bpo-43882 - urllib.parse should sanitize urls containing ASCII newline and tabs. by orsenthil · Pull Request #25595 · python/cpython

bpo-43882: Strip ASCII newline and tabs from the URL input, following the WHATWG specification

The presence of newline or tab characters in a URL allowed attackers to write scripts in the URL and hijack the web server.

Following the controlling specification for URLs defined by WHATWG, urllib.parse strips ASCII newline and tabs from the URL, preventing such attacks.

https://bugs.python.org/issue43882
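The stripping behaviour described above, as an added example that is not code from this pull request: it shows why a validator has to remove ASCII tab, CR and LF before judging the scheme, so that it sees the same URL a WHATWG-conforming client would. The helper names, the allowed-scheme policy and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Characters the WHATWG URL spec removes from input before parsing.
# (Hypothetical constant name, chosen for this example.)
UNSAFE_URL_CHARS = ("\t", "\r", "\n")
ALLOWED_SCHEMES = {"http", "https"}  # assumed policy for this example
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def strip_unsafe(url: str) -> str:
    """Remove ASCII tab, CR and LF wherever they occur in the URL."""
    for ch in UNSAFE_URL_CHARS:
        url = url.replace(ch, "")
    return url


def scheme_without_stripping(url: str) -> str:
    """Scheme as seen by a parser that leaves tab/newline in place."""
    m = _SCHEME_RE.match(url)
    return m.group(1).lower() if m else ""


def scheme_after_stripping(url: str) -> str:
    """Scheme as seen once the input is normalized the WHATWG way."""
    return urlsplit(strip_unsafe(url)).scheme


def link_allowed(url: str) -> bool:
    """Allow relative links and http(s) only, judged on the stripped URL."""
    scheme = scheme_after_stripping(url)
    return scheme == "" or scheme in ALLOWED_SCHEMES


# Constructed sample inputs (not taken from the bug report).
SAMPLES = [
    "https://example.test/pa\tth?q=1",
    "java\tscript:void(0)",
    "/docs/\nindex.html",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(repr(raw),
              "unstripped scheme:", repr(scheme_without_stripping(raw)),
              "stripped scheme:", repr(scheme_after_stripping(raw)),
              "allowed:", link_allowed(raw))
```

The second sample is the mismatch case: without stripping it looks like a scheme-less relative link, while after stripping its scheme is outside the allowed set and the link is rejected.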