106 lines
4.0 KiB
Diff
106 lines
4.0 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Pinky <pinky00ch@gmail.com>
|
|
Date: Wed, 25 Mar 2026 01:02:37 +0530
|
|
Subject: 00478: CVE-2026-4519
|
|
|
|
Reject leading dashes in webbrowser URLs (GH-146360)
|
|
|
|
(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
|
|
|
|
Co-authored-by: Seth Michael Larson <seth@python.org>
|
|
---
|
|
Lib/test/test_webbrowser.py | 5 +++++
|
|
Lib/webbrowser.py | 12 ++++++++++++
|
|
.../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1 +
|
|
3 files changed, 18 insertions(+)
|
|
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
|
|
|
|
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
|
|
index 2d695bc883..60f094fd6a 100644
|
|
--- a/Lib/test/test_webbrowser.py
|
|
+++ b/Lib/test/test_webbrowser.py
|
|
@@ -59,6 +59,11 @@ def test_open(self):
|
|
options=[],
|
|
arguments=[URL])
|
|
|
|
+ def test_reject_dash_prefixes(self):
|
|
+ browser = self.browser_class(name=CMD_NAME)
|
|
+ with self.assertRaises(ValueError):
|
|
+ browser.open(f"--key=val {URL}")
|
|
+
|
|
|
|
class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
|
|
|
|
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
|
|
index 13b9e85f9e..0bdb644d7d 100755
|
|
--- a/Lib/webbrowser.py
|
|
+++ b/Lib/webbrowser.py
|
|
@@ -158,6 +158,12 @@ def open_new(self, url):
|
|
def open_new_tab(self, url):
|
|
return self.open(url, 2)
|
|
|
|
+ @staticmethod
|
|
+ def _check_url(url):
|
|
+ """Ensures that the URL is safe to pass to subprocesses as a parameter"""
|
|
+ if url and url.lstrip().startswith("-"):
|
|
+ raise ValueError(f"Invalid URL: {url}")
|
|
+
|
|
|
|
class GenericBrowser(BaseBrowser):
|
|
"""Class for all browsers started with a command
|
|
@@ -175,6 +181,7 @@ def __init__(self, name):
|
|
|
|
def open(self, url, new=0, autoraise=True):
|
|
sys.audit("webbrowser.open", url)
|
|
+ self._check_url(url)
|
|
cmdline = [self.name] + [arg.replace("%s", url)
|
|
for arg in self.args]
|
|
try:
|
|
@@ -195,6 +202,7 @@ def open(self, url, new=0, autoraise=True):
|
|
cmdline = [self.name] + [arg.replace("%s", url)
|
|
for arg in self.args]
|
|
sys.audit("webbrowser.open", url)
|
|
+ self._check_url(url)
|
|
try:
|
|
if sys.platform[:3] == 'win':
|
|
p = subprocess.Popen(cmdline)
|
|
@@ -260,6 +268,7 @@ def _invoke(self, args, remote, autoraise, url=None):
|
|
|
|
def open(self, url, new=0, autoraise=True):
|
|
sys.audit("webbrowser.open", url)
|
|
+ self._check_url(url)
|
|
if new == 0:
|
|
action = self.remote_action
|
|
elif new == 1:
|
|
@@ -350,6 +359,7 @@ class Konqueror(BaseBrowser):
|
|
|
|
def open(self, url, new=0, autoraise=True):
|
|
sys.audit("webbrowser.open", url)
|
|
+ self._check_url(url)
|
|
# XXX Currently I know no way to prevent KFM from opening a new win.
|
|
if new == 2:
|
|
action = "newTab"
|
|
@@ -554,6 +564,7 @@ def register_standard_browsers():
|
|
class WindowsDefault(BaseBrowser):
|
|
def open(self, url, new=0, autoraise=True):
|
|
sys.audit("webbrowser.open", url)
|
|
+ self._check_url(url)
|
|
try:
|
|
os.startfile(url)
|
|
except OSError:
|
|
@@ -638,6 +649,7 @@ def _name(self, val):
|
|
|
|
def open(self, url, new=0, autoraise=True):
|
|
sys.audit("webbrowser.open", url)
|
|
+ self._check_url(url)
|
|
if self.name == 'default':
|
|
script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
|
|
else:
|
|
diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
|
|
new file mode 100644
|
|
index 0000000000..0f27eae99a
|
|
--- /dev/null
|
|
+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
|
|
@@ -0,0 +1 @@
|
|
+Reject leading dashes in URLs passed to :func:`webbrowser.open`
|