Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python310 for openSUSE:Factory checked in at 2026-04-01 19:51:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python310 (Old) and /work/SRC/openSUSE:Factory/.python310.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python310" Wed Apr 1 19:51:33 2026 rev:74 rq:1343945 version:3.10.20 Changes: -------- --- /work/SRC/openSUSE:Factory/python310/python310.changes 2026-03-22 14:12:53.799146045 +0100 +++ /work/SRC/openSUSE:Factory/.python310.new.21863/python310.changes 2026-04-01 19:52:35.458021083 +0200 @@ -1,0 +2,28 @@ +Fri Mar 27 17:51:07 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject + leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519, + gh#python/cpython#143930). + +------------------------------------------------------------------- +Wed Mar 25 16:40:18 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2025-13462-tarinfo-header-parse.patch which skips + TarInfo DIRTYPE normalization during GNU long name handling + (bsc#1259611, CVE-2025-13462). + +------------------------------------------------------------------- +Mon Mar 23 22:16:01 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding + unbound C recursion in conv_content_model in pyexpat.c + (bsc#1259735, CVE-2026-4224). + +------------------------------------------------------------------- +Mon Mar 23 17:15:50 UTC 2026 - Matej Cepl <[email protected]> + +- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject + control characters in http.cookies.Morsel.update() and + http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644). + +------------------------------------------------------------------- New: ---- CVE-2025-13462-tarinfo-header-parse.patch CVE-2026-3644-cookies-Morsel-update-II.patch CVE-2026-4224-expat-unbound-C-recursion.patch CVE-2026-4519-webbrowser-open-dashes.patch ----------(New B)---------- New: - Add CVE-2025-13462-tarinfo-header-parse.patch which skips TarInfo DIRTYPE normalization during GNU long name handling New: - Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject control characters in http.cookies.Morsel.update() and New: - Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding unbound C recursion in conv_content_model in pyexpat.c New: - Add CVE-2026-4519-webbrowser-open-dashes.patch to reject leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519, ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python310.spec ++++++ --- /var/tmp/diff_new_pack.POxaDd/_old 2026-04-01 19:52:37.506106198 +0200 +++ /var/tmp/diff_new_pack.POxaDd/_new 2026-04-01 19:52:37.510106364 +0200 @@ -215,6 +215,18 @@ # PATCH-FIX-UPSTREAM CVE-2026-2297-SourcelessFileLoader-io_open_code.patch bsc#1259240 [email protected] # Ensure SourcelessFileLoader uses io.open_code Patch41: CVE-2026-2297-SourcelessFileLoader-io_open_code.patch +# PATCH-FIX-UPSTREAM CVE-2026-3644-cookies-Morsel-update-II.patch bsc#1259734 [email protected] +# Reject control characters in http.cookies.Morsel.update() and http.cookies.BaseCookie.js_output +Patch42: CVE-2026-3644-cookies-Morsel-update-II.patch +# PATCH-FIX-UPSTREAM CVE-2026-4224-expat-unbound-C-recursion.patch bsc#1259735 [email protected] +# Avoid unbound C recursion in conv_content_model +Patch43: CVE-2026-4224-expat-unbound-C-recursion.patch +# PATCH-FIX-UPSTREAM CVE-2025-13462-tarinfo-header-parse.patch bsc#1259611 [email protected] +# Skip TarInfo DIRTYPE normalization during GNU long name handling +Patch44: CVE-2025-13462-tarinfo-header-parse.patch +# PATCH-FIX-UPSTREAM CVE-2026-4519-webbrowser-open-dashes.patch bsc#1260026 [email