[3.9] gh-114539: Clarify implicit launching of shells by subprocess (GH-117996) ...

(cherry picked from commit a4b44d39cd6941cc03590fee7538776728bdfd0a)

Co-authored-by: Steve Dower <steve.dower@python.org>

diff --git a/Doc/library/subprocess.rst b/Doc/library/subprocess.rst
index 370ea5839b6fe3492ecfc0e6249e4c8a25588238..70cf95edcc34885eb8e447387f0d421230c63f69 100644 (file)
--- a/Doc/library/subprocess.rst
+++ b/Doc/library/subprocess.rst
@@ -713,8 +713,8 @@ Exceptions defined in this module all inherit from :exc:`SubprocessError`.
 Security Considerations
 -----------------------
 
-Unlike some other popen functions, this implementation will never
-implicitly call a system shell.  This means that all characters,
+Unlike some other popen functions, this library will not
+implicitly choose to call a system shell.  This means that all characters,
 including shell metacharacters, can safely be passed to child processes.
 If the shell is invoked explicitly, via ``shell=True``, it is the application's
 responsibility to ensure that all whitespace and metacharacters are
@@ -726,6 +726,14 @@ When using ``shell=True``, the :func:`shlex.quote` function can be
 used to properly escape whitespace and shell metacharacters in strings
 that are going to be used to construct shell commands.
 
+On Windows, batch files (:file:`*.bat` or :file:`*.cmd`) may be launched by the
+operating system in a system shell regardless of the arguments passed to this
+library. This could result in arguments being parsed according to shell rules,
+but without any escaping added by Python. If you are intentionally launching a
+batch file with arguments from untrusted sources, consider passing
+``shell=True`` to allow Python to escape special characters. See :gh:`114539`
+for additional discussion.
+
 
 Popen Objects
 -------------