@@ -2594,3 +2594,13 @@ IPv4 address sent from the remote server when setting up a passive data |
|
|
2594 |
2594 |
channel. We reuse the ftp server IP address instead. For unusual code |
2595 |
2595 |
requiring the old behavior, set a ``trust_server_pasv_ipv4_address`` |
2596 |
2596 |
attribute on your FTP instance to ``True``. (See :issue:`43285`) |
|
2597 |
+ |
|
2598 |
+ |
|
2599 |
+The presence of newline or tab characters in parts of a URL allows for some |
|
2600 |
+forms of attacks. Following the WHATWG specification that updates RFC 3986, |
|
2601 |
+ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the |
|
2602 |
+URL by the parser :func:`urllib.parse` preventing such attacks. The removal |
|
2603 |
+characters are controlled by a new module level variable |
|
2604 |
+``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) |
|
2605 |
+ |
|
2606 |
+ |
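Review bot: The added sentence "by the parser :func:`urllib.parse`" applies the function role to what is a module name, so the cross-reference will not resolve to a function; use :mod:`urllib.parse` or name the specific parsing functions that perform the stripping. The following sentence, "The removal characters are controlled by", reads awkwardly; "The characters that are removed are controlled by" would be clearer. The variable it documents, ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``, has a leading underscore, so the entry should say whether users are expected to modify it and what stability is promised. It would also help readers to state that the stripping changes the parsed result for inputs containing these characters, since code that validates a URL string before parsing may see a different value than the parser returns.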