gh-137586: Use bundle IDs in MacOSX to prevent file injection via OS handler

For non-http(s) URLs (e.g. file://), /usr/bin/open dispatches via the OS
file handler, which would launch an .app bundle rather than open it in a
browser. Fix this by routing non-http(s) URLs through the browser explicitly
using /usr/bin/open -b <bundle-id>.

Named browsers use a static bundle ID map (Chrome, Firefox, Safari, Chromium,
Opera, Edge). Unknown named browsers fall back to -a. For the default browser,
the bundle ID is resolved at runtime via the Objective-C runtime using
NSWorkspace.URLForApplicationToOpenURL, the same lookup MacOSXOSAScript
performed via AppleScript. Falls back to direct open if ctypes is unavailable.

http/https URLs with the default browser continue to use /usr/bin/open
directly, as macOS always routes these to the registered browser.

Author: secengjeff

Lib/test/test_webbrowser.py

@@ -333,7 +333,8 @@ def test_default(self):
         self.assertIsInstance(browser, webbrowser.MacOSX)
         self.assertEqual(browser.name, 'default')
 
-    def test_default_open(self):
+    def test_default_http_open(self):
+        # http/https URLs use /usr/bin/open directly — no bundle ID needed.
         browser = webbrowser.MacOSX('default')
         with mock.patch('subprocess.run') as mock_run:
             mock_run.return_value = mock.Mock(returncode=0)
@@ -344,17 +345,59 @@ def test_default_open(self):
         )
         self.assertTrue(result)
 
-    def test_named_open(self):
+    def test_default_non_http_uses_bundle_id(self):
+        # Non-http(s) URLs (e.g. file://) must be routed through the browser
+        # via -b <bundle-id> to prevent OS file handler dispatch.
+        file_url = 'file:///tmp/test.html'
+        browser = webbrowser.MacOSX('default')
+        with mock.patch('webbrowser._macos_default_browser_bundle_id',
+                        return_value='com.apple.Safari'), \
+             mock.patch('subprocess.run') as mock_run:
+            mock_run.return_value = mock.Mock(returncode=0)
+            result = browser.open(file_url)
+        mock_run.assert_called_once_with(
+            ['/usr/bin/open', '-b', 'com.apple.Safari', file_url],
+            stderr=subprocess.DEVNULL,
+        )
+        self.assertTrue(result)
+
+    def test_default_non_http_fallback_when_no_bundle_id(self):
+        # If the bundle ID lookup fails, fall back to /usr/bin/open without -b.
+        file_url = 'file:///tmp/test.html'
+        browser = webbrowser.MacOSX('default')
+        with mock.patch('webbrowser._macos_default_browser_bundle_id',
+                        return_value=None), \
+             mock.patch('subprocess.run') as mock_run:
+            mock_run.return_value = mock.Mock(returncode=0)
+            browser.open(file_url)
+        mock_run.assert_called_once_with(
+            ['/usr/bin/open', file_url],
+            stderr=subprocess.DEVNULL,
+        )
+
+    def test_named_known_browser_uses_bundle_id(self):
+        # Named browsers with a known bundle ID use /usr/bin/open -b.
         browser = webbrowser.MacOSX('safari')
         with mock.patch('subprocess.run') as mock_run:
             mock_run.return_value = mock.Mock(returncode=0)
             result = browser.open(URL)
         mock_run.assert_called_once_with(
-            ['/usr/bin/open', '-a', 'safari', URL],
+            ['/usr/bin/open', '-b', 'com.apple.Safari', URL],
             stderr=subprocess.DEVNULL,
         )
         self.assertTrue(result)
 
+    def test_named_unknown_browser_falls_back_to_dash_a(self):
+        # Named browsers not in the bundle ID map fall back to -a.
+        browser = webbrowser.MacOSX('lynx')
+        with mock.patch('subprocess.run') as mock_run:
+            mock_run.return_value = mock.Mock(returncode=0)
+            browser.open(URL)
+        mock_run.assert_called_once_with(
+            ['/usr/bin/open', '-a', 'lynx', URL],
+            stderr=subprocess.DEVNULL,
+        )
+
     def test_open_failure(self):
         browser = webbrowser.MacOSX('default')
         with mock.patch('subprocess.run') as mock_run:

