gh-137586: Open external osascript program with absolute path by fionn · Pull Request #137584 · python/cpython

fionn · 2025-08-09T08:54:51Z

On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour.

Depending on one's environment or level of paranoia, this may be considered a security vulnerability.

Issue: Use absolute paths when invoking built-in shell commands #137586

python-cla-bot · 2025-08-09T08:54:56Z

All commit authors signed the Contributor License Agreement.

bedevere-app · 2025-08-09T08:54:57Z

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

bedevere-app · 2025-08-09T09:00:02Z

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

picnixz · 2025-08-09T09:05:20Z

Please open an issue first.

frenzymadness · 2025-10-07T13:03:35Z

Could you please add a news entry and also fix the osascript invocation in Lib/turtledemo/__main__.py?

On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability.

fionn · 2025-10-16T17:11:23Z

Yes, done. I wasn't sure if this was significant enough to warrant a news item.

secengjeff · 2026-03-26T01:32:04Z

#146439 takes a broader approach to this issue by replacing MacOSXOSAScript entirely with a new MacOSX class that uses /usr/bin/open via subprocess.run, rather than switching to /usr/bin/osascript. This eliminates the osascript dependency and the PATH-injection vector completely, and also addresses the related usability problem of webbrowser.open() failing silently on managed endpoints where osascript is blocked. It may be worth considering whether that PR supersedes this one.

gpshead · 2026-04-05T22:53:40Z

This is one think is worthwhile backporting given not relying on $PATH for this system binary seems like a good thing security wise.

Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst

hugovk · 2026-04-06T09:21:29Z

@fionn Please could you sign the CLA again?

#137584 (comment)

See https://devguide.python.org/getting-started/pull-request-lifecycle/#why-do-i-need-to-sign-the-cla-again

Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

fionn · 2026-04-06T10:02:16Z

Ah, I guess this happened because I accepted the suggestion via the GitHub UI, which added a commit with the GitHub email address.

I amended the commit to match the email address I signed the CLA with instead.

hugovk · 2026-04-06T10:19:27Z

Thanks, yes, that'll be it.

But you'll still need to add the GH account email to the CLA when the first backport PR is opened.

miss-islington-app · 2026-04-06T16:42:14Z

Thanks @fionn for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

bedevere-app · 2026-04-06T16:42:35Z

GH-148173 is a backport of this pull request to the 3.14 branch.

…ythonGH-137584) Open web browser with absolute path On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability. (cherry picked from commit a0c57a8) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app · 2026-04-06T16:42:41Z

GH-148174 is a backport of this pull request to the 3.13 branch.

…ythonGH-137584) Open web browser with absolute path On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability. (cherry picked from commit a0c57a8) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app · 2026-04-06T16:42:46Z

GH-148175 is a backport of this pull request to the 3.12 branch.

…ythonGH-137584) Open web browser with absolute path On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability. (cherry picked from commit a0c57a8) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app · 2026-04-06T16:42:51Z

GH-148176 is a backport of this pull request to the 3.11 branch.

…ythonGH-137584) Open web browser with absolute path On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability. (cherry picked from commit a0c57a8) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app · 2026-04-06T16:42:55Z

GH-148177 is a backport of this pull request to the 3.10 branch.

gpshead · 2026-04-06T16:43:46Z

But you'll still need to add the GH account email to the CLA when the first backport PR is opened.

confirming - #148173 (comment) - yup, looks like it needs the CLA as well. @fionn

bedevere-app bot added the awaiting review label Aug 9, 2025

fionn force-pushed the no-path-injection branch from 091f610 to 8700060 Compare August 9, 2025 08:59

fionn changed the title ~~Open web browser with absolute path~~ gh-137586: Open web browser with absolute path Aug 9, 2025

bedevere-app bot mentioned this pull request Aug 9, 2025

Use absolute paths when invoking built-in shell commands #137586

Open

fionn requested a review from terryjreedy as a code owner October 16, 2025 17:08

fionn added 3 commits October 17, 2025 01:09

Invoke osascript with absolute path in turtledemo

882f3d6

Add NEWS entry for osascript path

00682c5

fionn force-pushed the no-path-injection branch from e9ed37f to 00682c5 Compare October 16, 2025 17:10

secengjeff mentioned this pull request Mar 26, 2026

gh-137586: Replace 'osascript' with 'open' on macOS in webbrowser #146439

Open

Merge branch 'main' into no-path-injection

7e51307

gpshead added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes type-security A security issue needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Apr 5, 2026

hugovk reviewed Apr 6, 2026

View reviewed changes

Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst Outdated Show resolved Hide resolved

Be more specific in news item

489d186

Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

fionn force-pushed the no-path-injection branch from f6b048c to 489d186 Compare April 6, 2026 10:00

merwok changed the title ~~gh-137586: Open web browser with absolute path~~ gh-137586: Open external osascript program with absolute path Apr 6, 2026

gpshead approved these changes Apr 6, 2026

View reviewed changes

bedevere-app bot added awaiting merge and removed awaiting review labels Apr 6, 2026

gpshead merged commit a0c57a8 into python:main Apr 6, 2026
55 checks passed

bedevere-app bot removed the awaiting merge label Apr 6, 2026

bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Apr 6, 2026

bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Apr 6, 2026

bedevere-app bot removed the needs backport to 3.12 only security fixes label Apr 6, 2026

bedevere-app bot removed the needs backport to 3.11 only security fixes label Apr 6, 2026

bedevere-app bot removed the needs backport to 3.10 only security fixes label Apr 6, 2026

Uh oh!

Conversation

fionn commented Aug 9, 2025 • edited by bedevere-app bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

python-cla-bot bot commented Aug 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bedevere-app bot commented Aug 9, 2025

Uh oh!

bedevere-app bot commented Aug 9, 2025

Uh oh!

picnixz commented Aug 9, 2025

Uh oh!

frenzymadness commented Oct 7, 2025

Uh oh!

fionn commented Oct 16, 2025

Uh oh!

secengjeff commented Mar 26, 2026

Uh oh!

gpshead commented Apr 5, 2026

Uh oh!

Uh oh!

hugovk commented Apr 6, 2026

Uh oh!

fionn commented Apr 6, 2026

Uh oh!

hugovk commented Apr 6, 2026

Uh oh!

Uh oh!

miss-islington-app bot commented Apr 6, 2026

Uh oh!

bedevere-app bot commented Apr 6, 2026

Uh oh!

bedevere-app bot commented Apr 6, 2026

Uh oh!

bedevere-app bot commented Apr 6, 2026

Uh oh!

bedevere-app bot commented Apr 6, 2026

Uh oh!

bedevere-app bot commented Apr 6, 2026

Uh oh!

gpshead commented Apr 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

fionn commented Aug 9, 2025 •

edited by bedevere-app bot

Loading

python-cla-bot bot commented Aug 9, 2025 •

edited

Loading