From aec8115a1f6b0a4bb662072053dc7a7e90f35962 Mon Sep 17 00:00:00 2001 From: Senthil Kumaran Date: Thu, 20 May 2021 18:32:49 -0700 Subject: [PATCH 1/2] [3.9] bpo-43882 - Mention urllib.parse changes in Whats new section. --- Doc/whatsnew/3.9.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Doc/whatsnew/3.9.rst b/Doc/whatsnew/3.9.rst index 7f790e5bd7555e..9ec307120eb511 100644 --- a/Doc/whatsnew/3.9.rst +++ b/Doc/whatsnew/3.9.rst @@ -1560,3 +1560,14 @@ IPv4 address sent from the remote server when setting up a passive data channel. We reuse the ftp server IP address instead. For unusual code requiring the old behavior, set a ``trust_server_pasv_ipv4_address`` attribute on your FTP instance to ``True``. (See :issue:`43285`) + +Notable changes in Python 3.9.5 +=============================== + +The presence of newline or tab characters in parts of a URL allows for some +forms of attacks. Following the WHATWG specification that updates :rfc:`3986`, +ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the +URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal +characters are controlled by a new module level variable +``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`) + From f63cbc9741a11c950982ccb44b50076c59f53236 Mon Sep 17 00:00:00 2001 From: Senthil Kumaran Date: Thu, 20 May 2021 18:41:10 -0700 Subject: [PATCH 2/2] Add the missing section. --- Doc/whatsnew/3.9.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Doc/whatsnew/3.9.rst b/Doc/whatsnew/3.9.rst index 9ec307120eb511..c29715d192f953 100644 --- a/Doc/whatsnew/3.9.rst +++ b/Doc/whatsnew/3.9.rst 
@@ -1564,6 +1564,9 @@ attribute on your FTP instance to ``True``. (See :issue:`43285`) Notable changes in Python 3.9.5 =============================== +urllib.parse +------------ + The presence of newline or tab characters in parts of a URL allows for some forms of attacks. Following the WHATWG specification that updates :rfc:`3986`, ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
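Review bot: in the paragraph added by patch 1/2 under "Notable changes in Python 3.9.5", the last sentence presents ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE`` as the control for the stripped characters, but the leading underscore marks the name as private and the entry does not say whether changing it is supported. Suggest stating that explicitly, and saying that this is a behaviour change for callers whose URLs contain ``\n``, ``\r`` or ``\t`` and who relied on those characters being preserved. The entry would also be easier to act on if it named which :mod:`urllib.parse` functions strip the characters, rather than "the parser". Wording: "The removal characters are controlled by" reads better as "The characters to strip are controlled by", and a comma is needed before "preventing such attacks".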
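Review bot: the ``urllib.parse`` subsection heading added in patch 2/2, directly below the "Notable changes in Python 3.9.5" title, only completes the section introduced in patch 1/2, so the two commits are better squashed into one so that the history never contains the section without its module heading. If they stay separate, the subject "Add the missing section." should name the file or module it touches, since on its own it does not say which section was missing.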