Author vstinner
Recipients vstinner
Date 2020-12-14.22:52:42
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
The os.popen() function uses a shell by default which usually leads to shell injection vulnerability.

It also has a weird API:

* closing the file waits until the process completes.
* close() returns a "wait status" (*) not a "returncode"

(*) see for the meaning of a "wait status".

IMO the subprocess module provides better and safer alternatives with a clean API. The subprocess module already explains how to replace os.popen() with subprocess:

In Python 2, os.popen() was deprecated since Python 2.6, but Python 3.0 removed the deprecation (commit dcf97b98ec5cad972b3a8b4989001c45da87d0ea, then commit f5a429295d855267c33c5ef110fbf05ee7a3013e extended os.popen() documentation again: bpo-6490).

platform.popen() existed until Python 3.8 (bpo-35345). It was deprecated since Python 3.3 (bpo-11377).


There is also the os.system() function which exposes the libc system() function. Should we deprecate this one as well?
Date User Action Args
2020-12-14 22:52:43vstinnersetrecipients: + vstinner
2020-12-14 22:52:43vstinnersetmessageid: <>
2020-12-14 22:52:43vstinnerlinkissue42641 messages
2020-12-14 22:52:42vstinnercreate