From 7d3fe4ef08478f95fccff443b332e5cbcefcf684 Mon Sep 17 00:00:00 2001 From: Senthil Kumaran Date: Thu, 20 May 2021 07:41:46 -0700 Subject: [PATCH 1/3] [3.6] bpo-43882 - Mention urllib.parse changes in Whats New section for 3.6.14 --- Doc/whatsnew/3.6.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst index 561fb67d6696a6..12dfa0e8d4c5db 100644 --- a/Doc/whatsnew/3.6.rst +++ b/Doc/whatsnew/3.6.rst @@ -2481,3 +2481,10 @@ IPv4 address sent from the remote server when setting up a passive data channel. We reuse the ftp server IP address instead. For unusual code requiring the old behavior, set a ``trust_server_pasv_ipv4_address`` attribute on your FTP instance to ``True``. (See :issue:`43285`) + +The presence of newline or tab characters in parts of a URL allows for some +forms of attacks. Following the WHATWG specification that updates RFC 3986, +ASCII newline \n, \r and tab \t characters are stripped from the URL by the +parser :func:`urllib.parse` preventing such attacks. The removal characters are +controlled by module level variable +``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) From 6c022f60f2a43d5aba95f05de09a3b0d1b3f6264 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Thu, 20 May 2021 09:38:54 -0700 Subject: [PATCH 2/3] minor formatting and wording fixup. --- Doc/whatsnew/3.6.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst index 12dfa0e8d4c5db..729500f58edacf 100644 --- a/Doc/whatsnew/3.6.rst +++ b/Doc/whatsnew/3.6.rst 
@@ -2485,6 +2485,6 @@ attribute on your FTP instance to ``True``. (See :issue:`43285`) The presence of newline or tab characters in parts of a URL allows for some forms of attacks. Following the WHATWG specification that updates RFC 3986, ASCII newline \n, \r and tab \t characters are stripped from the URL by the -parser :func:`urllib.parse` preventing such attacks. The removal characters are -controlled by module level variable +parser :func:`urllib.parse` preventing such attacks. The removal characters +are controlled by a new module level variable ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) From f5f2e72862e773e2c9bf9d3175a68c80eeaa9e54 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Thu, 20 May 2021 09:42:35 -0700 Subject: [PATCH 3/3] apply the same formatting as 3.7. --- Doc/whatsnew/3.6.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst index 729500f58edacf..c14e790935a208 100644 --- a/Doc/whatsnew/3.6.rst +++ b/Doc/whatsnew/3.6.rst @@ -2484,7 +2484,7 @@ attribute on your FTP instance to ``True``. (See :issue:`43285`) The presence of newline or tab characters in parts of a URL allows for some forms of attacks. Following the WHATWG specification that updates RFC 3986, -ASCII newline \n, \r and tab \t characters are stripped from the URL by the -parser :func:`urllib.parse` preventing such attacks. The removal characters -are controlled by a new module level variable -``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) +ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the +URL by the parser :func:`urllib.parse` preventing such attacks. The removal +characters are controlled by a new module level variable +``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
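Review bot: In PATCH 1/3, the added line "parser :func:`urllib.parse` preventing such attacks" applies the :func: role to a module name. urllib.parse is a module, so it should be referenced with :mod:`urllib.parse`, or the sentence should name the specific parsing function that does the stripping and keep :func: for that. The same role is carried unchanged through the rewrites in patches 2 and 3, so it is worth fixing in the final text.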
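Review bot: In PATCH 2/3, the reworded line "are controlled by a new module level variable" presents ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE`` as a control knob, but the leading underscore marks the name as private and the text does not say whether modifying it is supported. Either state that it is an internal name that may change without notice, or soften "controlled by" so readers do not treat it as public API. As a style point, "module level" should be hyphenated as "module-level" when used as an adjective.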
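Review bot: In PATCH 3/3, the rewrapped sentence ending "URL by the parser :func:`urllib.parse` preventing such attacks." documents a behaviour change (characters silently stripped from the input) only in terms of the attacks it prevents. Add a short clause telling users that a URL containing ``\n``, ``\r`` or ``\t`` now parses to a different result than before, so callers that validate or compare the original string know to re-check. A comma before "preventing" would also make the sentence easier to read.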