routing match includes newline

CHANGES.rst

@@ -83,6 +83,9 @@ Unreleased
     instead of bytes. :pr:`2337`
 -   ``safe_join`` ensures that the path remains relative if the trusted
     directory is the empty string. :pr:`2349`
+-   Percent-encoded newlines (``%0a``), which are decoded by WSGI
+    servers, are considered when routing instead of terminating the
+    match early. :pr:`2350`
 
 
 Version 2.0.3

src/werkzeug/routing.py

@@ -666,6 +666,11 @@ def foo_with_slug(adapter, id):
         ``wss://``) requests. By default, rules will only match for HTTP
         requests.
 
+    .. versionchanged:: 2.1
+        Percent-encoded newlines (``%0a``), which are decoded by WSGI
+        servers, are considered when routing instead of terminating the
+        match early.
+
     .. versionadded:: 1.0
         Added ``websocket``.
 
@@ -892,7 +897,9 @@ def _build_regex(rule: str) -> None:
         else:
             tail = ""
 
-        regex = f"^{''.join(regex_parts)}{tail}$"
+        # Use \Z instead of $ to avoid matching before a %0a decoded to
+        # a \n by WSGI.
+        regex = rf"^{''.join(regex_parts)}{tail}$\Z"
         self._regex = re.compile(regex)
 
     def match(

tests/test_routing.py

@@ -1346,3 +1346,11 @@ def test_rule_websocket_methods():
             methods=["get", "head", "options", "post"],
         )
     r.Rule("/ws", endpoint="ws", websocket=True, methods=["get", "head", "options"])
+
+
+def test_newline_match():
+    m = r.Map([r.Rule("/hello", endpoint="hello")])
+    a = m.bind("localhost")
+
+    with pytest.raises(r.NotFound):
+        a.match("/hello\n")