使用 subprocess.Popen 在 Windows 中运行批处理文件 [英] Using subprocess.Popen to run a batch file in Windows
问题描述
为什么我们不能使用 Popen
来运行批处理文件?
这运行良好,但根据文档,我们不应该使用 shell = True
来运行批处理文件或基于控制台的可执行文件".
为什么我们不能在运行批处理文件时使用 shell = True
?为什么它只能用于在 cmd 中构建?
使用 shell
参数设置为 True
调用 subprocess.Popen()
> 在生产中通常是一个坏主意.危险之一包括 shell 注入漏洞,如 Python 3 文档所述:
17.5.2.安全注意事项
与其他一些 popen 函数不同,这个实现永远不会隐式调用一个系统外壳.这个意味着所有字符,包括 shell 元字符,都可以安全地传递给子进程.如果显式调用 shell,则通过shell=True
,应用程序有责任确保所有适当引用空格和元字符以避免 shell注入漏洞.
来源:https://docs.python.org/3.6/library/subprocess.html
Why can we not use Popen
to run a batch file?
>>> p = Popen(["filename"], shell=True, stdout = PIPE)
This is working well, but according to the documentation we should not use shell = True
for "running a batch file or console-based executable".
Why can't we use shell = True
when it runs a batch file? Why should it only be used for building in cmd?
Calling subprocess.Popen()
with the shell
parameter set to True
in production is a generally bad idea. One of the dangers include shell injection vulnerabilities, as quoted by the Python 3 docs:
17.5.2. Security Considerations
Unlike some other popen functions, this implementation will never implicitly call a system shell. This means that all characters, including shell metacharacters, can safely be passed to child processes. If the shell is invoked explicitly, via
shell=True
, it is the application’s responsibility to ensure that all whitespace and metacharacters are quoted appropriately to avoid shell injection vulnerabilities.
Source: https://docs.python.org/3.6/library/subprocess.html
这篇关于使用 subprocess.Popen 在 Windows 中运行批处理文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!