[issue40932] subprocess docs don't qualify the instruction to use shlex.quote by OS

Stephen Farris report at bugs.python.org
Tue Jun 9 16:49:51 EDT 2020


New submission from Stephen Farris <stephen.farris at jhuapl.edu>:

The subprocess docs state: "When using shell=True, the shlex.quote() function can be used to properly escape whitespace and shell metacharacters in strings that are going to be used to construct shell commands." While this is true on Unix, it is not true on Windows. On Windows it is easy to create scenarios where shell injection still exists despite using shlex.quote properly (e.g. subprocess.run(shlex.quote("'&calc '"), shell=True) launches the Windows calculator, which it wouldn't do if shlex.quote was able to prevent shell injection on Windows). While the shlex docs state that shlex is for Unix, the subprocess docs imply that shlex.quote will work on Windows too, possibly leading some developers to erroneously use shlex.quote on Windows to try to prevent shell injection. Recommend: 1) qualifying the above section in the subprocess docs to make it clear that this only works on Unix, and 2) updating the shlex docs with warnings that shlex.quote in particular is not for use on Windows.

----------
assignee: docs at python
components: Documentation
messages: 371140
nosy: Stephen Farris, docs at python
priority: normal
severity: normal
status: open
title: subprocess docs don't qualify the instruction to use shlex.quote by OS
versions: Python 3.8

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue40932>
_______________________________________
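As an added example (not part of the report or of CPython's own code), the script below shows why the quoting that shlex.quote() emits offers no protection under cmd.exe, and demonstrates the OS-independent mitigation: pass an argv list with shell=False so no shell parses the untrusted value. It uses the current interpreter as the child process so it runs offline on any platform; the input string is the one from the report.

```python
import shlex
import subprocess
import sys

# Untrusted input quoted from the report above. shlex.quote() wraps it in
# single quotes, which are ordinary characters to cmd.exe, so the '&'
# command separator is still live when the string reaches a Windows shell.
UNTRUSTED = "'&calc '"


def posix_quoted(arg: str) -> str:
    """Return the POSIX sh quoting that shlex.quote() produces.

    This is correct for /bin/sh but is not cmd.exe syntax: cmd.exe escapes
    metacharacters with '^' and only recognises double quotes.
    """
    return shlex.quote(arg)


def cmd_metachar_survives(arg: str) -> bool:
    """Defender-side check: does a cmd.exe metacharacter remain unescaped
    (no '^' prefix) in the shlex.quote() output? True means that passing
    this value to a Windows shell with shell=True is still unsafe."""
    quoted = shlex.quote(arg)
    return any(ch in quoted and "^" + ch not in quoted for ch in "&|<>")


def run_without_shell(arg: str) -> str:
    """Portable mitigation: hand the argument to the child as one argv
    element with shell=False, so neither sh nor cmd.exe ever sees it.

    The child is the current interpreter echoing argv[1] back unchanged,
    which stands in for whatever real program the caller needs to run.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    print("shlex.quote output :", posix_quoted(UNTRUSTED))
    print("cmd.exe metachar live:", cmd_metachar_survives(UNTRUSTED))
    print("received by child  :", repr(run_without_shell(UNTRUSTED)))
```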
