Seeking collaboration on PR #146439: Safer macOS webbrowser opening (replacing osascript with /usr/bin/open)

Hi everyone,

I recently opened PR #146439, which proposes replacing the osascript-based implementation in the webbrowser module on macOS with the safer built-in /usr/bin/open command.

This change addresses two important issues:

  1. Security: The current code searches for and executes osascript via $PATH. This creates a classic attack vector (LOOBin-style technique). A malicious osascript placed earlier in the PATH could be executed instead. This risk was recently highlighted in the Axios npm supply chain attack on March 31, 2026, where the malware used AppleScript executed via osascript on macOS to deliver a Remote Access Trojan.
  2. Usability in enterprise environments: On managed MacBooks (very common in corporate settings with MDM and endpoint protection), security teams are increasingly blocking or restricting osascript execution due to its abuse in supply chain attacks like the recent Axios incident. This causes webbrowser.open() to fail for many enterprise Python users, even for the simple task of opening a URL in the default browser.

The PR switches to an absolute path to /usr/bin/open (the modern Apple-recommended approach), maintains backward compatibility via deprecation of the old MacOSXOSAScript class, includes updated tests and documentation, and passes CI on all platforms.

Thank you in advance for any insights or time you can share.

Links:
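Added example, not part of the post above and not code from the PR or from CPython's webbrowser module: it shows concretely why the first point matters. A bare command name such as `osascript` is resolved by walking `$PATH`, so any directory listed earlier than the real tool's directory can supply a look-alike; an absolute path such as `/usr/bin/open` involves no lookup at all. Everything here is constructed: the executable is named `tool`, and both the "trusted" and "shadow" directories are temporary directories the script creates, so it runs on any platform without touching real system binaries.

```python
"""Demonstrate $PATH shadowing of a bare command name versus an absolute path.

Constructed demo: "trusted/" stands in for the directory holding the genuine
tool and "shadow/" for an attacker-writable directory placed earlier in PATH.
"""
import os
import shutil
import stat
import tempfile


def _make_executable(directory, name, body):
    """Write a small shell script and mark it executable (constructed stand-in)."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def shadowing_entries(name, trusted_path, path_env):
    """Return executables called `name` that live in PATH entries searched
    BEFORE the directory holding `trusted_path`.

    A non-empty result means a bare `name` would not resolve to the trusted
    binary; this is the check a defender can run to spot a planted look-alike.
    """
    trusted_dir = os.path.realpath(os.path.dirname(trusted_path))
    hits = []
    for entry in path_env.split(os.pathsep):
        entry = entry or os.curdir  # an empty PATH entry means "current directory"
        if os.path.realpath(entry) == trusted_dir:
            break  # everything from here on is searched after the trusted copy
        candidate = os.path.join(entry, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            hits.append(candidate)
    return hits


def argv_for_opener(url, opener):
    """Build the argv to exec, accepting only an absolute path to an existing
    executable so that no PATH search ever happens. The opener is a parameter
    here; on macOS the PR's choice is /usr/bin/open."""
    if not os.path.isabs(opener):
        raise ValueError(f"opener must be an absolute path, got {opener!r}")
    if not os.path.isfile(opener) or not os.access(opener, os.X_OK):
        raise FileNotFoundError(opener)
    return [opener, url]


def demo():
    """Lay out trusted/ and shadow/, put shadow/ first in a constructed PATH,
    then compare bare-name resolution with the absolute-path approach."""
    root = tempfile.mkdtemp(prefix="path-shadow-demo-")
    trusted_dir = os.path.join(root, "trusted")
    shadow_dir = os.path.join(root, "shadow")
    os.makedirs(trusted_dir)
    os.makedirs(shadow_dir)
    trusted = _make_executable(trusted_dir, "tool", "#!/bin/sh\necho real\n")
    shadow = _make_executable(shadow_dir, "tool", "#!/bin/sh\necho shadow\n")
    path_env = os.pathsep.join([shadow_dir, trusted_dir])

    # 1. Bare name: shutil.which walks PATH in order and picks the shadow first.
    resolved = shutil.which("tool", path=path_env)
    # 2. Absolute path: no lookup, so the shadow directory is irrelevant.
    argv = argv_for_opener("https://example.invalid/", trusted)
    # 3. Detection: which entries would have shadowed the trusted binary?
    hits = shadowing_entries("tool", trusted, path_env)

    shutil.rmtree(root)
    return {
        "trusted_path": trusted,
        "shadow_path": shadow,
        "resolved_by_path": resolved,
        "argv_absolute": argv,
        "shadowing_hits": hits,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints that `resolved_by_path` equals the shadow copy while `argv_absolute` points at the trusted copy, and `shadowing_hits` lists the planted file. The same `shadowing_entries` check can be pointed at a real name and location (for example `osascript` against `/usr/bin/osascript` on macOS) to audit a host's `PATH` for shadowing.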