Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.

Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.

tests/urlpatterns/tests.py

@@ -169,6 +169,19 @@ class SimplifiedURLTests(SimpleTestCase):
         match = p.resolve('space%s/1/' % string.whitespace)
         self.assertEqual(match.kwargs, {'num': 1})
 
+    def test_path_trailing_newlines(self):
+        tests = [
+            '/articles/2003/\n',
+            '/articles/2010/\n',
+            '/en/foo/\n',
+            '/included_urls/extra/\n',
+            '/regex/1/\n',
+            '/users/1/\n',
+        ]
+        for url in tests:
+            with self.subTest(url=url), self.assertRaises(Resolver404):
+                resolve(url)
+
 
 @override_settings(ROOT_URLCONF='urlpatterns.converter_urls')
 class ConverterTests(SimpleTestCase):