https://github.com/python/cpython/commit/14ac620e280aba83ce73b742ca36ac5e614b9a0a
commit: 14ac620e280aba83ce73b742ca36ac5e614b9a0a
branch: 3.8
author: Miss Islington (bot) <[email protected]>
committer: ambv <[email protected]>
date: 2024-05-07T10:48:26+02:00
summary:
[3.8] gh-114539: Clarify implicit launching of shells by subprocess (GH-117996) (GH-118006) (cherry picked from commit a4b44d39cd6941cc03590fee7538776728bdfd0a) Co-authored-by: Steve Dower <[email protected]> files: M Doc/library/subprocess.rst diff --git a/Doc/library/subprocess.rst b/Doc/library/subprocess.rst index 8eea5a474eda7c..2acbbbb4c06e07 100644 --- a/Doc/library/subprocess.rst +++ b/Doc/library/subprocess.rst @@ -666,8 +666,8 @@ Exceptions defined in this module all inherit from :exc:`SubprocessError`. Security Considerations ----------------------- -Unlike some other popen functions, this implementation will never -implicitly call a system shell. This means that all characters, +Unlike some other popen functions, this library will not +implicitly choose to call a system shell. This means that all characters, including shell metacharacters, can safely be passed to child processes. If the shell is invoked explicitly, via ``shell=True``, it is the application's responsibility to ensure that all whitespace and metacharacters are 
@@ -679,6 +679,14 @@ When using ``shell=True``, the :func:`shlex.quote` function can be used to properly escape whitespace and shell metacharacters in strings that are going to be used to construct shell commands. +On Windows, batch files (:file:`*.bat` or :file:`*.cmd`) may be launched by the +operating system in a system shell regardless of the arguments passed to this +library. This could result in arguments being parsed according to shell rules, +but without any escaping added by Python. If you are intentionally launching a +batch file with arguments from untrusted sources, consider passing +``shell=True`` to allow Python to escape special characters. See :gh:`114539` +for additional discussion. + Popen Objects ------------- _______________________________________________ Python-checkins mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3/lists/python-checkins.python.org/ Member address: [email protected]
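Review bot: In the first hunk (@@ -666,8 +666,8 @@), the unchanged sentence right after the reworded one, "This means that all characters, including shell metacharacters, can safely be passed to child processes", is still stated without qualification, yet the paragraph added in the second hunk says batch files on Windows may be launched in a system shell regardless of the arguments passed. Suggest qualifying that sentence, for example by limiting it to cases where the operating system does not itself start a shell, so the two paragraphs do not contradict each other. The new wording "will not implicitly choose to call" is also awkward; "will not itself invoke a system shell" says the same thing more plainly.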
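Review bot: In the second hunk (@@ -679,6 +679,14 @@), the advice "consider passing ``shell=True`` to allow Python to escape special characters" conflicts with the context earlier in the section, which says that with ``shell=True`` "it is the application's responsibility" to quote whitespace and metacharacters. The paragraph should state which escaping Python applies on Windows when ``shell=True`` is set and what the caller still has to do, and whether the :func:`shlex.quote` recommendation in the preceding paragraph applies to batch-file arguments. "may be launched" also leaves the conditions open; if they are known, summarize them here rather than only pointing to :gh:`114539`.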
