
Looking at http://docs.python.org/2/library/subprocess.html#frequently-used-arguments I made the assumption that unless you use shell=True, there is no ability to use rm, cp, mv etc. Maybe the documentation is out-of-date as they are feeding the call method with a string, where it should be a list. But using shell=False certainly doesn't prevent the usage of said shell commands.

shell=False disables all shell based features

After looking at subprocess.py, I can see that all that argument does is add ["/bin/sh", "-c"] to the start of the argument string.

Can someone clarify this for me?

  • You're really missing the point of using Python if you're shelling out to use rm, cp and mv. Try using the myriad of in-built, platform-agnostic methods contained in the os and shutil modules. Commented Nov 8, 2012 at 11:44
  • I know full well of these and use them frequently, I'm writing something that I need to prevent from being hacked with shell commands, such as the ones above. Commented Nov 8, 2012 at 11:54
  • Please accept my apologies. Remember then that these commands are not part of the shell (like they are in DOS) but executables in /bin. The shell sometimes has replacements, such as echo in Bash. Good luck :) Commented Nov 8, 2012 at 12:04
  • You seriously don't want to be executing arbitrary commands passed from a user, unless they're the owner of the system you're helping them to administrate with your tool. Commented Nov 8, 2012 at 12:05
  • I guess that's the whole point of the OP's assumption of preventing that by using shell=False, and after looking into it he wonders what else, if not exactly that, this option is good for! ;-) jm2c Commented Nov 8, 2012 at 12:37

1 Answer


The shell features they are talking about are things like | pipes, * globs and other wildcards, stdout/stderr redirects with > or 2>, <(process substitution) etc. They are not talking about other commands/programs such as mv, grep, etc.


2 Comments

Or things like cd. Note that on other systems, like Windows, there might not be executables for mv etc. so you might have to execute it in a shell context to make it work. But for file stuff it’s better to use Python’s built-in functions.
+1 Yep, just checked that out and can see the difference now. Thanks, will mark as answer after the timeout.
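The difference the answer describes, shown in running code. This is an added example, not code from the question, the answer or CPython's subprocess module; it assumes a POSIX system where `echo`, `tr` and `/bin/sh` are on the PATH, and the `ALLOWED_PROGRAMS` set is an assumed policy invented for the example. The same harmless string is run three ways: as a single argv element with shell=False (metacharacters stay literal), tokenized with shlex and run with shell=False (the `|` becomes an ordinary word handed to echo), and through shell=True (sh parses it and the pipe works). The last function makes the point the comments circle around: shell=False stops shell syntax, not programs, so if the program name itself is untrusted, an explicit allowlist is the check you still need.

```python
import shlex
import subprocess

# Constructed sample: harmless text that happens to contain a shell pipe.
SAMPLE = "hello | tr a-z A-Z"


def run_argv(argv):
    """shell=False with an argv list: no /bin/sh is started, so every list
    element reaches the program byte-for-byte. '|', '*' and '$' are plain text."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def run_via_shell(cmdline):
    """shell=True: subprocess prepends ['/bin/sh', '-c'] and sh parses the
    string, so pipes, globs, $VAR expansion and redirects all take effect."""
    proc = subprocess.run(cmdline, shell=True, capture_output=True,
                          text=True, check=True)
    return proc.stdout.rstrip("\n")


def run_tokenized(cmdline):
    """The case the docs' string examples blur: split with shlex, then run with
    shell=False. Tokens become argv entries, so '|' is a word passed to echo,
    not a pipe, and 'tr' is never started."""
    return run_argv(shlex.split(cmdline))


# Assumed policy for this example: only these program names may be launched.
ALLOWED_PROGRAMS = frozenset({"echo", "ls"})


def is_allowed(argv):
    """True when argv names a program on the allowlist."""
    return bool(argv) and argv[0] in ALLOWED_PROGRAMS


def run_allowed(argv):
    """shell=False does not stop argv[0] from being rm, cp or mv; those are
    ordinary executables in /bin, not shell features. When the program name
    comes from untrusted input, this allowlist is the check that shell=False
    alone does not provide."""
    if not is_allowed(argv):
        raise PermissionError("program not allowed: %r" % (argv[0] if argv else ""))
    return run_argv(argv)


if __name__ == "__main__":
    print(run_argv(["echo", SAMPLE]))        # hello | tr a-z A-Z
    print(run_tokenized("echo " + SAMPLE))   # hello | tr a-z A-Z
    print(run_via_shell("echo " + SAMPLE))   # HELLO
    print(run_argv(["echo", "$HOME", "*"]))  # $HOME *
    try:
        run_allowed(["rm", "-f", "somefile"])
    except PermissionError as exc:
        print(exc)                           # program not allowed: 'rm'
```

Note that `run_via_shell` is the only function here that ever starts `tr`; with shell=False the pipe character is data, which is exactly why shell=False is the safe default when any part of the command line comes from outside the program.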
