https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b
commit: 82a24a4442312bdcfc4c799885e8b3e00990f02b
branch: main
author: Seth Michael Larson <[email protected]>
committer: sethmlarson <[email protected]>
date: 2026-03-20T14:47:13Z
summary:
gh-143930: Reject leading dashes in webbrowser URLs
files:
A Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
M Lib/test/test_webbrowser.py
M Lib/webbrowser.py
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index 20d347168b3af8..d5bb1400d2717a 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -67,6 +67,11 @@ def test_open(self):
options=[],
arguments=[URL])
+ def test_reject_dash_prefixes(self):
+ browser = self.browser_class(name=CMD_NAME)
+ with self.assertRaises(ValueError):
+ browser.open(f"--key=val {URL}")
+
class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index f2e2394089d5a1..9ead2990e818e5 100644
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -163,6 +163,12 @@ def open_new(self, url):
def open_new_tab(self, url):
return self.open(url, 2)
+ @staticmethod
+ def _check_url(url):
+ """Ensures that the URL is safe to pass to subprocesses as a
parameter"""
+ if url and url.lstrip().startswith("-"):
+ raise ValueError(f"Invalid URL: {url}")
+
class GenericBrowser(BaseBrowser):
"""Class for all browsers started with a command
@@ -180,6 +186,7 @@ def __init__(self, name):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
try:
@@ -200,6 +207,7 @@ def open(self, url, new=0, autoraise=True):
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
sys.audit("webbrowser.open", url)
+ self._check_url(url)
try:
if sys.platform[:3] == 'win':
p = subprocess.Popen(cmdline)
@@ -266,6 +274,7 @@ def _invoke(self, args, remote, autoraise, url=None):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
if new == 0:
action = self.remote_action
elif new == 1:
@@ -357,6 +366,7 @@ class Konqueror(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
# XXX Currently I know no way to prevent KFM from opening a new win.
if new == 2:
action = "newTab"
@@ -588,6 +598,7 @@ def register_standard_browsers():
class WindowsDefault(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
try:
os.startfile(url)
except OSError:
@@ -608,6 +619,7 @@ def __init__(self, name='default'):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
url = url.replace('"', '%22')
if self.name == 'default':
proto, _sep, _rest = url.partition(":")
@@ -664,6 +676,7 @@ def open(self, url, new=0, autoraise=True):
class IOSBrowser(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
# If ctypes isn't available, we can't open a browser
if objc is None:
return False
diff --git
a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
new file mode 100644
index 00000000000000..0f27eae99a0dfd
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
@@ -0,0 +1 @@
+Reject leading dashes in URLs passed to :func:`webbrowser.open`
_______________________________________________
Python-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: [email protected]
