
[3.14] gh-148169: Fix webbrowser %action substitution bypass of dash-prefix check (GH-148170)#148516

Open
miss-islington wants to merge 1 commit into python:3.14 from miss-islington:backport-d22922c-3.14

Conversation

miss-islington commented Apr 13, 2026

(cherry picked from commit d22922c)

Co-authored-by: Stan Ulbrych <stan@python.org>

…-prefix check (pythonGH-148170)

(cherry picked from commit d22922c8a7958353689dc4763dd72da2dea03fff)

Co-authored-by: Stan Ulbrych <stan@python.org>
mandree added a commit to mandree/freebsd-ports that referenced this pull request Apr 13, 2026
Cherry-pick fix to resolve
Incomplete mitigation of CVE-2026-4519,
%action expansion for command injection to webbrowser.open()

Obtained from:	python/cpython#148516
Security:       CVE-2026-4786
Security:       cf75f572-378a-11f1-a119-e36228bfe7d4