From 881ff02c42844904233bc7b29b571fa72cb9ce97 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stan@python.org>
Date: Mon, 13 Apr 2026 20:02:52 +0100
Subject: [PATCH] [3.10] gh-148169: Fix webbrowser `%action` substitution
 bypass of dash-prefix check (GH-148170) (cherry picked from commit
 d22922c8a7958353689dc4763dd72da2dea03fff)

Co-authored-by: Stan Ulbrych <stan@python.org>
---
 Lib/test/test_webbrowser.py                                              |    8 ++++++++
 Lib/webbrowser.py                                                        |    5 +++--
 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst |    2 ++
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst

Index: Python-3.6.15/Lib/test/test_webbrowser.py
===================================================================
--- Python-3.6.15.orig/Lib/test/test_webbrowser.py	2026-04-25 14:12:14.973667605 +0200
+++ Python-3.6.15/Lib/test/test_webbrowser.py	2026-04-25 14:12:19.185105870 +0200
@@ -93,6 +93,14 @@
                    options=[],
                    arguments=[URL])
 
+    def test_reject_action_dash_prefixes(self):
+        browser = self.browser_class(name=CMD_NAME)
+        with self.assertRaises(ValueError):
+            browser.open('%action--incognito')
+        # new=1: action is "--new-window", so "%action" itself expands to
+        # a dash-prefixed flag even with no dash in the original URL.
+        with self.assertRaises(ValueError):
+            browser.open('%action', new=1)
 
 class MozillaCommandTest(CommandTestMixin, unittest.TestCase):
 
Index: Python-3.6.15/Lib/webbrowser.py
===================================================================
--- Python-3.6.15.orig/Lib/webbrowser.py	2026-04-25 14:12:14.973991365 +0200
+++ Python-3.6.15/Lib/webbrowser.py	2026-04-25 14:14:36.511394271 +0200
@@ -226,7 +226,6 @@
             return not p.wait()
 
     def open(self, url, new=0, autoraise=True):
-        self._check_url(url)
         if new == 0:
             action = self.remote_action
         elif new == 1:
@@ -240,7 +239,9 @@
             raise Error("Bad 'new' parameter to open(); " +
                         "expected 0, 1, or 2, got %s" % new)
 
-        args = [arg.replace("%s", url).replace("%action", action)
+        self._check_url(url.replace("%action", action))
+
+        args = [arg.replace("%action", action).replace("%s", url)
                 for arg in self.remote_args]
         args = [arg for arg in args if arg]
         success = self._invoke(args, True, autoraise)
Index: Python-3.6.15/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ Python-3.6.15/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst	2026-04-25 14:12:19.185974375 +0200
@@ -0,0 +1,2 @@
+A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
+the dash-prefix safety check.