Fixed CVE-2025-27556 -- Mitigated potential DoS in url_has_allowed_host_and_scheme() on Windows.

Thank you sw0rd1ight for the report.
2025-10-23 21:59:11 +00:00 · 2025-03-06 15:24:56 +01:00
parent 00c68f03b5
commit 39e2297210
6 changed files with 44 additions and 4 deletions
--- a/tests/utils_tests/test_http.py
+++ b/tests/utils_tests/test_http.py
@@ -7,6 +7,7 @@ from django.test import SimpleTestCase
 from django.utils.datastructures import MultiValueDict
 from django.utils.http import (
    MAX_HEADER_LENGTH,
+    MAX_URL_LENGTH,
    base36_to_int,
    content_disposition_header,
    escape_leading_slashes,
@@ -274,6 +275,21 @@ class URLHasAllowedHostAndSchemeTests(unittest.TestCase):
                    False,
                )

+    def test_max_url_length(self):
+        allowed_host = "example.com"
+        max_extra_characters = "é" * (MAX_URL_LENGTH - len(allowed_host) - 1)
+        max_length_boundary_url = f"{allowed_host}/{max_extra_characters}"
+        cases = [
+            (max_length_boundary_url, True),
+            (max_length_boundary_url + "ú", False),
+        ]
+        for url, expected in cases:
+            with self.subTest(url=url):
+                self.assertIs(
+                    url_has_allowed_host_and_scheme(url, allowed_hosts={allowed_host}),
+                    expected,
+                )
+

 class URLSafeBase64Tests(unittest.TestCase):
    def test_roundtrip(self):