@@ -2481,3 +2481,10 @@ IPv4 address sent from the remote server when setting up a passive data |
|
|
2481 |
2481 |
channel. We reuse the ftp server IP address instead. For unusual code |
2482 |
2482 |
requiring the old behavior, set a ``trust_server_pasv_ipv4_address`` |
2483 |
2483 |
attribute on your FTP instance to ``True``. (See :issue:`43285`) |
|
2484 |
+ |
|
2485 |
+The presence of newline or tab characters in parts of a URL allows for some |
|
2486 |
+forms of attacks. Following the WHATWG specification that updates RFC 3986, |
|
2487 |
+ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the |
|
2488 |
+URL by the parser :func:`urllib.parse` preventing such attacks. The removal |
|
2489 |
+characters are controlled by a new module level variable |
|
2490 |
+``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) |
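Review bot: The added line ``by the parser :func:`urllib.parse` preventing such attacks`` applies the function role to a module name, so the cross-reference will not point at a function. Use :mod:`urllib.parse`, or name the specific parsing functions the stripping applies to. "The removal characters are controlled by" reads awkwardly; "The characters to remove are controlled by" is clearer. The paragraph also documents an underscore-prefixed name, ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``, as the control. Since the underscore marks it as private, the text should say whether users are expected to change it and in which cases that is appropriate.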