From 0593ae84af9e0e8332644e7ed13d7fd8306c4e1a Mon Sep 17 00:00:00 2001 From: Senthil Kumaran Date: Fri, 21 May 2021 05:30:04 -0700 Subject: [PATCH] [3.9] bpo-43882 - Mention urllib.parse changes in Whats new section. (GH-26276) * [3.9] bpo-43882 - Mention urllib.parse changes in Whats new section. * Add the missing section. --- Doc/whatsnew/3.9.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Doc/whatsnew/3.9.rst b/Doc/whatsnew/3.9.rst index 7f790e5bd7555e..c29715d192f953 100644 --- a/Doc/whatsnew/3.9.rst +++ b/Doc/whatsnew/3.9.rst @@ -1560,3 +1560,17 @@ IPv4 address sent from the remote server when setting up a passive data channel. We reuse the ftp server IP address instead. For unusual code requiring the old behavior, set a ``trust_server_pasv_ipv4_address`` attribute on your FTP instance to ``True``. (See :issue:`43285`) + +Notable changes in Python 3.9.5 +=============================== + +urllib.parse +------------ + +The presence of newline or tab characters in parts of a URL allows for some +forms of attacks. Following the WHATWG specification that updates :rfc:`3986`, +ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the +URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal +characters are controlled by a new module level variable +``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) +