从the python subprocess page

Unlike some other popen functions, this implementation will never implicitly call a system shell. This means that all characters, including shell metacharacters, can safely be passed to child processes. If the shell is invoked explicitly, via shell=True, it is the application’s responsibility to ensure that all whitespace and metacharacters are quoted appropriately to avoid shell injection vulnerabilities.

When using shell=True, the shlex.quote() function can be used to properly escape whitespace and shell metacharacters in strings that are going to be used to construct shell commands.

是否需要使用shell取决于如何调用它。从the subprocess popen info：

args is required for all calls and should be a string, or a sequence of program arguments. Providing a sequence of arguments is generally preferred, as it allows the module to take care of any required escaping and quoting of arguments (e.g. to permit spaces in file names). If passing a single string, either shell must be True (see below) or else the string must simply name the program to be executed without specifying any arguments.

因此，如果您可以使用元素列表调用子流程，而不是构建字符串，那么在python中这样做比在shell脚本中更容易，这应该不是问题。你知道吗

抱歉，这些链接是不同版本的python，看起来更清楚，但他们说了类似的事情，所以请检查您的python版本的正确的一个。你知道吗