Re: [Django] #36743: Max URL length of 2048 is too conservative for redirect targets


Django

Nov 18, 2025, 11:53:22 PM (11 days ago) Nov 18
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Varun Kasyap Pentamaraju):

* owner: (none) => Varun Kasyap Pentamaraju
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Nov 20, 2025, 6:42:11 AM (10 days ago) Nov 20
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* cc: Mariusz Felisiak (added)

Comment:

I'm not sure why we want to consider this as a release blocker; we've
discussed and agreed on this limit within the security team. Moreover,
users can adjust the current limit themselves. As far as I'm aware, this
is not a bug but a cleanup. Even then, I'm not convinced that we should
change it (even in the current `main` branch).
--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:3>

Django

Nov 20, 2025, 7:52:53 AM (10 days ago) Nov 20
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Jacob Walls):

Thanks Mariusz. My position is that we got the limit wrong.

> we've discussed and agreed on this limit within the security team

I think this overstates the extent to which it was discussed.

> Moreover, users can adjust the current limit themselves.

Do you not find the arguments convincing that this is a poor practice, not
composable for reusable apps, and degrades URLField validation?
--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:4>

Django

Nov 21, 2025, 4:31:20 PM (9 days ago) Nov 21
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* needs_docs: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:5>

Django

Nov 21, 2025, 4:33:40 PM (9 days ago) Nov 21
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* has_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:6>

Django

Nov 22, 2025, 1:49:35 AM (8 days ago) Nov 22
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: assigned
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Varun Kasyap Pentamaraju):

* needs_docs: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:7>

Django

Nov 26, 2025, 3:17:56 PM (4 days ago) Nov 26
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: closed
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by nessita <124304+nessita@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"a8cf8c292cfee98fe6cc873ca5221935f1d02271" a8cf8c2]:
{{{#!CommitTicketReference repository=""
revision="a8cf8c292cfee98fe6cc873ca5221935f1d02271"
Fixed #36743 -- Increased URL max length enforced in
HttpResponseRedirectBase.

Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for report and review.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:8>
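As an added illustration (not Django's code and not part of the ticket), the model below shows the policy the changeset describes: a redirect response class that enforces a dedicated `MAX_URL_REDIRECT_LENGTH` of 16384, decoupled from the 2048-character `URLValidator` limit, so that a legitimately long third-party redirect target is accepted while an oversized or unsafe-scheme target is rejected before it reaches the `Location` header. The class name `RedirectResponse`, the `classify` helper and the sample URLs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

MAX_URL_LENGTH = 2048            # URLValidator-style limit, kept for form validation
MAX_URL_REDIRECT_LENGTH = 16384  # separate redirect limit, default per the changeset


class DisallowedRedirect(Exception):
    """Raised when a redirect target fails a safety check (name assumed)."""


class RedirectResponse:
    """Minimal stand-in for a redirect response; not Django's class."""

    allowed_schemes = ("http", "https", "ftp")
    status_code = 302

    def __init__(self, redirect_to, max_length=MAX_URL_REDIRECT_LENGTH):
        redirect_to = str(redirect_to)
        # Length check runs first, before any parsing, so an oversized
        # target is rejected with O(len) work and never reaches the header.
        if len(redirect_to) > max_length:
            raise DisallowedRedirect(
                f"Redirect target exceeds {max_length} characters"
            )
        parsed = urlsplit(redirect_to)
        # Relative targets have no scheme and are allowed; absolute targets
        # must use one of the permitted schemes.
        if parsed.scheme and parsed.scheme not in self.allowed_schemes:
            raise DisallowedRedirect(
                f"Unsafe redirect to URL with protocol {parsed.scheme!r}"
            )
        self.headers = {"Location": redirect_to}


def classify(redirect_to, max_length=MAX_URL_REDIRECT_LENGTH):
    """Return 'ok' if the target is accepted, else the rejection reason."""
    try:
        RedirectResponse(redirect_to, max_length=max_length)
        return "ok"
    except DisallowedRedirect as exc:
        return str(exc)


# Constructed sample: an OAuth-style callback carrying a ~3000-character
# state blob, the kind of legitimate third-party redirect the old limit rejected.
LONG_THIRD_PARTY_URL = "https://idp.example/authorize?state=" + "a" * 3000

if __name__ == "__main__":
    cases = [
        ("old 2048 limit", LONG_THIRD_PARTY_URL, MAX_URL_LENGTH),
        ("new 16384 limit", LONG_THIRD_PARTY_URL, MAX_URL_REDIRECT_LENGTH),
        ("oversized", "https://x.example/?q=" + "b" * 20000, MAX_URL_REDIRECT_LENGTH),
        ("bad scheme", "javascript:void(0)", MAX_URL_REDIRECT_LENGTH),
    ]
    for label, url, limit in cases:
        print(f"{label:16s} -> {classify(url, limit)}")
```

The same long target is rejected under the old limit and accepted under the new one, while the oversized and non-http(s) targets are still refused.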

Django

Nov 26, 2025, 3:19:49 PM (4 days ago) Nov 26
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: closed
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):

In [changeset:"ce7d65fc8156e6b1e2163c3988eecbf214a8b031" ce7d65fc]:
{{{#!CommitTicketReference repository=""
revision="ce7d65fc8156e6b1e2163c3988eecbf214a8b031"
[6.0.x] Fixed #36743 -- Increased URL max length enforced in
HttpResponseRedirectBase.

Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for report and review.

Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:9>

Django

Nov 26, 2025, 3:20:21 PM (4 days ago) Nov 26
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: closed
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):

In [changeset:"0ae15bb52e17768839d057bc1ae3d72f2866458d" 0ae15bb]:
{{{#!CommitTicketReference repository=""
revision="0ae15bb52e17768839d057bc1ae3d72f2866458d"
[5.2.x] Fixed #36743 -- Increased URL max length enforced in
HttpResponseRedirectBase.

Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for report and review.

Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:10>

Django

Nov 26, 2025, 3:29:53 PM (4 days ago) Nov 26
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: closed
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):

In [changeset:"f3542966c3b91d46e82b38c6334badad8dc7e588" f354296]:
{{{#!CommitTicketReference repository=""
revision="f3542966c3b91d46e82b38c6334badad8dc7e588"
[5.1.x] Fixed #36743 -- Increased URL max length enforced in
HttpResponseRedirectBase.

Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for report and review.

Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:11>

Django

Nov 26, 2025, 3:31:52 PM (4 days ago) Nov 26
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: closed
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):

In [changeset:"e6973490373dca340e36f2db3eae1eb26a6a2d80" e697349]:
{{{#!CommitTicketReference repository=""
revision="e6973490373dca340e36f2db3eae1eb26a6a2d80"
[4.2.x] Fixed #36743 -- Increased URL max length enforced in
HttpResponseRedirectBase.

Refs CVE-2025-64458.

The previous limit of 2048 characters reused the URLValidator constant
and proved too restrictive for legitimate redirects to some third-party
services. This change introduces a separate `MAX_URL_REDIRECT_LENGTH`
constant (defaulting to 16384) and uses it in HttpResponseRedirectBase.

Thanks Jacob Walls for report and review.

Backport of a8cf8c292cfee98fe6cc873ca5221935f1d02271 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:12>

Django

Nov 26, 2025, 5:59:19 PM (3 days ago) Nov 26
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: closed
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by nessita <124304+nessita@…>):

In [changeset:"18b13cf6c48ff0a20b2a74d3b90d1fc1602608e4" 18b13cf]:
{{{#!CommitTicketReference repository=""
revision="18b13cf6c48ff0a20b2a74d3b90d1fc1602608e4"
Refs #36743 -- Added missing release notes for 5.1.15 and 4.2.27.

The fix landed in a8cf8c292cfee98fe6cc873ca5221935f1d02271 will be
backported to 5.1 and 4.2 since the 2048 limit was rolled out as part of
the security release for CVE-2025-64458.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:13>

Django

Nov 26, 2025, 6:00:58 PM (3 days ago) Nov 26
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: closed
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):

In [changeset:"1f349005f842ae09a195e8de2a5f2de1b3d90874" 1f34900]:
{{{#!CommitTicketReference repository=""
revision="1f349005f842ae09a195e8de2a5f2de1b3d90874"
[6.0.x] Refs #36743 -- Added missing release notes for 5.1.15 and 4.2.27.

The fix landed in a8cf8c292cfee98fe6cc873ca5221935f1d02271 will be
backported to 5.1 and 4.2 since the 2048 limit was rolled out as part of
the security release for CVE-2025-64458.

Backport of 18b13cf6c48ff0a20b2a74d3b90d1fc1602608e4 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:14>

Django

Nov 26, 2025, 6:01:25 PM (3 days ago) Nov 26
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: closed
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):

In [changeset:"2171933c5a66d9c99bb38bb5c9ecd0f68542c8a3" 2171933]:
{{{#!CommitTicketReference repository=""
revision="2171933c5a66d9c99bb38bb5c9ecd0f68542c8a3"
[5.2.x] Refs #36743 -- Added missing release notes for 5.1.15 and 4.2.27.

The fix landed in a8cf8c292cfee98fe6cc873ca5221935f1d02271 will be
backported to 5.1 and 4.2 since the 2048 limit was rolled out as part of
the security release for CVE-2025-64458.

Backport of 18b13cf6c48ff0a20b2a74d3b90d1fc1602608e4 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:15>

Django

Nov 26, 2025, 6:02:03 PM (3 days ago) Nov 26
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: closed
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):

In [changeset:"ca4251d04e4b1de7d1a365f1b9928de04728e048" ca4251d0]:
{{{#!CommitTicketReference repository=""
revision="ca4251d04e4b1de7d1a365f1b9928de04728e048"
[5.1.x] Refs #36743 -- Added missing release notes for 5.1.15 and 4.2.27.

The fix landed in a8cf8c292cfee98fe6cc873ca5221935f1d02271 will be
backported to 5.1 and 4.2 since the 2048 limit was rolled out as part of
the security release for CVE-2025-64458.

Backport of 18b13cf6c48ff0a20b2a74d3b90d1fc1602608e4 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:16>

Django

Nov 26, 2025, 6:04:40 PM (3 days ago) Nov 26
to django-...@googlegroups.com
#36743: Max URL length of 2048 is too conservative for redirect targets
-------------------------------------+-------------------------------------
Reporter: Jacob Walls | Owner: Varun
| Kasyap Pentamaraju
Type: Bug | Status: closed
Component: HTTP handling | Version: 4.2
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Natalia <124304+nessita@…>):

In [changeset:"0e85bdbde1c1fdbd3a92cdb6d31fab788811da63" 0e85bdb]:
{{{#!CommitTicketReference repository=""
revision="0e85bdbde1c1fdbd3a92cdb6d31fab788811da63"
[4.2.x] Refs #36743 -- Added missing release notes for 5.1.15 and 4.2.27.

The fix landed in a8cf8c292cfee98fe6cc873ca5221935f1d02271 will be
backported to 5.1 and 4.2 since the 2048 limit was rolled out as part of
the security release for CVE-2025-64458.

Backport of 18b13cf6c48ff0a20b2a74d3b90d1fc1602608e4 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36743#comment:17>