#36767: Allow overriding redirect URL max length in `HttpResponseRedirectBase`
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Type: Cleanup/optimization
Status: new                          | Component: HTTP handling
Version: dev                         | Severity: Normal
Keywords:                            | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Redirect URLs can legitimately get very large depending on the
application. For example, S3 presigned URLs, signed download links, or
OAuth/SSO protocols that stuff state, nonces, or signatures into the query
string. Django currently enforces a hardcoded `MAX_URL_REDIRECT_LENGTH`
(introduced in 880530ddd4fabd5939bab0e148bebe36699432a and
a8cf8c292cfee98fe6cc873ca5221935f1d02271). This means fully valid URLs
from these workflows may end up raising `DisallowedRedirect`, even though
long redirect targets are perfectly fine in HTTP.
I think we need to make the limit overridable, similarly to what was done
in #35784. A simple approach would be to extend `HttpResponseRedirectBase`
to accept an optional `max_length` argument. If provided, it overrides the
default. If set to `None`, the check is disabled altogether. The current
default stays in place for safety.
This gives projects a documented and explicit escape hatch without
changing the default behavior. And it is worth calling out that long
redirect URLs have no performance impact on Django itself on non-Windows
platforms. The original limit was mainly about avoiding unicode
normalization costs in Python's URL parsing on Windows, which is not the
common deployment case according to our usage surveys.
There is an initial patch that adds the parameter, updates the checks
accordingly, and adds tests. It needs some refinement and docs, but the
approach seems sound.
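A stand-alone Python model of the proposed `max_length` semantics, added here as an illustration and not Django's own code: the `RedirectResponse` class, the 2048 default, and the constructed presigned-style URL are assumptions, while the scheme allow-list check mirrors the existing `HttpResponseRedirectBase` behaviour.

```python
from urllib.parse import urlencode, urlsplit

# Assumed default for illustration; not Django's actual constant value.
DEFAULT_MAX_URL_REDIRECT_LENGTH = 2048


class DisallowedRedirect(Exception):
    """Stand-in for django.core.exceptions.DisallowedRedirect."""


class RedirectResponse:
    """Model of the proposal (not Django's code): max_length overrides the
    default limit, None disables the length check, and the scheme
    allow-list check applies regardless of the length setting."""

    allowed_schemes = ["http", "https", "ftp"]

    def __init__(self, redirect_to, max_length=DEFAULT_MAX_URL_REDIRECT_LENGTH):
        self.url = str(redirect_to)
        # Check length before parsing: the limit exists to bound the cost of
        # urlsplit() on very long input, so parse only once the length passes.
        if max_length is not None and len(self.url) > max_length:
            raise DisallowedRedirect(
                f"Redirect URL length {len(self.url)} exceeds {max_length}"
            )
        parsed = urlsplit(self.url)
        if parsed.scheme and parsed.scheme not in self.allowed_schemes:
            raise DisallowedRedirect(f"Unsafe redirect scheme {parsed.scheme!r}")


def constructed_signed_url(sig_len):
    """Constructed sample: a presigned-style download URL whose signature
    query parameter is sig_len characters long."""
    query = urlencode(
        {"X-Amz-Algorithm": "AWS4-HMAC-SHA256", "X-Amz-Signature": "a" * sig_len}
    )
    return "https://bucket.example.test/object.bin?" + query


def redirect_allowed(url, max_length=DEFAULT_MAX_URL_REDIRECT_LENGTH):
    """True if the URL is accepted under the given limit, False if rejected."""
    try:
        RedirectResponse(url, max_length=max_length)
    except DisallowedRedirect:
        return False
    return True


if __name__ == "__main__":
    long_url = constructed_signed_url(3000)
    print(redirect_allowed(long_url))                    # default limit rejects it
    print(redirect_allowed(long_url, max_length=4096))   # explicit override accepts it
    print(redirect_allowed(long_url, max_length=None))   # None disables the length check
    print(redirect_allowed("ssh://host/", max_length=None))  # scheme check still rejects
```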
--
Ticket URL: <https://code.djangoproject.com/ticket/36767>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.