python · miss-islington · Nov 11, 2020 · Jul 16, 2020 · Aug 24, 2020 · Aug 24, 2020
diff --git a/Doc/library/shlex.rst b/Doc/library/shlex.rst
@@ -61,6 +61,18 @@ The :mod:`shlex` module defines the following functions:
    string that can safely be used as one token in a shell command line, for
    cases where you cannot use a list.
 
+   .. warning::
+
+      The ``shlex`` module is **only designed for Unix shells**.
+
+      The :func:`quote` function is not garaunteed to be safe on non-compliant
+      shells or shells from other operating systems such as Windows. Executing
+      commands quoted by this module on such shells can open up the possibility
+      of a command injection vulnerability.
+
+      Consider using functions that pass command arguments with lists such as
+      :func:`subprocess.run` with ``shell=False``.
+
    This idiom would be unsafe:
 
       >>> filename = 'somefile; rm -rf ~'

diff --git a/Doc/library/subprocess.rst b/Doc/library/subprocess.rst
@@ -693,9 +693,12 @@ quoted appropriately to avoid
 `shell injection <https://en.wikipedia.org/wiki/Shell_injection#Shell_injection>`_
 vulnerabilities.
 
-When using ``shell=True``, the :func:`shlex.quote` function can be
-used to properly escape whitespace and shell metacharacters in strings
-that are going to be used to construct shell commands.
+When using ``shell=True`` on **Unix** systems, the :func:`shlex.quote`
+function can be used to properly escape whitespace and shell metacharacters in
+strings that are going to be used to construct shell commands. Note that
+the :mod:`shlex` module is *only meant for Unix systems* and using it on other
+operating systems such as Windows can create a command injection vulnerability
+when coupled with ``shell=True``.
 
 
 Popen Objects