threatcode · pull · May 13, 2026 · May 12, 2026 · May 12, 2026
diff --git a/AUTHORS b/AUTHORS
@@ -598,6 +598,7 @@ answer newbie questions, and generally made Django that much better:
     Karderio <karderio@gmail.com>
     Karen Tracey <kmtracey@gmail.com>
     Karol Sikora <elektrrrus@gmail.com>
+    Kasey Steinhauer <kstein257@gmail.com>
     Kasun Herath <kasunh01@gmail.com>
     Katherine “Kati” Michel <kthrnmichel@gmail.com>
     Kathryn Killebrew <kathryn.killebrew@gmail.com>

diff --git a/django/http/response.py b/django/http/response.py
@@ -642,12 +642,11 @@ def __init__(
     ):
         super().__init__(*args, **kwargs)
         self["Location"] = iri_to_uri(redirect_to)
-        redirect_to_str = str(redirect_to)
-        if max_length is not None and len(redirect_to_str) > max_length:
+        if max_length is not None and len(self["Location"]) > max_length:
             raise DisallowedRedirect(
                 f"Unsafe redirect exceeding {max_length} characters"
             )
-        parsed = urlsplit(redirect_to_str)
+        parsed = urlsplit(str(redirect_to))
         if preserve_request:
             self.status_code = self.status_code_preserve_request
         if parsed.scheme and parsed.scheme not in self.allowed_schemes:

diff --git a/tests/admin_scripts/tests.py b/tests/admin_scripts/tests.py
@@ -2450,7 +2450,8 @@ def test_invalid_choice_db_option(self):
         if PY314:
             expected_error = (
                 r"Error: argument --database: invalid choice: 'deflaut', "
-                r"maybe you meant 'default'\? \(choose from default, other\)"
+                r"maybe you meant 'default'\? "
+                r"\(choose from '?default'?, '?other'?\)"
             )
         else:
             expected_error = (

diff --git a/tests/httpwrappers/tests.py b/tests/httpwrappers/tests.py
@@ -24,6 +24,7 @@
     parse_cookie,
 )
 from django.test import SimpleTestCase
+from django.utils.encoding import iri_to_uri
 from django.utils.functional import lazystr
 from django.utils.http import MAX_URL_REDIRECT_LENGTH
 
@@ -498,6 +499,18 @@ def test_redirect_url_max_length(self):
                 response = response_class(long_url)
                 self.assertEqual(response.url, long_url)
 
+    def test_redirect_url_max_length_checks_encoded_location(self):
+        long_url = "/" + "é" * (MAX_URL_REDIRECT_LENGTH - 1)
+        self.assertLessEqual(len(long_url), MAX_URL_REDIRECT_LENGTH)
+        self.assertGreater(len(iri_to_uri(long_url)), MAX_URL_REDIRECT_LENGTH)
+        for response_class in (HttpResponseRedirect, HttpResponsePermanentRedirect):
+            msg = f"Unsafe redirect exceeding {MAX_URL_REDIRECT_LENGTH} characters"
+            with (
+                self.subTest(response_class=response_class),
+                self.assertRaisesMessage(DisallowedRedirect, msg),
+            ):
+                response_class(long_url)
+
     def test_redirect_url_max_length_override_via_param(self):
         base_url = "https://example.com/"
         for (max_length, length), response_class in itertools.product(