From 4b672cbb93cd00bc7f9580b08e1445237c2d35c7 Mon Sep 17 00:00:00 2001 From: Senthil Kumaran Date: Thu, 20 May 2021 17:50:31 -0700 Subject: [PATCH 1/3] [3.10] bpo-43882 - Mention urllib.parse changes in Whats new section. --- Doc/whatsnew/3.10.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Doc/whatsnew/3.10.rst b/Doc/whatsnew/3.10.rst index 570af7f3b61814..ea2f1fcad62fd1 100644 --- a/Doc/whatsnew/3.10.rst +++ b/Doc/whatsnew/3.10.rst @@ -1337,6 +1337,13 @@ functions internally. For more details, please see their respective documentation. (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.) +The presence of newline or tab characters in parts of a URL allows for some +forms of attacks. Following the WHATWG specification that updates RFC 3986, +ASCII newline \n, \r and tab \t characters are stripped from the URL by the +parser :func:`urllib.parse` preventing such attacks. The removal characters are +controlled by a new module level variable +urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE. (See :issue:`43882`) + xml --- From 6227fcfb406c6d8a5d2a5d8f4179345b2e5d6a61 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Thu, 20 May 2021 17:58:24 -0700 Subject: [PATCH 2/3] escape the \n chars, ReSTify :rfc:, urllib.parse is a :mod: --- Doc/whatsnew/3.10.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Doc/whatsnew/3.10.rst b/Doc/whatsnew/3.10.rst index ea2f1fcad62fd1..c2cc15f510dc6a 100644 --- a/Doc/whatsnew/3.10.rst +++ b/Doc/whatsnew/3.10.rst 
@@ -1338,11 +1338,11 @@ documentation. (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.) The presence of newline or tab characters in parts of a URL allows for some -forms of attacks. Following the WHATWG specification that updates RFC 3986, -ASCII newline \n, \r and tab \t characters are stripped from the URL by the -parser :func:`urllib.parse` preventing such attacks. The removal characters are -controlled by a new module level variable -urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE. (See :issue:`43882`) +forms of attacks. Following the WHATWG specification that updates :rfc:`3986`, +ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL +by the parser in :mod:`urllib.parse` preventing such attacks. The removal +characters are controlled by a new module level variable +``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) xml --- From bd97122b3dcdcaf2706a75304acf48e2cf35f9d1 Mon Sep 17 00:00:00 2001 From: Senthil Kumaran Date: Thu, 20 May 2021 18:26:32 -0700 Subject: [PATCH 3/3] minor formatting. --- Doc/whatsnew/3.10.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Doc/whatsnew/3.10.rst b/Doc/whatsnew/3.10.rst index c2cc15f510dc6a..2697cf9b6fe873 100644 --- a/Doc/whatsnew/3.10.rst +++ b/Doc/whatsnew/3.10.rst @@ -1339,8 +1339,8 @@ documentation. The presence of newline or tab characters in parts of a URL allows for some forms of attacks. Following the WHATWG specification that updates :rfc:`3986`, -ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the URL -by the parser in :mod:`urllib.parse` preventing such attacks. The removal +ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the +URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal characters are controlled by a new module level variable ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)
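
Review bot: In PATCH 1/3, the last added sentence points readers at urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE, a name with a leading underscore, without saying whether changing it is supported. Either state that it is a private implementation detail that may change, or leave it out of the What's New entry and keep only the :issue:`43882` reference. The same hunk also marks the module up as :func:`urllib.parse` and leaves \n, \r and \t as bare backslash sequences; both are corrected in 2/3, so the two commits could be folded together.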
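
Review bot: In PATCH 2/3, the rewritten sentence "are stripped from the URL by the parser in :mod:`urllib.parse` preventing such attacks" names the module but not which parsing functions do the stripping, and "preventing such attacks" reads as a blanket guarantee. Name the affected functions with :func: roles and say that the characters are removed from the parsed result, so readers know the returned components can differ from the string they passed in. Two wording fixes in the same lines: add a comma before "preventing", and replace "The removal characters" with "The characters that are removed".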
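
Review bot: PATCH 3/3 can be squashed into 2/3, since its only hunk moves the word "URL" from the end of one added line to the start of the next and changes no wording. Keeping the series as one documentation commit would leave a single change to track on the [3.10] branch named in the 1/3 subject.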