bpo-30458: Disallow control chars in http URLs. (GH-12755)

Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
author: Gregory P. Smith <greg@krypto.org> 2019-05-01 02:12:21 (GMT)
committer: GitHub <noreply@github.com> 2019-05-01 02:12:21 (GMT)
commit: c4e671eec20dfcb29b18596a89ef075f826c9f96 (patch)
tree: ed97dd046a1467e029caed8416ed6de7182ef53a /Misc
parent: 5f38b8407b071acd96da2c8cde411d0e26967735 (diff)
download: cpython-c4e671eec20dfcb29b18596a89ef075f826c9f96.zip
cpython-c4e671eec20dfcb29b18596a89ef075f826c9f96.tar.gz
cpython-c4e671eec20dfcb29b18596a89ef075f826c9f96.tar.bz2
1 files changed, 1 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-36276.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-36276.51E-DA.rst
new file mode 100644
index 0000000..4fed4d5
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-36276.51E-DA.rst
@@ -0,0 +1 @@
+Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request.  Such potentially malicious header injection URLs now cause a ValueError to be raised.
+\ No newline at end of file
author	Gregory P. Smith <greg@krypto.org>	2019-05-01 02:12:21 (GMT)
committer	GitHub <noreply@github.com>	2019-05-01 02:12:21 (GMT)
commit	c4e671eec20dfcb29b18596a89ef075f826c9f96 (patch)
tree	ed97dd046a1467e029caed8416ed6de7182ef53a /Misc
parent	5f38b8407b071acd96da2c8cde411d0e26967735 (diff)
download	cpython-c4e671eec20dfcb29b18596a89ef075f826c9f96.zip cpython-c4e671eec20dfcb29b18596a89ef075f826c9f96.tar.gz cpython-c4e671eec20dfcb29b18596a89ef075f826c9f96.tar.bz2