[3.8] bpo-43882 - Mention urllib.parse changes in Whats new section. … · python/cpython@634da2d · GitHub

Commit 634da2d

[3.8] bpo-43882 - Mention urllib.parse changes in Whats new section. (#26277)
1 parent 71ba16b commit 634da2d

1 file changed

+12
-0
lines changed

Doc/whatsnew/3.8.rst

Lines changed: 12 additions & 0 deletions
@@ -2294,4 +2294,16 @@ for and build on the oldest version in the range.
22942294
with fixes by FX Coudert and Eli Rykoff, and backported to 3.8 by Maxime Bélanger
22952295
and Ned Deily)
22962296

2297+
Notable changes in Python 3.8.10
2298+
================================
2299+
2300+
urllib.parse
2301+
------------
2302+
2303+
The presence of newline or tab characters in parts of a URL allows for some
2304+
forms of attacks. Following the WHATWG specification that updates :rfc:`3986`,
2305+
ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
2306+
URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal
2307+
characters are controlled by a new module level variable
2308+
``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
22972309
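
Review bot: the final added sentence (new lines 2306-2308) names the underscore-prefixed ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE`` as the control for this behaviour but does not say whether changing a private module variable is a supported way to adjust it, and its wording "The removal characters are controlled by" is awkward. Suggest "The characters that are stripped are controlled by a new module-level variable ..." plus a short clause on whether the variable is meant to be modified by users. The paragraph would also benefit from a comma before "preventing such attacks", from naming which functions of the parser strip the characters, and from stating that this is a behaviour change for callers whose URLs contain ``\n``, ``\r`` or ``\t``, since "some forms of attacks" gives a reader upgrading to 3.8.10 nothing to check their own code against.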
