From b36311bbfb8efc1de9184e4ff55a82b42e839b8e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 10 Nov 2024 20:13:12 -0500 Subject: [PATCH] Added a warning to the urljoin docs, indicating that it is not safe to use with attacker controlled URLs This was flagged to me at a party today by someone who works in red-teaming as a frequently encountered footgun. Documenting the potentially unexpected behavior seemed like a good place to start. --- Doc/library/urllib.parse.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst index fb5353e1895bf9..69daa381013ae0 100644 --- a/Doc/library/urllib.parse.rst +++ b/Doc/library/urllib.parse.rst @@ -403,6 +403,15 @@ or on combining URL components into a URL string. If you do not want that behavior, preprocess the *url* with :func:`urlsplit` and :func:`urlunsplit`, removing possible *scheme* and *netloc* parts. + .. warning:: + + Because an absolute URL may be passed as the ``url`` parameter, it is + generally **not secure** to use ``urljoin`` with an attacker-controlled + ``url``. For example in, + ``urljoin("https://website.com/users/", username)``, if ``username`` can + contain an absolute URL, the result of ``urljoin`` will be the absolute + URL. + .. versionchanged:: 3.5
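
Review bot: The added warning's example sentence has a misplaced comma ("For example in, ``urljoin(...)``" should read "For example, in ``urljoin(...)``"), and the warning says the call is not secure without telling the reader what to do instead. The unchanged paragraph directly above it already describes the remedy (preprocess the *url* with :func:`urlsplit` and :func:`urlunsplit`, removing possible *scheme* and *netloc* parts), so the warning could refer to that preprocessing explicitly. That paragraph names both *scheme* and *netloc*, while the warning mentions only an absolute URL; consider wording it so that a value supplying only a netloc is covered as well. For consistency with the surrounding text, mark the parameter as *url* and the function as :func:`urljoin` rather than the literals ``url`` and ``urljoin``.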