[Python-3000] os.popen versus subprocess.Popen
Andrew McNabb
amcnabb at mcnabbs.org
Tue Apr 22 22:07:14 CEST 2008
On Tue, Apr 22, 2008 at 04:52:42PM -0300, Facundo Batista wrote:
>
> I think that forcing me to write a tuple or a list just in case I'd need
> to write a string that uses simple and double quotes, or backslashes,
> because it's "ugly", isn't worth it.
Or spaces, or user input, or any special shell characters.

Basically, if you give a list or tuple of arguments, you can fork and
exec. It's really simple, and it does what you expect.

If you specify a string, then either Bash or something else has to parse
the input and separate it into arguments. If any user input is
involved, there will almost certainly be security problems. If not, it
will frequently break anyway.

As Guido pointed out, you can specify shell=True to get this latter
behavior. But if you do this, you often sacrifice correctness and/or
security. It's not a good habit.
--
Andrew McNabb
http://www.mcnabbs.org/andrew/
PGP Fingerprint: 8A17 B57C 6879 1863 DE55 8012 AB4D 6098 8826 6868
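
The difference described in the message above, as an added example that is not part of the original post. It assumes a POSIX system with /bin/sh and Python 3.7 or later; the helper names and the sample file names are constructed for illustration.

```python
import json
import shlex
import subprocess
import sys

# Child that prints the argument vector it actually received, as JSON.
ECHO_ARGV = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]


def run_with_list(value):
    """List form: value is handed to exec as exactly one argument."""
    out = subprocess.run(ECHO_ARGV + [value], capture_output=True,
                         text=True, check=True).stdout
    return json.loads(out.splitlines()[0])


def run_with_shell_string(value, quote=False):
    """String form: /bin/sh parses the whole line before anything runs."""
    prefix = " ".join(shlex.quote(part) for part in ECHO_ARGV)
    arg = shlex.quote(value) if quote else value
    out = subprocess.run(prefix + " " + arg, shell=True,
                         capture_output=True, text=True, check=True).stdout
    lines = out.splitlines()
    # lines[0] is the child's argv; later lines came from other commands
    # that the shell ran because of metacharacters in value.
    return json.loads(lines[0]), lines[1:]


if __name__ == "__main__":
    # Constructed inputs standing in for a file name supplied by a user.
    for value in ("my report.txt", "my report.txt; echo INJECTED"):
        print("input:        ", repr(value))
        print("list:         ", run_with_list(value))
        print("shell string: ", run_with_shell_string(value))
        print("shell + quote:", run_with_shell_string(value, quote=True))
```

With the list form the child always sees one argument. With the unquoted string the space splits it in two and the text after the semicolon runs as a separate command; shlex.quote restores the single argument when a shell cannot be avoided.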