protected] +# reject leading dashes in webbrowser URLs +Patch45: CVE-2026-4519-webbrowser-open-dashes.patch ### END OF PATCHES BuildRequires: autoconf-archive BuildRequires: automake ++++++ CVE-2025-13462-tarinfo-header-parse.patch ++++++ >From 861656d8c21d329366e50c5081500d5941ebf566 Mon Sep 17 00:00:00 2001 From: Eashwar Ranganathan <[email protected]> Date: Tue, 18 Nov 2025 06:12:40 -0500 Subject: [PATCH] gh-141707: Skip TarInfo DIRTYPE normalization during GNU long name handling --- Lib/tarfile.py | 29 ++++++++-- Lib/test/test_tarfile.py | 19 ++++++ Misc/ACKS | 1 Misc/NEWS.d/next/Library/2025-11-18-06-35-53.gh-issue-141707.DBmQIy.rst | 2 4 files changed, 47 insertions(+), 4 deletions(-) create mode 100644 Misc/NEWS.d/next/Library/2025-11-18-06-35-53.gh-issue-141707.DBmQIy.rst Index: Python-3.10.20/Lib/tarfile.py =================================================================== --- Python-3.10.20.orig/Lib/tarfile.py 2026-03-26 14:16:08.336185235 +0100 +++ Python-3.10.20/Lib/tarfile.py 2026-03-26 14:16:15.535972192 +0100 @@ -1243,6 +1243,20 @@ @classmethod def frombuf(cls, buf, encoding, errors): """Construct a TarInfo object from a 512 byte bytes object. + + To support the old v7 tar format AREGTYPE headers are + transformed to DIRTYPE headers if their name ends in '/'. + """ + return cls._frombuf(buf, encoding, errors) + + @classmethod + def _frombuf(cls, buf, encoding, errors, *, dircheck=True): + """Construct a TarInfo object from a 512 byte bytes object. + + If ``dircheck`` is set to ``True`` then ``AREGTYPE`` headers will + be normalized to ``DIRTYPE`` if the name ends in a trailing slash. + ``dircheck`` must be set to ``False`` if this function is called + on a follow-up header such as ``GNUTYPE_LONGNAME``. """ if len(buf) == 0: raise EmptyHeaderError("empty header") @@ -1273,7 +1287,7 @@ # Old V7 tar format represents a directory as a regular # file with a trailing slash. - if obj.type == AREGTYPE and obj.name.endswith("/"): + if dircheck and obj.type == AREGTYPE and obj.name.endswith("/"): obj.type = DIRTYPE # The old GNU sparse format occupies some of the unused @@ -1308,8 +1322,15 @@ """Return the next TarInfo object from TarFile object tarfile. """ + return cls._fromtarfile(tarfile) + + @classmethod + def _fromtarfile(cls, tarfile, *, dircheck=True): + """ + See dircheck documentation in _frombuf(). + """ buf = tarfile.fileobj.read(BLOCKSIZE) - obj = cls.frombuf(buf, tarfile.encoding, tarfile.errors) + obj = cls._frombuf(buf, tarfile.encoding, tarfile.errors, dircheck=dircheck) obj.offset = tarfile.fileobj.tell() - BLOCKSIZE return obj._proc_member(tarfile) @@ -1367,7 +1388,7 @@ # Fetch the next header and process it. try: - next = self.fromtarfile(tarfile) + next = self._fromtarfile(tarfile, dircheck=False) except HeaderError as e: raise SubsequentHeaderError(str(e)) from None @@ -1502,7 +1523,7 @@ # Fetch the next header. try: - next = self.fromtarfile(tarfile) + next = self._fromtarfile(tarfile, dircheck=False) except HeaderError as e: raise SubsequentHeaderError(str(e)) from None Index: Python-3.10.20/Lib/test/test_tarfile.py =================================================================== --- Python-3.10.20.orig/Lib/test/test_tarfile.py 2026-03-26 14:16:09.736337739 +0100 +++ Python-3.10.20/Lib/test/test_tarfile.py 2026-03-26 14:16:15.537649922 +0100 @@ -1037,6 +1037,25 @@ self.assertIsNotNone(tar.getmember(longdir)) self.assertIsNotNone(tar.getmember(longdir.removesuffix('/'))) + def test_longname_file_not_directory(self): + # Test reading a longname file and ensure it is not handled as a directory + # Issue #141707 + buf = io.BytesIO() + with tarfile.open(mode='w', fileobj=buf, format=self.format) as tar: + ti = tarfile.TarInfo() + ti.type = tarfile.AREGTYPE + ti.name = ('a' * 99) + '/' + ('b' * 3) + tar.addfile(ti) + + expected = {t.name: t.type for t in tar.getmembers()} + + buf.seek(0) + with tarfile.open(mode='r', fileobj=buf) as tar: + actual = {t.name: t.type for t in tar.getmembers()} + + self.assertEqual(expected, actual) + + class GNUReadTest(LongnameTest, ReadTest, unittest.TestCase): subdir = "gnu" Index: Python-3.10.20/Misc/ACKS =================================================================== --- Python-3.10.20.orig/Misc/ACKS 2026-03-03 01:49:35.000000000 +0100 +++ Python-3.10.20/Misc/ACKS 2026-03-26 14:16:15.538303682 +0100 @@ -1440,6 +1440,7 @@ Ashwin Ramaswami Jeff Ramnani Bayard Randel +Eashwar Ranganathan Varpu Rantala Brodie Rao Rémi Rampin Index: Python-3.10.20/Misc/NEWS.d/next/Library/2025-11-18-06-35-53.gh-issue-141707.DBmQIy.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.10.20/Misc/NEWS.d/next/Library/2025-11-18-06-35-53.gh-issue-141707.DBmQIy.rst 2026-03-26 14:16:15.538579401 +0100 @@ -0,0 +1,2 @@ +Don't change :class:`tarfile.TarInfo` type from ``AREGTYPE`` to ``DIRTYPE`` when parsing +GNU long name or link headers. ++++++ CVE-2026-3644-cookies-Morsel-update-II.patch ++++++ >From d46a4974216debdd3566b4594e7d02a4370202a7 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych <[email protected]> Date: Mon, 16 Mar 2026 13:43:43 +0000 Subject: [PATCH 1/2] gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (#145600) Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`. Co-authored-by: Victor Stinner <[email protected]> Co-authored-by: Victor Stinner <[email protected]> (cherry picked from commit 57e88c1cf95e1481b94ae57abe1010469d47a6b4) --- Lib/http/cookies.py | 24 +++++- Lib/test/test_http_cookies.py | 39 ++++++++++ Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst | 4 + 3 files changed, 63 insertions(+), 4 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst Index: Python-3.10.20/Lib/http/cookies.py =================================================================== --- Python-3.10.20.orig/Lib/http/cookies.py 2026-03-23 18:39:09.992410224 +0100 +++ Python-3.10.20/Lib/http/cookies.py 2026-03-23 18:39:15.352315697 +0100 @@ -335,9 +335,16 @@ key = key.lower() if key not in self._reserved: raise CookieError("Invalid attribute %r" % (key,)) + if _has_control_character(key, val): + raise CookieError("Control characters are not allowed in " + f"cookies {key!r} {val!r}") data[key] = val dict.update(self, data) + def __ior__(self, values): + self.update(values) + return self + def isReservedKey(self, K): return K.lower() in self._reserved @@ -363,9 +370,15 @@ } def __setstate__(self, state): - self._key = state['key'] - self._value = state['value'] - self._coded_value = state['coded_value'] + key = state['key'] + value = state['value'] + coded_value = state['coded_value'] + if _has_control_character(key, value, coded_value): + raise CookieError("Control characters are not allowed in cookies " + f"{key!r} {value!r} {coded_value!r}") + self._key = key + self._value = value + self._coded_value = coded_value def output(self, attrs=None, header="Set-Cookie:"): return "%s %s" % (header, self.OutputString(attrs)) @@ -377,13 +390,16 @@ def js_output(self, attrs=None): # Print javascript + output_string = self.OutputString(attrs) + if _has_control_character(output_string): + raise CookieError("Control characters are not allowed in cookies") return """ <script type="text/javascript"> <!