From d11a500e0aa3d438e2d6725edcde181e4a9cd764 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Langa?= <lukasz@langa.pl>
Date: Fri, 3 Apr 2026 19:45:02 +0200
Subject: [PATCH] [3.12] gh-143930: Tweak the exception message and increase
 test coverage (GH-146476) (GH-148045) (cherry picked from commit
 89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit 3681d47a440865aead912a054d4599087b4270dd)
---
 Lib/test/test_webbrowser.py                   | 81 +++++++++++++++++--
 Lib/webbrowser.py                             |  2 +-
 ...-01-16-12-04-49.gh-issue-143930.zYC5x3.rst |  2 +-
 3 files changed, 77 insertions(+), 8 deletions(-)

diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index 60f094fd6a112e..c9bf525360d434 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -1,6 +1,7 @@
+import io
+import os
 import webbrowser
 import unittest
-import os
 import sys
 import subprocess
 from unittest import mock
@@ -49,6 +50,14 @@ def _test(self, meth, *, args=[URL], kw={}, options, arguments):
             popen_args.pop(popen_args.index(option))
         self.assertEqual(popen_args, arguments)
 
+    def test_reject_dash_prefixes(self):
+        browser = self.browser_class(name=CMD_NAME)
+        with self.assertRaisesRegex(
+            ValueError,
+            r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$"
+        ):
+            browser.open(f"--key=val {URL}")
+
 
 class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
 
@@ -59,11 +68,6 @@ def test_open(self):
                    options=[],
                    arguments=[URL])
 
-    def test_reject_dash_prefixes(self):
-        browser = self.browser_class(name=CMD_NAME)
-        with self.assertRaises(ValueError):
-            browser.open(f"--key=val {URL}")
-
 
 class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
 
@@ -224,6 +228,71 @@ def test_open_new_tab(self):
                    arguments=['openURL({},new-tab)'.format(URL)])
 
 
+class MockPopenPipe:
+    def __init__(self, cmd, mode):
+        self.cmd = cmd
+        self.mode = mode
+        self.pipe = io.StringIO()
+        self._closed = False
+
+    def write(self, buf):
+        self.pipe.write(buf)
+
+    def close(self):
+        self._closed = True
+        return None
+
+
+@unittest.skipUnless(sys.platform == "darwin", "macOS specific test")
+class MacOSXOSAScriptTest(unittest.TestCase):
+    def setUp(self):
+        # Ensure that 'BROWSER' is not set to 'open' or something else.
+        # See: https://github.com/python/cpython/issues/131254.
+        env = self.enterContext(os_helper.EnvironmentVarGuard())
+        env.unset("BROWSER")
+
+        support.patch(self, os, "popen", self.mock_popen)
+        self.browser = webbrowser.MacOSXOSAScript("default")
+
+    def mock_popen(self, cmd, mode):
+        self.popen_pipe = MockPopenPipe(cmd, mode)
+        return self.popen_pipe
+
+    def test_default(self):
+        browser = webbrowser.get()
+        assert isinstance(browser, webbrowser.MacOSXOSAScript)
+        self.assertEqual(browser.name, "default")
+
+    def test_default_open(self):
+        url = "https://python.org"
+        self.browser.open(url)
+        self.assertTrue(self.popen_pipe._closed)
+        self.assertEqual(self.popen_pipe.cmd, "osascript")
+        script = self.popen_pipe.pipe.getvalue()
+        self.assertEqual(script.strip(), f'open location "{url}"')
+
+    def test_url_quote(self):
+        self.browser.open('https://python.org/"quote"')
+        script = self.popen_pipe.pipe.getvalue()
+        self.assertEqual(
+            script.strip(), 'open location "https://python.org/%22quote%22"'
+        )
+
+    def test_explicit_browser(self):
+        browser = webbrowser.MacOSXOSAScript("safari")
+        browser.open("https://python.org")
+        script = self.popen_pipe.pipe.getvalue()
+        self.assertIn('tell application "safari"', script)
+        self.assertIn('open location "https://python.org"', script)
+
+    def test_reject_dash_prefixes(self):
+        with self.assertRaisesRegex(
+            ValueError,
+            r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$"
+        ):
+            self.browser.open(f"--key=val {URL}")
+
+
 class BrowserRegistrationTest(unittest.TestCase):
 
     def setUp(self):
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index 0bdb644d7dbc80..000e89275b7a7c 100755
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -162,7 +162,7 @@ def open_new_tab(self, url):
     def _check_url(url):
         """Ensures that the URL is safe to pass to subprocesses as a parameter"""
         if url and url.lstrip().startswith("-"):
-            raise ValueError(f"Invalid URL: {url}")
+            raise ValueError(f"Invalid URL (leading dash disallowed): {url!r}")
 
 
 class GenericBrowser(BaseBrowser):
diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
index 0f27eae99a0dfd..c561023c3c2d7a 100644
--- a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
@@ -1 +1 @@
-Reject leading dashes in URLs passed to :func:`webbrowser.open`
+Reject leading dashes in URLs passed to :func:`webbrowser.open`.