`).
-- 
cgit v1.3