From 3afcf187ae45b8eced2c1d2b32dbd84d43a8a4af Mon Sep 17 00:00:00 2001 From: Senthil Kumaran Date: Thu, 20 May 2021 07:06:48 -0700 Subject: [PATCH 1/2] Add What's New for bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs --- Doc/whatsnew/3.7.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst index 85f924b2e41f3c..89f9030fd37263 100644 --- a/Doc/whatsnew/3.7.rst +++ b/Doc/whatsnew/3.7.rst @@ -2594,3 +2594,13 @@ IPv4 address sent from the remote server when setting up a passive data channel. We reuse the ftp server IP address instead. For unusual code requiring the old behavior, set a ``trust_server_pasv_ipv4_address`` attribute on your FTP instance to ``True``. (See :issue:`43285`) + + +The presence of newline or tab characters in parts of a URL allows for some +forms of attacks. Following the WHATWG specification that updates RFC 3986, +ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the +URL by the parser :func:`urllib.parse` preventing such attacks. The removal +characters are controlled by module level variable +``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) + + From 5aec800c93d1387f9d73ee3f85c4538b3cc3396e Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Thu, 20 May 2021 09:41:49 -0700 Subject: [PATCH 2/2] add "a new" --- Doc/whatsnew/3.7.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst index 89f9030fd37263..2cc380bf5aa6db 100644 --- a/Doc/whatsnew/3.7.rst +++ b/Doc/whatsnew/3.7.rst 
@@ -2600,7 +2600,7 @@ The presence of newline or tab characters in parts of a URL allows for some forms of attacks. Following the WHATWG specification that updates RFC 3986, ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL by the parser :func:`urllib.parse` preventing such attacks. The removal -characters are controlled by module level variable +characters are controlled by a new module level variable ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
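Review bot: In the first hunk (the ten-line addition to Doc/whatsnew/3.7.rst) the new paragraph uses the wrong Sphinx role: ``:func:`urllib.parse``` names a module, not a function, so the cross-reference will not resolve; use ``:mod:`urllib.parse``` or name the actual parsing functions, for example ``:func:`urllib.parse.urlsplit```. The phrase "The removal characters are controlled by" also reads awkwardly and would be clearer as "The characters to be removed are controlled by". Finally, the hunk appends two bare ``+`` blank lines after the ``(See :issue:`43882`)`` line, leaving trailing empty lines at the end of the file; one trailing newline is enough.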
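Review bot: In the second hunk the only change is inserting "a new" before "module level variable", which is a correct wording fix, but the same sentence still advertises ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``, a leading-underscore (private) name, as the way to control the stripped characters. Since this is the What's New document, consider stating that the variable is an implementation detail not covered by backwards-compatibility guarantees, or rewording so readers are not encouraged to depend on it; the ``:func:`urllib.parse``` role issue from the first hunk is also still present on the unchanged context lines and could be fixed in this same follow-up commit.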