Using subprocess.Popen to run a batch file in Windows
Question
Why can we not use Popen to run a batch file?
>>> p = Popen(["filename"], shell=True, stdout = PIPE)
This is working well, but according to the documentation we should not use shell = True for "running a batch file or console-based executable".
Why can't we use shell = True when it runs a batch file? Why should it only be used for building in cmd?
1 answers
solution1
2 ACCPTED 2018-07-02 07:49:48
Calling subprocess.Popen() with the shell parameter set to True in production is a generally bad idea. One of the dangers include shell injection vulnerabilities, as quoted by the Python 3 docs:
17.5.2. Security Considerations
Unlike some other popen functions, this implementation will never implicitly call a system shell. This means that all characters, including shell metacharacters, can safely be passed to child processes. If the shell is invoked explicitly, via
shell=True, it is the application's responsibility to ensure that all whitespace and metacharacters are quoted appropriately to avoid shell injection vulnerabilities.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.