Skip to content

gh-137586: Open web browser with absolute path#137584

Open
fionn wants to merge 5 commits intopython:mainfrom
fionn:no-path-injection
Open

gh-137586: Open web browser with absolute path#137584
fionn wants to merge 5 commits intopython:mainfrom
fionn:no-path-injection

Conversation

@fionn
Copy link
Copy Markdown

@fionn fionn commented Aug 9, 2025
edited by bedevere-app bot
Loading

On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour.

Depending on one's environment or level of paranoia, this may be considered a security vulnerability.

@python-cla-bot
Copy link
Copy Markdown

python-cla-bot bot commented Aug 9, 2025
edited
Loading

All commit authors signed the Contributor License Agreement.

CLA signed

@bedevere-app
Copy link
Copy Markdown

bedevere-app bot commented Aug 9, 2025

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@fionn fionn force-pushed the no-path-injection branch from 091f610 to 8700060 Compare August 9, 2025 08:59
@bedevere-app
Copy link
Copy Markdown

bedevere-app bot commented Aug 9, 2025

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@picnixz
Copy link
Copy Markdown
Member

picnixz commented Aug 9, 2025

Please open an issue first.

@fionn fionn changed the title Open web browser with absolute path gh-137586: Open web browser with absolute path Aug 9, 2025
@bedevere-app bedevere-app bot mentioned this pull request Aug 9, 2025
Open
@frenzymadness
Copy link
Copy Markdown
Contributor

frenzymadness commented Oct 7, 2025

Could you please add a news entry and also fix the osascript invocation in Lib/turtledemo/__main__.py?

@fionn fionn requested a review from terryjreedy as a code owner October 16, 2025 17:08
fionn added 3 commits October 17, 2025 01:09
@fionn
Open web browser with absolute path
2ef2289 
On macOS, web browsers are opened via popen calling osascript. However,
if a user has a colliding osascript executable earlier in their PATH,
this may fail or cause unwanted behaviour.

Depending on one's environment or level of paranoia, this may be
considered a security vulnerability.
@fionn
Invoke osascript with absolute path in turtledemo
882f3d6
@fionn
Add NEWS entry for osascript path
00682c5
@fionn fionn force-pushed the no-path-injection branch from e9ed37f to 00682c5 Compare October 16, 2025 17:10
@fionn
Copy link
Copy Markdown
Author

fionn commented Oct 16, 2025

Yes, done. I wasn't sure if this was significant enough to warrant a news item.

@secengjeff secengjeff mentioned this pull request Mar 26, 2026
Open
@secengjeff
Copy link
Copy Markdown

secengjeff commented Mar 26, 2026

#146439 takes a broader approach to this issue by replacing MacOSXOSAScript entirely with a new MacOSX class that uses /usr/bin/open via subprocess.run, rather than switching to /usr/bin/osascript. This eliminates the osascript dependency and the PATH-injection vector completely, and also addresses the related usability problem of webbrowser.open() failing silently on managed endpoints where osascript is blocked. It may be worth considering whether that PR supersedes this one.

@gpshead gpshead added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes type-security A security issue needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Apr 5, 2026
@gpshead
Copy link
Copy Markdown
Member

gpshead commented Apr 5, 2026

This is one think is worthwhile backporting given not relying on $PATH for this system binary seems like a good thing security wise.

hugovk
hugovk reviewed Apr 6, 2026
View reviewed changes
@hugovk
Copy link
Copy Markdown
Member

hugovk commented Apr 6, 2026

@fionn Please could you sign the CLA again?

#137584 (comment)

See https://devguide.python.org/getting-started/pull-request-lifecycle/#why-do-i-need-to-sign-the-cla-again

@fionn @hugovk
Be more specific in news item
489d186 
Co-authored-by: Hugo van Kemenade <[email protected]>
@fionn fionn force-pushed the no-path-injection branch from f6b048c to 489d186 Compare April 6, 2026 10:00
@fionn
Copy link
Copy Markdown
Author

fionn commented Apr 6, 2026

Ah, I guess this happened because I accepted the suggestion via the GitHub UI, which added a commit with the GitHub email address.

I amended the commit to match the email address I signed the CLA with instead.

@hugovk
Copy link
Copy Markdown
Member

hugovk commented Apr 6, 2026

Thanks, yes, that'll be it.

But you'll still need to add the GH account email to the CLA when the first backport PR is opened.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hugovk hugovk hugovk left review comments

@terryjreedy terryjreedy Awaiting requested review from terryjreedy terryjreedy is a code owner

Assignees

No one assigned

Labels

awaiting review needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@fionn @picnixz @frenzymadness @secengjeff @gpshead @hugovk @nazeerali4325-commits