mirror of
https://git.yoctoproject.org/poky
synced 2026-06-27 11:13:38 +02:00
1401e6e003
Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2], and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with leading dashes when invoking browser commands, as referenced in [5]. CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in [5], to revalidate the URL after %action expansion. [1]cbba611939[2]ceac1efc66[3]96fc504860[4]f4654824ae[5] https://security-tracker.debian.org/tracker/CVE-2026-4519 [6] https://security-tracker.debian.org/tracker/CVE-2026-4786 References: https://nvd.nist.gov/vuln/detail/CVE-2026-4519 https://nvd.nist.gov/vuln/detail/CVE-2026-4786 (From OE-Core rev: e6d81b3be531e97058366c81056a38c0b6fa7380) Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
67 lines
2.6 KiB
Diff
67 lines
2.6 KiB
Diff
From b9af29b9f2f880cdcdc49a1460743680f59dcb4e Mon Sep 17 00:00:00 2001
|
|
From: Stan Ulbrych <stan@python.org>
|
|
Date: Mon, 13 Apr 2026 22:41:51 +0100
|
|
Subject: [PATCH] [3.11] gh-148169: Fix webbrowser `%action` substitution
|
|
bypass of dash-prefix check (GH-148170) (#148520)
|
|
|
|
CVE: CVE-2026-4519 CVE-2026-4786
|
|
Upstream-Status: Backport [https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769]
|
|
|
|
Backport Changes:
|
|
- This file is not present in the current version and is therefore omitted.
|
|
Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
|
|
|
|
(cherry picked from commit d22922c8a7958353689dc4763dd72da2dea03fff)
|
|
(cherry picked from commit f4654824ae0850ac87227fb270f9057477946769)
|
|
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
|
|
---
|
|
Lib/test/test_webbrowser.py | 8 ++++++++
|
|
Lib/webbrowser.py | 5 +++--
|
|
2 files changed, 11 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
|
|
index c9bf525360d..1d21f133725 100644
|
|
--- a/Lib/test/test_webbrowser.py
|
|
+++ b/Lib/test/test_webbrowser.py
|
|
@@ -103,6 +103,14 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase):
|
|
options=[],
|
|
arguments=[URL])
|
|
|
|
+ def test_reject_action_dash_prefixes(self):
|
|
+ browser = self.browser_class(name=CMD_NAME)
|
|
+ with self.assertRaises(ValueError):
|
|
+ browser.open('%action--incognito')
|
|
+ # new=1: action is "--new-window", so "%action" itself expands to
|
|
+ # a dash-prefixed flag even with no dash in the original URL.
|
|
+ with self.assertRaises(ValueError):
|
|
+ browser.open('%action', new=1)
|
|
|
|
class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
|
|
|
|
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
|
|
index 000e89275b7..97c4eec9080 100755
|
|
--- a/Lib/webbrowser.py
|
|
+++ b/Lib/webbrowser.py
|
|
@@ -268,7 +268,6 @@ class UnixBrowser(BaseBrowser):
|
|
|
|
def open(self, url, new=0, autoraise=True):
|
|
sys.audit("webbrowser.open", url)
|
|
- self._check_url(url)
|
|
if new == 0:
|
|
action = self.remote_action
|
|
elif new == 1:
|
|
@@ -282,7 +281,9 @@ class UnixBrowser(BaseBrowser):
|
|
raise Error("Bad 'new' parameter to open(); " +
|
|
"expected 0, 1, or 2, got %s" % new)
|
|
|
|
- args = [arg.replace("%s", url).replace("%action", action)
|
|
+ self._check_url(url.replace("%action", action))
|
|
+
|
|
+ args = [arg.replace("%action", action).replace("%s", url)
|
|
for arg in self.remote_args]
|
|
args = [arg for arg in args if arg]
|
|
success = self._invoke(args, True, autoraise, url)
|
|
--
|
|
2.35.6
|
|
|