From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: tomcruiseqi Date: Wed, 25 Mar 2026 02:23:45 +0800 Subject: 00478: CVE-2026-4519 Reject leading dashes in webbrowser URLs (GH-143931) (GH-146359) Cherry-picked from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5 (cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b) Co-authored-by: Seth Michael Larson --- Lib/test/test_webbrowser.py | 5 +++++ Lib/webbrowser.py | 14 ++++++++++++++ .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1 + 3 files changed, 20 insertions(+) create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py index 519a9432ab..f8e9234db8 100644 --- a/Lib/test/test_webbrowser.py +++ b/Lib/test/test_webbrowser.py @@ -55,6 +55,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase): options=[], arguments=[URL]) + def test_reject_dash_prefixes(self): + browser = self.browser_class(name=CMD_NAME) + with self.assertRaises(ValueError): + browser.open(f"--key=val {URL}") + class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase): diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py index 6023c1e138..f5349dbce5 100755 --- a/Lib/webbrowser.py +++ b/Lib/webbrowser.py @@ -154,6 +154,12 @@ class BaseBrowser(object): def open_new_tab(self, url): return self.open(url, 2) + @staticmethod + def _check_url(url): + """Ensures that the URL is safe to pass to subprocesses as a parameter""" + if url and url.lstrip().startswith("-"): + raise ValueError(f"Invalid URL: {url}") + class GenericBrowser(BaseBrowser): """Class for all browsers started with a command @@ -171,6 +177,7 @@ class GenericBrowser(BaseBrowser): def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) cmdline = [self.name] + [arg.replace("%s", url) for arg in self.args] try: @@ -191,6 +198,7 @@ class BackgroundBrowser(GenericBrowser): cmdline = [self.name] + [arg.replace("%s", url) for arg in self.args] sys.audit("webbrowser.open", url) + self._check_url(url) try: if sys.platform[:3] == 'win': p = subprocess.Popen(cmdline) @@ -256,6 +264,7 @@ class UnixBrowser(BaseBrowser): def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) if new == 0: action = self.remote_action elif new == 1: @@ -357,6 +366,7 @@ class Konqueror(BaseBrowser): def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) # XXX Currently I know no way to prevent KFM from opening a new win. if new == 2: action = "newTab" @@ -441,6 +451,7 @@ class Grail(BaseBrowser): def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) if new: ok = self._remote("LOADNEW " + url) else: @@ -599,6 +610,7 @@ if sys.platform[:3] == "win": class WindowsDefault(BaseBrowser): def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) try: os.startfile(url) except OSError: @@ -629,6 +641,7 @@ if sys.platform == 'darwin': def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) assert "'" not in url # hack for local urls if not ':' in url: @@ -666,6 +679,7 @@ if sys.platform == 'darwin': self._name = name def open(self, url, new=0, autoraise=True): + self._check_url(url) if self._name == 'default': script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser else: diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst new file mode 100644 index 0000000000..0f27eae99a --- /dev/null +++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst @@ -0,0 +1 @@ +Reject leading dashes in URLs passed to :func:`webbrowser.open`