
@fionn fionn commented Aug 9, 2025

On macOS, web browsers are opened via popen calling osascript. However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour.

Depending on one's environment or level of paranoia, this may be considered a security vulnerability.
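The collision described above can be checked for defensively. The following is an added example, not code from this pull request or from CPython: it lists any executable that a by-name `PATH` lookup would pick ahead of the intended binary. The directories are constructed stand-ins for a user bin directory and `/usr/bin`, and `find_shadowing` and `demo` are hypothetical names.

```python
import os
import shutil
import tempfile


def find_shadowing(name, trusted_path, search_path):
    """Return executables named `name` that a PATH lookup over `search_path`
    would find before `trusted_path`, in lookup order."""
    trusted = os.path.realpath(trusted_path)
    hits = []
    for directory in search_path.split(os.pathsep):
        # An empty PATH entry means the current directory on POSIX.
        candidate = os.path.join(directory or os.curdir, name)
        if not (os.path.isfile(candidate) and os.access(candidate, os.X_OK)):
            continue
        if os.path.realpath(candidate) == trusted:
            break  # reached the trusted binary; later entries cannot win
        hits.append(candidate)
    return hits


def demo():
    """Build a constructed PATH containing a colliding executable and audit it."""
    with tempfile.TemporaryDirectory() as root:
        user_bin = os.path.join(root, "home", "bin")   # stand-in for ~/bin
        system_bin = os.path.join(root, "usr", "bin")  # stand-in for /usr/bin
        for directory in (user_bin, system_bin):
            os.makedirs(directory)
            tool = os.path.join(directory, "osascript")
            with open(tool, "w") as handle:
                handle.write("#!/bin/sh\n")
            os.chmod(tool, 0o755)
        trusted = os.path.join(system_bin, "osascript")
        risky = os.pathsep.join([user_bin, system_bin])  # user dir searched first
        safe = os.pathsep.join([system_bin, user_bin])   # system dir searched first
        by_name = shutil.which("osascript", path=risky)  # what a bare name resolves to
        return {
            "resolved_by_name": os.path.relpath(by_name, root),
            "shadowing_risky": [os.path.relpath(p, root)
                                for p in find_shadowing("osascript", trusted, risky)],
            "shadowing_safe": find_shadowing("osascript", trusted, safe),
        }


if __name__ == "__main__":
    print(demo())
```

Invoking the binary by its absolute path removes the dependency on `PATH` ordering altogether, which is what the title of this pull request describes.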

@python-cla-bot

python-cla-bot bot commented Aug 9, 2025

All commit authors signed the Contributor License Agreement.


@bedevere-app

bedevere-app bot commented Aug 9, 2025

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@fionn fionn force-pushed the no-path-injection branch from 091f610 to 8700060 August 9, 2025 08:59
@picnixz
Member

picnixz commented Aug 9, 2025

Please open an issue first.

@fionn fionn changed the title from "Open web browser with absolute path" to "gh-137586: Open web browser with absolute path" Aug 9, 2025
@frenzymadness
Contributor

Could you please add a news entry and also fix the osascript invocation in Lib/turtledemo/__main__.py?

@fionn fionn requested a review from terryjreedy as a code owner October 16, 2025 17:08
fionn added 3 commits October 17, 2025 01:09
On macOS, web browsers are opened via popen calling osascript. However,
if a user has a colliding osascript executable earlier in their PATH,
this may fail or cause unwanted behaviour.

Depending on one's environment or level of paranoia, this may be
considered a security vulnerability.
@fionn fionn force-pushed the no-path-injection branch from e9ed37f to 00682c5 October 16, 2025 17:10
@fionn
Author

fionn commented Oct 16, 2025

Yes, done. I wasn't sure if this was significant enough to warrant a news item.
