[3.13] gh-148169: Fix webbrowser `%action` substitution bypass of dash-prefix check...

author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

Wed, 29 Apr 2026 10:00:10 +0000 (12:00 +0200)

committer GitHub <noreply@github.com>

Wed, 29 Apr 2026 10:00:10 +0000 (13:00 +0300)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Wed, 29 Apr 2026 10:00:10 +0000 (12:00 +0200)
committer GitHub <noreply@github.com>
Wed, 29 Apr 2026 10:00:10 +0000 (13:00 +0300)
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py

index e8b8b020deadb1b480c2e1c61325fd6c6ea35c17..135f116d46bb6682cd7f6652f1ca015b7a2f1ec2 100644 (file)
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -118,6 +118,15 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase):
                         arguments=[URL],
                         kw=dict(new=999))
  
+    def test_reject_action_dash_prefixes(self):
+        browser = self.browser_class(name=CMD_NAME)
+        with self.assertRaises(ValueError):
+            browser.open('%action--incognito')
+        # new=1: action is "--new-window", so "%action" itself expands to
+        # a dash-prefixed flag even with no dash in the original URL.
+        with self.assertRaises(ValueError):
+            browser.open('%action', new=1)
+
  
  class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
  
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py

index ee5824100c7b9a661f3b8e4f9949a567f6e9e779..be033d707a9a313aa27df197c4b6a857cd7b3da5 100755 (executable)
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -275,7 +275,6 @@ class UnixBrowser(BaseBrowser):
  
      def open(self, url, new=0, autoraise=True):
          sys.audit("webbrowser.open", url)
-        self._check_url(url)
          if new == 0:
              action = self.remote_action
          elif new == 1:
@@ -289,7 +288,9 @@ class UnixBrowser(BaseBrowser):
              raise Error("Bad 'new' parameter to open(); "
                          f"expected 0, 1, or 2, got {new}")
  
-        args = [arg.replace("%s", url).replace("%action", action)
+        self._check_url(url.replace("%action", action))
+
+        args = [arg.replace("%action", action).replace("%s", url)
                  for arg in self.remote_args]
          args = [arg for arg in args if arg]
          success = self._invoke(args, True, autoraise, url)
diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst

new file mode 100644 (file)

index 0000000..45cdeeb
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
@@ -0,0 +1,2 @@
+A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
+the dash-prefix safety check.
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Wed, 29 Apr 2026 10:00:10 +0000 (12:00 +0200)
committer	GitHub <noreply@github.com>
	Wed, 29 Apr 2026 10:00:10 +0000 (13:00 +0300)
Lib/test/test_webbrowser.py		patch \| blob \| blame \| history
Lib/webbrowser.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst	[new file with mode: 0644]	patch \| blob