[英]Using subprocess.Popen to run a batch file in Windows
Why can we not use Popen
to run a batch file? 为什么我们不能使用Popen
运行批处理文件?
>>> p = Popen(["filename"], shell=True, stdout = PIPE)
This is working well, but according to the documentation we should not use shell = True
for "running a batch file or console-based executable". 这运行良好,但是根据文档,我们不应将shell = True
用于“运行批处理文件或基于控制台的可执行文件”。
Why can't we use shell = True
when it runs a batch file? 为什么在运行批处理文件时不能使用shell = True
? Why should it only be used for building in cmd? 为什么只在cmd中使用它?
Calling subprocess.Popen()
with the shell
parameter set to True
in production is a generally bad idea. 在生产环境中将shell
参数设置为True
来调用subprocess.Popen()
是一个糟糕的主意。 One of the dangers include shell injection vulnerabilities, as quoted by the Python 3 docs: 危险之一包括shell注入漏洞,如Python 3文档所述:
17.5.2. 17.5.2。 Security Considerations 安全注意事项
Unlike some other popen functions, this implementation will never implicitly call a system shell. 与某些其他popen函数不同,此实现绝不会隐式调用系统外壳程序。 This means that all characters, including shell metacharacters, can safely be passed to child processes. 这意味着所有字符(包括外壳元字符)都可以安全地传递给子进程。 If the shell is invoked explicitly, via
shell=True
, it is the application's responsibility to ensure that all whitespace and metacharacters are quoted appropriately to avoid shell injection vulnerabilities. 如果通过shell=True
显式调用了shell,则应用程序有责任确保所有空白和元字符都被正确引用,以避免shell注入漏洞。
Source: https://docs.python.org/3.6/library/subprocess.html 资料来源: https : //docs.python.org/3.6/library/subprocess.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.