Snippet: The leanest Popen wrapper

Chris Rebert clp2 at
Thu Aug 4 10:42:34 CEST 2011

On Thu, Aug 4, 2011 at 1:10 AM, Thomas Rachel
<nutznetz-0c1b6768-bfa9-48d5-a470-7603bd3aa915 at>
> On 03.08.2011 19:27, Chris Rebert wrote:
>>>                     shell= True,
>> I would strongly encourage you to avoid shell=True.
> ACK, but not because it is hard, but because it is unnecessary and inelegant
> at this point.
>> You really don't want to have to worry about doing proper shell escaping
>> yourself.
> That's nothing to really worry about - just doing
> def shellquote(*strs):
>        return " ".join([
>                "'"+st.replace("'","'\\''")+"'"
>                for st in strs
>        ])
> would do perfectly: shellquote('echo', "'", '"', " ", "\n")

I was considering the more general case where one of the strings may
have come from user input. You then need to also escape
$looks_like_a_var, `some_command`, and way more other such stuff that
your simple function doesn't cover. Even if the user is trusted, not
escaping such things can still lead to bizarre unintended

If the commands are completely static, then yes, I agree that lack of
necessity then becomes the main argument against shell=True.
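
The two styles of the thread side by side, as an added example that is not code from either poster: the argument-list form with shell=False (no quoting needed), a shell=True form where every argument goes through the standard library's shlex.quote (the same single-quote technique as the hand-rolled shellquote above, just with a different escape for embedded single quotes), and the string-concatenation form whose output shows the shell expanding the input. It assumes Python 3 and a POSIX /bin/sh; the sample "user input" is constructed for the demonstration.

```python
import shlex
import subprocess

# Constructed sample user input: plain text that a shell would otherwise
# read as a variable reference and a command substitution.
USER_INPUT = "hello $HOME `echo INJECTED` ;"


def run_argv(argv):
    """Preferred form: an argument list with the default shell=False.

    No shell ever parses the arguments, so no quoting is required and
    metacharacters in the input reach the program literally.
    """
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def shellquote(*strs):
    """Build one POSIX command line from separate arguments.

    shlex.quote single-quotes anything that is not a plain word and escapes
    embedded single quotes; this is the standard-library equivalent of the
    shellquote() in the thread (POSIX sh only, not cmd.exe).
    """
    return " ".join(shlex.quote(s) for s in strs)


def run_quoted_shell(arg):
    """shell=True with every argument quoted: behaves like run_argv."""
    cmd = shellquote("printf", "%s", arg)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_unquoted_shell(arg):
    """The hazard: concatenating input into a shell=True command string.

    The shell expands $HOME and runs the backtick substitution before printf
    sees the text, so the output no longer matches the input.
    """
    cmd = "printf %s " + arg
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print(repr(run_argv(["printf", "%s", USER_INPUT])))
    print(repr(run_quoted_shell(USER_INPUT)))
    print(repr(run_unquoted_shell(USER_INPUT)))
```

Only the last call produces something other than the input string; the first two return it unchanged, which is the check to keep in mind whenever a command line is built from anything that is not a literal in the source.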
