mirror of
https://git.yoctoproject.org/poky
synced 2026-07-16 15:57:04 +00:00
python3: Fix CVE-2026-4519 and CVE-2026-4786
Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2], and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with leading dashes when invoking browser commands, as referenced in [5]. CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in [5], to revalidate the URL after %action expansion. [1] https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48 [2] https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03 [3] https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c [4] https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769 [5] https://security-tracker.debian.org/tracker/CVE-2026-4519 [6] https://security-tracker.debian.org/tracker/CVE-2026-4786 References: https://nvd.nist.gov/vuln/detail/CVE-2026-4519 https://nvd.nist.gov/vuln/detail/CVE-2026-4786 (From OE-Core rev: e6d81b3be531e97058366c81056a38c0b6fa7380) Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
703b680089
commit
1401e6e003
@@ -0,0 +1,66 @@
|
|||||||
|
From b9af29b9f2f880cdcdc49a1460743680f59dcb4e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stan Ulbrych <stan@python.org>
|
||||||
|
Date: Mon, 13 Apr 2026 22:41:51 +0100
|
||||||
|
Subject: [PATCH] [3.11] gh-148169: Fix webbrowser `%action` substitution
|
||||||
|
bypass of dash-prefix check (GH-148170) (#148520)
|
||||||
|
|
||||||
|
CVE: CVE-2026-4519 CVE-2026-4786
|
||||||
|
Upstream-Status: Backport [https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769]
|
||||||
|
|
||||||
|
Backport Changes:
|
||||||
|
- This file is not present in the current version and is therefore omitted.
|
||||||
|
Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
|
||||||
|
|
||||||
|
(cherry picked from commit d22922c8a7958353689dc4763dd72da2dea03fff)
|
||||||
|
(cherry picked from commit f4654824ae0850ac87227fb270f9057477946769)
|
||||||
|
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
|
||||||
|
---
|
||||||
|
Lib/test/test_webbrowser.py | 8 ++++++++
|
||||||
|
Lib/webbrowser.py | 5 +++--
|
||||||
|
2 files changed, 11 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
|
||||||
|
index c9bf525360d..1d21f133725 100644
|
||||||
|
--- a/Lib/test/test_webbrowser.py
|
||||||
|
+++ b/Lib/test/test_webbrowser.py
|
||||||
|
@@ -103,6 +103,14 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase):
|
||||||
|
options=[],
|
||||||
|
arguments=[URL])
|
||||||
|
|
||||||
|
+ def test_reject_action_dash_prefixes(self):
|
||||||
|
+ browser = self.browser_class(name=CMD_NAME)
|
||||||
|
+ with self.assertRaises(ValueError):
|
||||||
|
+ browser.open('%action--incognito')
|
||||||
|
+ # new=1: action is "--new-window", so "%action" itself expands to
|
||||||
|
+ # a dash-prefixed flag even with no dash in the original URL.
|
||||||
|
+ with self.assertRaises(ValueError):
|
||||||
|
+ browser.open('%action', new=1)
|
||||||
|
|
||||||
|
class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
|
||||||
|
|
||||||
|
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
|
||||||
|
index 000e89275b7..97c4eec9080 100755
|
||||||
|
--- a/Lib/webbrowser.py
|
||||||
|
+++ b/Lib/webbrowser.py
|
||||||
|
@@ -268,7 +268,6 @@ class UnixBrowser(BaseBrowser):
|
||||||
|
|
||||||
|
def open(self, url, new=0, autoraise=True):
|
||||||
|
sys.audit("webbrowser.open", url)
|
||||||
|
- self._check_url(url)
|
||||||
|
if new == 0:
|
||||||
|
action = self.remote_action
|
||||||
|
elif new == 1:
|
||||||
|
@@ -282,7 +281,9 @@ class UnixBrowser(BaseBrowser):
|
||||||
|
raise Error("Bad 'new' parameter to open(); " +
|
||||||
|
"expected 0, 1, or 2, got %s" % new)
|
||||||
|
|
||||||
|
- args = [arg.replace("%s", url).replace("%action", action)
|
||||||
|
+ self._check_url(url.replace("%action", action))
|
||||||
|
+
|
||||||
|
