Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.

Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Follow-up to CVE-2025-27556 and 39e2297210.
2025-11-07 07:15:35 +00:00 · 2025-10-16 16:28:33 -04:00
parent 74564946c3
commit c880530ddd
5 changed files with 37 additions and 4 deletions
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -22,7 +22,7 @@ from django.utils import timezone
 from django.utils.datastructures import CaseInsensitiveMapping
 from django.utils.encoding import iri_to_uri
 from django.utils.functional import cached_property
-from django.utils.http import content_disposition_header, http_date
+from django.utils.http import MAX_URL_LENGTH, content_disposition_header, http_date
 from django.utils.regex_helper import _lazy_re_compile

 _charset_from_content_type_re = _lazy_re_compile(
@@ -631,7 +631,12 @@ class HttpResponseRedirectBase(HttpResponse):
    def __init__(self, redirect_to, preserve_request=False, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self["Location"] = iri_to_uri(redirect_to)
-        parsed = urlsplit(str(redirect_to))
+        redirect_to_str = str(redirect_to)
+        if len(redirect_to_str) > MAX_URL_LENGTH:
+            raise DisallowedRedirect(
+                f"Unsafe redirect exceeding {MAX_URL_LENGTH} characters"
+            )
+        parsed = urlsplit(redirect_to_str)
        if preserve_request:
            self.status_code = self.status_code_preserve_request
        if parsed.scheme and parsed.scheme not in self.allowed_schemes:
--- a/docs/releases/4.2.26.txt
+++ b/docs/releases/4.2.26.txt
@@ -7,4 +7,12 @@ Django 4.2.26 release notes
 Django 4.2.26 fixes one security issue with severity "high" and one security
 issue with severity "moderate" in 4.2.25.

-...
+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
--- a/docs/releases/5.1.14.txt
+++ b/docs/releases/5.1.14.txt
@@ -7,4 +7,12 @@ Django 5.1.14 release notes
 Django 5.1.14 fixes one security issue with severity "high" and one security
 issue with severity "moderate" in 5.1.13.

-...
+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
--- a/docs/releases/5.2.8.txt
+++ b/docs/releases/5.2.8.txt
@@ -8,6 +8,16 @@ Django 5.2.8 fixes one security issue with severity "high", one security issue
 with severity "moderate", and several bugs in 5.2.7. It also adds compatibility
 with Python 3.14.

+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
+
 Bugfixes
 ========

--- a/tests/httpwrappers/tests.py
+++ b/tests/httpwrappers/tests.py
@@ -24,6 +24,7 @@ from django.http import (
 )
 from django.test import SimpleTestCase
 from django.utils.functional import lazystr
+from django.utils.http import MAX_URL_LENGTH


 class QueryDictTests(SimpleTestCase):
@@ -490,6 +491,7 @@ class HttpResponseTests(SimpleTestCase):
            'data:text/html,<script>window.alert("xss")</script>',
            "mailto:test@example.com",
            "file:///etc/passwd",
+            "é" * (MAX_URL_LENGTH + 1),
        ]
        for url in bad_urls:
            with self.assertRaises(DisallowedRedirect):