mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-27 11:13:38 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
c0d690e103eec99e329a222fdeed7d4380f23a48
poky/meta/recipes-devtools/python/python3/CVE-2026-4519_p1.patch
Sudhir Dumbhare 1401e6e003 python3: Fix CVE-2026-4519 and CVE-2026-4786 
Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2],
and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with
leading dashes when invoking browser commands, as referenced in [5].

CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action
in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in
[5], to revalidate the URL after %action expansion.

[1] cbba611939
[2] ceac1efc66
[3] 96fc504860
[4] f4654824ae
[5] https://security-tracker.debian.org/tracker/CVE-2026-4519
[6] https://security-tracker.debian.org/tracker/CVE-2026-4786

References:
https://nvd.nist.gov/vuln/detail/CVE-2026-4519
https://nvd.nist.gov/vuln/detail/CVE-2026-4786

(From OE-Core rev: e6d81b3be531e97058366c81056a38c0b6fa7380)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00

108 lines
3.9 KiB
Diff
Raw Blame History

From 7df48dd3c6330611a04d85a5159c0ea424dc1e62 Mon Sep 17 00:00:00 2001
From: Pinky <pinky00ch@gmail.com>
Date: Wed, 25 Mar 2026 01:02:37 +0530
Subject: [PATCH] [3.12] gh-143930: Reject leading dashes in webbrowser
URLs (GH-146360)
CVE: CVE-2026-4519
Upstream-Status: Backport [https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48]
Backport Changes:
- This file is not present in the current version and is therefore omitted
Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
Co-authored-by: Seth Michael Larson <seth@python.org>
(cherry picked from commit cbba6119391112aba9c5aebf7b94aea447922c48)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
---
Lib/test/test_webbrowser.py | 5 +++++
Lib/webbrowser.py | 12 ++++++++++++
2 files changed, 17 insertions(+)
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index 2d695bc8831..60f094fd6a1 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -59,6 +59,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
options=[],
arguments=[URL])
+ def test_reject_dash_prefixes(self):
+ browser = self.browser_class(name=CMD_NAME)
+ with self.assertRaises(ValueError):
+ browser.open(f"--key=val {URL}")
+
class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index 13b9e85f9e1..0bdb644d7db 100755
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -158,6 +158,12 @@ class BaseBrowser(object):
def open_new_tab(self, url):
return self.open(url, 2)
+ @staticmethod
+ def _check_url(url):
+ """Ensures that the URL is safe to pass to subprocesses as a parameter"""
+ if url and url.lstrip().startswith("-"):
+ raise ValueError(f"Invalid URL: {url}")
+
class GenericBrowser(BaseBrowser):
"""Class for all browsers started with a command
@@ -175,6 +181,7 @@ class GenericBrowser(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
try:
@@ -195,6 +202,7 @@ class BackgroundBrowser(GenericBrowser):
cmdline = [self.name] + [arg.replace("%s", url)
for arg in self.args]
sys.audit("webbrowser.open", url)
+ self._check_url(url)
try:
if sys.platform[:3] == 'win':
p = subprocess.Popen(cmdline)
@@ -260,6 +268,7 @@ class UnixBrowser(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
if new == 0:
action = self.remote_action
elif new == 1:
@@ -350,6 +359,7 @@ class Konqueror(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
# XXX Currently I know no way to prevent KFM from opening a new win.
if new == 2:
action = "newTab"
@@ -554,6 +564,7 @@ if sys.platform[:3] == "win":
class WindowsDefault(BaseBrowser):
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
try:
os.startfile(url)
except OSError:
@@ -638,6 +649,7 @@ if sys.platform == 'darwin':
def open(self, url, new=0, autoraise=True):
sys.audit("webbrowser.open", url)
+ self._check_url(url)
if self.name == 'default':
script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
else:
--
2.35.6
Reference in New Issue View Git Blame Copy Permalink