Actual meaning of 'shell=True' in subprocess

梦毁少年i 2020-11-21 05:05

I am calling different processes with the subprocess module. However, I have a question.

In the following code:

callProcess = subproces         


        
5 answers
  •  暗喜 (original poster)
    2020-11-21 05:25

    Executing programs through the shell means that all user input passed to the program is interpreted according to the syntax and semantic rules of the invoked shell. At best, this only causes inconvenience to the user, because the user has to obey these rules. For instance, paths containing special shell characters like quotation marks or blanks must be escaped. At worst, it causes security leaks, because the user can execute arbitrary programs.

    shell=True is sometimes convenient to make use of specific shell features like word splitting or parameter expansion. However, if such a feature is required, make use of the other modules that are given to you (e.g. os.path.expandvars() for parameter expansion or shlex for word splitting). This means more work, but avoids other problems.

    In short: Avoid shell=True by all means.
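
An added example (not part of the original answer) showing the difference the answer describes: the same value run through shell=True and as an argv list, plus word splitting and parameter expansion done in Python with shlex and os.path.expandvars(). The child program, the hostile value and the DEMO_NAME variable are constructed for illustration, and a POSIX /bin/sh is assumed.

```python
import os
import shlex
import subprocess
import sys

# Constructed child program: prints the argument vector it actually received.
PRINT_ARGV = "import sys; print(sys.argv[1:])"
# Constructed hostile "file name" containing a blank and a shell metacharacter.
HOSTILE = "report 2020.txt; echo INJECTED"


def run_with_shell(user_value):
    """shell=True: the value is pasted into a string that /bin/sh parses."""
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(PRINT_ARGV)} {user_value}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(args):
    """No shell: each list element reaches the child as exactly one argument."""
    argv = [sys.executable, "-c", PRINT_ARGV, *args]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def split_and_expand(line):
    """Word splitting (shlex) and $VAR expansion (os.path.expandvars) in Python.

    Splitting happens first, so an expanded value can never add arguments
    or be re-parsed as shell syntax.
    """
    return [os.path.expandvars(token) for token in shlex.split(line)]


if __name__ == "__main__":
    print(run_with_shell(HOSTILE))   # shell splits the name and runs "echo INJECTED"
    print(run_argv([HOSTILE]))       # child sees one literal argument
    os.environ["DEMO_NAME"] = HOSTILE
    print(run_argv(split_and_expand("--name $DEMO_NAME -v")))
```

With shell=True the blank splits the name into two arguments and the text after the semicolon runs as a second command; with the argv list the whole value arrives as one argument, even when it comes from an expanded variable.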
