From nobody Thu Apr 16 21:38:40 2026
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Cc: Matthias Andree
From: Daniel Engberg
Subject: git: 965c6f73bbe0 - main - lang/python314: Fix incomplete mitigation of webbrowser.open()
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Sender: owner-dev-commits-ports-main@FreeBSD.org
X-Git-Committer: diizzy
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 965c6f73bbe0a9361fdd92952e3ac622736ebbb3
Date: Thu, 16 Apr 2026 21:38:40 +0000
Message-Id: <69e156e0.258b2.7af66b57@gitrepo.freebsd.org>

The branch main has been updated by diizzy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=965c6f73bbe0a9361fdd92952e3ac622736ebbb3

commit 965c6f73bbe0a9361fdd92952e3ac622736ebbb3
Author:     Matthias Andree
AuthorDate: 2026-04-13 23:00:40 +0000
Commit:     Daniel Engberg
CommitDate: 2026-04-16 21:38:32 +0000

    lang/python314: Fix incomplete mitigation of webbrowser.open()

    Cherry-pick fix to resolve Incomplete mitigation of CVE-2026-4519,
    %action expansion for command injection to webbrowser.open()

    Obtained from:  GitHub repo https://github.com/python/cpython/pull/148516
    Security:       CVE-2026-4786
                    cf75f572-378a-11f1-a119-e36228bfe7d4
---
 lang/python314/Makefile                            |  2 +-
 ...action_substitution-bypass-of-dash-prefix-check | 66 ++++++++++++++++++++++
 2 files changed, 67 insertions(+), 1 deletion(-)

diff --git a/lang/python314/Makefile b/lang/python314/Makefile
index ed0a5c6cb643..404a636e7cf6 100644
--- a/lang/python314/Makefile
+++ b/lang/python314/Makefile
@@ -1,6 +1,6 @@ PORTNAME= python DISTVERSION= ${PYTHON_DISTVERSION} # see Makefile.version -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= lang python MASTER_SITES= PYTHON/ftp/python/${DISTVERSION:C/[a-z].*//} PKGNAMESUFFIX= ${PYTHON_SUFFIX}
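Review bot: the PORTREVISION bump from 1 to 2 in this hunk is required, not optional, for a files/patch-* addition that changes the installed Lib/webbrowser.py: without it the package version would not change, pkg would not offer an upgrade, and binary-package users would keep the module with the incomplete CVE-2026-4519 mitigation.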
diff --git a/lang/python314/files/patch-gh-148169-fix-webbrowser-_action_substitution-bypass-of-dash-prefix-check b/lang/python314/files/patch-gh-148169-fix-webbrowser-_action_substitution-bypass-of-dash-prefix-check new file mode 100644 index 000000000000..5407326b750a --- /dev/null +++ b/lang/python314/files/patch-gh-148169-fix-webbrowser-_action_substitution-bypass-of-dash-prefix-check 
@@ -0,0 +1,66 @@ +From f529b9470752c28ab69c96f31b0dbc10db69b404 Mon Sep 17 00:00:00 2001 +From: Stan Ulbrych +Date: Mon, 13 Apr 2026 20:02:52 +0100 +Subject: [PATCH] gh-148169: Fix webbrowser `%action` substitution bypass of + dash-prefix check (GH-148170) (cherry picked from commit + d22922c8a7958353689dc4763dd72da2dea03fff) + +Co-authored-by: Stan Ulbrych +--- + Lib/test/test_webbrowser.py | 9 +++++++++ + Lib/webbrowser.py | 5 +++-- + .../2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst | 2 ++ + 3 files changed, 14 insertions(+), 2 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst + +diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py +index 404b3a31a5d2c9..bfbcf112b0b085 100644 +--- ./Lib/test/test_webbrowser.py ++++ b/Lib/test/test_webbrowser.py +@@ -119,6 +119,15 @@ def test_open_bad_new_parameter(self): + arguments=[URL], + kw=dict(new=999)) + ++ def test_reject_action_dash_prefixes(self): ++ browser = self.browser_class(name=CMD_NAME) ++ with self.assertRaises(ValueError): ++ browser.open('%action--incognito') ++ # new=1: action is "--new-window", so "%action" itself expands to ++ # a dash-prefixed flag even with no dash in the original URL. 
++ with self.assertRaises(ValueError): ++ browser.open('%action', new=1) ++ + + class EdgeCommandTest(CommandTestMixin, unittest.TestCase): + +diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py +index 0e0b5034e5f53d..97aad6eea509eb 100644 +--- ./Lib/webbrowser.py ++++ b/Lib/webbrowser.py +@@ -274,7 +274,6 @@ def _invoke(self, args, remote, autoraise, url=None): + + def open(self, url, new=0, autoraise=True): + sys.audit("webbrowser.open", url) +- self._check_url(url) + if new == 0: + action = self.remote_action + elif new == 1: +@@ -288,7 +287,9 @@ def open(self, url, new=0, autoraise=True): + raise Error("Bad 'new' parameter to open(); " + f"expected 0, 1, or 2, got {new}") + +- args = [arg.replace("%s", url).replace("%action", action) ++ self._check_url(url.replace("%action", action)) ++ ++ args = [arg.replace("%action", action).replace("%s", url) + for arg in self.remote_args] + args = [arg for arg in args if arg] + success = self._invoke(args, True, autoraise, url) +diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst +new file mode 100644 +index 00000000000000..45cdeebe1b6d64 +--- /dev/null ++++ ./Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst +@@ -0,0 +1,2 @@ ++A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass ++the dash-prefix safety check.
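Review bot: test_reject_action_dash_prefixes in the Lib/test/test_webbrowser.py hunk only exercises URLs whose first characters are the `%action` token, so it pins the rejection path but not the substitution-order change that the second Lib/webbrowser.py hunk introduces. A third assertion that a legitimate URL merely containing the substring (for example a query value of `%action`) still opens and now reaches the browser unexpanded would guard both halves of the fix against a later regression. Both existing assertions also depend on `_check_url` raising ValueError for a dash-prefixed string; that method's body is not part of this patch, so the expectation rests on the behaviour the NEWS entry describes rather than on anything visible here.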
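Review bot: dropping `self._check_url(url)` in the first Lib/webbrowser.py hunk is only safe because the second hunk reinstates the check after the `new` dispatch, where `action` is available; the two hunks must always travel together, as they do in this patch. Two visible consequences are worth a line in the commit message: `sys.audit("webbrowser.open", url)` still fires before any validation, so audit hooks keep receiving the raw, unexpanded URL (the right input for detection), and a call that supplies both an invalid `new` and a dash-prefixed URL now raises `Error` for `new` before it would raise ValueError for the URL, which changes which exception a caller sees first.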
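Review bot: the new check `self._check_url(url.replace("%action", action))` in the second Lib/webbrowser.py hunk validates the form the old substitution order would have produced, but the reordered `arg.replace("%action", action).replace("%s", url)` splices the URL in last, so a URL is no longer `%action`-expanded at all and the check is now deliberately stricter than the substitution (a URL of exactly `%action` with new=1 would reach the browser literally, yet is still rejected, as the new test expects). That is a reasonable belt-and-braces choice after an incomplete first fix, but a one-line comment saying so would stop a future cleanup from "simplifying" it back to `_check_url(url)` and reopening the gap. The substitution-order change is what actually closes the class of bug, since attacker-controlled text can no longer feed a later placeholder expansion; the check is the backstop.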
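To make the ordering point concrete, here is an added stand-alone model of the template expansion in webbrowser.open(); it is not CPython's code and not part of this commit. REMOTE_ARGS, the ACTIONS table and check_url are assumptions standing in for a browser class's remote_args, its remote_action attributes and _check_url, none of whose bodies this patch shows; the only things taken from the hunks are the two str.replace orders (before and after the fix) and the "--new-window" action that the test comment names for new=1.

```python
"""Model of the webbrowser.open() '%action' substitution, before and after the fix.

Added illustration, not CPython's code. The browser template, the action
strings and the dash-prefix check below are assumptions made for the demo.
"""
from typing import Callable, List, Optional

# Assumed template: one placeholder for the remote action, one for the URL.
REMOTE_ARGS = ["%action", "%s"]
# Assumed action strings; "--new-window" for new=1 matches the test comment,
# the empty string for new=0 models a browser whose remote_action is "".
ACTIONS = {0: "", 1: "--new-window", 2: "--new-tab"}


def lookup_action(new: int) -> str:
    """Map the 'new' argument to an action string (CPython raises Error here)."""
    if new not in ACTIONS:
        raise ValueError(f"expected 0, 1, or 2, got {new}")
    return ACTIONS[new]


def check_url(url: str) -> None:
    """Assumed dash-prefix check: refuse anything argv parsing would treat as a flag."""
    if url.startswith("-"):
        raise ValueError(f"URL must not start with '-': {url!r}")


def build_args_before(url: str, new: int = 0) -> List[str]:
    """Pre-fix order: check the raw url, splice it in via %s, then expand %action.

    Because %action is expanded after the url is already inside the argument,
    a url that merely contains '%action' is rewritten too, and the check
    never saw that expanded form.
    """
    check_url(url)
    action = lookup_action(new)
    args = [arg.replace("%s", url).replace("%action", action) for arg in REMOTE_ARGS]
    return [arg for arg in args if arg]


def build_args_after(url: str, new: int = 0) -> List[str]:
    """Fixed order: check the expanded form, expand %action first, splice url last.

    With %s substituted last, user-controlled text is never subject to a
    later placeholder expansion; the check on the expanded form is a backstop.
    """
    action = lookup_action(new)
    check_url(url.replace("%action", action))
    args = [arg.replace("%action", action).replace("%s", url) for arg in REMOTE_ARGS]
    return [arg for arg in args if arg]


def first_dash_arg(args: List[str]) -> Optional[str]:
    """Return the first argv element a browser would parse as a flag, if any."""
    for arg in args:
        if arg.startswith("-"):
            return arg
    return None


def is_rejected(builder: Callable[[str, int], List[str]], url: str, new: int = 0) -> bool:
    """True if the builder refuses the url with ValueError instead of building argv."""
    try:
        builder(url, new)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the bypass string from the new test, the bare token
    # with new=1, and a benign URL that happens to contain the substring.
    for url, new in [("%action--incognito", 0), ("%action", 1),
                     ("https://example.com/?q=%action", 1)]:
        for name, builder in [("before", build_args_before), ("after", build_args_after)]:
            if is_rejected(builder, url, new):
                print(f"{name:6} {url!r:36} new={new}: rejected")
            else:
                print(f"{name:6} {url!r:36} new={new}: argv={builder(url, new)}")
```

Running the file prints the argv each order produces: the pre-fix order turns `%action--incognito` into a bare `--incognito` flag and silently rewrites the benign query value, while the fixed order rejects the first two inputs and passes the benign URL through with its `%action` substring intact.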