+ args = [arg.replace("%action", action).replace("%s", url)
|
||||||
|
for arg in self.remote_args]
|
||||||
|
args = [arg for arg in args if arg]
|
||||||
|
success = self._invoke(args, True, autoraise, url)
|
||||||
|
--
|
||||||
|
2.35.6
|
||||||
|
|
||||||
@@ -0,0 +1,107 @@
|
|||||||
|
From 7df48dd3c6330611a04d85a5159c0ea424dc1e62 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pinky <pinky00ch@gmail.com>
|
||||||
|
Date: Wed, 25 Mar 2026 01:02:37 +0530
|
||||||
|
Subject: [PATCH] [3.12] gh-143930: Reject leading dashes in webbrowser
|
||||||
|
URLs (GH-146360)
|
||||||
|
|
||||||
|
CVE: CVE-2026-4519
|
||||||
|
Upstream-Status: Backport [https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48]
|
||||||
|
|
||||||
|
Backport Changes:
|
||||||
|
- This file is not present in the current version and is therefore omitted
|
||||||
|
Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
|
||||||
|
|
||||||
|
(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
|
||||||
|
|
||||||
|
Co-authored-by: Seth Michael Larson <seth@python.org>
|
||||||
|
(cherry picked from commit cbba6119391112aba9c5aebf7b94aea447922c48)
|
||||||
|
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
|
||||||
|
---
|
||||||
|
Lib/test/test_webbrowser.py | 5 +++++
|
||||||
|
Lib/webbrowser.py | 12 ++++++++++++
|
||||||
|
2 files changed, 17 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
|
||||||
|
index 2d695bc8831..60f094fd6a1 100644
|
||||||
|
--- a/Lib/test/test_webbrowser.py
|
||||||
|
+++ b/Lib/test/test_webbrowser.py
|
||||||
|
@@ -59,6 +59,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
|
||||||
|
options=[],
|
||||||
|
arguments=[URL])
|
||||||
|
|
||||||
|
+ def test_reject_dash_prefixes(self):
|
||||||
|
+ browser = self.browser_class(name=CMD_NAME)
|
||||||
|
+ with self.assertRaises(ValueError):
|
||||||
|
+ browser.open(f"--key=val {URL}")
|
||||||
|
+
|
||||||
|
|
||||||
|
class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
|
||||||
|
|
||||||
|
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
|
||||||
|
index 13b9e85f9e1..0bdb644d7db 100755
|
||||||
|
--- a/Lib/webbrowser.py
|
||||||
|
+++ b/Lib/webbrowser.py
|
||||||
|
@@ -158,6 +158,12 @@ class BaseBrowser(object):
|
||||||
|
def open_new_tab(self, url):
|
||||||
|
return self.open(url, 2)
|
||||||
|
|
||||||
|
+ @staticmethod
|
||||||
|
+ def _check_url(url):
|
||||||
|
+ """Ensures that the URL is safe to pass to subprocesses as a parameter"""
|
||||||
|
+ if url and url.lstrip().startswith("-"):
|
||||||
|
+ raise ValueError(f"Invalid URL: {url}")
|
||||||
|
+
|
||||||
|
|
||||||
|
class GenericBrowser(BaseBrowser):
|
||||||
|
"""Class for all browsers started with a command
|
||||||
|
@@ -175,6 +181,7 @@ class GenericBrowser(BaseBrowser):
|
||||||
|
|
||||||
|
def open(self, url, new=0, autoraise=True):
|
||||||
|
sys.audit("webbrowser.open", url)
|
||||||
|
+ self._check_url(url)
|
||||||
|
cmdline = [self.name] + [arg.replace("%s", url)
|
||||||
|
for arg in self.args]
|
||||||
|
try:
|
||||||
|
@@ -195,6 +202,7 @@ class BackgroundBrowser(GenericBrowser):
|
||||||
|
cmdline = [self.name] + [arg.replace("%s", url)
|
||||||
|
for arg in self.args]
|
||||||
|
sys.audit("webbrowser.open", url)
|
||||||
|
+ self._check_url(url)
|
||||||
|
try:
|
||||||
|
if sys.platform[:3] == 'win':
|
||||||
|
p = subprocess.Popen(cmdline)
|
||||||
|
@@ -260,6 +268,7 @@ class UnixBrowser(BaseBrowser):
|
||||||
|
|
||||||
|
def open(self, url, new=0, autoraise=True):
|
||||||
|
sys.audit("webbrowser.open", url)
|
||||||
|
+ self._check_url(url)
|
||||||
|
if new == 0:
|
||||||
|
action = self.remote_action
|
||||||
|
elif new == 1:
|
||||||
|
@@ -350,6 +359,7 @@ class Konqueror(BaseBrowser):
|
||||||
|
|
||||||
|
def open(self, url, new=0, autoraise=True):
|
||||||
|
sys.audit("webbrowser.open", url)
|
||||||
|
+ self._check_url(url)
