File CVE-2026-4519-webbrowser-open-dashes.patch of Package python.43465

From c84b32da52f2e1fb12d155eb14343ea1eac7baf1 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <seth@python.org>
Date: Fri, 20 Mar 2026 09:47:13 -0500
Subject: [PATCH] [3.10] gh-143930: Reject leading dashes in webbrowser URLs
 (cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)

Co-authored-by: Seth Michael Larson <seth@python.org>
---
 Lib/webbrowser.py                                                        |   13 ++++++++++
 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst |    1 
 2 files changed, 14 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst

Index: Python-2.7.18/Lib/webbrowser.py
===================================================================
--- Python-2.7.18.orig/Lib/webbrowser.py	2020-04-19 23:13:39.000000000 +0200
+++ Python-2.7.18/Lib/webbrowser.py	2026-03-28 20:57:36.175543159 +0100
@@ -153,6 +153,12 @@
     def open_new_tab(self, url):
         return self.open(url, 2)
 
+    @staticmethod
+    def _check_url(url):
+        """Ensures that the URL is safe to pass to subprocesses as a parameter"""
+        if url and url.lstrip().startswith("-"):
+            raise ValueError("Invalid URL: {}".format(url))
+
 
 class GenericBrowser(BaseBrowser):
     """Class for all browsers started with a command
@@ -169,6 +175,7 @@
         self.basename = os.path.basename(self.name)
 
     def open(self, url, new=0, autoraise=True):
+        self._check_url(url)
         cmdline = [self.name] + [arg.replace("%s", url)
                                  for arg in self.args]
         try:
@@ -186,6 +193,7 @@
        background."""
 
     def open(self, url, new=0, autoraise=True):
+        self._check_url(url)
         cmdline = [self.name] + [arg.replace("%s", url)
                                  for arg in self.args]
         try:
@@ -257,6 +265,7 @@
             return not p.wait()
 
     def open(self, url, new=0, autoraise=True):
+        self._check_url(url)
         if new == 0:
             action = self.remote_action
         elif new == 1:
@@ -348,6 +357,7 @@
     """
 
     def open(self, url, new=0, autoraise=True):
+        self._check_url(url)
         # XXX Currently I know no way to prevent KFM from opening a new win.
         if new == 2:
             action = "newTab"
@@ -538,6 +548,7 @@
 if sys.platform[:3] == "win":
     class WindowsDefault(BaseBrowser):
         def open(self, url, new=0, autoraise=True):
+            self._check_url(url)
             try:
                 os.startfile(url)
             except WindowsError:
@@ -582,6 +593,7 @@
 
         def open(self, url, new=0, autoraise=True):
             assert "'" not in url
+            self._check_url(url)
             # hack for local urls
             if not ':' in url:
                 url = 'file:'+url
@@ -618,6 +630,7 @@
             self._name = name
 
         def open(self, url, new=0, autoraise=True):
+            self._check_url(url)
             if self._name == 'default':
                 script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
             else:
Index: Python-2.7.18/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-2.7.18/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst	2026-03-28 20:55:43.738090721 +0100
@@ -0,0 +1 @@
+Reject leading dashes in URLs passed to :func:`webbrowser.open`