Actual meaning of ‘shell=True’ in subprocess

by

The benefit of not calling via the shell is that you are not invoking a ‘mystery program.’ On POSIX, the environment variable SHELL controls which binary is invoked as the “shell.” On Windows, there is no bourne shell descendent, only cmd.exe.

So invoking the shell invokes a program of the user’s choosing and is platform-dependent. Generally speaking, avoid invocations via the shell.

Invoking via the shell does allow you to expand environment variables and file globs according to the shell’s usual mechanism. On POSIX systems, the shell expands file globs to a list of files. On Windows, a file glob (e.g., “*.*”) is not expanded by the shell, anyway (but environment variables on a command line are expanded by cmd.exe).

If you think you want environment variable expansions and file globs, research the ILS attacks of 1992-ish on network services which performed subprogram invocations via the shell. Examples include the various sendmail backdoors involving ILS.

In summary, use shell=False.

More Related Contents:

  1. How to use `subprocess` command with pipes
  2. Python subprocess/Popen with a modified environment
  3. Using sudo with Python script
  4. Python: execute cat subprocess in parallel
  5. Difference between subprocess.Popen and os.system
  6. Run a program from python, and have it continue to run after the script is killed
  7. subprocess.call using string vs using list
  8. Popen waiting for child process even when the immediate child has terminated
  9. Understanding Popen.communicate
  10. Execute terminal command from python in new terminal window?
  11. Python: how to kill child process(es) when parent dies?
  12. OSError: [WinError 193] %1 is not a valid Win32 application
  13. subprocess.Popen() error (No such file or directory) when calling command with arguments as a string
  14. Using subprocess to run Python script on Windows
  15. running multiple bash commands with subprocess
  16. Keep a subprocess alive and keep giving it commands? Python
  17. Python output to Console within Subprocess from the child scricpt
  18. python getoutput() equivalent in subprocess [duplicate]
  19. Why subprocess.Popen doesn’t work when args is sequence?
  20. Is there a way to check if a subprocess is still running?
  21. How to run multiple commands synchronously from one subprocess.Popen command?
  22. Redirect subprocess stderr to stdout
  23. Interacting with bash from python
  24. Run BASH built-in commands in Python?
  25. Event Driven System Call in Python
  26. How do I eliminate Windows consoles from spawned processes in Python (2.7)? [duplicate]
  27. How to read the first byte of a subprocess’s stdout and then discard the rest in Python?
  28. Cannot find the file specified when using subprocess.call(‘dir’, shell=True) in Python
  29. subprocess.Popen in different console
  30. printing stdout in realtime from a subprocess that requires stdin

Leave a Comment