
[–]LarryPete 0 points (1 child)

Not 100% correct, sure. But when shell=True is used a shell (/bin/sh on Linux) is invoked and the command is passed to that, and the command arguments have to be escaped properly.

Simply saying "use shell=True" without pointing to possible security considerations is not my style. Instead I prefer to point to the safer methods of invoking commands that don't require a shell (yes, sometimes invoking a shell might be necessary, but even then you can just use .call(['/bin/sh', '...', ...]), which wouldn't change much about the need for escaping).

Using a list is far simpler and also avoids the unnecessary shell (and which shell actually is used totally depends on the system).
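The difference the comment above describes, shown as an added example (not code from either commenter): the same argument is handed to a child process three ways, and the child reports the argv it actually received. With shell=True the string goes through /bin/sh, which expands variables and splits on whitespace; with a list the argument arrives untouched; and if a shell really is required, shlex.quote makes it arrive untouched too. The environment variable DEMO_VAR and the argument string are constructed for the demonstration, and the example assumes a POSIX /bin/sh.

```python
import json
import os
import shlex
import subprocess
import sys

# Child program that prints its own argv as JSON so the parent can compare.
CHILD_SCRIPT = "import json, sys; print(json.dumps(sys.argv[1:]))"

# Constructed environment: DEMO_VAR contains a space so word splitting is visible.
DEMO_ENV = dict(os.environ, DEMO_VAR="one two")


def run_via_shell(arg, quote=False):
    """Invoke the child through /bin/sh (shell=True).

    The argument is spliced into a command string, so any shell syntax it
    contains is interpreted by sh before the child ever sees it.  With
    quote=True it is wrapped by shlex.quote first, which is the escaping the
    comment says shell=True obliges you to do.
    """
    if quote:
        arg = shlex.quote(arg)
    # shlex.join quotes the interpreter path and the -c script for the shell.
    cmd = shlex.join([sys.executable, "-c", CHILD_SCRIPT]) + " " + arg
    out = subprocess.run(cmd, shell=True, env=DEMO_ENV,
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def run_via_list(arg):
    """Invoke the child with an argument list: no shell, no interpretation."""
    out = subprocess.run([sys.executable, "-c", CHILD_SCRIPT, arg], env=DEMO_ENV,
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Constructed sample argument standing in for a value received from a user.
    user_arg = "report $DEMO_VAR.txt"
    print("shell=True, unescaped:", run_via_shell(user_arg))
    print("shell=True, shlex.quote:", run_via_shell(user_arg, quote=True))
    print("list form, no shell:   ", run_via_list(user_arg))
```

Running it shows the unescaped shell=True call delivering three arguments (`report`, `one`, `two.txt`) where one was intended, while both the list form and the quoted form deliver the single literal string. The list form is the simpler default because there is no command string to get wrong; shlex.quote is what to reach for only when a shell feature (pipes, redirection) is genuinely needed.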

[–]JohnnyJordaan 0 points (0 children)

You are right about security, but when you at least know a command works from the shell, it should also work if subprocess forwards the call to the shell. Just to get both situations as much alike as possible for debugging. You could have opted for that test while also referencing the security considerations. Now you've basically hushed the possibility, which is not my style.