[3.6] bpo-43882 - Mention urllib.parse changes in Whats New section f… · python/cpython@6f743e7 · GitHub

Commit 6f743e7

orsenthil and gpshead authored
[3.6] bpo-43882 - Mention urllib.parse changes in Whats New section for 3.6.14 (GH-26268)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
1 parent f68d2d6 commit 6f743e7


1 file changed: +7 -0 lines changed


Doc/whatsnew/3.6.rst

Lines changed: 7 additions & 0 deletions
@@ -2481,3 +2481,10 @@ IPv4 address sent from the remote server when setting up a passive data
24812481
channel. We reuse the ftp server IP address instead. For unusual code
24822482
requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
24832483
attribute on your FTP instance to ``True``. (See :issue:`43285`)
2484+
2485+
The presence of newline or tab characters in parts of a URL allows for some
2486+
forms of attacks. Following the WHATWG specification that updates RFC 3986,
2487+
ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
2488+
URL by the parser :func:`urllib.parse` preventing such attacks. The removal
2489+
characters are controlled by a new module level variable
2490+
``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
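
Review bot: the cross-reference ``:func:`urllib.parse``` on new line 2488 applies the function role to a module, so it will not link to a function target; use ``:mod:`urllib.parse``` and phrase it as "by the parser in :mod:`urllib.parse`", or name the specific parsing functions that are affected. In the same sentence, "The removal characters are controlled by" reads awkwardly; "The characters to remove are controlled by" is clearer. The paragraph also presents an underscore-prefixed name, ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``, as the way to control the behavior; since the leading underscore marks it as private, the text should say whether changing it is supported or only an escape hatch, in the way the preceding FTP entry words ``trust_server_pasv_ipv4_address`` as being "for unusual code requiring the old behavior".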
