Commit 6f743e7

orsenthil and gpshead authored
[3.6] bpo-43882 - Mention urllib.parse changes in Whats New section for 3.6.14 (GH-26268)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
1 parent f68d2d6 commit 6f743e7

1 file changed

+7
-0
lines changed

Doc/whatsnew/3.6.rst

Lines changed: 7 additions & 0 deletions
@@ -2481,3 +2481,10 @@ IPv4 address sent from the remote server when setting up a passive data
24812481
channel. We reuse the ftp server IP address instead. For unusual code
24822482
requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
24832483
attribute on your FTP instance to ``True``. (See :issue:`43285`)
2484+
2485+
The presence of newline or tab characters in parts of a URL allows for some
2486+
forms of attacks. Following the WHATWG specification that updates RFC 3986,
2487+
ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
2488+
URL by the parser :func:`urllib.parse` preventing such attacks. The removal
2489+
characters are controlled by a new module level variable
2490+
``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
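
Review bot: On added line 2488, the role in :func:`urllib.parse` is wrong because urllib.parse is a module, not a function; use :mod:`urllib.parse`, or name the specific parsing function that performs the stripping. On lines 2488-2489, "The removal characters are controlled by" reads awkwardly; "The characters removed are controlled by" is clearer, and a comma before "preventing such attacks" would help. The entry also presents an underscore-prefixed name, urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE, as the control, so it should say whether changing it is a supported override. Finally, the paragraph is appended directly after the FTP entry with no new heading, while the commit title says it is for 3.6.14; if the FTP entry sits under an earlier release's heading, add a 3.6.14 heading before this text.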
