diff options
| author | Senthil Kumaran <senthil@uthcode.com> | 2021-04-29 17:16:50 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-04-29 17:16:50 (GMT) |
| commit | 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (patch) | |
| tree | 9a68f606c0d7a11720853a4acaf2b61d718061ac /Lib/urllib | |
| parent | 14fc2bdfab857718429029e53ceffca456178827 (diff) | |
| download | cpython-76cd81d60310d65d01f9d7b48a8985d8ab89c8b4.zip cpython-76cd81d60310d65d01f9d7b48a8985d8ab89c8b4.tar.gz cpython-76cd81d60310d65d01f9d7b48a8985d8ab89c8b4.tar.bz2 | |
bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25595)
* issue43882 - urllib.parse should sanitize urls containing ASCII newline and tabs.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Diffstat (limited to 'Lib/urllib')
| -rw-r--r-- | Lib/urllib/parse.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py index 21cae47..c11c695 100644 --- a/Lib/urllib/parse.py +++ b/Lib/urllib/parse.py @@ -78,6 +78,9 @@ scheme_chars = ('abcdefghijklmnopqrstuvwxyz' '0123456789' '+-.') +# Unsafe bytes to be removed per WHATWG spec +_UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n'] + # XXX: Consider replacing with functools.lru_cache MAX_CACHE_SIZE = 20 _parse_cache = {} @@ -469,6 +472,9 @@ def urlsplit(url, scheme='', allow_fragments=True): else: scheme, url = url[:i].lower(), url[i+1:] + for b in _UNSAFE_URL_BYTES_TO_REMOVE: + url = url.replace(b, "") + if url[:2] == '//': netloc, url = _splitnetloc(url, 2) if (('[' in netloc and ']' not in netloc) or |