Security fix for CVE-2026-4519

Resolves: RHEL-158029
2026-03-27 08:08:44 +01:00 · 2026-03-27 08:08:44 +01:00 · 9e31bfcd72
commit 9e31bfcd72
parent fdc8b7dbef
2 changed files with 116 additions and 1 deletions
--- a/00478-cve-2026-4519.patch
+++ b/00478-cve-2026-4519.patch
@ -0,0 +1,105 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinky <pinky00ch@gmail.com>
+Date: Wed, 25 Mar 2026 01:02:37 +0530
+Subject: 00478: CVE-2026-4519
+
+Reject leading dashes in webbrowser URLs (GH-146360)
+
+(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+---
+ Lib/test/test_webbrowser.py                          |  5 +++++
+ Lib/webbrowser.py                                    | 12 ++++++++++++
+ .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst   |  1 +
+ 3 files changed, 18 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index 2d695bc883..60f094fd6a 100644
+--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
+@@ -59,6 +59,11 @@ def test_open(self):
+                    options=[],
+                    arguments=[URL])
+ 
+    def test_reject_dash_prefixes(self):
+        browser = self.browser_class(name=CMD_NAME)
+        with self.assertRaises(ValueError):
+            browser.open(f"--key=val {URL}")
+
+ 
+ class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+ 
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 13b9e85f9e..0bdb644d7d 100755
+--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
+@@ -158,6 +158,12 @@ def open_new(self, url):
+     def open_new_tab(self, url):
+         return self.open(url, 2)
+ 
+    @staticmethod
+    def _check_url(url):
+        """Ensures that the URL is safe to pass to subprocesses as a parameter"""
+        if url and url.lstrip().startswith("-"):
+            raise ValueError(f"Invalid URL: {url}")
+
+ 
+ class GenericBrowser(BaseBrowser):
+     """Class for all browsers started with a command
+@@ -175,6 +181,7 @@ def __init__(self, name):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
+        self._check_url(url)
+         cmdline = [self.name] + [arg.replace("%s", url)
+                                  for arg in self.args]
+         try:
+@@ -195,6 +202,7 @@ def open(self, url, new=0, autoraise=True):
+         cmdline = [self.name] + [arg.replace("%s", url)
+                                  for arg in self.args]
+         sys.audit("webbrowser.open", url)
+        self._check_url(url)
+         try:
+             if sys.platform[:3] == 'win':
+                 p = subprocess.Popen(cmdline)
+@@ -260,6 +268,7 @@ def _invoke(self, args, remote, autoraise, url=None):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
+        self._check_url(url)
+         if new == 0:
+             action = self.remote_action
+         elif new == 1:
+@@ -350,6 +359,7 @@ class Konqueror(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
+        self._check_url(url)
+         # XXX Currently I know no way to prevent KFM from opening a new win.
+         if new == 2:
+             action = "newTab"
+@@ -554,6 +564,7 @@ def register_standard_browsers():
+     class WindowsDefault(BaseBrowser):
+         def open(self, url, new=0, autoraise=True):
+             sys.audit("webbrowser.open", url)
+            self._check_url(url)
+             try:
+                 os.startfile(url)
+             except OSError:
+@@ -638,6 +649,7 @@ def _name(self, val):
+ 
+         def open(self, url, new=0, autoraise=True):
+             sys.audit("webbrowser.open", url)
+            self._check_url(url)
+             if self.name == 'default':
+                 script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
+             else:
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+new file mode 100644
+index 0000000000..0f27eae99a
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+@@ -0,0 +1 @@
+Reject leading dashes in URLs passed to :func:`webbrowser.open`
--- a/python3.12.spec
+++ b/python3.12.spec
@ -20,7 +20,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Python-2.0.1


@ -444,6 +444,12 @@ Patch475: 00475-cve-2025-15367.patch
 # gh-144125: email: verify headers are sound in BytesGenerator
 Patch476: 00476-cve-2026-1299.patch

+# 00478 # eb93352dc8e31f4d52546b84daad875e6ff7f29e
+# CVE-2026-4519
+#
+# Reject leading dashes in webbrowser URLs (GH-146360)
+Patch478: 00478-cve-2026-4519.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1934,6 +1940,10 @@ fi
 # ======================================================

 %changelog
+* Fri Mar 27 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.12-4
+- Security fix for CVE-2026-4519
+Resolves: RHEL-158029
+
 * Fri Feb 27 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.12-3
 - Security fixes for CVE-2026-0865, CVE-2025-15366, CVE-2025-15367 and CVE-2026-1299
 Resolves: RHEL-143065