From 0e0506c246d1478f649a80c3d087d50871e8041b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20Langa?= Date: Fri, 3 Apr 2026 22:20:03 +0200 Subject: [PATCH 1/2] [3.12] gh-143930: Tweak the exception message and increase test coverage (GH-146476) (GH-148045) (GH-148051) (cherry picked from commit cc023511238ad93ecc8796157c6f9139a2bb2932) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ɓukasz Langa (cherry picked from commit 89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4) (cherry picked from commit 3681d47a440865aead912a054d4599087b4270dd) --- Lib/test/test_webbrowser.py | 81 +++++++++++++++++-- Lib/webbrowser.py | 2 +- ...-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 2 +- 3 files changed, 77 insertions(+), 8 deletions(-) diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py index 5e12f1222d2680..108441e6186736 100644 --- a/Lib/test/test_webbrowser.py +++ b/Lib/test/test_webbrowser.py @@ -1,6 +1,7 @@ +import io +import os import webbrowser import unittest -import os import sys import subprocess from unittest import mock @@ -47,6 +48,14 @@ def _test(self, meth, *, args=[URL], kw={}, options, arguments): popen_args.pop(popen_args.index(option)) self.assertEqual(popen_args, arguments) + def test_reject_dash_prefixes(self): + browser = self.browser_class(name=CMD_NAME) + with self.assertRaisesRegex( + ValueError, + r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$" + ): + browser.open(f"--key=val {URL}") + class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase): @@ -57,11 +66,6 @@ def test_open(self): options=[], arguments=[URL]) - def test_reject_dash_prefixes(self): - browser = self.browser_class(name=CMD_NAME) - with self.assertRaises(ValueError): - browser.open(f"--key=val {URL}") - class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase): @@ -222,6 +226,71 @@ def test_open_new_tab(self): arguments=['openURL({},new-tab)'.format(URL)]) +class MockPopenPipe: + def __init__(self, cmd, mode): + self.cmd = cmd + self.mode = mode + self.pipe = io.StringIO() + self._closed = False + + def write(self, buf): + self.pipe.write(buf) + + def close(self): + self._closed = True + return None + + +@unittest.skipUnless(sys.platform == "darwin", "macOS specific test") +class MacOSXOSAScriptTest(unittest.TestCase): + def setUp(self): + # Ensure that 'BROWSER' is not set to 'open' or something else. + # See: https://github.com/python/cpython/issues/131254. + env = self.enterContext(os_helper.EnvironmentVarGuard()) + env.unset("BROWSER") + + support.patch(self, os, "popen", self.mock_popen) + self.browser = webbrowser.MacOSXOSAScript("default") + + def mock_popen(self, cmd, mode): + self.popen_pipe = MockPopenPipe(cmd, mode) + return self.popen_pipe + + def test_default(self): + browser = webbrowser.get() + assert isinstance(browser, webbrowser.MacOSXOSAScript) + self.assertEqual(browser.name, "default") + + def test_default_open(self): + url = "https://python.org" + self.browser.open(url) + self.assertTrue(self.popen_pipe._closed) + self.assertEqual(self.popen_pipe.cmd, "osascript") + script = self.popen_pipe.pipe.getvalue() + self.assertEqual(script.strip(), f'open location "{url}"') + + def test_url_quote(self): + self.browser.open('https://python.org/"quote"') + script = self.popen_pipe.pipe.getvalue() + self.assertEqual( + script.strip(), 'open location "https://python.org/%22quote%22"' + ) + + def test_explicit_browser(self): + browser = webbrowser.MacOSXOSAScript("safari") + browser.open("https://python.org") + script = self.popen_pipe.pipe.getvalue() + self.assertIn('tell application "safari"', script) + self.assertIn('open location "https://python.org"', script) + + def test_reject_dash_prefixes(self): + with self.assertRaisesRegex( + ValueError, + r"^Invalid URL \(leading dash disallowed\): '--key=val http.*'$" + ): + self.browser.open(f"--key=val {URL}") + + class BrowserRegistrationTest(unittest.TestCase): def setUp(self): diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py index b7d4845c61b568..98904163c28c77 100755 --- a/Lib/webbrowser.py +++ b/Lib/webbrowser.py @@ -158,7 +158,7 @@ def open_new_tab(self, url): def _check_url(url): """Ensures that the URL is safe to pass to subprocesses as a parameter""" if url and url.lstrip().startswith("-"): - raise ValueError(f"Invalid URL: {url}") + raise ValueError(f"Invalid URL (leading dash disallowed): {url!r}") class GenericBrowser(BaseBrowser): diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst index 0f27eae99a0dfd..c561023c3c2d7a 100644 --- a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst +++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst @@ -1 +1 @@ -Reject leading dashes in URLs passed to :func:`webbrowser.open` +Reject leading dashes in URLs passed to :func:`webbrowser.open`. From 0027ecd22cc8eea2bb9d72324cda2e70ffb0a84b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20Langa?= Date: Fri, 3 Apr 2026 22:39:57 +0200 Subject: [PATCH 2/2] Adapt backport to 3.10 --- Lib/test/test_webbrowser.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py index 108441e6186736..a3b31f169d72c6 100644 --- a/Lib/test/test_webbrowser.py +++ b/Lib/test/test_webbrowser.py @@ -246,7 +246,9 @@ class MacOSXOSAScriptTest(unittest.TestCase): def setUp(self): # Ensure that 'BROWSER' is not set to 'open' or something else. # See: https://github.com/python/cpython/issues/131254. - env = self.enterContext(os_helper.EnvironmentVarGuard()) + ctx = os_helper.EnvironmentVarGuard() + env = ctx.__enter__() + self.addCleanup(ctx.__exit__) env.unset("BROWSER") support.patch(self, os, "popen", self.mock_popen) @@ -259,7 +261,7 @@ def mock_popen(self, cmd, mode): def test_default(self): browser = webbrowser.get() assert isinstance(browser, webbrowser.MacOSXOSAScript) - self.assertEqual(browser.name, "default") + self.assertEqual(browser._name, "default") def test_default_open(self): url = "https://python.org"