diff options
author | postmasters <namnguyen@google.com> | 2017-06-20 13:02:44 (GMT) |
---|---|---|
committer | Victor Stinner <victor.stinner@gmail.com> | 2017-06-20 13:02:44 (GMT) |
commit | 90e01e50ef8a9e6c91f30d965563c378a4ad26de (patch) | |
tree | e467f98aa737fb5c517df080f25d7734d81a5d55 /Misc/NEWS | |
parent | 5cc7ac24da10568d2a910a91a24183b904118cf8 (diff) | |
download | cpython-90e01e50ef8a9e6c91f30d965563c378a4ad26de.zip cpython-90e01e50ef8a9e6c91f30d965563c378a4ad26de.tar.gz cpython-90e01e50ef8a9e6c91f30d965563c378a4ad26de.tar.bz2 |
urllib: Simplify splithost by calling into urlparse. (#1849)
The current regex based splitting produces a wrong result. For example::
http://abc#@def
Web browsers parse that URL as ``http://abc/#@def``, that is, the host
is ``abc``, the path is ``/``, and the fragment is ``#@def``.
Diffstat (limited to 'Misc/NEWS')
-rw-r--r-- | Misc/NEWS | 7 |
1 files changed, 6 insertions, 1 deletions
@@ -12,7 +12,7 @@ Core and Builtins - bpo-30682: Removed a too-strict assertion that failed for certain f-strings, such as eval("f'\\\n'") and eval("f'\\\r'"). - + - bpo-30501: The compiler now produces more optimal code for complex condition expressions in the "if", "while" and "assert" statement, the "if" expression, and generator expressions and comprehensions. @@ -365,6 +365,11 @@ Extension Modules Library ------- +- [Security] bpo-30500: Fix urllib.parse.splithost() to correctly parse + fragments. For example, ``splithost('http://127.0.0.1#@evil.com/')`` now + correctly returns the ``127.0.0.1`` host, instead of treating ``@evil.com`` + as the host in an authentification (``login@host``). + - bpo-30038: Fix race condition between signal delivery and wakeup file descriptor. Patch by Nathaniel Smith. |