Author Charles Daffern
Recipients Charles Daffern, docs@python, eric.araujo, fdrake, serhiy.storchaka
Date 2016-01-15.19:29:49
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1452886190.18.0.454729273231.issue26124@psf.upfronthosting.co.za>
In-reply-to
Content
>To be sure that it is existing program, you can use shutil.which()

I'd like to clear this up a little because this is worded as if shutil.which()'s success implies that the shell will not fail.

Here is the setup to demonstrate:

>>> import os, shlex, shutil, subprocess
>>> open("do", "w").write("#!/bin/sh\necho Something is being done...")
__main__:1: ResourceWarning: unclosed file <_io.TextIOWrapper name='do' mode='w' encoding='UTF-8'>
41
>>> os.chmod("do", 0o700)


Here is the behaviour using shlex.quote:

>>> subprocess.call(shlex.quote("do"), shell=True, env={'PATH': '.'})
/bin/sh: 1: Syntax error: "do" unexpected
2


Here is the behaviour when quoting properly:

>>> subprocess.call("'do'", shell=True, env={'PATH': '.'})
Something is being done...
0


Here is the output of shutil.which:

>>> shutil.which("do", path=".")
'./do'


So checking shutil.which()'s success or failure will not guard against this case (though using its output would work around the problem).

>It's not at all obvious that the intention is to ensure such an argument should be treated only as a command external to the shell.
>
>If an application really wants to ensure the command is not handled as a shell built-in, it should use shell=False.

The shell will still search builtins if the argument is quoted, it just won't search for keywords. So, a quoted "bind", "shopt" or "jobs" will still work, but a quoted "case", "fi" or "done" will cause the shell to search for a command of that name rather than treating it as syntax.

Looking at the source, shlex.quote's refusal to quote certain arguments appears to be intentional. I would rather it quote slightly more carefully than necessary, than quote something incorrectly.
History
Date User Action Args
2016-01-15 19:29:50Charles Daffernsetrecipients: + Charles Daffern, fdrake, eric.araujo, docs@python, serhiy.storchaka
2016-01-15 19:29:50Charles Daffernsetmessageid: <1452886190.18.0.454729273231.issue26124@psf.upfronthosting.co.za>
2016-01-15 19:29:50Charles Daffernlinkissue26124 messages
2016-01-15 19:29:49Charles Dafferncreate