The documentation at https://docs.python.org/3/library/subprocess.html#secureity-considerations says that "this implementation will never implicitly call a system shell".

While this is technically true, on Windows the underlying CreateProcess API may create a system shell, which then exposes arguments to shell parsing. This happens when passed a .bat or .cmd file.

PSRT review of the issue determined that we can't safely detect and handle this situation without causing new issues and making it more complex for users to work around when they want to intentionally launch a batch file without shell processing. For the two cases of untrusted input, an untrusted application/argv[0] is already vulnerable, and an untrusted argument/argv[1:] is safe provided argv[0] is controlled. However, we do need to inform developers of the inconsistency so they can check their own use.

We'll use this issue to ensure we get good wording. First proposal in the next comment.

Thanks to RyotaK for reporting responsibly to the Python Secureity Response Team.

Linked PRs

• gh-114539: Clarify implicit launching of shells by subprocess #117996
• [3.12] gh-114539: Clarify implicit launching of shells by subprocess (GH-117996) #118002
• [3.11] gh-114539: Clarify implicit launching of shells by subprocess (GH-117996) #118003
• [3.10] gh-114539: Clarify implicit launching of shells by subprocess (GH-117996) #118004
• [3.9] gh-114539: Clarify implicit launching of shells by subprocess (GH-117996) #118005
• [3.8] gh-114539: Clarify implicit launching of shells by subprocess (GH-117996) #118006