urllib: Simplify splithost by calling into urlparse. (#1849)

The current regex based splitting produces a wrong result. For example::

  http://abc#@def

Web browsers parse that URL as ``http://abc/#@def``, that is, the host
is ``abc``, the path is ``/``, and the fragment is ``#@def``.

diff --git a/Misc/ACKS b/Misc/ACKS
index 37905a1..4f98e98 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1091,6 +1091,7 @@
Anthon van der Neut
George Neville-Neil
Hieu Nguyen
+Nam Nguyen
Johannes Nicolai
Samuel Nicolary
Jonathan Niehof
diff --git a/Misc/NEWS b/Misc/NEWS
index 0d1ed64..47f3c37 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -12,7 +12,7 @@
- bpo-30682: Removed a too-strict assertion that failed for certain f-strings,
such as eval("f'\\\n'") and eval("f'\\\r'").
-
+
- bpo-30501: The compiler now produces more optimal code for complex condition
expressions in the "if", "while" and "assert" statement, the "if" expression,
and generator expressions and comprehensions.
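Review bot: The removed and added lines between the bpo-30682 and bpo-30501 entries are both blank, so this hunk changes only whitespace and has nothing to do with splithost. Please drop it so that the Misc/NEWS diff for this security fix contains only the new bpo-30500 entry.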
@@ -365,6 +365,11 @@
Library
-------
+- [Security] bpo-30500: Fix urllib.parse.splithost() to correctly parse
+ fragments. For example, ``splithost('http://127.0.0.1#@evil.com/')`` now
+ correctly returns the ``127.0.0.1`` host, instead of treating ``@evil.com``
+ as the host in an authentification (``login@host``).
+
- bpo-30038: Fix race condition between signal delivery and wakeup file
descriptor. Patch by Nathaniel Smith.
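Review bot: In the last line of the new bpo-30500 entry, "authentification" is a typo for "authentication". The entry would also read more precisely if it said what the old behaviour was in URL terms, for example "instead of treating ``127.0.0.1#`` as the user information and ``evil.com`` as the host (``login@host``)", since as written it names ``@evil.com``, with the ``@`` included, as the host.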