Author Charles Daffern
Recipients Charles Daffern, docs@python, eric.araujo, fdrake, serhiy.storchaka
Date 2016-01-15.19:29:49
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
>To be sure that it is existing program, you can use shutil.which()

I'd like to clear this up a little because this is worded as if shutil.which()'s success implies that the shell will not fail.

Here is the setup to demonstrate:

>>> import os, shlex, shutil, subprocess
>>> open("do", "w").write("#!/bin/sh\necho Something is being done...")
__main__:1: ResourceWarning: unclosed file <_io.TextIOWrapper name='do' mode='w' encoding='UTF-8'>
>>> os.chmod("do", 0o700)

Here is the behaviour using shlex.quote:

>>>"do"), shell=True, env={'PATH': '.'})
/bin/sh: 1: Syntax error: "do" unexpected

Here is the behaviour when quoting properly:

>>>"'do'", shell=True, env={'PATH': '.'})
Something is being done...

Here is the output of shutil.which:

>>> shutil.which("do", path=".")

So checking shutil.which()'s success or failure will not guard against this case (though using its output would work around the problem).

>It's not at all obvious that the intention is to ensure such an argument should be treated only as a command external to the shell.
>If an application really wants to ensure the command is not handled as a shell built-in, it should use shell=False.

The shell will still search builtins if the argument is quoted, it just won't search for keywords. So, a quoted "bind", "shopt" or "jobs" will still work, but a quoted "case", "fi" or "done" will cause the shell to search for a command of that name rather than treating it as syntax.

Looking at the source, shlex.quote's refusal to quote certain arguments appears to be intentional. I would rather it quote slightly more carefully than necessary, than quote something incorrectly.
Date User Action Args
2016-01-15 19:29:50Charles Daffernsetrecipients: + Charles Daffern, fdrake, eric.araujo, docs@python, serhiy.storchaka
2016-01-15 19:29:50Charles Daffernsetmessageid: <>
2016-01-15 19:29:50Charles Daffernlinkissue26124 messages
2016-01-15 19:29:49Charles Dafferncreate