gh-137586: Open external osascript program with absolute path#137584

fionn

On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour.

Depending on one's environment or level of paranoia, this may be considered a security vulnerability.

Issue: Use absolute paths when invoking built-in shell commands #137586

python-cla-bot

All commit authors signed the Contributor License Agreement.

bedevere-app

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

bedevere-app

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

picnixz

Please open an issue first.

frenzymadness

Could you please add a news entry and also fix the osascript invocation in Lib/turtledemo/__main__.py?

On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability.

fionn

Yes, done. I wasn't sure if this was significant enough to warrant a news item.

secengjeff

#146439 takes a broader approach to this issue by replacing MacOSXOSAScript entirely with a new MacOSX class that uses /usr/bin/open via subprocess.run, rather than switching to /usr/bin/osascript. This eliminates the osascript dependency and the PATH-injection vector completely, and also addresses the related usability problem of webbrowser.open() failing silently on managed endpoints where osascript is blocked. It may be worth considering whether that PR supersedes this one.

gpshead

This is one think is worthwhile backporting given not relying on $PATH for this system binary seems like a good thing security wise.

hugovk

@fionn Please could you sign the CLA again?

#137584 (comment)

See https://devguide.python.org/getting-started/pull-request-lifecycle/#why-do-i-need-to-sign-the-cla-again

Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

fionn

Ah, I guess this happened because I accepted the suggestion via the GitHub UI, which added a commit with the GitHub email address.

I amended the commit to match the email address I signed the CLA with instead.

miss-islington-app

Thanks @fionn for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

bedevere-app

GH-148173 is a backport of this pull request to the 3.14 branch.

…ythonGH-137584) Open web browser with absolute path On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability. (cherry picked from commit a0c57a8) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app

GH-148174 is a backport of this pull request to the 3.13 branch.

…ythonGH-137584) Open web browser with absolute path On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability. (cherry picked from commit a0c57a8) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app

GH-148175 is a backport of this pull request to the 3.12 branch.

…ythonGH-137584) Open web browser with absolute path On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability. (cherry picked from commit a0c57a8) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app

GH-148176 is a backport of this pull request to the 3.11 branch.

…ythonGH-137584) Open web browser with absolute path On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability. (cherry picked from commit a0c57a8) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app

GH-148177 is a backport of this pull request to the 3.10 branch.

gpshead

But you'll still need to add the GH account email to the CLA when the first backport PR is opened.

confirming - #148173 (comment) - yup, looks like it needs the CLA as well. @fionn

…H-137584) (#148173) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

…H-137584) (#148174) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

…H-137584) (#148175) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

…H-137584) (#148176) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

…H-137584) (#148177) Co-authored-by: Fionn <1897918+fionn@users.noreply.github.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

fionn

confirming - #148173 (comment) - yup, looks like it needs the CLA as well.

Strange! Have re-signed it.

bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot PPC64LE Fedora Stable Clang Installed 3.13 (tier-3) has failed when building commit c358b89.

What do you need to do:

Don't panic.
Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
Go to the page of the buildbot that failed (https://buildbot.python.org/#/builders/1429/builds/1122) and take a look at the build logs.
Check if the failure is related to this commit (c358b89) or if it is a false positive.
If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/#/builders/1429/builds/1122

Summary of the results of the build (if available):

Click to see traceback logs

fatal: unable to access 'https://github.com/python/cpython.git/': Failed to connect to github.com port 443 after 890 ms: Could not connect to server

chmod: cannot access 'target/': No such file or directory

make: *** No rule to make target 'distclean'.  Stop.

…ythonGH-137584) Open web browser with absolute path On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour. Depending on one's environment or level of paranoia, this may be considered a security vulnerability. Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

bedevere-app Bot added the awaiting review label Aug 9, 2025

fionn force-pushed the no-path-injection branch from 091f610 to 8700060 Compare August 9, 2025 08:59

fionn changed the title ~~Open web browser with absolute path~~ Aug 9, 2025

bedevere-app Bot mentioned this pull request Aug 9, 2025

Use absolute paths when invoking built-in shell commands #137586

Closed

fionn requested a review from terryjreedy as a code owner October 16, 2025 17:08

fionn added 3 commits October 17, 2025 01:09

Invoke osascript with absolute path in turtledemo

882f3d6

Add NEWS entry for osascript path

00682c5

fionn force-pushed the no-path-injection branch from e9ed37f to 00682c5 Compare October 16, 2025 17:10

secengjeff mentioned this pull request Mar 26, 2026

gh-137586: Replace 'osascript' with 'open' on macOS in webbrowser #146439

Merged

Merge branch 'main' into no-path-injection

7e51307

gpshead added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes type-security A security issue needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 labels Apr 5, 2026

hugovk reviewed Apr 6, 2026

View reviewed changes

Be more specific in news item …

489d186

Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

fionn force-pushed the no-path-injection branch from f6b048c to 489d186 Compare April 6, 2026 10:00

bedevere-app Bot added awaiting merge and removed labels Apr 6, 2026

bedevere-app Bot removed the awaiting merge label Apr 6, 2026

bedevere-app Bot removed the needs backport to 3.14 bugs and security fixes label Apr 6, 2026

bedevere-app Bot removed the needs backport to 3.13 bugs and security fixes label Apr 6, 2026

bedevere-app Bot removed the needs backport to 3.12 only security fixes label Apr 6, 2026

bedevere-app Bot removed the needs backport to 3.11 only security fixes label Apr 6, 2026

bedevere-app Bot removed the needs backport to 3.10 only security fixes label Apr 6, 2026

fionn deleted the no-path-injection branch April 7, 2026 03:36

Conversation

fionn commented Aug 9, 2025 • edited by bedevere-app Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

python-cla-bot Bot commented Aug 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

bedevere-app Bot commented Aug 9, 2025

Uh oh!

bedevere-app Bot commented Aug 9, 2025

Uh oh!

picnixz commented Aug 9, 2025

Uh oh!

frenzymadness commented Oct 7, 2025

Uh oh!

fionn commented Oct 16, 2025

Uh oh!

secengjeff commented Mar 26, 2026

Uh oh!

gpshead commented Apr 5, 2026

Uh oh!

hugovk commented Apr 6, 2026

Uh oh!

fionn commented Apr 6, 2026

Uh oh!

Uh oh!

miss-islington-app Bot commented Apr 6, 2026

Uh oh!

bedevere-app Bot commented Apr 6, 2026

Uh oh!

bedevere-app Bot commented Apr 6, 2026

Uh oh!

bedevere-app Bot commented Apr 6, 2026

Uh oh!

bedevere-app Bot commented Apr 6, 2026

Uh oh!

bedevere-app Bot commented Apr 6, 2026

Uh oh!

gpshead commented Apr 6, 2026

Uh oh!

fionn commented Apr 7, 2026

Uh oh!

bedevere-bot commented Apr 7, 2026

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

fionn commented Aug 9, 2025 •

edited by bedevere-app Bot

Loading

python-cla-bot Bot commented Aug 9, 2025 •

edited

Loading