From 2ef22897cefde85ba010e587820bb758804543da Mon Sep 17 00:00:00 2001
From: Fionn Fitzmaurice
Date: Sat, 9 Aug 2025 16:37:31 +0800
Subject: [PATCH 1/3] Open web browser with absolute path
On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability.
---
 Lib/test/test_webbrowser.py | 2 +-
 Lib/webbrowser.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index 6b577ae100e419..837c7ca5180466 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -343,7 +343,7 @@ def test_default_open(self):
 url = "https://python.org"
 self.browser.open(url)
 self.assertTrue(self.popen_pipe._closed)
- self.assertEqual(self.popen_pipe.cmd, "osascript")
+ self.assertEqual(self.popen_pipe.cmd, "/usr/bin/osascript")
 script = self.popen_pipe.pipe.getvalue()
 self.assertEqual(script.strip(), f'open location "{url}"')
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index f2e2394089d5a1..90a3f22a5a9c9b 100644
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -644,7 +644,7 @@ def open(self, url, new=0, autoraise=True):
 end
 '''
- osapipe = os.popen("osascript", "w")
+ osapipe = os.popen("/usr/bin/osascript", "w")
 if osapipe is None:
 return False
From 882f3d6e5e9b83dd7b6f9cd5cc05649d5fa93cf8 Mon Sep 17 00:00:00 2001
From: Fionn Fitzmaurice
Date: Fri, 17 Oct 2025 00:58:54 +0800
Subject: [PATCH 2/3] Invoke osascript with absolute path in turtledemo
---
 Lib/turtledemo/__main__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/turtledemo/__main__.py b/Lib/turtledemo/__main__.py
index b49c0beab3ccf7..7c2d753f4c3111 100644
--- a/Lib/turtledemo/__main__.py
+++ b/Lib/turtledemo/__main__.py
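Review bot: In Lib/webbrowser.py the new `os.popen("/usr/bin/osascript", "w")` still passes the command string to a shell, so the absolute path removes the PATH lookup for osascript but keeps the shell hop. Because the command takes no arguments, `subprocess.Popen(["/usr/bin/osascript"], stdin=subprocess.PIPE, text=True)` with the script written to its `stdin` would start the binary directly; whether `subprocess` is already imported in that module is not visible in this hunk. The `if osapipe is None` context line also cannot detect a missing `/usr/bin/osascript`, since `os.popen` does not return `None`; a failed launch would only show in the exit status from `close()`, which is handled outside the hunk.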
@@ -136,7 +136,7 @@ def __init__(self, filename=None):
 # so that our menu bar appears.
 subprocess.run(
 [
- 'osascript',
+ '/usr/bin/osascript',
 '-e', 'tell application "System Events"',
 '-e', 'set frontmost of the first process whose '
 'unix id is {} to true'.format(os.getpid()),
From 00682c55ddcd0a1a2ea93bc889e88e3c1179438f Mon Sep 17 00:00:00 2001
From: Fionn Fitzmaurice
Date: Fri, 17 Oct 2025 01:08:09 +0800
Subject: [PATCH 3/3] Add NEWS entry for osascript path
---
 .../next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
diff --git a/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst b/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
new file mode 100644
index 00000000000000..520b4e08247193
--- /dev/null
+++ b/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
@@ -0,0 +1 @@
+Invoke osascript with absolute path.
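Review bot: The hard-coded `'/usr/bin/osascript'` in the `subprocess.run` argument list of Lib/turtledemo/__main__.py carries no comment saying why the PATH lookup is avoided, so a later cleanup could revert it to the bare name. A line above the list such as `# Absolute path: never resolve osascript through PATH (gh-137586).` would record the intent next to the existing menu-bar comment. The `os.popen` line in Lib/webbrowser.py would take the same comment. The `subprocess.run(` call and the enclosing `__init__` both start and end outside this hunk.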