|
||||||
|
# XXX Currently I know no way to prevent KFM from opening a new win.
|
||||||
|
if new == 2:
|
||||||
|
action = "newTab"
|
||||||
|
@@ -554,6 +564,7 @@ if sys.platform[:3] == "win":
|
||||||
|
class WindowsDefault(BaseBrowser):
|
||||||
|
def open(self, url, new=0, autoraise=True):
|
||||||
|
sys.audit("webbrowser.open", url)
|
||||||
|
+ self._check_url(url)
|
||||||
|
try:
|
||||||
|
os.startfile(url)
|
||||||
|
except OSError:
|
||||||
|
@@ -638,6 +649,7 @@ if sys.platform == 'darwin':
|
||||||
|
|
||||||
|
def open(self, url, new=0, autoraise=True):
|
||||||
|
sys.audit("webbrowser.open", url)
|
||||||
|
+ self._check_url(url)
|
||||||
|
if self.name == 'default':
|
||||||
|
script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
|
||||||
|
else:
|
||||||
|
--
|
||||||
|
2.35.6
|
||||||
|
|
||||||
@@ -0,0 +1,159 @@
|
|||||||
|
From 3ca64ff1722d2410a4e50e760de70f6279fa99fa Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Miss Islington (bot)"
|
||||||
|
<31488909+miss-islington@users.noreply.github.com>
|
||||||
|
Date: Sat, 4 Apr 2026 00:53:49 +0200
|
||||||
|
Subject: [PATCH] [3.11] gh-143930: Tweak the exception message and
|
||||||
|
increase test coverage (GH-146476) (GH-148045) (GH-148051) (GH-148052)
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
CVE: CVE-2026-4519
|
||||||
|
Upstream-Status: Backport [https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c]
|
||||||
|
|
||||||
|
Backport Changes:
|
||||||
|
- This file is not present in the current version and is therefore omitted.
|
||||||
|
Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
|
||||||
|
- The file introduced in v3.12 by this commit;
|
||||||
|
https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
|
||||||
|
|
||||||
|
(cherry picked from commit cc023511238ad93ecc8796157c6f9139a2bb2932)
|
||||||
|
(cherry picked from commit 89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4)
|
||||||
|
(cherry picked from commit 3681d47a440865aead912a054d4599087b4270dd)
|
||||||
|
|
||||||
|
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
|
||||||
|
(cherry picked from commit 96fc5048605863c7b6fd6289643feb0e97edd96c)
|
||||||
|
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
|
||||||
|
---
|
||||||
|
Lib/test/test_webbrowser.py | 81 ++++++++++++++++++++++++++++++++++---
|
||||||
|
Lib/webbrowser.py | 2 +-
|
||||||
|
2 files changed, 76 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
|
||||||
|
index 60f094fd6a1..c9bf525360d 100644
|
||||||
|
--- a/Lib/test/test_webbrowser.py
|
||||||
|
+++ b/Lib/test/test_webbrowser.py
|
||||||
|
@@ -1,6 +1,7 @@
|
||||||
|
+import io
|
||||||
|
+import os
|
||||||
|
import webbrowser
|
||||||
|
import unittest
|
||||||
|
-import os
|
||||||
|
import sys
|
||||||
|
import subprocess
|
||||||
|
from unittest import mock
|
||||||
|
@@ -49,6 +50,14 @@ class CommandTestMixin:
|
||||||
|
popen_args.pop(popen_args.index(option))
|
||||||
|
self.assertEqual(popen_args, arguments)
|
||||||
|
|
||||||
|
+ def test_reject_dash_prefixes(self):
|
||||||
|
+ browser = self.browser_class(name=CMD_NAME)
|
||||||
|
+ with self.assertRaisesRegex(
|
||||||
|
+ ValueError,
|
||||||
|
+ r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$"
|
||||||
|
+ ):
|
||||||
|
+ browser.open(f"--key=val {URL}")
|
||||||
|
+
|
||||||
|
|
||||||
|
class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
|
||||||
|
|
||||||
|
@@ -59,11 +68,6 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
|
||||||
|
options=[],
|
||||||
|
arguments=[URL])
|
||||||
|
|
||||||
|
- def test_reject_dash_prefixes(self):
|
||||||
|
- browser = self.browser_class(name=CMD_NAME)
|
||||||
|
- with self.assertRaises(ValueError):
|
||||||
|
- browser.open(f"--key=val {URL}")
|
||||||
|
-
|
||||||
|
|
||||||
|
class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
|
||||||
|
|
||||||
|
@@ -224,6 +228,71 @@ class ELinksCommandTest(CommandTestMixin, unittest.TestCase):
|
||||||
|
arguments=['openURL({},new-tab)'.format(URL)])
|
||||||
|
|
||||||
|
|
||||||
|
+class MockPopenPipe:
|
||||||
|
+ def __init__(self, cmd, mode):
|
||||||
|
+ self.cmd = cmd
|
||||||
|
+ self.mode = mode
|
||||||
|
+ self.pipe = io.StringIO()
|
||||||
|
+ self._closed = False
|
||||||
|
+
|
||||||
|
+ def write(self, buf):
|
||||||
|
+ self.pipe.write(buf)
|
||||||
|
+
|
||||||
|
+ def close(self):
|
||||||
|
+ self._closed = True
|
||||||
|
+ return None
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+@unittest.skipUnless(sys.platform == "darwin", "macOS specific test")
|
||||||
|
+class MacOSXOSAScriptTest(unittest.TestCase):
|
||||||
|
+ def setUp(self):
|
||||||
|
+ # Ensure that 'BROWSER' is not set to 'open' or something else.
