Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python313 for openSUSE:Factory checked in at 2026-04-01 19:50:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python313 (Old) and /work/SRC/openSUSE:Factory/.python313.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python313" Wed Apr 1 19:50:22 2026 rev:39 rq:1343743 version:3.13.12 Changes: -------- --- /work/SRC/openSUSE:Factory/python313/python313.changes 2026-03-19 17:58:04.837099858 +0100 +++ /work/SRC/openSUSE:Factory/.python313.new.21863/python313.changes 2026-04-01 19:50:26.060629503 +0200 @@ -1,0 +2,28 @@ +Fri Mar 27 17:51:07 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject + leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519, + gh#python/cpython#143930). + +------------------------------------------------------------------- +Wed Mar 25 16:40:18 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2025-13462-tarinfo-header-parse.patch which skips + TarInfo DIRTYPE normalization during GNU long name handling + (bsc#1259611, CVE-2025-13462). + +------------------------------------------------------------------- +Mon Mar 23 22:16:01 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding + unbound C recursion in conv_content_model in pyexpat.c + (bsc#1259735, CVE-2026-4224). + +------------------------------------------------------------------- +Mon Mar 23 17:15:50 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject + control characters in http.cookies.Morsel.update() and + http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644). + +------------------------------------------------------------------- New: ---- CVE-2025-13462-tarinfo-header-parse.patch CVE-2026-3644-cookies-Morsel-update-II.patch CVE-2026-4224-expat-unbound-C-recursion.patch CVE-2026-4519-webbrowser-open-dashes.patch ----------(New B)---------- New: - Add CVE-2025-13462-tarinfo-header-parse.patch which skips TarInfo DIRTYPE normalization during GNU long name handling New: - Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject control characters in http.cookies.Morsel.update() and New: - Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding unbound C recursion in conv_content_model in pyexpat.c New: - Add CVE-2026-4519-webbrowser-open-dashes.patch to reject leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519, ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python313.spec ++++++ --- /var/tmp/diff_new_pack.KN12VM/_old 2026-04-01 19:50:27.480688662 +0200 +++ /var/tmp/diff_new_pack.KN12VM/_new 2026-04-01 19:50:27.484688829 +0200 @@ -239,6 +239,18 @@ # PATCH-FIX-UPSTREAM CVE-2026-2297-SourcelessFileLoader-io_open_code.patch bsc#1259240 [email protected] # Ensure SourcelessFileLoader uses io.open_code Patch49: CVE-2026-2297-SourcelessFileLoader-io_open_code.patch +# PATCH-FIX-UPSTREAM CVE-2026-3644-cookies-Morsel-update-II.patch bsc#1259734 [email protected] +# Reject control characters in http.cookies.Morsel.update() and http.cookies.BaseCookie.js_output +Patch50: CVE-2026-3644-cookies-Morsel-update-II.patch +# PATCH-FIX-UPSTREAM CVE-2026-4224-expat-unbound-C-recursion.patch bsc#1259735 [email protected] +# Avoid unbound C recursion in conv_content_model +Patch51: CVE-2026-4224-expat-unbound-C-recursion.patch +# PATCH-FIX-UPSTREAM CVE-2025-13462-tarinfo-header-parse.patch bsc#1259611 [email protected] +# Skip TarInfo DIRTYPE normalization during GNU long name handling +Patch52: CVE-2025-13462-tarinfo-header-parse.patch +# PATCH-FIX-UPSTREAM CVE-2026-4519-webbrowser-open-dashes.patch bsc#1260026 [email protected] +# reject leading dashes in webbrowser URLs +Patch53: CVE-2026-4519-webbrowser-open-dashes.patch #### END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake ++++++ CVE-2025-13462-tarinfo-header-parse.patch ++++++ >From 