#36767: Allow overriding redirect URL max length in `HttpResponseRedirectBase`
-------------------------------------+-------------------------------------
     Reporter:  Natalia Bidart       |                     Type:
                                     |  Cleanup/optimization
       Status:  new                  |                Component:  HTTP
                                     |  handling
      Version:  dev                  |                 Severity:  Normal
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 Redirect URLs can legitimately get very large depending on the
 application. For example, S3 presigned URLs, signed download links, or
 OAuth/SSO protocols that stuff state, nonces, or signatures into the query
 string. Django currently enforces a hardcoded `MAX_URL_REDIRECT_LENGTH`
 (introduced in 880530ddd4fabd5939bab0e148bebe36699432a and
 a8cf8c292cfee98fe6cc873ca5221935f1d02271). This means fully valid URLs
 from these workflows may end up raising `DisallowedRedirect`, even though
 long redirect targets are perfectly fine in HTTP.

 I think we need to make the limit overridable, similarly to what was done
 in #35784. A simple approach would be to extend `HttpResponseRedirectBase`
 to accept an optional `max_length` argument. If provided, it overrides the
 default. If set to `None`, the check is disabled altogether. The current
 default stays in place for safety.

 This gives projects a documented and explicit escape hatch without
 changing the default behavior. And it is worth calling out that long
 redirect URLs have no performance impact on Django itself on non-Windows
 platforms. The original limit was mainly about avoiding unicode
 normalization costs in Python's URL parsing on Windows, which is not the
 common deployment case according to our usage surveys.

 There is an initial patch that adds the parameter, updates the checks
 accordingly, and adds tests. It needs some refinement and docs, but the
 approach seems sound.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36767>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
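As an added illustration of the `max_length` semantics proposed above (this is not the ticket's patch or Django's code; the class, the exception and the default limit value are stand-ins so it runs without Django installed):

```python
# Models the proposed optional `max_length` argument for HttpResponseRedirectBase.
# Stand-ins only: DEFAULT_MAX_URL_REDIRECT_LENGTH is an assumed placeholder,
# not Django's real MAX_URL_REDIRECT_LENGTH constant.

DEFAULT_MAX_URL_REDIRECT_LENGTH = 2048  # assumed placeholder value


class DisallowedRedirect(Exception):
    """Stand-in for django.core.exceptions.DisallowedRedirect."""


class RedirectResponse:
    """Stand-in for HttpResponseRedirectBase with the proposed argument.

    max_length semantics as proposed in the ticket:
      * omitted  -> the default limit applies (current behaviour)
      * an int   -> that limit replaces the default
      * None     -> the length check is disabled
    """

    _use_default = object()

    def __init__(self, redirect_to, max_length=_use_default):
        if max_length is self._use_default:
            max_length = DEFAULT_MAX_URL_REDIRECT_LENGTH
        if max_length is not None and len(redirect_to) > max_length:
            raise DisallowedRedirect(
                f"redirect URL length {len(redirect_to)} exceeds limit {max_length}"
            )
        self.url = redirect_to


def build_presigned_url(signature_size):
    """Constructed sample: an S3-style presigned link with a long signature."""
    query = "X-Amz-Signature=" + "a" * signature_size
    return "https://example-bucket.s3.amazonaws.com/report.pdf?" + query


def redirect_allowed(url, **kwargs):
    """Return True if the redirect would be issued, False if it is rejected."""
    try:
        RedirectResponse(url, **kwargs)
    except DisallowedRedirect:
        return False
    return True
```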
