https://github.com/python/cpython/commit/a0c57a8d17eb0f5c4e620d83a13a47cf4d85e76f
commit: a0c57a8d17eb0f5c4e620d83a13a47cf4d85e76f
branch: main
author: Fionn <[email protected]>
committer: gpshead <[email protected]>
date: 2026-04-06T09:42:10-07:00
summary:

gh-137586: Open external osascript program with absolute path (GH-137584)

Open web browser with absolute path

On macOS, web browsers are opened via popen calling osascript. However,
if a user has a colliding osascript executable earlier in their PATH,
this may fail or cause unwanted behaviour.

Depending on one's environment or level of paranoia, this may be considered a 
security vulnerability.

Co-authored-by: Hugo van Kemenade <[email protected]>

files:
A Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
M Lib/test/test_webbrowser.py
M Lib/turtledemo/__main__.py
M Lib/webbrowser.py

diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index ea161ea1a43ea5..299dc185fcf211 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -351,7 +351,7 @@ def test_default_open(self):
         url = "https://python.org";
         self.browser.open(url)
         self.assertTrue(self.popen_pipe._closed)
-        self.assertEqual(self.popen_pipe.cmd, "osascript")
+        self.assertEqual(self.popen_pipe.cmd, "/usr/bin/osascript")
         script = self.popen_pipe.pipe.getvalue()
         self.assertEqual(script.strip(), f'open location "{url}"')
 
diff --git a/Lib/turtledemo/__main__.py b/Lib/turtledemo/__main__.py
index b49c0beab3ccf7..7c2d753f4c3111 100644
--- a/Lib/turtledemo/__main__.py
+++ b/Lib/turtledemo/__main__.py
@@ -136,7 +136,7 @@ def __init__(self, filename=None):
             # so that our menu bar appears.
             subprocess.run(
                     [
-                        'osascript',
+                        '/usr/bin/osascript',
                         '-e', 'tell application "System Events"',
                         '-e', 'set frontmost of the first process whose '
                               'unix id is {} to true'.format(os.getpid()),
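Review bot: The literal `'/usr/bin/osascript'` in the argv list has no comment saying why it is absolute, so a later cleanup could shorten it back to the bare name and reintroduce the PATH lookup. Add a line above the list such as `# Absolute path so a PATH entry cannot shadow osascript (gh-137586).`. The same applies to the `os.popen("/usr/bin/osascript", "w")` line in Lib/webbrowser.py. The subprocess.run call starts and ends outside what this hunk shows in full, so its other arguments were not reviewed.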
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index deb6e64d17421b..0e0b5034e5f53d 100644
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -656,7 +656,7 @@ def open(self, url, new=0, autoraise=True):
                    end
                    '''
 
-            osapipe = os.popen("osascript", "w")
+            osapipe = os.popen("/usr/bin/osascript", "w")
             if osapipe is None:
                 return False
 
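Review bot: `os.popen` still launches its command through a shell, so the new line `osapipe = os.popen("/usr/bin/osascript", "w")` removes the PATH lookup for osascript but keeps a shell in the launch path. The command string is a constant, so this is a hardening point rather than an injection issue. Running the binary directly, e.g. `subprocess.Popen(["/usr/bin/osascript"], stdin=subprocess.PIPE, text=True)`, would match the list-argv call in turtledemo. That would require adapting the write/close lines that follow, which are outside this hunk, and the popen mock in test_webbrowser.py. Separately, the `if osapipe is None` context line looks unreachable, since os.popen raises on failure rather than returning None.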
diff --git a/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst b/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
new file mode 100644
index 00000000000000..8e42065392a2de
--- /dev/null
+++ b/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
@@ -0,0 +1 @@
+Invoke :program:`osascript` with absolute path in :mod:`webbrowser` and :mod:`!turtledemo`.