548d5f49ccf9978cc2a79cc5d1843a8b65ba8918 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson <[email protected]> Date: Wed, 11 Mar 2026 08:47:55 -0500 Subject: [PATCH] gh-141707: Skip TarInfo DIRTYPE normalization during GNU long name handling (cherry picked from commit 42d754e34c06e57ad6b8e7f92f32af679912d8ab) Co-authored-by: Seth Michael Larson <[email protected]> Co-authored-by: Eashwar Ranganathan <[email protected]> --- Lib/tarfile.py | 29 ++++++++-- Lib/test/test_tarfile.py | 19 ++++++ Misc/ACKS | 1 Misc/NEWS.d/next/Library/2025-11-18-06-35-53.gh-issue-141707.DBmQIy.rst | 2 4 files changed, 47 insertions(+), 4 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2025-11-18-06-35-53.gh-issue-141707.DBmQIy.rst Index: Python-3.13.12/Lib/tarfile.py =================================================================== --- Python-3.13.12.orig/Lib/tarfile.py 2026-03-26 00:08:07.286755903 +0100 +++ Python-3.13.12/Lib/tarfile.py 2026-03-26 00:08:10.270786027 +0100 @@ -1267,6 +1267,20 @@ @classmethod def frombuf(cls, buf, encoding, errors): """Construct a TarInfo object from a 512 byte bytes object. + + To support the old v7 tar format AREGTYPE headers are + transformed to DIRTYPE headers if their name ends in '/'. + """ + return cls._frombuf(buf, encoding, errors) + + @classmethod + def _frombuf(cls, buf, encoding, errors, *, dircheck=True): + """Construct a TarInfo object from a 512 byte bytes object. + + If ``dircheck`` is set to ``True`` then ``AREGTYPE`` headers will + be normalized to ``DIRTYPE`` if the name ends in a trailing slash. + ``dircheck`` must be set to ``False`` if this function is called + on a follow-up header such as ``GNUTYPE_LONGNAME``. """ if len(buf) == 0: raise EmptyHeaderError("empty header") @@ -1297,7 +1311,7 @@ # Old V7 tar format represents a directory as a regular # file with a trailing slash. - if obj.type == AREGTYPE and obj.name.endswith("/"): + if dircheck and obj.type == AREGTYPE and obj.name.endswith("/"): obj.type = DIRTYPE # The old GNU sparse format occupies some of the unused @@ -1332,8 +1346,15 @@ """Return the next TarInfo object from TarFile object tarfile. """ + return cls._fromtarfile(tarfile) + + @classmethod + def _fromtarfile(cls, tarfile, *, dircheck=True): + """ + See dircheck documentation in _frombuf(). + """ buf = tarfile.fileobj.read(BLOCKSIZE) - obj = cls.frombuf(buf, tarfile.encoding, tarfile.errors) + obj = cls._frombuf(buf, tarfile.encoding, tarfile.errors, dircheck=dircheck) obj.offset = tarfile.fileobj.tell() - BLOCKSIZE return obj._proc_member(tarfile) @@ -1391,7 +1412,7 @@ # Fetch the next header and process it. try: - next = self.fromtarfile(tarfile) + next = self._fromtarfile(tarfile, dircheck=False) except HeaderError as e: raise SubsequentHeaderError(str(e)) from None @@ -1526,7 +1547,7 @@ # Fetch the next header. try: - next = self.fromtarfile(tarfile) + next = self._fromtarfile(tarfile, dircheck=False) except HeaderError as e: raise SubsequentHeaderError(str(e)) from None Index: Python-3.13.12/Lib/test/test_tarfile.py =================================================================== --- Python-3.13.12.orig/Lib/test/test_tarfile.py 2026-02-03 18:53:27.000000000 +0100 +++ Python-3.13.12/Lib/test/test_tarfile.py 2026-03-26 00:08:10.274786068 +0100 @@ -1216,6 +1216,25 @@ self.assertIsNotNone(tar.getmember(longdir)) self.assertIsNotNone(tar.getmember(longdir.removesuffix('/'))) + def test_longname_file_not_directory(self): + # Test reading a longname file and ensure it is not handled as a directory + # Issue #141707 + buf = io.BytesIO() + with tarfile.open(mode='w', fileobj=buf, format=self.format) as tar: + ti = tarfile.TarInfo() + ti.type = tarfile.AREGTYPE + ti.name = ('a' * 99) + '/' + ('b' * 3) + tar.addfile(ti) + + expected = {t.name: t.type for t in