-- begin hiding document.cookie = \"%s\"; // end hiding --> </script> - """ % (self.OutputString(attrs).replace('"', r'\"')) + """ % (output_string.replace('"', r'\"')) def OutputString(self, attrs=None): # Build up our result Index: Python-3.10.20/Lib/test/test_http_cookies.py =================================================================== --- Python-3.10.20.orig/Lib/test/test_http_cookies.py 2026-03-23 18:39:11.756654108 +0100 +++ Python-3.10.20/Lib/test/test_http_cookies.py 2026-03-23 18:39:15.352545790 +0100 @@ -527,6 +527,14 @@ with self.assertRaises(cookies.CookieError): morsel["path"] = c0 + # .__setstate__() + with self.assertRaises(cookies.CookieError): + morsel.__setstate__({'key': c0, 'value': 'val', 'coded_value': 'coded'}) + with self.assertRaises(cookies.CookieError): + morsel.__setstate__({'key': 'key', 'value': c0, 'coded_value': 'coded'}) + with self.assertRaises(cookies.CookieError): + morsel.__setstate__({'key': 'key', 'value': 'val', 'coded_value': c0}) + # .setdefault() with self.assertRaises(cookies.CookieError): morsel.setdefault("path", c0) @@ -541,6 +549,18 @@ with self.assertRaises(cookies.CookieError): morsel.set("path", "val", c0) + # .update() + with self.assertRaises(cookies.CookieError): + morsel.update({"path": c0}) + with self.assertRaises(cookies.CookieError): + morsel.update({c0: "val"}) + + # .__ior__() + with self.assertRaises(cookies.CookieError): + morsel |= {"path": c0} + with self.assertRaises(cookies.CookieError): + morsel |= {c0: "val"} + def test_control_characters_output(self): # Tests that even if the internals of Morsel are modified # that a call to .output() has control character safeguards. @@ -561,6 +581,25 @@ with self.assertRaises(cookies.CookieError): cookie.output() + # Tests that .js_output() also has control character safeguards. + for c0 in support.control_characters_c0(): + morsel = cookies.Morsel() + morsel.set("key", "value", "coded-value") + morsel._key = c0 # Override private variable. + cookie = cookies.SimpleCookie() + cookie["cookie"] = morsel + with self.assertRaises(cookies.CookieError): + cookie.js_output() + + morsel = cookies.Morsel() + morsel.set("key", "value", "coded-value") + morsel._coded_value = c0 # Override private variable. + cookie = cookies.SimpleCookie() + cookie["cookie"] = morsel + with self.assertRaises(cookies.CookieError): + cookie.js_output() + + def test_main(): run_unittest(CookieTests, MorselTests) run_doctest(cookies) Index: Python-3.10.20/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.10.20/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst 2026-03-23 18:39:15.353179836 +0100 @@ -0,0 +1,4 @@ +Reject control characters in :class:`http.cookies.Morsel` +:meth:`~http.cookies.Morsel.update` and +:meth:`~http.cookies.BaseCookie.js_output`. +This addresses `CVE-2026-3644 <https://www.cve.org/CVERecord?id=CVE-2026-3644>`_. ++++++ CVE-2026-4224-expat-unbound-C-recursion.patch ++++++ >From 0c50fa41c639b7523f9a09f48928c72ea1f0bbcc Mon Sep 17 00:00:00 2001 From: Stan Ulbrych <[email protected]> Date: Sun, 15 Mar 2026 21:46:06 +0000 Subject: [PATCH 1/2] [3.10] gh-145986: Avoid unbound C recursion in `conv_content_model` in `pyexpat.c` (CVE 2026-4224) (GH-145987) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix C stack overflow (CVE-2026-4224) when an Expat parser with a registered `ElementDeclHandler` parses inline DTD containing deeply nested content model. --------- (cherry picked from commit eb0e8be3a7e11b87d198a2c3af1ed0eccf532768) (cherry picked from commit e5caf45faac74b0ed869e3336420cffd3510ce6e) Co-authored-by: Stan Ulbrych <[email