author | Senthil Kumaran <senthil@python.org> | 2021-05-20 20:16:15 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-20 20:16:15 (GMT) |
commit | 6f743e7a4da904f61dfa84cc7d7385e4dcc79ac5 (patch) | |
tree | aba16c255460c6a4c620a4edb0846a43021c902f | |
parent | f68d2d69f1da56c2aea1293ecf93ab69a6010ad7 (diff) | |
[3.6] bpo-43882 - Mention urllib.parse changes in Whats New section for 3.6.14 (GH-26268)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
-rw-r--r-- | Doc/whatsnew/3.6.rst | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst index 561fb67..c14e790 100644 --- a/Doc/whatsnew/3.6.rst +++ b/Doc/whatsnew/3.6.rst @@ -2481,3 +2481,10 @@ IPv4 address sent from the remote server when setting up a passive data channel. We reuse the ftp server IP address instead. For unusual code requiring the old behavior, set a ``trust_server_pasv_ipv4_address`` attribute on your FTP instance to ``True``. (See :issue:`43285`) + +The presence of newline or tab characters in parts of a URL allows for some +forms of attacks. Following the WHATWG specification that updates RFC 3986, +ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the +URL by the parser :func:`urllib.parse` preventing such attacks. The removal +characters are controlled by a new module level variable +``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) |
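Review bot: In the added paragraph, the reference :func:`urllib.parse` applies the function role to a module name; use :mod:`urllib.parse`, or name the parsing functions whose behaviour changes. The paragraph is also appended directly after the ftplib ``trust_server_pasv_ipv4_address`` note with no heading or version marker, although the commit title says it is for 3.6.14, so a reader of the rendered page cannot tell which release started stripping ``\n``, ``\r`` and ``\t``; a short heading or a sentence stating the version would fix that. "The removal characters are controlled by" would read more clearly as "The characters to strip are controlled by", and because ``_UNSAFE_URL_BYTES_TO_REMOVE`` carries a leading underscore, the text should say whether changing it is a supported option.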