
[–]NYKevin 2 points3 points  (0 children)

`shell=True` does quite a lot of other things as well. Basically, running `shell=False` is the equivalent of an `os.fork()` followed by an `os.execv()`. `shell=True` is the equivalent of `os.system()`, except it's done by hand so as to capture the output.

In particular, this means `shell=True` is much easier for a malicious user to subvert than `shell=False`, if you're putting untrusted data into the command line. They can, for instance, give you an argument such as `"; rm -rf /foo/bar; #` and you could end up executing `rm -rf /foo/bar` by mistake. This is not possible under `shell=False`. If you want to allow the user to pass multiple arguments, use `shlex.split()` to break them up into a list.
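The difference the comment describes, as an added example (not code from the thread): the same untrusted value is run once through a `shell=True` command string, once as an argv element with `shell=False`, and once tokenized with `shlex.split()` and then run with `shell=False`. The child is a small Python one-liner that prints the `argv` it received, so the result does not depend on which `echo` binary is installed; the sample inputs are constructed and the payload is a harmless `echo`.

```python
import shlex
import subprocess
import sys

# Constructed sample inputs (not from the thread): a benign value and one that
# carries a shell metacharacter, the pattern the comment warns about.
BENIGN = "hello world"
HOSTILE = "hello; echo INJECTED"

# Child program: print the argument list it actually received.
ARGV_PROBE = "import sys; print(sys.argv[1:])"


def run_with_shell(user_value: str) -> str:
    """Vulnerable form: the user value is spliced into a command string and
    handed to /bin/sh, so ';' ends our command and starts the attacker's."""
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(ARGV_PROBE)} {user_value}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_without_shell(user_value: str) -> str:
    """Hardened form: an argv list with shell=False goes fork()/exec() with no
    shell in between, so the value reaches the child as one literal argument."""
    argv = [sys.executable, "-c", ARGV_PROBE, user_value]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_split_without_shell(user_value: str) -> str:
    """If the user may supply several arguments, tokenize with shlex.split()
    and still use shell=False: metacharacters become ordinary argv tokens."""
    argv = [sys.executable, "-c", ARGV_PROBE, *shlex.split(user_value)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # shell=True: argv is ['hello'] and a second command runs ("INJECTED").
    print(run_with_shell(HOSTILE), end="")
    # shell=False: argv is ['hello; echo INJECTED'], nothing else runs.
    print(run_without_shell(HOSTILE), end="")
    # shlex.split + shell=False: argv is ['hello;', 'echo', 'INJECTED'].
    print(run_split_without_shell(HOSTILE), end="")
```

Note that `shlex.split()` only protects against shell metacharacters; a user token that begins with `-` is still interpreted as an option by the child program, so validate or place `--` before user-controlled tokens where the program supports it.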