| Rev | Line | |
|---|
| [230] | 1 | 1.4.0 -- 2020-04-07
|
|---|
| 2 | -------------------
|
|---|
| 3 |
|
|---|
| 4 | Security
|
|---|
| 5 | ~~~~~~~~
|
|---|
| 6 |
|
|---|
| 7 | - Prevent users from receiving an invalid authority parsed from a malicious
|
|---|
| 8 | URL. Previously we did not stop parsing the authority section at the first
|
|---|
| 9 | backslash (``\\``) character. As a result, it was possible to trick our
|
|---|
| 10 | parser into parsing up to the first forward-slash (``/``) and thus
|
|---|
| 11 | generating an invalid authority.
|
|---|
| 12 |
|
|---|
| 13 | See also `GitHub pr-64`_ and `the blog post that sparked this change`_
|
|---|
| 14 |
|
|---|
| 15 | Bug Fixes and Features
|
|---|
| 16 | ~~~~~~~~~~~~~~~~~~~~~~
|
|---|
| 17 |
|
|---|
| 18 | - Add ``from_uri`` to ``URIBuilder`` to allow creation of a ``URIBuilder``
|
|---|
| 19 | from an existing URI.
|
|---|
| 20 |
|
|---|
| 21 | See also `GitHub pr-63`_
|
|---|
| 22 |
|
|---|
| 23 | - Fix a typographical error in our documentation.
|
|---|
| 24 |
|
|---|
| 25 | See also `GitHub pr-61`_
|
|---|
| 26 |
|
|---|
| 27 | .. links
|
|---|
| 28 |
|
|---|
| 29 | .. _GitHub pr-61:
|
|---|
| 30 | https://github.com/python-hyper/rfc3986/pull/61
|
|---|
| 31 |
|
|---|
| 32 | .. _GitHub pr-63:
|
|---|
| 33 | https://github.com/python-hyper/rfc3986/pull/63
|
|---|
| 34 |
|
|---|
| 35 | .. _GitHub pr-64:
|
|---|
| 36 | https://github.com/python-hyper/rfc3986/pull/64
|
|---|
| 37 |
|
|---|
| 38 | .. _the blog post that sparked this change:
|
|---|
| 39 | https://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/
|
|---|
Note:
See
TracBrowser
for help on using the repository browser.
![(please configure the [header_logo] section in trac.ini)](/pubtrac/Utilities/chrome/site/your_project_logo.png){kind=logo}
