diff -r 62a058c76869 Doc/library/os.rst --- a/Doc/library/os.rst Mon Dec 01 13:10:12 2014 +0200 +++ b/Doc/library/os.rst Mon Dec 01 12:15:45 2014 -0800 @@ -2899,8 +2899,23 @@ contains the signed integer return code from the child process. This is implemented using :class:`subprocess.Popen`; see that class's - documentation for more powerful ways to manage and communicate with - subprocesses. + documentation for safer and more powerful ways to manage and communicate + with subprocesses. + + .. warning:: + + The use of :func:`popen` is **strongly discouraged** in cases where the + command string is constructed from external input. Executing shell + commands that incorporate unsanitized input from an untrusted source + makes a program vulnerable to `shell injection + `_, + a serious security flaw which can result in arbitrary command execution. + For greater safety, consider using :mod:`subprocess` with + ``shell=False`` instead. + + :func:`shlex.quote` can be used to properly escape whitespace and shell + metacharacters in strings that are going to be used to construct shell + commands. .. function:: spawnl(mode, path, ...) 
@@ -3046,10 +3061,25 @@ status of the command run; on systems using a non-native shell, consult your shell documentation. - The :mod:`subprocess` module provides more powerful facilities for spawning - new processes and retrieving their results; using that module is preferable - to using this function. See the :ref:`subprocess-replacements` section in - the :mod:`subprocess` documentation for some helpful recipes. + The :mod:`subprocess` module provides safer and more powerful facilities + for spawning new processes and retrieving their results; using that module + is preferable to using this function. See the :ref:`subprocess-replacements` + section in the :mod:`subprocess` documentation for some helpful recipes. + + .. warning:: + + The use of :func:`system` is **strongly discouraged** in cases where the + command string is constructed from external input. Executing shell + commands that incorporate unsanitized input from an untrusted source + makes a program vulnerable to `shell injection + `_, + a serious security flaw which can result in arbitrary command execution. + For greater safety, consider using :mod:`subprocess` with + ``shell=False`` instead. + + :func:`shlex.quote` can be used to properly escape whitespace and shell + metacharacters in strings that are going to be used to construct shell + commands. Availability: Unix, Windows.
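Review bot: In the first hunk (the :func:`popen` warning) the external hyperlink `` `shell injection `_ `` carries no target, so Sphinx will report an unknown target name and the link will not render; supply the URL inline, e.g. `` `shell injection <URL>`_ ``, or define a named target once and reference it from both warnings. The closing paragraph on :func:`shlex.quote` would also benefit from saying that quoting protects a single token only when the command is assembled from individually quoted arguments, so it is a fallback for cases where a list cannot be used rather than an equivalent to ``shell=False``.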
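Review bot: In the second hunk (the :func:`system` warning) the same `` `shell injection `_ `` link is missing its target, and the whole warning plus the :func:`shlex.quote` paragraph is a verbatim copy of the text added for :func:`popen`; keep the warning in one place (or as a shared ``.. note::`` that both entries reference) so the two do not drift apart. Since this function is listed as "Availability: Unix, Windows.", the :func:`shlex.quote` advice should also state that it only produces escaping suitable for POSIX shells and does not protect a command string handed to the Windows command interpreter.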