tar.getmembers()} + + buf.seek(0) + with tarfile.open(mode='r', fileobj=buf) as tar: + actual = {t.name: t.type for t in tar.getmembers()} + + self.assertEqual(expected, actual) + + class GNUReadTest(LongnameTest, ReadTest, unittest.TestCase): subdir = "gnu" Index: Python-3.13.12/Misc/ACKS =================================================================== --- Python-3.13.12.orig/Misc/ACKS 2026-02-03 18:53:27.000000000 +0100 +++ Python-3.13.12/Misc/ACKS 2026-03-26 00:08:10.276245113 +0100 @@ -1511,6 +1511,7 @@ Jeff Ramnani Grant Ramsay Bayard Randel +Eashwar Ranganathan Varpu Rantala Brodie Rao Rémi Rampin Index: Python-3.13.12/Misc/NEWS.d/next/Library/2025-11-18-06-35-53.gh-issue-141707.DBmQIy.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.13.12/Misc/NEWS.d/next/Library/2025-11-18-06-35-53.gh-issue-141707.DBmQIy.rst 2026-03-26 00:08:10.277119773 +0100 @@ -0,0 +1,2 @@ +Don't change :class:`tarfile.TarInfo` type from ``AREGTYPE`` to ``DIRTYPE`` when parsing +GNU long name or link headers. ++++++ CVE-2026-3644-cookies-Morsel-update-II.patch ++++++ >From 49a411665363afc18d14b875f072a96b641064d5 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych <[email protected]> Date: Mon, 16 Mar 2026 13:43:43 +0000 Subject: [PATCH] gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (GH-145600) Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`. (cherry picked from commit 57e88c1cf95e1481b94ae57abe1010469d47a6b4) Co-authored-by: Stan Ulbrych <[email protected]> Co-authored-by: Victor Stinner <[email protected]> Co-authored-by: Victor Stinner <[email protected]> --- Lib/http/cookies.py | 24 +++++- Lib/test/test_http_cookies.py | 38 ++++++++++ Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst | 4 + 3 files changed, 62 insertions(+), 4 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst Index: Python-3.13.12/Lib/http/cookies.py =================================================================== --- Python-3.13.12.orig/Lib/http/cookies.py 2026-02-03 18:53:27.000000000 +0100 +++ Python-3.13.12/Lib/http/cookies.py 2026-03-23 18:27:41.919900162 +0100 @@ -335,9 +335,16 @@ key = key.lower() if key not in self._reserved: raise CookieError("Invalid attribute %r" % (key,)) + if _has_control_character(key, val): + raise CookieError("Control characters are not allowed in " + f"cookies {key!r} {val!r}") data[key] = val dict.update(self, data) + def __ior__(self, values): + self.update(values) + return self + def isReservedKey(self, K): return K.lower() in self._reserved @@ -363,9 +370,15 @@ } def __setstate__(self, state): - self._key = state['key'] - self._value = state['value'] - self._coded_value = state['coded_value'] + key = state['key'] + value = state['value'] + coded_value = state['coded_value'] + if _has_control_character(key, value, coded_value): + raise CookieError("Control characters are not allowed in cookies " + f"{key!r} {value!r} {coded_value!r}") + self._key = key + self._value = value + self._coded_value = coded_value def output(self, attrs=None, header="Set-Cookie:"): return "%s %s" % (header, self.OutputString(attrs)) @@ -377,13 +390,16 @@ def js_output(self, attrs=None): # Print javascript + output_string = self.OutputString(attrs) + if _has_control_character(output_string): + raise CookieError("Control characters are not allowed in cookies") return """ <script type="text/javascript"> <!-- begin hiding document.cookie = \"%s\"; // end hiding --> </script> - """ % (self.OutputString(attrs).replace('"', r'\"')) + """ % (output_string.replace('"', r'\"')) def OutputString(self, attrs=None): # Build up our result Index: Python-3.13.12/Lib/test/test_http_cookies.py =================================================================== --- Python-3.13.12.orig/Lib/test/test_http_cookies.py 2026-02-03 18:53:27.000000000 +0100 +++ Python-3.13.12/Lib/test/test_http_cookies.py 2026-03-23 18:27:41.919996675 +0100 @@ -574,6 +574,14 @@ with self.assertRaises(cookies.CookieError): morsel["path"] = c0 + # .