From b9af29b9f2f880cdcdc49a1460743680f59dcb4e Mon Sep 17 00:00:00 2001
From: Stan Ulbrych
Date: Mon, 13 Apr 2026 22:41:51 +0100
Subject: [PATCH] [3.11] gh-148169: Fix webbrowser `%action` substitution bypass of dash-prefix check (GH-148170) (#148520)
CVE: CVE-2026-4519 CVE-2026-4786
Upstream-Status: Backport [https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769]
Backport Changes: - This file is not present in the current version and is therefore omitted. Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
(cherry picked from commit d22922c8a7958353689dc4763dd72da2dea03fff)
(cherry picked from commit f4654824ae0850ac87227fb270f9057477946769)
Signed-off-by: Sudhir Dumbhare
---
 Lib/test/test_webbrowser.py | 8 ++++++++
 Lib/webbrowser.py | 5 +++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index c9bf525360d..1d21f133725 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -103,6 +103,14 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase):
 options=[],
 arguments=[URL])

+ def test_reject_action_dash_prefixes(self):
+ browser = self.browser_class(name=CMD_NAME)
+ with self.assertRaises(ValueError):
+ browser.open('%action--incognito')
+ # new=1: action is "--new-window", so "%action" itself expands to
+ # a dash-prefixed flag even with no dash in the original URL.
+ with self.assertRaises(ValueError):
+ browser.open('%action', new=1)

 class EdgeCommandTest(CommandTestMixin, unittest.TestCase):

diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index 000e89275b7..97c4eec9080 100755
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -268,7 +268,6 @@ class UnixBrowser(BaseBrowser):

 def open(self, url, new=0, autoraise=True):
 sys.audit("webbrowser.open", url)
- self._check_url(url)
 if new == 0:
 action = self.remote_action
 elif new == 1:
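Review bot: In Lib/test/test_webbrowser.py, `test_reject_action_dash_prefixes` pins only the rejection path; the other half of the fix, that a `%action` placeholder inside the caller's URL is no longer expanded when the argument list is built, has no regression test. A further case that opens a URL carrying `%action` after the scheme and asserts that the launched command line contains it verbatim would catch a later swap of the two `replace` calls in `UnixBrowser.open`. The test is also added only to `ChromeCommandTest` and exercises `new=0` and `new=1`, so `new=2` and any other browser class whose template uses `%action` stay uncovered. The class body starts outside this hunk.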
@@ -282,7 +281,9 @@ class UnixBrowser(BaseBrowser):
 raise Error("Bad 'new' parameter to open(); " +
 "expected 0, 1, or 2, got %s" % new)

- args = [arg.replace("%s", url).replace("%action", action)
+ self._check_url(url.replace("%action", action))
+
+ args = [arg.replace("%action", action).replace("%s", url)
 for arg in self.remote_args]
 args = [arg for arg in args if arg]
 success = self._invoke(args, True, autoraise, url)
--
2.35.6
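Review bot: The fix in `UnixBrowser.open` depends on an ordering that no comment explains. `%action` is now expanded in each `remote_args` template before `%s`, so placeholder text inside the URL is never expanded, while `_check_url` is given the expanded form `url.replace("%action", action)` rather than the string that actually reaches the argument list. A comment above the call would stop a later refactor from swapping the order back, for example `# Expand %action before %s so the URL cannot smuggle in the action flag; also check the expanded form.` The check also now runs after the `new` validation, so a bad `new` value combined with a dash-prefixed URL raises `Error` where it previously raised the check's exception (presumably `ValueError`, as the new test expects); worth confirming that no caller relies on the old precedence. The body of `open` begins and ends outside this hunk.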