Security fix for CVE-2026-4519

Resolves: RHEL-158114
2026-03-26 09:12:33 +01:00 · 2026-03-26 09:12:33 +01:00 · 2dad57ee32
commit 2dad57ee32
parent f02202cb27
2 changed files with 125 additions and 1 deletions
--- a/00478-cve-2026-4519.patch
+++ b/00478-cve-2026-4519.patch
@ -0,0 +1,114 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Tue, 24 Mar 2026 00:16:27 +0100
+Subject: 00478: CVE-2026-4519
+
+Reject leading dashes in webbrowser URLs (GH-146214)
+
+(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+---
+ Lib/test/test_webbrowser.py                         |  5 +++++
+ Lib/webbrowser.py                                   | 13 +++++++++++++
+ .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst  |  1 +
+ 3 files changed, 19 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index 4c3ea1cd8d..22e9d7493a 100644
+--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
+@@ -67,6 +67,11 @@ def test_open(self):
+                    options=[],
+                    arguments=[URL])
+ 
+    def test_reject_dash_prefixes(self):
+        browser = self.browser_class(name=CMD_NAME)
+        with self.assertRaises(ValueError):
+            browser.open(f"--key=val {URL}")
+
+ 
+ class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+ 
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index f2e2394089..9ead2990e8 100644
+--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
+@@ -163,6 +163,12 @@ def open_new(self, url):
+     def open_new_tab(self, url):
+         return self.open(url, 2)
+ 
+    @staticmethod
+    def _check_url(url):
+        """Ensures that the URL is safe to pass to subprocesses as a parameter"""
+        if url and url.lstrip().startswith("-"):
+            raise ValueError(f"Invalid URL: {url}")
+
+ 
+ class GenericBrowser(BaseBrowser):
+     """Class for all browsers started with a command
+@@ -180,6 +186,7 @@ def __init__(self, name):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
+        self._check_url(url)
+         cmdline = [self.name] + [arg.replace("%s", url)
+                                  for arg in self.args]
+         try:
+@@ -200,6 +207,7 @@ def open(self, url, new=0, autoraise=True):
+         cmdline = [self.name] + [arg.replace("%s", url)
+                                  for arg in self.args]
+         sys.audit("webbrowser.open", url)
+        self._check_url(url)
+         try:
+             if sys.platform[:3] == 'win':
+                 p = subprocess.Popen(cmdline)
+@@ -266,6 +274,7 @@ def _invoke(self, args, remote, autoraise, url=None):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
+        self._check_url(url)
+         if new == 0:
+             action = self.remote_action
+         elif new == 1:
+@@ -357,6 +366,7 @@ class Konqueror(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
+        self._check_url(url)
+         # XXX Currently I know no way to prevent KFM from opening a new win.
+         if new == 2:
+             action = "newTab"
+@@ -588,6 +598,7 @@ def register_standard_browsers():
+     class WindowsDefault(BaseBrowser):
+         def open(self, url, new=0, autoraise=True):
+             sys.audit("webbrowser.open", url)
+            self._check_url(url)
+             try:
+                 os.startfile(url)
+             except OSError:
+@@ -608,6 +619,7 @@ def __init__(self, name='default'):
+ 
+         def open(self, url, new=0, autoraise=True):
+             sys.audit("webbrowser.open", url)
+            self._check_url(url)
+             url = url.replace('"', '%22')
+             if self.name == 'default':
+                 proto, _sep, _rest = url.partition(":")
+@@ -664,6 +676,7 @@ def open(self, url, new=0, autoraise=True):
+     class IOSBrowser(BaseBrowser):
+         def open(self, url, new=0, autoraise=True):
+             sys.audit("webbrowser.open", url)
+            self._check_url(url)
+             # If ctypes isn't available, we can't open a browser
+             if objc is None:
+                 return False
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+new file mode 100644
+index 0000000000..0f27eae99a
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+@@ -0,0 +1 @@
+Reject leading dashes in URLs passed to :func:`webbrowser.open`
--- a/python3.14.spec
+++ b/python3.14.spec
@ -49,7 +49,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Python-2.0.1


@ -438,6 +438,12 @@ Patch475: 00475-cve-2025-15367.patch
 # direct call to the check function.
 Patch477: 00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch

+# 00478 # d9d794656850591a4e6aeddcf853505aeea08028
+# CVE-2026-4519
+#
+# Reject leading dashes in webbrowser URLs (GH-146214)
+Patch478: 00478-cve-2026-4519.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1975,6 +1981,10 @@ CheckPython freethreading
 # ======================================================

 %changelog
+* Thu Mar 26 2026 Lumír Balhar <lbalhar@redhat.com> - 3.14.3-2
+- Security fix for CVE-2026-4519
+Resolves: RHEL-158114
+
 * Wed Feb 04 2026 Karolina Surma <ksurma@redhat.com> - 3.14.3-1
 - Update to Python 3.14.3
 - Security fixes for CVE-2025-11468, CVE-2026-0672,CVE-2026-0865,