(original) (raw)

On Sun, Jan 7, 2018 at 12:30 PM, Gregory P. Smith <greg@krypto.org> wrote:

the best way to improve shell escaping on windows is to send a PR against the list2cmdline code that escapes everything you believe it should when running on windows. With hyperlinks to the relevant msdn info about what might need escaping.

Agreed. FWIW the call to list2cmdline seems to compound the problem, since it just takes args and puts double quotes around it, mostly undoing the work of list2cmdline. For example if I use (args=\['a', 'b c'\], shell=True) I think list2cmdline turns that to args='a "b c"', and then the format() expression constructs the command:

cmd.exe /c "a "b c""

I really have no idea what that means on Windows (and no quick access to a Windows box to try it) but on Windows that would create \*two\* arguments, the first one being 'a b' and the second one 'c'.

At this point I can understand that Christian recommends against shell=True -- it's totally messed up! But the fix should really be to fix this, not inventing a new feature.

--Guido van Rossum (python.org/\~guido)