From a0c57a8d17eb0f5c4e620d83a13a47cf4d85e76f Mon Sep 17 00:00:00 2001
From: Fionn <1897918+fionn@users.noreply.github.com>
Date: Tue, 7 Apr 2026 00:42:10 +0800
Subject: [PATCH] gh-137586: Open external osascript program with absolute path (GH-137584)
Open web browser with absolute path On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability.
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
---
 Lib/test/test_webbrowser.py | 2 +-
 Lib/turtledemo/__main__.py | 2 +-
 Lib/webbrowser.py | 2 +-
 .../next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst | 1 +
 4 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index ea161ea1a43e..299dc185fcf2 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -351,7 +351,7 @@ class MacOSXOSAScriptTest(unittest.TestCase):
 url = "https://python.org"
 self.browser.open(url)
 self.assertTrue(self.popen_pipe._closed)
- self.assertEqual(self.popen_pipe.cmd, "osascript")
+ self.assertEqual(self.popen_pipe.cmd, "/usr/bin/osascript")
 script = self.popen_pipe.pipe.getvalue()
 self.assertEqual(script.strip(), f'open location "{url}"')
diff --git a/Lib/turtledemo/__main__.py b/Lib/turtledemo/__main__.py
index b49c0beab3cc..7c2d753f4c31 100644
--- a/Lib/turtledemo/__main__.py
+++ b/Lib/turtledemo/__main__.py
@@ -136,7 +136,7 @@ class DemoWindow(object):
 # so that our menu bar appears.
 subprocess.run(
 [
- 'osascript',
+ '/usr/bin/osascript',
 '-e', 'tell application "System Events"',
 '-e', 'set frontmost of the first process whose '
 'unix id is {} to true'.format(os.getpid()),
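Review bot: The `'/usr/bin/osascript'` literal in the Lib/turtledemo/__main__.py hunk carries no comment saying why the path is absolute, so a later cleanup could shorten it back to the bare name and reopen the PATH lookup this patch closes. I would extend the existing comment above `subprocess.run(` with a line such as `# Absolute path: a bare "osascript" would be resolved through the user's PATH.` The same applies to the `os.popen("/usr/bin/osascript", "w")` line in the Lib/webbrowser.py hunk. The `subprocess.run` call continues past the end of the hunk, so its remaining arguments are not visible here.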
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index deb6e64d1742..0e0b5034e5f5 100644
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -656,7 +656,7 @@ if sys.platform == 'darwin':
 end
 '''
- osapipe = os.popen("osascript", "w")
+ osapipe = os.popen("/usr/bin/osascript", "w")
 if osapipe is None:
 return False
diff --git a/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst b/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
new file mode 100644
index 000000000000..8e42065392a2
--- /dev/null
+++ b/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
@@ -0,0 +1 @@
+Invoke :program:`osascript` with absolute path in :mod:`webbrowser` and :mod:`!turtledemo`.
--
2.47.3
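Review bot: In the Lib/webbrowser.py hunk the new `os.popen("/usr/bin/osascript", "w")` line still starts the program through a shell, because `os.popen` hands its command string to one; the change pins the osascript binary but keeps the shell step. The turtledemo call in this patch passes an argument list instead, and the same form should work here, e.g. `osapipe = subprocess.Popen(["/usr/bin/osascript"], stdin=subprocess.PIPE, text=True)` with the later writes going to `osapipe.stdin`. The code that writes to and closes the pipe is outside the hunk, so the follow-up edits need checking against the full function. The context line `if osapipe is None:` also looks unreachable, since `os.popen` raises on failure rather than returning None.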