string that can safely be used as one token in a shell command line, for
cases where you cannot use a list.
+ .. _shlex-quote-warning:
+
+ .. warning::
+
+ The ``shlex`` module is **only designed for Unix shells**.
+
+ The :func:`quote` function is not guaranteed to be correct on non-POSIX
+ compliant shells or shells from other operating systems such as Windows.
+ Executing commands quoted by this module on such shells can open up the
+ possibility of a command injection vulnerability.
+
+ Consider using functions that pass command arguments with lists such as
+ :func:`subprocess.run` with ``shell=False``.
+
This idiom would be unsafe:
>>> filename = 'somefile; rm -rf ~'
responsibility to ensure that all whitespace and metacharacters are
quoted appropriately to avoid
`shell injection <https://en.wikipedia.org/wiki/Shell_injection#Shell_injection>`_
-vulnerabilities.
-
-When using ``shell=True``, the :func:`shlex.quote` function can be
-used to properly escape whitespace and shell metacharacters in strings
-that are going to be used to construct shell commands.
+vulnerabilities. On :ref:`some platforms <shlex-quote-warning>`, it is possible
+to use :func:`shlex.quote` for this escaping.
Popen Objects
projects / thirdparty / Python / cpython.git / commitdiff
