diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2021-04-29 17:57:31 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-04-29 17:57:31 (GMT) |
| commit | 491fde0161d5e527eeff8586dd3972d7d3a631a7 (patch) | |
| tree | ec36ee7cb682f714570318fd8dc50970018269fd /Misc | |
| parent | 8d47f92d46a92a5931b8f3dcb4a484df672fc4de (diff) | |
| download | cpython-491fde0161d5e527eeff8586dd3972d7d3a631a7.zip cpython-491fde0161d5e527eeff8586dd3972d7d3a631a7.tar.gz cpython-491fde0161d5e527eeff8586dd3972d7d3a631a7.tar.bz2 | |
[3.9] bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25595) (GH-25725)
* bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25595)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4)
Co-authored-by: Senthil Kumaran <skumaran@gatech.edu>
Diffstat (limited to 'Misc')
| -rw-r--r-- | Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst b/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst new file mode 100644 index 0000000..a326d07 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2021-04-25-07-46-37.bpo-43882.Jpwx85.rst @@ -0,0 +1,6 @@ +The presence of newline or tab characters in parts of a URL could allow +some forms of attacks. + +Following the controlling specification for URLs defined by WHATWG +:func:`urllib.parse` now removes ASCII newlines and tabs from URLs, +preventing such attacks. |