| Commit message | Author | Age | Files | Lines |
| |
`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit #25595.
This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/#url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
---------
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
| |
of IPv6 or IPvFuture format (#103849)
* Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format
---------
Co-authored-by: Gregory P. Smith <greg@krypto.org>
| |
Teach unsplit to retain the `"//"` when assembling `itms-services://?action=generate-bugs` style
[Apple Platform Deployment](https://support.apple.com/en-gb/guide/deployment/depce7cefc4d/web) URLs.
| |
an alphabetical ASCII character. (#99421)
Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
The WHATWG URL spec defines a scheme like this:
`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
| |
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
| |
on large input values. Based on Dennis Sweeney's chunking idea.
| |
Switch to lru_cache in urllib.parse.
urllib.parse now uses functools.lru_cache for its internal URL splitting and
quoting caches instead of rolling its own like it's the 90s.
The undocumented internal Quoted class API is now deprecated
as it had no reason to be public and no existing OSS users were found.
The clear_cache() API remains undocumented but gets an explicit test as it
is used in a few projects' (twisted, gevent) tests as well as our own regrtest.
| |
(GH-25921)
| |
tabs. (GH-25595)
* issue43882 - urllib.parse should sanitize urls containing ASCII newline and tabs.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
| |
* coerce bytes separator to string
* Add news
* Update Misc/NEWS.d/next/Library/2021-03-11-00-31-41.bpo-42967.2PeQRw.rst
| |
bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().
urllib.parse will only use "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument separator with default value "&" is added to specify the separator.
Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Éric Araujo <merwok@netwok.org>
| |
* bpo-27657: Fix urlparse() with numeric paths
Revert parsing decision from bpo-754016 in favor of the documented
consensus in bpo-16932 of how to treat strings without a // to
designate the netloc.
* bpo-22891: Remove urlsplit() optimization for 'http' prefixed inputs.
| |
(GH-13017)
| |
(GH-12201)
| |
Adding `max_num_fields` to `cgi.FieldStorage` to make DOS attacks harder by
limiting the number of `MiniFieldStorage` objects created by `FieldStorage`.
| |
{Parse,Split}Result.port (GH-6078)
| |
The current regex based splitting produces a wrong result. For example::

    http://abc#@def

Web browsers parse that URL as ``http://abc/#@def``, that is, the host
is ``abc``, the path is ``/``, and the fragment is ``#@def``.
| |
* correct parse_qs and parse_qsl test case descriptions.
| | |
Patch by Gergely Imreh and Markus Holtermann.
| | |
issue26775 - Improve test coverage for urllib.parse
Patch contributed by Luiz Poleto.
| | |
Patch contributed by Luiz Poleto.
| |
Patch by Martin Panter.
| | |
ParseResult and SplitResult objects.
Patch by Martin Panter.
| | |
ParseResult and SplitResult objects.
Patch by Martin Panter.
| | |
Patch by samwyse, completed by Arnon Yaari, and reviewed by
Martin Panter.
| | |
Patch by Demian Brecht.
| | |
ParseResultBytes, and SplitResultBytes to urllib.parse.__all__.
Patch by Martin Panter.
| | |
These functions are not documented but used in third-party code.
| | |
These functions are not documented but used in third-party code.
| | |
after changes to issue22118 were submitted.
Patch contributed by Demian Brecht and reviewed by Antoine Pitrou.
| |
resolution of relative URLs, rather than RFCs 1808 and 2396.
Patch by Demian Brecht.
| | |
requires them. Disable executable bits and shebang lines in test and
benchmark files in order to prevent using a random system python, and in
source files of modules which don't provide command line interface. Fixed
shebang lines in the unittestgui and checkpip scripts.
| | |
requires them. Disable executable bits and shebang lines in test and
benchmark files in order to prevent using a random system python, and in
source files of modules which don't provide command line interface. Fixed
shebang line to use python3 executable in the unittestgui script.
| |
Original patch by Daniel Wozniak.
| |
stricter.
| | |
basic types (str, bytes, datetime)
in order to make algorithmic complexity attacks on (e.g.) web apps much more complicated.
The environment variable PYTHONHASHSEED and the new command line flag -R control this
behavior.