rpms/python3.11
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Security fix for CVE-2026-4519

Browse Source 
Resolves: RHEL-158053
This commit is contained in:
Lumir Balhar 2026-03-26 11:48:28 +01:00 committed by Charalampos Stratakis
parent 02554ac74f
commit a7c61d424f
2 changed files with 132 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
00478-cve-2026-4519.patch Normal file
View File

@ -0,0 +1,121 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: tomcruiseqi <tom33qi@gmail.com>
Date: Wed, 25 Mar 2026 02:23:28 +0800
Subject: 00478: CVE-2026-4519
Reject leading dashes in webbrowser URLs (GH-143931) (GH-146364)
(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
Co-authored-by: Seth Michael Larson <seth@python.org>
---
Lib/test/test_webbrowser.py | 5 +++++
Lib/webbrowser.py | 14 ++++++++++++++
.../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1 +
3 files changed, 20 insertions(+)
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index 9d608d63a0..0ac985f56c 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -59,6 +59,11 @@ def test_open(self):
options=[],
arguments=[URL])
+ def test_reject_dash_prefixes(self):
+ browser = self.browser_class(name=CMD_NAME)
+ with self.assertRaises(ValueError):
+ browser.open(f"--key=val {URL}")
+
class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index 5d72524c08..0fd0aeb3c1 100755
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -155,6 +155,12 @@ def open_new(self, url):
def open_new_tab(self, url):
return self.open(url, 2)
+ @staticmethod
+ def _check_url(url):
+ """Ensures that the URL is safe to pass to subprocesses as a parameter"""
+ if url and url.lstrip().startswith("-"):
+ raise ValueError(f"Invalid URL: {url}")
+
class GenericBrowser(BaseBrowser):
"""Class for all browsers started with a command
@@ -172,6 +178,7 @@ def __init__(self, name):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
try:
@@ -192,6 +199,7 @@ def open(self, url, new=0, autoraise=True):
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
sys.audit("webbrowser.open", url)
+ self._check_url(url)
try:
if sys.platform[:3] == 'win':
p = subprocess.Popen(cmdline)
@@ -257,6 +265,7 @@ def _invoke(self, args, remote, autoraise, url=None):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
if new == 0:
action = self.remote_action
elif new == 1:
@@ -358,6 +367,7 @@ class Konqueror(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
# XXX Currently I know no way to prevent KFM from opening a new win.
if new == 2:
action = "newTab"
@@ -442,6 +452,7 @@ def _remote(self, action):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
if new:
ok = self._remote("LOADNEW " + url)
else:
@@ -605,6 +616,7 @@ def register_standard_browsers():
class WindowsDefault(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
try:
os.startfile(url)
except OSError:
@@ -637,6 +649,7 @@ def __init__(self, name):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
assert "'" not in url
# hack for local urls
if not ':' in url:
@@ -689,6 +702,7 @@ def _name(self, val):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
if self.name == 'default':
script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
else:
diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
new file mode 100644
index 0000000000..0f27eae99a
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
@@ -0,0 +1 @@
+Reject leading dashes in URLs passed to :func:`webbrowser.open`

12
python3.11.spec
View File

@ -20,7 +20,7 @@ URL: https://www.python.org/
#global prerel ...
%global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}}
Release: 7%{?dist}
Release: 8%{?dist}
License: Python
@ -441,6 +441,12 @@ Patch475: 00475-cve-2025-15367.patch
# gh-144125: email: verify headers are sound in BytesGenerator
Patch476: 00476-cve-2026-1299.patch
# 00478 # 40c5c88950b10eaf1c10c5afcc39887b8e23c997
# CVE-2026-4519
#
# Reject leading dashes in webbrowser URLs (GH-143931) (GH-146364)
Patch478: 00478-cve-2026-4519.patch
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1719,6 +1725,10 @@ CheckPython optimized
# ======================================================
%changelog
* Thu Mar 26 2026 Lumír Balhar <lbalhar@redhat.com> - 3.11.13-8
- Security fix for CVE-2026-4519
Resolves: RHEL-158053
* Mon Mar 09 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.11.13-7
- Rebuilding previous fixes for different build target
Related: RHEL-143110, RHEL-143170, RHEL-144894