https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd
commit: 3681d47a440865aead912a054d4599087b4270dd
branch: main
author: Ćukasz Langa <[email protected]>
committer: ambv <[email protected]>
date: 2026-04-03T17:31:25+02:00
summary:
gh-143930: Tweak the exception message and increase test coverage (GH-146476)
files:
M Lib/test/test_webbrowser.py
M Lib/webbrowser.py
M Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index d5bb1400d2717a..ea161ea1a43ea5 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -57,6 +57,14 @@ def _test(self, meth, *, args=[URL], kw={}, options,
arguments):
popen_args.pop(popen_args.index(option))
self.assertEqual(popen_args, arguments)
+ def test_reject_dash_prefixes(self):
+ browser = self.browser_class(name=CMD_NAME)
+ with self.assertRaisesRegex(
+ ValueError,
+ r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$"
+ ):
+ browser.open(f"--key=val {URL}")
+
class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
@@ -67,11 +75,6 @@ def test_open(self):
options=[],
arguments=[URL])
- def test_reject_dash_prefixes(self):
- browser = self.browser_class(name=CMD_NAME)
- with self.assertRaises(ValueError):
- browser.open(f"--key=val {URL}")
-
class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
@@ -326,7 +329,6 @@ def close(self):
@unittest.skipUnless(sys.platform == "darwin", "macOS specific test")
@requires_subprocess()
class MacOSXOSAScriptTest(unittest.TestCase):
-
def setUp(self):
# Ensure that 'BROWSER' is not set to 'open' or something else.
# See: https://github.com/python/cpython/issues/131254.
@@ -376,6 +378,13 @@ def test_explicit_browser(self):
self.assertIn('tell application "safari"', script)
self.assertIn('open location "https://python.org";', script)
+ def test_reject_dash_prefixes(self):
+ with self.assertRaisesRegex(
+ ValueError,
+ r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$"
+ ):
+ self.browser.open(f"--key=val {URL}")
+
class BrowserRegistrationTest(unittest.TestCase):
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index 9ead2990e818e5..deb6e64d17421b 100644
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -167,7 +167,7 @@ def open_new_tab(self, url):
def _check_url(url):
"""Ensures that the URL is safe to pass to subprocesses as a
parameter"""
if url and url.lstrip().startswith("-"):
- raise ValueError(f"Invalid URL: {url}")
+ raise ValueError(f"Invalid URL (leading dash disallowed): {url!r}")
class GenericBrowser(BaseBrowser):
diff --git
a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
index 0f27eae99a0dfd..c561023c3c2d7a 100644
--- a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
@@ -1 +1 @@
-Reject leading dashes in URLs passed to :func:`webbrowser.open`
+Reject leading dashes in URLs passed to :func:`webbrowser.open`.
_______________________________________________
Python-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: [email protected]
