rpms/python3.9
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Security fix for CVE-2026-4519

Browse Source 
Resolves: RHEL-158117
This commit is contained in:
Lumir Balhar 2026-03-26 09:36:50 +01:00
parent a5b026e783
commit a82a300625
2 changed files with 136 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

123
00478-cve-2026-4519.patch Normal file
View File

@ -0,0 +1,123 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: tomcruiseqi <tom33qi@gmail.com>
Date: Wed, 25 Mar 2026 02:23:45 +0800
Subject: 00478: CVE-2026-4519
Reject leading dashes in webbrowser URLs (GH-143931) (GH-146359)
Cherry-picked from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
Co-authored-by: Seth Michael Larson <seth@python.org>
---
Lib/test/test_webbrowser.py | 5 +++++
Lib/webbrowser.py | 14 ++++++++++++++
.../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1 +
3 files changed, 20 insertions(+)
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index 519a9432ab..f8e9234db8 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -55,6 +55,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
options=[],
arguments=[URL])
+ def test_reject_dash_prefixes(self):
+ browser = self.browser_class(name=CMD_NAME)
+ with self.assertRaises(ValueError):
+ browser.open(f"--key=val {URL}")
+
class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index 6023c1e138..f5349dbce5 100755
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -154,6 +154,12 @@ class BaseBrowser(object):
def open_new_tab(self, url):
return self.open(url, 2)
+ @staticmethod
+ def _check_url(url):
+ """Ensures that the URL is safe to pass to subprocesses as a parameter"""
+ if url and url.lstrip().startswith("-"):
+ raise ValueError(f"Invalid URL: {url}")
+
class GenericBrowser(BaseBrowser):
"""Class for all browsers started with a command
@@ -171,6 +177,7 @@ class GenericBrowser(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
try:
@@ -191,6 +198,7 @@ class BackgroundBrowser(GenericBrowser):
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
sys.audit("webbrowser.open", url)
+ self._check_url(url)
try:
if sys.platform[:3] == 'win':
p = subprocess.Popen(cmdline)
@@ -256,6 +264,7 @@ class UnixBrowser(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
if new == 0:
action = self.remote_action
elif new == 1:
@@ -357,6 +366,7 @@ class Konqueror(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
# XXX Currently I know no way to prevent KFM from opening a new win.
if new == 2:
action = "newTab"
@@ -441,6 +451,7 @@ class Grail(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
if new:
ok = self._remote("LOADNEW " + url)
else:
@@ -599,6 +610,7 @@ if sys.platform[:3] == "win":
class WindowsDefault(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
try:
os.startfile(url)
except OSError:
@@ -629,6 +641,7 @@ if sys.platform == 'darwin':
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
assert "'" not in url
# hack for local urls
if not ':' in url:
@@ -666,6 +679,7 @@ if sys.platform == 'darwin':
self._name = name
def open(self, url, new=0, autoraise=True):
+ self._check_url(url)
if self._name == 'default':
script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
else:
diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
new file mode 100644
index 0000000000..0f27eae99a
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
@@ -0,0 +1 @@
+Reject leading dashes in URLs passed to :func:`webbrowser.open`

14
python3.9.spec
View File

@ -17,7 +17,7 @@ URL: https://www.python.org/
#global prerel ...
%global upstream_version %{general_version}%{?prerel}
Version: %{general_version}%{?prerel:~%{prerel}}
Release: 5%{?dist}
Release: 6%{?dist}
License: Python
@ -476,6 +476,14 @@ Patch475: 00475-cve-2025-15367.patch
# gh-144125: email: verify headers are sound in BytesGenerator
Patch476: 00476-cve-2026-1299.patch
# 00478 # 88bb1e37c971fd1d6bda82a68b5ad873ed099f08
# CVE-2026-4519
#
# Reject leading dashes in webbrowser URLs (GH-143931) (GH-146359)
#
# Cherry-picked from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
Patch478: 00478-cve-2026-4519.patch
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1887,6 +1895,10 @@ CheckPython optimized
# ======================================================
%changelog
* Thu Mar 26 2026 Lumír Balhar <lbalhar@redhat.com> - 3.9.25-6
- Security fix for CVE-2026-4519
Resolves: RHEL-158117
* Mon Mar 09 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.25-5
- Rebuilding previous fixes for different build target
Related: RHEL-143117, RHEL-143174, RHEL-144897