gh-137586: Open external osascript program with absolute path (GH-137584)

Open web browser with absolute path

On macOS, web browsers are opened via popen calling osascript. However,
if a user has a colliding osascript executable earlier in their PATH,
this may fail or cause unwanted behaviour.

Depending on one's environment or level of paranoia, this may be considered a security vulnerability.

Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index ea161ea1a43ea5795c6483f7809a58ac50af808c..299dc185fcf21155d67c0a478c549d9d81bed64b 100644 (file)
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -351,7 +351,7 @@ class MacOSXOSAScriptTest(unittest.TestCase):
         url = "https://python.org"
         self.browser.open(url)
         self.assertTrue(self.popen_pipe._closed)
-        self.assertEqual(self.popen_pipe.cmd, "osascript")
+        self.assertEqual(self.popen_pipe.cmd, "/usr/bin/osascript")
         script = self.popen_pipe.pipe.getvalue()
         self.assertEqual(script.strip(), f'open location "{url}"')
 

diff --git a/Lib/turtledemo/__main__.py b/Lib/turtledemo/__main__.py
index b49c0beab3ccf7b5e8a609301ce684350a8b3b72..7c2d753f4c311132a957a9d7d852348dcb383b16 100644 (file)
--- a/Lib/turtledemo/__main__.py
+++ b/Lib/turtledemo/__main__.py
@@ -136,7 +136,7 @@ class DemoWindow(object):
             # so that our menu bar appears.
             subprocess.run(
                     [
-                        'osascript',
+                        '/usr/bin/osascript',
                         '-e', 'tell application "System Events"',
                         '-e', 'set frontmost of the first process whose '
                               'unix id is {} to true'.format(os.getpid()),

diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index deb6e64d17421b90d94cafe9796a8744e6fb7b60..0e0b5034e5f53d981ea95cf034a3a3c30e4ea735 100644 (file)
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -656,7 +656,7 @@ if sys.platform == 'darwin':
                    end
                    '''
 
-            osapipe = os.popen("osascript", "w")
+            osapipe = os.popen("/usr/bin/osascript", "w")
             if osapipe is None:
                 return False
 

diff --git a/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst b/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
new file mode 100644 (file)
index 0000000..8e42065
--- /dev/null
+++ b/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
@@ -0,0 +1 @@
+Invoke :program:`osascript` with absolute path in :mod:`webbrowser` and :mod:`!turtledemo`.