bpo-40932: Note security caveat of shlex.quote on Windows (GH-21502) Added a note in the `subprocess` docs that recommend using `shlex.quote` without mentioning that this is only applicable to Unix. Also added a warning straight into the `shlex` docs since it only says "for simple syntaxes resembling that of the Unix shell" and says using `quote` plugs the security hole without mentioning this important caveat.

commit: f9a8386e44a695551a1e54e709969e90e9b96bc4 [log] [tgz]
author: Ammar Askar <ammar@ammaraskar.com> Wed Nov 11 02:29:56 2020 -0500
committer: GitHub <noreply@github.com> Tue Nov 10 23:29:56 2020 -0800
tree: 8388f4572c7ff038dd4dab22b5231cbb61d5b87c
parent: fa476fe13255d0360f18528e864540d927560f66 [diff] [blame]
diff --git a/Doc/library/subprocess.rst b/Doc/library/subprocess.rst
index 85d0f46..292f8be 100644
--- a/Doc/library/subprocess.rst
+++ b/Doc/library/subprocess.rst

@@ -718,11 +718,8 @@
 responsibility to ensure that all whitespace and metacharacters are
 quoted appropriately to avoid
 `shell injection <https://en.wikipedia.org/wiki/Shell_injection#Shell_injection>`_
-vulnerabilities.
-
-When using ``shell=True``, the :func:`shlex.quote` function can be
-used to properly escape whitespace and shell metacharacters in strings
-that are going to be used to construct shell commands.
+vulnerabilities. On :ref:`some platforms <shlex-quote-warning>`, it is possible
+to use :func:`shlex.quote` for this escaping.
 
 
 Popen Objects
commit	f9a8386e44a695551a1e54e709969e90e9b96bc4	[log] [tgz]
author	Ammar Askar <ammar@ammaraskar.com>	Wed Nov 11 02:29:56 2020 -0500
committer	GitHub <noreply@github.com>	Tue Nov 10 23:29:56 2020 -0800
tree	8388f4572c7ff038dd4dab22b5231cbb61d5b87c
parent	fa476fe13255d0360f18528e864540d927560f66 [diff] [blame]