__setstate__() + with self.assertRaises(cookies.CookieError): + morsel.__setstate__({'key': c0, 'value': 'val', 'coded_value': 'coded'}) + with self.assertRaises(cookies.CookieError): + morsel.__setstate__({'key': 'key', 'value': c0, 'coded_value': 'coded'}) + with self.assertRaises(cookies.CookieError): + morsel.__setstate__({'key': 'key', 'value': 'val', 'coded_value': c0}) + # .setdefault() with self.assertRaises(cookies.CookieError): morsel.setdefault("path", c0) @@ -588,6 +596,18 @@ with self.assertRaises(cookies.CookieError): morsel.set("path", "val", c0) + # .update() + with self.assertRaises(cookies.CookieError): + morsel.update({"path": c0}) + with self.assertRaises(cookies.CookieError): + morsel.update({c0: "val"}) + + # .__ior__() + with self.assertRaises(cookies.CookieError): + morsel |= {"path": c0} + with self.assertRaises(cookies.CookieError): + morsel |= {c0: "val"} + def test_control_characters_output(self): # Tests that even if the internals of Morsel are modified # that a call to .output() has control character safeguards. @@ -608,6 +628,24 @@ with self.assertRaises(cookies.CookieError): cookie.output() + # Tests that .js_output() also has control character safeguards. + for c0 in support.control_characters_c0(): + morsel = cookies.Morsel() + morsel.set("key", "value", "coded-value") + morsel._key = c0 # Override private variable. + cookie = cookies.SimpleCookie() + cookie["cookie"] = morsel + with self.assertRaises(cookies.CookieError): + cookie.js_output() + + morsel = cookies.Morsel() + morsel.set("key", "value", "coded-value") + morsel._coded_value = c0 # Override private variable. + cookie = cookies.SimpleCookie() + cookie["cookie"] = morsel + with self.assertRaises(cookies.CookieError): + cookie.js_output() + def load_tests(loader, tests, pattern): tests.addTest(doctest.DocTestSuite(cookies)) Index: Python-3.13.12/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.13.12/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst 2026-03-23 18:27:41.920273686 +0100 @@ -0,0 +1,4 @@ +Reject control characters in :class:`http.cookies.Morsel` +:meth:`~http.cookies.Morsel.update` and +:meth:`~http.cookies.BaseCookie.js_output`. +This addresses :cve:`2026-3644`. ++++++ CVE-2026-4224-expat-unbound-C-recursion.patch ++++++ >From 1822fc7b168882a72d5af21443c5c9f25c8bd246 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych <[email protected]> Date: Sun, 15 Mar 2026 21:46:06 +0000 Subject: [PATCH 1/3] gh-145986: Avoid unbound C recursion in `conv_content_model` in `pyexpat.c` (CVE 2026-4224) (GH-145987) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix C stack overflow (CVE-2026-4224) when an Expat parser with a registered `ElementDeclHandler` parses inline DTD containing deeply nested content model. --------- (cherry picked from commit eb0e8be3a7e11b87d198a2c3af1ed0eccf532768) Co-authored-by: Stan Ulbrych <[email protected]> Co-authored-by: Bénédikt Tran <[email protected]> --- Lib/test/test_pyexpat.py | 19 +++++++++++++++++++ ...-03-14-17-31-39.gh-issue-145986.ifSSr8.rst | 4 ++++ Modules/pyexpat.c | 9 ++++++++- 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py index 6f6c85755be452..3c273c96842877 100644 --- a/Lib/test/test_pyexpat.py +++ b/Lib/test/test_pyexpat.py @@ -688,6 +688,25 @@ def test_trigger_leak(self): parser.ElementDeclHandler = lambda _1, _2: None self.assertRaises(TypeError, parser.Parse, data, True) + @support.skip_if_unlimited_stack_size + @support.skip_emscripten_stack_overflow() + @support.skip_wasi_stack_overflow() + def test_deeply_nested_content_model(self): + # This should raise a RecursionError and not crash. + # See