protected]> Co-authored-by: Bénédikt Tran <[email protected]> --- Lib/test/test_pyexpat.py | 20 +++++++++- Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst | 4 ++ Modules/pyexpat.c | 8 +++- 3 files changed, 30 insertions(+), 2 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst Index: Python-3.10.20/Lib/test/test_pyexpat.py =================================================================== --- Python-3.10.20.orig/Lib/test/test_pyexpat.py 2026-03-24 09:45:50.042220049 +0100 +++ Python-3.10.20/Lib/test/test_pyexpat.py 2026-03-24 09:45:50.175714430 +0100 @@ -16,7 +16,7 @@ from xml.parsers import expat from xml.parsers.expat import errors -from test.support import import_helper +from test.support import import_helper, infinite_recursion from test.support import sortdict @@ -648,6 +648,24 @@ parser.Parse(xml2, True) self.assertEqual(self.n, 4) +class ElementDeclHandlerTest(unittest.TestCase): + def test_deeply_nested_content_model(self): + # This should raise a RecursionError and not crash. + # See https://github.com/python/cpython/issues/145986. + N = 500_000 + data = ( + b'<!DOCTYPE root [\n<!ELEMENT root ' + + b'(a, ' * N + b'a' + b')' * N + + b'>\n]>\n<root/>\n' + ) + + parser = expat.ParserCreate() + parser.ElementDeclHandler = lambda _1, _2: None + with infinite_recursion(): + with self.assertRaises(RecursionError): + parser.Parse(data) + + class MalformedInputTest(unittest.TestCase): def test1(self): xml = b"\0\r\n" Index: Python-3.10.20/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.10.20/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst 2026-03-24 09:45:50.176635968 +0100 @@ -0,0 +1,4 @@ +:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when +converting deeply nested XML content models with +:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`. +This addresses `CVE-2026-4224 <https://www.cve.org/CVERecord?id=CVE-2026-4224>`_. Index: Python-3.10.20/Modules/pyexpat.c =================================================================== --- Python-3.10.20.orig/Modules/pyexpat.c 2026-03-03 01:49:35.000000000 +0100 +++ Python-3.10.20/Modules/pyexpat.c 2026-03-24 09:45:50.176398300 +0100 @@ -574,6 +574,10 @@ conv_content_model(XML_Content * const model, PyObject *(*conv_string)(const XML_Char *)) { + if (Py_EnterRecursiveCall(" in conv_content_model")) { + return NULL; + } + PyObject *result = NULL; PyObject *children = PyTuple_New(model->numchildren); int i; @@ -585,7 +589,7 @@ conv_string); if (child == NULL) { Py_XDECREF(children); - return NULL; + goto done; } PyTuple_SET_ITEM(children, i, child); } @@ -593,6 +597,8 @@ model->type, model->quant, conv_string,model->name, children); } +done: + Py_LeaveRecursiveCall(); return result; } ++++++ CVE-2026-4519-webbrowser-open-dashes.patch ++++++ >From c84b32da52f2e1fb12d155eb14343ea1eac7baf1 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson <[email protected]> Date: Fri, 20 Mar 2026 09:47:13 -0500 Subject: [PATCH] [3.10] gh-143930: Reject leading dashes in webbrowser URLs (cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b) Co-authored-by: Seth Michael Larson <[email protected]> --- Lib/test/test_webbrowser.py | 5 +++ Lib/webbrowser.py | 14 ++++++++++ Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst | 1 3 files changed, 20 insertions(+) create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst Index: Python-3.10.20/Lib/test/test_webbrowser.py =================================================================== --- Python-3.10.20.orig/Lib/test/test_webbrowser.py 2026-03-27 20:15:33.400626413 +0100 +++ Python-3.10.20/Lib/test/test_webbrowser.py 