[Python-checkins] [3.7] bpo-43882 - Mention urllib.parse changes in Whats New section for 3.7.11 (GH-26267)
ned-deily
webhook-mailer at python.org
Thu May 20 16:15:10 EDT 2021
https://github.com/python/cpython/commit/c723d5191110f99849f7b0944820f6c3cd5f7747
commit: c723d5191110f99849f7b0944820f6c3cd5f7747
branch: 3.7
author: Senthil Kumaran <senthil at uthcode.com>
committer: ned-deily <nad at python.org>
date: 2021-05-20T16:15:01-04:00
summary:
[3.7] bpo-43882 - Mention urllib.parse changes in Whats New section for 3.7.11 (GH-26267)
Co-authored-by: Gregory P. Smith <greg at krypto.org>
files:
M Doc/whatsnew/3.7.rst
diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst
index 85f924b2e41f3c..2cc380bf5aa6db 100644
--- a/Doc/whatsnew/3.7.rst
+++ b/Doc/whatsnew/3.7.rst
@@ -2594,3 +2594,13 @@ IPv4 address sent from the remote server when setting up a passive data
channel. We reuse the ftp server IP address instead. For unusual code
requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
attribute on your FTP instance to ``True``. (See :issue:`43285`)
+
+
+The presence of newline or tab characters in parts of a URL allows for some
+forms of attacks. Following the WHATWG specification that updates RFC 3986,
+ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
+URL by the parser :func:`urllib.parse` preventing such attacks. The removal
+characters are controlled by a new module level variable
+``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
+
+
More information about the Python-checkins
mailing list