Skip to content

gh-143930: Reject leading dashes in webbrowser URLs#143931

Merged
sethmlarson merged 1 commit intopython:mainfrom
sethmlarson:reject-leading-dash-webbrowser-open
Mar 20, 2026
Merged

gh-143930: Reject leading dashes in webbrowser URLs#143931
sethmlarson merged 1 commit intopython:mainfrom
sethmlarson:reject-leading-dash-webbrowser-open

Conversation

@sethmlarson
Copy link
Contributor

@sethmlarson sethmlarson commented Jan 16, 2026
edited by bedevere-app bot
Loading

@sethmlarson sethmlarson requested a review from gpshead January 16, 2026 18:06
@sethmlarson sethmlarson added type-security A security issue needs backport to 3.10 only security fixes stdlib Standard Library Python modules in the Lib/ directory needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Jan 16, 2026
@bedevere-app bedevere-app bot mentioned this pull request Jan 16, 2026
Open
@Yhg1s
Copy link
Member

Yhg1s commented Jan 19, 2026

What about / or other common option prefixes?

@sethmlarson
Copy link
Contributor Author

sethmlarson commented Jan 19, 2026

@Yhg1s I'm concerned that there are use-cases for calling webbrowser.open() on paths, so we'd have to be more cautious in this case. Another option I suggested was to percent-encode spaces?

@gpshead
Copy link
Member

gpshead commented Jan 24, 2026

on windows a '/' prefix is typically a command line flag - does it actually work as an absolute current drive path on edge/chrome/firefox? to be a url for that it really should be "file://"

@sethmlarson
Copy link
Contributor Author

sethmlarson commented Mar 20, 2026

Yeah we currently support opening absolute paths via /index.html as a URL. Maybe we want to deprecate this in favor of forcing folks to use file:// but doing so here would result in breakages most likely. Let's move forward with only leading dashes for now.

@sethmlarson sethmlarson merged commit 82a24a4 into python:main Mar 20, 2026
67 checks passed
@miss-islington-app
Copy link

miss-islington-app bot commented Mar 20, 2026

Thanks @sethmlarson for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

@sethmlarson sethmlarson deleted the reject-leading-dash-webbrowser-open branch March 20, 2026 14:47
@miss-islington-app
Copy link

miss-islington-app bot commented Mar 20, 2026

Sorry, @sethmlarson, I could not cleanly backport this to 3.12 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 82a24a4442312bdcfc4c799885e8b3e00990f02b 3.12

@miss-islington-app
Copy link

miss-islington-app bot commented Mar 20, 2026

Sorry, @sethmlarson, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 82a24a4442312bdcfc4c799885e8b3e00990f02b 3.11

@miss-islington-app
Copy link

miss-islington-app bot commented Mar 20, 2026

Sorry, @sethmlarson, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 82a24a4442312bdcfc4c799885e8b3e00990f02b 3.10

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpshead gpshead gpshead approved these changes

Assignees

@sethmlarson sethmlarson

Labels

needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes stdlib Standard Library Python modules in the Lib/ directory type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sethmlarson @Yhg1s @gpshead