Use absolute paths when invoking built-in shell commands (original) (raw)
Bug report
Bug description:
On macOS, web browsers are opened via popen calling osascript.
Line 647 in3964f97
| osapipe = os.popen("osascript", "w") |
|---|
However, if a user has a colliding osascript executable earlier in their PATH, this may fail or cause unwanted behaviour.
Depending on one's environment or level of paranoia, this may be considered a security vulnerability.
CPython versions tested on:
CPython main branch, 3.13
Operating systems tested on:
macOS
Linked PRs
- gh-137586: Open external osascript program with absolute path #137584
- gh-137586: Replace 'osascript' with 'open' on macOS in webbrowser #146439
- [3.14] gh-137586: Open external osascript program with absolute path (GH-137584) #148173
- [3.13] gh-137586: Open external osascript program with absolute path (GH-137584) #148174
- [3.12] gh-137586: Open external osascript program with absolute path (GH-137584) #148175
- [3.11] gh-137586: Open external osascript program with absolute path (GH-137584) #148176
- [3.10] gh-137586: Open external osascript program with absolute path (GH-137584) #148177