[3.7] bpo-43882 - Mention urllib.parse changes in Whats New section for 3.7.11 (GH...

author Senthil Kumaran <senthil@uthcode.com>

Thu, 20 May 2021 20:15:01 +0000 (13:15 -0700)

committer GitHub <noreply@github.com>

Thu, 20 May 2021 20:15:01 +0000 (16:15 -0400)
author Senthil Kumaran <senthil@uthcode.com>
Thu, 20 May 2021 20:15:01 +0000 (13:15 -0700)
committer GitHub <noreply@github.com>
Thu, 20 May 2021 20:15:01 +0000 (16:15 -0400)
diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst

index 85f924b2e41f3c1f47f0d39ca88d972c2dcfa2b8..2cc380bf5aa6dba144913c2afb29adabf7bcdc03 100644 (file)
--- a/Doc/whatsnew/3.7.rst
+++ b/Doc/whatsnew/3.7.rst
@@ -2594,3 +2594,13 @@ IPv4 address sent from the remote server when setting up a passive data
  channel.  We reuse the ftp server IP address instead.  For unusual code
  requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
  attribute on your FTP instance to ``True``.  (See :issue:`43285`)
+
+
+The presence of newline or tab characters in parts of a URL allows for some
+forms of attacks. Following the WHATWG specification that updates RFC 3986,
+ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
+URL by the parser :func:`urllib.parse` preventing such attacks. The removal
+characters are controlled by a new module level variable
+``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
+
+
author	Senthil Kumaran <senthil@uthcode.com>
	Thu, 20 May 2021 20:15:01 +0000 (13:15 -0700)
committer	GitHub <noreply@github.com>
	Thu, 20 May 2021 20:15:01 +0000 (16:15 -0400)