| Commit message | Author | Age | Files | Lines |
(GH-102508) (GH-104575) (GH-104592) (#104593)
gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)
`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.
This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).
I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport. (people will see
that in the mainline /3/ docs)
(cherry picked from commit 2f630e1ce18ad2e07428296532a68b11dc66ad10)
(cherry picked from commit 610cc0ab1b760b2abaac92bd256b96191c46b941)
(cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946)
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>
(#25853)
* Remove the newline, and tab early. From query and fragments.
and tabs. (GH-25595) (GH-25725)
* bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25595)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
(cherry picked from commit 76cd81d60310d65d01f9d7b48a8985d8ab89c8b4)
Co-authored-by: Senthil Kumaran <skumaran@gatech.edu>
* coerce bytes separator to string
* Add news
* Update Misc/NEWS.d/next/Library/2021-03-11-00-31-41.bpo-42967.2PeQRw.rst
(cherry picked from commit b38601d49675d90e1ee6faa47f7adaeca992d02d)
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
* [3.9] bpo-42967: only use '&' as a query string separator (GH-24297)
bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().
urllib.parse will only use "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument separator with default value "&" is added to specify the separator.
Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
- concurrent.futures
- ctypes
- http.cookies
- multiprocessing
- queue
- tempfile
- unittest.case
- urllib.parse
Ignore leading dots and no longer ignore a trailing newline.
* bpo-27657: Fix urlparse() with numeric paths
Revert parsing decision from bpo-754016 in favor of the documented
consensus in bpo-16932 of how to treat strings without a // to
designate the netloc.
* bpo-22891: Remove urlsplit() optimization for 'http' prefixed inputs.
(GH-13017)
Fixes some mistakes and misleading statements in the quote function docstring:
- reserved chars are never actually used by quote code, unreserved chars are
- reserved chars were wrong and incomplete
- mentioned that use-case is not minimal quoting wrt. RFC, but cautious quoting
(GH-12201)
Adding `max_num_fields` to `cgi.FieldStorage` to make DOS attacks harder by
limiting the number of `MiniFieldStorage` objects created by `FieldStorage`.
{Parse,Split}Result.port (GH-6078)
The current regex based splitting produces a wrong result. For example::

    http://abc#@def

Web browsers parse that URL as ``http://abc/#@def``, that is, the host
is ``abc``, the path is ``/``, and the fragment is ``#@def``.
* correct parse_qs and parse_qsl test case descriptions.
* bpo-16285: Update urllib quoting to RFC 3986
urllib.parse.quote is now based on RFC 3986, and hence
includes `'~'` in the set of characters that is not escaped
by default.
Patch by Christian Theune and Ratnadeep Debnath.
Patch by Gergely Imreh and Markus Holtermann.
Remove unnecessary test case comment in urllib.parse.py. These are asserted as test cases.
as test cases.
Patch contributed by Swati Jaiswal.
Patch by Martin Panter.
Patch by samwyse, completed by Arnon Yaari, and reviewed by
Martin Panter.
Patch by Demian Brecht.
ParseResultBytes, and SplitResultBytes to urllib.parse.__all__.
Patch by Martin Panter.
Patch by Wojtek Ruszczewski.
after changes to issue22118 were submitted.
Patch contributed by Demian Brecht and reviewed by Antoine Pitrou.
resolution of relative URLs, rather than RFCs 1808 and 2396.
Patch by Demian Brecht.
class name instead of hardcoded one.
base32, ascii85 and base85 codecs in the base64 module, and delay the
initialization of the unquote_to_bytes() table of the urllib.parse module, to
not waste memory if these modules are not used.
Improve urlencode docstring. Patch by Brian Brazil.
Closes issue #15350
urllib.parse.unquote() and urllib.parse.unquote_to_bytes().
backward compatibility issue, since they have a public-seeming name.