[Python-checkins] [3.10] bpo-43882 - Mention urllib.parse changes in Whats new section. (GH-26275)
orsenthil
webhook-mailer at python.org
Fri May 21 08:29:37 EDT 2021
https://github.com/python/cpython/commit/f14015adf52014c2345522fe32d43f15f001c986
commit: f14015adf52014c2345522fe32d43f15f001c986
branch: 3.10
author: Senthil Kumaran <senthil at python.org>
committer: orsenthil <skumaran at gatech.edu>
date: 2021-05-21T05:29:24-07:00
summary:
[3.10] bpo-43882 - Mention urllib.parse changes in Whats new section. (GH-26275)
* [3.10] bpo-43882 - Mention urllib.parse changes in Whats new section.
* escape the \n chars, ReSTify :rfc:, urllib.parse is a :mod:
* minor formatting.
Co-authored-by: Gregory P. Smith <greg at krypto.org>
files:
M Doc/whatsnew/3.10.rst
diff --git a/Doc/whatsnew/3.10.rst b/Doc/whatsnew/3.10.rst
index 570af7f3b6181..2697cf9b6fe87 100644
--- a/Doc/whatsnew/3.10.rst
+++ b/Doc/whatsnew/3.10.rst
@@ -1337,6 +1337,13 @@ functions internally. For more details, please see their respective
documentation.
(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
+The presence of newline or tab characters in parts of a URL allows for some
+forms of attacks. Following the WHATWG specification that updates :rfc:`3986`,
+ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
+URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal
+characters are controlled by a new module level variable
+``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
+
xml
---
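Review bot: the last added sentence points readers at ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``, an underscore-prefixed name, as the way the stripped characters "are controlled", but does not say whether modifying it is supported. Either state that it is a private implementation detail that may change, or drop the name and keep only the :issue:`43882` reference. "The removal characters" also reads awkwardly; "The characters to remove are controlled by ..." would be clearer, and a comma is needed before "preventing such attacks". The phrase "the parser in :mod:`urllib.parse`" could name the functions whose behaviour changes, so readers can tell whether code that relies on the parsed result matching the input string is affected.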