STINNER Victor <vstin...@python.org> added the comment:

https://docs.python.org/dev/library/subprocess.html#subprocess-replacements 
documentation suggests replacing os.popen(cmd, "w") with Popen(cmd, 
stdin=PIPE): without shell=True. My problem is that the replacement does change 
the behavior if the command does not exist.

--

I would like to avoid a shell (shell=True) to avoid any risk of shell injection 
vulnerability, but also to avoid bugs caused by the usage of a shell.

For example, "*" is a joker character. "*.py" is expanded to the list of 
filenames ending with ".py", or left unchanged if there is no file with a name 
ending with ".py". It's surprising if you are not used to a shell, and you 
expect "*" to be passed to the final command.

There are other weird cases with a shell, like bpo-26124 "shlex.quote and 
pipes.quote do not quote shell keywords".

See bpo-42641 "Deprecate os.popen() function" for other examples.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42648>
_______________________________________
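
The two behaviour differences described in the comment above, as an added example that is not part of the original message or of CPython. It assumes a POSIX system with /bin/sh; the command name in MISSING and the helper function names are constructed for illustration.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Constructed name, assumed not to exist on PATH.
MISSING = "constructed-missing-command-42648"

def missing_with_shell():
    """shell=True: /bin/sh starts, then reports the failure as an exit status."""
    proc = subprocess.Popen(MISSING, shell=True, stdin=subprocess.PIPE,
                            stderr=subprocess.DEVNULL)
    proc.stdin.close()
    return proc.wait()  # POSIX sh uses 127 for "command not found"

def missing_without_shell():
    """No shell: exec fails and Popen() itself raises."""
    try:
        subprocess.Popen([MISSING], stdin=subprocess.PIPE)
    except FileNotFoundError as exc:
        return type(exc).__name__
    return None

def star_argument(shell):
    """Return the arguments a child process receives for the pattern *.py."""
    child = "import sys; print('|'.join(sys.argv[1:]))"
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("a.py", "b.py"):
            open(os.path.join(tmp, name), "w").close()
        if shell:
            # Fixed parts are quoted; *.py is left bare so the shell expands it.
            cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(child)} *.py"
        else:
            # Argument list, no shell: "*.py" reaches the child unchanged.
            cmd = [sys.executable, "-c", child, "*.py"]
        out = subprocess.run(cmd, shell=shell, cwd=tmp, capture_output=True,
                             text=True, check=True)
    return out.stdout.strip()

if __name__ == "__main__":
    print("missing command, shell=True :", missing_with_shell())
    print("missing command, no shell   :", missing_without_shell())
    print("'*.py' seen by child, shell :", star_argument(True))
    print("'*.py' seen by child, list  :", star_argument(False))
```

Code migrating from os.popen() to Popen without a shell has to handle the exception at the call site instead of checking the exit status after close().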