From: Stan Ulbrych <stan@python.org>
Date: Mon, 13 Apr 2026 19:02:52 +0000 (+0100)
Subject: gh-148169: Fix webbrowser `%action` substitution bypass of dash-prefix check (#148170)
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d22922c8a7958353689dc4763dd72da2dea03fff;p=thirdparty%2FPython%2Fcpython.git

gh-148169: Fix webbrowser `%action` substitution bypass of dash-prefix check (#148170)
---

diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index 299dc185fcf2..2ba3af8d5bf2 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -119,6 +119,15 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase):
                        arguments=[URL],
                        kw=dict(new=999))
 
+    def test_reject_action_dash_prefixes(self):
+        browser = self.browser_class(name=CMD_NAME)
+        with self.assertRaises(ValueError):
+            browser.open('%action--incognito')
+        # new=1: action is "--new-window", so "%action" itself expands to
+        # a dash-prefixed flag even with no dash in the original URL.
+        with self.assertRaises(ValueError):
+            browser.open('%action', new=1)
+
 
 class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
 
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index 0e0b5034e5f5..97aad6eea509 100644
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -274,7 +274,6 @@ class UnixBrowser(BaseBrowser):
 
     def open(self, url, new=0, autoraise=True):
         sys.audit("webbrowser.open", url)
-        self._check_url(url)
         if new == 0:
             action = self.remote_action
         elif new == 1:
@@ -288,7 +287,9 @@ class UnixBrowser(BaseBrowser):
             raise Error("Bad 'new' parameter to open(); "
                         f"expected 0, 1, or 2, got {new}")
 
-        args = [arg.replace("%s", url).replace("%action", action)
+        self._check_url(url.replace("%action", action))
+
+        args = [arg.replace("%action", action).replace("%s", url)
                 for arg in self.remote_args]
         args = [arg for arg in args if arg]
         success = self._invoke(args, True, autoraise, url)
diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
new file mode 100644
index 000000000000..45cdeebe1b6d
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
@@ -0,0 +1,2 @@
+A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
+the dash-prefix safety check.