rpms/python3
7
0
Fork 0
Code Issues Pull Requests Releases Activity
a8
python3/SOURCES/00478-cve-2026-4519.patch
AlmaLinux RelEng Bot 4ebccc1db3 import CS git python3-3.6.8-75.el8_10
2026-04-02 10:27:48 -04:00

124 lines
4.5 KiB
Diff
Raw Permalink Blame History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: tomcruiseqi <tom33qi@gmail.com>
Date: Wed, 25 Mar 2026 02:23:45 +0800
Subject: 00478: CVE-2026-4519
Reject leading dashes in webbrowser URLs (GH-143931) (GH-146359)
(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
Backported from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
Co-authored-by: Seth Michael Larson <seth@python.org>
---
Lib/test/test_webbrowser.py | 5 +++++
Lib/webbrowser.py | 14 ++++++++++++++
.../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1 +
3 files changed, 20 insertions(+)
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index 7cbb8d0a29..ec4ba2f7ac 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -53,6 +53,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
options=[],
arguments=[URL])
+ def test_reject_dash_prefixes(self):
+ browser = self.browser_class(name=CMD_NAME)
+ with self.assertRaises(ValueError):
+ browser.open(f"--key=val {URL}")
+
class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index 1a553f0e65..f00f1a712a 100755
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -120,6 +120,12 @@ class BaseBrowser(object):
def open_new_tab(self, url):
return self.open(url, 2)
+ @staticmethod
+ def _check_url(url):
+ """Ensures that the URL is safe to pass to subprocesses as a parameter"""
+ if url and url.lstrip().startswith("-"):
+ raise ValueError(f"Invalid URL: {url}")
+
class GenericBrowser(BaseBrowser):
"""Class for all browsers started with a command
@@ -136,6 +142,7 @@ class GenericBrowser(BaseBrowser):
self.basename = os.path.basename(self.name)
def open(self, url, new=0, autoraise=True):
+ self._check_url(url)
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
try:
@@ -153,6 +160,7 @@ class BackgroundBrowser(GenericBrowser):
background."""
def open(self, url, new=0, autoraise=True):
+ self._check_url(url)
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
try:
@@ -219,6 +227,7 @@ class UnixBrowser(BaseBrowser):
return not p.wait()
def open(self, url, new=0, autoraise=True):
+ self._check_url(url)
if new == 0:
action = self.remote_action
elif new == 1:
@@ -319,6 +328,7 @@ class Konqueror(BaseBrowser):
"""
def open(self, url, new=0, autoraise=True):
+ self._check_url(url)
# XXX Currently I know no way to prevent KFM from opening a new win.
if new == 2:
action = "newTab"
@@ -402,6 +412,7 @@ class Grail(BaseBrowser):
return 1
def open(self, url, new=0, autoraise=True):
+ self._check_url(url)
if new:
ok = self._remote("LOADNEW " + url)
else:
@@ -508,6 +519,7 @@ if os.environ.get("TERM"):
if sys.platform[:3] == "win":
class WindowsDefault(BaseBrowser):
def open(self, url, new=0, autoraise=True):
+ self._check_url(url)
try:
os.startfile(url)
except OSError:
@@ -551,6 +563,7 @@ if sys.platform == 'darwin':
self.name = name
def open(self, url, new=0, autoraise=True):
+ self._check_url(url)
assert "'" not in url
# hack for local urls
if not ':' in url:
@@ -588,6 +601,7 @@ if sys.platform == 'darwin':
self._name = name
def open(self, url, new=0, autoraise=True):
+ self._check_url(url)
if self._name == 'default':
script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
else:
diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
new file mode 100644
index 0000000000..0f27eae99a
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
@@ -0,0 +1 @@
+Reject leading dashes in URLs passed to :func:`webbrowser.open`
Reference in New Issue View Git Blame Copy Permalink