File CVE-2026-4519-webbrowser-open-dashes.patch of Package python313
From 94963466a9af37420aa3f119d19df8e1bd5dd6d8 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 20 Mar 2026 09:47:13 -0500
Subject: [PATCH] gh-143930: Reject leading dashes in webbrowser URLs (cherry
picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
Co-authored-by: Seth Michael Larson <seth@python.org>
---
Lib/test/test_webbrowser.py | 5 +++
Lib/webbrowser.py | 13 ++++++++++
Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1
3 files changed, 19 insertions(+)
create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
Index: Python-3.13.12/Lib/test/test_webbrowser.py
===================================================================
--- Python-3.13.12.orig/Lib/test/test_webbrowser.py 2026-02-03 18:53:27.000000000 +0100
+++ Python-3.13.12/Lib/test/test_webbrowser.py 2026-03-27 20:06:46.532467955 +0100
@@ -65,6 +65,11 @@
options=[],
arguments=[URL])
+ def test_reject_dash_prefixes(self):
+ browser = self.browser_class(name=CMD_NAME)
+ with self.assertRaises(ValueError):
+ browser.open(f"--key=val {URL}")
+
class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
Index: Python-3.13.12/Lib/webbrowser.py
===================================================================
--- Python-3.13.12.orig/Lib/webbrowser.py 2026-03-27 20:06:44.373345163 +0100
+++ Python-3.13.12/Lib/webbrowser.py 2026-03-27 20:06:46.533477088 +0100
@@ -164,6 +164,12 @@
def open_new_tab(self, url):
return self.open(url, 2)
+ @staticmethod
+ def _check_url(url):
+ """Ensures that the URL is safe to pass to subprocesses as a parameter"""
+ if url and url.lstrip().startswith("-"):
+ raise ValueError(f"Invalid URL: {url}")
+
class GenericBrowser(BaseBrowser):
"""Class for all browsers started with a command
@@ -181,6 +187,7 @@
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
try:
@@ -201,6 +208,7 @@
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
sys.audit("webbrowser.open", url)
+ self._check_url(url)
try:
if sys.platform[:3] == 'win':
p = subprocess.Popen(cmdline)
@@ -267,6 +275,7 @@
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
if new == 0:
action = self.remote_action
elif new == 1:
@@ -358,6 +367,7 @@
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
# XXX Currently I know no way to prevent KFM from opening a new win.
if new == 2:
action = "newTab"
@@ -576,6 +586,7 @@
class WindowsDefault(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
try:
os.startfile(url)
except OSError:
@@ -596,6 +607,7 @@
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
url = url.replace('"', '%22')
if self.name == 'default':
script = f'open location "{url}"' # opens in default browser
@@ -627,6 +639,7 @@
class IOSBrowser(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
# If ctypes isn't available, we can't open a browser
if objc is None:
return False
Index: Python-3.13.12/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.13.12/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst 2026-03-27 20:06:46.533691813 +0100
@@ -0,0 +1 @@
+Reject leading dashes in URLs passed to :func:`webbrowser.open`
