@@ -2294,4 +2294,16 @@ for and build on the oldest version in the range. |
|
|
2294 |
2294 |
with fixes by FX Coudert and Eli Rykoff, and backported to 3.8 by Maxime Bélanger |
2295 |
2295 |
and Ned Deily) |
2296 |
2296 |
|
|
2297 |
+Notable changes in Python 3.8.10 |
|
2298 |
+================================ |
|
2299 |
+ |
|
2300 |
+urllib.parse |
|
2301 |
+------------ |
|
2302 |
+ |
|
2303 |
+The presence of newline or tab characters in parts of a URL allows for some |
|
2304 |
+forms of attacks. Following the WHATWG specification that updates :rfc:`3986`, |
|
2305 |
+ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the |
|
2306 |
+URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal |
|
2307 |
+characters are controlled by a new module level variable |
|
2308 |
+``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) |
2297 |
2309 |
|
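Review bot: In the added urllib.parse paragraph, the sentence "The removal characters are controlled by a new module level variable" is ungrammatical, and it points readers at an underscore-prefixed name, ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``, without saying whether changing it is supported. Suggest "The characters that are removed are controlled by a new module-level variable" plus one sentence on whether users are expected to modify it. The paragraph also refers only to "the parser in :mod:`urllib.parse`" and "some forms of attacks". Naming the affected functions, and noting that the parsed result can now differ from the input string, would help callers who validate a URL before parsing it.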