rpms/python3.12
14
0
Fork 0
Code Issues Pull Requests Releases Activity

Security fix for CVE-2026-4519

Browse Source 
Resolves: RHEL-158079
This commit is contained in:
Tomáš Hrnčiar 2026-03-27 08:08:44 +01:00
parent 44f9236dc9
commit 6349f8d8e9
2 changed files with 116 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
00478-cve-2026-4519.patch Normal file
View File

@ -0,0 +1,105 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Pinky <pinky00ch@gmail.com>
Date: Wed, 25 Mar 2026 01:02:37 +0530
Subject: 00478: CVE-2026-4519
Reject leading dashes in webbrowser URLs (GH-146360)
(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
Co-authored-by: Seth Michael Larson <seth@python.org>
---
Lib/test/test_webbrowser.py | 5 +++++
Lib/webbrowser.py | 12 ++++++++++++
.../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1 +
3 files changed, 18 insertions(+)
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index 2d695bc883..60f094fd6a 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -59,6 +59,11 @@ def test_open(self):
options=[],
arguments=[URL])
+ def test_reject_dash_prefixes(self):
+ browser = self.browser_class(name=CMD_NAME)
+ with self.assertRaises(ValueError):
+ browser.open(f"--key=val {URL}")
+
class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index 13b9e85f9e..0bdb644d7d 100755
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -158,6 +158,12 @@ def open_new(self, url):
def open_new_tab(self, url):
return self.open(url, 2)
+ @staticmethod
+ def _check_url(url):
+ """Ensures that the URL is safe to pass to subprocesses as a parameter"""
+ if url and url.lstrip().startswith("-"):
+ raise ValueError(f"Invalid URL: {url}")
+
class GenericBrowser(BaseBrowser):
"""Class for all browsers started with a command
@@ -175,6 +181,7 @@ def __init__(self, name):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
try:
@@ -195,6 +202,7 @@ def open(self, url, new=0, autoraise=True):
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
sys.audit("webbrowser.open", url)
+ self._check_url(url)
try:
if sys.platform[:3] == 'win':
p = subprocess.Popen(cmdline)
@@ -260,6 +268,7 @@ def _invoke(self, args, remote, autoraise, url=None):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
if new == 0:
action = self.remote_action
elif new == 1:
@@ -350,6 +359,7 @@ class Konqueror(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
# XXX Currently I know no way to prevent KFM from opening a new win.
if new == 2:
action = "newTab"
@@ -554,6 +564,7 @@ def register_standard_browsers():
class WindowsDefault(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
try:
os.startfile(url)
except OSError:
@@ -638,6 +649,7 @@ def _name(self, val):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
if self.name == 'default':
script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
else:
diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
new file mode 100644
index 0000000000..0f27eae99a
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
@@ -0,0 +1 @@
+Reject leading dashes in URLs passed to :func:`webbrowser.open`

12
python3.12.spec
View File

@ -17,7 +17,7 @@ URL: https://www.python.org/
#global prerel ... #global prerel ...
%global upstream_version %{general_version}%{?prerel} %global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}} Version: %{general_version}%{?prerel:~%{prerel}}
Release: 5%{?dist} Release: 6%{?dist}
License: Python-2.0.1 License: Python-2.0.1
@ -486,6 +486,12 @@ Patch475: 00475-cve-2025-15367.patch
# gh-144125: email: verify headers are sound in BytesGenerator # gh-144125: email: verify headers are sound in BytesGenerator
Patch476: 00476-cve-2026-1299.patch Patch476: 00476-cve-2026-1299.patch
# 00478 # eb93352dc8e31f4d52546b84daad875e6ff7f29e
# CVE-2026-4519
#
# Reject leading dashes in webbrowser URLs (GH-146360)
Patch478: 00478-cve-2026-4519.patch
# (New patches go here ^^^) # (New patches go here ^^^)
# #
# When adding new patches to "python" and "python3" in Fedora, EL, etc., # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1851,6 +1857,10 @@ CheckPython optimized
# ====================================================== # ======================================================
%changelog %changelog
* Fri Mar 27 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.12-6
- Security fix for CVE-2026-4519
Resolves: RHEL-158079
* Mon Mar 09 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.12-5 * Mon Mar 09 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.12-5
- Rebuilding previous fixes for different build target - Rebuilding previous fixes for different build target
Related: RHEL-143057, RHEL-143109, RHEL-144854 Related: RHEL-143057, RHEL-143109, RHEL-144854