The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient
regular expression which can be exploited by an attacker to cause a denial of service.
Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben
Caller and Matt Schwager.
Disallow control characters in hostnames in http.client, addressing CVE-2019-18348.
Such potentially malicious header injection URLs now cause a InvalidURL to be raised.
Disallow CR or LF in email.headerregistry.Address arguments to guard against header
injection attacks.