5 changes: 5 additions & 0 deletions Lib/test/test_webbrowser.py
Expand Up @@ -59,6 +59,11 @@ def test_open(self):
options=[],
arguments=[URL])

def test_reject_dash_prefixes(self):
browser = self.browser_class(name=CMD_NAME)
with self.assertRaises(ValueError):
browser.open(f"--key=val {URL}")


class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):

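Review bot: `test_reject_dash_prefixes` only passes a URL that begins with `-` directly, so the `url.lstrip()` branch of `_check_url` (a dash after leading whitespace) is never exercised. A second case such as `browser.open(f" --key=val {URL}")` in its own `with self.assertRaises(ValueError):` block, or a `self.subTest` loop over both inputs, would pin that behaviour. The method is added to a single test class in this section; the other `open` overrides that gained the guard in `Lib/webbrowser.py` have no test visible here, so dropping one of those calls later would probably go unnoticed.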
12 changes: 12 additions & 0 deletions Lib/webbrowser.py
Expand Up @@ -158,6 +158,12 @@ def open_new(self, url):
def open_new_tab(self, url):
return self.open(url, 2)

@staticmethod
def _check_url(url):
"""Ensures that the URL is safe to pass to subprocesses as a parameter"""
if url and url.lstrip().startswith("-"):
raise ValueError(f"Invalid URL {url!r}: URLs must not start with '-' after leading whitespace")


class GenericBrowser(BaseBrowser):
"""Class for all browsers started with a command
Expand All @@ -175,6 +181,7 @@ def __init__(self, name):

def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
self._check_url(url)
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
try:
Expand All @@ -195,6 +202,7 @@ def open(self, url, new=0, autoraise=True):
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
sys.audit("webbrowser.open", url)
self._check_url(url)
try:
if sys.platform[:3] == 'win':
p = subprocess.Popen(cmdline)
Expand Down Expand Up @@ -260,6 +268,7 @@ def _invoke(self, args, remote, autoraise, url=None):

def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
self._check_url(url)
if new == 0:
action = self.remote_action
elif new == 1:
Expand Down Expand Up @@ -350,6 +359,7 @@ class Konqueror(BaseBrowser):

def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
self._check_url(url)
# XXX Currently I know no way to prevent KFM from opening a new win.
if new == 2:
action = "newTab"
Expand Down Expand Up @@ -554,6 +564,7 @@ def register_standard_browsers():
class WindowsDefault(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
self._check_url(url)
try:
os.startfile(url)
except OSError:
Expand Down Expand Up @@ -638,6 +649,7 @@ def _name(self, val):

def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
self._check_url(url)
if self.name == 'default':
script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
else:
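Review bot: The `_check_url` docstring says the URL is "safe to pass to subprocesses", but the check only rejects a URL whose first non-whitespace character is `-`, which stops the launched command from parsing it as an option. A narrower docstring would avoid giving callers false assurance, for example `"""Reject URLs that a launched command could parse as an option (leading '-')."""`. The guard is added by hand to each `open` override, so an override outside these hunks, or a third-party `BaseBrowser` subclass, is not covered unless it calls `self._check_url(url)` itself; a comment on `_check_url` stating that every `open` implementation must call it would make the contract explicit. In the `-195,6` hunk the call sits after `cmdline` has already been built from the URL, which is harmless because nothing is launched yet, but placing it before the `cmdline` construction would match the other sites.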
@@ -0,0 +1 @@
Reject leading dashes in URLs passed to :func:`webbrowser.open`