Sanitising arguments to shell commands

Jean-Michel Pichavant jeanmichel at
Fri Aug 21 11:22:03 CEST 2009

Ben Finney wrote:
> Miles Kaufmann <milesck at> writes:
>> I would recommend avoiding shell=True whenever possible. It's used in
>> the examples, I suspect, to ease the transition from the functions
>> being replaced, but all it takes is for a filename or some other input
>> to unexpectedly contain whitespace or a metacharacter and your script
>> will stop working--or worse, do damage (cf. the iTunes 2 installer
>> debacle[1]).
> Agreed, and that's my motivation for learning about ‘subprocess.Popen’.

Can someone explain the difference with the shell argument, giving for 
instance an example of what True will do that False won't? I mean, I've 
read the doc, and to be honest, I didn't get it.
I'm concerned because I'm using subprocess, but I guess my shell arg has 
been filled in a little bit randomly.
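
An added example, not part of the original message, showing on a POSIX system what `shell=True` does that `shell=False` does not when an argument contains whitespace or a metacharacter. The sample filename and the helper names (`run_list`, `run_shell_naive`, `run_shell_quoted`) are constructed for illustration.

```python
import shlex
import subprocess
import sys

# Child command that prints each argument it actually received on its own line.
SHOW_ARGV = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]

# Constructed sample input: a "filename" with spaces and a shell metacharacter.
FILENAME = "my notes; echo INJECTED"


def _run(cmd, shell):
    done = subprocess.run(cmd, shell=shell, capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def run_list(filename):
    """shell=False (the default): the list is handed to the OS as-is.
    No shell is involved, so the filename arrives as one argument."""
    return _run(SHOW_ARGV + [filename], shell=False)


def run_shell_naive(filename):
    """shell=True with the input pasted into the command string:
    /bin/sh splits it on spaces and treats ';' as a command separator."""
    prefix = " ".join(shlex.quote(part) for part in SHOW_ARGV)
    return _run(prefix + " " + filename, shell=True)


def run_shell_quoted(filename):
    """shell=True, but the input is escaped with shlex.quote() first,
    so the shell sees a single literal word."""
    prefix = " ".join(shlex.quote(part) for part in SHOW_ARGV)
    return _run(prefix + " " + shlex.quote(filename), shell=True)


if __name__ == "__main__":
    print("shell=False        :", run_list(FILENAME))
    print("shell=True, naive  :", run_shell_naive(FILENAME))
    print("shell=True, quoted :", run_shell_quoted(FILENAME))
```

In the naive `shell=True` case the child receives `my` and `notes` as two separate arguments, and the text after `;` runs as a second command; the list form needs no quoting at all.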

