Python's subprocess module is great. It is definitely the cleanest wrapping of a system program of any of the scripting languages I've ever used. When you just want output, you call .communicate() and be done with it. When you want to interact, the file descriptors are there for you to play with. It's scripting heaven.
There is one feature that he could have touched on more:
shell=False is the only easy, safe way to put user-supplied input in a command line. This stuff is just too damned easy to get wrong.
I've seen heroic code that tried to work around shell quoting and escaping vulnerabilities. One colleague was trying to write a wrapper around the ldapsearch binary, and decided that filtering all "|" would do it. He'd completely forgotten that ` also triggers arbitrary command execution.
Don't be a hero. Keep bash away from your input.
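An added example, not code from the comment above or from any project it mentions, showing the two approaches side by side: the "strip the pipes" filter the commenter describes, and the shell=False argv list that makes the filter unnecessary. The hostile input string is constructed for the demonstration, and the ldapsearch argument list is a hypothetical wrapper (the binary is never invoked; the child process used to prove the point is the current Python interpreter, so the block runs anywhere Python does).

```python
import subprocess
import sys

# Constructed hostile input: the "|" filter from the comment above strips the pipe,
# but the backticks and the ";" survive and a shell would act on them.
HOSTILE_UID = "alice`id`; echo pwned | cat"


def filter_pipes_only(s: str) -> str:
    """The colleague's approach: remove '|' and assume the rest is harmless."""
    return s.replace("|", "")


def shell_string(uid: str) -> str:
    """The command line a shell=True call would hand to /bin/sh for parsing.

    Returned as a string and never executed here; it only shows that the
    filtered input still carries shell metacharacters.
    """
    return f"ldapsearch -x (uid={filter_pipes_only(uid)})"


def ldapsearch_argv(uid: str) -> list:
    """Build an argv list for a hypothetical ldapsearch wrapper (binary name assumed).

    With shell=False every element reaches the program as exactly one argument,
    so the user-supplied value needs no quoting or escaping for the shell's sake.
    """
    return ["ldapsearch", "-x", f"(uid={uid})"]


def echo_last_arg(value: str) -> str:
    """Run a child with shell=False and return what it saw as its last argument.

    The child is the current Python interpreter printing sys.argv[-1], so the
    backticks, ';' and '|' in the value arrive verbatim: no shell ever sees them.
    """
    argv = [sys.executable, "-c", "import sys; print(sys.argv[-1])", value]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("filtered string a shell would parse:", shell_string(HOSTILE_UID))
    print("argv with shell=False:", ldapsearch_argv(HOSTILE_UID))
    print("child received it verbatim:", echo_last_arg(HOSTILE_UID) == HOSTILE_UID)
```

One caveat worth keeping in mind: shell=False removes the shell from the picture, nothing more. The called program still parses its own arguments, so a value that is safe for the shell may still need program-specific handling (an LDAP filter has its own escaping rules, and an argument starting with "-" may be read as an option), which is a separate problem from the one the comment is about.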