티스토리 수익 글 보기
{{ message }}
bpo-43882 – urllib.parse should sanitize urls containing ASCII newline and tabs.#25595
Merged
orsenthil merged 10 commits intopython:masterfrom Apr 29, 2021
orsenthil:issue43882
Merged
bpo-43882 – urllib.parse should sanitize urls containing ASCII newline and tabs.#25595orsenthil merged 10 commits intopython:masterfrom orsenthil:issue43882
orsenthil merged 10 commits intopython:masterfrom
orsenthil:issue43882
Conversation
Loading
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
bpo-43882: Strip ascii newline and tabs from the url input, following WHATWG specification
Presence newline or tab characters in URL allowed attackers to write scripts in URL, hijack the web-server.
Following the controlling specification for URLs defined by WHATWG urllib.parse strips ASCII newline and tabs from the url, preventing such attacks.
https://bugs.python.org/issue43882