The subprocess docs state: "When using shell=True, the shlex.quote() function can be used to properly escape whitespace and shell metacharacters in strings that are going to be used to construct shell commands." While this is true on Unix, it is not true on Windows. On Windows it is easy to create scenarios where shell injection still exists despite using shlex.quote properly (e.g. subprocess.run(shlex.quote("'&calc '"), shell=True) launches the Windows calculator, which it wouldn't do if shlex.quote was able to prevent shell injection on Windows). While the shlex docs state that shlex is for Unix, the subprocess docs imply that shlex.quote will work on Windows too, possibly leading some developers to erroneously use shlex.quote on Windows to try to prevent shell injection. Recommend: 1) qualifying the above section in the subprocess docs to make it clear that this only works on Unix, and 2) updating the shlex docs with warnings that shlex.quote in particular is not for use on Windows.

I wonder whether we should be more specific about the shells that shlex works for? Since WSL makes *sh (Bash, Dash, Sh, etc.) easily available on Windows, and I believe PowerShell on Linux keeps its own quoting rules.

Hmm, it'd be hard to enumerate them all. The module does say, "...simple syntaxes resembling that of the Unix shell" but that's it.

Distinguishing at the OS level for shlex does seem a bit weird given the existence of WSL and non-compliant shells on Linux like xonsh. I think it'd be nice if we could be a bit more specific on whats supported, maybe it covers all POSIX compliant shells?

For the subprocess warning I think it's fine to talk about the OS since it looks like the shell used are hard-coded in:

* https://github.com/python/cpython/blob/5241e189e77972d3a07acbbb3f0c0cbc2aeeb681/Lib/subprocess.py#L1403-L1407
* https://github.com/python/cpython/blob/5241e189e77972d3a07acbbb3f0c0cbc2aeeb681/Lib/subprocess.py#L1680-L1686