From: Senthil Kumaran Date: Thu, 20 May 2021 20:16:15 +0000 (-0700) Subject: [3.6] bpo-43882 - Mention urllib.parse changes in Whats New section for 3.6.14 (GH... X-Git-Tag: v3.6.14~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f743e7a4da904f61dfa84cc7d7385e4dcc79ac5;p=thirdparty%2FPython%2Fcpython.git [3.6] bpo-43882 - Mention urllib.parse changes in Whats New section for 3.6.14 (GH-26268) Co-authored-by: Gregory P. Smith --- diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst index 561fb67d6696..c14e790935a2 100644 --- a/Doc/whatsnew/3.6.rst +++ b/Doc/whatsnew/3.6.rst @@ -2481,3 +2481,10 @@ IPv4 address sent from the remote server when setting up a passive data channel. We reuse the ftp server IP address instead. For unusual code requiring the old behavior, set a ``trust_server_pasv_ipv4_address`` attribute on your FTP instance to ``True``. (See :issue:`43285`) + +The presence of newline or tab characters in parts of a URL allows for some +forms of attacks. Following the WHATWG specification that updates RFC 3986, +ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the +URL by the parser :func:`urllib.parse` preventing such attacks. The removal +characters are controlled by a new module level variable +``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)