Lib/webbrowser.py

@@ -613,16 +613,108 @@ def open(self, url, new=0, autoraise=True):
 #
 
 if sys.platform == 'darwin':
+    def _macos_default_browser_bundle_id():
+        """Return the bundle ID of the default web browser via NSWorkspace.
+
+        Uses the Objective-C runtime directly to call
+        NSWorkspace.sharedWorkspace().URLForApplicationToOpenURL() with a
+        probe https:// URL, then reads the bundle identifier from the
+        resulting NSBundle.  Returns None if ctypes is unavailable or the
+        lookup fails for any reason.
+        """
+        try:
+            from ctypes import cdll, c_void_p, c_char_p
+            from ctypes.util import find_library
+
+            objc = cdll.LoadLibrary(find_library('objc'))
+            objc.objc_getClass.restype = c_void_p
+            objc.sel_registerName.restype = c_void_p
+            objc.objc_msgSend.restype = c_void_p
+
+            def cls(name):
+                return objc.objc_getClass(name)
+
+            def sel(name):
+                return objc.sel_registerName(name)
+
+            # Build probe NSURL for "https://python.org"
+            NSString = cls(b'NSString')
+            objc.objc_msgSend.argtypes = [c_void_p, c_void_p, c_char_p]
+            ns_str = objc.objc_msgSend(
+                NSString, sel(b'stringWithUTF8String:'), b'https://python.org'
+            )
+
+            NSURL = cls(b'NSURL')
+            objc.objc_msgSend.argtypes = [c_void_p, c_void_p, c_void_p]
+            probe_url = objc.objc_msgSend(NSURL, sel(b'URLWithString:'), ns_str)
+
+            # Ask NSWorkspace which app handles https://
+            NSWorkspace = cls(b'NSWorkspace')
+            objc.objc_msgSend.argtypes = [c_void_p, c_void_p]
+            workspace = objc.objc_msgSend(NSWorkspace, sel(b'sharedWorkspace'))
+
+            objc.objc_msgSend.argtypes = [c_void_p, c_void_p, c_void_p]
+            app_url = objc.objc_msgSend(
+                workspace, sel(b'URLForApplicationToOpenURL:'), probe_url
+            )
+
+            # Get bundle identifier from that app's NSBundle
+            NSBundle = cls(b'NSBundle')
+            bundle = objc.objc_msgSend(NSBundle, sel(b'bundleWithURL:'), app_url)
+
+            objc.objc_msgSend.argtypes = [c_void_p, c_void_p]
+            bundle_id_ns = objc.objc_msgSend(bundle, sel(b'bundleIdentifier'))
+
+            objc.objc_msgSend.restype = c_char_p
+            bundle_id_bytes = objc.objc_msgSend(bundle_id_ns, sel(b'UTF8String'))
+            return bundle_id_bytes.decode() if bundle_id_bytes else None
+        except Exception:
+            return None
+
     class MacOSX(BaseBrowser):
-        """Launcher class for macOS browsers, using /usr/bin/open."""
+        """Launcher class for macOS browsers, using /usr/bin/open.
+
+        For http/https URLs with the default browser, /usr/bin/open is called
+        directly; macOS routes these to the registered browser.
+
+        For all other URL schemes (e.g. file://) and for named browsers,
+        /usr/bin/open -b <bundle-id> is used so that the URL is always passed
+        to a browser application rather than dispatched by the OS file handler.
+        This prevents file injection attacks where a file:// URL pointing to an
+        executable bundle could otherwise be launched by the OS.
+
+        Named browsers with known bundle IDs use -b; unknown names fall back
+        to -a.
+        """
+
+        _BUNDLE_IDS = {
+            'google chrome':  'com.google.Chrome',
+            'firefox':        'org.mozilla.firefox',
+            'safari':         'com.apple.Safari',
+            'chromium':       'org.chromium.Chromium',
+            'opera':          'com.operasoftware.Opera',
+            'microsoft edge': 'com.microsoft.Edge',
+        }
 
         def open(self, url, new=0, autoraise=True):
             sys.audit("webbrowser.open", url)
             self._check_url(url)
             if self.name == 'default':
-                cmd = ['/usr/bin/open', url]
+                proto, sep, _ = url.partition(':')
+                if sep and proto.lower() in {'http', 'https'}:
+                    cmd = ['/usr/bin/open', url]
+                else:
+                    bundle_id = _macos_default_browser_bundle_id()
+                    if bundle_id:
+                        cmd = ['/usr/bin/open', '-b', bundle_id, url]
+                    else:
+                        cmd = ['/usr/bin/open', url]
             else:
-                cmd = ['/usr/bin/open', '-a', self.name, url]
+                bundle_id = self._BUNDLE_IDS.get(self.name.lower())
+                if bundle_id:
+                    cmd = ['/usr/bin/open', '-b', bundle_id, url]
+                else:
+                    cmd = ['/usr/bin/open', '-a', self.name, url]
             proc = subprocess.run(cmd, stderr=subprocess.DEVNULL)
             return proc.returncode == 0