
[3.10] gh-143930: Reject leading dashes in webbrowser URLs (GH-143931)#146359

Merged
ambv merged 1 commit into python:3.10 from tomcruiseqi:backport-82a24a4-3.10
Mar 24, 2026


tomcruiseqi commented Mar 24, 2026


Copilot AI left a comment


Pull request overview

This PR backports a security hardening change to webbrowser to prevent option-injection style issues by rejecting URLs that begin with - (after leading whitespace) before passing them to browser launchers.

Changes:

  • Add BaseBrowser._check_url() to reject leading-dash URLs with a ValueError.
  • Invoke _check_url() from multiple open() implementations that launch browsers.
  • Add a regression test and a Security NEWS blurb.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | Documents the security behavior change in webbrowser.open(). |
| Lib/webbrowser.py | Introduces URL validation and applies it to several browser controllers. |
| Lib/test/test_webbrowser.py | Adds a test ensuring leading-dash inputs are rejected (currently for GenericBrowser). |


(cherry picked from commit 82a24a4)

Co-authored-by: Seth Michael Larson <seth@python.org>
tomcruiseqi force-pushed the backport-82a24a4-3.10 branch from 69fd15b to c84b32d on March 24, 2026 07:16
tomcruiseqi changed the title from "[3.10] gh-143930: Reject leading dashes in webbrowser URLs" to "[3.10] gh-143930: Reject leading dashes in webbrowser URLs (GH-143931)" on Mar 24, 2026
bedevere-app bot added the type-security (A security issue) label on Mar 24, 2026
ambv merged commit ad4d5ba into python:3.10 on Mar 24, 2026
15 checks passed
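
The check described in the review overview, sketched as an added example (not code from this PR or from CPython). The function names, the launcher template and the sample values are constructed for illustration; the rule assumed is the one stated above, rejecting a URL whose first non-whitespace character is `-` before it is substituted into a launcher command line.

```python
# Added illustration; names below are hypothetical, not CPython's code.
import shlex


def check_url(url):
    """Raise ValueError if url starts with '-' once leading whitespace is dropped."""
    if url and url.lstrip().startswith("-"):
        raise ValueError(f"Invalid URL: {url!r}")


def build_argv_unchecked(template, url):
    """'Before' form: substitute the URL into a launcher template as-is."""
    return [arg.replace("%s", url) for arg in shlex.split(template)]


def build_argv(template, url):
    """'After' form: validate first, then substitute."""
    check_url(url)
    return build_argv_unchecked(template, url)


def option_like(argv):
    """Return the arguments (after the program name) that start with '-'."""
    return [arg for arg in argv[1:] if arg.lstrip().startswith("-")]


# Constructed inputs: a placeholder launcher and placeholder values.
TEMPLATE = "example-browser %s"
SAMPLES = ["https://example.org/", "--constructed-flag", "  -x", ""]


def audit(samples=SAMPLES, template=TEMPLATE):
    """Map each sample to 'ok' or 'rejected' under the checked builder."""
    results = {}
    for url in samples:
        try:
            build_argv(template, url)
            results[url] = "ok"
        except ValueError:
            results[url] = "rejected"
    return results


if __name__ == "__main__":
    # Without the check, the value reaches the launcher looking like an option.
    print(option_like(build_argv_unchecked(TEMPLATE, "--constructed-flag")))
    for url, verdict in audit().items():
        print(f"{url!r}: {verdict}")
```

On interpreters that do not yet carry this backport, the same guard can be applied by the caller before `webbrowser.open()` is reached.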