python · webob
Heads-up
WebOb 1.8.10 fixes Location header normalization bypass
What changed
WebOb 1.8.10 fixes a bypass of the Location header normalization hardening introduced for GHSA-mg3v-6m49-jhp3. A redirect target containing ASCII tab, carriage return or newline characters could slip past the earlier check; because browsers strip exactly those characters before parsing a URL, the resulting Location header could send users to an attacker-controlled host.
Who it affects
Applications that assign Response.location (the Location header) from user input or other untrusted sources, for example a "next" or "return_to" parameter on a login or OAuth flow.
What to do today
Upgrade to WebOb 1.8.10 or later. Where you cannot upgrade immediately, validate every redirect target before assigning it to Response.location: reject any value containing ASCII tab, carriage return or newline, require an explicit scheme (http:// or https://), and check that the host is one you control. A check that only looks at the first character of the string is not enough, since browsers discard tab and newline before they parse the URL.
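The following is an added example of such a pre-assignment check, written for this note; it is not WebOb's own code and does not reproduce the 1.8.10 fix. The function names `safe_redirect_target`, `browser_view` and `is_safe_redirect`, the allow-list of hosts and the sample targets are all assumptions made for the example. `browser_view` only models the one browser behaviour that matters here, the WHATWG rule that tab, CR and LF are removed from a URL before parsing.

```python
import re
from urllib.parse import urlsplit

# Browsers that follow the WHATWG URL standard remove ASCII tab, CR and LF
# from a URL before parsing it, so "/\t/evil.example" is navigated to as
# "//evil.example": a scheme-relative URL pointing at an attacker's host.
# Backslashes are treated as slashes in http(s) URLs, so they are rejected too.
_BROWSER_STRIPPED = re.compile(r"[\t\r\n]")
_ALLOWED_SCHEMES = frozenset({"http", "https"})


def browser_view(target):
    """Approximate the URL a browser actually follows: drop tab/CR/LF."""
    return _BROWSER_STRIPPED.sub("", target)


def safe_redirect_target(target, request_base, allowed_hosts):
    """Validate a redirect target before it is assigned to Response.location.

    Returns an absolute http(s) URL on an allow-listed host, or raises
    ValueError. Root-relative paths such as "/account" are resolved against
    the request's own scheme and host (request_base); anything else must
    already carry an explicit scheme, as the advisory recommends.
    """
    if not target:
        raise ValueError("empty redirect target")
    # Reject every C0 control character and DEL; this covers \t, \r and \n
    # and does not depend on how urlsplit() treats them on a given Python.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        raise ValueError("control character in redirect target")
    if "\\" in target:
        raise ValueError("backslash in redirect target")

    if target.startswith("/"):
        if target.startswith("//"):
            raise ValueError("scheme-relative URL would change the host")
        base = urlsplit(request_base)
        return f"{base.scheme}://{base.netloc}{target}"

    parts = urlsplit(target)
    if parts.scheme.lower() not in _ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    # hostname excludes userinfo and port, so "https://app.example@evil.example/"
    # is judged by its real host, evil.example.
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"host {host!r} is not allow-listed")
    return target


def is_safe_redirect(target, request_base, allowed_hosts):
    """Boolean form of the check, convenient for tests and logging."""
    try:
        safe_redirect_target(target, request_base, allowed_hosts)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration (hypothetical hosts).
    BASE = "https://app.example/login"
    HOSTS = {"app.example"}
    for candidate in [
        "/account?next=1",
        "https://app.example/settings",
        "//evil.example",
        "/\t/evil.example",
        "\t//evil.example",
        "/\\evil.example",
        "https://evil.example/",
        "javascript:alert(1)",
    ]:
        verdict = "allow " if is_safe_redirect(candidate, BASE, HOSTS) else "reject"
        print(f"{verdict} {candidate!r:28} browser sees {browser_view(candidate)!r}")
```

Assign the value returned by `safe_redirect_target` to `Response.location`, never the raw parameter. Keeping the control-character check separate from URL parsing matters: newer CPython releases strip tab and newline inside `urlsplit()` themselves, so a check that relied on the parsed result would behave differently across interpreter versions.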
Source: GitHub Advisory · webob