https://github.com/python/cpython/issues/145986. + N = 500_000 + data = ( + b'<!DOCTYPE root [\n<!ELEMENT root ' + + b'(a, ' * N + b'a' + b')' * N + + b'>\n]>\n<root/>\n' + ) + + parser = expat.ParserCreate() + parser.ElementDeclHandler = lambda _1, _2: None + with support.infinite_recursion(): + with self.assertRaises(RecursionError): + parser.Parse(data) + class MalformedInputTest(unittest.TestCase): def test1(self): xml = b"\0\r\n" diff --git a/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst new file mode 100644 index 00000000000000..79536d1fef543f --- /dev/null +++ b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst @@ -0,0 +1,4 @@ +:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when +converting deeply nested XML content models with +:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`. +This addresses :cve:`2026-4224`. diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c index 06b7a10782802f..1eeff2ea91a39b 100644 --- a/Modules/pyexpat.c +++ b/Modules/pyexpat.c @@ -3,6 +3,7 @@ #endif #include "Python.h" +#include "pycore_ceval.h" // _Py_EnterRecursiveCall() #include "pycore_import.h" // _PyImport_SetModule() #include "pycore_pyhash.h" // _Py_HashSecret #include "pycore_traceback.h" // _PyTraceback_Add() @@ -572,6 +573,10 @@ static PyObject * conv_content_model(XML_Content * const model, PyObject *(*conv_string)(const XML_Char *)) { + if (_Py_EnterRecursiveCall(" in conv_content_model")) { + return NULL; + } + PyObject *result = NULL; PyObject *children = PyTuple_New(model->numchildren); int i; @@ -583,7 +588,7 @@ conv_content_model(XML_Content * const model, conv_string); if (child == NULL) { Py_XDECREF(children); - return NULL; + goto done; } PyTuple_SET_ITEM(children, i, child); } @@ -591,6 +596,8 @@ conv_content_model(XML_Content * const model, model->type, model->quant, conv_string,model->name, children); } +done: + _Py_LeaveRecursiveCall(); return result; } >From 04a88d8785eed23276192bcd3700b86c94f0a8aa Mon Sep 17 00:00:00 2001 From: Stan Ulbrych <[email protected]> Date: Sun, 15 Mar 2026 22:17:06 +0000 Subject: [PATCH 2/3] Remvoe `skip_if_unlimited_stack_size` decorator --- Lib/test/test_pyexpat.py | 1 - 1 file changed, 1 deletion(-) diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py index 3c273c96842877..93b784faaee054 100644 --- a/Lib/test/test_pyexpat.py +++ b/Lib/test/test_pyexpat.py @@ -688,7 +688,6 @@ def test_trigger_leak(self): parser.ElementDeclHandler = lambda _1, _2: None self.assertRaises(TypeError, parser.Parse, data, True) - @support.skip_if_unlimited_stack_size @support.skip_emscripten_stack_overflow() @support.skip_wasi_stack_overflow() def test_deeply_nested_content_model(self): >From 54309bf9b7e586276c661462712be7f4b6accf50 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych <[email protected]> Date: Sun, 15 Mar 2026 22:30:04 +0000 Subject: [PATCH 3/3] Remove more decorators not on this branch --- Lib/test/test_pyexpat.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py index 93b784faaee054..cceeff4341e89d 100644 --- a/Lib/test/test_pyexpat.py +++ b/Lib/test/test_pyexpat.py @@ -688,8 +688,6 @@ def test_trigger_leak(self): parser.ElementDeclHandler = lambda _1, _2: None self.assertRaises(TypeError, parser.Parse, data, True) - @support.skip_emscripten_stack_overflow() - @support.skip_wasi_stack_overflow() def test_deeply_nested_content_model(self): # This should raise a RecursionError and not crash. # See https://github.com/python/cpython/issues/145986. ++++++ CVE-2026-4519-webbrowser-open-dashes.patch ++++++ >From 94963466a9af37420aa3f119d19df8e1bd5dd6d8 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson <[email protected]> Date: Fri, 20 Mar 2026 09:47:13 -0500 Subject: [PATCH] gh-143930: Reject leading dashes in webbrowser URLs (cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b) Co-authored-by: Seth Michael Larson <[email protected]> --- Lib/test/test_webbrowser.py | 5 +++ Lib/webbrowser.py | 13 ++++++++++ Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1 3 files changed, 19 insertions(+) create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst Index: Python-3.13.12/Lib/test/test_webbrowser.py =================================================================== --- Python-3.13.12.orig/Lib/test/test_webbrowser.py 2026-02-03 18:53:27.000000000 +0100 +++ Python-3.13.12/Lib/test/test_webbrowser.py 2026-03-27 20:06:46.532467955 +0100 @@ -65,6 +65,11 @@ options=[], arguments=[URL]) + def test_reject_dash_prefixes(self): + browser = self.browser_class(name=CMD_NAME) + with self.assertRaises(ValueError): + browser.open(f"--key=val {URL}") + class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase): Index: Python-3.13.12/Lib/webbrowser.py =================================================================== --- Python-3.13.12.orig/Lib/webbrowser.py 2026-03-27 20:06:44.373345163 +0100 +++ Python-3.13.12/Lib/webbrowser.py 2026-03-27 20:06:46.533477088 +0100 @@ -164,6 +164,12 @@ def open_new_tab(self, url): return self.open(url, 2) + @staticmethod + def _check_url(url): + """Ensures that the URL is safe to pass to subprocesses as a parameter""" + if url and url.lstrip().startswith("-"): + raise ValueError(f"Invalid URL: {url}") + class GenericBrowser(BaseBrowser): """Class for all browsers started with a command @@ -181,6 +187,7 @@ def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) cmdline = [self.name] + [arg.replace("%s", url) for arg in self.args] try: @@ -201,6 +208,7 @@ cmdline = [self.name] + [arg.replace("%s", url) for arg in self.args] sys.audit("webbrowser.open", url) + self._check_url(url) try: if sys.platform[:3] == 'win': p = subprocess.Popen(cmdline) @@ -267,6 +275,7 @@ def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) if new == 0: action = self.remote_action elif new == 1: @@ -358,6 +367,7 @@ def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) # XXX Currently I know no way to prevent KFM from opening a new win. if new == 2: action = "newTab" @@ -576,6 +586,7 @@ class WindowsDefault(BaseBrowser): def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) try: os.startfile(url) except OSError: @@ -596,6 +607,7 @@ def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) url = url.replace('"', '%22') if self.name == 'default': script = f'open location "{url}"' # opens in default browser @@ -627,6 +639,7 @@ class IOSBrowser(BaseBrowser): def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) # If ctypes isn't available, we can't open a browser if objc is None: return False Index: Python-3.13.12/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.13.12/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst 2026-03-27 20:06:46.533691813 +0100 @@ -0,0 +1 @@ +Reject leading dashes in URLs passed to :func:`webbrowser.open` ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.KN12VM/_old 2026-04-01 19:50:27.832703330 +0200 +++ /var/tmp/diff_new_pack.KN12VM/_new 2026-04-01 19:50:27.852704163 +0200 @@ -1,6 +1,6 @@ -mtime: 1773872025 -commit: d6de58baa7aba037bb151e70777a09eaa9adb1edafed89b0eb53b695cce8fad5 +mtime: 1774638418 +commit: 35eea28331c5655850bcdfdc09dfb0773648eb58882b50175fba39d9d9fbe5d4 url: https://src.opensuse.org/python-interpreters/python313.git -revision: d6de58baa7aba037bb151e70777a09eaa9adb1edafed89b0eb53b695cce8fad5 +revision: 35eea28331c5655850bcdfdc09dfb0773648eb58882b50175fba39d9d9fbe5d4 projectscmsync: https://src.opensuse.org/python-interpreters/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-03-27 20:07:25.000000000 +0100 @@ -0,0 +1,6 @@ +.osc +*.obscpio +*.osc +_build.* +.pbuild +python313-*-build/
