From 7a6cb58fd14e125ff1acf6169955d33a1b5d9347 Mon Sep 17 00:00:00 2001
From: Fionn <1897918+fionn@users.noreply.github.com>
Date: Tue, 7 Apr 2026 00:42:10 +0800
Subject: [PATCH] gh-137586: Open external osascript program with absolute path
 (GH-137584)

Open web browser with absolute path

On macOS, web browsers are opened via popen calling osascript. However,
if a user has a colliding osascript executable earlier in their PATH,
this may fail or cause unwanted behaviour.

Depending on one's environment or level of paranoia, this may be considered a security vulnerability.
(cherry picked from commit a0c57a8d17eb0f5c4e620d83a13a47cf4d85e76f)

Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
---
 Lib/test/test_webbrowser.py                                     | 2 +-
 Lib/turtledemo/__main__.py                                      | 2 +-
 Lib/webbrowser.py                                               | 2 +-
 .../next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst   | 1 +
 4 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst

diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
index 522219bc8c55b3..74eca81c707ead 100644
--- a/Lib/test/test_webbrowser.py
+++ b/Lib/test/test_webbrowser.py
@@ -267,7 +267,7 @@ def test_default_open(self):
         url = "https://python.org"
         self.browser.open(url)
         self.assertTrue(self.popen_pipe._closed)
-        self.assertEqual(self.popen_pipe.cmd, "osascript")
+        self.assertEqual(self.popen_pipe.cmd, "/usr/bin/osascript")
         script = self.popen_pipe.pipe.getvalue()
         self.assertEqual(script.strip(), f'open location "{url}"')
 
diff --git a/Lib/turtledemo/__main__.py b/Lib/turtledemo/__main__.py
index 2ab6c15e2c079e..7bf8c960eb4c22 100755
--- a/Lib/turtledemo/__main__.py
+++ b/Lib/turtledemo/__main__.py
@@ -137,7 +137,7 @@ def __init__(self, filename=None):
             # so that our menu bar appears.
             subprocess.run(
                     [
-                        'osascript',
+                        '/usr/bin/osascript',
                         '-e', 'tell application "System Events"',
                         '-e', 'set frontmost of the first process whose '
                               'unix id is {} to true'.format(os.getpid()),
diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
index 52ad205bd1b881..ce6ec9a27d7d8b 100755
--- a/Lib/webbrowser.py
+++ b/Lib/webbrowser.py
@@ -713,7 +713,7 @@ def open(self, url, new=0, autoraise=True):
                    end
                    '''%(self.name, url.replace('"', '%22'))
 
-            osapipe = os.popen("osascript", "w")
+            osapipe = os.popen("/usr/bin/osascript", "w")
             if osapipe is None:
                 return False
 
diff --git a/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst b/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
new file mode 100644
index 00000000000000..8e42065392a2de
--- /dev/null
+++ b/Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst
@@ -0,0 +1 @@
+Invoke :program:`osascript` with absolute path in :mod:`webbrowser` and :mod:`!turtledemo`.