2026-03-27 20:15:36.296005941 +0100 @@ -57,6 +57,11 @@ options=[], arguments=[URL]) + def test_reject_dash_prefixes(self): + browser = self.browser_class(name=CMD_NAME) + with self.assertRaises(ValueError): + browser.open(f"--key=val {URL}") + class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase): Index: Python-3.10.20/Lib/webbrowser.py =================================================================== --- Python-3.10.20.orig/Lib/webbrowser.py 2026-03-27 20:15:33.850491032 +0100 +++ Python-3.10.20/Lib/webbrowser.py 2026-03-27 20:15:36.296202151 +0100 @@ -153,6 +153,12 @@ def open_new_tab(self, url): return self.open(url, 2) + @staticmethod + def _check_url(url): + """Ensures that the URL is safe to pass to subprocesses as a parameter""" + if url and url.lstrip().startswith("-"): + raise ValueError(f"Invalid URL: {url}") + class GenericBrowser(BaseBrowser): """Class for all browsers started with a command @@ -170,6 +176,7 @@ def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) cmdline = [self.name] + [arg.replace("%s", url) for arg in self.args] try: @@ -190,6 +197,7 @@ cmdline = [self.name] + [arg.replace("%s", url) for arg in self.args] sys.audit("webbrowser.open", url) + self._check_url(url) try: if sys.platform[:3] == 'win': p = subprocess.Popen(cmdline) @@ -255,6 +263,7 @@ def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) if new == 0: action = self.remote_action elif new == 1: @@ -356,6 +365,7 @@ def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) # XXX Currently I know no way to prevent KFM from opening a new win. if new == 2: action = "newTab" @@ -440,6 +450,7 @@ def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) if new: ok = self._remote("LOADNEW " + url) else: @@ -602,6 +613,7 @@ class WindowsDefault(BaseBrowser): def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) try: os.startfile(url) except OSError: @@ -632,6 +644,7 @@ def open(self, url, new=0, autoraise=True): sys.audit("webbrowser.open", url) + self._check_url(url) assert "'" not in url # hack for local urls if not ':' in url: @@ -669,6 +682,7 @@ self._name = name def open(self, url, new=0, autoraise=True): + self._check_url(url) if self._name == 'default': script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser else: Index: Python-3.10.20/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ Python-3.10.20/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst 2026-03-27 20:15:36.296497608 +0100 @@ -0,0 +1 @@ +Reject leading dashes in URLs passed to :func:`webbrowser.open` ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.POxaDd/_old 2026-04-01 19:52:37.978125803 +0200 +++ /var/tmp/diff_new_pack.POxaDd/_new 2026-04-01 19:52:37.990126302 +0200 @@ -1,6 +1,6 @@ -mtime: 1773847372 -commit: 22234fcccd2d3959f01902c5a089736702587658965ac9d3b6aa2bdf157298a3 +mtime: 1774638947 +commit: 36c3b23be58827bfbbc3b6dacd0e2a5dd034e5c835af0646372fcd3eedfd16ec url: https://src.opensuse.org/python-interpreters/python310.git -revision: 22234fcccd2d3959f01902c5a089736702587658965ac9d3b6aa2bdf157298a3 +revision: 36c3b23be58827bfbbc3b6dacd0e2a5dd034e5c835af0646372fcd3eedfd16ec projectscmsync: https://src.opensuse.org/python-interpreters/_ObsPrj ++++++ build.specials.obscpio ++++++ --- old/.gitignore 2026-03-18 16:23:58.000000000 +0100 +++ new/.gitignore 2026-03-27 20:16:13.000000000 +0100 @@ -3,6 +3,5 @@ *.osc _build.* .pbuild -*.orig *.rej python310-*-build/ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-03-27 20:16:13.000000000 +0100 @@ -0,0 +1,7 @@ +.osc +*.obscpio +*.osc +_build.* +.pbuild +*.rej +python310-*-build/
