From c84b32da52f2e1fb12d155eb14343ea1eac7baf1 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Fri, 20 Mar 2026 09:47:13 -0500 Subject: [PATCH] [3.10] gh-143930: Reject leading dashes in webbrowser URLs (cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b) Co-authored-by: Seth Michael Larson --- Lib/test/test_webbrowser.py | 5 +++ Lib/webbrowser.py | 13 ++++++++++ Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1 3 files changed, 19 insertions(+) create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst Index: Python-3.6.15/Lib/test/test_webbrowser.py =================================================================== --- Python-3.6.15.orig/Lib/test/test_webbrowser.py 2026-03-27 20:21:01.196528339 +0100 +++ Python-3.6.15/Lib/test/test_webbrowser.py 2026-03-27 20:21:13.551806149 +0100 @@ -53,6 +53,11 @@ options=[], arguments=[URL]) + def test_reject_dash_prefixes(self): + browser = self.browser_class(name=CMD_NAME) + with self.assertRaises(ValueError): + browser.open(f"--key=val {URL}") + class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase): Index: Python-3.6.15/Lib/webbrowser.py =================================================================== --- Python-3.6.15.orig/Lib/webbrowser.py 2026-03-27 20:20:58.939998357 +0100 +++ Python-3.6.15/Lib/webbrowser.py 2026-03-27 20:25:49.889558447 +0100 @@ -119,6 +119,12 @@ def open_new_tab(self, url): return self.open(url, 2) + @staticmethod + def _check_url(url): + """Ensures that the URL is safe to pass to subprocesses as a parameter""" + if url and url.lstrip().startswith("-"): + raise ValueError(f"Invalid URL: {url}") + class GenericBrowser(BaseBrowser): """Class for all browsers started with a command @@ -135,6 +141,7 @@ self.basename = os.path.basename(self.name) def open(self, url, new=0, autoraise=True): + self._check_url(url) cmdline = [self.name] + [arg.replace("%s", url) for arg in self.args] try: @@ -152,6 +159,7 @@ background.""" def open(self, url, new=0, autoraise=True): + self._check_url(url) cmdline = [self.name] + [arg.replace("%s", url) for arg in self.args] try: @@ -218,6 +226,7 @@ return not p.wait() def open(self, url, new=0, autoraise=True): + self._check_url(url) if new == 0: action = self.remote_action elif new == 1: @@ -318,6 +327,7 @@ """ def open(self, url, new=0, autoraise=True): + self._check_url(url) # XXX Currently I know no way to prevent KFM from opening a new win. if new == 2: action = "newTab" @@ -507,6 +517,7 @@ if sys.platform[:3] == "win": class WindowsDefault(BaseBrowser): def open(self, url, new=0, autoraise=True): + self._check_url(url) try: os.startfile(url) except OSError: @@ -551,6 +562,7 @@ def open(self, url, new=0, autoraise=True): assert "'" not in url + self._check_url(url) # hack for local urls if not ':' in url: url = 'file:'+url @@ -587,6 +599,7 @@ self._name = name def open(self, url, new=0, autoraise=True): + self._check_url(url) if self._name == 'default': script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser else: Index: Python-3.6.15/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.6.15/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst 2026-03-27 20:21:13.553047250 +0100 @@ -0,0 +1 @@ +Reject leading dashes in URLs passed to :func:`webbrowser.open`