gh-137586: Open web browser with absolute path

[fionn]

On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour.

Depending on one's environment or level of paranoia, this may be considered a security vulnerability.

• Issue: Use absolute paths when invoking built-in shell commands #137586

[python-cla-bot]

All commit authors signed the Contributor License Agreement.

[bedevere-app]

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

[bedevere-app]

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

[picnixz]

Please open an issue first.

[frenzymadness]

Could you please add a news entry and also fix the osascript invocation in Lib/turtledemo/__main__.py?

[fionn]

Yes, done. I wasn't sure if this was significant enough to warrant a news item.

[secengjeff]

#146439 takes a broader approach to this issue by replacing MacOSXOSAScript entirely with a new MacOSX class that uses /usr/bin/open via subprocess.run, rather than switching to /usr/bin/osascript. This eliminates the osascript dependency and the PATH-injection vector completely, and also addresses the related usability problem of webbrowser.open() failing silently on managed endpoints where osascript is blocked. It may be worth considering whether that PR supersedes this one.