gh-137586: Open external osascript program with absolute path (GH-137584)

Open web browser with absolute path

On macOS, web browsers are opened via popen calling osascript. However,
if a user has a colliding osascript executable earlier in their PATH,
this may fail or cause unwanted behaviour.

Depending on one's environment or level of paranoia, this may be considered a security vulnerability.

Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

Author: fionn

Lib/test/test_webbrowser.py

@@ -351,7 +351,7 @@ def test_default_open(self):
         url = "https://python.org"
         self.browser.open(url)
         self.assertTrue(self.popen_pipe._closed)
-        self.assertEqual(self.popen_pipe.cmd, "osascript")
+        self.assertEqual(self.popen_pipe.cmd, "/usr/bin/osascript")
         script = self.popen_pipe.pipe.getvalue()
         self.assertEqual(script.strip(), f'open location "{url}"')
 

Lib/turtledemo/__main__.py

@@ -136,7 +136,7 @@ def __init__(self, filename=None):
             # so that our menu bar appears.
             subprocess.run(
                     [
-                        'osascript',
+                        '/usr/bin/osascript',
                         '-e', 'tell application "System Events"',
                         '-e', 'set frontmost of the first process whose '
                               'unix id is {} to true'.format(os.getpid()),

Lib/webbrowser.py

@@ -656,7 +656,7 @@ def open(self, url, new=0, autoraise=True):
                    end
                    '''
 
-            osapipe = os.popen("osascript", "w")
+            osapipe = os.popen("/usr/bin/osascript", "w")
             if osapipe is None:
                 return False
 

Misc/NEWS.d/next/macOS/2025-10-17-01-07-03.gh-issue-137586.kVzxvp.rst

@@ -0,0 +1 @@
+Invoke :program:`osascript` with absolute path in :mod:`webbrowser` and :mod:`!turtledemo`.