|
||||||
|
+ # See: https://github.com/python/cpython/issues/131254.
|
||||||
|
+ env = self.enterContext(os_helper.EnvironmentVarGuard())
|
||||||
|
+ env.unset("BROWSER")
|
||||||
|
+
|
||||||
|
+ support.patch(self, os, "popen", self.mock_popen)
|
||||||
|
+ self.browser = webbrowser.MacOSXOSAScript("default")
|
||||||
|
+
|
||||||
|
+ def mock_popen(self, cmd, mode):
|
||||||
|
+ self.popen_pipe = MockPopenPipe(cmd, mode)
|
||||||
|
+ return self.popen_pipe
|
||||||
|
+
|
||||||
|
+ def test_default(self):
|
||||||
|
+ browser = webbrowser.get()
|
||||||
|
+ assert isinstance(browser, webbrowser.MacOSXOSAScript)
|
||||||
|
+ self.assertEqual(browser.name, "default")
|
||||||
|
+
|
||||||
|
+ def test_default_open(self):
|
||||||
|
+ url = "https://python.org"
|
||||||
|
+ self.browser.open(url)
|
||||||
|
+ self.assertTrue(self.popen_pipe._closed)
|
||||||
|
+ self.assertEqual(self.popen_pipe.cmd, "osascript")
|
||||||
|
+ script = self.popen_pipe.pipe.getvalue()
|
||||||
|
+ self.assertEqual(script.strip(), f'open location "{url}"')
|
||||||
|
+
|
||||||
|
+ def test_url_quote(self):
|
||||||
|
+ self.browser.open('https://python.org/"quote"')
|
||||||
|
+ script = self.popen_pipe.pipe.getvalue()
|
||||||
|
+ self.assertEqual(
|
||||||
|
+ script.strip(), 'open location "https://python.org/%22quote%22"'
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ def test_explicit_browser(self):
|
||||||
|
+ browser = webbrowser.MacOSXOSAScript("safari")
|
||||||
|
+ browser.open("https://python.org")
|
||||||
|
+ script = self.popen_pipe.pipe.getvalue()
|
||||||
|
+ self.assertIn('tell application "safari"', script)
|
||||||
|
+ self.assertIn('open location "https://python.org"', script)
|
||||||
|
+
|
||||||
|
+ def test_reject_dash_prefixes(self):
|
||||||
|
+ with self.assertRaisesRegex(
|
||||||
|
+ ValueError,
|
||||||
|
+ r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$"
|
||||||
|
+ ):
|
||||||
|
+ self.browser.open(f"--key=val {URL}")
|
||||||
|
+
|
||||||
|
+
|
||||||
|
class BrowserRegistrationTest(unittest.TestCase):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
|
||||||
|
index 0bdb644d7db..000e89275b7 100755
|
||||||
|
--- a/Lib/webbrowser.py
|
||||||
|
+++ b/Lib/webbrowser.py
|
||||||
|
@@ -162,7 +162,7 @@ class BaseBrowser(object):
|
||||||
|
def _check_url(url):
|
||||||
|
"""Ensures that the URL is safe to pass to subprocesses as a parameter"""
|
||||||
|
if url and url.lstrip().startswith("-"):
|
||||||
|
- raise ValueError(f"Invalid URL: {url}")
|
||||||
|
+ raise ValueError(f"Invalid URL (leading dash disallowed): {url!r}")
|
||||||
|
|
||||||
|
|
||||||
|
class GenericBrowser(BaseBrowser):
|
||||||
|
--
|
||||||
|
2.35.6
|
||||||
|
|
||||||
@@ -37,6 +37,9 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
|
|||||||
file://CVE-2026-1502.patch \
|
file://CVE-2026-1502.patch \
|
||||||
file://CVE-2026-6100.patch \
|
file://CVE-2026-6100.patch \
|
||||||
file://CVE-2026-3644_CVE-2026-0672.patch \
|
file://CVE-2026-3644_CVE-2026-0672.patch \
|
||||||
|
file://CVE-2026-4519_p1.patch \
|
||||||
|
file://CVE-2026-4519_p2.patch \
|
||||||
|
file://CVE-2026-4519_CVE-2026-4786.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI:append:class-native = " \
|
SRC_URI:append:class-native = " \
|
||||||
|
|||||||
Reference in New Issue
Block a user