When to use Shell=True for Python subprocess module [duplicate]

by

If shell is True, the specified command will be executed through the shell. This can be useful if you are using Python primarily for the enhanced control flow it offers over most system shells and still want convenient access to other shell features such as shell pipes, filename wildcards, environment variable expansion, and expansion of ~ to a user’s home directory.

When shell=True is dangerous?

If we execute shell commands that might include unsanitized input from an untrusted source, it will make a program vulnerable to shell injection, a serious security flaw which can result in arbitrary command execution. For this reason, the use of shell=True is strongly discouraged in cases where the command string is constructed from external input

Eg. (Taken from docs)

>>> from subprocess import call
>>> filename = input("What file would you like to display?\n")
What file would you like to display?
non_existent; rm -rf / #
>>> call("cat " + filename, shell=True) # Uh-oh. This will end badly..

More Related Contents:

  1. How do I execute a program or call a system command?
  2. Running shell command and capturing the output
  3. Using sudo with Python script
  4. Python: execute cat subprocess in parallel
  5. live output from subprocess command
  6. Execute terminal command from python in new terminal window?
  7. How do I pipe a subprocess call to a text file?
  8. subprocess.call() arguments ignored when using shell=True w/ list [duplicate]
  9. File not found error when launching a subprocess containing piped commands
  10. Process substitution not allowed by Python’s subprocess with shell=True?
  11. python getoutput() equivalent in subprocess [duplicate]
  12. ‘yes’ reporting error with subprocess communicate()
  13. Understanding python subprocess.check_output’s first argument and shell=True [duplicate]
  14. Python: subprocess call with shell=False not working
  15. Why does subprocess.Popen() with shell=True work differently on Linux vs Windows?
  16. Cannot find the file specified when using subprocess.call(‘dir’, shell=True) in Python
  17. What is the subprocess.Popen max length of the args parameter?
  18. Read streaming input from subprocess.communicate()
  19. ImageMagick not authorized to convert PDF to an image
  20. catching stdout in realtime from subprocess
  21. How do I activate a virtualenv inside PyCharm’s terminal?
  22. Execute a file with arguments in Python shell
  23. Python read from subprocess stdout and stderr separately while preserving order
  24. Python read file as stream from HDFS
  25. Checking for interactive shell in a Python script
  26. How do I pass large numpy arrays between python subprocesses without saving to disk?
  27. Why does passing variables to subprocess.Popen not work despite passing a list of arguments?
  28. How to catch exception output from Python subprocess.check_output()?
  29. How can I specify working directory for a subprocess
  30. Command line execution in different folder

Leave a Comment