diff options
| author | Senthil Kumaran <senthil@python.org> | 2021-06-28 10:05:21 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-06-28 10:05:21 (GMT) |
| commit | 634da2de88af06eb8c6ebdb90d8c00005847063d (patch) | |
| tree | 63fc580d7714e81a67b1efe6d3a859046e0d0d76 | |
| parent | 71ba16b21cb35923098026117b5e6d823c5f5707 (diff) | |
| download | cpython-634da2de88af06eb8c6ebdb90d8c00005847063d.zip cpython-634da2de88af06eb8c6ebdb90d8c00005847063d.tar.gz cpython-634da2de88af06eb8c6ebdb90d8c00005847063d.tar.bz2 | |
[3.8] bpo-43882 - Mention urllib.parse changes in Whats new section. (#26277)
| -rw-r--r-- | Doc/whatsnew/3.8.rst | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/Doc/whatsnew/3.8.rst b/Doc/whatsnew/3.8.rst index 6c30ac1..109a06e 100644 --- a/Doc/whatsnew/3.8.rst +++ b/Doc/whatsnew/3.8.rst @@ -2294,4 +2294,16 @@ for and build on the oldest version in the range. with fixes by FX Coudert and Eli Rykoff, and backported to 3.8 by Maxime BĂ©langer and Ned Deily) +Notable changes in Python 3.8.10 +================================ + +urllib.parse +------------ + +The presence of newline or tab characters in parts of a URL allows for some +forms of attacks. Following the WHATWG specification that updates :rfc:`3986`, +ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the +URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal +characters are controlled by a new module level variable +``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) |