[3.11] gh-143930: Reject leading dashes in webbrowser URLs (GH-143931) (GH-146364)

author tomcruiseqi <tom33qi@gmail.com>

Tue, 24 Mar 2026 18:23:28 +0000 (02:23 +0800)

committer GitHub <noreply@github.com>

Tue, 24 Mar 2026 18:23:28 +0000 (19:23 +0100)
author tomcruiseqi <tom33qi@gmail.com>
Tue, 24 Mar 2026 18:23:28 +0000 (02:23 +0800)
committer GitHub <noreply@github.com>
Tue, 24 Mar 2026 18:23:28 +0000 (19:23 +0100)
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py

index 9d608d63a01ed30646b3b16f2f9b17abf34e6189..0ac985f56c840e1e55b4c107136e26b753cfc76d 100644 (file)
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -59,6 +59,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
                     options=[],
                     arguments=[URL])
  
+    def test_reject_dash_prefixes(self):
+        browser = self.browser_class(name=CMD_NAME)
+        with self.assertRaises(ValueError):
+            browser.open(f"--key=val {URL}")
+
  
  class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
  
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py

index 5d72524c0876774727c3aed4fdbc8ea9b50464e4..0fd0aeb3c1b6efe63c25ece3eefc1ce3b2c6a7b2 100755 (executable)
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -155,6 +155,12 @@ class BaseBrowser(object):
      def open_new_tab(self, url):
          return self.open(url, 2)
  
+    @staticmethod
+    def _check_url(url):
+        """Ensures that the URL is safe to pass to subprocesses as a parameter"""
+        if url and url.lstrip().startswith("-"):
+            raise ValueError(f"Invalid URL: {url}")
+
  
  class GenericBrowser(BaseBrowser):
      """Class for all browsers started with a command
@@ -172,6 +178,7 @@ class GenericBrowser(BaseBrowser):
  
      def open(self, url, new=0, autoraise=True):
          sys.audit("webbrowser.open", url)
+        self._check_url(url)
          cmdline = [self.name] + [arg.replace("%s", url)
                                   for arg in self.args]
          try:
@@ -192,6 +199,7 @@ class BackgroundBrowser(GenericBrowser):
          cmdline = [self.name] + [arg.replace("%s", url)
                                   for arg in self.args]
          sys.audit("webbrowser.open", url)
+        self._check_url(url)
          try:
              if sys.platform[:3] == 'win':
                  p = subprocess.Popen(cmdline)
@@ -257,6 +265,7 @@ class UnixBrowser(BaseBrowser):
  
      def open(self, url, new=0, autoraise=True):
          sys.audit("webbrowser.open", url)
+        self._check_url(url)
          if new == 0:
              action = self.remote_action
          elif new == 1:
@@ -358,6 +367,7 @@ class Konqueror(BaseBrowser):
  
      def open(self, url, new=0, autoraise=True):
          sys.audit("webbrowser.open", url)
+        self._check_url(url)
          # XXX Currently I know no way to prevent KFM from opening a new win.
          if new == 2:
              action = "newTab"
@@ -442,6 +452,7 @@ class Grail(BaseBrowser):
  
      def open(self, url, new=0, autoraise=True):
          sys.audit("webbrowser.open", url)
+        self._check_url(url)
          if new:
              ok = self._remote("LOADNEW " + url)
          else:
@@ -605,6 +616,7 @@ if sys.platform[:3] == "win":
      class WindowsDefault(BaseBrowser):
          def open(self, url, new=0, autoraise=True):
              sys.audit("webbrowser.open", url)
+            self._check_url(url)
              try:
                  os.startfile(url)
              except OSError:
@@ -637,6 +649,7 @@ if sys.platform == 'darwin':
  
          def open(self, url, new=0, autoraise=True):
              sys.audit("webbrowser.open", url)
+            self._check_url(url)
              assert "'" not in url
              # hack for local urls
              if not ':' in url:
@@ -689,6 +702,7 @@ if sys.platform == 'darwin':
  
          def open(self, url, new=0, autoraise=True):
              sys.audit("webbrowser.open", url)
+            self._check_url(url)
              if self.name == 'default':
                  script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
              else:
diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst

new file mode 100644 (file)

index 0000000..0f27eae
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
@@ -0,0 +1 @@
+Reject leading dashes in URLs passed to :func:`webbrowser.open`
author	tomcruiseqi <tom33qi@gmail.com>
	Tue, 24 Mar 2026 18:23:28 +0000 (02:23 +0800)
committer	GitHub <noreply@github.com>
	Tue, 24 Mar 2026 18:23:28 +0000 (19:23 +0100)
Lib/test/test_webbrowser.py		patch \| blob \| blame \| history
Lib/webbrowser.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst	[new file with mode: 0644]	patch \| blob