@@ -11,7 +11,7 @@ msgid ""
1111msgstr ""
1212"Project-Id-Version : Python 3.11\n "
1313"Report-Msgid-Bugs-To : \n "
14- "POT-Creation-Date : 2023-05-08 19:31 +0000\n "
14+ "POT-Creation-Date : 2023-05-18 02:02 +0000\n "
1515"PO-Revision-Date : 2021-06-28 01:17+0000\n "
1616"
Last-Translator :
Maciej Olko <[email protected] >, 2023\n "
1717"Language-Team : Polish (https://app.transifex.com/python-doc/teams/5390/pl/)\n "
@@ -218,6 +218,11 @@ msgid ""
218218"object replacing specified fields with new values."
219219msgstr ""
220220
221+ msgid ""
222+ ":func:`urlparse` does not perform validation. See :ref:`URL parsing "
223+ "security <url-parsing-security>` for details."
224+ msgstr ""
225+
221226msgid "Added IPv6 URL parsing capabilities."
222227msgstr ""
223228
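Review bot: The new entry at 221-224 is committed with an empty `msgstr ""`, so the only notice in the urlparse section that the function performs no validation will fall back to the English msgid in the Polish build. When it is translated, keep the :func:`urlparse` role and the `<url-parsing-security>` target of the :ref: role unchanged and translate only the link text "URL parsing security", otherwise the cross-reference to the new security section will not resolve.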
@@ -327,13 +332,23 @@ msgid ""
327332msgstr ""
328333
329334msgid ""
330- "Following the `WHATWG spec`_ that updates RFC 3986, ASCII newline ``\\ n``, "
331- "``\\ r`` and tab ``\\ t`` characters are stripped from the URL."
335+ "Following some of the `WHATWG spec`_ that updates RFC 3986, leading C0 "
336+ "control and space characters are stripped from the URL. ``\\ n``, ``\\ r`` and "
337+ "tab ``\\ t`` characters are removed from the URL at any position."
338+ msgstr ""
339+
340+ msgid ""
341+ ":func:`urlsplit` does not perform validation. See :ref:`URL parsing "
342+ "security <url-parsing-security>` for details."
332343msgstr ""
333344
334345msgid "ASCII newline and tab characters are stripped from the URL."
335346msgstr ""
336347
348+ msgid ""
349+ "Leading WHATWG C0 control and space characters are stripped from the URL."
350+ msgstr ""
351+
337352msgid ""
338353"Combine the elements of a tuple as returned by :func:`urlsplit` into a "
339354"complete URL as a string. The *parts* argument can be any five-item "
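Review bot: The rewritten msgid at 335-337 now separates two behaviours, "leading C0 control and space characters are stripped" versus `\n`, `\r` and tab "removed from the URL at any position", and its msgstr at 338 is empty. The translation needs to preserve that leading versus any-position distinction precisely, since code that filters URLs depends on it. The same applies to the versionchanged string at 348-349. Also note that the unchanged `msgstr ""` at 343 now belongs to the new urlsplit no-validation msgid at 340-342 rather than to the removed text, so that warning is untranslated as well.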
@@ -396,6 +411,42 @@ msgid ""
396411"without changes."
397412msgstr ""
398413
414+ msgid "URL parsing security"
415+ msgstr ""
416+
417+ msgid ""
418+ "The :func:`urlsplit` and :func:`urlparse` APIs do not perform **validation** "
419+ "of inputs. They may not raise errors on inputs that other applications "
420+ "consider invalid. They may also succeed on some inputs that might not be "
421+ "considered URLs elsewhere. Their purpose is for practical functionality "
422+ "rather than purity."
423+ msgstr ""
424+
425+ msgid ""
426+ "Instead of raising an exception on unusual input, they may instead return "
427+ "some component parts as empty strings. Or components may contain more than "
428+ "perhaps they should."
429+ msgstr ""
430+
431+ msgid ""
432+ "We recommend that users of these APIs where the values may be used anywhere "
433+ "with security implications code defensively. Do some verification within "
434+ "your code before trusting a returned component part. Does that ``scheme`` "
435+ "make sense? Is that a sensible ``path``? Is there anything strange about "
436+ "that ``hostname``? etc."
437+ msgstr ""
438+
439+ msgid ""
440+ "What constitutes a URL is not universally well defined. Different "
441+ "applications have different needs and desired constraints. For instance the "
442+ "living `WHATWG spec`_ describes what user facing web clients such as a web "
443+ "browser require. While :rfc:`3986` is more general. These functions "
444+ "incorporate some aspects of both, but cannot be claimed compliant with "
445+ "either. The APIs and existing user code with expectations on specific "
446+ "behaviors predate both standards leading us to be very cautious about making "
447+ "API behavior changes."
448+ msgstr ""
449+
399450msgid "Parsing ASCII Encoded Bytes"
400451msgstr ""
401452
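Review bot: Every msgid in the new "URL parsing security" section (414-448) has an empty msgstr, and this section is the target of the :ref: links added for urlparse and urlsplit, so Polish readers following those links land on English-only text. I would prioritise these five entries for translation. When translating the paragraph at 431-436, leave the ``scheme``, ``path`` and ``hostname`` literals as they are, and in 439-447 keep the `WHATWG spec`_ reference and the :rfc:`3986` role unchanged so the markup still builds.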