Added a warning to the urljoin docs, indicating that it is not safe to use with attacker-controlled URLs (GH-126659)
This was flagged to me at a party today by someone who works in red-teaming as a frequently encountered footgun. Documenting the potentially unexpected behavior seemed like a good place to start.
(cherry picked from commit d6bcc154e9)
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
gh-120522: Apply App Store compliance patch during installation (GH-121947)
Adds a --with-app-store-compliance configuration option that patches out code known to be an issue with App Store review processes. This option is applied automatically on iOS, and optionally on macOS.
(cherry picked from commit 728432c804)
Co-authored-by: Russell Keith-Magee <russell@keith-magee.com>
This reverts commit 0dfb437a32 prior
to the release of 3.13.0b4 to allow for additional review time.
(cherry picked from commit f27593a87c)
Co-authored-by: Ned Deily <nad@python.org>
gh-120522: Add a `--with-app-store-compliance` configure option to patch out problematic code (GH-120984)
* Add --app-store-compliance configuration option.
* Added blurb.
* Correct tab-vs-spaces formatting issue.
* Correct source file name in docs.
* Correct source code reference in Mac docs
* Only apply the patch forward, and ensure the working directory is correct.
* Make patching resilient to multiple builds.
* Documentation fixes found during review
* Documentation and configure.ac syntax improvements
* Regenerate configure script.
* Silence the patch echo output.
---------
(cherry picked from commit 48cd104b0c)
Co-authored-by: Russell Keith-Magee <russell@keith-magee.com>
Co-authored-by: Nice Zombies <nineteendo19d0@gmail.com>
Co-authored-by: Alyssa Coghlan <ncoghlan@gmail.com>
Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>
gh-120896: Fix typo in version changed note of `urllib.parse.urlparse()` (GH-120898)
(cherry picked from commit b6fa8fe86a)
Co-authored-by: Nice Zombies <nineteendo19d0@gmail.com>
docs: module page titles should not start with a link to themselves (GH-117099)
(cherry picked from commit bcb435ee8f)
Co-authored-by: Ned Batchelder <ned@nedbatchelder.com>
* GH-104554: Add RTSPS support to `urllib/parse.py`
RTSPS is the permanent scheme defined in
https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
alongside RTSP and RTSPU schemes.
* 📜🤖 Added by blurb_it.
---------
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().
urllib.parse will only use "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument separator with default value "&" is added to specify the separator.
Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Éric Araujo <merwok@netwok.org>
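
Added example, not part of the CPython commit above: a check that flags query strings which an "&"-only parser and a parser that also splits on ";" would interpret differently, the disagreement the separator change removes. The helper names `legacy_parse_qsl` and `separator_differential` and the sample query strings are constructed for illustration.

```python
from urllib.parse import parse_qsl


def legacy_parse_qsl(qs):
    """Emulate the earlier default, which split fields on both '&' and ';'.

    Hypothetical helper: split on ';' first, then let the current
    parse_qsl() split each chunk on '&' and decode it as usual.
    """
    return [pair for chunk in qs.split(";") for pair in parse_qsl(chunk)]


def separator_differential(qs):
    """Return {name: (current_value, legacy_value)} for every parameter
    whose effective (last-seen) value differs between the two parsers.

    An empty dict means both parsers agree on the request.
    """
    current = dict(parse_qsl(qs))        # '&' only (current default)
    legacy = dict(legacy_parse_qsl(qs))  # '&' and ';' (earlier default)
    return {
        name: (current.get(name), legacy.get(name))
        for name in sorted(current.keys() | legacy.keys())
        if current.get(name) != legacy.get(name)
    }


if __name__ == "__main__":
    # Constructed sample query strings.
    samples = [
        "q=shoes&page=2",                     # no ';' present: parsers agree
        "q=shoes&utm_content=promo;q=boots",  # ';' hides a second 'q'
    ]
    for qs in samples:
        diff = separator_differential(qs)
        verdict = "DIFFERS" if diff else "consistent"
        print(f"{qs!r}: {verdict} {diff}")

    # The optional argument named in the commit message: callers that
    # really need ';' must now ask for it explicitly.
    print(parse_qsl("a=1;b=2"))                 # one field, value '1;b=2'
    print(parse_qsl("a=1;b=2", separator=";"))  # two fields
```

A front end and a back end that sit on different sides of this change can be audited by running logged query strings through `separator_differential` and reviewing any non-empty result.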
* bpo-16285: Update urllib quoting to RFC 3986
urllib.parse.quote is now based on RFC 3986, and hence
includes `'~'` in the set of characters that is not escaped
by default.
Patch by Christian Theune and Ratnadeep Debnath.